3 tips to revealing hidden security risks with behavior analytics

Upload: beyondtrust

Post on 08-Jan-2017

Category: Software

TRANSCRIPT

3 TIPS TO REVEALING HIDDEN

SECURITY RISKS WITH BEHAVIOR

ANALYTICS

[email protected] * www.secureanchor.com

Secure Anchor is All Cyber Defense, All of the Time

PREVENT – DETECT - RESPOND

THERE IS REALLY ONLY 1 QUESTION

Do you want to win? OR do you want to be a loser?

BTW, I am a loser

If you have not detected an attack/compromise in the last 6 months, it is not because it is not happening – it is because you are not looking in the right areas…


You are either hunting or being hunted

Security MUST be focused on minimizing the impact and controlling the damage

Two key metrics are: DWELL TIME and LATERAL MOVEMENT

PREVENTION IS IDEAL BUT DETECTION IS A MUST

RECENT MAJOR BREACHES

(table: one row per breach with columns Attack Methodology, Dwell Time, Lateral Movement; the breach rows did not survive in the transcript)

Insiders Are Responsible for 90% of Security Incidents *

Malicious

∙ Fraud/Data Theft

∙ Inappropriate access

∙ Disgruntled employee

Unintentional

∙ Misuse of systems

∙ Log-in/log-out failures

∙ Cloud storage

(chart split between the two categories: 71% / 29%)

* Verizon 2015 Data Breach Investigations Report; Kaspersky Lab 2016 Security Risks Special Report

Are You Focused on the Correct Area?

Insiders: Excessive Privileges

Shared Privileged Access Credentials

• Several admins / common credentials

• Lack of accountability

• Compliance (e.g., SOX, HIPAA, GLBA, PCI)

• Maintenance for routine changes / turnover

• Amplified threats from disgruntled insiders

Password Security

• Strength / storage issues

• Communications with administrators

• Routine changes

Need for Dual Control

• Production, critical or sensitive systems

• Compliance requirements (developer or administrative access to production systems)

Security of Embedded Passwords

• Passwords hardcoded & passed in code or scripts

• Difficult to change / maintain compliance
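Hardcoded credentials are usually found by reading the scripts themselves. As an added example (not part of the deck and not code from any BeyondTrust product), the Python below scans a constructed backup script for the three common embedding patterns: a literal assignment to a password/secret variable, credentials embedded in a URL, and a password passed on a command line. The regex patterns, the sample script and the `scan` function name are assumptions for illustration. The line that reads a token from a secrets file at run time is deliberately left unflagged, because fetching the credential when the job runs is the remediation the slide is pointing at.

```python
"""Scanner for hardcoded credentials in shell scripts (added example, not from the deck)."""
import re

# Each pattern names one way a secret ends up embedded in a script.
# A value that starts with '$' is a variable expansion, not a literal secret,
# so the assignment pattern skips it (negative lookahead).
PATTERNS = [
    ("assignment", re.compile(
        r"""(?i)(pass(word|wd)?|secret|api[_-]?key|token)\s*[=:]\s*['"](?!\$)[^'"]{4,}['"]""")),
    ("url_userinfo", re.compile(
        r"""[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@""", re.IGNORECASE)),
    ("cli_flag", re.compile(
        r"""\b(sshpass\s+-p|mysql\b.*\s-p|psql\b.*--password=|curl\b.*\s-u)\s*\S+""")),
]

# Constructed sample: a nightly backup job of the kind the slide describes.
SAMPLE_SCRIPT = """\
#!/bin/bash
# nightly backup job (constructed example)
DB_PASSWORD="Summer2016!"
mysqldump -u backup -p"$DB_PASSWORD" crm > /tmp/crm.sql
scp /tmp/crm.sql backup@10.0.0.50:/backups/
sshpass -p 'S3cretBackup' ssh svc_backup@10.0.0.51 'rotate.sh'
curl -s https://svc_api:hunter2@api.internal.example/export
export VAULT_TOKEN="$(cat /run/secrets/vault-token)"
"""


def scan(text):
    """Return [(line_number, kind, redacted_line), ...] for each line that embeds a secret.

    The matched span is replaced with <redacted> in the returned context so that the
    scanner's own findings do not become one more copy of the credential.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind, pattern.sub("<redacted>", line)))
                break  # one finding per line is enough to act on
    return findings


if __name__ == "__main__":
    for lineno, kind, context in scan(SAMPLE_SCRIPT):
        print(f"line {lineno:3}  {kind:13}  {context}")
```

Three lines are reported (the literal assignment, the `sshpass -p` flag and the URL with embedded user:password); the `mysqldump` line passes because its password comes from a variable, and the last line passes because the token is read from a secrets file when the script runs, which is what makes rotation possible without editing code.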

External Attackers: Vulnerabilities

System or Network Availability

• Operational impacts (performance and downtime) from exploitation of widely publicized vulnerabilities (Heartbleed, Shellshock, POODLE, GHOST, etc.) and the malware that targets them

Data Overload

• Easy to find

• Hard to fix

Cost of Remediation

Security

• Unauthorized assets on network

• Default or weak passwords

• Inadequate network access controls

• Unauthorized access

• Unauthorized website changes and defacements

THE EVOLVING THREAT ENVIRONMENT

Most (2/3) don’t know they’ve been attacked

Present for over 200 days before detected

Too easy to successfully attack most companies

• Phishing – High percentage can be socially engineered to click

• Popular sites (water holes) infected

• Most client systems have several known vulnerabilities

• Some attacks leverage non-publicized vulnerabilities

• Once inside undetected, lateral expansion occurs seeking privileged access to key systems often without need to exploit a vulnerability

Expanding target base and content

• No longer limited to defense, financial, large F100 companies

• Includes small, medium sized businesses where controls are lacking

• Thefts - far beyond specific product IP to business plans and how it operates

Sophisticated attack methods / tools - mostly not needed

• Leverages off-the-shelf malware but with variations

• 70% of attacks use standard malware but have unique signatures

COMMON PITFALLS

Trying to protect IP without business sponsorship

• Owners of information must be accountable and take lead to protect information

• Security can help with tools, best control practices, awareness

Thinking technical controls address most issues

• Most large risk management programs require a holistic approach (e.g., 7 steps to effective compliance)

• Governance (oversight), corporate polices

• Employee education and awareness

• Leadership from key groups (Business, Research, Manufacturing, Legal, HR, IT, …)

• Monitoring, response to incidents, enforcement, and assessments

Trying to lead vulnerability management from Security

• IT Operations are accountable for the security of systems under their management

• Security can help with tools, communications and metrics

Trying to implement too many tools

• Very challenging to introduce another console or agent

• Look at the overall security framework / architecture and define key control solutions

• Look for synergies & integration between tools (some can provide additional benefits)


To defend against an adversary you must understand how the adversary operates, so a proper defense can be built….

If the offense knows more than the defense you will lose…..

Focus on Behavior & Analytics

Activity patterns focused on data:

— Amount of data accessed

— Failed access attempts

— Data copied or sent to external sources

There are differences in activity between a normal user and an insider threat.
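As an added example of what "focus on behavior, not signatures" means for the three data-centric patterns just listed, the Python below (written for this page, not taken from the deck or from any vendor product) builds each user's own baseline from constructed access-log lines and flags the day on which a user reads far more than usual, accumulates failed access attempts, and pushes data to an external destination. The log format, the median/MAD threshold, the floor values, the destination list and the function names are all assumptions for illustration.

```python
"""Per-user behavioral baseline over data-access events (added example, not from the deck)."""
from collections import defaultdict
from statistics import median

# Constructed sample log, one event per line: "<date> <user> <action> <bytes> <destination>"
# action is READ (data accessed), DENIED (failed access attempt) or SEND (data copied out).
SAMPLE_LOG = """\
2016-12-01 alice READ 120000 fileshare
2016-12-02 alice READ 95000 fileshare
2016-12-03 alice READ 110000 fileshare
2016-12-04 alice READ 130000 fileshare
2016-12-05 alice READ 4200000 fileshare
2016-12-05 alice DENIED 0 hr-share
2016-12-05 alice DENIED 0 finance-share
2016-12-05 alice DENIED 0 legal-share
2016-12-05 alice SEND 3900000 dropbox.com
2016-12-01 bob READ 500000 fileshare
2016-12-02 bob READ 620000 fileshare
2016-12-03 bob READ 480000 fileshare
2016-12-04 bob READ 550000 fileshare
2016-12-05 bob READ 590000 fileshare
2016-12-05 bob SEND 20000 partner.example.com
"""

INTERNAL_DESTINATIONS = {"fileshare", "hr-share", "finance-share", "legal-share"}  # assumed

# Absolute floors (assumed tuning values): a signal fires only when the day's value
# exceeds BOTH the floor and the user's own baseline, so low-volume users do not self-alert.
FLOORS = {"read": 50_000, "denied": 2, "external": 1_000_000}

FEATURE_LABELS = {"read": "read_volume", "denied": "failed_access", "external": "external_transfer"}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            date, user, action, nbytes, dest = line.split()
            events.append({"date": date, "user": user, "action": action,
                           "bytes": int(nbytes), "dest": dest})
    return events


def daily_features(events):
    """-> {user: {date: {"read": bytes, "denied": count, "external": bytes}}}"""
    feats = defaultdict(lambda: defaultdict(lambda: {"read": 0, "denied": 0, "external": 0}))
    for e in events:
        day = feats[e["user"]][e["date"]]
        if e["action"] == "READ":
            day["read"] += e["bytes"]
        elif e["action"] == "DENIED":
            day["denied"] += 1
        elif e["action"] == "SEND" and e["dest"] not in INTERNAL_DESTINATIONS:
            day["external"] += e["bytes"]
    return feats


def robust_threshold(history, floor, k=3.0):
    """median + k * MAD of the user's own history, never below `floor`.

    The median absolute deviation is used instead of the standard deviation so that
    one earlier bad day cannot inflate the baseline and hide the next one.
    """
    if not history:
        return floor
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return max(med + k * mad, floor)


def score_user(days, today, floors=FLOORS):
    """Return the set of signal labels that fire for `today` against the user's earlier days."""
    baseline = [f for d, f in days.items() if d < today]
    current = days.get(today, {"read": 0, "denied": 0, "external": 0})
    return {label for feature, label in FEATURE_LABELS.items()
            if current[feature] > robust_threshold([b[feature] for b in baseline], floors[feature])}


def hunt(log_text, today):
    """-> {user: set_of_signals}; two or more signals on one day is worth an investigation."""
    return {user: score_user(days, today)
            for user, days in daily_features(parse_log(log_text)).items()}


if __name__ == "__main__":
    for user, signals in hunt(SAMPLE_LOG, "2016-12-05").items():
        verdict = "INVESTIGATE" if len(signals) >= 2 else ("watch" if signals else "normal")
        print(f"{user:6} {verdict:11} {sorted(signals)}")
```

No signature is involved: alice is flagged on 2016-12-05 because 4.2 MB read, three denied shares and 3.9 MB sent to dropbox.com are each far outside her own four-day history, while bob's 590 KB read and small partner transfer sit inside his. In production the baseline window would be weeks rather than days and the floors would be tuned per data class, but the comparison stays the same: the user against themself.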

5 STEPS FOR SECURING ENDPOINTS

1. Control and manage privileged access

2. Focus on vulnerability remediation with clear metrics

3. Prioritize risks based on criticality of information

4. Monitoring and timely detection is key

5. Communicate clear metrics to your executives

Are You Ready to Take….. The Dr. Cole Challenge

Focus on rogue behavior not signatures

Focus on outbound traffic:

– Number of connections

– Length of the connections

– Amount of data
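The Dr. Cole Challenge names three outbound measurements. As an added example (not from the deck and not vendor code), the Python below profiles constructed connection records per source/destination/port and raises the three findings a hunter would act on: a regular call-home cadence (many connections at near-constant intervals), an unusually long-lived session, and bulk egress. The CSV layout, the thresholds and the function names are assumptions for illustration.

```python
"""Outbound connection profiling for the three Dr. Cole measurements (added example, not from the deck)."""
import csv
import io
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: source, destination, port, start (epoch seconds), duration, bytes sent out.
SAMPLE_CONNECTIONS = """\
src_ip,dst_ip,dst_port,start,duration_s,bytes_out
10.0.0.5,203.0.113.7,443,1480000000,2,512
10.0.0.5,203.0.113.7,443,1480000300,2,498
10.0.0.5,203.0.113.7,443,1480000598,3,530
10.0.0.5,203.0.113.7,443,1480000900,2,501
10.0.0.5,203.0.113.7,443,1480001201,2,515
10.0.0.5,203.0.113.7,443,1480001500,2,505
10.0.0.5,203.0.113.7,443,1480001800,2,499
10.0.0.5,203.0.113.7,443,1480002099,2,507
10.0.0.8,198.51.100.20,443,1480000000,15,20480
10.0.0.8,198.51.100.20,443,1480000040,4,3100
10.0.0.8,198.51.100.20,443,1480000900,30,65000
10.0.0.8,198.51.100.20,443,1480000910,2,900
10.0.0.8,198.51.100.20,443,1480002500,12,17000
10.0.0.8,198.51.100.20,443,1480002600,6,4200
10.0.0.8,198.51.100.20,443,1480007000,9,8800
10.0.0.9,192.0.2.33,22,1480000000,18000,2147483648
"""

# Assumed tuning values.
THRESHOLDS = {
    "beacon_min_count": 6,             # number of connections before cadence is meaningful
    "beacon_max_cv": 0.1,              # std dev / mean of the gaps between connection starts
    "long_session_s": 3600,            # length of the connection
    "bulk_egress_bytes": 500 * 2**20,  # amount of data sent out
}


def load(text):
    return [{"src": r["src_ip"], "dst": r["dst_ip"], "port": int(r["dst_port"]),
             "start": int(r["start"]), "duration": int(r["duration_s"]),
             "bytes_out": int(r["bytes_out"])}
            for r in csv.DictReader(io.StringIO(text))]


def profile(conns):
    """Summarise each (src, dst, port) pair: count, cadence regularity, longest session, bytes out."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["src"], c["dst"], c["port"])].append(c)
    summary = {}
    for key, items in groups.items():
        starts = sorted(c["start"] for c in items)
        gaps = [later - earlier for earlier, later in zip(starts, starts[1:])]
        # Coefficient of variation of the gaps: a scripted call-home has almost none,
        # a person browsing the same site has a lot.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        summary[key] = {"count": len(items), "interval_cv": cv,
                        "max_duration": max(c["duration"] for c in items),
                        "bytes_out": sum(c["bytes_out"] for c in items)}
    return summary


def flag(summary, t=THRESHOLDS):
    """-> {(src, dst, port): [reasons]} for pairs that deserve a look."""
    findings = {}
    for key, p in summary.items():
        reasons = []
        if (p["count"] >= t["beacon_min_count"] and p["interval_cv"] is not None
                and p["interval_cv"] < t["beacon_max_cv"]):
            reasons.append("beaconing")
        if p["max_duration"] > t["long_session_s"]:
            reasons.append("long_session")
        if p["bytes_out"] > t["bulk_egress_bytes"]:
            reasons.append("bulk_egress")
        if reasons:
            findings[key] = reasons
    return findings


def challenge(text):
    return flag(profile(load(text)))


if __name__ == "__main__":
    for (src, dst, port), reasons in challenge(SAMPLE_CONNECTIONS).items():
        print(f"{src} -> {dst}:{port}  {', '.join(reasons)}")
```

10.0.0.5 is reported for beaconing (eight tiny HTTPS connections almost exactly five minutes apart), 10.0.0.9 for a five-hour SSH session that pushed 2 GiB out, and 10.0.0.8 is left alone even though it also made more than six connections to one site, because its timing is irregular and its volumes are small. The same three measurements work on firewall, proxy or NetFlow exports once the `load` function is adapted to the field names.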

SUMMARY

Security is about endpoint security of ALL endpoints

Assume both insider and cyber attacks are occurring

Take a holistic approach; go beyond required technical controls

Focus on vulnerability remediation not just scanning

Widespread assignment of privileged credentials makes it easier for attackers to get to valuable assets and data

Talk to your executives about security – it could make all of the difference

PowerBroker Password Safe v5.8

Martin Cannard – Product Manager

PAM – A collection of best practices

AD Bridge: Use AD credentials to access Unix/Linux hosts

Privilege Delegation: Once the user is logged on, manage what they can do

Session Management: Managed list of resources the user is authorized to access. Gateway proxy capability. Audit of all session activity

Password & SSH Key Management: Automate the management of functional account passwords and SSH keys

Comprehensive Security Management

► Secure and automate the process for managing privileged account passwords and keys

► Control how people, services, applications and scripts access managed credentials

► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password

► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail

► Alert in real-time as passwords and keys are released and as session activity is started

► Monitor session activity in real-time, and immediately lock/terminate suspicious activity

(diagram) Privileged Password Management (People, Services, A2A) · Privileged Session Management · SSH Key Management

Differentiator: Adaptive Workflow Control

Route a request based on:

• Day

• Date

• Time

• Who

• What

• Where
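Adaptive workflow control, as listed above, is a routing decision over who is asking, what they want, where they are coming from and when. As an added example that is not BeyondTrust's code and does not describe how Password Safe implements the feature, the Python below evaluates a privileged-access request against an ordered, first-match rule list with a default deny. The rule set, the group names, the network labels, the tier tags and the business hours are assumptions for illustration.

```python
"""First-match routing of access requests on who / what / where / when (added example, not BeyondTrust code)."""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Request:
    who: str                   # requesting account
    groups: FrozenSet[str]     # group memberships of the requester
    what: str                  # target system
    tier: str                  # "production" or "development" (assumed tags)
    where: str                 # source network label: "corp-lan", "vpn", "internet" (assumed)
    when: datetime             # day, date and time of the request


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str                             # "auto_approve", "require_approval" or "deny"
    who: Optional[FrozenSet[str]] = None      # requester must be in any of these groups
    tier: Optional[str] = None
    where: Optional[FrozenSet[str]] = None    # allowed source networks
    days: Optional[FrozenSet[int]] = None     # Monday=0 ... Sunday=6
    hours: Optional[range] = None             # local hours in which the rule applies

    def matches(self, r: Request) -> bool:
        """A rule attribute left as None does not constrain the request."""
        return ((self.who is None or bool(r.groups & self.who))
                and (self.tier is None or r.tier == self.tier)
                and (self.where is None or r.where in self.where)
                and (self.days is None or r.when.weekday() in self.days)
                and (self.hours is None or r.when.hour in self.hours))


WEEKDAYS = frozenset(range(0, 5))

# Assumed policy, ordered: the first matching rule decides; a request matching nothing is denied.
POLICY = [
    Rule("no privileged access from the internet", "deny",
         where=frozenset({"internet"})),
    Rule("developers self-serve development hosts", "auto_approve",
         who=frozenset({"developers"}), tier="development"),
    Rule("sysadmins in business hours from trusted networks", "auto_approve",
         who=frozenset({"sysadmins"}), tier="production",
         where=frozenset({"corp-lan", "vpn"}), days=WEEKDAYS, hours=range(8, 18)),
    Rule("production outside business hours needs an approver", "require_approval",
         who=frozenset({"sysadmins"}), tier="production"),
]


def decide(req: Request, policy=POLICY):
    """Return (decision, rule_name); the rule name is what belongs in the audit record."""
    for rule in policy:
        if rule.matches(req):
            return rule.decision, rule.name
    return "deny", "default deny"


def run_examples():
    """Constructed scenarios on Tuesday 2017-01-10 10:00 and Saturday 2017-01-14 02:00."""
    tue_10 = datetime(2017, 1, 10, 10, 0)
    sat_02 = datetime(2017, 1, 14, 2, 0)
    sa, dev = frozenset({"sysadmins"}), frozenset({"developers"})
    scenarios = {
        "sysadmin_prod_business_hours": Request("jsmith", sa, "db-prod-01", "production", "corp-lan", tue_10),
        "sysadmin_prod_weekend_vpn": Request("jsmith", sa, "db-prod-01", "production", "vpn", sat_02),
        "sysadmin_prod_from_internet": Request("jsmith", sa, "db-prod-01", "production", "internet", tue_10),
        "developer_dev_host": Request("dlee", dev, "web-dev-03", "development", "corp-lan", tue_10),
        "developer_prod_host": Request("dlee", dev, "db-prod-01", "production", "corp-lan", tue_10),
    }
    return {name: decide(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (decision, rule) in run_examples().items():
        print(f"{name:30} {decision:16} ({rule})")
```

The same sysadmin asking for the same production host gets three different answers depending on where and when the request arrives: auto-approved from the LAN on a Tuesday morning, routed to a second approver from the VPN at 02:00 on Saturday, and refused outright from the internet. Putting the rule order and the default deny in code, rather than in a ticket queue, is what makes the decision reviewable after the fact.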

Differentiator: Included Session Management

(diagram) The user authenticates to Password Safe over HTTPS and requests a session to a protected resource. The native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the RDP/SSH connection through the Password Safe appliance (Password Safe Proxy) to the requested protected resource.

Privileged Session Management

Differentiator: Controlling Application Access

Automatic Login to ESXi example

(diagram) The user selects the vSphere application and credentials in the browser (HTTPS). The RDP client connects to Password Safe over RDP (3389); Password Safe performs the CredentialCheckout from Credential Management (UserStore), opens a second RDP hop labelled ESXRDP (4489) to the vSphere RemoteApp, and performs Session Recording / Logging.

Automatic Login to Unix/Linux Applications

Typical Use Cases

• Jump host in DMZ

• Menu-driven Apps

• Backup Scripts

• Role-based Apps

(diagram) The user selects the SSH application and credentials in the browser (HTTPS). The client (labelled RDP Client in the diagram) connects to Password Safe over SSH (22); Password Safe performs the CredentialCheckout, opens a second SSH (22) hop to the SSH Application, and performs Session Recording / Logging.

Differentiator:

Reporting & Analytics

Actionable Reporting

Advanced Threat Analytics

What makes Password Safe different?

• Adaptive workflow control to evaluate and intelligently route based on the who, what, where, and when of the request

• Full network scanning capabilities with built-in auto-onboard capabilities

• Integrated data warehouse and analytics capability

• Smart Rules for building permission sets dynamically according to data pulled back from scans

• Session management / live monitoring at NO ADDITIONAL COST

• Clean, uncluttered, and intuitive HTML5 interface for end users

Key differentiators and business value

Less complexity & cost

Password and Session Management together in the same solution

Rotate SSH keys according to a defined schedule and enforce granular access control and workflow

Native tools for session management (MSTSC/PuTTY etc), with no Java required

Faster time to value

Deploy as a hardened physical or virtual appliance with a sealed operating system, or as software

Clean, uncluttered, and intuitive HTML5 interface for end users

Full network scanning, discovery and profiling with auto-onboarding, and Smart Rules

Better insights

Integrated data warehouse and threat analytics capability through BeyondInsight

Live session monitoring, true dual control for locking, terminating or canceling sessions

Improve workflow by considering the day, date, time and location when a user accesses resources

Reduce risk | Achieve compliance | Improve efficiency

PowerBroker Privileged Account Management:

Validated by the industry

BeyondTrust is a “representative vendor” for all five key feature solution categories. [1]

“Deploying the BeyondTrust PAM platform … provides an integrated, one-stop approach to PAM… one of only a small band of PAM providers offering end-to-end coverage.” [2]

“BeyondTrust is a pure-player in the Global Privileged Identity Management market and holds a significant position in the market.” [3]

“Frost & Sullivan endorses PowerBroker Password Safe.” [4]

“Leverage a solution like BeyondTrust’s PowerBroker for Windows to transparently remove administrator privileges.” [5]

BeyondTrust is a “Major Player” in Privileged Access Management. [6]

“BeyondTrust is a vendor you can rely on… BeyondTrust PowerBroker Auditor suite is an impressive set of flexible and tightly integrated auditing tools for Windows environments.” [7]

[1] Gartner, Market Guide for Privileged Account Management, June 17, 2014.
[2] Ovum, SWOT Assessment: BeyondTrust – The BeyondInsight and PowerBroker Platform, November 5, 2014.
[3] TechNavio, Global Privileged Identity Management Market 2015-2019, 2014.
[4] Frost & Sullivan, PowerBroker Password Safe – a Frost & Sullivan Product Review, 2014.
[5] Forrester, Introducing Forrester’s Targeted Hierarchy of Needs, May 15, 2014.
[6] IDC, IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, March 2015.
[7] Kuppinger Cole, Executive View: BeyondTrust PowerBroker Auditor Suite, March 2015.

Demonstration

Poll

Q&A

Thank you for attending.