Privilege Security & Next-Generation Technology
Morey J. Haber, Chief Technology Officer
mhaber@beyondtrust.com
Agenda
• The Next-Gen Threat Landscape
  o Infonomics, Breaches & the Attack Chain
  o Securing Cloud, DevOps & IoT
  o Privilege Security Threats
• PAM & Privilege Security Maturity
  o Privileged Access Management
  o Privilege Security Maturity Model
• How BeyondTrust Helps
The Next-Gen Threat Landscape
Innovation Leader
30+ years of firsts
• 1st fully-integrated PAM and VM platform
• 1st to provide vulnerability insights to inform privilege decisions
• 1st PAM vendor on all major cloud marketplaces
• 1st Unix/Linux, Mac and network device PAM solution
Strong roadmap
• Active threat response
• Context-aware PAM
• SaaS-based PAM platform
• DevOps secrets management
Patented technology
• 7 patents granted
• 10 pending
Infonomics
"Infonomics is the theory, study, and discipline of asserting economic significance to information. It provides the framework for businesses to monetize, manage, and measure information as an actual asset. … Infonomics endeavors to apply both economic and asset management principles and practices to the valuation, handling, and deployment of information assets."
- Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage, by Douglas B. Laney
Notable Breaches
• Credentials stolen: 80% of security breaches involve privileged credentials (Forrester Wave: Privileged Identity Management, Q3 2016)
• Unpatched software exploited, amplified by excessive privileges: 95% of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights (2018 Microsoft Vulnerabilities Report)
• Credentials hacked: 28% of breaches involve insiders, and growing (2018 Verizon Data Breach Investigations Report)
The Cyber Attack Chain
1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry (weakness: vulnerable systems)
2. Privilege Hijacking & Escalation: … hijacks privileges or leverages stolen/cracked passwords (weakness: unmanaged credentials and excessive privileges)
3. Lateral Movement & Exfiltration: … and compromises other network resources (weakness: limited visibility)
The New Enterprise
More people, processes and technology have access to your systems and data than ever before.
Expanding Accounts
• Employees
• Remote Employees
• Partners & Contractors
• DevOps / A2A / A2DB
Evolving Infrastructure
• Client-Server
• Internal WWW
• Mobile
• Cloud
• IoT
Cloud & IoT: mainstream adoption (figures shown on the slide: 60%, 56%, 15% for DevOps, IoT and Cloud)
Attack Surface Evolution
DevOps
• DevOps Tools
• Containers
• Microservices
Cloud & Hybrid Cloud
• Cloud Management Platforms (AWS, Azure)
• Dynamic Virtual Environments
• Virtualized Environments (VMware, MSFT)
• Virtualized Machines (UNIX, Linux, Windows)
• SaaS Apps (Facebook, LinkedIn, Custom)
On-Premise
• Shared Administrator Accounts
• Desktops (Windows, Mac)
• Servers (Unix, Linux, Windows)
• Industrial Control Systems
• Security Infrastructure
• Network Infrastructure
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (A to A)
• Hypervisors & Virtual Machines
More Privileged Accounts
• SaaS Admins
• Cloud Admins
• Application Admins
• Privileged End Users
• Developers
• Machine Passwords & Keys
• More…
Internet of Things
• Roaming workstations
• BYOD
• Cameras
• Sensors
• Printers
Cloud
Secure Cloud Enablement
Secure cloud enablement requires a multidisciplinary strategy!
