1 Introduction
KuppingerCole analysts have, for some time now, been cognizant of the limitations in the defensive capabilities of Security Information and Event Management (SIEM) solutions. While expectations for SIEM to deliver have been high, research from real world implementations has shown that these solutions are not as effective as had been hoped. This is largely due to the difficulties in calibrating the overwhelming quantity of log and event information collected by SIEM systems in order to separate innocuous events from others that correspond to serious security incidents and merit a rapid response. This difficulty has made SIEM tools more useful for auditing and compliance requirements than as a reliable tool for responding in real time to serious attacks.
In response to these challenges with SIEM, an evolution of its defensive benefits was termed Real-Time Security Intelligence (RTSI). RTSI, like SIEM tools, also relies on the collection, aggregation and correlation of activity information from key systems within an organisation. Yet unlike SIEM, which typically relied on manual calibration and classification of anomalous activity, RTSI makes use of the latest advances in analytics from the big data and business intelligence fields and is thereby able to use sophisticated algorithms and shared intelligence to perform continuous self-calibration. Modern RTSI solutions should now be able not only to detect serious threats, but also to respond automatically to mitigate perceived threats.
While ideally no system within an organisation should be considered exempt from security monitoring and anomalous activity detection, the key importance of protecting privileged system access cannot be overstated. Instead of taking an all-or-nothing approach, risk mitigation should start with those accounts, systems or entitlements that have the potential to cause the greatest detrimental impact to an organisation should they be compromised. In most cases these high-risk privileges, which grant unfettered access to information systems, are known as administrator or root access credentials. It is here that risk mitigation should begin.
Far from being a niche market anymore, Privilege Management (PxM) is increasingly becoming a mandatory component of any enterprise security infrastructure. Many vendors now offer integrated solutions for automated discovery of privileged accounts, storing and managing privileged account credentials in a secured vault, and monitoring of privileged access to servers, databases and network devices. Some vendors go further and implement real-time analytics to detect and/or prevent malicious activities. For a detailed overview of the leading PxM vendors, please refer to the KuppingerCole Leadership Compass on Privilege Management[^1].
CyberArk has been a leading vendor in the PxM market for some time now, and has grown steadily since its founding in 1999 by focusing specifically on the monitoring and control of privileged access. It has released a major update to its threat analytics solution that not only focuses on detection by analysing abnormal and potentially malicious use of privileged accounts, but now also offers real-time, automated remediation response capabilities. CyberArk Privileged Threat Analytics provides a complete view of, and analytics on, privileged credential and account use, covering devices both within and outside of the company's Privileged Account Security Solution management.
When anomalous activity is detected, the solution generates immediately actionable threat alerts and can trigger an automated response. The product integrates with leading Security Information and Event Management (SIEM) solutions and can operate independently, as part of the larger CyberArk solution. This integration allows customers to extend their SIEM investment by feeding it logs and evidence of the detected threat and the response taken by Privileged Threat Analytics, allowing SIEM to act as a monitoring, detection and compliance tool across an entire enterprise’s infrastructure, while Privileged Threat Analytics performs its key task of detecting, alerting, and responding to malicious privileged access.
CyberArk Privileged Threat Analytics delivers advanced analytics, based on patent-pending behavioural and deterministic algorithms, which detect anomalies as they occur. This is done by comparing the historical patterns of privileged access with the current behaviour and use of privileged accounts. While there are other, broad security analytics solutions on the market, such as SIEM and the upcoming Real-Time Security Intelligence[^2] solutions, a specialised product offering targeted monitoring of, and rapid response to, the misuse of privileged accounts provides an RTSI approach to privilege management that is ahead of the curve compared to the more generalised approaches available today.
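To make the "historical pattern versus current behaviour" comparison concrete, the following is an added illustration in Python; it is not CyberArk's code or algorithm, whose details the report does not disclose. The session records are constructed, and the account, source host, target host and timestamp fields are assumed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample privileged-session records (not taken from the report):
# (account, source_host, target_host, ISO-8601 timestamp)
BASELINE = [
    ("root", "jump01", "db-prod-1", "2015-01-05T09:15:00"),
    ("root", "jump01", "db-prod-2", "2015-01-06T10:40:00"),
    ("root", "jump02", "db-prod-1", "2015-01-07T14:05:00"),
    ("admin", "wks-ops3", "web-prod-1", "2015-01-05T11:20:00"),
    ("admin", "wks-ops3", "web-prod-2", "2015-01-08T16:45:00"),
]
CURRENT = [
    ("root", "jump01", "db-prod-1", "2015-02-02T09:30:00"),       # matches baseline
    ("root", "laptop-x", "db-prod-1", "2015-02-02T03:10:00"),     # new source, off-hours
    ("admin", "wks-ops3", "hr-db-1", "2015-02-03T12:00:00"),      # new target
    ("svc-backup", "jump01", "db-prod-1", "2015-02-03T09:00:00"), # never seen before
]

def build_baseline(events):
    """Per-account profile of historically observed sources, targets and hours."""
    profile = defaultdict(lambda: {"sources": set(), "targets": set(), "hours": set()})
    for account, src, dst, ts in events:
        p = profile[account]
        p["sources"].add(src)
        p["targets"].add(dst)
        p["hours"].add(datetime.fromisoformat(ts).hour)
    return profile

def score_event(profile, event, window=2):
    """Return the list of ways this event deviates from the account's baseline."""
    account, src, dst, ts = event
    hour = datetime.fromisoformat(ts).hour
    p = profile.get(account)
    if p is None:
        return ["unknown privileged account"]   # no history at all: treat as anomalous
    reasons = []
    if src not in p["sources"]:
        reasons.append("new source host")
    if dst not in p["targets"]:
        reasons.append("new target host")
    # Off-hours if no historical session fell within +/- window hours (wrapping midnight).
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= window for h in p["hours"]):
        reasons.append("unusual hour")
    return reasons

def detect(baseline, current):
    """Return (account, source, target, reasons) for each current event that deviates."""
    profile = build_baseline(baseline)
    scored = [(e[0], e[1], e[2], score_event(profile, e)) for e in current]
    return [s for s in scored if s[3]]
```

In a real deployment the baseline would be learned continuously from the vault's session records rather than from a fixed list, and each reason would feed an alert or an automated response such as session termination.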