Service Accounts can represent tremendous security risk for enterprises. And many of our customers struggle with how to best identify, control and protect these accounts. Let’s take a closer look at what service accounts are and what organizations can do to protect service accounts from attackers and insiders.
You may have noticed that the industry has changed the way that it talks about behavioral analytics. First we started talking about UBA (User Behavior Analytics) and then this quickly evolved to UEBA (User and ENTITY Behavior Analytics). The addition of the word “entity” is important because it calls out the fact that there's a lot of things in our networks that aren't just normal human users. There are non-human accounts, service accounts, within the Active Directory environment that are used to run services or applications such as file shares, database access, web access, etc. These are the things that make our applications and networks run the way we expect and want them to.
There are several key security challenges with service accounts:
- The directory server doesn't really have a good way to distinguish service accounts from humans
- Services tend to be very privileged accounts. They need to do very important things and at times are added as administrators and even domain administrators which can be very risky
- These accounts don't change passwords that often or are set to not expire because there is concern about breaking things if the password changes
These attributes make for a very inviting target for attackers. If an attacker can compromise a privileged service account it can make it very easy for them to spread malware across the environment and very quickly extend their attack. They can also be deceptive and make their attack scripts appear to be human just to help them kind of blend in. The inverse is also true where at times we have users, or insiders, that will sometimes try to use the privileges or credentials of a service account in order to get into and access things that they don't have privileges for themselves. All of these are important security issues.
How can we identify, control and protect them? In this video, we dive into more detail on how to:
- Identify service accounts and shared or stale accounts
- Analyze incidents to look for risk and compromise
- How to enact policies automatically to preempt a threat to service accounts
- How to block interactive logins