I remember watching Saturday morning cartoons when they would air a lot of those public service announcements with the shooting star tagline “The More You Know” (yes, I’m dating myself a bit here). I still see that pop up every now and then as a meme on Facebook or Twitter somewhere. But, as funny as it can be nowadays when the internet gets a hold of it for one funny GIF or another, there’s a pretty relevant idea buried in this that the Information Security industry can really take to heart, especially in an era where things move as fast as they do, and organizations are constantly bombarded with one-size-fits-all solutions promised by one vendor or another.
Sure, we all want to find a way to improve the security posture of our organizations, and most of us in technology got there because we’re really good at finding the path of least resistance when it comes to accomplishing tasks. But often, decision makers will skip one very key step in the process when selecting a software product and trying to implement it as a security control on their network. That is, they don’t have a good handle on what they have, what’s actually going on within their network, or what the scope of the problem is that they want to solve. As one of my favorite SANS instructors told me (and has been echoed by many): You can’t protect what you don’t know you have.
When I first started here at Thycotic, one of the features of Secret Server that jumped out at me was the various discovery tools in the suite for Windows, Unix, and VMware accounts. I distinctly remember the conversation I had at that time with our company founder when he first showed it to me:
Nathan: “So, wait. You have a module here that will automatically scan and find all these privileged accounts wherever they are and how they’re being used?”
Founder: “Yes. Just something we tossed in to make it easier to populate the encrypted store.”
Nathan: “Wait, wait, wait… this was an almost incidental tool?!? If I had known this back in my days as a sysadmin, this would have solved SO many problems for me!”
Founder: “Really? That’s cool. Maybe you can let more people know about it.”
Nathan: “Not just that, but maybe we should make this a tool people can use to scope out their network and see just how many accounts they have running around out there. THAT would be cool!”
Well, I’m pleased to say that somewhere along the way, that conversation must have stuck because we’ve recently released a standalone version of that very module as the Privileged Accounts Discovery for Windows tool. And best of all, it’s free.
Now, you can use a very simple, purpose-built tool that can scan the Windows systems on your network and identify where privileged accounts exist on your systems, how they’re being used (running Windows Services, Scheduled Tasks, etc.), whether or not they’re expired, and much more information about each credential. All of this can be output in a CSV file that you can use to do some additional analysis, or to an Executive Risk Report in PDF format that will represent the findings in charts and graphs along with providing remediation recommendations.
If you’re a decision maker looking into purchasing a full-fledged Privileged Account Management solution, this tool is an excellent first step that can give you visibility into the true scope of what you’re going to be dealing with. Know up front how big the problem is so that you can ensure you purchase the right product with the right feature set the first time. Don’t budget for something that turns out not to be able to get the job done, only to have to go back to your executives or finance team to request even more budget and go through the whole process again. If you’re an operations team member or a sysadmin, this sort of tool will help you have a better understanding of what the implementation will look like and which stakeholders and other admins may need to get involved, and it may even reveal some of those servers and workstations that have slipped through the cracks of your inventory or asset management system. And for security folks, this kind of visibility is absolutely key to finding where the possible attack vectors are in the environment and beginning to build the necessary controls to lock them down and protect the assets these privileged credentials are able to access. All of this, from a free tool no less.
There’s so much benefit for all teams involved that skipping that initial step of understanding what you have and the full scope of the problem you’re trying to solve needs to be avoided at all costs. There are plenty of ways to do these assessments quickly and efficiently, with the long-term return being more than worth the investment in taking that beginning step. So, decision makers out there? Consider this your own personal Public Service Announcement to help during your next software purchase. The More You Know, indeed…