CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management

From Governance to Virtualiza2on: The Expanding Arena of Privileged Iden2ty Management

Russell Miller

Director, Solu0ons Marke0ng

2

Agenda

Copyright © 2013 CA. All rights reserved.

è  The Challenge of Privileged Iden22es

è  The State of Virtualiza2on Security

è  Privileged Iden2ty Governance

è  Social Media

è Q&A

Edward Snowden was a privileged user on key NSA systems

“When you’re in posi2ons of privileged access, like a systems administrator for these sort of intelligence community agencies, you’re exposed to a lot more informa2on on a broader scale than the average employee.”

-‐ Edward Snowden

Source: hSp://www.guardian.co.uk/world/2013/jun/09/edward-‐snowden-‐nsa-‐whistleblower-‐surveillance?guni=Network%20front:network-‐front%20full-‐width-‐1%20bento-‐box:Bento%20box:Posi2on1

3 Copyright © 2013 CA. All rights reserved.

Privileged iden00es pose a par0cularly significant threat to network and data security

All-‐Powerful Access

Lack of Accountability Risk

§  Unrestricted “root” or “Administrator” access

§  No segrega2on of du2es

§  Use of shared accounts

§  Poor log integrity and quality

Virtualiza0on magnifies these challenges!

Copyright © 2013 CA. All rights reserved. 4

The Problem With Privileged Iden00es

There are three types of insider threats and two primary principles to apply to mi0gate the risk

§  Deter malicious insiders

§  Trace ac0ons to individuals

§ Limit damage done by a malicious or exploited insider

§ “Stop Stupid!”

Implement Least Privilege

Access

Ensure Accountability

Types of Insider Threats

Exploited Insiders

Malicious Insiders

Careless Insiders

?

Ac0ons to Take


There are many real-‐world – and public – examples of insiders causing significant damage


hSp://www.wired.com/threatlevel/2008/07/sf-‐city-‐charged/ hSp://www.theregister.co.uk/2011/02/28/bri2sh_airlines_it_expert_convicted/ hSp://www.darkreading.com/security/news/212903570/it-‐worker-‐indicted-‐for-‐sefng-‐malware-‐bomb-‐at-‐fannie-‐mae.html hSp://www.darkreading.com/authen2ca2on/167901072/security/security-‐management/229100384/a-‐glaring-‐lesson-‐in-‐shared-‐passwords.html hSp://www.infosecurity-‐magazine.com/view/18237/insider-‐data-‐breach-‐costs-‐bank-‐of-‐america-‐over-‐10-‐million-‐says-‐secret-‐service/ hSp://www.eweek.com/security-‐watch/former-‐gucci-‐employee-‐indicted-‐for-‐it-‐rampage.html hSp://www.darkreading.com/security/news/223800029/ex-‐tsa-‐employee-‐indicted-‐for-‐tampering-‐with-‐database-‐of-‐terrorist-‐suspects.html

The stages of an external aPack

§  Basic research

§  Domain queries

§  Port scans

§  Vulnerability scans

§  “Spear Phishing”

§  Social Engineering

§  Zero day vulnerability exploita0on

§  OS & applica0on vulnerability exploita0on

§  Administra0ve access

§  Compromise of new systems

§  Con0nuous export of sensi0ve data

§  Effect service availability

§  Covering of tracks

§  Rootkits

Reconnaissance Ini0al Entry Escala0on of Privileges

Con0nuous Exploita0on

Stages of an External APack


Tradi0onal perimeter and infrastructure security capabili0es only address part of the problem!

Perimeter security

An0-‐virus

Phishing protec0on

Server hardening

Capture and review server and device audit logs





Content-‐aware iden0ty & access management bolster an APT defense!

