Thycotic Privileged Account Management. PHOTO: Cybercrime Magazine.

Thycotic: White Hat Hackers Jumping On The Privileged Account Management Bandwagon

Penetration testers have started recommending PAM solutions

– John P. Mello, Jr.

Sausalito, Calif. – Sep. 12, 2018

If there’s one thing most cyber attacks on organizations have in common it’s compromised credentials that give an adversary privileged access to a network.

“Privileged accounts are the keys to an organization’s kingdom. They’re your crown jewels,” said Jai Dargan, vice president of product management at Thycotic.

Thycotic, based in Washington, D.C., makes solutions aimed at foiling intruders bent on gaining unauthorized access to a company’s secrets through a legitimate user’s identity. Those solutions are part of a hot product category known as PAM — Privileged Access Management. (It’s also referred to as PIM — Privileged Identity Management — and the broader IAM market— Identity and Access Management.)

With a PAM solution in place, adversaries have a tougher time penetrating a network and snatching access to privileged accounts. PAM protects privileged groups that have access to domain-joined computers and applications. It also gives organizations better visibility and transparency into who has privileged credentials and what they’re doing with them.

PAM’s value to the security of an organization’s digital assets is starting to become widely recognized. For example, Gartner, in a recent list of Top 10 Security Projects for 2018, recommended privileged account management number one.

“Thycotic’s goal is to protect 20,000 companies around the world from cyber attacks – with free privileged account security software worth $100 million” – Steve Morgan, Editor-In-Chief at Cybercrime Magazine

“PAM is getting the attention of CISOs and CIOs now because people are starting to see PAM as not just vaulting of a password,” Thycotic’s Dargan explained. “It’s a very complex cyber defense discipline. It requires very careful risk-based operational management and control planning.”

Better Security Driving Growth

Security practitioners are also interested in PAM because they’re realizing the critical role credentials play in much of the cyber intrusions taking place today. “Eighty percent of all cyber attacks involve weak or stolen privileged account passwords,” said Thycotic’s CMO Steve Kahan.

Privileged account compromise also plays a leading role in attacks on rapidly expanding technologies. A recent survey by BeyondTrust found that 52 percent of organizations reported that when next-generation technologies such as IoT devices and the cloud are breached, it’s due to users having excessive privileges.

A number of factors will be driving growth in the PAM market over the next three to six years.

One such factor is PAM solution’s ability to protect organizations from advanced cyber threats, such as Zero Day exploits, where conventional security solutions fail, Prescient & Strategic Intelligence noted in a market report.

It added that such solutions can accelerate responses to cyber attacks and work conveniently with existing security frameworks, which are also spurring adoption of the technology.

Increased productivity is another growth driver for the technology, it noted. PAM solutions provide for single sign-on and federated identities to be used by employees. That removes the hassle of multiple login credentials for multiple business processes, as well as boost security.

Exploding Market

Compliance requirements are also fueling growth, P&S reported. More and more IT administrators are deploying the PAM solutions to meet the recommendations of auditors for better credentials and risk management.

Thycotic’s Dargan explained that compliance pressure is coming from a number of different directions.

For example, privileged accounts are catching the attention of regulators. “Privileged accounts are increasingly being mentioned explicitly in different regulatory frameworks,”  he said.

“Over time, regulators are going to mandate recording and managing privileged sessions,” he added. Such recordings are part of a typical PAM solution.

White Hat hackers hired to test the security of organizations are also getting on the PAM bandwagon. “Penetration testers, when they conduct audits on companies, are finding weaknesses with safeguarding privileged accounts and as part of their recommendations are recommending a PAM solution,” Dargan observed.

“Very few organizations can answer questions such as how many privileged account passwords do you have, who has access to them, how often are they changed, are they shared and how rigorously are they managed?” added Thycotic’s Kahan. “That’s why the market is exploding.”

Better Than 25 Percent Growth

All these factors will contribute an annual growth rate for the PAM market of a minimum of 25 percent over the next two to five years, according to Cybersecurity Ventures.

Data Bridge Market Research forecasts the global privileged identity management market, which it pegged at $1.06 billion in 2016, will grow at a compound annual rate of 33.3 percent from 2017 to 2024.

Meanwhile, MarketsandMarkets predicts the market will reach $3.79 billion by 2021, growing at a CAGR of 32.7 percent.

