Posted on 25-Jun-2020

"Welcome to the world of PROactive Cybersecurity"

© 2018 Avecto Inc. | avecto.com

Peter Schaudeck, Senior Manager, Partner Sales, Central & Eastern Europe

March 14th 2018, RISK Conference Laško

© 2017 Avecto | avecto.com

This PDF version differs slightly from the version shown during the RISK conference:

• Slide animations have been flattened and adjusted for better visibility.

• Some extra slides have been added for a better understanding of the context.

Similarities?

The "TV5 affair"!

The "Facebook" dilemma!

“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”

Kevin Mitnick, former FBI Most Wanted hacker

The Avecto paradigm

PROactively stopping cyberattacks without stopping user productivity

PROactive versus detection-based endpoint security

PROactive (multilayered approach):
• Mitigates attack vectors
• "Time to attack" doesn't matter
• Malware pattern doesn't matter

Detection-based:
• It's always a race against time
• Patterns constantly change
• Even "next-gen" solutions often fail

"The common misconception is that a user with local admin rights can do little harm and that administrative actions taken at the endpoint are isolated to the endpoint itself. Neither assertion is true."

Gartner, Inc., "Reduce Access to Windows Local Administrator with Endpoint Privilege Management," Lori Robinson, October 20, 2017

Magic Question #1

"What can you do with local admin rights, and how can you do harm?"

A local admin user has the keys to the kingdom...and beyond!


What can they do with the keys to the kingdom? Top 10 secrets of an admin user

1. Change registry keys: navigate around GPO, central management and policies.

2. Take control of system services: disable or interfere with other security products such as anti-virus and the firewall.

3. Take ownership of files and folders: an admin can own any file on the system, period; privileges (SeTakeOwnershipPrivilege) always beat permissions.

4. Manage certificates for the local machine: an added root CA opens the door to phishing and man-in-the-middle attacks.

5. Use port scanning and packet-capture tools: scanning the network and capturing traffic allows the potential of finding a vulnerability.

6. Go from Admin to SYSTEM: create scheduled tasks that run as SYSTEM; applications can be set to bypass UAC, and processes can be run as SYSTEM.

7. Install and uninstall any application or patch: leaves the environment open to vulnerabilities.

8. Cover tracks: delete the Application, System and Security event logs.

9. Manage and create users: create as many additional admins as needed.

10. Access any part of the OS: set "traps" for users with higher privilege, such as Domain Admins, for privilege escalation attacks.
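The first step the deck argues for is knowing who actually holds these keys. The following PowerShell script is an added example, not part of the Avecto slides and not Defendpoint code: it reports members of the local Administrators group that are neither the built-in Administrator (RID 500), Domain Admins (RID 512), nor on an approved list. The approved group name and the sample member records are constructed for illustration; the script assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember).

```powershell
# Added example (not from the Avecto deck): audit local Administrators membership
# against an approved list so that holders of "the keys to the kingdom" are visible.
# Assumes Windows PowerShell 5.1+ with Get-LocalGroupMember available.

function Get-UnexpectedLocalAdmins {
    [CmdletBinding()]
    param(
        # Principals allowed in the local Administrators group (illustrative value).
        [string[]] $ApprovedNames = @('DOMAIN\Workstation Admins'),

        # Members to evaluate. Defaults to the live group on this host; a constructed
        # list can be passed in for testing or for data collected from remote hosts.
        [object[]] $Members = (Get-LocalGroupMember -Group 'Administrators')
    )

    foreach ($m in $Members) {
        $sid  = [string]$m.SID
        $name = [string]$m.Name

        # Match well-known principals by RID suffix so that renaming the built-in
        # Administrator account does not hide it from the check.
        $isBuiltInAdmin = $sid -match '-500$'
        $isDomainAdmins = $sid -match '-512$'
        $isApproved     = $ApprovedNames -contains $name

        if (-not ($isBuiltInAdmin -or $isDomainAdmins -or $isApproved)) {
            [pscustomobject]@{
                Name            = $name
                SID             = $sid
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
                Finding         = 'Unexpected member of local Administrators'
            }
        }
    }
}

# Constructed sample data standing in for Get-LocalGroupMember output on a host where
# a user was given local admin rights "temporarily" and never removed.
$sample = @(
    [pscustomobject]@{ Name='WS01\Administrator';        SID='S-1-5-21-1-2-3-500';  ObjectClass='User';  PrincipalSource='Local' }
    [pscustomobject]@{ Name='DOMAIN\Domain Admins';      SID='S-1-5-21-9-8-7-512';  ObjectClass='Group'; PrincipalSource='ActiveDirectory' }
    [pscustomobject]@{ Name='DOMAIN\Workstation Admins'; SID='S-1-5-21-9-8-7-1105'; ObjectClass='Group'; PrincipalSource='ActiveDirectory' }
    [pscustomobject]@{ Name='DOMAIN\jsmith';             SID='S-1-5-21-9-8-7-2210'; ObjectClass='User';  PrincipalSource='ActiveDirectory' }
)

# Against the sample data only DOMAIN\jsmith is reported.
Get-UnexpectedLocalAdmins -Members $sample | Format-Table -AutoSize

# Live check on the current host:
# Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Matching by RID suffix rather than by display name matters because renaming the built-in Administrator is a common hardening step and the name of Domain Admins is localised on non-English domains. One caveat for fleet-wide use: Get-LocalGroupMember fails with PrincipalNotFound on hosts where the group still contains the orphaned SID of a deleted domain account, so collection from such hosts needs to fall back to another enumeration method.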

"Local admin rights" is one of the key attack vectors abused by a large variety of cyberattacks.

"Remove local admin rights, remove threats, achieve least privilege"

Return the keys to the kingdom...

Magic Question #2

"What will happen when you remove local admin rights and switch to a standard user context?"

What can't they do, and what can they still do, without the keys to the kingdom? Examples. Key challenge: working in standard user mode.

Users CAN'T:
• Do even basic things any longer, such as changing the date and time or changing network settings.
• Simply install a program; even a simple printer driver installation becomes cumbersome.
• Ignore User Account Control (UAC) for any small system change or installation; it will prompt constantly.

Users still CAN:
• Install certain programs, such as Firefox or Chrome, into their local user directory, despite a fully hardened, company-standard browser.
• Install cloud storage tools or portable apps into their local directory (Dropbox, OneDrive, BitTorrent), including from a USB stick.
• Trigger "unwanted" execution of document-based attacks (macros, active script) inside trusted or whitelisted applications.

"Remove local admin rights, remove threats, achieve least privilege" AND "Control your applications and system processes"

Return the keys to the kingdom...

Industry and analyst advice

Implementing these 4 strategies mitigates at least 85% of targeted cyber intrusions (the Australian Signals Directorate's "Top 4" mitigation strategies):

1. Application whitelisting
2. Reducing admin users
3. OS patching
4. Application patching

NSA (US National Security Agency) industry advice

Magic Question #3

"Why are attackers still winning?"

Why are the attackers winning? Security compromises

[Chart: share of security compromises against how "locked & well managed" endpoints are; scale 20% / 60% / 100%]

What users and the business need:
• Users require freedom and a consumer-like experience
• System stability and uptime are the most important factors
• User productivity and efficiency must be maintained
• Users need the flexibility to run new and undefined applications
• Users need to configure their endpoints and install software

What security needs:
• Enforce strong security configuration and controls
• Ensure applications and operating systems are fully patched
• Protect vulnerable applications and high-risk activities
• Stop unknown and unapproved applications from running
• Remove local administrative rights to achieve least privilege

Magic Question #4

"How can Avecto help you manage this dilemma…?"

The impossible compromise: the endpoint security paradox

Objective = balance security and user experience.

"Underlocked": all users given admin rights
• Giving admin rights is professional negligence; security is weakened and the threat is always escalating
• Support costs for local admin users increase

"Overlocked": all users locked down to a standard user account
• Without admin rights users can't do their job and desktops are difficult to manage
• Poor user experience leads to privilege creep
• Support costs for standard users increase

The PROactive Defendpoint approach (diagram: layers built around the DATA)

• Zero admins: eliminate admin rights, achieve least privilege. Assign privilege to apps, tasks and scripts, but never to users.
• Pragmatic whitelisting: whitelist trusted apps and block malware.
• Enhanced security: protect trusted apps (e.g. protect MS Office or Adobe Reader from embedded malware).
• Actionable intelligence: insight and analysis to make informed decisions.
• Quickstart Policy

User interaction / exception handling: without Avecto Defendpoint versus with Avecto Defendpoint

"QuickStart Policy" and exception handling / user interaction: out of the box, how it works

1. Business apps: auto-approval, seamless elevation (corporate branding, tailored message)
2. Operating system: auto-approval, confirm execution (corporate branding, tailored message)
3. Third-party signed apps: user gives a reason and re-authenticates (corporate branding, tailored message)
4. Unsigned / untrusted apps: helpdesk request via challenge/response (corporate branding, tailored message)

Quickstart Policy:
• Admin rights can be removed immediately
• Policies can be targeted at different user groups, with powerful filtering options
• User experience can be customised
• Policies can be refined over time
• User behaviour is captured
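To make the four tiers above concrete, here is an added PowerShell example; it is not Defendpoint's matching engine, whose rules are far richer, and not code from the Avecto deck. It classifies an executable into the same four tiers from its Authenticode signature: a valid signature from an approved business publisher is tier 1, a valid "Microsoft Windows" publisher signature is tier 2, any other valid signature is tier 3, and anything unsigned, tampered or not chaining to a trusted root is tier 4. The publisher subject in the allow-list is a hypothetical placeholder; the script assumes Windows 10 or later, where Get-AuthenticodeSignature also validates catalog-signed OS binaries.

```powershell
# Added example (not Avecto code): a minimal classifier that reproduces the decision
# tree of the "QuickStart Policy" tiers using Authenticode signature state.
# Assumes Windows 10+ so that catalog-signed OS binaries verify as Valid.

function Get-ElevationTier {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,

        # Certificate subjects whose signed binaries count as "business apps" (tier 1).
        # Hypothetical placeholder; replace with the organisation's real publishers.
        [string[]] $BusinessPublishers = @('CN=Contoso Software Ltd, O=Contoso Software Ltd, L=Manchester, C=GB')
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything without a valid, trusted signature is untrusted: NotSigned,
    # HashMismatch (tampered file), UnknownError (untrusted root), and so on.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path   = $Path
            Tier   = 4
            Policy = 'Unsigned/untrusted: helpdesk request (challenge/response)'
            Signer = $null
            Status = $sig.Status
        }
    }

    $subject = $sig.SignerCertificate.Subject

    if ($BusinessPublishers -contains $subject) {
        $tier = 1; $policy = 'Business app: auto-approval, seamless elevation'
    }
    elseif ($subject -match '^CN=Microsoft Windows(,|$)') {
        # OS binaries carry the "Microsoft Windows" publisher certificate.
        $tier = 2; $policy = 'Operating system: auto-approval, confirm execution'
    }
    else {
        $tier = 3; $policy = 'Third-party signed: reason + re-authentication'
    }

    [pscustomobject]@{
        Path   = $Path
        Tier   = $tier
        Policy = $policy
        Signer = $subject
        Status = $sig.Status
    }
}

# Usage: classify two OS binaries plus whatever executables sit in the user's
# Downloads folder (the location where "users still CAN" drop portable apps).
$candidates = @("$env:SystemRoot\System32\notepad.exe", "$env:SystemRoot\System32\cmd.exe") +
              (Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue).FullName

$candidates | Where-Object { $_ } | ForEach-Object { Get-ElevationTier -Path $_ } |
    Sort-Object Tier | Format-Table Tier, Status, Signer, Path -AutoSize
```

The important design point is that the check keys on the signer certificate, not on the file name or path: a renamed binary in a user-writable folder still lands in the tier its (missing) signature dictates, which is exactly the gap left open when admin rights are removed but application control is not in place.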

Architecture: management & deployment

Part 1 (the agent): Windows & Mac agent

Part 2 (the policy management platform):
• Defendpoint ePO Edition: client deployment, policy management, built-in auditing & reporting
• Defendpoint (Windows Azure): policy management, built-in auditing & reporting
• Defendpoint Group Policy Edition: policy management

Part 3 (the enterprise reporting platform): Enterprise Reporting, centralized auditing | reporting dashboards | actionable intelligence

Most Valuable Partner: McAfee Security Innovation Alliance Partner of the Year 2017
• End-to-end management via McAfee ePolicy Orchestrator®
• Technology integration with McAfee Threat Intelligence Exchange (TIE/DXL)
• 4 million licenses deployed globally with ePO
• Fully integrated security solution

About Avecto, and why we win?

• UK/Manchester based, founded 2008, still privately owned and fast growing
• 100% channel focused
• PROactive (not detection-based) cybersecurity engine with a multilayered approach (PM, AC, TAP, Insights: Privilege Management, Application Control, Trusted Application Protection, Insights)
• Great customer names and use cases

Success factors:
• Our approach, our story: once understood and tested by our customers, they go for it!
• Customer Journey: a structured methodology that leads to greater success
• Quick Start implementation program: "starts simple, stays simple"
• Highly scalable (no limit in terms of company size)

Proven track record, successful global deployments:
• Over 1000 successful implementations
• 8 million licences deployed globally
• Project rollouts of up to 454,000 users

Interested to hear more? Please join Andrej Kreuth from ADD Slovenia tomorrow at 12:25 (Gala Hall) for the ADD/Avecto customer success story: a technical point of view.

Magic Question #5

"How does Avecto PROactively mitigate attack vectors, and how is it different from many other detection-based solutions?"

Attack vector mitigation

[Figure: attack vectors mapped to mitigating control layers. Known malware is covered by anti-malware and known exploits by patching; the remaining vectors are mapped to the three Defendpoint layers: Application Whitelisting, Least Privilege and Trusted Application Protection.]

Least privilege:
• Replace OS files (start/stop services)
• Exposure of networks to malware (DDoS)
• System-wide config changes
• Install unauthorized / unlicensed software
• Manipulate user accounts and passwords, Pass-the-Hash (PtH) attacks
• Disable/uninstall security software or policies
• Data leakage
• Install malware (e.g. rootkits)

Application whitelisting:
• Social engineering emails/installs
• Infected content on external media
• APTs/exploit kits dropping files to disk (payloads)
• Unknown user-installed apps (portable)

Trusted application protection:
• Document-based attacks (macros, active script)
• Theft of corporate data (IPR)
• Zero-day browser/application exploits

Magic Question #6

"How does all of that fit into the world?"

Privileged Access Management … and why buy it? A redefined market space

• "Buyers continue to show strong appetite for PAM solutions, driven by fear of breaches and the significant role privileged user accounts and credentials play in such incidents.

• Another significant market driver is the need to address a wide variety of regulatory and industry mandates, as well as expanding audit requirements, which prescribe controls over privileged users, accounts and credentials."

What is it now? Privileged Access Management

PASM (Privileged Account and Session Management):
• Vaulting of privileged credentials
• Session management and access control
• Session recording

PEDM (Privilege Elevation and Delegation Management):
• Removal of privileged accounts
• Granular management and elevation of individual tasks

Managing privileged passwords: PASM (Privileged Account and Session Management)

• PASM tools monitor and record privileged activity on the systems
• Grant access to privileged user accounts via a password vault
• Control access to individual accounts with always-on privileges
• Allow the sysadmin to request access to a specific server
• The password vault grants the user access via a temporary admin account and attempts to record the sysadmin's activities
• The admin account is then revoked and the session recording is logged

Limitations:
• Basic level of control
• Limited security benefits
• Focused on data centre projects, not the desktop
• Control is all or nothing: full admin privileges or nothing at all
• Issuing even temporary admin privileges poses the same level of risk as a full admin account

Regulation now calls for even greater control; the security bar has been raised!

Delegating privileged actions: PEDM (Privilege Elevation and Delegation Management)

• A more robust and granular approach to user privileges
• Remove admin rights completely and let all users operate under the security of a standard user account
• PEDM elevates individual commands but does not grant access to an unrestricted privileged session
• Admin rights are assigned only to commands, tasks, applications or scripts
• Ensures the number of admin accounts is dramatically reduced or eliminated
• 94% of critical Microsoft vulnerabilities mitigated by removing admin rights
• 90% of critical vulnerabilities in the Windows Server OS mitigated
• Superuser privilege management is now classed as PEDM by Gartner

Where to start? Back to Gartner …

"Start with PEDM if predominantly Windows based, already have high trust 2FA authentication and allow admins to use accounts with domain admin privileges. These organizations should eliminate usage of accounts with domain admin privileges except for very specific and extreme situations – elevate privileges from regular user accounts."

Benefits of a PEDM-first approach

• Immediate realization of benefits
• Remove admin rights completely
• Proactive approach to security, not "react after the fact"
• Remove the greatest risk first across all desktops; create solid foundations
• Mitigate 94% of critical vulnerabilities

Complementing an existing PASM solution

• Reduce the onboarding process and operational workflow (80/20)
• Reduce the attack surface by removing admin rights
• Reduce noise by auditing and vaulting only high-risk events
• Proactive approach to security: block and alert on red-flag activity
• Greater visibility to audit what goes on beneath the surface
• Compliance requirements for least privilege and third-party access control

PASM and PEDM can be complementary: key differentiators

Capability                                        PASM   PEDM
Reduces admin rights?                             No     Yes
On-demand elevation?                              No     Yes
Proactive approach?                               No     Yes
Elevation of individual commands?                 No     Yes
Vaulting technology?                              Yes    No
Control of router passwords / shared passwords?   Yes    No
Secure single sign-on?                            Yes    No
Session recording?                                Yes    No

Magic Question #7

"How does Prince William fit in this story?"

Let's go back to the beginning…

Cassian Ewert, Senior Technology Consultant, Avecto Ltd., just in front of this Main Hall

Management Summary: 1. Why Avecto? 2. What are we doing? 3. How are we doing it?

Smart & fundamental security | Mitigate attack vectors | Proactively stop cyberattacks | Increase user productivity

(The slide arranges the following points in three columns: Why Avecto? / What does Avecto do? / How does Avecto do it?)

• Operational efficiency: significantly reduces IT cost (e.g. reduces the number of helpdesk tickets)
• Pragmatic and simple to manage "whitelisting", even for the largest organisation (e.g. ½ man-day for Bank of America)
• Superior policy and agent architecture
• Multi-policy distribution framework (AD/GPE, ePO, iC3)
• Never outdated, always protected, even offline (no exceptions, e.g. temporary admin rights)
• Extremely safe and patented anti-tamper protection; protects the solution and its settings
• Widest feature set, granular policy settings, highly adaptive to many customer use cases
• Patching + whitelisting + removing admin rights mitigates >85% of all security risks (94% of Microsoft vulnerabilities)
• Analysis and informed decisions with Defendpoint "Insights"; integrates e.g. with SIEM, service desk etc.
• Highly secure and efficient due to the integrated multilayered architecture (PM, AC, TAP, Insights)
• Helps customers meet compliance regulations as recommended by NSA, GDPR, SANS, Gartner …
• Efficient implementation with Quickstart Policies: "works in hours, not months", "starts simple, stays simple"
• PROactively prevents many cyberattacks, e.g. ransomware, espionage, insider threats, social engineering, etc.
• Removes admin rights completely across the entire business, for ALL endpoints and even servers
• Privileges are granted to individual applications, tasks and scripts, never to users
• "Remove privileges, prevent breaches and attacks" without hindering productivity or impacting system resources
• Ensures a positive user experience with customized messaging, seamless elevation and flexible prompts

Thank you… (Romanian: mulțumesc; Slovenian: hvala)