Deep Dive: CA Privileged Access Manager

World®’16

CAPAMforHybridEnterprisesDeepDiveShawnW.Hank,Sr.PrincipalConsultant,CybersecurityCATechnologies,Inc.

SCX29E

SECURITY

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation

Abstract

TheearlierPAMforHybridEnterprises(SXC04E)sessioncoveredabroadsetofCAPAMcapabilitiesasitrelatedtomanagingandcontrollingaccesstocriticalinfrastructureandprivilegedaccountsacrossthehybridenterprise.

Thisdeepdivesessionwillexpandontheearliersessionanddigintotheconfigurationandsetupofsomeofthesefunctionsandfeatures. AttendeeswillbeabletolearnabouttopicssuchasinteractingwiththePAMRESTAPI,AWSsupportfortargetserverdiscoveryandimport,theAWSAPIProxy,VMwareESX/ESXiandNSXfunctionality,PAMServerControlandSingleSignOnintegration,aswellasautodiscoveryoftargetserversandaccounts,andThreatAnalyticsforPAM.

ShawnW.HankCATechnologies,Inc.Sr.PrincipalConsultantCybersecurity

Agenda

PAMRESTAPIs – APRIMER

PAM&AWS

THREATANALYTICSfor PAM

PAM&VMWAREESX/ESXI/NSX

PAMasan IDP/RPor SP

PAM&PAMSCINTEGRATION

CAPAM’sRESTAPIAPrimer

§ Reduceconfiguration,maintenance,andadministrationbytakingadvantageofAPIstoconfigurePrivilegedAccess.– Yes,youcanPoint&Click

viatheUI,butwhywouldyouwanttodothat?

CAPAM’sRESTAPIModesofOperation

§ Gets,Posts,Puts,Deletes– Getexistingobject

datafromPAM– Add/Createnew

objects– Modify/Update

existingobjects– Deleteobjectsthat

arenolongerneeded

CAPAM’sRESTAPIAFewIdeas

§ Importalistofusersandgroupsfromarecentacquisition

§ Updatethetargetserversthatwererecentlyrefreshedinthedatacenter

§ Findallpoliciesforaspecificuser

§ Determinewhatgroup(s)aparticulardevicebelongsto.

CAPAM’sRESTAPI– ExampleAPICallsusingPostman

CAPAM’sRESTAPI– ExampleAPICallsusingPAW

CAPAM’sRESTAPI– ExampleAPICallsusingabrowser

CAPrivilegedAccessManager&AWS

CAPAMandAWS

§ FederationviaSTSandSAML

§ SSOandWebSessionRecording

§ Autodiscovery&autoimportofdevices

§ S3Recording

IaaSsupportforthemarketleadingIaaSprovider

AWSTargetDevice

AD/LDAP

RadiusServer

AWSTargetDevice

PIV/CACRevocationServer

ADFSServer

AWSManagementConsole

Account1Region1ZoneA

AWSTargetDevice

Account2Region1ZoneC

AWSTargetDevice

Account3Region3ZoneB

AWSTargetDevice

Account4Region4ZoneD

Account5Region1ZoneA

CAPAMAMI

AWSIAMCredentialAPI

AWSAPIProxy

RolesBasedPrivilegedFederatedAccessControl&SingleSign-OnforProgrammaticandManualAWSAPIAccess:

• FullFederatedCredentialProvisioningforaccesstotheAWSPublic,Government,andVPCClouds

SeparationofDutiesfortheAWSAPIConsoleInterface:

• RolesareenforcedbyaCentralxAPIPolicyManagerforallAPIAccess

FullAuditTrailandSessionRecordingAcross:• AllAPIaccessisrecordedandlogged

bythexAPIProxyServerUS East 1

US East 1aUS East 1b

Public 2

DisposableInstances(Future)

Private 1

Private 2

MySQL DBInstance

Public 1

Amazon S3

Internet

Splunk

AuditAPIcalls&responses

CAPrivilegedAccessManager&VMwareESX/ESXi/NSX

§ Auto-Discovery&provisioningGuestVMs&GroupsviaAPI

§ RolesBasedPrivilegedAccessControl&Single

§ SeparationofDutiesforvCenterConsole

§ FullAuditTrail&SessionRecording

§ Password&AccessKeyManagement

§ StrongAuthorization &AttributedUse

PAM&VMwareESX/ESXi

ESX/ESXiHypervisor

vCenterConsole

CAPAMOVA

GuestVMorGroup

EnterpriseDirectory

CAPAM- Physical

PrivilegedUsers

CAPAM– VMwareConfiguration

§ Config– 3rd Party§ VMwarevCenter

(vSphere)

