How Ordr Customers Are Identifying Account Misuse Through Employee Access

Any computer security policy is founded on the concept of identifying users and establishing their credentials to authorize them to access system networked resources. Managing usernames and passwords might seem like a trivial task but when a network grows to have many resources and correspondingly many users, the potential for security breaches multiplies.

Integration with Windows Active Directory (AD) provides flexibility for network administrators to adopt a wide range of security policies.

In the most extreme form of “least privilege” access, administrators can lock down each user to allow access only to very specific resources, at specific times, and with specified permissions for specific resources such as file systems, individual files, servers, VPNs, medical workstations, medical and industrial equipment, printers and copiers, and phones.

In practice, this ideal level of control is rarely achieved, and compromises are made to make managing the operation more practical. As a result, many organizations face the following user access challenges:

• User accounts often grant more access than the employee needs.
• Sometimes user accounts survive an employee’s termination – for one reason or another they aren’t disabled.
• In some cases, a user can create “local” user accounts with access privileges.  This is often allowed in systems managed with Windows Active Directory.
• There can be some systems in the network that do not use the network administrator’s security protocol.
• IoT Devices (both wired and wireless) and various off the shelf software packages with default passwords (for example: “admin/admin”) appear in corporate network. Most of the time, account management with passwords can become tedious when thousands of IoT devices are deployed in the network, because these devices are typically configured by the manufacturer with default credentials.

While these challenges vary, the end result is the same: an un-authorized user gains access, typically via a VPN or SSH session to some system or device, and from there accesses other privileged resources in the system. In this type of security breach, malware need not be involved, although this may turn out to be a vector for malware. Given the numerous ways in which phishing attacks can install malware agents on an employee-owned corporate laptop, jumping to other devices with weak credentials becomes easier for attackers.

Ordr and Active Directory, RADIUS and wireless Integration

Ordr provides very robust tracking of users using AD/RADIUS and wireless integration, enabling security teams to monitor which user is accessing what device at what time. Ordr provides two key perspective:

1. User tracking – analysis of all devices accessed by a user, including IoT and OT
2. Device tracking – analysis of which users were logged into a specific device, at what time, duration and more.

Ordr also monitors all devices that use supervisory protocols like SSH, telnet, ftp, etc., associates them with user names, correlates them with the network they logged in from (corporate or guest), and maintains an accurate access record for each and every device as well as each and every user.

We also track and monitor corporate and guest network users. Corporate resources need to be accessed by corporate users with the right credentials from the corporate network. Ordr can alert or trigger the appropriate incident response workflow when a guest network user crosses over to the corporate network.

Finally, organizations can take advantage of all this rich user authentication during a security incident to provide qualifying details such as which network was the entry point, which device the “user” used to get into the network and what authentication methods they used, in addition to detailed Ordr Flow Genome flows.

Account Misuse Use Cases

Our customers have used the Ordr platform in many cases where one or more misuse of user accounts have occurred.

• Unauthorized user accessing accounts – Based on the network data collected in the Ordr Data Lake^TM, we were able to reconstruct extensive and specific activities conducted by a person with an unauthorized-yet-active account, specifically:
  • When the user account was logged on and off, and to which system.
  • What specific resources were accessed.
  • The amount and direction of data transacted (in malware terms, the identification of the data that was exfiltrated.
• Former employee accesses records – In one healthcare environment, we identified that a former nurse used their login credentials at a medical facility to access more than 600 data records. With the information gathered from Ordr, the response and mitigation of the security breach was initiated in a few minutes. Similar incidents have been documented publicly.
• Security cameras with default passwords – Another case involved access to security cameras whose default passwords had not been changed. This can happen not only on new installations but also where a failed unit is replaced by a worker not familiar with the organization’s security requirements. After the initial incident the security team was able to make necessary operational changes to avoid a reoccurrence of this specific problem.

To find out more about how Ordr is helping organizations today, you can view our case studies, webinars and white papers here.

Pandian Gnanaprakasam

Pandian has more than 20 years of product and engineering leadership experience and is also a serial entrepreneur. Before founding Ordr, he was the Chief Development Officer at Aruba, responsible for all of engineering and product management functions. Aruba, an enterprise mobile wireless company, was acquired by HPE for $3 Billion in March 2015. Before Aruba, Pandian served as the head of engineering for Cisco’s multi-billion-dollar Wi-Fi business unit and before that as VP of engineering for low-end switching product lines. He graduated with a master’s degree in Electrical Engineering from IIT, Chennai, India and holds several patents to his credit in various networking technologies.