Slide 1: Stopping Attacks Before They Stop Business
Jeff Vealey – Customer Success Technical Advisor, CyberArk Software
Slide 2: State of play
There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.
FBI Director Robert Mueller, 2012
Slide 3: Recent history
Slide 4: Cyber Attacks Are a Daily Event
Slide 5: Cyber Security and Privileged Access
Mandiant, M-Trends and APT1 Report
“…100% of data breaches involved stolen credentials.”
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
Slide 6: Privileged Account Definition and Scope
Privileged account definition: any account which has the ability to access and update the configuration of a critical system or impact its operational service.
Scope:
WiFi Routers, Smart TVs
Routers, Firewalls, Hypervisors, Databases, Applications
Routers, Firewalls, Servers, Databases, Applications
Laptops, Tablets, Smartphones
Power Plants, Factory Floors
Slide 7: Privileged Account Security: the new security layer
PERIMETER SECURITY
PRIVILEGED ACCOUNT SECURITY
SECURITY CONTROLS INSIDE THE NETWORK
MONITORING
Slide 8: Typical processes that attackers expose…
Local admin accounts set to the same password
Separate, named domain accounts created for each admin
Non-expiring passwords for critical accounts
Hard-coded credentials for applications in code, scripts and appliances
Unmanaged SSH Keys used for interactive sessions and applications
Workstation users granted local admin rights
Standing Access – network, access and authentication
Lack of visibility around who has access, why, and whether the access is legitimate
Excessive permissions for specific roles, like DBAs, developers, etc.
Slide 9: Data Breaches – Real Life Example
Slide 10: How did the attack start? (ABC Company)
Step 1: Attackers used a phishing scam to detect local admin users.
Step 2: Executive user with local admin privilege discovered. Pass-the-hash attack starts.
Step 3: Hash of helpdesk user who remotely assisted the executive 3 days prior extracted and used.
Slide 11: What happened?
Step 4: Using the helpdesk user's password hash, server access was finally gained.
Step 5: Authenticated to multiple servers using those privileges until they gained domain-admin level access.
Step 6: Golden Ticket attack performed.
Used system access to:
Write own Kerberos tickets
Exfiltrate data
Local Admin accounts
Domain Admin accounts
Slide 12: Comprehensive Approach Required
Slide 13: Stats
Slide 14: Privileged Account Statistics
100% of advanced attacks exploit privileged credentials.
Slide 15: Privileged Account Statistics
51% of privileged account passwords are shared.
Shared by whom? What happens when people leave the organization?
Slide 16: Privileged Account Statistics
53% of large enterprises take 90 days or longer to change privileged passwords.
Current processes are making it easier for attackers to move around the infrastructure.
Slide 17: Privileged Account Statistics
86% of large enterprises do not know, or have underestimated, the magnitude of their privileged account security problem.
There is more than one way to underestimate this: the number of accounts, their scope, their power, and the use of the same or similar passwords.
Slide 18: Privileged Account Statistics
67% of privileged accounts across enterprises are either unknown or unmanaged.
Remember the breach at a US health insurer? 70 million credit card details were stolen because of 1 unmanaged credential.
Slide 19: Privileged Account Statistics
??% – Truth? Are these numbers correct?
Slide 20: Privileged Account Statistics
100% of advanced attacks exploit privileged credentials.
Slide 21: Compliance View
Slide 22: Compliance and Regulation
PCI
SOX
Slide 23: Reduce Risk of Privileged Account Exploits
Slide 24: Implement a standardized privileged access strategy
NETWORK INFRASTRUCTURE
OPERATING SYSTEM
DATABASE
APPLICATION
For each layer:
Why is Privileged Access needed?
Who needs Privileged Access?
Which entities are used to authenticate?
Can approval workflows be enforced?
What controls are in place right now?
Slide 25: Example Controls…
(Ref – Process – Description; the Priority column is not filled in on the slide.)
C1 – Inventory and reduce the number of privileged accounts in your organization.
Knowing how many accounts are present in the environment and where they are is a critical first step in making informed risk decisions and protecting the accounts. Once inventoried, privileged accounts should be reviewed and unnecessary accounts should be deleted to reduce the overall number of accounts requiring management.
C2 – Prohibit standard user accounts from having privileged access.
Using separate accounts for general and administrative use enables organizations to identify misuse or abuse of privileged accounts. In addition, enforcing least privilege is a significant step an organization can take towards improving the security of its network environment.
C3 – Create a process for on- and off-boarding employees that have privileged account access.
Employees should understand the responsibility that comes with privileged access and be trained in existing corporate policies before administrative access is granted. Access should routinely be reviewed to ensure privileged access is still required. The off-boarding process should include disabling all of the employee's privileged accounts and changing the passwords of any shared accounts the employee had access to.
C4 – Eliminate the practice of accounts that have non-expiring passwords.
Passwords should be changed on a regular schedule to reduce their vulnerability to password cracking tools and password sharing between employees.
C5 – Store passwords / keys securely.
It is imperative that organizations store their privileged credentials in the most secure, encrypted vaulting system available. The use of envelopes, binders, spreadsheets, flat files, etc. for the storage of privileged account information should be eliminated.
Slide 26: Restrict Lateral Movement – Define the Target Operating Model
Tier 0 – Forest admins: direct or indirect administrative control of the Active Directory forest, domains, or domain controllers
Tier 1 – Server admins: direct or indirect administrative control over a single or multiple servers
Tier 2 – Workstation admins: direct or indirect administrative control over a single or multiple devices
Source: Microsoft, Mitigating Pass-the-Hash and Other Credential Theft, v2
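As an added illustration (not part of the deck, and not CyberArk or Microsoft tooling), the Python below audits a constructed account inventory against controls C2 and C4 from the table and against the tier separation of the model above. The record format, the privileged-group-to-tier mapping, the 90-day threshold and every account name are assumptions made for the example.

```python
from datetime import date

# Assumed mapping of privileged groups to the tier whose assets they control
# (group names are constructed; the tier numbers follow the slide's definitions).
GROUP_TIER = {"Domain Admins": 0, "Enterprise Admins": 0,
              "Server Admins": 1, "Workstation Admins": 2}
MAX_PASSWORD_AGE_DAYS = 90  # the slide's "90 days or longer" threshold
AS_OF = date(2024, 3, 15)   # audit date used for the constructed sample


def audit(accounts, today):
    """Return (account, control, detail) findings for privileged accounts only."""
    findings = []
    for acct in accounts:
        tiers = {GROUP_TIER[g] for g in acct["groups"] if g in GROUP_TIER}
        if not tiers:
            continue  # not privileged: outside the scope of C2/C4 and the tier model
        # C2: a general-use (standard) account must not carry privileged membership
        if acct["kind"] == "standard":
            findings.append((acct["name"], "C2", "standard account in privileged group"))
        # C4: no non-expiring passwords; also flag passwords older than the threshold
        age = (today - acct["password_last_set"]).days
        if acct["password_never_expires"]:
            findings.append((acct["name"], "C4", "password never expires"))
        elif age >= MAX_PASSWORD_AGE_DAYS:
            findings.append((acct["name"], "C4", f"password is {age} days old"))
        # Tier model: one identity controlling assets in more than one tier lets a
        # credential stolen at a lower tier be replayed against a higher one
        if len(tiers) > 1:
            findings.append((acct["name"], "TIER", f"spans tiers {sorted(tiers)}"))
    return findings


# Constructed sample inventory (fictional accounts, not from any real directory).
SAMPLE = [
    {"name": "jsmith", "kind": "standard", "groups": ["Domain Users", "Workstation Admins"],
     "password_never_expires": False, "password_last_set": date(2024, 1, 10)},
    {"name": "adm-jsmith-t0", "kind": "admin", "groups": ["Domain Admins"],
     "password_never_expires": True, "password_last_set": date(2021, 5, 1)},
    {"name": "svc-backup", "kind": "service", "groups": ["Server Admins", "Workstation Admins"],
     "password_never_expires": False, "password_last_set": date(2023, 11, 20)},
    {"name": "adm-kwong-t1", "kind": "admin", "groups": ["Server Admins"],
     "password_never_expires": False, "password_last_set": date(2024, 3, 1)},
]


def run_sample():
    return audit(SAMPLE, AS_OF)


if __name__ == "__main__":
    for name, control, detail in run_sample():
        print(f"{name:15} {control:5} {detail}")
```

The separate, named Tier 0 admin account is only flagged for its non-expiring password; the shared service account is flagged twice because it is both stale and spans two tiers.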
Slide 27: Privileged Account Security
Slide 28: Privileged Account Security – Critical Steps
Protect and manage privileged account credentials
Control, isolate and monitor privileged access to servers and databases
Use real-time privileged account intelligence to detect and respond to in-progress attacks
Discover all of your privileged accounts
Implement least-privilege access for servers and workstations
Slide 29: First, understand the Current Position
Slide 31: Protect and Manage Privileged Account Credentials
Implement strong credential access workflows
Simplify policy management - “master policy” function
Protect the Privileged Credentials – Secure Digital Vault
Slide 32: Control, Isolate and Monitor Privileged Activity
Isolate malware from the target system
Monitor and record command level activity
Establish a single point of control for privileged sessions
Slide 33: Use Real-time Privileged Account Intelligence
Privileged session activity → privileged session intelligence
Privileged credential access → vault access intelligence
Detect malicious activity: real-time, integrated with SIEM; full forensics capabilities
Privileged account intelligence detects attacks
Full integration with existing SIEM solution
Complete, indexed record of privileged activity
Detect anomalies in day-to-day activity
Slide 34: The Standardized Approach for Privileged Access
Real-Time Threat Detection – detect attempts to circumvent controls
Privileged Account Management – enforce account management on all privileged accounts
Global IT Environment
Privileged Access: IT Admins, Applications, 3rd Parties
Secure App2App Authentication
Implements the new Target Operating Model concept for risk mitigation. Standardizes privileged access for all accounts, human and non-human IDs.
Benefits:
Mitigates risk by reducing the attack surface within the heart of the enterprise
Implements a standardized workflow for privileged access; central control and audit
Provides full accountability, forensics and threat detection.
Directive
Slide 35: So… in summary…
Slide 45: Thank you