Controlling unauthorized application usage without increasing costs

Insider Threat By Rick Caccia, VP of product marketing at ArcSight, Network World, 03/02/2009

"Our IT department has identified a potential issue with shared account usage in our applications. Can we control unauthorized usage or will we need to replace the apps? We want to avoid that cost if at all possible."


This is a more common problem than you might expect. Privileged users share administrative accounts, and without a way to track or control this, the organization is at risk of unauthorized activities. Depending on the application, this can be a serious risk. For example, I recently saw one company that had nearly 50 system administrators sharing a generic "admin" account in the legacy customer management system. If one of these folks decided to copy and sell customer records, how would the firm pinpoint the culprit?

Another company saw the same problem with multiple system administrators sharing superuser accounts on Solaris boxes. Any of these admins could log in, add new accounts or change account privileges for malicious access in the future, and the firm would not be able to track down the offender.

The cost of replacement is often high, and in this environment, most organizations don't want to take on the capex of a replacement project if it's not required. A very effective and clever solution is to use correlation technology to connect users' desktop logins with logins to the shared applications. In my first example, with the shared legacy applications, the firm used this technique to avoid replacing its existing (and useful) applications.

Users log in to their Windows desktop machines, so the firm could collect each user's Windows domain ID and IP address. From the application logs, they could collect each user's login and transaction information in the legacy app. With their SIEM product's correlation ability, the company could connect these pieces of data and report who was using the shared account ID at any particular time.

This report allowed the company to enforce a "no shared account" policy in a way that could not be done previously. The best side effect, for the company's CFO, was the ability to defer an application rewrite project for at least a few years. The firm's limited IT staff could focus on projects that support revenue generation instead of simply replacing existing functionality.
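The correlation described above can be sketched as a join on source IP and time. This is an added example, not code from the article or from any SIEM product; the log records, field layout, names and the 10-hour session window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# Desktop logons: (timestamp, Windows domain ID, workstation IP)
DESKTOP_LOGONS = [
    ("2009-03-02T08:01:10", "CORP\\alice", "10.0.5.21"),
    ("2009-03-02T08:15:42", "CORP\\bob", "10.0.5.37"),
    ("2009-03-02T13:02:05", "CORP\\carol", "10.0.5.21"),  # same desk, later shift
]
# Legacy application log: (timestamp, app account, source IP, action)
APP_EVENTS = [
    ("2009-03-02T09:30:00", "admin", "10.0.5.21", "export_customers"),
    ("2009-03-02T09:45:12", "admin", "10.0.5.37", "view_record"),
    ("2009-03-02T14:10:00", "admin", "10.0.5.21", "add_account"),
    ("2009-03-02T14:20:00", "admin", "10.0.9.99", "export_customers"),
]
MAX_SESSION_AGE = timedelta(hours=10)  # assumed upper bound on a desktop session


def attribute(app_events, logons, max_age=MAX_SESSION_AGE):
    """Map each shared-account event to the latest desktop logon from the same IP."""
    by_ip = {}
    for ts, user, ip in logons:
        by_ip.setdefault(ip, []).append((datetime.fromisoformat(ts), user))

    report = []
    for ts, account, ip, action in app_events:
        when = datetime.fromisoformat(ts)
        # Only logons that happened before the event, on the same workstation IP.
        earlier = [(t, u) for t, u in by_ip.get(ip, []) if t <= when]
        user = "UNATTRIBUTED"
        if earlier:
            logon_time, candidate = max(earlier)
            # A stale logon is weak evidence; refuse to guess past the window.
            if when - logon_time <= max_age:
                user = candidate
        report.append((ts, account, action, ip, user))
    return report


if __name__ == "__main__":
    for row in attribute(APP_EVENTS, DESKTOP_LOGONS):
        print("{}  {:<6} {:<17} {:<10} -> {}".format(*row))
```

Events that stay `UNATTRIBUTED` (no desktop logon from that IP, or only a stale one) are the rows to review first, since they are shared-account use the correlation cannot tie to a person.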
