CyberArk Security for the Heart of the Enterprise

Bogdan Tobol, Regional Sales Director, North/Eastern Europe

Anunak Attack Summary

Breach overview:
- Target: Financial institutions
- Attacker: Anunak cybercrime ring
- Motivation: Monetary
- Goal: Steal money directly from banks
- Outcome: >$25M stolen since 2H 2014

What happened?
- Anunak launched targeted attacks against several banks
- Gained privileged access to systems
- Transferred money to outside accounts
- Compromised ATMs to steal cash

The Carbanak attack was carried out by members of the Anunak cybercrime ring and primarily targeted several Russian and Eastern European banks. The goal of the attack was to steal money directly from banks, and the attacks were quite successful. In the second half of 2014 alone, the Anunak crime ring stole $25 million from the banks, and it is estimated that in total they have stolen hundreds of millions of dollars from banks, payment processors and retailers.

Large US Retailer: March 2014 Attack Summary

Company overview:
- Industry: Retail
- Employees: 27,000
- Headquarters: USA

What happened?
- Early 2014: 260,000 credit cards stolen from a large US retailer went up for sale
- Early 2015: The same retailer announced a second intrusion into POS systems

This large North American retailer operates more than 2,800 stores, has over 27,000 employees and generates an annual revenue near $4 billion. In March of 2014, over 260,000 credit cards went up for sale on a prominent crime shop named Rescator[dot]so. The one common thread among all the cards for sale was that each had been used at stores belonging to the same large US retailer. Notably, the cards for sale were listed by zip code, enabling purchasers to buy locally to increase the likelihood the cards would work. The inclusion of zip code information was an intentional countermeasure to avoid geo blocks placed by banks on credit cards following another major retail breach. These bank-set geo blocks immediately restricted the physical area in which cards could be used, meaning out-of-state card purchasers would have no luck using the stolen cards. Learning from this limitation, Rescator posted card zip code information so that purchasers could buy locally to avoid the blocks. To the researchers investigating this breach, however, the presence of zip codes provided insight into just how many stores were breached. While the retailer claimed that far fewer cards were actually stolen and only a limited number of locations were impacted, the evidence gathered from Rescator's site suggested otherwise: most if not all stores were breached, and the true number of stolen cards was closer to 260,000. Today we will discuss this attack, which occurred in early 2014, but it is also notable that this same retailer recently confirmed a second POS intrusion that put some card data at risk. It is still undetermined whether this is truly a second incident or whether the first incident was not fully remediated.
Sony Pictures Entertainment Breach Summary

Company overview:
- Industry: Media/Entertainment
- Revenue: $8 billion
- Employees: 6,500
- Headquarters: California, US

What happened:
- What was taken: IP, IT information, employee PII, and more
- Alleged threat actor: North Korea
- Likely motivation: Brand damage
- Impact: Complete loss of IT control, brand damage, pulled movie premiere

The Sony Pictures Entertainment breach is arguably the most well-known data breach due to its target, attack methods and outcome. Sony employees walked into work and turned on their computers to find the notice "Hacked by GOP." The attackers publicly gave Sony an ultimatum: pull the release of The Interview, or have all your data publicly leaked.

The facts: Sony Pictures is an $8 billion media company with 6,500 employees, based in Southern California. At the time of the attack, Sony was about to release the comedy The Interview, in which unlikely assassins are hired to kill Kim Jong-un, the supreme leader of North Korea. The perpetrators claimed that the goal of the attack was to prevent the release of The Interview and to significantly embarrass Sony until they agreed. Attackers stole intellectual property, employee salary data, personal information, and detailed information about the IT infrastructure, among other things. Following the attack, Sony suffered complete loss of control over its IT environment, suffered public embarrassment, and ultimately pulled the movie release. Moreover, Sony's chief executive was forced to resign due to the content of publicly released personal information. Following an investigation, the US government publicly attributed the attack to North Korea, though there is speculation that this may not be the full story.

Privileged Accounts are Targeted in All Advanced Attacks
"APT intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts."

100% of breaches involved stolen credentials.

Source: Mandiant, M-Trends and APT1 Report

Privileged Accounts Are a Built-in Vulnerability

Simply put, privileged accounts are built-in vulnerabilities throughout your infrastructure. Put yourself in the hacker's shoes: need access to a particular network segment, or want to change firewall rules to enable external communication? Want to gain access to the domain controller? Want to dump the database table to capture a competitor's customer list? Unprotected, unmonitored privileged accounts are the way to go.

Privileged Credentials are Everywhere

Privileged accounts exist across the whole estate: routers, firewalls, hypervisors, servers, databases and applications; laptops, tablets and smartphones; power plants and factory floors; WiFi routers and smart TVs.

Where are your privileged accounts? They are everywhere, in every piece of hardware and software. They exist across the entire IT stack, including data, applications, endpoints and the network. A privileged user is any user that has the capability to change, alter or impact the operational service of a business process. So, in any organization, this includes not only system administrators but also some people you may not consider privileged users today. Think about some of your business users and even social networking account managers. Do they have access privileges to impact important business processes?

Privilege is At The Center of the Attack Lifecycle

Slide diagram: typical lifecycle of a cyber attack, with privilege at the center.

Hijacked Credentials Put the Attacker in Control

Compromised privileged accounts on routers, firewalls, hypervisors, servers, databases, applications, laptops, tablets, smartphones, WiFi routers, smart TVs, power plants and factory floors enable attackers to:
- Bypass security controls & monitoring
- Access all of the data on the device
- Disrupt normal operation of the device
- Cause physical damage

CyberArk Breaks the Attack Chain

CyberArk Delivers a New Critical Security Layer
Layers shown on the slide: perimeter security; security controls inside the network; monitoring; privileged account security.

CyberArk provides a critical new layer in the overall security strategy, because it delivers both proactive protection and threat detection in the critical path of privileged accounts, the target of every external and insider attack.

Privileged Account Security Across the Stack

Slide diagram: network security, end-point security, application security and data security, with privileged account security spanning network, end-point, applications and data.

Solving The Privileged Account Security Problem

Environments: Enterprise, Cloud, SCADA/ICS

Threats:
- Advanced, external threats
- Insider threats
- Securing application credentials
- Securing shared admin accounts

Audit & compliance:
- Control & accountability for privileged users
- Monitor & record privileged activity
- Compliance reporting
- Remote user access control

We've talked a lot about how critical privileged account security is to addressing advanced threats and malicious insiders. But it's important to know that industry and government compliance standards and regulations also require the protection and monitoring of privileged accounts. We address these issues in your physical on-premises environment, across private, hybrid and public cloud environments, as well as in SCADA and industrial control environments, where we already have over 100 deployments.

Comprehensive Controls on Privileged Activity

- Lock down credentials: protect privileged passwords and SSH keys (Enterprise Password Vault, SSH Key Manager, Application Identity Manager)
- Isolate & control sessions: prevent malware attacks and control privileged access (Privileged Session Manager, On-Demand Privileges Manager (OPM) for Unix and Windows)
- Continuously monitor: implement continuous monitoring across all privileged accounts (Privileged Threat Analytics)
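One concrete form of the "continuously monitor" control above is to correlate privileged logons with vault checkouts: a privileged account that authenticates while nobody holds a checkout for its credential points to an unmanaged copy of that credential, and a logon from a host the account has never been used from is a second signal worth an analyst's attention. The block below is an added example written for this page, not CyberArk product code; the checkout and logon log formats, the account and host names, and the source baseline are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed vault checkout log: who retrieved which privileged credential, when,
# and the checkout lifetime in seconds. Format and values are invented for this example.
VAULT_CHECKOUTS = """\
2015-03-02T08:55:00 checkout account=DOMAIN\\svc-backup user=alice ttl=3600
2015-03-02T13:10:00 checkout account=DOMAIN\\Administrator user=bob ttl=1800
"""

# Constructed authentication log: successful logons by accounts classified as privileged.
PRIV_LOGONS = """\
2015-03-02T09:02:14 logon account=DOMAIN\\svc-backup src=backup01 dst=fs01
2015-03-02T13:25:40 logon account=DOMAIN\\Administrator src=ws-bob dst=dc01
2015-03-02T14:12:05 logon account=DOMAIN\\Administrator src=ws-bob dst=dc01
2015-03-02T23:47:31 logon account=DOMAIN\\svc-backup src=ws-147 dst=dc01
"""

# Constructed baseline: the hosts each privileged account is normally used from.
KNOWN_SOURCES: Dict[str, Set[str]] = {
    "DOMAIN\\svc-backup": {"backup01"},
    "DOMAIN\\Administrator": {"ws-bob"},
}


@dataclass
class Checkout:
    account: str
    user: str
    start: datetime
    end: datetime


@dataclass
class Logon:
    account: str
    src: str
    dst: str
    when: datetime


def _fields(line: str) -> Tuple[datetime, Dict[str, str]]:
    """Split '<timestamp> <kind> k=v k=v ...' into a datetime and a key/value dict."""
    ts, _kind, *kvs = line.split()
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in kvs)


def parse_checkouts(text: str) -> List[Checkout]:
    out = []
    for line in text.splitlines():
        when, kv = _fields(line)
        end = when + timedelta(seconds=int(kv["ttl"]))
        out.append(Checkout(kv["account"], kv["user"], when, end))
    return out


def parse_logons(text: str) -> List[Logon]:
    return [Logon(kv["account"], kv["src"], kv["dst"], when)
            for when, kv in (_fields(line) for line in text.splitlines())]


def triage(logons: List[Logon], checkouts: List[Checkout],
           known_sources: Dict[str, Set[str]]) -> List[Tuple[Logon, List[str]]]:
    """Return (logon, reasons) for every privileged logon that deserves review."""
    alerts = []
    for lg in logons:
        reasons = []
        # A managed credential is only in use while some checkout window covers the logon.
        covered = any(c.account == lg.account and c.start <= lg.when <= c.end
                      for c in checkouts)
        if not covered:
            reasons.append("no vault checkout covering this logon")
        if lg.src not in known_sources.get(lg.account, set()):
            reasons.append("unfamiliar source host")
        if reasons:
            alerts.append((lg, reasons))
    return alerts


if __name__ == "__main__":
    for lg, reasons in triage(parse_logons(PRIV_LOGONS),
                              parse_checkouts(VAULT_CHECKOUTS), KNOWN_SOURCES):
        print(f"{lg.when.isoformat()} {lg.account} {lg.src}->{lg.dst}: {'; '.join(reasons)}")
```

Run as a script, the two in-window logons are silent, the 14:12 Administrator logon is flagged because bob's 30-minute checkout expired at 13:40, and the late-night svc-backup logon is flagged twice: no checkout at all, and an unfamiliar workstation as the source.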
- Install kernel-mode rootkits
- Install system-level key loggers
- Install malicious ActiveX controls, including IE and Explorer extensions
- Install spyware and adware
- Install malware; Pass-the-Hash exploits
- Install and start services
- Stop existing services (such as the firewall)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on to that system
- Replace OS and other program files with Trojan horses
- Disable/uninstall anti-virus
- Create and modify user accounts
- Reset local passwords
- Render the machine unbootable
- And more

How do you handle events that generally require local admin rights?

Pain varies based on role and on the current state of admin privilege management. Two scenarios: users have local admin rights, or local admin rights have been removed.

Buyer: Operations Team (Desktop Engineering, IT Planning and Engineering, Director of IT)
- Pain when users have local admin rights: spends lots of time fixing damage and remediating incidents on users' laptops
- Pain when local admin rights are removed: handles constant help desk calls as users need privileges to install and run approved applications
- Questions to ask: How much time and effort do you spend responding to endpoint incidents? How do you handle events that generally require local admin rights?

Buyer: Security Team (Security Analyst, Security Architect, Director of IT Security)
- Pain when users have local admin rights: limited ability to protect the organization due to a giant, unmanaged attack surface
- Pain when local admin rights are removed: forced to manage privilege creep, as users regain local admin rights to run business applications
- Questions to ask: How many security incidents could you prevent each year by eliminating local admin rights? How do you revoke local admin rights once they are no longer needed by business users?

Recap: Least Privilege + App Control = Reduced Risk

- Least privilege: limit privileges for business and administrative users. Gap: malicious applications that don't need privileges can still get in.
- Application control: only allow whitelisted, trusted applications. Gap: applications that require privileges force users to hold local admin privileges.

Why is this important: when we look at data around advanced attacks, most start with phishing against non-privileged business users. The numbers show that a phishing campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminals' prey. Once the attacker is in, they can exploit local admin privileges to advance the attack.

Individually, least privilege alone limits the privileges of business and administrative users, which is a good thing. But if an organization has removed admin rights yet is not monitoring and controlling which applications are allowed to run in its environment, a rogue application containing malware that does not require admin rights can enter the infrastructure, execute and penetrate the environment. Alternatively, if you're only doing application control, then you can be stuck in a situation where a whitelisted application requires privileges to run. In this case, to run the application, the IT team has to give local admin privileges back to the users. Over time, organizations can end up with most of their users having local admin rights if they need applications that require privileges.

Despite their individual shortcomings, when used together these controls can be extremely effective. Combined, we can:
- Reduce the attack surface by preventing known bad applications from executing
- Limit what malware can do by limiting the privileges granted to unknown applications

Combined, least privilege and application control enable organizations to reduce the attack surface and block the progression of malware-based attacks.

Privileged Accounts are Targeted in All Advanced Attacks
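The two gaps described above, and the way per-application elevation closes the second one, can be written down as a small decision model and evaluated for every combination of application type and policy. The block below is an added example for this page, not CyberArk's endpoint product logic: the publisher allowlist, the sample applications and the three policy profiles are constructed, and "per-application elevation" stands for any mechanism that elevates a specific trusted program rather than granting the user admin rights.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    BLOCKED = "blocked"
    RUN_STANDARD = "runs as a standard user"
    RUN_ELEVATED = "runs elevated by per-application policy"
    RUN_WITH_USER_ADMIN = "runs with the user's own local admin rights"


@dataclass(frozen=True)
class App:
    name: str
    publisher: str       # code-signing publisher; constructed values in the sample
    needs_admin: bool    # the program fails without administrative rights


@dataclass(frozen=True)
class Policy:
    least_privilege: bool     # business users hold no local admin rights
    app_control: bool         # only allowlisted publishers may execute
    per_app_elevation: bool   # allowlisted apps that need admin are elevated individually


# Constructed allowlist of trusted publishers.
TRUSTED_PUBLISHERS: Set[str] = {"Contoso Corp", "Fabrikam Ltd"}

LEAST_PRIV_ONLY = Policy(least_privilege=True, app_control=False, per_app_elevation=False)
APP_CONTROL_ONLY = Policy(least_privilege=False, app_control=True, per_app_elevation=False)
COMBINED = Policy(least_privilege=True, app_control=True, per_app_elevation=True)


def decide(app: App, policy: Policy, trusted: Set[str] = TRUSTED_PUBLISHERS) -> Decision:
    """Outcome of an execution request under a given policy profile."""
    allowlisted = app.publisher in trusted
    if policy.app_control and not allowlisted:
        return Decision.BLOCKED                 # unknown code never starts
    if not app.needs_admin:
        return Decision.RUN_STANDARD            # gap 1: unknown code that needs no privilege
    if allowlisted and policy.per_app_elevation:
        return Decision.RUN_ELEVATED            # trusted app elevated, user stays standard
    if policy.least_privilege:
        return Decision.BLOCKED                 # approved app cannot run: the help desk call
    return Decision.RUN_WITH_USER_ADMIN         # gap 2: admin rights handed back to the user


# Constructed sample workload: two approved business apps, two unsigned unknowns.
SAMPLE_APPS: List[App] = [
    App("payroll-client", "Contoso Corp", needs_admin=False),
    App("legacy-erp", "Fabrikam Ltd", needs_admin=True),
    App("phish-attachment", "unknown", needs_admin=False),  # malware that needs no privileges
    App("unknown-dropper", "unknown", needs_admin=True),    # malware that needs admin
]

PROFILES: Dict[str, Policy] = {
    "least privilege only": LEAST_PRIV_ONLY,
    "app control only": APP_CONTROL_ONLY,
    "combined": COMBINED,
}


def matrix(apps: List[App] = SAMPLE_APPS,
           profiles: Dict[str, Policy] = PROFILES) -> Dict[str, Dict[str, str]]:
    """Outcome for every app under every profile, keyed by profile then app name."""
    return {name: {app.name: decide(app, pol).value for app in apps}
            for name, pol in profiles.items()}


if __name__ == "__main__":
    for profile, outcomes in matrix().items():
        print(profile)
        for app_name, outcome in outcomes.items():
            print(f"  {app_name:18} {outcome}")
```

The printed matrix makes the slide's two gaps visible as specific rows: under "least privilege only" the no-privilege attachment still runs, under "app control only" the approved ERP client runs with the user's own admin rights, and only the combined profile blocks both unknowns while letting the ERP client run elevated and the user remain a standard account.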
"Anything that involves serious intellectual property will be contained in highly secure systems, and privileged accounts are the only way hackers can get in." (Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2012)

Can We Really Isolate All Critical Networks?

The assumption that all critical networks could be isolated is very problematic:
- Removable media
- Mistakes and temporary connections
- Remote access

How do we design a truly secure remote access system? A design that will also help secure against the first two types of threat.

Securing Access Into the ICS/OT Network

Slide diagram, labels as recoverable: Corporate Network (third-party vendor, supervisor); DMZ firewall (VPN, web portal); DMZ containing the PSM with password retrieval from the Vault and session recording, plus anti-virus & content filtering; ICS firewall; ICS Network (UNIX servers, databases, SCADA devices, routers & switches, Windows servers).

SSH Keys: A Critical Privileged Account Problem

SSH keys are commonly used by users and machines to access privileged accounts. They are an attack vector commonly used to gain access to critical systems.

51% of companies report being impacted by SSH key related compromises (source: Ponemon Institute).
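Before SSH keys can be brought under management they have to be found and assessed, and the place to start is the authorized_keys files on privileged accounts. The block below is an added example for this page, not CyberArk's SSH Key Manager: it parses authorized_keys content (options prefix, key type, base64 blob, comment), decodes the blob far enough to measure RSA modulus size, and reports keys with deprecated types, short moduli, or no from=/command= restrictions. The sample file is constructed in code from synthetic, non-functional key material.

```python
import base64
import struct
from typing import Dict, List, Optional

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048


def _sshstr(b: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length prefix followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH 'mpint': big-endian two's complement; the spare byte keeps positive values positive."""
    return _sshstr(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_str(blob: bytes, pos: int):
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length


# --- constructed sample data: synthetic blobs, not real keys -------------------------
def _fake_blob(key_type: bytes, *fields: bytes) -> str:
    return base64.b64encode(_sshstr(key_type) + b"".join(fields)).decode()


def _fake_rsa(bits: int) -> str:
    n = (1 << (bits - 1)) | 1  # an odd number of the requested size; not a real modulus
    return _fake_blob(b"ssh-rsa", _mpint(65537), _mpint(n))


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for root on a database server",
    f"ssh-rsa {_fake_rsa(1024)} legacy-backup@oldhost",
    f'from="10.0.5.20",command="/usr/local/bin/run-backup",no-pty ssh-ed25519 '
    f'{_fake_blob(b"ssh-ed25519", _sshstr(bytes(32)))} backup-job',
    f'ssh-ed25519 {_fake_blob(b"ssh-ed25519", _sshstr(bytes(32)))} dba-laptop',
    f"ssh-dss {_fake_blob(b'ssh-dss', _mpint(1), _mpint(1), _mpint(1), _mpint(1))} old-dss-user",
])


def _split_fields(line: str) -> List[str]:
    """Split on whitespace while keeping quoted option values (which may contain spaces) intact."""
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        fields.append(cur)
    return fields


def audit_authorized_keys(text: str) -> List[Dict]:
    """Return one record per key with the findings a reviewer would want to see."""
    report = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = _split_fields(line)
        options, rest = ("", fields) if fields[0] in KEY_TYPES else (fields[0], fields[1:])
        if len(rest) < 2:
            report.append({"comment": line, "type": None, "bits": None, "options": options,
                           "findings": ["unparseable authorized_keys line"]})
            continue
        key_type, b64, comment = rest[0], rest[1], " ".join(rest[2:])
        findings: List[str] = []
        bits: Optional[int] = None
        try:
            blob = base64.b64decode(b64, validate=True)
            blob_type, pos = _read_str(blob, 0)
            if blob_type.decode() != key_type:
                findings.append("key type field does not match the encoded key blob")
            if key_type == "ssh-rsa":
                _, pos = _read_str(blob, pos)          # public exponent e (not needed)
                n_bytes, _ = _read_str(blob, pos)      # modulus n
                bits = int.from_bytes(n_bytes, "big").bit_length()
                if bits < MIN_RSA_BITS:
                    findings.append(f"RSA modulus is {bits} bits, below the {MIN_RSA_BITS}-bit minimum")
        except (ValueError, struct.error):
            findings.append("could not decode key blob")
        if key_type == "ssh-dss":
            findings.append("ssh-dss is deprecated (1024-bit DSA; disabled by default since OpenSSH 7.0)")
        if "from=" not in options:
            findings.append("no from= restriction: usable from any source address")
        if "command=" not in options:
            findings.append("no command= restriction: grants a full interactive session")
        report.append({"comment": comment, "type": key_type, "bits": bits,
                       "options": options, "findings": findings})
    return report


if __name__ == "__main__":
    for rec in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(rec["type"], rec["bits"], rec["comment"], "->", rec["findings"] or "ok")
```

On the constructed file only the backup job's key passes cleanly: it is a modern key type pinned to one source address and one forced command, which is the shape an unattended machine-to-machine key should have. The 1024-bit RSA key, the unrestricted laptop key and the DSA key are each reported with the specific reason, which is the inventory a key-rotation or vaulting project starts from.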
Layers of Security in the Digital Vault

Layers shown on the slide: hierarchical encryption; vault safes; tamper-proof auditability; comprehensive monitoring; session encryption; segregation of duties; authentication; firewall.

The CyberArk Digital Vault was built from the ground up with security in mind. The Digital Vault includes seven layers of security to ensure the highest levels of protection of your most sensitive credentials, files, and audit logs. The vault includes:
- Layered encryption to protect data in storage and at rest
- A built-in firewall to ensure that only authorized traffic is able to access the vault
- Integration with a variety of strong authentication methods to assure the identity of your users
- Segregation of duties to ensure that privileged credentials can only be accessed by authorized users for approved business reasons
- Comprehensive monitoring to rapidly detect system issues and security events

Sensitive Information Management

Easy, Secure and Compliant File Sharing
- SHARE: sensitive documents between users
- AUTOMATE: file transfers between applications
- AUDIT: file sharing and access to sensitive documents

To complement CyberArk's PAS solution, CyberArk also offers Sensitive Information Management to help organizations protect their most sensitive documents while enabling secure collaboration between internal teams, partners, and customers. Sensitive Information Management enables easy, secure and compliant file sharing between authorized users and applications. Users can create safes to share files with trusted users and applications. Granular access controls and strong encryption mean that trusted parties can share and access sensitive files while keeping those files safe from unauthorized eyes. Segregation of duties means IT teams are able to administer and support the platform without having access to any of the underlying sensitive files. With SIM, trusted users are able to easily exchange sensitive documents without putting the information at risk.

SIM's automated distribution and collection capabilities also enable trusted systems to share large amounts of data. As an example, several of our customers use SIM to automatically transfer employee time and pay information to ADP systems to simplify and secure payroll processes.

To help our customers meet compliance requirements, SIM enables IT teams to audit file access. They can audit who and what has access to which safes to ensure that access controls are properly enforced. They can also report on who has accessed which files, and whether certain files were viewed or downloaded. The full, tamper-proof audit trail combined with easy reporting enables IT teams and auditors to pull the precise data needed to prove compliance with applicable industry regulations.

Lastly, SIM supports a variety of interfaces and can be accessed in a variety of ways, including web access via a portal, an Outlook add-in to securely send files, and a mobile app to access and share files via tablets while on the go. The flexibility in access choices enables users to stay productive whether they are in the office, working from home or on the road, while keeping sensitive information secure.

CyberArk Overview

Trusted experts in privileged account security:
- 1,900 privileged account security customers
- 40% of Fortune 100
- Slide figures: 30% | 40% | 56% growth
- Approach privileged accounts as a security challenge
- Designed and built from the ground up for security
- Twelve years of innovation in privileged account controls, monitoring and analytics
- First with vault, first with monitoring, first with analytics
- Over 100 software engineers, multiple patents

CyberArk is the trusted expert in Privileged Account Security; we focus our innovation and security expertise solely on these privileged accounts. And our approach is purely from a security perspective, rather than an identity management and automation perspective. We view this as a security challenge and have designed our products from the ground up with that in mind. We have 1800 global customers, including 40% of the Fortune 100 and 18% of the Global 2000, so we have seen more and done more with privileged accounts than any other vendor out there. We have over 12 years of innovation built into our solution. We were the first to bring a password vaulting solution to market, the first enterprise-scalable application identity management solution, the first to offer integrated session monitoring with isolation and control, and most recently we released Privileged Threat Analytics, the first targeted analytics product aimed at detecting unusual behavior on privileged accounts.

CyberArk has the industry's only comprehensive privileged account security solution. CyberArk serves customers in more than 65 countries and sells its products and services direct as well as through an extensive network of more than 200 global partners. CyberArk is a well-funded, profitable and cash-flow-positive company. Our growth accelerated to 56% year-over-year in 2014, we have a strong balance sheet and have been profitable for several years.

- Only comprehensive privileged account security solution
- One solution, focused exclusively on privileged accounts
- Enterprise-proven

IDC Names CyberArk the PAM Market Leader

"CyberArk is the PAM pure-play big gorilla with the most revenue and largest customer base." Source: IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, by Pete Lindstrom, December 2014, IDC Document #253303

Trusted by Customers Worldwide
- Over 1,900 global customers
- 40% of Fortune 100
- 19% of Global 2000

Thank you