§ SupportmultiplevCenterinstances

§ Local/RADIUS/TACACS/LDAP/ADintegrationforauthenticationtovSphereWeborvCenterClient

CAPrivilegedAccessManagerforVMwareNSXCapabilitySummary

§ VaultingandfulllifecyclemanagementofpasswordsandSSHaccesskeys§ NSX-basedresources,NSXManagerandAPI,otherenterpriseresources

CredentialsManagement

§ TACACS+,AD/LDAP,RADIUS,RSA,SMSMobileToken,SAML,PIV/CAC§ VMwarevSphere®,NSXAPIs,VMware®NSXManager™,otherphysical/virtual

resourcesacrossenterprise

FederatedSSO

§ IntegratedwithNSXManager;ServiceComposerserviceinsertion§ DynamicapplicationofaccesscontrolpoliciesbasedonNSXsecuritypolicies§ EnforcedviaNSXmicro-segmentation

AccessPolicyEnforcement

§ Completelogsandfullsessionrecording§ AllaccesstoNSXresourcesincludingNSXManagerandAPI

AccessPolicyEnforcement

CAPAMforVMwareNSX– NSXManagerRESTAPIProxy

ThelastmileforfullNSXManageradministrationvisibility§ UsersandscriptstalktotheProxy,nottoNSXManager,withdifferentcredentials,which

mayrotateonapolicyorschedule§ CAPAMvaults– androtates– theNSXManagercredentials§ IntegrateswithApplicationtoApplication(A2A)

Closingthe“APILoop”totheNSXmanagementplane

Consumer NSXManager

NSXManagerAPIProxy

Logs A2ARequests ChangePassword

Z-sideRequest/ResponseA-sideRequest/Response

CAPrivilegedAccessManager

CAPAMforVMwareNSX– AccessRestrictor

DFWRulesaddedandremovedon-demand§ Rulesaddedwhenconnectionsareopenedandremovedwhenclosed§ Removesthehumanelementandpotentialforerror§ Enablesahighly-secure“denyall”environmentwhereexceptionsareforcedthroughCA

PAMandonlyCAPAMmayaccessprotectedresources

Automatic,runtime,ephemeralDistributedFirewallRulesmaintainedbyCAPAM

Client

UserTargetVM

NSXManager

DFWCAPrivilegedAccessManager

CAPAMforVMwareNSX– DynamicTaggingandGrouping

CAPAMPolicyinlockstepwithNSXSecurityTagsandGroups§ NSXSecurityTagsandGroupssyncedwithCAPAMandtiedtoPolicies§ AsVMsenter/leaveNSXSecurityGroups,CAPAMAccessisprovisioned/removed

SynchronizeCAPAMpolicieswithchangesintheNSXsecurityposture

VMwarevCenterVMNetwork

NSXManager

CAPAMforVMwareNSX– ServiceComposerIntegration

DeepintegrationwithServiceComposer§ AsVMsenterorleaveNSXSecurityGroups,CAPAMwill:

- Enableordisablesessionrecording- Terminatesessions- ForceCAPAMsessionre-authentication

