Tech Tak: Threat Analytics for Privileged Access Management

14
World ® ’1 6 Tech Talk: Threat Analytics for Privileged Access Management Shawn Croswell Principal Consultant, Cybersecurity – CA Technologies SCT05T SECURITY

Transcript of Tech Tak: Threat Analytics for Privileged Access Management

Page 1: Tech Tak: Threat Analytics for Privileged Access Management

World®’16

TechTalk:ThreatAnalyticsforPrivilegedAccessManagementShawnCroswellPrincipalConsultant,Cybersecurity– CATechnologies

SCT05T

SECURITY

Page 2: Tech Tak: Threat Analytics for Privileged Access Management

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation

Page 3: Tech Tak: Threat Analytics for Privileged Access Management

3 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Agenda

MINDINGTHEGAP

THREATANALYTICSFORCAPRIVILEGEDACCESSMANAGER(CAPAM)

AUGMENTINGPAMDATA

DEPLOYINGTHREATANALYTICSFORPAM

USECASES

1

2

3

4

5

Page 4: Tech Tak: Threat Analytics for Privileged Access Management

4 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

MeaningfulGapsEnterpriseDefensesAreStatic

ProvisioningProvidenewusers

withaccesstoresources

Enterprisesecuritysolutionsdon’tadaptbasedonbehaviorhowdataisaccessed,usedormisused

Compromisedaccounts

Privilegedaccessandinsiders

AWS

SIEM IDS

Untrustedendpoints

AuthenticationValidateidentitywhenaccessrequested

Badguysexploitthisgaptotheiradvantage

PrivilegedAccess

Limitadminandsystemcontrolaccess

Identity&AccessManagement

Manageandreportonaccessprovided

Page 5: Tech Tak: Threat Analytics for Privileged Access Management

5 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CAThreatAnalyticsFillstheSecurityGapEnablingPrivilegedAccessManagementWithAnalytics

CATechnologiesisamarketleaderinprovidingdatasciencebasedfraudanalyticstobanks

Sameapproachusedincreditcardsecurity

Analytics enablesecurity

Continuousbehaviormonitoringof howvaluableassetsareaccessedandused

Mathematicalmodels of individualentitiesdetectbehaviorvariations

Automatedtriggering ofadaptivecontrolstomitigateriskandlimitdamage

Provide insightintorisk,pastactivitiesandsystemoperations

Page 6: Tech Tak: Threat Analytics for Privileged Access Management

6 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CAThreatAnalyticsforCAPrivilegedAccessManager(CAPAM)ComplexAnalyticCapabilitiesDeliveredinanEasy-to-deploy,Easy-to-useSolution

Advancedanalytics

Entity- relationshipmapping

Intuitiveriskdecisions&automatedmitigationsRawdata

§ Focusondomainspecificcontextualdata– forPAM,initiallyauthentication&connectionevents

§ FutureintegrationwithotherCAproducts(andtheircontextualdata)enableeffortlessandaccurateaccesstoeventdata

§ Systemextractscriticalinformationaboutactivitiesandenvironment⎻ Locations⎻ Systemaccess⎻ Devices⎻ Sensitivity

§ Behaviorcapturedandmodeledforfastevaluation

§ Changesinmodelareevaluatedtodetectriskandmaliciousactivity

§ Triggerautomatedcontrolstomitigaterisk

§ Startasessionrecording

§ Forceare-authentication

§ Generateactionablealerts

§ Enablecontextrichreporting

Page 7: Tech Tak: Threat Analytics for Privileged Access Management

7 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CAThreatAnalyticsforPAM:Super-ChargingPAM!Domain-specificAnalyticstoDefendAgainstRealWorldAttacks

Compromisedidentity

High-riskinsideractivity&threat

Insightandincidentresponsesupport

Automaticallytriggermitigations§ Alerting§ Reportingandinsightintosystemuseandrisk

Authorizeduseractionsthatposeseriousrisks:§ Contractors§ Partners§ Policyviolators§ Disgruntledanddepartingemployees

Identitiescompromisedbyattacksthatinclude:§ Phishing§ Weakpasswords§ Malware§ Compromiseddevices§ Man-in-the-middle

Blindspotsinhowsystemsareused.NeedquickresponsestoincidentsandSOCinquiries:§ IdentifyusersandriskyactivityassociatedwithIP,devices,dataassets

Detect

Mitigate

Breachprevention OperationalinsightsImprovedcompliance

§ Automatedsessionrecording§ Re-authentication

Results

Page 8: Tech Tak: Threat Analytics for Privileged Access Management

8 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

SimpletoDeploy;QuickTimetoValue

CAThreatAnalytics

forPAM

CAPrivilegedAccess

Manager

Adifferentapproach

üPAMspecificanalyticsandcapabilities- notagenerictoolkitortoolthatrequires$andtimetodeploy

üEnterpriseimmediatelyhasnewdetectioncapabilities,controlsandinsights

üComplementsSIEMandbigdataanalyticeffortsbyprovidingPAMdomainspecificanalyticinsights,andcorrelations

Deploymentrequirestheinstallationofasingle

virtualmachine.(Alldataandcomponentsarefully

underyourcontrol.)

