CA World® ’16
TechTalk: Threat Analytics for Privileged Access Management
Shawn Croswell, Principal Consultant, Cybersecurity, CA Technologies
SCT05T
SECURITY
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
For Informational Purposes Only: Terms of this Presentation
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Agenda
1. Minding the Gap
2. Threat Analytics for CA Privileged Access Manager (CA PAM)
3. Augmenting PAM Data
4. Deploying Threat Analytics for PAM
5. Use Cases
Meaningful Gaps: Enterprise Defenses Are Static
Static controls (diagram labels):
• Provisioning: provide new users with access to resources
• Authentication: validate identity when access is requested
• Privileged Access: limit admin and system control access
• Identity & Access Management: manage and report on access provided
Threats that fall into the gap (diagram labels, alongside AWS, SIEM and IDS):
• Compromised accounts
• Privileged access and insiders
• Untrusted endpoints
Enterprise security solutions don't adapt based on behavior: how data is accessed, used or misused. Bad guys exploit this gap to their advantage.
CA Threat Analytics Fills the Security Gap: Enabling Privileged Access Management With Analytics
CA Technologies is a market leader in providing data-science-based fraud analytics to banks. The same approach is used in credit card security.
Analytics enable security:
• Continuous behavior monitoring of how valuable assets are accessed and used
• Mathematical models of individual entities detect behavior variations
• Automated triggering of adaptive controls to mitigate risk and limit damage
• Provide insight into risk, past activities and system operations
CA Threat Analytics for CA Privileged Access Manager (CA PAM): Complex Analytic Capabilities Delivered in an Easy-to-deploy, Easy-to-use Solution
Pipeline stages (diagram): Raw data; Advanced analytics; Entity-relationship mapping; Intuitive risk decisions & automated mitigations
• Focus on domain-specific contextual data; for PAM, initially authentication & connection events
• Future integration with other CA products (and their contextual data) enables effortless and accurate access to event data
• System extracts critical information about activities and environment: locations, system access, devices, sensitivity
• Behavior captured and modeled for fast evaluation
• Changes in model are evaluated to detect risk and malicious activity
• Trigger automated controls to mitigate risk:
  -- Start a session recording
  -- Force a re-authentication
• Generate actionable alerts
• Enable context-rich reporting
CA Threat Analytics for PAM: Super-Charging PAM! Domain-specific Analytics to Defend Against Real-World Attacks
Detect:
• Compromised identity: identities compromised by attacks that include phishing, weak passwords, malware, compromised devices, man-in-the-middle
• High-risk insider activity & threat: authorized user actions that pose serious risks, from contractors, partners, policy violators, disgruntled and departing employees
• Insight and incident response support: blind spots in how systems are used; need quick responses to incidents and SOC inquiries, i.e. identify users and risky activity associated with IPs, devices, data assets
Mitigate:
• Automatically trigger mitigations: automated session recording; re-authentication
• Alerting
• Reporting and insight into system use and risk
Results: breach prevention; operational insights; improved compliance
Simple to Deploy; Quick Time to Value
A different approach:
✓ PAM-specific analytics and capabilities, not a generic toolkit or tool that requires $ and time to deploy
✓ Enterprise immediately has new detection capabilities, controls and insights
✓ Complements SIEM and big data analytic efforts by providing PAM domain-specific analytic insights and correlations
Deployment (diagram: CA Threat Analytics for PAM alongside CA Privileged Access Manager):
1. Deployment requires the installation of a single virtual machine. (All data and components are fully under your control.)
2. System automatically accesses and begins analyzing PAM user activities.
3. Customer accesses new insights and risk capabilities via PAM.
Demo: Overseas Contractor Use Case: Insider Threat Detection and Mitigation
Scenario (diagram: overseas contractors → CA Privileged Access Manager → CA Threat Analytics for PAM; PCI systems):
• Activity continuously monitored in background
• High-risk session behavior is detected
• Session recording automatically initiated
• Incident report for compliance officer or SOC
Continuous monitoring and analysis of access enables the system to:
• Monitor access for all users, including Bangalore-based contractors authorized to use shared database and server accounts
• Identify highly unusual session activities of an individual overseas developer that include:
  -- Unusual session activities and lengths based on the individual and other enterprise users
  -- Access to a large number of sensitive systems, many for the first time
  -- Remote Desktop Protocol access to a high-risk PCI server
This behavior poses high risk and is not consistent with past actions of the user or the enterprise.
• CA Threat Analytics for PAM automatically triggers session recording for review
• Admin generates incident report for compliance officer/SOC
Result: Successful detection and quick mitigation of insider threat
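As an added example (not CA's code, and not how CA Threat Analytics for PAM is implemented), the contractor scenario above reduced to a small baseline-and-score routine in Python: a per-user profile is built from constructed historical sessions, a new session is scored on first-time system access, session-length deviation and RDP to a PCI-tagged server, and a high score returns the mitigations the slide names. The session data, the sensitivity tags and the scoring weights are all assumptions.

```python
from statistics import mean, pstdev

# Constructed historical PAM sessions for one contractor account (not real data).
HISTORY = [
    {"user": "dev01", "minutes": 35, "targets": [("db-dev-01", "SSH")]},
    {"user": "dev01", "minutes": 40, "targets": [("db-dev-02", "SSH")]},
    {"user": "dev01", "minutes": 30, "targets": [("db-dev-01", "SSH")]},
    {"user": "dev01", "minutes": 45, "targets": [("app-dev-01", "SSH"), ("db-dev-01", "SSH")]},
]
# Hypothetical sensitivity tags for target systems (assumed, not from the deck).
SENSITIVITY = {"pci-db-01": "PCI", "pci-app-01": "PCI"}


def build_profile(sessions, user):
    """Baseline for one user: systems used before and typical session length."""
    own = [s for s in sessions if s["user"] == user]
    minutes = [s["minutes"] for s in own]
    return {
        "systems": {t for s in own for t, _ in s["targets"]},
        "mean": mean(minutes),
        "stdev": pstdev(minutes) or 1.0,  # guard against a constant history
    }


def score_session(profile, session):
    """Score a new session against the profile; returns (score, reasons)."""
    score, reasons = 0, []
    new_systems = {t for t, _ in session["targets"]} - profile["systems"]
    if len(new_systems) >= 3:  # many systems touched for the first time
        score += 30
        reasons.append(f"{len(new_systems)} systems accessed for the first time")
    z = (session["minutes"] - profile["mean"]) / profile["stdev"]
    if z > 3:  # session far longer than this user's own history
        score += 30
        reasons.append(f"session length z-score {z:.1f}")
    for target, proto in session["targets"]:
        if proto == "RDP" and SENSITIVITY.get(target) == "PCI":
            score += 40
            reasons.append(f"RDP to PCI system {target}")
    return score, reasons


def mitigations(score, threshold=60):
    """Controls the deck describes: recording plus an alert once risk is high."""
    return ["start_session_recording", "alert_soc"] if score >= threshold else []
```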
Demo: Incident Response Use Case
The Enterprise SOC is investigating a high-priority incident and wants to know: "What information can the PAM Admin provide to assist?"
Using the IP address provided by the SOC, the PAM admin can search BA for PAM and quickly:
- Identify all users associated with the IP address
- Inspect access and activities of the most suspicious user
- Provide the IR team with the identity of the suspicious user
- Navigate to the Insight page to get all dormant accounts to provide to the IR team
CA Threat Analytics for PAM's ability to correlate access activity, IP addresses, sessions, and risk provides immediate value to investigations.
PAM Admin Closes the Door on Attackers:
• To mitigate future attacks, the PAM admin adds the suspicious IP address as threat intelligence to BA for PAM. Future activity is then automatically detected and analyzed.
• The PAM admin configures TA for PAM to send automated alerts to the SIEM when any activity related to a suspicious IP is detected.
Result: CA Threat Analytics for PAM provides immediate value to incident response efforts and closes the door on future attacks
Diagram: IR Team ("Can you help… attack from 193.105.219.210?!") → CA PAM / CA Threat Analytics for PAM (activity continuously monitored; threat intel used by analytics; threat intelligence used by TA to proactively address future threats) → immediate insight regarding users, activity, risk, etc.; automated alerts to SIEM/SOC
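The incident-response steps above, as an added example in Python that is not CA's code: constructed PAM connection events are searched by source IP (using the address quoted on the slide), the most active user's activity is listed for the IR team, dormant accounts are found from last-seen times, and a watchlist of suspicious IPs produces alert records that could be forwarded to a SIEM. The events, the 60-day dormancy window and the alert format are assumptions.

```python
from datetime import datetime, timedelta

# Constructed PAM connection events (not real data): who connected from where, to what, when.
EVENTS = [
    {"user": "alice", "src_ip": "10.1.1.20", "target": "web-01", "time": "2016-11-10T09:05:00"},
    {"user": "svc-backup", "src_ip": "10.1.1.21", "target": "db-01", "time": "2016-08-01T02:00:00"},
    {"user": "bob", "src_ip": "193.105.219.210", "target": "db-01", "time": "2016-11-14T03:12:00"},
    {"user": "bob", "src_ip": "193.105.219.210", "target": "pci-db-01", "time": "2016-11-14T03:40:00"},
    {"user": "alice", "src_ip": "193.105.219.210", "target": "web-01", "time": "2016-11-13T22:10:00"},
    {"user": "bob", "src_ip": "10.1.1.22", "target": "db-01", "time": "2016-11-12T10:00:00"},
]
NOW = datetime(2016, 11, 15)  # assumed "current" time for the dormancy check
# Threat-intel watchlist the PAM admin maintains (constructed; IP is the one on the slide).
WATCHLIST = {"193.105.219.210"}


def parse(e):
    return datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%S")


def users_for_ip(events, ip):
    """Step 1: every user seen from the IP, with connection counts, most active first."""
    counts = {}
    for e in events:
        if e["src_ip"] == ip:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


def activity_for_user(events, user):
    """Step 2: (source IP, target, time) for the user, oldest first, for the IR hand-off."""
    own = sorted((e for e in events if e["user"] == user), key=parse)
    return [(e["src_ip"], e["target"], e["time"]) for e in own]


def dormant_accounts(events, now, days=60):
    """Step 4: accounts with no PAM activity inside the look-back window."""
    last_seen = {}
    for e in events:
        last_seen[e["user"]] = max(last_seen.get(e["user"], datetime.min), parse(e))
    return sorted(u for u, t in last_seen.items() if now - t > timedelta(days=days))


def watchlist_alerts(events, watchlist):
    """Follow-up: one alert record (e.g. for a SIEM) per event from a watchlisted IP."""
    return [{"alert": "watchlisted_ip", "user": e["user"], "src_ip": e["src_ip"],
             "target": e["target"], "time": e["time"]}
            for e in events if e["src_ip"] in watchlist]
```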
Analytics and Intelligent Controls
CA Threat Analytics for PAM:
• Offers an add-on that supercharges existing CA Privileged Access Manager capabilities
• Enables automated detection, mitigation and alerting for critical threats
• Easy deployment: deploys as a single virtual machine; no special skills or significant effort required
• Quick to provide value: immediately delivers a compelling user experience with human-understandable risk and insights
Solution summary (Advanced Analytics and Automated Mitigation):
• Automatically establishes normal operating profiles for users and the enterprise based on observed behavior
• Uses historic and real-time activity to assess context and analyze risk
• Provides meaningful insight regarding user and system activities
• Triggers risk mitigations and controls, including triggering session recording
Summary
CA Threat Analytics for PAM:
• Extends and supercharges existing CA Privileged Access Manager capabilities by enabling automated detection, mitigation and alerting for critical threats. Provides customizations that customers can adjust to meet the unique needs of each organization.
• Delivers an easy-to-deploy, add-on capability as a single virtual machine and requires no special skills or effort to get up and running.
• Provides value by immediately delivering a compelling user experience with human-understandable risk and insights.
Don't Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
We want to hear from you!
• IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.
• ITCS staff will be at most sessions. If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
• Only takes 5-7 mins
• You have total control over the review
• It can be anonymous, if required