Most data breaches are due to the misuse of privileged credentials. We invite you to learn about CyberArk's approach in this presentation by Carolina Bozza.
Carolina will be one of the presenters at our event "EL ATAQUE INTERNO" (The Insider Attack), next May 6. The registration link is:
https://eventioz.com.ar/e/el-ataque-interno?utm_source=eventioz&utm_medium=emailtrans&utm_campaign=ez_invite_recipient&utm_content=button_cta&source=orevem
We look forward to seeing you!
Slide 5: Privileged Accounts Create a Huge Attack Surface
[Diagram: privileged accounts held by System Administrators, 3rd Party & Service Providers, Select Business Users, Social Networking Account Managers, and Applications]
• Privileged accounts exist in every connected device, database, application, industrial controller and more!
• Typically a ~3X ratio of privileged accounts to employees
Slide 6: Layers of Security in the Digital Vault
[Diagram: Vault Safes at the centre, surrounded by layers: Tamper-Proof Auditability, Comprehensive Monitoring, Segregation of Duties, Firewall, Authentication, Hierarchical Encryption, Session Encryption]
Slide 11: On-Demand Privileges Manager (OPM)
[Diagram: End Users request elevation through the On-Demand Privileges Manager to Target Resources (Unix, Linux, Windows Server, Windows PC OS)]
1. Elevated privilege request sent
2. Authenticate user
3. Validate policy
4. One-time access granted
Limit User Privileges:
• Standard privileges
• Permitted elevated privileges
• Blocked privileges
Slide 12: Privileged Threat Analytics
[Diagram: Login Data and Target System Data (from SIEM Solutions) feed Behavioral Analysis, which classifies activity as Normal or Abnormal; an ALERT is sent to SIEM & CyberArk]
GOALS:
• Find the signal in the noise.
• Enable the SOC to instantly locate the most serious alerts.
Behavioral Analysis: Self-learning statistical model based on a combination of patented algorithms, login data, and target system data gathered from inbound SIEM integrations.
So as we talk about the new battleground for cyber attacks being inside your network, let’s look at today’s attacks.
First, regardless of whether the attack starts on the outside or the inside, the attackers ultimately have to become an insider.
As we mentioned before, over 90% of orgs have already experienced a perimeter breach…
and with the rapid advancement of malware and phishing techniques, it has become easier than ever to breach the perimeter.
So perimeter defenses alone simply cannot stand up to attackers. The battle to defend your systems, your data and your company HAS TO happen on the inside.
And this is because once breached, what does the attacker do?…(CLICK SLIDE)
- They work from the inside...and
- Look for access to an account….preferably a privileged account
- and then Leverage those credentials to escalate their privileges…
- to be able to see more in the network…
- access more on the network…
- and move around more freely on the network
- At that point they do their reconnaissance to see how best to get to their target
- They Move laterally in order to get into better position..
- and/or further escalate their privileges
- And so on and so on until…
- they are able to get to their target
- complete the attack
- and then exfiltrate the data (CLICK SLIDE)
So protecting the perimeter from breach is no longer an effective security strategy….
- Today’s strategies must move inside the organization….and essentially assume that the attacker is already inside.
Who are your privileged users and what credentials do they have?
A privileged user is any user that has the capability to change, alter or impact the operational service of a business process. So, in any organization, this includes not only system administrators, but some people you may not consider privileged users today. Think about some of your business users and even social networking account managers. Do they have access privileges to impact important business processes?
Typically, the number of privileged accounts in an organization is three times the number of employees. Think about this – how many desktops do you have, servers, databases, network devices, pieces of infrastructure…?
The CyberArk Digital Vault was built from the ground up with security in mind. The Digital Vault includes seven layers of security to ensure the highest levels of protection for your most sensitive credentials, files, and audit logs.
The vault includes:
Layered encryption to protect data in storage and at rest
A built in firewall to ensure that only authorized traffic is able to access the vault
Integration with a variety of strong authentication methods to assure the identity of your users
Segregation of duties to ensure that privileged credentials can only be accessed by authorized users for approved business reasons
Comprehensive monitoring to rapidly detect system issues and security events
Enterprise Password Vault (EPV) enables organizations to secure, manage and track the use of privileged passwords whether on-premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices and more.
EPV leverages the secure Digital Vault to securely store and proactively rotate privileged account passwords in accordance with policies. Let’s see how this works in practice:
When a privileged user wants to access an enterprise resource, be it on-prem or in the cloud, he must first retrieve the password from CyberArk.
The user must authenticate to CyberArk before he is able to access passwords. To ensure the user is, in fact, the true user, CyberArk supports a variety of authentication methods, including LDAP, RADIUS, RSA SecurID, SSO, and more.
Once the user is in, he will be able to see a list of all the privileged accounts to which he has access. Note here, the user will not be able to see any accounts that he is not entitled to. From a security perspective, this reduces the risk of targeted attacks against specific systems, as the user cannot know what other systems exist within the infrastructure.
From here, the user will select the account he is trying to access. At that point, EPV will retrieve the password and either send it directly to the target system and open a privileged session, or the user will have the option to view the password and use it to open the session manually.
Through this architecture, EPV enables organizations to control access to critical systems, monitor privileged account activity, and automatically rotate passwords at a regular cadence – anywhere from after each login to every few months.
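The checkout flow just described, as an added example that is not CyberArk's code: a small vault model in which a user must authenticate, sees only the accounts he is entitled to, and triggers rotation either after each checkout or on a schedule. The class and method names, the user "alice", the account names and the secrets are all constructed for this illustration.

```python
"""Toy model of a vault checkout flow with entitlement filtering and password
rotation. Added illustration only; not CyberArk code. All names are invented."""
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits


def new_password(length: int = 24) -> str:
    """Generate a random password with a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Account:
    name: str
    password: str
    last_rotated: datetime
    rotate_after_use: bool = False           # policy: new password after each checkout
    max_age: timedelta = timedelta(days=90)  # policy: scheduled rotation


class Vault:
    """Stores accounts, vault logins and entitlements; every decision is audited."""

    def __init__(self, clock=None):
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._accounts: dict[str, Account] = {}
        self._logins: dict[str, str] = {}          # vault user -> login secret (toy)
        self._entitlements: dict[str, set[str]] = {}
        self._tokens: dict[str, str] = {}          # session token -> vault user
        self.audit: list[tuple] = []

    def add_user(self, user: str, secret: str) -> None:
        self._logins[user] = secret
        self._entitlements.setdefault(user, set())

    def add_account(self, account: Account) -> None:
        self._accounts[account.name] = account

    def grant(self, user: str, account_name: str) -> None:
        self._entitlements[user].add(account_name)

    def authenticate(self, user: str, secret: str) -> str:
        """Return a session token; constant-time compare avoids a timing oracle."""
        expected = self._logins.get(user, "")
        if not expected or not hmac.compare_digest(expected, secret):
            self.audit.append(("auth_failed", user))
            raise PermissionError("authentication failed")
        token = secrets.token_hex(16)
        self._tokens[token] = user
        self.audit.append(("auth_ok", user))
        return token

    def _user(self, token: str) -> str:
        try:
            return self._tokens[token]
        except KeyError:
            raise PermissionError("invalid session") from None

    def list_accounts(self, token: str) -> list[str]:
        """Only entitled accounts are listed; the rest are invisible, not just denied."""
        return sorted(self._entitlements[self._user(token)])

    def checkout(self, token: str, account_name: str) -> str:
        user = self._user(token)
        if account_name not in self._entitlements[user]:
            self.audit.append(("denied", user, account_name))
            raise PermissionError("not entitled to " + account_name)
        account = self._accounts[account_name]
        password = account.password
        self.audit.append(("checkout", user, account_name))
        if account.rotate_after_use:
            self._rotate(account)   # the password just released is now single-use
        return password

    def rotate_due(self) -> list[str]:
        """Scheduled rotation: every account older than its max_age gets a new password."""
        now = self._clock()
        due = [a.name for a in self._accounts.values() if now - a.last_rotated >= a.max_age]
        for name in due:
            self._rotate(self._accounts[name])
        return due

    def _rotate(self, account: Account) -> None:
        account.password = new_password()
        account.last_rotated = self._clock()
        self.audit.append(("rotated", account.name))


def build_demo_vault() -> Vault:
    """Constructed sample data: one user entitled to one of two accounts."""
    created = datetime(2014, 1, 1, tzinfo=timezone.utc)
    vault = Vault(clock=lambda: datetime(2014, 5, 6, tzinfo=timezone.utc))  # fixed 'now'
    vault.add_user("alice", "alice-vault-login")                             # constructed
    vault.add_account(Account("db-prod/root", "initial-pw-1", created, rotate_after_use=True))
    vault.add_account(Account("dc01/Administrator", "initial-pw-2", created))
    vault.grant("alice", "db-prod/root")
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    tok = v.authenticate("alice", "alice-vault-login")
    print(v.list_accounts(tok))              # only the entitled account is visible
    print(v.checkout(tok, "db-prod/root"))   # released, then rotated in the vault
    print(v.rotate_due())                    # dc01 is four months old, so it rotates
    print(v.audit)
```

The two rotation policies map to the cadence the talk mentions: `rotate_after_use` is the "after each login" end of the range and `max_age` the "every few months" end. The audit list is what a real vault would write to its tamper-proof log.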
SSH Key Manager enables organizations to secure, manage and track the use of privileged SSH keys for Unix and Linux systems.
Similar to Enterprise Password Vault, SSH Key Manager leverages CyberArk’s Digital Vault infrastructure to securely store, proactively rotate and control access to SSH keys used by privileged users and applications to remotely access Unix and Linux systems.
From the key rotation perspective, SSH Key Manager automatically rotates SSH key pairs, saves the private key to the Digital Vault, and distributes the public key to the target system.
From the user experience perspective, just as in EPV, a user will authenticate to PVWA and select the appropriate account to access.
At that point, CyberArk will call the Vault for the correct private key and then provide the key to the user. The user may use the SSH Client of his or her choice to initiate the remote session.
Before authenticating the user, the target will ensure the public and private keys are a match. If the keys match, the user will be authenticated to the remote session.
SSH Key Manager leverages the secure Digital Vault to securely store and proactively rotate SSH key pairs in accordance with policies. Let’s see how this works in practice:
When a privileged user wants to access an enterprise resource, be it on-prem or in the cloud, he must first retrieve the private key from CyberArk.
Just as in EPV, the user must authenticate to CyberArk before he is able to access the private key.
Once the user is in, he will be able to see a list of all the privileged accounts to which he has access.
From here, the user will select the account he is trying to access. At that point, SSH Key Manager will retrieve the private key.
Privileged Session Manager provides full forensic audit capabilities for both security and compliance purposes. PSM isolates, controls and monitors privileged user access and activities for your critical systems, and offers a fully searchable record of those activities. Let’s take a closer look at PSM:
Much like EPV, before initiating a privileged session, the user will first log in to CyberArk.
The user will then select the system he needs to access, and select “secure connect”.
Much like EPV, when the user chooses to securely connect, CyberArk will retrieve the system password and authenticate the user.
BUT, something a little different will happen. The user will not be directly connected to the target system.
Instead, the user will be connected to the target system via a secure jump server. This jump server serves to isolate the user from the target to prevent the potential spread of malware from the user endpoint to the critical system.
PSM monitors and records all privileged session activity that is directed through the jump server, and provides both video recordings and detailed audit trails of this information.
The recordings and audit trail are then sent back to the secure Digital Vault, which is only accessible by a limited number of CyberArk admins. As a result, malicious users using privileged credentials are unable to hide their steps: their activities are all recorded and saved in the tamper-proof vault.
While this CyberArk interface login is the typical login process for Windows users, PSM also enables UNIX/Linux users to conduct this entire flow (authentication to CyberArk, authentication to the target system, and session monitoring) via the native command line. For UNIX/Linux users, PSM leverages an SSH proxy server as the secure jump server to streamline the user experience while still protecting access to the target and enforcing session monitoring.
Application Identity Manager eliminates the use of hard-coded, embedded passwords in applications and replaces them with dynamic passwords that can be stored and rotated in the password vault. Because many applications use embedded, hard-coded passwords, the passwords can easily be sniffed by attackers and used to compromise critical systems. Several regulatory bodies have started to catch up with this risk and require that organizations eliminate the use of static hard-coded credentials. To strengthen security and comply with regulations, organizations should address the challenge of static, hard-coded credentials. Let’s look at how AIM can help:
In this scenario, instead of users accessing enterprise resources, applications need to access them.
In the past, this authentication process typically would have happened through a hard-coded script that includes the username, password, and host IP address. For an attacker on the inside who can see this traffic, this information is gold. With the credentials exposed, the attacker now has unfettered access to critical systems.
So how can we fix this? Instead of coding in credentials, there is a far more secure way to enable this communication.
Let’s think back to EPV, where we secured and rotated passwords in accordance with policies. We can leverage the same vaulting technology to protect application credentials.
Instead of hard-coding passwords, organizations can modify the scripts to call the Vault for the username, password, and host IP. Before providing any of this information, the Vault must authenticate the application using advanced authentication methods, including IP address, OS user, run-time signature and more.
Once the application is authenticated to the Vault, the Vault retrieves the target password and authenticates the application to the target resource, establishing the app-to-app connection.
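The before/after contrast above, as an added example that is not CyberArk's AIM API: the hard-coded script pattern next to a toy vault that releases an application's credential only after checking the three application attributes the talk names (source IP, OS user, and a run-time signature, here modelled as a SHA-256 of the requesting executable). The class names, the "report-job" application, the IPs, users and secrets are all constructed for this illustration.

```python
"""Hard-coded application credential versus a vault-fetched one. Added illustration,
not CyberArk code; all identifiers, addresses and secrets below are constructed."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass

# --- Before: the pattern the talk describes (constructed placeholders, deliberately bad) ---
LEGACY_DB_USER = "app_svc"
LEGACY_DB_PASSWORD = "PLACEHOLDER-hardcoded-secret"   # lives in the script forever
LEGACY_DB_HOST = "10.0.0.5"


def legacy_connection_string() -> str:
    # Anyone who can read this file, or the traffic it produces, has the credential.
    return f"{LEGACY_DB_USER}:{LEGACY_DB_PASSWORD}@{LEGACY_DB_HOST}"


# --- After: the application authenticates to a vault and fetches the credential at run time ---
def file_sha256(path: str) -> str:
    """Run-time signature: hash of the executable that is asking for the credential."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class AppIdentity:
    app_id: str
    allowed_ips: frozenset
    allowed_os_users: frozenset
    binary_sha256: str


class ApplicationVault:
    def __init__(self):
        self._identities = {}    # app_id -> AppIdentity
        self._credentials = {}   # app_id -> (username, password, host)
        self.audit = []

    def register(self, identity: AppIdentity, username: str, password: str, host: str) -> None:
        self._identities[identity.app_id] = identity
        self._credentials[identity.app_id] = (username, password, host)

    def fetch(self, app_id: str, source_ip: str, os_user: str, binary_path: str) -> tuple:
        """Release the credential only if every identity attribute matches."""
        ident = self._identities.get(app_id)
        if ident is None:
            self.audit.append(("unknown_app", app_id))
            raise PermissionError("unknown application")
        checks = {
            "ip": source_ip in ident.allowed_ips,
            "os_user": os_user in ident.allowed_os_users,
            "signature": hmac.compare_digest(file_sha256(binary_path), ident.binary_sha256),
        }
        failed = tuple(name for name, ok in checks.items() if not ok)
        if failed:
            self.audit.append(("denied", app_id, source_ip, os_user, failed))
            raise PermissionError(f"{app_id}: failed checks {failed}")
        self.audit.append(("released", app_id, source_ip, os_user))
        return self._credentials[app_id]


def demo() -> dict:
    """Constructed scenario: one legitimate fetch, then three that must be refused."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "report-job.py")
        with open(app, "wb") as f:
            f.write(b"print('nightly report')\n")
        tampered = os.path.join(d, "report-job-tampered.py")
        with open(tampered, "wb") as f:
            f.write(b"print('nightly report')\nimport os  # modified binary\n")

        vault = ApplicationVault()
        vault.register(
            AppIdentity("report-job", frozenset({"10.0.1.20"}), frozenset({"reportsvc"}),
                        file_sha256(app)),
            "app_svc", "vaulted-secret-rotated-by-policy", "10.0.0.5")

        results["ok"] = vault.fetch("report-job", "10.0.1.20", "reportsvc", app)
        attempts = {
            "wrong_ip": ("report-job", "10.0.9.9", "reportsvc", app),
            "wrong_user": ("report-job", "10.0.1.20", "root", app),
            "tampered": ("report-job", "10.0.1.20", "reportsvc", tampered),
        }
        for label, args in attempts.items():
            try:
                vault.fetch(*args)
                results[label] = "released"
            except PermissionError:
                results[label] = "denied"
        results["audit"] = list(vault.audit)
    return results


if __name__ == "__main__":
    print(legacy_connection_string())   # the secret is right there in the script
    print(demo())
```

The point of the three failed attempts is that each identity attribute is checked independently and the denial is logged with the reason, so an application that is moved to another host, run as a different OS user, or modified on disk stops receiving the credential without anyone having to change the script.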
On-Demand Privileges Manager dramatically reduces the usage of privileged rights within an enterprise and enforces 'least privilege' policies for administrative rights. In typical environments, users either have highly restricted permissions or full administrative permissions; there is not much in between. OPM changes that. By enforcing a “least privileges” model, users can gain the standard permissions needed to easily do their everyday jobs and escalate permissions on demand when required for a business purpose. However, even with elevated privileges, these users will not be “all powerful.” Let’s look at how it works.
Organizations will first decide what privileges are always allowed, which may be allowed on an on-demand, one-time basis, and which will always be blocked. These policy rules will be written in CyberArk and stored in the Digital Vault.
When a user is working in a Unix, Linux or Windows system, he may need to elevate for a specific business purpose. To elevate privileges, the user will enter a command to request elevated privileges, and enter his CyberArk password.
That request, along with the password, will be sent to the Vault.
First, the Vault will authenticate the user to ensure this is the correct person requesting elevated access.
Once the user is authenticated, CyberArk will check the user against approved policies and verify whether or not this on-demand escalation of privileges is allowed. If it’s not, the command will be prohibited.
However, if this is permitted by policy, CyberArk will grant the user one-time, on-demand escalated privileges to complete the task at hand. With these escalated privileges come increased controls.
As soon as OPM grants the request for elevated privileges, CyberArk will begin monitoring and recording the session. To deter the abuse of these elevated privileges, CyberArk will also notify the user that the session is being monitored and recorded. Just like PSM, the session recording and audit logs will be sent back to the secure Digital Vault to prevent users from being able to edit or delete any of their session activity.
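The four-step OPM flow above (request with password, authenticate, validate policy, one-time grant with monitoring), as an added example that is not CyberArk's OPM: a toy elevation broker with the three policy buckets the talk describes, a default-deny fallback, single-use grants, and the monitoring notice. The `Policy`, `Grant` and `ElevationBroker` names, the command patterns, the user "alice" and her login secret are constructed for this illustration.

```python
"""Toy least-privilege elevation broker. Added illustration, not CyberArk code;
policy patterns, users, secrets and the audit format are all constructed."""
import fnmatch
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Policy:
    """Three buckets, checked in order so that a blocked pattern always wins."""
    blocked: tuple     # never allowed, even with elevation
    on_demand: tuple   # allowed once per authenticated request, session monitored
    standard: tuple    # the user's everyday permissions, no elevation needed

    def classify(self, command: str) -> str:
        for bucket, patterns in (("blocked", self.blocked),
                                 ("on_demand", self.on_demand),
                                 ("standard", self.standard)):
            if any(fnmatch.fnmatch(command, p) for p in patterns):
                return bucket
        return "blocked"   # anything the policy does not mention is denied


@dataclass
class Grant:
    user: str
    command: str
    token: str
    monitored: bool = True
    used: bool = False


class ElevationBroker:
    def __init__(self, policies: dict, logins: dict):
        self._policies = policies   # user -> Policy (what the Vault would store)
        self._logins = logins       # user -> CyberArk-style login secret (toy)
        self._grants = {}
        self.recordings = []        # session recordings "sent back to the vault"
        self.audit = []

    def request(self, user: str, secret: str, command: str) -> Grant:
        # Steps 1 and 2: the request carries the password; authenticate before anything else.
        expected = self._logins.get(user, "")
        if not expected or not hmac.compare_digest(expected, secret):
            self.audit.append(("auth_failed", user, command))
            raise PermissionError("authentication failed")
        # Step 3: validate the command against the user's policy.
        bucket = self._policies[user].classify(command)
        self.audit.append(("policy", user, command, bucket))
        if bucket == "blocked":
            raise PermissionError(f"{command!r} is prohibited by policy")
        # Step 4: a one-time grant; on-demand elevation is monitored, standard work is not.
        grant = Grant(user, command, secrets.token_hex(8), monitored=(bucket == "on_demand"))
        self._grants[grant.token] = grant
        return grant

    def notice(self, grant: Grant) -> str:
        """What the user is shown when an elevated session starts."""
        return ("NOTICE: this elevated session is being monitored and recorded"
                if grant.monitored else "")

    def execute(self, grant: Grant) -> str:
        """Consume the grant; presenting the same token twice is refused."""
        if grant.used or grant.token not in self._grants:
            self.audit.append(("replay_refused", grant.user, grant.command))
            raise PermissionError("grant already used")
        grant.used = True
        del self._grants[grant.token]
        if grant.monitored:
            self.recordings.append((grant.user, grant.command))
        self.audit.append(("executed", grant.user, grant.command))
        return ("ran as elevated: " if grant.monitored else "ran: ") + grant.command


def build_demo_broker() -> ElevationBroker:
    """Constructed policy for one user; patterns use shell-style globbing."""
    policy = Policy(
        blocked=("passwd root", "visudo*", "rm -rf /*"),
        on_demand=("systemctl restart httpd", "tail -n * /var/log/secure"),
        standard=("ls *", "cat /var/www/*"),
    )
    return ElevationBroker({"alice": policy}, {"alice": "alice-cyberark-pw"})


if __name__ == "__main__":
    broker = build_demo_broker()
    g = broker.request("alice", "alice-cyberark-pw", "systemctl restart httpd")
    print(broker.notice(g))
    print(broker.execute(g))
    print(broker.recordings, broker.audit)
```

Two details carry the least-privilege point: `classify` falls through to "blocked", so a command the policy never mentions is not silently allowed, and `execute` deletes the grant, so the elevated privilege really is one-time rather than a persistent role change.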
Our most recent innovation, Privileged Threat Analytics, was introduced at the end of 2013, and offers real-time analysis of privileged user behavior to detect anomalies. By layering in behavioral analytics, PTA is able to provide targeted, immediately actionable threat alerts by identifying previously undetectable malicious privileged user activity. When combined with a SIEM solution, PTA can help organizations decrease their number of false positive alerts and rapidly identify the most critical incidents. The PTA workflow occurs entirely behind the scenes, transparent to the user, and begins when a user accesses a privileged credential in the vault.
Once a user logs in to CyberArk and selects an account to access, PTA kicks in. The Vault will send details of the login access attempt to PTA, and PTA will analyze this access attempt against what’s known to be normal for this user.
PTA will also analyze data about the target system, which is retrieved thanks to an inbound integration with the leading SIEM vendor. PTA will look at what’s happening on the target system and analyze if the system is behaving in a way that’s known to be normal.
What’s unique about PTA is that it is not a rules-based engine. Instead, it is a dynamic risk analysis engine that is self-learning and can adapt to changing user and system behavior over time. This self-learning statistical model is based on a combination of CyberArk-patented algorithms, historical user and system behavior, and current user and system behavior.
PTA will analyze this combination of data and then determine if the access is normal
Or if it’s abnormal
If the attempt is abnormal, PTA will automatically send an alert to both the CyberArk administrative console and back to the SIEM, leveraging a two-way integration.
The primary goals of this analysis and the two-way integration with SIEM solutions are, first, to find the signal in the noise: dynamically and automatically find the anomalies amongst all the other privileged account activity. And second, to enable the SOC team to instantly locate the most serious alerts. Privileged accounts provide access to the keys to the kingdom, so a privileged account alert is typically far more urgent than an endpoint malware alert. By sending PTA alerts back to the SIEM, SOC teams can instantly prioritize these alerts to investigate, terminate, and remediate incidents before they result in a data breach.
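The self-learning normal/abnormal decision and the two-way alert routing described in this PTA section, as an added example that is not CyberArk's patented model: a per-user baseline of source host, target account and hour of day, scored as bits of surprise under additive smoothing, with normal events folded back into the baseline and abnormal ones turned into severity-ranked alerts addressed to both the console and the SIEM. The login lines, the field names, the user "alice" and the two thresholds are constructed for this illustration.

```python
"""Toy self-learning baseline for privileged logins. Added illustration of the PTA
idea; not CyberArk code. Log format, fields, users and thresholds are constructed."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed history: what the vault would have told the analytics engine about past checkouts.
HISTORY = """\
2014-04-01T09:12:00Z user=alice src=ws-alice target=db-prod/root
2014-04-02T09:40:00Z user=alice src=ws-alice target=db-prod/root
2014-04-03T10:05:00Z user=alice src=ws-alice target=db-prod/root
2014-04-04T10:30:00Z user=alice src=ws-alice target=db-prod/root
2014-04-07T09:15:00Z user=alice src=ws-alice target=db-prod/root
2014-04-08T14:02:00Z user=alice src=ws-alice target=web-prod/root
2014-04-09T10:11:00Z user=alice src=ws-alice target=db-prod/root
2014-04-10T09:58:00Z user=alice src=ws-alice target=db-prod/root
"""

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) target=(?P<target>\S+)$")
ALERT_BITS = 4.5   # total surprise needed to raise an alert (constructed threshold)
HIGH_BITS = 8.0    # ... and to rank it high rather than medium (constructed threshold)


def parse(line: str) -> dict:
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("unrecognised login line: " + line)
    ev = m.groupdict()
    ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    return ev


class Profile:
    """Per-user counts of where they come from, what they touch, and when."""

    def __init__(self):
        self.n = 0
        self.src, self.target, self.hour = Counter(), Counter(), Counter()

    def learn(self, ev: dict) -> None:
        self.n += 1
        self.src[ev["src"]] += 1
        self.target[ev["target"]] += 1
        self.hour[ev["hour"]] += 1

    def features(self, ev: dict):
        return (("src", self.src, ev["src"]), ("target", self.target, ev["target"]),
                ("hour", self.hour, ev["hour"]))

    def surprise(self, ev: dict) -> float:
        """Bits of surprise: -log2 of an additively smoothed per-feature probability."""
        return sum(-math.log2((counter[key] + 1) / (self.n + 2))
                   for _, counter, key in self.features(ev))


class Analytics:
    def __init__(self):
        self.profiles = defaultdict(Profile)
        self.alerts = []

    def train(self, log_text: str) -> None:
        for line in log_text.splitlines():
            if line.strip():
                ev = parse(line)
                self.profiles[ev["user"]].learn(ev)

    def check(self, line: str):
        """Return None for a normal access (and learn from it) or an alert dict."""
        ev = parse(line)
        profile = self.profiles[ev["user"]]
        score = profile.surprise(ev)
        if score < ALERT_BITS:
            profile.learn(ev)   # normal behaviour keeps refining the baseline
            return None
        alert = {
            "user": ev["user"], "ts": ev["ts"], "score": round(score, 2),
            "severity": "high" if score >= HIGH_BITS else "medium",
            "reasons": [name for name, counter, key in profile.features(ev) if counter[key] == 0],
            "sent_to": ("cyberark-console", "siem"),   # the two-way integration
        }
        self.alerts.append(alert)   # abnormal events are not learned from
        return alert


if __name__ == "__main__":
    pta = Analytics()
    pta.train(HISTORY)
    for probe in ("2014-04-11T09:30:00Z user=alice src=ws-alice target=db-prod/root",
                  "2014-04-11T10:20:00Z user=alice src=ws-alice target=dc01/Administrator",
                  "2014-04-12T03:07:00Z user=alice src=vpn-gw-7 target=dc01/Administrator"):
        print(pta.check(probe))
```

With this history the usual morning checkout scores about 1.5 bits and is absorbed into the baseline, a never-seen target from the usual workstation scores about 5 bits (medium), and a new source to a new target at 03:07 scores about 10 bits (high). The `reasons` list is what makes the alert actionable for the SOC: it names which features had never been observed for that user.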
Now that we’ve talked about the required capabilities, here is a view of how CyberArk delivers this technology in an integrated portfolio of solutions.
At the foundation of the solution is the Shared Technology Platform, which allows customers to deploy a single infrastructure and expand the solution cost-effectively as business needs expand. Seamless integration of products built on the platform provides lowest cost of ownership, and consolidated management, policy controls and reporting capabilities. The platform delivers enterprise-class security, scalability, and high availability on a single, integrated solution.
The products built on the solution include:
• Enterprise Password Vault: proactively protects privileged accounts accessed using a password by detecting accounts, securing passwords, automatically rotating them and controlling access by users
• SSH Key Manager: proactively protects privileged accounts accessed using an SSH key by securing private keys, rotating key pairs and controlling access to private keys
• Privileged Session Manager: enables live monitoring and command-line keystroke level recording of privileged sessions, isolates the target asset from malware and establishes a single point of control for all privileged activity
• Application Identity Manager: secures application to application interfaces by enabling proactive controls on privileged credentials embedded in applications, service accounts and scripts
• On-Demand Privileges Manager: limits the breadth of access of administrative accounts by restricting the use of specified commands and functions
• Privileged Threat Analytics: profiles and analyzes individual privileged user behavior and creates prioritized alerts when abnormal activity is detected
Altogether, this portfolio of solutions delivers the broadest privileged account security solution available, all with an ease of management and scalability for enterprise-class organizations.