TriggereventsinCAPAMviaNSXServiceComposerworkflows

Session

NSXPartnerEcosystemProduct

NSXManager

VMwarevCenter

ApplyTag

Enable/DisableSessionRecording

TerminateSessions

XsuiteRe-Authentication

CAPrivilegedAccessManager&SingleSignOn

PAM&SSOwithCASingleSign-OnRP/SPtoanUpstreamIDPusinganon-prem IDP

§ IntegrationwithCASingleSign-OnbyenableCASSOastheidentityprovider

§ ExistingCASSOpoliciesdynamicallyevaluatedtodeterminewhogetsaccess

§ OptionalJust-in-Timeprovisioningfeatures

IdentitySuite- ProvisioningConnectorforCAPAM

Extensiveconnector:– PAMAccounts

(localandremote)– Roles– Groups– Policies– Devices&Device

Groups

AccessRequestforPAM

PAM&SSOwithCAIdentityServiceRP/SPtoanUpstreamIDPusingaSaaS-basedIDP

Control&ManageCloudIdentitySprawl

§ Rule-basedprovisioning,de-provisioningandentitlementassignment

§ Automatedidentitylifecyclemanagementaspeoplejoin,moveorleave

§ ExtensibleandAPIdrivenidentitylifecyclemanagement

Enablerule-basedprovisioningandidentitylifecycleautomation

CAPAMasanRP/SPWithCAIdentityServiceastheUpstreamIDP

SingleSign-on

Authentication(SaaS-firstmodel) CAIdentity

Service

Userprovisioning&de-provisioning

SingleSign-onRogueandorphanaccountdetectionandremediation

CASingleSign-On

On-premisesapps

SaaSApps

Peoplesource(optional)

Authentication(Hybridmodel)

SingleSign-on

SaaS-First&HybridDeploymentModelsLeverageexistingon-premisesIAMinvestments

CAPAMasanIDPThreatAnalyticsIntegration,butwillworkforanyServiceProvider

CAPAMasanIDP– ConfigureSPApplyallnecessarySAMLSSOAttributesasrequiredbythetarget

CAPrivilegedAccessManager&PAMServerControl

TheCASolutionPortfolioIdentitySuite,IdentityService,PAM&PAMSC

cessre

quests

rtificatio

Riskana

§ Strongauthentication,includingMFA§ Credentialmanagement§ Policy-based,leastprivilegeaccesscontrol§ Commandfiltering§ Sessionrecording,auditing,attribution§ Applicationpasswordmanagement§ Comprehensive,hybridenterpriseprotection§ Self-contained,hardenedappliance

§ In-depthprotectionforcriticalservers§ Highly-granularaccesscontrols§ Segregateddutiesofsuper-users§ Controlledaccesstosystemresourcessuchas

files,folders,processesandregistries§ SecuredTaskDelegation(sudo)§ EnforceTrustedComputingBase

IDENTITY-BASEDSECURITY HOST-BASEDSECURITY

DEFENSEINDEPTH

CAPrivilegedAccessManager CAPrivilegedAccessManagerServerControl

ENTITYSUITE

ThreatAnalyticsforPAM:Super-ChargingPAM!Domain-specificanalyticstodefendagainstrealworldattacks

Compromisedidentity

High-riskinsideractivity&threat

Insightandincidentresponsesupport

Automaticallytriggermitigations§ Alerting§ Reportingandinsightintosystemuseandrisk

Authorizeduseractionsthatposeseriousrisks:§ Contractors§ Partners§ Policyviolators§ Disgruntledanddepartingemployees

Identitiescompromisedbyattacksthatinclude:§ Phishing§ Weakpasswords§ Malware§ Compromiseddevices§ Man-in-the-middle

Blindspotsinhowsystemsareused.NeedquickresponsestoincidentsandSOCinquiries:§ IdentifyusersandriskyactivityassociatedwithIP,devices,dataassets

Detect

Mitigate

Breachprevention Operationalinsights Improvedcompliance

§ Automatedsessionrecording§ Re-authentication

Results

OverseasContractorUseCaseInsiderThreatDetectionandMitigation

Continuousmonitoringandanalysisofaccessenables:

§ Monitoringaccessforallusers,includingBangalore-basedcontractorsauthorizedtouseshareddatabaseandserveraccounts

§ Identifyinghighlyunusualsessionactivitiesofindividualoverseasdeveloperthatinclude:- Unusualsessionactivitiesandlengthsbasedonindividualandotherenterpriseusers

- Accesstolargenumberofsensitivesystems,manyforthefirsttime

- RemoteDesktopProtocolaccesstoahigh-riskPCIserver

Thisbehaviorposeshighriskandisnotconsistentwithpastactionsoftheuserortheenterprise.

§ ThreatAnalyticsforPrivilegedAccessManagerautomaticallytriggerssessionrecordingforreview

§ Admingeneratesincidentreportforcomplianceofficer/SOC

Result:Successfuldetectionandmitigationofinsiderthreat

ThreatAnalyticsforPAM

Activitycontinuouslymonitoredinbackground

Sessionrecordingautomaticallyinitiated

IncidentreportforcomplianceofficerorSOC

Overseascontractors

High-risksessionbehaviorisdetected

PrivilegedAccessManager

IncidentResponseUseCasePAMAdminclosesthedooronattackers

EnterpriseSOCinvestigationofahighpriorityincident&wantstoknow:“WhatinformationcanthePAMAdminprovidetoassist?”

