CyberArk Privileged Account Security - ALEM . CyberArk - ALEM - Nedim 05.06...

Posted 27-Jun-2018

Transcript of the slide deck:

  • CyberArk Privileged Account Security

    Nedim Toroman, Business Development Manager, Veracomp

    securITy

  • Critical Steps to Stopping Advanced Threats

    - Discover all of your Privileged Accounts
    - Protect and Manage them
    - Control, Isolate and Monitor any Privileged Access
    - Use Proactive Controls for Threat Detection

  • CyberArk's Privileged Account Security Solution

    Products on the Shared Technology Platform:
    - Enterprise Password Vault
    - Privileged Session Manager
    - Application Identity Manager
    - On-Demand Privileges Manager
    - SSH Key Manager
    - Privileged Threat Analytics

    Shared Technology Platform: Management Portal/Web Access, Master Policy, Secure Digital Vault

    Proactive Controls, Monitoring & Management; Behavioral Analytics; Protect, Detect, Respond

  • CyberArk PIM Auto Discovery

    Where do all the privileged and superuser accounts exist?
    - VMware ESX/ESXi: Linux virtual images, Windows virtual images
    - Unix/Linux Servers
    - Windows Servers: Windows Services, Scheduled Tasks, IIS Pools
    - Windows Desktops & Laptops


  • Layers of Security in the Digital Vault

    - Firewall
    - Authentication
    - Vault Safes
    - Tamper-Proof Auditability
    - Comprehensive Monitoring
    - Segregation of Duties
    - Hierarchical Encryption
    - Session Encryption

  • Enterprise Password Vault Overview

    Actors: IT, Security/Risk Management, Auditors. The Vault sits between them and the Enterprise IT Environment, governed by the Master Policy and accessed through the Portal.

    The slide shows the same password, tops3cr3t, on every row, against a single vault-generated one: lm7yT5wX5$aq+pTojsd$5fhy7qeF$1gviNa9%Oiue^$fgW

    System    User           Password
    Unix      root           tops3cr3t
    Oracle    SYS            tops3cr3t
    Windows   Administrator  tops3cr3t
    z/OS      DB2ADMIN       tops3cr3t
    Cisco     enable         tops3cr3t

    Workflow:
    1. Master policy and Platforms definition
    2. Initial load & reset: Automatic Detection, Bulk upload, Manual
    3. Request workflow: Dual control, Integration with ticketing systems, One-time passwords, exclusivity, groups
    4. Direct connection to device
    5. Auditor access

    Example requests on the slide: "Request access to Windows Administrator on prod.dom.us"; "Request to view Reports"

  • Privileged Accounts Management Use Cases

    Target systems: Virtual Servers, Unix/Linux Servers, iSeries Mainframes, Windows Servers, zSeries Mainframes, Databases, Applications, Network Devices, Security Appliances, Websites & Web Apps

    Workflows: OPM Workflow, PSM Workflow, EPV Workflow, AIM Workflow, Monitoring & Reporting Workflow

    Users: Unix Admins, Windows Admins, DBAs, VM Admins, External Vendors, Business Applications, Auditor/Security & Risk

    Speech bubbles on the slide (the labels Admin and External Vendors appear beside them):
    - "I just need to patch the database"
    - "Support team need to connect remotely"
    - "I need to check out the password"
    - "I have this script that connects with root every night..."
    - "Great, what are your root entitlements, who used it and why?"


  • CyberArk Privileged Session Manager

    Targets behind the PSM: Routers and Switches, Windows/UNIX Servers, Web Portals, Databases, Application, ESX\vCenters; credentials come from the Vault.

    1. Logon through PVWA (HTTPS)
    2. Connect (RDP over HTTPS to the PSM)
    3. Fetch credential from Vault
    4. Connect using native protocols
    5. Store session recording
    6. Activity is monitored via logs forwarded to SIEM/Syslog

  • PSM for Secure Access

    Users: IT/Auditors/Security Operations on the Secure Internal Network; External Vendors over the Internet, through the Firewall via HTTPS.

    Targets: Windows Servers, UNIX Servers & DBs, Routers and Switches, Toad

    - Passwords not divulged
    - Secure Isolation
    - Detailed session monitoring
    - Isolation, Monitor and Control

  • Command Search with Click to Play

    Search for SQL commands that include the word 'Salary'

    Click to Play: point in time

  • PIM/PSM Suite: PSM and Real-Time Monitoring

    Targets: Network Devices, Virtual Servers, Windows Servers, Unix/Linux Servers, AS400 iSeries Mainframes, OS390 zSeries Mainframes, Databases, Applications, Security Appliances

    Workflows: AIM Workflow, PSM Workflow

    Syslog: "Rob has accessed the HR Database!" (user Robert David)


  • Privileged Threat Analytics

    Intelligence-based analytics for detecting suspicious privileged user activity:
    - Detects malicious privileged account behavior
    - Detects and identifies anomalies as they happen
    - Respond: disrupting the attack before serious damage is done

  • Protection, Accountability, Intelligence

  • How Privileged Threat Analytics works

    Privileged account activity (privileged user, critical system access) is scored by Behavioral Analysis as Normal or Abnormal; abnormal activity raises ALERT: SIEM & CyberArk.

    Behavioral Analysis: self-learning statistical model based on a combination of patented algorithms, Vault access data, and target system data gathered from inbound SIEM integrations (SIEM Solution, CyberArk Vault).

  • Critical Behavioral Indicator of Attacks: Time of Day

    Attackers' working hours: generally, the attackers worked between 2AM and 10AM, Monday to Saturday inclusive.

    The attacks came during the day in China, which is after hours in Europe and the US.

    Based on Mandiant research data

  • Access to Privileged Accounts During Irregular Hours: Ex.1

    December 28th, 2012

    February 13th, 2013

    Source: Data of CyberArk customer analyzed in the CyberArk labs

  • Access to Privileged Accounts During Irregular Hours: Ex. 2

  • Excessive Access to Privileged Accounts

    Abnormal sequence of 52 password retrieval activities in 8 hours, starting on March 20th
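The two behavioural indicators the deck singles out (time-of-day access and a burst of password retrievals) can be checked against Vault audit records with a few lines of code. Added example, not CyberArk PTA's own logic; the record format, user names and thresholds are constructed, and the 02:00-10:00 Mon-Sat window is the Mandiant figure quoted on the slide, not a per-user baseline.

```python
"""Toy detector for two indicators from the deck: privileged access during
irregular hours and an excessive run of password retrievals (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (not the Vault's real syslog schema):
# "<ISO time> <user> <action> <account>"
SAMPLE_LOG = """\
2015-06-01T11:15:00 alice RETRIEVE Administrator@prod.dom.us
2015-06-01T03:40:00 rdavid RETRIEVE root@unixprod01
2015-06-02T14:00:00 rdavid RETRIEVE DB2ADMIN@zos01
2015-06-02T14:05:00 rdavid RETRIEVE SYS@oraprod
2015-06-02T14:07:00 rdavid RETRIEVE enable@core-rtr1
2015-06-02T14:09:00 rdavid RETRIEVE root@unixprod02
2015-06-07T04:00:00 bob RETRIEVE Administrator@prod.dom.us
"""

def parse_log(text):
    """Parse records into (timestamp, user, action, account), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, action, account = line.split()
        events.append((datetime.fromisoformat(ts), user, action, account))
    return sorted(events)  # the sliding window below needs time order

def irregular_hours(ts, start_hour=2, end_hour=10, days=range(6)):
    """Deck's Mandiant figure as default: 02:00-10:00, Mon-Sat (local time)."""
    return ts.weekday() in days and start_hour <= ts.hour < end_hour

def excessive_retrievals(events, limit=3, window=timedelta(hours=8)):
    """Alert once a user exceeds `limit` RETRIEVEs inside `window` (the deck's
    case: 52 retrievals in 8 hours). Per-user sliding window of timestamps."""
    recent, alerts = defaultdict(deque), []
    for ts, user, action, _ in events:
        if action != "RETRIEVE":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict retrievals older than the window
            q.popleft()
        if len(q) > limit:
            alerts.append((user, ts, len(q)))
    return alerts

def analyze(text, **kw):
    """Both indicator lists; a deployment would forward these to the SIEM."""
    events = parse_log(text)
    off_hours = [(u, ts) for ts, u, _, _ in events if irregular_hours(ts)]
    return {"irregular_hours": off_hours, "excessive": excessive_retrievals(events, **kw)}
```

With the sample data, rdavid's 03:40 Monday retrieval trips the time-of-day rule (bob's Sunday 04:00 does not, as Sunday is outside the window), and rdavid's four retrievals within ten minutes on 2 June trip the burst rule at the default limit of 3.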

  • Privileged Threat Incident Details

  • PTA Reports

  • Thank you for your attention!

    Contact: nedim.toroman@veracomp.ba

    Questions?

    8.6.2015 securITy