When good admins go bad

Let’s face it: security breaches will happen. The real question is when. The recent Verizon data breach report only reinforces this, with strong growth in the number of attacks reported across the board.


Many organizations buy peace of mind by investing in expensive SIEM solutions that help them detect, and in some cases prevent, well-known attacks. However, security has always been reactive, and there is no way to get a 100% guarantee that your data won’t be stolen or that a line-of-business application won’t be brought down by professional hackers, external contractors or your own employees…


If you have ever tried to protect your organization from its own employees, you know what a headache it is. The more an attacker knows and the more they have access to, the harder it becomes to build a fence they cannot jump over. How do you protect against privilege abuse, data tampering and information leakage when those people feel mistreated and decide to act on it? What stops them from going to a secured network share and tampering with the personal data customers entrusted to the organization, such as patient records or credit card numbers? There will always be exceptions to the rules: admins who do not need access to certain data still have it, just in case something breaks and they are the ones who have to fix it.


So, how can you track your own admins to make sure they do not go beyond their responsibilities? SIEM solutions will be of little to no use here. Such activity slips under their radar and gets buried in the audit trails of hundreds of thousands of law-abiding users doing their day-to-day work. Pattern-based detection will always lag behind the attacker’s creativity and the ever-increasing complexity of the IT infrastructure. If you cannot prevent bad things from happening, you had better be ready to respond to them.

Organizations need a combination of security talent and tools that let them investigate breaches as quickly as possible, before the losses to the business reach a multimillion-dollar scale.


This is where products like Quest InTrust shine. With its forensic analysis and event querying capabilities, InTrust helps security specialists find the root cause of a breach, replay the attacker’s actions and prepare evidence of the malicious activity.


I’d like to end this post with a quick video that walks you through a classic real-world “admin goes bad” scenario. Big thanks to Dmitry Petrashev, the analyst on the InTrust team who put it together.

In this video you’ll see how InTrust helps you track down the bad guy from the point where he exploits the system, then masks his actions under another user’s account, tampers with data he shouldn’t have access to, and finally covers his tracks to go unnoticed.
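To make the three steps of that scenario concrete (masking as another user, touching data the admin has no business with, then clearing the log), here is a small correlation written for this post as an added example. It is not code from the original page and not InTrust’s own logic. It works over a constructed extract of Windows Security events in a made-up pipe-delimited form; the host names, account names, share paths and the 30-minute correlation window are all assumptions. The event IDs are the standard Windows ones: 4648 (logon with explicit credentials), 4663 (object access) and 1102 (audit log cleared).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample (not real captured data) of Windows Security log records,
# flattened to "time|event_id|key=value|...". Event IDs are the standard ones:
# 4648 = logon using explicit credentials (subject runs as target),
# 4663 = an attempt was made to access an object, 1102 = audit log was cleared.
SAMPLE_LOG = r"""
2024-05-01T02:10:44|4648|host=FS01|subject=CORP\jdoe-admin|target=CORP\nurse07
2024-05-01T02:12:03|4663|host=FS01|subject=CORP\nurse07|obj=\\FS01\Patients\records.db
2024-05-01T02:12:41|4663|host=FS01|subject=CORP\nurse07|obj=\\FS01\Patients\billing.xlsx
2024-05-01T02:15:09|1102|host=FS01|subject=CORP\jdoe-admin
2024-05-01T09:00:12|4648|host=APP02|subject=CORP\svc-backup|target=CORP\svc-backup
2024-05-01T09:01:30|4663|host=APP02|subject=CORP\svc-backup|obj=\\APP02\Backups\nightly.bak
"""


@dataclass
class Event:
    time: datetime
    event_id: int
    host: str
    subject: str      # account that performed the action
    target: str = ""  # 4648 only: account whose credentials were used
    obj: str = ""     # 4663 only: object that was accessed


@dataclass
class Finding:
    admin: str             # account that supplied the explicit credentials
    masked_as: str         # account the admin ran as
    host: str
    started: datetime      # time of the 4648 that opened the chain
    accessed: list[str] = field(default_factory=list)
    log_cleared: bool = False


def parse_line(line: str) -> Event:
    ts, eid, *kv = line.split("|")
    fields = dict(part.split("=", 1) for part in kv)
    return Event(time=datetime.fromisoformat(ts), event_id=int(eid),
                 host=fields["host"], subject=fields["subject"],
                 target=fields.get("target", ""), obj=fields.get("obj", ""))


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.strip().splitlines()]


def trace_masked_activity(events: list[Event], sensitive_prefix: str,
                          window: timedelta = timedelta(minutes=30)) -> list[Finding]:
    """Chain 4648 (run as someone else) -> 4663 on a sensitive path by that
    someone else -> 1102 by either account, all on one host within `window`.
    Only chains that actually touched sensitive data are reported."""
    chains: list[Finding] = []
    for e in sorted(events, key=lambda ev: ev.time):
        # A 4648 where subject != target is the "masking" step; same-account
        # 4648s (scheduled tasks, service accounts) are ignored.
        if e.event_id == 4648 and e.target and e.target.lower() != e.subject.lower():
            chains.append(Finding(e.subject, e.target, e.host, e.time))
            continue
        for c in chains:
            if e.host != c.host or not (c.started <= e.time <= c.started + window):
                continue
            if (e.event_id == 4663 and e.subject == c.masked_as
                    and e.obj.lower().startswith(sensitive_prefix.lower())):
                c.accessed.append(e.obj)
            elif e.event_id == 1102 and e.subject in (c.admin, c.masked_as):
                # 1102 survives the clear: it is the first record in the new log.
                c.log_cleared = True
    return [c for c in chains if c.accessed]


def summarize(f: Finding) -> str:
    return (f"{f.admin} ran as {f.masked_as} on {f.host} from {f.started:%Y-%m-%d %H:%M}, "
            f"touched {len(f.accessed)} sensitive object(s); audit log cleared: "
            f"{'yes' if f.log_cleared else 'no'}")


if __name__ == "__main__":
    for finding in trace_masked_activity(parse_log(SAMPLE_LOG), r"\\FS01\Patients"):
        print(summarize(finding))
```

The point of the example is the correlation, not the format: an admin who can clear the Security log on the file server can also stop whatever ships events off it, so this chain is only recoverable if the events were forwarded to a collector the admin does not control before the 1102 was written. That is exactly the gap a central audit store such as the one described above is meant to close.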