What is an “NPE”?
For those not working at a Federal agency, the acronym ‘NPE’ may be foreign. Or you may know it as service accounts for non-federal organizations. Like any other industry, the US Federal government often has a language of its own. In this instance, NPE stands for non-person entity and is defined as “An entity with a digital identity that acts in cyberspace but is not a human actor.” This cyberspace includes machines, organizations, hardware devices, software applications, code, containers, and information artifacts. For those outside the federal government, think of NPEs as service accounts in the commercial sector.
Why you should be monitoring NPE behavior
74% of data breaches start with privileged credential abuse. [Forbes]
Federal agencies and commercial businesses rely on a stable and secure foundation of infrastructure, applications, and data. Protecting this foundation has become a huge security challenge given the diversity and ever-expanding types of devices, applications, and workload types (cloud, virtual, containers, bare metal) while maintaining operations and services. To exacerbate this, add the potential risks associated with undetected or unmanaged non-person entities. Where is an agency or team to start?
NPEs have a long shelf life, as they are deployed to support administrative or infrastructure processes (used to act on behalf of a person) mostly to support applications. They are not easily traceable to an individual user, which enables them to be run unbeknownst to security teams, enabling unfettered access. They run in the background, execute system commands, and are rarely rotated, which makes them valuable targets for attackers. Once compromised, unmonitored NPEs can enable a “free for all” across your infrastructure and sensitive data without you knowing they are there – helping themselves to a bountiful harvest.
The Federal government has put forth a memorandum M-19-17 from the Office of Management and Budget (OMB) that defines managing identities, credentials, and access in modern government. Within this memorandum, the Government states, “Agencies shall manage the digital identity lifecycle of devices, non-person entities (NPEs), and automated technologies such as Robotic Process Automation (RPA) tools and Artificial Intelligence (AI), ensuring the digital identity is distinguishable, auditable, and consistently managed across the agency. This includes establishing mechanisms to bind, update, revoke, and destroy credentials for the device or automated technology.”
Overall, “as technology evolves, the Government must offer flexible solutions to meet changing technology needs and shift the focus from managing the lifecycle of credentials to the lifecycle of identities.” Without key controls around detecting and managing the risks of these entities, bad actors can “live off the land” and move laterally and with impunity once the NPE credentials have been accessed.
Enabling real-time visibility to manage NPE risks
Security teams of all kinds – federal and commercial focused – need to take a focused approach to NPE risk protection. It’s essential to
- Enhance visibility – establish an inventory of users, identities, non-person entities (NPE), and service accounts, where and how they are used across the infrastructure and all applications.
- Improve risk posture – identify the risks associated with NPEs and know where and how they are used across the application environment.
- Profile and baseline normal behavior – profile the behavior of all NPEs across the application environment in real-time to automatically establish allow-list policies and interactions based on known and normal behavior.
- Proactively detect and respond in real-time – detect anomalous NPE behaviors inconsistent with the known normal behavior, generate alerts only on suspicious behavior, and respond in real-time to compromised NPEs.
Whether they are called NPEs or service accounts, we automatically detect, report, and enforce usage policies across servers, workloads, and applications, notifying security teams and agencies of suspicious behavior that strays from established normal, approved actions.