CyberArk Privileged Account Security
Nedim Toroman, Business Development Manager, Veracomp
securITy
Critical Steps to Stopping Advanced Threats
1. Discover all of your Privileged Accounts
2. Protect and Manage them
3. Control, Isolate and Monitor any Privileged Access
4. Use Proactive Controls for Threat Detection
CyberArk’s Privileged Account Security Solution
Proactive controls, monitoring & management (Protect):
• Enterprise Password Vault®
• Privileged Session Manager®
• Application Identity Manager™
• On-Demand Privileges Manager™
• SSH Key Manager
Behavioral analytics (Detect, Respond):
• Privileged Threat Analytics
Shared Technology Platform underneath all of them: Secure Digital Vault™, Master Policy, Management Portal/Web Access.
CyberArk PIM Auto Discovery
Where do all the privileged and superuser accounts exist?
• VMware ESX/ESXi hosts, including the Linux and Windows virtual images running on them
• Unix/Linux servers
• Windows servers
• Windows desktops & laptops
• Windows services, scheduled tasks and IIS application pools (accounts embedded as run-as identities)
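The Unix/Linux part of that discovery question can be answered from three files on each host. The following is an added example, not CyberArk code or its discovery engine: it parses /etc/passwd, /etc/group and /etc/sudoers and reports every account that is root-equivalent (uid 0) or can reach root through sudo, directly or via group membership. The three file bodies, the account names and the risk levels are constructed for the example; on a real host you would read the actual files (alias expansion and #include directives in sudoers are deliberately not handled here).

```python
"""Discover privileged accounts on a Unix/Linux host from its account files."""
import re
from dataclasses import dataclass, field

# Constructed sample files (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
oracle:x:1002:1002:Oracle DB:/opt/oracle:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
wheel:x:10:bob,oracle
users:x:100:
"""
SUDOERS = """\
# constructed sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
oracle  ALL=(root) /usr/bin/systemctl restart oracle
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int
    shell: str
    reasons: list = field(default_factory=list)   # why it counts as privileged


def parse_passwd(text):
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
            accounts[name] = Account(name, int(uid), int(gid), shell)
    return accounts


def parse_group(text):
    """Return {group name: (gid, [supplementary members])}."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


SUDO_RULE = re.compile(r"^(%?)([\w.-]+)\s+(.+)$")


def parse_sudoers(text):
    """Return ({user: spec}, {group: spec}); Defaults lines and comments are skipped.
    Hypothetical simplification: no alias expansion, no #include handling."""
    users, groups = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if m:
            is_group, who, spec = m.groups()
            (groups if is_group else users)[who] = spec
    return users, groups


def in_group(acct, group):
    gid, members = group
    return acct.gid == gid or acct.name in members   # primary or supplementary


def discover(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Return {name: Account} for every account with at least one privilege reason."""
    accounts, groups = parse_passwd(passwd), parse_group(group)
    user_rules, group_rules = parse_sudoers(sudoers)
    for acct in accounts.values():
        if acct.uid == 0:
            acct.reasons.append("uid 0 (root-equivalent)")
        if acct.name in user_rules:
            acct.reasons.append(f"sudoers: {user_rules[acct.name]}")
        for gname, spec in group_rules.items():
            if gname in groups and in_group(acct, groups[gname]):
                acct.reasons.append(f"member of %{gname}: {spec}")
    return {a.name: a for a in accounts.values() if a.reasons}


def risk_level(acct):
    """uid 0 or passwordless sudo is the most valuable target; everything else medium."""
    if acct.uid == 0 or any("NOPASSWD" in r for r in acct.reasons):
        return "high"
    return "medium"


if __name__ == "__main__":
    for name, acct in sorted(discover().items()):
        print(f"{name:8} uid={acct.uid:<5} {risk_level(acct):6} {'; '.join(acct.reasons)}")
```

Running it lists root, toor, alice, bob and oracle and leaves daemon and backup out; the second uid-0 account (toor) is exactly the kind of hidden superuser a discovery pass exists to surface, and the NOPASSWD grant on %wheel is flagged as high risk even though bob and oracle are ordinary uids.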
Critical Step: Protect and Manage them
Layers of Security in the Digital Vault
• Firewall
• Authentication
• Vault Safes
• Session encryption
• Hierarchical encryption
• Tamper-proof auditability
• Comprehensive monitoring
• Segregation of duties
Enterprise Password Vault Overview
Privileged credentials scattered across the enterprise IT environment are moved into the IT Vault (system / user / password):
• Unix: root
• Oracle: SYS
• Windows: Administrator
• z/OS: DB2ADMIN
• Cisco: enable
Workflow, governed by the Master Policy:
1. Master policy and platform definitions
2. Initial load & reset: automatic detection, bulk upload or manual entry
3. Request workflow: dual control, integration with ticketing systems, one-time passwords, exclusivity, groups
4. Direct connection to the device
5. Auditor access for Security / Risk Management and Auditors
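The controls named in step 3 are easiest to reason about as checkable logic. The following is an added example, not CyberArk code and not its REST or CLI API: the Vault, Account and TicketSystem classes are invented here to show ticketing integration, dual control, exclusivity and one-time passwords as a single request/approve/checkout/checkin workflow with an audit trail. In the real product the password change after check-in is performed on the target system by the Central Policy Manager; here it is simulated by regenerating the value in memory.

```python
"""Request workflow for a vaulted privileged password (illustrative model)."""
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!$%^&*+-="


def generate_password(length=32):
    # Vault-generated, never chosen or seen by a human until checkout.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Account:
    name: str                             # e.g. "Administrator"
    address: str                          # e.g. "prod.dom.us"
    password: str = field(default_factory=generate_password)
    checked_out_by: Optional[str] = None  # exclusivity: one holder at a time


class TicketSystem:
    """Constructed stand-in for a change/incident ticketing integration."""
    def __init__(self, open_tickets):
        self._open = set(open_tickets)

    def is_open(self, ticket_id):
        return ticket_id in self._open


class Vault:
    def __init__(self, tickets, dual_control=True, exclusive=True, one_time=True):
        self.tickets, self.dual_control = tickets, dual_control
        self.exclusive, self.one_time = exclusive, one_time
        self.requests = {}   # request id -> state
        self.audit = []      # the trail an auditor reads

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, account, requester, ticket_id, reason):
        """A user asks for access; the ticket must exist and be open."""
        if not self.tickets.is_open(ticket_id):
            self._log("request.denied", user=requester, account=account.name, ticket=ticket_id)
            raise PermissionError(f"ticket {ticket_id} is not open")
        rid = secrets.token_hex(4)
        self.requests[rid] = {"account": account, "requester": requester, "ticket": ticket_id,
                              "reason": reason, "approved_by": None, "active": False}
        self._log("request.created", id=rid, user=requester, account=account.name,
                  ticket=ticket_id, reason=reason)
        return rid

    def approve(self, rid, approver):
        """Dual control: a second person approves; never the requester."""
        req = self.requests[rid]
        if approver == req["requester"]:
            raise PermissionError("dual control: requester cannot approve own request")
        req["approved_by"] = approver
        self._log("request.approved", id=rid, approver=approver)

    def checkout(self, rid):
        """Release the password, enforcing approval and exclusive use."""
        req = self.requests[rid]
        acct = req["account"]
        if self.dual_control and req["approved_by"] is None:
            raise PermissionError("dual control: request not yet approved")
        if self.exclusive and acct.checked_out_by not in (None, req["requester"]):
            raise PermissionError(f"exclusive: {acct.name} is checked out by {acct.checked_out_by}")
        acct.checked_out_by = req["requester"]
        req["active"] = True
        self._log("password.retrieved", id=rid, user=req["requester"], account=acct.name)
        return acct.password

    def checkin(self, rid):
        """Return the account; with one-time passwords the value is rotated at once."""
        req = self.requests[rid]
        acct = req["account"]
        if not req["active"]:
            raise ValueError("nothing to check in")
        if self.one_time:
            acct.password = generate_password()   # simulated: the real vault changes it on the target
            self._log("password.changed", account=acct.name)
        acct.checked_out_by = None
        req["active"] = False
        self._log("password.returned", id=rid, user=req["requester"], account=acct.name)


if __name__ == "__main__":
    vault = Vault(TicketSystem({"CHG-1001"}))
    admin = Account("Administrator", "prod.dom.us")
    rid = vault.request(admin, "alice", "CHG-1001", "patch the database")
    vault.approve(rid, "carol")
    print("released:", vault.checkout(rid))
    vault.checkin(rid)
    for entry in vault.audit:
        print(entry)
```

The point of the model is what an auditor can answer afterwards: every denied request, approval, retrieval and rotation is an audit record tied to a ticket and a reason, and because the value is rotated on check-in, a password copied out of a session is worthless once the session ends.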
Portal
Requests go through the portal and are checked against policy: a request to view reports, or a request to access Windows Administrator on prod.dom.us.
The shared static password "tops3cr3t" (shown ten times on the slide, once for every person who knows it) is replaced by a Vault-generated one that nobody needs to know, such as lm7yT5wX5$aq+pTojsd$5fhy7qeF$1gviNa9%Oiue^$fgW
Privileged Accounts Management – Use Cases
One policy across the platforms: virtual servers, Unix/Linux servers, Windows servers, iSeries mainframes, zSeries mainframes, databases, applications, network devices, security appliances, websites & web apps.
Workflows: OPM workflow, PSM workflow, EPV workflow, AIM workflow, monitoring & reporting workflow.
Who asks for what:
• Unix admins, Windows admins, DBAs, VM admins: "I just need to patch the database"; "I need to check out the password"
• External vendors: "The support team needs to connect remotely"
• Business applications: "I have this script that connects with 'root' every night..."
• Auditor / Security & Risk: "Great, what are your 'root' entitlements, who used it and why?"
Critical Step: Control, Isolate and Monitor any Privileged Access
CyberArk Privileged Session Manager
1. Logon through PVWA (HTTPS)
2. Connect to the PSM (RDP over HTTPS)
3. PSM fetches the credential from the Vault
4. PSM connects to the target using native protocols: Windows/UNIX servers, databases, routers and switches, web portals, ESX\vCenters, applications
5. Store the session recording
6. Activity is monitored via logs forwarded to SIEM/Syslog
PSM for Secure Access
IT, auditors and security operations on the secure internal network, and external vendors arriving over the Internet (HTTPS through the firewall), reach Windows servers, UNIX servers & DBs, routers and switches, and tools such as Toad only through the PSM:
• Passwords are not divulged to the user
• Secure isolation between the user's endpoint and the target
• Detailed session monitoring and control
Command Search with ‘Click to Play’
Search for SQL commands that include the word 'Salary', then click to play the recording from that point in time.
PIM/PSM Suite
Platforms: network devices, virtual servers, Windows servers, Unix/Linux servers, AS400 / iSeries mainframes, OS390 / zSeries mainframes, databases, applications, security appliances. Workflows: AIM workflow, PSM workflow.
PSM and Real-Time Monitoring
Syslog: “Rob has accessed the HR Database!” (users shown: Robert, David)
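The two monitoring operations above (searching recorded commands for a word such as 'Salary' and jumping to that point of the recording, and a syslog alert the moment a user opens a session to a sensitive system) can be shown over the kind of log a session manager forwards to a SIEM. The following is an added example, not CyberArk code: the log lines are constructed in a generic CEF-style layout (pipe-separated header, then key=value extensions), and the extension keys used (suser, dhost, cs1 for the session id, cn1 for the offset in seconds into the recording, cs2 for the command text) are illustrative, not a documented CyberArk schema.

```python
"""Keyword search over recorded session commands plus a real-time access alert."""
import re

CEF_HEADER = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+CEF:0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<sig>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$")
# key=value pairs; values may contain spaces, and '=' inside a value is escaped as '\='.
CEF_EXT = re.compile(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)")

# Constructed sample events (illustrative field names, not a vendor schema).
SAMPLE_LOG = """\
2013-03-20T09:14:02Z psm01 CEF:0|Example|SessionManager|1.0|300|Session opened|5|suser=rob shost=10.1.1.7 dhost=hrdb.prod.dom.us duser=DBADMIN cs1=sess-0001
2013-03-20T09:14:33Z psm01 CEF:0|Example|SessionManager|1.0|310|Command executed|3|suser=rob dhost=hrdb.prod.dom.us cs1=sess-0001 cn1=31 cs2=SELECT name FROM employees WHERE dept\\='IT'
2013-03-20T09:15:10Z psm01 CEF:0|Example|SessionManager|1.0|310|Command executed|3|suser=rob dhost=hrdb.prod.dom.us cs1=sess-0001 cn1=68 cs2=SELECT name, salary FROM employees
2013-03-20T09:16:45Z psm01 CEF:0|Example|SessionManager|1.0|310|Command executed|3|suser=rob dhost=hrdb.prod.dom.us cs1=sess-0001 cn1=163 cs2=UPDATE employees SET Salary\\=Salary*2 WHERE name\\='Rob'
2013-03-20T09:20:00Z psm01 CEF:0|Example|SessionManager|1.0|300|Session opened|5|suser=david shost=10.1.1.9 dhost=web01.prod.dom.us duser=Administrator cs1=sess-0002
2013-03-20T09:21:12Z psm01 CEF:0|Example|SessionManager|1.0|310|Command executed|3|suser=david dhost=web01.prod.dom.us cs1=sess-0002 cn1=72 cs2=iisreset /restart
"""


def parse_cef(line):
    """Split one CEF line into header fields plus an {key: value} extension dict."""
    m = CEF_HEADER.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ext"] = {k: v.replace("\\=", "=") for k, v in CEF_EXT.findall(event["ext"])}
    return event


def load_events(text=SAMPLE_LOG):
    return [e for e in map(parse_cef, text.splitlines()) if e]


def search_commands(events, keyword):
    """Case-insensitive search over recorded commands; returns
    (session, user, target, offset_seconds, command) so a reviewer can open
    the recording at exactly that point ('click to play')."""
    kw = keyword.lower()
    return [(e["ext"]["cs1"], e["ext"]["suser"], e["ext"]["dhost"],
             int(e["ext"]["cn1"]), e["ext"]["cs2"])
            for e in events
            if e["name"] == "Command executed" and kw in e["ext"].get("cs2", "").lower()]


SENSITIVE_TARGETS = {"hrdb.prod.dom.us": "HR Database"}   # constructed watch-list


def session_alerts(events, targets=SENSITIVE_TARGETS):
    """Real-time rule: fire as soon as a session to a watched target is opened,
    before any command has run."""
    return [f"{e['ext']['suser']} has accessed the {targets[e['ext']['dhost']]}!"
            for e in events
            if e["name"] == "Session opened" and e["ext"].get("dhost") in targets]


if __name__ == "__main__":
    evts = load_events()
    for sess, user, host, offset, cmd in search_commands(evts, "Salary"):
        print(f"{sess} {user}@{host} +{offset}s: {cmd}")
    for alert in session_alerts(evts):
        print("ALERT:", alert)
```

Two hits come back for 'Salary' (at 68 s and 163 s into session sess-0001, the second one an UPDATE), and the session-open rule fires for rob before either command exists, which is the difference between reviewing a recording afterwards and being paged while the session is still live.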
Critical Step: Use Proactive Controls for Threat Detection
Privileged Threat Analytics
Intelligence-based analytics for detecting suspicious privileged user activity:
• Detects malicious privileged account behavior
• Detects and identifies anomalies as they happen
• Respond: disrupt the attack before serious damage is done
Protection, Accountability, Intelligence
How Privileged Threat Analytics works
Privileged account activity (privileged users accessing critical systems) is recorded by the CyberArk Vault and by the SIEM solution. Behavioral analysis: a self-learning statistical model based on a combination of patented algorithms, Vault access data, and target system data gathered from inbound SIEM integrations. Each activity is classified as normal or abnormal; abnormal activity raises an ALERT to both the SIEM and CyberArk.
Critical Behavioral Indicator of Attacks – Time of Day
• “…Attackers’ working hours: generally, the attackers worked between 2AM and 10AM, from Monday to Saturday included.”
• The attacks came during the day in China, which is after hours in Europe and the US.
Based on Mandiant research data
Access to Privileged Accounts During Irregular Hours: Ex. 1 (December 28th, 2012)
Access to Privileged Accounts During Irregular Hours: Ex. 2 (February 13th, 2013)
Source: data of a CyberArk customer analyzed in CyberArk Labs
Excessive Access to Privileged Accounts: an abnormal sequence of 52 password retrieval activities in 8 hours, starting on March 20th
Privileged Threat Incident Details
PTA Reports
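The two indicators the examples above illustrate (a retrieval at an hour the user has never worked, and a burst such as 52 retrievals inside 8 hours) can be implemented from a per-user baseline of Vault retrieval events. The following is an added example, not CyberArk's PTA algorithm, which the deck describes only as a patented, self-learning statistical model fed by Vault and SIEM data; the baseline here is a plain hour-of-day profile plus a sliding-window peak, and the users, dates and counts are constructed to match the shape of the incidents on the slides.

```python
"""Irregular-hour and excessive-access indicators over privileged password retrievals."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=8)


def constructed_events():
    """Constructed data. Baseline: 30 days of normal daytime use per user.
    Recent: one 03:15 retrieval, then a 52-retrieval burst every 9 minutes
    from 08:00 on March 20th (all inside one 8-hour window)."""
    base = datetime(2012, 11, 1)
    baseline = [("rob", base + timedelta(days=d, hours=8 + d % 9)) for d in range(30)]
    baseline += [("david", base + timedelta(days=d, hours=10)) for d in range(30)]
    recent = [("rob", datetime(2012, 12, 28, 3, 15))]
    recent += [("rob", datetime(2013, 3, 20, 8, 0) + timedelta(minutes=9 * i)) for i in range(52)]
    recent += [("david", datetime(2013, 3, 20, 10, 5))]
    return baseline, recent


def hour_profile(events):
    """{user: Counter(hour of day -> number of retrievals)}"""
    profile = defaultdict(Counter)
    for user, ts in events:
        profile[user][ts.hour] += 1
    return profile


def window_peak(events, window=WINDOW):
    """{user: most retrievals seen in any sliding window of the given length}"""
    stamps = defaultdict(list)
    for user, ts in events:
        stamps[user].append(ts)
    peak = {}
    for user, times in stamps.items():
        dq, best = deque(), 0
        for ts in sorted(times):
            dq.append(ts)
            while ts - dq[0] >= window:
                dq.popleft()
            best = max(best, len(dq))
        peak[user] = best
    return peak


def detect(baseline, recent, window=WINDOW, burst_factor=3, min_history=20):
    """Return (indicator, user, timestamp, detail) tuples in time order.
    min_history stops the hour check judging users with too little baseline;
    burst_factor is how far above the user's own baseline peak counts as excessive."""
    profile, peak = hour_profile(baseline), window_peak(baseline, window)
    alerts, live, bursting = [], defaultdict(deque), set()
    for user, ts in sorted(recent, key=lambda e: e[1]):
        hours = profile.get(user, Counter())
        seen = sum(hours.values())
        if seen >= min_history and hours[ts.hour] == 0:
            alerts.append(("irregular_hour", user, ts,
                           f"hour {ts.hour:02d} never used in {seen} baseline retrievals"))
        dq = live[user]
        dq.append(ts)
        while ts - dq[0] >= window:
            dq.popleft()
        limit = burst_factor * max(peak.get(user, 0), 1)
        if len(dq) > limit and user not in bursting:      # alert once per burst
            bursting.add(user)
            alerts.append(("excessive_access", user, ts,
                           f"{len(dq)} retrievals within {window} (baseline peak {peak.get(user, 0)})"))
        elif len(dq) <= limit:
            bursting.discard(user)
    return alerts


if __name__ == "__main__":
    baseline, recent = constructed_events()
    for indicator, user, ts, detail in detect(baseline, recent):
        print(f"{ts:%Y-%m-%d %H:%M} {indicator:16} {user:6} {detail}")
    print("peak retrievals in any 8h window (recent):", window_peak(recent))
```

The burst alert fires at the fourth retrieval (08:27), long before the count reaches 52, because the threshold is relative to rob's own baseline peak of one retrieval per window; the full 52-in-8-hours figure is what the incident report shows afterwards from window_peak. david, whose 10:05 retrieval matches his profile, produces nothing, which is the property a baseline approach needs in order not to drown the SOC in alerts.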