UsingtheIPaddressprovidedbytheSOC– thePAMadmincansearchBAforPAMandquickly:- IdentifyallusersassociatedwithIPaddress- Inspectaccessandactivitiesofthemostsuspicioususer- ProvideIRteamwithidentityofthesuspicioususer- NavigatetoInsightpagetogetalldormantaccountstoprovidetoIRteamalso

ThreatAnalytics’abilitytocorrelateaccessactivity,IPaddresses,sessions,andriskprovideimmediate valuetoinvestigations.

§ Tomitigatefutureattacks-- PAMadminaddssuspiciousIPaddressthreatintelligencetoBAforPAM.Futureactivityisthenautomaticallydetectedandanalyzed.

§ PAMadminconfiguresBAforPAMtosendautomatedalertstoSIEMwhenanyactivityrelatedtoasuspiciousIPisdetected

Result:BAforPAMprovidesimmediatevaluetoincidentresponseeffortsandclosesthedooronfutureattacks.

PAMThreatAnalyticsforPAM

Activitycontinuouslymonitored

ThreatintelligenceusedbyBAtoproactivelyaddressfuturethreats

IRTeam

Immediateinsightregardingusers,activity,risk,etc.

AutomatedAlertstoSIEM/SOC

ThreatIntelusedbyAnalytics

Canyouhelp….attackfrom

193.105.219.210?!

AnalyticsandIntelligentControls

ThreatAnalyticsforPAM

§ Offersanadd-onthatsuperchargesexistingPrivilegedAccessManagercapabilities

§ Enablesautomateddetection,mitigationandalertingforcriticalthreats

§ Easydeployment: Deploysassingle,virtualmachine—nospecialskillsorsignificanteffortrequired

§ Quicktoprovidevalue: Immediately deliverscompellinguserexperiencewithhuman-understandableriskandinsights

Solutionsummary

§ Automaticallyestablishesnormaloperatingprofilesforusersandenterprisebasedonobservedbehavior

§ Useshistoricandreal-timeactivitytoassesscontextandanalyzerisk

§ Providesmeaningfulinsightregardinguserandsystemactivities

§ Triggerriskmitigationsandcontrolsincludingtriggeringsessionrecording

AdvancedAnalytics&AutomatedMitigation

PAMforHybridEnterprisesDeepDiveAsyoucansee,thereisalotmoretoPAMthatmeetstheeye!

Fromfunctioningasit’sownPrivilegedUserIDP,toproxyingAPIcallsinordertoauditapplications,todetectingandmitigatingactivitiesviaThreatAnalytics,CAPAMprovidesahostofcapabilitiesthatextendthestandardPrivilegedUserandPrivilegedIdentityfunctions.

Ifyou’dliketohavefurtherdiscussions,simplycontactyourCAAccountteamandwecansetupasessiontodigintoanyofthesetopicsatgreaterdepths.

Summary

RecommendedSessions

SESSION# TITLE DATE/TIME

SCX15E MeetthePAMTeamQ&A 11/14/2016at11:00am

SCT41T PAMMaturityModel 11/16/2016at1:45pm

SCT05T ThreatAnalyticsforPAM 11/17/2016at4:30pm

Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!

Wewanttohearfromyou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.

§ ITCSstaffwillbeatmostsessions.Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.

Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired

Deep Dive: CA Privileged Access Manager

Technology

Transcript of Deep Dive: CA Privileged Access Manager

MidoNet deep dive

OpenStack Deep Dive

JavaScript Deep Dive

Android Deep Dive

RecoverPoint Deep Dive

PowerApps Deep Dive

HealthKit Deep Dive

Deep dive formatting

WPF Deep Dive

Deep Dive Training

002 Deep Dive

C# Deep Dive

FCoE Deep Dive

MIPS Deep Dive

Starling Deep Dive

Phonegap deep-dive

DynamoDB Deep Dive

Docker Deep Dive

Deep Dive Xamarin.iOS

MTS deep dive Data Center and CSD deep dive Optiq ...