• Discover & Inventory: Asset Management
• Restrict Privileges: Privilege Management
• Scan for Vulnerabilities: Vulnerability Management
• Ensure Configuration Compliance: Cloud Security Hardening and Best Practices
• Segment Networks: Network Design
• Enforce Appropriate Credential Usage: Least Privilege Management
• Gain Accountability over Shared Accounts: Password Management
• Eliminate Hard-Coded Passwords: A2A Security
Secure Cloud Transformation
The New Cloud Perimeter (in the cloud, into the cloud, from the cloud)
• Cloud Management Platforms
• Shared Administrator Accounts
• Servers (Unix, Linux, Windows)
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (A to A)
• Security & Network Infrastructure
• Hypervisors & Virtual Machines
• SaaS Applications
• DevOps Environments
• Containers & Microservices
• IoT Devices
Virtual Machines, Dedicated Hardware | Marketplace Applications | IaaS, PaaS, & SaaS
Privilege Management for the Cloud
Cloud-Agnostic: Private, Public and Hybrid Environments
• Respects OS and application hardening
• License flexibility
• Fully automated for passwords & API
• Asset inventory integration
• Auditing, reporting and change-aware
• Docker and container aware
• Proxy access
• Discover online & offline instances
• Session management
• Leverage hypervisor APIs
• Regulatory compliance
• Agent technologies
DevOps
DevOps Security Strategy
Secure DevOps
• Discover & Inventory: Asset Management
• Restrict Privileges: Privilege Management
• Eliminate Hard-Coded Passwords: A2A Security
• Gain Accountability over Shared Accounts: Password Management
• Enforce Appropriate Credential Usage: Least Privilege Management
• Scan for Vulnerabilities: Vulnerability Management
• Ensure Configuration Compliance: Hardening and Security Best Practices
• Segment Networks: Network Design
Privilege Automation for DevOps
• Only allow approved assets; identify unacceptable variations
• Identify security risks and automatically remediate them
• Ensure configuration hardening
• Eliminate all locations for hard-coded credentials
• Platform-agnostic, from cloud to on premise
• Limit all users, including privileged access, in the DevOps automated workflow
• Provide security and performance visibility to ensure security and automation success
IoT / IIoT
Privilege Management for IoT, IIoT, ICS, SCADA
Communications and Restricted Lateral Movement Zones
• Privileged Access Users
• Internet
Segmentation
• Public
• DMZ
• Private
• Guest
• Air-Gapped
Device Type & Risk
• Servers
• IoT
• IIoT
• ICS
• SCADA
• Dumb Devices
The Privileged IoT Perspective
• IoT asset and inventory management
• Risk assessment with vulnerability management
• Password management and privileged session access
• Command line least privilege management
• Policy and script repository
Privilege Security Threats
Privilege Security Threats
Insider Threats
• Guessing
• Dictionary attacks
• Brute force
• Pass the Hash
• Security questions
• Password resets
• MFA flaws
External Threats
• Vulnerabilities
• Misconfigurations
• Exploits
• Malware
• Social engineering
Hidden Threats
• Default credentials
• Anonymous
• Predictable
• Shared credentials
• Temporary
• Reused
Accountability for Privileges
• Privileged account discovery
• Develop permissions model
• Rotate passwords and keys
• Workflow process and auditing
• Define session monitoring
• Segmentation
• User behavior analysis
Privileged Access Management & Privilege Security Maturity
Privileged Access Management
• Provides an integrated approach to enterprise password management
• Enforces least privilege on all endpoints without compromising productivity or security
• Ensures administrator and root compliance on Unix, Linux, Windows and Mac
• Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
• Achieves unified visibility over accounts, applications, and the assets that they protect
Components: Enterprise Password Management | Active Directory Bridging | Privilege Management | Session Management | User Behavior Monitoring | Advanced Reporting & Analytics
The Journey to Privilege-Centric Security
Maturity grows over time through three stages, supported by unified management, reporting & threat analytics; new enterprise deployment (cloud, DevOps, network/IoT/ICS/SCADA); and IT ecosystem integration.
Identify & Inventory
• Account discovery
• Asset discovery & vulnerability scanning
Improve Accountability & Control over Shared Credentials
• Password/key storage & rotation
• Session management
• A2A & A2DB
Eliminate Excessive Privileges & Gain Granular Command and Task-Level Control
• Endpoint least privilege / command elevation & delegation
• Server least privilege / command elevation & delegation
• Session recording & monitoring
• FIM, VBAM, event log monitoring
• FIM, system-level control
About BeyondTrust
Privilege-Centric Security for the New Enterprise
Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise.
• Identity-Focused: not network focused
• Centralized
• Dynamic: locations, teams, contexts
• Modular: integrates with best-of-breed solutions
• Future-Ready: built for next-gen IT environments
• Risk-Based: accounts for user & asset risk