The New Cyber Battleground: Inside Your Network - Chad Froomkin, Major Account Executive Southeast


Post on 18-Dec-2015



The New Cyber Battleground: Inside Your Network

Chad Froomkin

Major Account Executive

Southeast


Why are we here?

90% of organizations breached 

59% of organizations breached more than once

$3,500,000 average cost per incident to investigate and remediate

Ponemon Institute - Cost of Data Breach: Global Analysis, 2014

Cisco Talos, Deloitte Financial Advisory service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK - CyberArk Threat Report: Privileged Account Exploits Shift the front lines of Cyber Security, 2014


The new cyber battleground: Inside your network

Over 90% of organizations have been breached

• In the past: “I can stop everything at the perimeter”

• Today: “I can’t stop anything at the perimeter”

Information security focus shifts to inside the network

• Over 35% of breaches are internal – driven by malicious and unintentional insiders

• Compromised credentials empower any attacker to act as an insider

Compliance and audit requirements focus on privileged accounts

• Privileged accounts provide access to the most sensitive and valuable assets

• Information exposure damages brand reputation and customer confidence


What do we know?

• 54% of compromised systems contained malware

• 94% of breaches are reported by third parties

• 243: median number of days advanced attackers are on the network before being detected

• 100% of breaches involved stolen credentials

Mandiant, M-Trends and APT1 Report, 2014

“We have to assume we have already been breached” - Brian Krebs (Krebs on Security)


Privileged accounts are targeted in all advanced attacks

Mandiant, M-Trends and APT1 Report, 2014

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”


Privileged accounts are targeted in all advanced attacks

Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014

“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”


Privileged accounts are targeted in all advanced attacks

CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013

“…that’s how I know I’m dealing with a sophisticated adversary…if they are targeting privileged accounts, I’ve got a serious APT problem…”


Perimeter defenses are consistently breached

Over 28 Billion spent on IT security in 2014!!!

Over 90% of organizations breached

Cisco Talos, Deloitte Financial Advisory service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK - CyberArk Threat Report: Privileged Account Exploits Shift the front lines of Cyber Security, 2014


Privileged Account Security: Now a critical security layer


Typical Lifecycle of a Cyber Attack

Privilege is at the center of the attack lifecycle


Scope of Privileged Account “attack surface” underestimated

[Bar chart: “In Your Estimation, How Many Privileged Accounts Are There In Your Organization?” Response categories: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,001+, Don't know. Vertical axis: 0% to 35%.]

Cyber - Privileged Account Security & Compliance Survey, 2014 (Enterprises > 5000 Employees)


Many organizations only use partial measures

[Bar chart: “How Do You Monitor Or Record Privileged Account Activity?” Response categories: Paper-based, Homegrown SW, IAM Solutions, PIM Software, SIEMs, DAM, Other. Vertical axis: 0% to 25%.]

[Pie chart: “Do you monitor and record privileged activity?” Segments: 72% and 28%.]

Cyber - Privileged Account Security & Compliance Survey, 2014


Privileged Accounts create a HUGE attack surface

Privileged accounts exist in every connected device, database, application, industrial controller and more!

Typically a ~3X ratio of privileged accounts to employees


What, Where & Why of Privileged Accounts

Elevated Personal

• Scope: Cloud providers; Personal accounts w/ elevated permissions

• Used by: IT staff; Any employee

• Used for: Privileged operations; Access to sensitive information; Web sites

Shared Privileged Accounts

• Scope: Administrator; UNIX root; Cisco Enable; Oracle SYS; Local Administrators; ERP admin

• Used by: IT staff; Sys admins/Net admins; DBAs; Help desk; Developers; Social media mgrs; Legacy applications

• Used for: Emergency; Fire-call; Disaster recovery; Privileged operations; Access to sensitive information

Application Accounts (App2App)

• Scope: Hard coded/embedded App IDs; Service Accounts

• Used by: Applications/scripts; Windows Services; Scheduled Tasks; Batch jobs, etc; Developers

• Used for: Online database access; Batch processing; App-2-App communication

All Powerful

Difficult to Control, Manage & Monitor

Pose Devastating Risk if Misused


Telecom breaches draw attention to insider access issues

▪ August 2014: A global top 5 Telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information.

“We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number”

▪ Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.


Chinese hack U.S. weather systems & satellite network

▪ October 2014: A federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services.

▪ Post breach, security testing discovered multiple weaknesses:

■ “Weak or default passwords and operating system vulnerabilities with well documented exploits”

■ Significant problems with remote access

■ Assessment results lacked supporting evidence – lack of audit logs


The framework of a retail breach

• Once necessary privileges are obtained, install malware on POS

• Install Remote Administration Tools - Exfiltrate data

• Access via compromised 3rd party account

• Escalation of privileges (for example, via Pass the Hash)

Goal


The Privileged Account Security maturity model

• Baseline maturity: Discover and control

• Medium maturity: Manage and monitor

• High maturity: Expand scope and automate


1) Baseline Maturity

Baseline maturity: Discover and control

• Inventory the privileged accounts

• Limit standard user accounts

• Establish on- and off-boarding processes

• Remove non-expiring passwords

• Securely store passwords

• Ensure attribution


2) Medium Maturity

Medium maturity: Manage and monitor

• Schedule password changes

• Utilize one-time passwords

• Implement session recording

• Prevent human usage of service accounts

• Control application accounts

• Detect anomalies


3) High Maturity

High maturity: Expand scope and automate

• Use multi-factor authentication

• Replace all hard-coded passwords in applications

• Employ next-generation jump-servers

• Implement approval and monitoring workflows

• Proactively detect malicious behavior


Critical steps to stopping advanced threats

Protect and manage privileged account credentials

Control, isolate and monitor privileged access to servers and databases

Use real-time privileged account intelligence to detect and respond to in-progress attacks

Discover all of your privileged accounts


Enterprise account usage today

[Diagram] Systems shown: Virtual Servers; Unix/Linux Servers; iSeries Mainframes; Windows Servers; zSeries Mainframe; Databases; Applications; Network Devices; Security Appliances; Websites & Web Apps

[Diagram] Users shown: Unix Admins; Windows Admins; DBAs; VM Admins; External Vendors; Business Applications; Auditor/Security & Risk

• I need the password to map a drive

• I need my service provider to connect remotely with root

• I just need root to patch a database

• I have this script that needs to run as root every night

• What are your root entitlements, who used it, when did they use it and why?


Requirements for an effective Privileged Account Security Solution

• Granular Privileged Access Controls

• Privileged User Access Controls

• Protecting & Isolating Sensitive Assets

• Privileged Activity Monitoring

• Application Identity Controls


Break the attack chain!!!


DNA - Discovery & Audit

Discover where your privileged accounts exist

Clearly assess privileged account security risks

Identify all privileged passwords, SSH keys, and password hashes

Collect reliable and comprehensive audit information


The CyberArk Team:

Chad Froomkin – Major Account Executive Southeast: NC/SC/TN

(770) 322-4201


Doug Brecher – Internal Account Executive Southeast

(617) 796-3264
