Privileged Attack Vectors: Building Effective Defense Strategies Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com
Agenda
• The Threat Landscape
• Sample Cases
• What is Privileged Access Management?
• Twelve Steps to Privilege Security
• BeyondTrust
The Threat Landscape
The Infonomics of Data Breaches
The Cyber Attack Chain
1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry (vulnerable systems).
2. Privilege Hijacking & Escalation: the attacker hijacks privileges or leverages stolen/cracked passwords (unmanaged credentials and excessive privileges).
3. Lateral Movement & Exfiltration: the attacker compromises other network resources (limited visibility).
How Are Threat Actors Gaining Privileges?
Insider Threats:
• Guessing
• Dictionary attacks
• Brute force
• Pass the Hash
• Security questions
• Password resets
External Threats:
• Vulnerabilities
• Misconfigurations
• Exploits
• Malware
• Social engineering
• MFA flaws
Hidden Threats:
• Default credentials
• Anonymous credentials
• Predictable credentials
• Shared credentials
• Temporary credentials
• Reused credentials
Sample Cases
EMPLOYEES AND OTHER INSIDERS HAVE UNNECESSARY ACCESS
Employees, vendors and other insiders are often given excessive access to systems and data – and that access can go unmonitored.
In 88% of cases, attackers compromise an organization using definable patterns established as early as 2014.
Source: Verizon 2017 Data Breach Investigations Report
CREDENTIALS ARE SHARED AND UNMANAGED
Passwords are created and shared, but aren’t audited, monitored or managed with discipline or accountability.
Privilege abuse was behind 81% of insider misuse incidents.
Source: Verizon 2017 Data Breach Investigations Report
IT ASSETS COMMUNICATE UNCHECKED
Desktops, laptops, servers and applications communicate and open paths to sensitive assets and data.
99% of successful attacks leverage known vulnerabilities.
Source: Verizon 2015 Data Breach Investigations Report
Privileged Access Management
Privileged Access Management
• Provides an integrated approach to enterprise password management
• Enforces least privilege on all endpoints without compromising productivity or security
• Ensures administrator and root compliance on Unix, Linux, Windows and Mac
• Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
• Achieves unified visibility over accounts, applications, and assets that they protect
Diagram: the Privileged Access Management disciplines shown are Enterprise Password Management, Active Directory Bridging, Privilege Management, User Behavior Monitoring, Session Management, and Advanced Reporting & Analytics.
Twelve Steps to Privilege Security
Step 1: Improve Accountability for Privileged Passwords
Asset Based:
• Privileged account discovery
• Develop permissions model
• Rotate passwords and keys
• Workflow process and auditing
• Define session monitoring
• Segmentation
• User behavior analysis
Step 2: Implement Least Privilege on Endpoints
Asset & User Based: Windows & Mac OSX (Desktop, Laptop, Notebook, Tablet, Virtual, etc.)
• Remove administrator rights
• Implement standard user permissions
• Enforce application control
• Eliminate multiple accounts
• Context-aware rules
• Session monitoring
• Privileged file monitoring
• Layered, multifactor authentication
• Auditing of privileged access
Step 3: Leverage Application Risk Levels
• Limit application privileges to users and assets based on documentable risks
• Vulnerabilities, unmanaged, unauthorized, and privileged
• Measure risk for applications executed by user and asset
Step 4: Implement Least Privilege on Servers
Privileges:
• Auditing
• Context aware
• Application risk analysis
• Segmentation
Script & Command Auditing:
• Scripts, commands & shells
• Session monitoring
• Keystroke logging
• Application logging
Industry Standards:
• Authentication
• Ticketing
• API integration
• Searching
• Alerting
Step 5: Privilege Management on Network Devices
• Default or common passwords that are not configured correctly
• Shared credentials across multiple devices for management simplicity
• Excessive password ages due to fear of changing or lack of management capabilities
• Compromised or insider accounts making changes to allow exfiltration of data
• Outsourced devices and infrastructure where changes in personnel, contracts, and tools expose credentials to unaccountable individuals
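To make the Step 5 risk conditions checkable, the following is an added example (not BeyondTrust's or PowerBroker's code) that audits a constructed network-device credential inventory for default, shared and stale credentials. It compares keyed fingerprints rather than plaintext; the audit key, the default-credential list and the 90-day maximum age are assumptions.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from hashlib import sha256

# Constructed audit key: a secret held by the audit tooling, so the inventory
# never stores or compares plaintext device passwords.
AUDIT_KEY = b"constructed-audit-key"
MAX_PASSWORD_AGE_DAYS = 90
# Constructed placeholder list of vendor-default username/password pairs.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

def fingerprint(secret):
    """Keyed fingerprint of a password; equal passwords give equal fingerprints."""
    return hmac.new(AUDIT_KEY, secret.encode(), sha256).hexdigest()

@dataclass(frozen=True)
class DeviceCredential:
    device: str
    username: str
    password_fp: str  # fingerprint only; plaintext never enters the inventory
    last_rotated: date

DEFAULT_FPS = {(u, fingerprint(p)) for u, p in KNOWN_DEFAULTS}

def audit(inventory, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return sorted (device, finding) pairs for the Step 5 risk conditions."""
    findings = set()
    devices_by_fp = defaultdict(set)
    for cred in inventory:
        devices_by_fp[cred.password_fp].add(cred.device)
        if (cred.username, cred.password_fp) in DEFAULT_FPS:
            findings.add((cred.device, "default-credential"))
        if (today - cred.last_rotated).days > max_age_days:
            findings.add((cred.device, "stale-credential"))
    # The same fingerprint on more than one device is a shared credential.
    for devices in devices_by_fp.values():
        if len(devices) > 1:
            findings.update((d, "shared-credential") for d in devices)
    return sorted(findings)

# Constructed sample inventory (device names and secrets are made up).
SAMPLE_INVENTORY = [
    DeviceCredential("core-sw-1", "admin", fingerprint("admin"), date(2018, 5, 1)),
    DeviceCredential("edge-rtr-1", "netops", fingerprint("N3tw0rk!2017"), date(2018, 4, 1)),
    DeviceCredential("edge-rtr-2", "netops", fingerprint("N3tw0rk!2017"), date(2018, 4, 1)),
    DeviceCredential("fw-1", "fwadmin", fingerprint("uniq-Fw-Passw0rd"), date(2017, 4, 1)),
]
```

Running `audit(SAMPLE_INVENTORY, date(2018, 6, 1))` flags the core switch for a default login, both edge routers for sharing one password, and the firewall for a credential not rotated within 90 days.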
Step 6: Privilege Management for Virtual and Cloud
Cloud-Agnostic – Private or Public
• Respects OS and application hardening
• License flexibility
• Fully automated for passwords & API
• Asset inventory integration
• Auditing, reporting and change-aware
• Docker and container aware
• Proxy access
• Discover online and offline instances
• Session management
• Leverage hypervisor APIs
• Agent technologies
Step 7: Privilege Management for IoT, IIoT, ICS, SCADA
Communications and Restricted Lateral Movement Zones
Diagram: privileged access segmentation by device type & risk. Zones: Internet, Public, Private, DMZ, Guest, Air-Gapped. Device classes: Users, Servers, IoT, IIoT, ICS, SCADA, Dumb Devices.
Step 8: Privilege Automation for DevOps
• Only allow approved assets; identify unacceptable variations
• Identify security risks and automatically remediate them
• Ensure configuration hardening
• Eliminate all locations for hard-coded credentials
• Platform-agnostic, from cloud to on premise
• Limit all users, including privileged access, in the DevOps automated workflow
• Provide security and performance visibility to ensure security and automation success
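One way to act on "eliminate all locations for hard-coded credentials" is a pipeline check that fails when a config or IaC file assigns a secret-like key a literal value while letting references to a secrets store or the environment pass. This is an added example, not BeyondTrust's or PowerBroker's code; the key-name list, the reference syntaxes it accepts and the sample config are all constructed assumptions.

```python
import re

# Key names that usually hold secrets (constructed list; extend per environment).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(password|passwd|secret|token|api_?key|private_?key)[\w.-]*)"
    r"\s*[:=]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Values that are indirections (env var, template, vault lookup), not literals.
REFERENCE_RE = re.compile(
    r"^(\$\{.*\}|\$\(.*\)|\{\{.*\}\}|!vault\b.*|vault:.*|\$[A-Z_][A-Z0-9_]*)$"
)
# Empty or placeholder values that still have to be filled in at deploy time.
PLACEHOLDER_RE = re.compile(r'^["\']?(<[^>]*>|null|none|changeme)?["\']?$', re.IGNORECASE)

def scan_config(text):
    """Return (line_number, key) for every secret-like key assigned a literal value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not assignments
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        if REFERENCE_RE.match(value) or PLACEHOLDER_RE.match(value):
            continue  # indirect lookup or unfilled placeholder: acceptable
        findings.append((lineno, m.group("key")))
    return findings

# Constructed deployment config fragment; every value here is made up.
SAMPLE_CONFIG = """\
# deploy settings (constructed example)
db_host: db.internal.example
db_password: "constructed-literal-pass"
api_token: ${DEPLOY_TOKEN}
registry_password: !vault secret/registry/ci
aws_secret_access_key: constructed-literal-key
ssh_private_key: {{ lookup('vault', 'ci/ssh') }}
smtp_password: <fill-in-at-deploy>
"""
```

Only the two literal assignments (lines 3 and 6 of the sample) are reported; the env-var, vault, template and placeholder forms pass, which is the distinction a DevOps gate needs so it blocks hard-coded secrets without blocking correct secret references.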
Step 9: Privilege Management Unification
Correlate Data Between Disciplines (diagram): Enterprise Password Management, Active Directory Bridging, Privilege Management, User Behavior Monitoring, Session Management, Advanced Reporting & Analytics
Correlate Data for Risks:
• Threat Analytics
• Pivot Privileged Data
• Profile Assets, Users, and Applications
• RBAC and Grouping
• Workflow and Process Validation
• Third-Party Integration
Step 10: Privileged Account Integration
Step 11: Privileged Auditing and Recovery
• Audit and roll back changes and identify who, what, where, and when they were performed.
• Restore from the Active Directory recycle bin without having to extract backups.
• Audit, report, and recover across complex Windows or heterogeneous environments.
Step 12: Integrate the Identity Access Stack
Morey J. Haber
• 20+ years security experience
• Articles on Secure World, Dark Reading, CSO Online, etc.
• Author of “Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations” & “Asset Attack Vectors” (covering Vulnerability Management) – both available from Apress Media
COMPLETE: Comprehensive, integrated, intelligent PAM
LEADER: Gartner, Forrester, KuppingerCole
PROVEN: 13,000+ customers worldwide; extensive partner community
INNOVATIVE: 30+ years of privilege security firsts + expansive roadmap
PowerBroker Privileged Access Management Platform
Privilege Management:
• Eliminate admin\root rights
• Enforce application & command control
• Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate
• Enforce appropriate software use
• Risk based privilege decisions
Password & Session Management:
• Gain accountability over shared accounts
• Secure credentials and manage sessions
• Eliminate hard-coded passwords
• Monitor privileged sessions and user behavior
• Enforce appropriate credential usage
Secure Remote Access:
• Empower and protect your service desk with the most secure Remote Support
Diagram layers: Privileged Identity and Infrastructure, Privileged Access, Endpoints. Deployment: Cloud, Hybrid, On-Premise.
PAM Industry Leader
• Leader: Forrester PIM Wave, 2016
• Leader: Gartner Market Guide for PAM, 2017 (Table 1. PASM Vendors and Their Key Capabilities)
Questions? Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com