Andreas Nordenadler, CyberArk andreas.nordenadler@cyberark · CyberArk Discovery and Audit (DNA™)...

Page 1:

Control and accountability for privileged users

Andreas Nordenadler, CyberArk


Page 2:

CyberArk

Approach privileged accounts as a security challenge

• Designed and built from the ground up for security

Trusted experts in privileged account security

• Over 1,500 privileged account security customers

Twelve years of innovation in privileged account controls, monitoring and analytics

• First with vault, first with monitoring, first with analytics

• Over 100 software engineers, multiple patents

Only comprehensive privileged account security solution

• One solution, focused exclusively on privileged accounts

World-class Customers

Page 4:

PRIVILEGE

Shared Admin Accounts & Personal Privileged Accounts

Cloud Accounts

Application to Application Accounts

Page 5:

Privileged Accounts

Privileged Credentials are (needed) Everywhere

WiFi Router, Smart TV

Power plant, Factory Floor

Laptop, Tablet, Smartphone

Routers, Firewalls, Hypervisors, Databases, Applications

Routers, Firewalls, Servers, Databases, Applications

Page 6:

Hijacked Credentials Put the Attacker in Control

Compromised Privileged Accounts

WiFi Router, Smart TV

Power plant, Factory Floor

Laptop, Tablet, Smartphone

Routers, Firewalls, Hypervisors, Databases, Applications

Routers, Firewalls, Servers, Databases, Applications

Page 7:

Privileged Accounts are Targeted in All Advanced Attacks

Mandiant, M-Trends and APT1 Report

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Page 8:

Typical Lifecycle of a Cyber Attack

Privilege is At The Center of the Attack Lifecycle

Page 9:

The Story That Never Ends

“Anybody in the position of privileged access with the technical capabilities that I had could suck out secrets…”

Edward Snowden, NSA Systems Administrator

Page 10:

The Beginning of Corporate Accountability(?)

Page 11:

Privileged Account Management Drivers

Evolving Threats

▪ Advanced, External Threats

▪ Malicious Insider Threats

▪ Accidental Insider Threats

Increased Audit & Compliance Requirements

▪ External regulations

▪ Business partner demands

▪ Internal audit requirements

Page 12:

What is CyberArk Doing to Help?

Page 13:

CyberArk Breaks the Attack Chain

Page 14:

CyberArk’s Privileged Account Security Solution

Enterprise Password Vault®

Privileged Session Manager®

Application Identity Manager™

On-Demand Privileges Manager™

SSH Key Manager

Management Portal/Web Access

Master Policy

Secure Digital Vault™

Privileged Threat Analytics

Shared Technology Platform

Proactive Controls, Monitoring & Management

Behavioral Analytics

Protect Detect Respond

Page 15:

Privileged Account Security – IRL 1/2

System User Pass

Unix root

Oracle SYS

Windows Administrator

z/OS DB2ADMIN

Cisco enable

tops3cr3t

lm7yT5w X5$aq+p Tojsd$5fh y7qeF$1 gviNa9% Oiue^$fgW

1. Master/exception policy definition

2. Initial load & reset: Automatic Detection, Bulk upload, Manual

3. Request workflow: Dual control, Integration with ticketing systems, One-time passwords, exclusivity, groups

4. Direct connection to device

5. Auditor access

IT

Vault

Enterprise IT Environment

Policy Manager

Security/Risk Management

Auditors

Portal

Policy

Request to view Reports

Request access to Windows Administrator On prod.dom.us

Page 16:

Privileged Account Security – IRL 2/2

1. Logon through Password Vault Web Access

2. Connect

3. Fetch credential from Vault

4. Connect using native protocols

5. Store session recording

6. Logs forwarded to SIEM/Syslog

Portal

HTTPS

RDP over HTTPS

PSM

Vault

Windows Servers

Servers

Unix

Linux

Databases

ESX\vCenters

Other…

SIEM/Syslog

Page 17:

Four Critical Steps to Stopping Advanced Threats

Protect and manage privileged account credentials

Control, isolate and monitor privileged access to servers and databases

Use real-time privileged account intelligence to detect and respond to in-progress attacks

Discover all of your privileged accounts

Page 18:

Challenge: Identify and Manage Privileged Accounts

Identifying privileged accounts is difficult

▪ High volume of accounts (Default admin accounts, “Backdoor” accounts, service accounts, local privileged accounts and local accounts on servers)

▪ Employee turnover

▪ Lack of historical records and documentation

Risks

▪ Unmanaged privileged accounts are exploited in over 90% of corporate breaches

▪ A large number of machines on a network can be vulnerable to Pass-the-Hash attacks

■ Stored privileged credential hashes create vulnerabilities to Pass-the-Hash attacks on multiple machines throughout a network

▪ Without a clear understanding of the volume and location of privileged accounts, auditors lack the reliable information they need to complete an audit

■ Privileged account controls and monitoring are needed for security and compliance requirements

Page 19:

Solution: CyberArk Discovery & Audit (DNA)

DNA helps organizations gain visibility of their privileged account environment

▪ Discover all privileged and non-privileged accounts

▪ Locate all privileged credentials including:

■ Passwords

■ SSH keys

■ Password hashes

▪ Easily review the Executive Summary Dashboard

▪ Enhance insight with visual maps of password hashes and SSH key trusts

▪ Gain visibility without impacting performance

■ Requires no installation

■ Consumes very low bandwidth

Page 20:

CyberArk Discovery and Audit (DNA™) Benefits

Understand your risk

• Identify and assess privileged account attack surface and Pass-the-Hash vulnerabilities

Save time and money

• Reduce time and cost of security audit preparation

• Simple executable – results in minutes

Optimize privileged account project benefits

• Understand the project scope

• Prioritize project priorities

Healthcare company – discovered several local admin accounts created by 3rd party vendors. Raised project urgency.

Telecommunication company – used DNA to discover Service Accounts for scoping of an AIM project

Bank – used DNA report for scoping first phase of deployment

Energy company – DNA exposed critical misconfiguration of local administrative accounts, deeply nested within the accounts tree. Very difficult to find without DNA.

Page 21:

CyberArk DNA™ DEMO

Page 22:

Discovery and Audit 5.0: What does it scan?

▪ Windows accounts

▪ Unix accounts

▪ Accounts with access rights to desktops and servers:

■ Privileged and non-Privileged accounts (Windows and Unix) (e.g. ‘Guest’ account, local ‘Administrator’ account)

■ Local and domain accounts (Windows and Unix) (e.g. personal domain account ‘johnr’, ‘john_Admin’)

▪ Windows Service Accounts:

■ Accounts used in Windows Services

■ Accounts used in Scheduled Tasks

▪ SSH Keys:

■ Public and Private SSH Keys

■ Orphan Keys

■ SSH Key Trusts between accounts and machines

Page 23:

Thank You!
