An alert firing into an unmonitored queue is not detection — it is logging. The organisations that contain incidents well are not always the hardest to breach. They are the ones that noticed fastest and acted on it. Dwell time measured in weeks means weeks of privileged access being abused while your vault dutifully records every session. #CyberSecurity #PrivilegedAccessManagement #PAM

The takeaway is not "deploy more monitoring." It is that PAM binaries and SSH modules need cryptographic integrity verification and behavioural baselines stored outside the systems they protect. Air-gapped networks breed false confidence. Authentication infrastructure is now the primary target, and most security architectures still do not treat it that way. #PrivilegedAccessManagement #IdentitySecurity #CyberSecurity

---

The lesson isn't just "sophisticated nation-state attack." It's that authentication components are assumed-safe territory in most environments — no integrity monitoring, no change alerting, no threat modelling below the application layer. That gap exists everywhere, not just in APT targets. #PrivilegedAccessManagement #IdentitySecurity #CyberSecurity

---

🚨 New integration: Keeper Security and Wiz

Our new integration connects Wiz's cloud vulnerability discovery directly to KeeperPAM, automatically rotating compromised credentials and enforcing least privilege – across human users, machine identities, AI agents and database accounts – the moment a risk is found.

#KeeperSecurity #Wiz #CloudSecurity #PrivilegedAccessManagement #IdentitySecurity

"Third-party access is where good PAM policies go to die. You can govern your internal administrators meticulously and leave a wide-open door for every managed service provider, contractor, and software vendor with admin credentials." From my book on SME cybersecurity. The structural problem: internal PAM has a clear owner. Third-party access lives in the grey area between procurement, IT ops, and security. Grey areas don't get governed. #PrivilegedAccessManagement #VendorRisk #IdentitySecurity

Dave Cartwright puts it plainly: "Third-party access is where good PAM policies go to die." Every external party with privileged access should authenticate through your vault, with sessions you can record and terminate. Vendor resistance to that is a documented risk acceptance, not a reason to leave the door open. #PrivilegedAccessManagement #VendorRisk #IdentitySecurity

Most orgs have strong controls around traditional privileged accounts but treat M365 credentials as lower risk. That's the gap this exploits. Session token theft bypasses MFA entirely — by the time your SIEM alerts, the session is already live somewhere else. Patch, yes. But audit the architecture behind it too. #IdentitySecurity #PrivilegedAccessManagement #ZeroTrust

---

Servers get vaulted. Databases get vaulted. The SD-WAN controller on your perimeter still has the credentials the deployment engineer set three years ago, never rotated, not recorded. Root access is root access regardless of whether your PAM dashboard knows the device exists. #PrivilegedAccessManagement #ZeroDay #CyberSecurity

---

No patch means compensating controls are your only line right now: segment the management plane, enforce MFA on admin interfaces, vault and rotate those credentials, and get session monitoring in place. Can you name every privileged account touching this system and when it last authenticated? If not, start there. #PrivilegedAccessManagement #CyberSecurity #ZeroTrust

---

The organisations that handle this well aren't just patching a CVE. They can rotate credentials on that service account without breaking dependent systems, and they have SIEM data to check whether anything unusual preceded the advisory. That's the difference between reactive and operational. #PrivilegedAccessManagement #IdentitySecurity #CyberSecurity

---