Log and audit privileged user ac0vity

Perimeter security

Least privilege access

An0-‐virus

Phishing protec0on

Employee educa0on

Virtualiza0on security Externalized/ unexpected security

Server hardening

Shared account management

Capture and review server and device audit logs

Data controls & analysis

Advanced authen0ca0on & fraud preven0on

Iden0ty & Access Governance

Capabili0es of CA Security





Effec0ve Privileged Iden0ty Management requires a comprehensive solu0on

Privileged Iden0ty

Management


Hypervisor

VM VM VM

Shared Account Management

Fine-‐Grained Access Controls

User Ac2vity Repor2ng /

Session Recording

UNIX Authen2ca2on

Bridging

Virtualiza2on Security

11

Agenda





è  Social Media

è Q&A

Jason Cornish, former Shionogi Pharma IT Staffer Pled guilty to Feb ‘11 computer intrusion

A recent incident demonstrates the real-‐world poten0al for damage in a virtual environment

–  Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services

–  Shionogi’s opera2ons frozen for days §  unable to ship product §  unable to issue checks §  unable to send email

All of this was accomplished from a McDonald’s


Virtualiza0on has many clear benefits, but also many o[en-‐ignored risks

Capital and opera2onal cost savings

Great availability / recovery

Ease of disaster recovery

Hardware independence

Improved service levels

New class of privileged iden22es on the hypervisor

Greater impact of aSack or misconfigura2on

New compliance requirements

Dynamic environment leads to oversights

Easy copying of virtual machines

Virtual Sprawl

Posi0ves Nega0ves/Risks

What happens when an organiza0on goes virtual?


New class of privileged iden00es on the hypervisor


Greater impact of aPack or misconfigura0on


New compliance requirements

NIST SP 800-‐125: Guide to Security for Full Virtualiza0on Technologies

Payment Card Industry (PCI) PCI-‐DSS 2.0, Virtualiza0on Guidelines


Dynamic environment can lead to oversights


Copying a virtual machine image is equivalent to stealing a server from a datacenter


Virtual Sprawl


Securing virtual environments requires “the fundamentals” as well as a game-‐changing capability

Least Privilege Access

Infrastructure Hardening

Shared Account Management

User Ac0vity Repor0ng

Virtualiza0on-‐Aware Automa0on of Security Controls

New!

Security fundamentals that now need to be applied to the hypervisor


21

Agenda





è  Social Media

è Q&A

The need for Privileged Iden0ty Governance

Orphaned Accounts

Reduce Audit Burden Gain Visibility into Privileged Account Usage

Privilege Creep


Address these needs by combining governance, management and monitoring capabili0es

Priv. Iden0ty Governance Privileged Iden0ty Mgmt. User Ac0vity Repor0ng

§  User Mgmt. §  Workflow §  Cer2fica2on

§  Fine-‐grained access controls

§  Shared account management

§  Video recording §  Analy2cs and

searchability

ID Gov.


What Privileged Iden0ty Governance can tell you

How can they get access?

How to control access

What was accessed and when?

What can people access?


Iden0ty Governance and Role Management

Iden0ty Governance

Role Management

Monitor access rights with reports/dashboards

Discover and propose poten2al roles based on access paSerns and organiza2onal characteris2cs

Establish centralized segrega2on of du2es and other business and regulatory iden2ty policies

Discover business structure and turn millions of access rights into 100’s of roles

Adapt model as business changes

Automate en2tlements cer2fica2on for users, roles and resources


Use analy0cs to iden0fy privileged users


Iden00es Systems

Users IDs should be correlated to iden0fy mul0ple IDs belonging to the same person – and cleaned up!

Russ.Miller MILLERR RMIL04 RBM102

Name: Russell Miller Employee ID: rmiller123 Loca2on: Boston Etc.

1 Audit Privilege Quality

2 Detect Excep2ons

3 Unique ID correla2on

4 Clean-‐up


Cer0fica0on should include usage informa0on to iden0fy suspicious ac0vi0es


How you can get there!

Collect Account & En0tlement Info

Analyze IDs &

En0tlements

Administer & Control Accounts

Audit & Cer0fy

Accounts

Steps to Govern Privileged Iden00es


System Accounts

Service Accounts

Shared Accounts

Named Accounts

The business value of Privileged Iden0ty Governance

Prevent breaches due to improper Admin ac2ons or data exposure Reduce the burden of audit and compliance efforts Improve efficiency of iden2ty compliance & processes Gain visibility into administrator access and actual usage

2

3

1

4


31

Agenda





è  Social Media

è Q&A

Social media accounts are privileged iden00es!


Insider Threat External Threat

33

Confusion between personal and corporate TwiPer accounts – controls are needed!


34

Agenda





è  Social Media

è Q&A

Ques0ons?


Appendix

Legal No0ce

Copyright © 2013 CA. All rights reserved. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respec2ve companies. No unauthorized use, copying or distribu2on permiSed.


CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management

Technology

Transcript of CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management