SystemautomaticallyaccessesandbeginsanalyzingPAMuser

activities

CustomeraccessesnewinsightsandriskcapabilitiesviaPAM

1

23

Page 9: Tech Tak: Threat Analytics for Privileged Access Management

9 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Demo:OverseasContractorUseCaseInsiderThreatDetectionandMitigation

Result:Successfuldetectionandquickmitigationofinsiderthreat

CAThreatAnalyticsforPAM

Activitycontinuouslymonitoredinbackground

Sessionrecordingautomaticallyinitiated

IncidentreportforcomplianceofficerorSOC

Overseascontractors

High-risksessionbehaviorisdetected

PCI

Continuousmonitoringandanalysisofaccessenablessystemto:§ Monitoraccessforallusers,includingBangalore-based

contractorsauthorizedtouseshareddatabaseandserveraccounts

§ Identifyhighlyunusualsessionactivitiesofindividualoverseasdeveloperthatinclude:-- Unusualsessionactivitiesandlengthsbasedonindividualandotherenterpriseusers

-- Accesstolargenumberofsensitivesystems,manyforthefirsttime

-- RemoteDesktopProtocolaccesstoahigh-riskPCIserver

Thisbehaviorposeshighriskandisnotconsistentwithpastactionsoftheuserortheenterprise.

§ CAThreatAnalyticsforPAMautomaticallytriggerssessionrecordingforreview

§ Admingeneratesincidentreportforcomplianceofficer/SOC

CAPrivilegedAccessManager

Page 10: Tech Tak: Threat Analytics for Privileged Access Management

10 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Demo:IncidentResponseUseCase

TheEnterpriseSOCisinvestigatingahighpriorityincidentandwantstoknow– “WhatinformationcanthePAMAdminprovidetoassist?”

UsingtheIPaddressprovidedbytheSOC– thePAMadmincansearchBAforPAMandquickly:- IdentifyallusersassociatedwithIPaddress- Inspectaccessandactivitiesofthemostsuspicioususer- ProvideIRteamwithidentityofthesuspicioususer- NavigatetoInsightpagetogetalldormantaccountstoprovidetoIRteam

also

CAThreatAnalyticsforPAM’sabilitytocorrelateaccessactivity,IPaddresses,sessions,andriskprovideimmediate valuetoinvestigations.

§ Tomitigatefutureattacks-- PAMadminaddssuspiciousIPaddressthreatintelligencetoBAforPAM.Futureactivityisthenautomaticallydetectedandanalyzed.

§ PAMadminconfiguresTAforPAMtosendautomatedalertstoSIEMwhenanyactivityrelatedtoasuspiciousIPisdetected

PAMAdminClosestheDooronAttackers

Result:CAThreatAnalyticsforPAMprovidesimmediatevaluetoincidentresponseeffortsandclosesthedooronfutureattacks

AutomatedAlertstoSIEM/SOC

CAPAMCAThreatAnalyticsforPAM

Activitycontinuouslymonitored

ThreatintelligenceusedbyTAtoproactively

addressfuturethreats

IRTeam

Immediateinsightregardingusers,activity,

risk,etc

!

ThreatIntellusedbyAnalytics

Canyouhelp….attackfrom

193.105.219.210?!

Page 11: Tech Tak: Threat Analytics for Privileged Access Management

11 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

AnalyticsandIntelligentControls

CAThreatAnalyticsforPAM

§ Offersanadd-onthatsuperchargesexistingCAPrivilegedAccessManagercapabilities

§ Enablesautomateddetection,mitigationandalertingforcriticalthreats

§ Easydeployment: Deploysassingle,virtualmachine—nospecialskillsorsignificanteffortrequired

§ Quicktoprovidevalue: Immediately deliverscompellinguserexperiencewithhuman-understandableriskandinsights

Solutionsummary

§ Automaticallyestablishesnormaloperatingprofilesforusersandenterprisebasedonobservedbehavior

§ Useshistoricandreal-timeactivitytoassesscontextandanalyzerisk

§ Providesmeaningfulinsightregardinguserandsystemactivities

§ Triggerriskmitigationsandcontrolsincludingtriggeringsessionrecording

AdvancedAnalyticsand

AutomatedMitigation

Page 12: Tech Tak: Threat Analytics for Privileged Access Management

12 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

CAThreatAnalyticsforPAM• ExtendsandsuperchargesexistingCAPrivilegedAccessManagercapabilitiesbyenablingautomated

detection,mitigationandalertingforcriticalthreats.Providescustomizationsthatcustomerscanadjusttomeettheuniqueneedsofeachorganization.

• Deliverseasytodeploy,add-oncapabilityasasinglevirtualmachineandrequiresnospecialskillsoreffortgetupandrunning.

• Providesvaluebyimmediatelydeliveringacompellinguserexperiencewithhuman-understandableriskandinsights.

