SBIR/STTR Award attributes
Problem Space: OS-Level Privileged Access rights are sometimes called “Administrator Rights” and are inclusive of Local Admin Rights (Windows), sudo rights (Linux) and Administrator rights (Mac OS X). In all cases, Administrator rights may be granted by membership in a Group that is granted Administrator rights, or they may be granted directly to a user. Because of these various mechanisms, the state of privileged access grants across a large environment (thousands or hundreds of thousands of computers) is very difficult to assess accurately. Further, rights tend to accrete over time, and ‘temporary’ grants are rarely revoked when the need ends. Malevolent actors primarily target accounts with Privileged Access rights because those accounts can be used to attack or exfiltrate key data stores, due to the lateral movement capabilities that they provide.

Solution: SecureONE is our solution for managing OS-level Privileged Access in large environments. It deploys as a set of virtual or physical appliances that sit inside the network and reach out to the Mac, Linux and Windows computers on the network to index and inventory the current privileged accounts. Critically, this includes both Windows Active Directory domain accounts and local accounts that the directory is not aware of. The data from the scans is combined with data from Active Directory’s Group, User and Computer objects to provide a full and complete picture of the distribution of privileged access inside the network (see product screenshots in Volume 5). This scanning is done continuously, with results in the Dashboard and Insight views continuously updated; the scan result data is also streamed out via SYSLOG to SIEM or UEBA solution(s), if applicable. In our experience, every environment has far more OS-level privileged access allocated than is strictly needed. To solve this problem, SecureONE can enroll computers in Protect Mode.
In Protect Mode, all of the existing privileged access, whether granted to local accounts or domain accounts, whether directly or via group membership, is revoked. The list of users and groups who previously had privileged access now makes up the Privileged Access Inventory for that computer, and any users (or new members of groups) are permitted to get Just in Time Access (JITA) to that endpoint. To do this, the user first logs into SecureONE using 2FA or MFA, selects the computer they want to get access to, and clicks the Access System button. Within ~100ms, SecureONE grants their account privileged access on that endpoint (assuming the user is in the Privileged Access Inventory) and the user can log onto that system, either locally or remotely, with the needed privileged access. At the conclusion of the JITA session (generally, 4 hours, though that can be extended or manually expired early), the user’s privileged access rights are removed, thus returning the system to a state with Zero Standing Privilege.
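The Protect Mode and JITA lifecycle described above, as an added illustration (not SecureONE code): enrollment revokes all standing admin rights and turns them into the Privileged Access Inventory, a JITA request is granted only after MFA and only to a user who is in the inventory directly or through a group, and a session is removed when it expires, is extended, or is ended early, returning the endpoint to zero standing privilege. The data model, function names, the group resolution stand-in for Active Directory, and the sample principals (`alice`, `bob`, `GRP_ServerAdmins`, `web01`) are assumptions made for the example.

```python
"""Simulation of Protect Mode enrollment and Just in Time Access (JITA)
on one endpoint. Added illustration, not SecureONE code; the data model,
function names and sample principals are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_SESSION = timedelta(hours=4)  # the default JITA session length named in the text


@dataclass
class Directory:
    """Hypothetical stand-in for directory group membership (group -> set of users)."""
    groups: dict

    def members(self, principal: str) -> set:
        # A group resolves to its current members; a plain user resolves to itself.
        return set(self.groups.get(principal, {principal}))


@dataclass
class Endpoint:
    name: str
    admins: set                                   # principals holding admin rights right now
    inventory: set = field(default_factory=set)   # Privileged Access Inventory after enrollment
    sessions: dict = field(default_factory=dict)  # user -> session expiry time
    protect_mode: bool = False
    events: list = field(default_factory=list)    # audit trail (what would be streamed to a SIEM)

    def log(self, msg: str) -> None:
        self.events.append(f"{self.name} {msg}")


def enroll_protect_mode(ep: Endpoint) -> set:
    """Revoke all standing privilege; the revoked principals become the inventory."""
    ep.inventory = set(ep.admins)
    ep.admins.clear()
    ep.protect_mode = True
    ep.log(f"protect_mode enabled inventory={sorted(ep.inventory)}")
    return set(ep.inventory)


def is_entitled(ep: Endpoint, directory: Directory, user: str) -> bool:
    """A user may request JITA if listed in the inventory directly or via a group."""
    return any(user in directory.members(p) for p in ep.inventory)


def request_access(ep: Endpoint, directory: Directory, user: str, mfa_ok: bool,
                   now: datetime, duration: timedelta = DEFAULT_SESSION) -> bool:
    """The 'Access System' step: MFA must have passed and the user must be entitled."""
    if not ep.protect_mode:
        raise ValueError("JITA only applies to endpoints enrolled in Protect Mode")
    if not mfa_ok:
        ep.log(f"jita denied user={user} reason=mfa_failed")
        return False
    if not is_entitled(ep, directory, user):
        ep.log(f"jita denied user={user} reason=not_in_inventory")
        return False
    ep.admins.add(user)
    ep.sessions[user] = now + duration
    ep.log(f"jita granted user={user} until={ep.sessions[user].isoformat()}")
    return True


def extend_session(ep: Endpoint, user: str, extra: timedelta) -> bool:
    """Extend an active session; returns False if the user has no session."""
    if user not in ep.sessions:
        return False
    ep.sessions[user] += extra
    ep.log(f"jita extended user={user} until={ep.sessions[user].isoformat()}")
    return True


def revoke(ep: Endpoint, user: str, reason: str = "expired") -> bool:
    """Remove the user's admin rights (scheduled expiry or manual early expiry)."""
    if user not in ep.sessions:
        return False
    ep.admins.discard(user)
    del ep.sessions[user]
    ep.log(f"jita revoked user={user} reason={reason}")
    return True


def sweep_expired(ep: Endpoint, now: datetime) -> list:
    """Revoke every session whose expiry has passed; returns the users revoked."""
    expired = sorted(u for u, exp in ep.sessions.items() if exp <= now)
    for u in expired:
        revoke(ep, u, "expired")
    return expired


def standing_privilege(ep: Endpoint) -> set:
    """Who holds admin rights on the endpoint at this moment (empty == zero standing privilege)."""
    return set(ep.admins)


def make_scenario():
    """Constructed sample data: one endpoint with a mix of direct and group admin grants."""
    directory = Directory(groups={"GRP_ServerAdmins": {"bob", "dana"}})
    ep = Endpoint(name="web01", admins={"alice", "GRP_ServerAdmins", "svc_backup"})
    return ep, directory, datetime(2024, 1, 1, 9, 0)


def demo() -> Endpoint:
    ep, directory, t0 = make_scenario()
    enroll_protect_mode(ep)
    request_access(ep, directory, "bob", True, t0)     # in inventory via group: granted
    request_access(ep, directory, "carol", True, t0)   # never had rights: denied
    request_access(ep, directory, "alice", False, t0)  # in inventory but MFA failed: denied
    sweep_expired(ep, t0 + DEFAULT_SESSION)            # bob's 4-hour session ends
    return ep


if __name__ == "__main__":
    for line in demo().events:
        print(line)
```

The audit trail kept in `events` is the part a defender cares about most: every grant, denial, extension and revocation is an event worth forwarding to the SIEM, and `standing_privilege()` is the check that should read as empty whenever no JITA session is open.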