“The need for stronger, modern authentication, privileged access management, and new business enablement will further propel key IAM players into double-digit growth,” noted Tom Austin, research vice president for security products at IDC and author of a study on the IAM market.

Kahan added that PAM is becoming a critical layer in an effective security strategy.

“Privileged accounts represent one of the most vulnerable aspects of an organization’s IT infrastructure because they’re used by system administrators, third-party and cloud-service providers, applications and business users, and DevOps personnel,” he said, “and they’re on nearly every connected device — servers, hypervisors, operating system databases, applications, and industrial control systems.”

A Robust PAM Lineup

Thycotic, which has 10,000 customers worldwide and recently made the Inc. 5000 for the sixth year in a row,  offers a number of PAM products.

  • Secret Server, which has both on-premise and cloud versions, offers secure vault and password management with Active Directory integration; discovery of local and active directory privileged accounts; automatic password changing for network accounts; enhanced auditing and reporting; CRM, SAML, HSM integrations; service account and dependency management; approval workflows; Unix protection; advanced scripting; high availability and disaster recovery; and tech support, a knowledge base, and forums.
  • Privileged behavior analytics for Secret Server, which uses machine learning to create real-time graphical views of privileged accounts and access patterns for individual users across an enterprise and to provide early warning alerts of potential account compromises by hackers or malicious insiders.
  • A self-service portal that allows employees to update their Active Directory attributes such as address and phone numbers, and securely reset their AD and Office 365 passwords. It also allows IT administrators and security teams to enforce custom end-user password security policies.
  • Privilege Manager, which can be integrated with Secret Server through an API, a “least privilege” program that removes administrative rights from domain and non-domain endpoints, including hard-coded credentials to thwart attacks through local administrator accounts.
  • Professional services and technical training are also offered to help customers set up their environments, establish best practices, and teach their employees what they need to know to protect privileged accounts.

A Different Kind of PAM Company

Thycotic’s approach to privileged account management differs from others in the market in several ways. It’s designed to be deployed without the need for a lot of professional services. Ease of use is a hallmark of the solution, as well as the use of self-service. And it costs less to implement. “Usability is key to us,” Dargan said. “We want IT administrators and security professionals to be totally self-sufficient because when you’re self-sufficient, you’re guaranteeing higher adoption.”

“Adoption is a key metric,” he continued. “If you put in a user password management solution or a privileged accounts management solution and it’s not deployed correctly, governed well or adoption is not measured or tracked, then the project will fail and you will actually be more insecure than where you started from.”

“From day one for us, it’s been about simplicity,” Kahan added. “Organizations of every size want that. They don’t want to rely on professional services.”

In addition, Thycotic’s user interface, which is highly customizable, is designed with multiple types of users in mind. “When you look at the users of PAM technology, they’re in security, they’re system administrators, they’re ops personnel, they’re in DevOps,”  Kahan explained. “They’re people who are overwhelmed. They’re super busy. Security is only part of their job so they want tools that don’t get in the way of their productivity. That’s been built into our design.”

Dargan sees PAM solutions becoming the hub of security in the organization of the future. “All an organization’s systems can be integrated into this one centralized repository where privileged sessions are recorded and managed, where deep auditing is occurring around any user activity,” he said. “Any time a cursor is moving on a screen and accessing a secret, that activity is being logged and managed by an analytics solution. From there it’s integrated into your hardware, your laptops, your servers, your endpoints in your environment.”

“When you think of PAM that way,” he continued, “it becomes the central nervous system of a company’s entire cyber defense, posture and strategy.”

“If we make PAM simple, PAM can be the next big thing in security, the way antivirus was 20 years ago,” he added.

John P. Mello, Jr. is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cybersecurity.

Cybercrime Magazine is recognizing a handful of growing and mid-sized companies in the “Small Giants in Cybersecurity” series launching Q4 2018. These relatively new or emerging firms — in comparison to household-name cybersecurity giants — have demonstrated longevity, innovation, and expertise in protecting against hacks and breaches, ransomware attacks, insider threats, and more. Both the companies and their leaders are highlighted in this ongoing feature series, showcasing their knowledge, commitment, and adept prowess in dealing with unique cybersecurity issues.

Read about more Small Giants here.