Summary

Page 13: Tech Tak: Threat Analytics for Privileged Access Management

13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Don’tMissOurINTERACTIVESecurityDemoExperience!

SNEAKPEEK!

13 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Page 14: Tech Tak: Threat Analytics for Privileged Access Management

14 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

Wewanttohearfromyou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.

§ ITCSstaffwillbeatmostsessions.Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.

Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired


Creating Privileged Moments

Creating Privileged Moments

Keeping up with the Hack-Dashians Data Encryption for IMS ... Encryption.pdfthe Hack-Dashians Data Encryption for IMS and ... Increasing Insider Threat Employees with privileged access

Keeping up with the Hack-Dashians Data Encryption for IMS ... Encryption.pdfthe Hack-Dashians Data Encryption for IMS and ... Increasing Insider Threat Employees with privileged access

1 Hitachi ID Privileged Access Manager - IAM Solutions · Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged

1 Hitachi ID Privileged Access Manager - IAM Solutions · Hitachi ID Privileged Access Manager works by randomizing privileged passwords and connecting people and programs to privileged

inSider threat - Bitpipedocs.media.bitpipe.com/.../item_465972/Insider-Threat-Report-2015.pdf · share the insider threat spotlight report 8 Privileged users, such as managers with

inSider threat - Bitpipedocs.media.bitpipe.com/.../item_465972/Insider-Threat-Report-2015.pdf · share the insider threat spotlight report 8 Privileged users, such as managers with

Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

Pre-Con Ed: Privileged Identity Governance: Are You Certifying Privileged User Access?

PRIVILEGED COMMUNICATION AND PRIVILEGED DOCUMENTS - Law …redengine.lawsociety.sk.ca/inmagicgenie/documentfolder/AC0635.pdf · PRIVILEGED COMMUNICATION AND PRIVILEGED DOCUMENTS "SPECIAL

PRIVILEGED COMMUNICATION AND PRIVILEGED DOCUMENTS - Law …redengine.lawsociety.sk.ca/inmagicgenie/documentfolder/AC0635.pdf · PRIVILEGED COMMUNICATION AND PRIVILEGED DOCUMENTS "SPECIAL

INSIDER THREAT€¦ · research product designs) (HR) / e a % (Network, infrastructure controls) Confidential business information Privileged account information Sensitive personal

INSIDER THREAT€¦ · research product designs) (HR) / e a % (Network, infrastructure controls) Confidential business information Privileged account information Sensitive personal

Confidentiality & Privileged Communication

Confidentiality & Privileged Communication

Privileged Piety

Privileged Piety

BeyondTrust Privileged Remote Access Integration with … · 2020-04-07 · BeyondTrust Privileged Remote Access Integration with Privileged Identity Author: BeyondTrust Technical

BeyondTrust Privileged Remote Access Integration with … · 2020-04-07 · BeyondTrust Privileged Remote Access Integration with Privileged Identity Author: BeyondTrust Technical

Securing Your Organization with Cloud-based Privileged ... · importantly, privileged accounts. Denying attackers privileged access into the network provides a critical safeguard

Securing Your Organization with Cloud-based Privileged ... · importantly, privileged accounts. Denying attackers privileged access into the network provides a critical safeguard

Privileged session management

Privileged session management

Privileged Docs

Privileged Docs

Privileged Access Management

Privileged Access Management

BeyondTrust and TAG Company Srl - brain-it.it · 3. 2018 Forrester Wave: Privileged Identity Management 4. 2018 Privileged Access Threat Report, BeyondTrust 28% of breaches involve

BeyondTrust and TAG Company Srl - brain-it.it · 3. 2018 Forrester Wave: Privileged Identity Management 4. 2018 Privileged Access Threat Report, BeyondTrust 28% of breaches involve

Request for Proposal 3101 For Procurement of Privileged ... · privileged access management solutions sometimes synonymously referred as ^privileged account management and privileged

Request for Proposal 3101 For Procurement of Privileged ... · privileged access management solutions sometimes synonymously referred as ^privileged account management and privileged

Our Privileged Customers

Our Privileged Customers

DISCLAIMER: THESE SLIDES ARE ORIGINALLY PRESENTED IN …€¦ · Encryption Software Threat Intelligence Software Privileged Access Management Software Tokenization Software 46.2%

DISCLAIMER: THESE SLIDES ARE ORIGINALLY PRESENTED IN …€¦ · Encryption Software Threat Intelligence Software Privileged Access Management Software Tokenization Software 46.2%

Poor, but Privileged

Poor, but Privileged

inSider threat - PAE · SHARE THE INSIDER THREAT SPOTLIGHT REPORT 4 KeY SURVeY FINDINGS Privileged users, such as managers with access to sensitive information, pose the biggest insider

inSider threat - PAE · SHARE THE INSIDER THREAT SPOTLIGHT REPORT 4 KeY SURVeY FINDINGS Privileged users, such as managers with access to sensitive information, pose the biggest insider