CyberArk Privileged Threat Analytics™


Solution Brief


©Cyber-Ark Software Ltd. | cyberark.com 2

Table of Contents

The New Security Battleground: Inside Your Network

Privileged Account Security

CyberArk Privileged Threat Analytics™: Detect and Disrupt In-progress Attacks

    The right data vs. all the data

    Privileged users vs. privileged accounts

    Patented analytic algorithms

    Real-time alerting vs. forensic analysis

    Integration with SIEM solutions

CyberArk Privileged Threat Analytics™: Collect. Detect. Alert. Disrupt.

Benefits of CyberArk Privileged Threat Analytics

Conclusion

CyberArk Privileged Account Security Solution

About CyberArk


The New Security Battleground: Inside Your Network

The new battleground for information security is inside your network. Perimeter security, such as firewalls and anti-malware, remains a necessary and important component of every security strategy. However, the perpetrators of advanced, targeted threats are aggressively breaking through the perimeter. Patient, cunning and armed with the resources to succeed, they will eventually find their way inside your organization. In addition, a “rogue insider” with legitimate access may abuse trusted privileges. Whether the threat originates externally or with a malicious insider, attackers will lie in wait as long as necessary to gain access to valuable assets, resulting in damaged reputations, financial losses and stolen intellectual property.

How do advanced attackers find their way to the heart of your enterprise? The pathway is the privileged account. According to information security firm Mandiant, advanced persistent threat attackers “prefer to leverage privileged accounts where possible, such as domain administrators, service accounts with domain privilege, local administrator accounts, and privileged user accounts.” Mandiant found that, of 141 companies attacked by Chinese cyber attackers, 90% of breaches involved privileged pathways. [2]

Privileged Account Security

To mitigate the risks of a serious breach, enterprises must adopt a security posture that specifically addresses their privileged account exposure. The key to privileged account security is to implement defense in depth: build layers of protection, recognizing that no single measure is enough to keep determined attackers out. Best-practice privileged account security takes the following approach:

1. Discovery

Automate discovery of privileged accounts found in every networked device, hypervisor, database, application, server and social media account on-premises, in the hybrid cloud, and in OT/SCADA systems.

2. Proactive Protection

Protect against the risks of shared credentials by eliminating shared logins, securing and encrypting privileged passwords, requiring strong authentication to privileged resources, and enforcing least-privilege access.

3. Isolation, Recording and Monitoring

Isolate privileged accounts to prevent the spread of malware to sensitive systems. Use session recording to provide an audit trail of all activity for privileged accounts, and implement live monitoring to track the activity that occurs during privileged user sessions.

4. Real-time Analytics

Detect in-progress attacks with real-time privileged account intelligence and respond immediately to alerts of suspicious behavior.

243: median number of days advanced attackers are on the network before being detected [1]

[1] https://www.mandiant.com/threat-landscape/#

[2] Mandiant, “Exposing One of China’s Cyber Espionage Units,” February 2013


CyberArk Privileged Threat Analytics: Detect and Disrupt In-progress Attacks

CyberArk Privileged Threat Analytics is an expert system for privileged account security intelligence. The solution provides targeted, immediately actionable threat alerts by identifying previously undetectable, malicious privileged user activity.

As the industry’s only targeted privileged threat analytics solution, CyberArk Privileged Threat Analytics calls attention to the most menacing of threats: those aimed at privileged accounts. By applying patented analytic algorithms to a rich set of privileged account behavioral data, the solution produces highly accurate and immediately actionable intelligence, allowing incident response teams to disrupt and respond directly to the attack.

Figure 1. The CyberArk Dashboard: Visual representations of incidents make it easy to quickly identify unusual behavior

The right data vs. all the data

CyberArk Privileged Threat Analytics focuses on the data that counts: privileged account user data. In an enterprise IT organization, countless security events occur daily, including innumerable false positives, so organizations struggle to know how to respond appropriately to the real threat. CyberArk Privileged Threat Analytics focuses on privileged accounts, where the highest risk of extensive damage, and the greatest opportunity to stop in-progress attacks, lies.

Privileged users vs. privileged accounts

Privileged accounts are typically shared accounts; they are not tied to an individual user. This prevents traditional analytics solutions from attributing activity to a single user. CyberArk Privileged Threat Analytics analyzes account behavior at the individual user level, delivering precise, context-aware, and immediately actionable alerts. An alert may indicate that an external attacker or a “rogue insider” (a trusted user abusing privilege) has taken over a privileged account. It could also indicate that a trusted user has made an unintentional error that could cause harm.


Patented analytic algorithms

Using proprietary algorithms that learn the behavior of the privileged user, CyberArk Privileged Threat Analytics compares real-time privileged account activity to historical privileged user behavior in order to detect anomalies as they occur. These anomalies are then correlated to immediately determine whether they reveal malicious intent. Are the incidents tied to one user? Do they target the same network asset? What action was taken? A greater correlation between incidents indicates a greater threat.

Real-time alerting vs. forensic analysis

Traditional forensic analysis on volumes of latent data brings insight into an organization but does not alert in real-time on active threats. CyberArk Privileged Threat Analytics provides alerts in real-time, sending intelligence to the product dashboard or to an existing SIEM and allowing organizations to take immediate action. E-mail notifications provide details of the incident and can be customized according to threat level, empowering security teams to disrupt attacks in progress.

CyberArk Privileged Threat Analytics can detect a privileged user who accesses a credential at an unusual time of day. By comparing the baseline behavior profile, which determines the regular hours that the user accesses the system, to real-time activity, CyberArk Privileged Threat Analytics will send an alert on any usage that occurs outside of regular hours.

The importance of this example was highlighted in the following excerpt from the February 2013 Mandiant APT1 report:

“…we were able to identify their working hours. Here is the average working hours for a week (the hour on the graph is UTC+1): Generally, the attackers worked between 2AM and 10AM from Monday to Saturday.” (Exhibit A)

The data indicates that the attacks came from China: 2AM to 10AM UTC+1 is 9AM to 5PM in China (UTC+8), a normal working day there but after hours in Europe and the US. A baseline of the legitimate user’s regular hours would flag exactly this kind of access.

Example: Access at an unusual time of day

Exhibit A: Mandiant APT1 working-hours chart (hours 00:00 to 16:00, UTC+1, by day of week Monday through Sunday)

Figure 2: CyberArk Privileged Threat Analytics dashboard, illustrating anomalies in time-of-day access. (Data from an actual CyberArk customer)


Integration with SIEM solutions

In addition to a proprietary dashboard built into the system, data and alerts from CyberArk Privileged Threat Analytics can be integrated into an organization’s existing SIEM system. This enhances the value of information delivered by the SIEM system, focusing on targeted privileged account risks and fine-grained user behavior.

CyberArk Privileged Threat Analytics: Collect. Detect. Alert. Disrupt.

1. Establish profile of privileged user behavior

CyberArk Privileged Threat Analytics automatically constructs a behavioral profile and maintains a baseline of every privileged user in the system. As a user’s typical behavior changes over time, the baseline profile adjusts to these changes.

2. Identify anomalies

Privileged user data is continuously fed into the CyberArk Privileged Threat Analytics Engine in real time. Using sophisticated logic, the system automatically looks for deviations from the baseline user profiles.

3. Correlate incidents and assign threat levels

Privileged Threat Analytics assigns scores to each individual anomaly, incident, or group of events, and to the system as a whole. Patented algorithms are used to analyze these anomalies and then correlate them to determine the threat level.

4. Disrupt and stop attacks

Alerts based on threat level can be sent immediately via email notifications that include details about the incident and a link that allows the recipient to drill down and review it further. In addition, all data can be reviewed on the built-in dashboard or fed into an organization’s existing SIEM solution.
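As an added illustration of the four steps above, of the time-of-day example on the previous page, and of the SIEM hand-off, the following Python is example code written for this brief, not CyberArk’s product code. It builds a per-user hour-of-day baseline from constructed log lines, scores live events against that baseline, correlates a user’s recent anomalies by target to assign a threat level, and formats the result as a CEF line of the kind a SIEM ingests. The log line format, the thresholds, the scoring, the user and host names, and the CEF vendor, product and signature values are all assumptions of the example.

```python
"""Toy time-of-day detector for privileged credential use (added example, not CyberArk code)."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format, constructed for this example:
#   2013-03-04T09:00:00Z user=alice account=svc_backup target=db01 action=retrieve
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) account=(?P<account>\S+) "
                     r"target=(?P<target>\S+) action=(?P<action>\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

class UserProfile:
    """Per-user hour-of-day histogram: the baseline that live activity is compared against."""
    ALPHA = 0.5  # Laplace smoothing so a never-seen hour is not probability zero
    def __init__(self):
        self.hours = Counter()
    def learn(self, ev):
        self.hours[ev["ts"].hour] += 1
    def surprise_bits(self, ev):
        """-log2 P(hour | user): how unusual this hour is for this user."""
        p = (self.hours[ev["ts"].hour] + self.ALPHA) / (sum(self.hours.values()) + 24 * self.ALPHA)
        return -math.log2(p)

class Detector:
    MIN_HISTORY = 20              # events needed before a user's baseline is trusted
    THRESHOLD_BITS = 5.0          # hours carrying under ~3% of a user's activity are anomalous
    WINDOW = timedelta(hours=24)  # correlation window for one user's anomalies
    def __init__(self):
        self.profiles = defaultdict(UserProfile)
        self.anomalies = []       # anomalous events kept for correlation
    def collect(self, line):
        """Step 1: build the baseline from historical activity."""
        ev = parse(line)
        self.profiles[ev["user"]].learn(ev)
    def detect(self, line):
        """Steps 2-3: score a live event, correlate, assign a threat level; None if normal."""
        ev = parse(line)
        prof = self.profiles[ev["user"]]
        if sum(prof.hours.values()) < self.MIN_HISTORY:
            prof.learn(ev)        # too little history to judge; keep learning
            return None
        bits = prof.surprise_bits(ev)
        if bits < self.THRESHOLD_BITS:
            prof.learn(ev)        # normal: the baseline drifts with the user's real habits
            return None
        # Anomalies are NOT folded into the baseline, so an intruder cannot "train" the
        # profile to accept off-hours use (this example's choice; fold in only after review).
        self.anomalies.append(ev)
        recent = [a for a in self.anomalies
                  if a["user"] == ev["user"] and ev["ts"] - a["ts"] <= self.WINDOW]
        same_target = [a for a in recent if a["target"] == ev["target"]]
        if len(same_target) >= 2:
            level = "high"        # repeated off-hours hits on one asset
        elif len(recent) >= 2:
            level = "medium"      # several off-hours events by one user
        else:
            level = "low"         # isolated anomaly
        return {"user": ev["user"], "account": ev["account"], "target": ev["target"],
                "action": ev["action"], "score_bits": round(bits, 2),
                "correlated": len(recent), "threat_level": level}

def to_cef(alert):
    """Step 4: render an alert as a CEF line for SIEM forwarding (placeholder vendor/product)."""
    severity = {"low": 3, "medium": 6, "high": 9}[alert["threat_level"]]
    ext = (f"suser={alert['user']} duser={alert['account']} dhost={alert['target']} "
           f"act={alert['action']} cn1={alert['correlated']} cn1Label=correlated")
    return f"CEF:0|Example|PTA-toy|1.0|100|Off-hours privileged access|{severity}|{ext}"

def constructed_history():
    """Constructed baseline: 'alice' uses svc_backup hourly 08:00-17:59 UTC on ten weekdays."""
    days = [datetime(2013, 3, 4, tzinfo=timezone.utc) + timedelta(days=d) for d in range(12)]
    return [day.replace(hour=h).strftime("%Y-%m-%dT%H:%M:%SZ")
            + " user=alice account=svc_backup target=db01 action=retrieve"
            for day in days if day.weekday() < 5 for h in range(8, 18)]

LIVE = [  # constructed live events: one normal, then three off-hours
    "2013-03-18T13:05:00Z user=alice account=svc_backup target=db01 action=retrieve",
    "2013-03-19T03:10:00Z user=alice account=svc_backup target=db01 action=retrieve",
    "2013-03-19T03:40:00Z user=alice account=svc_backup target=fs01 action=connect",
    "2013-03-19T04:05:00Z user=alice account=svc_backup target=db01 action=retrieve",
]

def run_example():
    det = Detector()
    for line in constructed_history():
        det.collect(line)
    return [det.detect(line) for line in LIVE]

if __name__ == "__main__":
    print(*(to_cef(a) if a else "normal" for a in run_example()), sep="\n")
```

Run it directly or call run_example(): the first live event (13:05 UTC, inside the user’s working hours) scores as normal and is folded into the baseline; the three 03:00 to 04:00 UTC events are flagged and escalate from low to medium (two off-hours events by one user within the window) to high (two off-hours hits on the same target). Two caveats a practitioner would want are made explicit in the code: a baseline is only trusted once it has enough history (MIN_HISTORY), and anomalous events are not learned automatically, because a baseline that absorbs every off-hours login would eventually accept an intruder’s working hours as the user’s own.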

Fig. 2 - CyberArk Privileged Threat Analytics process: privileged user data (system administrators, 3rd-party service providers, applications, select business users, social networking account managers) and systems data (virtual servers, servers, databases, applications, network and security devices) are collected into the Privileged Threat Analytics Engine (Collect, Detect, Alert), which feeds the CyberArk Dashboard and the SIEM.


Benefits of CyberArk Privileged Threat Analytics

§ Detect and disrupt attacks with analysis based on user behavior, eliminating the dependence on prior knowledge of attack signatures or sandboxing

§ Dramatically shorten an attacker’s window of opportunity and reduce damage with accurate, real-time alerting of in-progress attacks

§ Quickly assess privileged user activity and anomalies in convenient, easy-to-read graphs and tables

§ Enhance the value of existing SIEM solutions with out-of-the-box integrations. Reduce false positives by focusing on the critical privileged users, not shared accounts

§ Accelerate remediation with immediate access to detailed information about the attack, including specific user, activity and current account state

§ Adapt threat detection to a changing risk environment with self-learning algorithms that continuously adjust the baseline behavior profiles as the accepted behavior changes over time

§ Improve auditing processes with informative data on user patterns and activities.

Conclusion

Defense in depth is an approach that organizations must adopt to combat an increasingly aggressive threat landscape. Though perimeter security will keep out low-level attacks, and next-generation firewalls will slow attacks down, determined attackers will get inside the network. Privileged accounts are the most direct pathway to an organization’s most valuable assets. Privileged account security intelligence is a key component in defending against advanced attacks by providing targeted, intelligent analytics that empower organizations to disrupt in-progress attacks. Recognizing that attackers are already on the inside, analyzing and alerting on unusual privileged user behavior is a critical component of protecting against serious damage.

CyberArk Privileged Threat Analytics provides targeted and immediately actionable threat analytics on privileged accounts, the number one critical attack vector, by identifying previously undetectable malicious privileged user behavior. CyberArk Privileged Threat Analytics is an essential part of an organization’s overall security strategy that enables the incident response team to respond and disrupt in-progress attacks.


CyberArk Privileged Account Security Solution

CyberArk is the trusted expert in privileged account security. We have more experience with privileged account security than any other vendor and we put that expertise to work for our customers in a clear and effective approach to managing the risks associated with privileged accounts.

In addition to Privileged Threat Analytics, CyberArk offers the following products for proactive privileged account security. Together they provide the comprehensive protection, monitoring, detection, and reporting required to thwart the malicious insider and the advanced attacker.

Enterprise Password Vault® - Protection, management and audit of privileged credentials

Application Identity Manager™ - Protection, management and audit of embedded application credentials

Privileged Session Manager® - Isolation and control, session recording and live session monitoring

On-Demand Privileges Manager™ - Least privilege access control for UNIX, Linux and Windows

About CyberArk

CyberArk is the only security company laser-focused on striking down targeted cyber threats; those that make their way inside to attack the heart of the enterprise. Dedicated to stopping attacks before they stop business, CyberArk is trusted by the world’s leading companies – including 40 of the Fortune 100 – to protect their highest-value information assets, infrastructure, and applications.

For over a decade CyberArk has led the market in securing enterprises against cyber attacks that take cover behind insider privileges and attack critical enterprise assets. Today, only CyberArk is delivering a new category of targeted security solutions that help leaders stop reacting to cyber threats and get ahead of them, preventing attack escalation before irreparable business harm is done. At a time when auditors and regulators are recognizing that privileged accounts are the fast track for cyber attacks and demanding stronger protection, CyberArk’s security solutions master high-stakes compliance and audit requirements while arming businesses to protect what matters most.

With offices and authorized partners worldwide, CyberArk is a vital security partner to more than 1,400 global businesses, including:

§ 40 of the Fortune 100

§ 17 of the world’s top 20 banks

§ 8 of the world’s top 12 pharmaceutical companies

§ 75 of the leading energy companies

§ Global brands in retail, manufacturing and telecommunications/cloud

For additional information, visit www.cyberark.com.


All rights reserved. This document contains information and ideas, which are proprietary to Cyber-Ark Software Ltd. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, without the prior written permission of Cyber-Ark Software Ltd.

© 2000-2013 by Cyber-Ark® Software Ltd. All rights reserved.