Control and accountability for privileged users
Andreas Nordenadler, CyberArk
CyberArk
Approach privileged accounts as a security challenge
• Designed and built from the ground up for security
Trusted experts in privileged account security
• Over 1,500 privileged account security customers
Twelve years of innovation in privileged account controls, monitoring and analytics
• First with vault, first with monitoring, first with analytics
• Over 100 software engineers, multiple patents
Only comprehensive privileged account security solution
• One solution, focused exclusively on privileged accounts
World-class Customers
Financial Services, Communications & Media, Pharmaceuticals, Energy & Utilities, Other Industries
Trusted experts to more than 1,500 organizations around the globe
CyberArk Customer Snapshot
PRIVILEGE
Shared Admin Accounts & Personal Privileged Accounts
Cloud Accounts
Application to Application Accounts
Privileged Accounts
Privileged Credentials are (needed) Everywhere
WiFi Router, Smart TV
Power plant, Factory Floor
Laptop, Tablet, Smartphone
Routers, Firewalls, Hypervisors, Databases, Applications
Routers, Firewalls, Servers, Databases, Applications
Hijacked Credentials Put the Attacker in Control
WiFi Router, Smart TV
Power plant, Factory Floor
Laptop, Tablet, Smartphone
Compromised Privileged Accounts
Routers, Firewalls, Hypervisors, Databases, Applications
Routers, Firewalls, Servers, Databases, Applications
Privileged Accounts are Targeted in All Advanced Attacks
Mandiant, M-Trends and APT1 Report
“…100% of breaches involved stolen credentials.”
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
Typical Lifecycle of a Cyber Attack
Privilege is At The Center of the Attack Lifecycle
The Story That Never Ends
“Anybody in the position of privileged access with the technical capabilities that I had could suck out secrets…”
Edward Snowden, NSA Systems Administrator
The Beginning of Corporate Accountability(?)
Privileged Account Management Drivers
Evolving Threats
▪ Advanced, External Threats
▪ Malicious Insider Threats
▪ Accidental Insider Threats
Increased Audit & Compliance Requirements
▪ External regulations
▪ Business partner demands
▪ Internal audit requirements
What is CyberArk Doing to Help?
CyberArk Breaks the Attack Chain
CyberArk’s Privileged Account Security Solution
Enterprise Password Vault®
Privileged Session Manager®
Application Identity Manager™
On-Demand Privileges Manager™
Management Portal/Web Access
Master Policy
Secure Digital Vault™
Privileged Threat Analytics
Shared Technology Platform
Proactive Controls, Monitoring & Management
Behavioral Analytics
Protect Detect Respond
SSH Key Manager
System     User            Pass
Unix       root
Oracle     SYS
Windows    Administrator
z/OS       DB2ADMIN
Cisco      enable
IT
Vault
Enterprise IT Environment
Policy Manager
1. Master/exception policy definition
2. Initial load & reset: automatic detection, bulk upload, manual
3. Request workflow: dual control, integration with ticketing systems, one-time passwords, exclusivity, groups
4. Direct connection to device
5. Auditor access
Security/Risk Management
Auditors
Privileged Account Security – IRL 1/2
Portal
Policy
Request to view Reports
Request access to Windows Administrator On prod.dom.us
tops3cr3t
lm7yT5w X5$aq+p Tojsd$5fh y7qeF$1 gviNa9% Oiue^$fgW
Policy
Other…
Vault
1. Logon through Password Vault Web Access (HTTPS)
2. Connect (RDP over HTTPS)
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog
Diagram labels: PSM, Windows Servers, Servers, Databases, ESX\vCenters, Unix, Linux, SIEM/Syslog
Privileged Account Security – IRL 2/2
Portal
Four Critical Steps to Stopping Advanced Threats
Protect and manage privileged account credentials
Control, isolate and monitor privileged access to servers and databases
Use real-time privileged account intelligence to detect and respond to in-progress attacks
Discover all of your privileged accounts
Challenge: Identify and Manage Privileged Accounts
Identifying privileged accounts is difficult
▪ High volume of accounts (default admin accounts, “backdoor” accounts, service accounts, local privileged accounts and local accounts on servers)
▪ Employee turnover
▪ Lack of historical records and documentation
Risks
▪ Unmanaged privileged accounts are exploited in over 90% of corporate breaches
▪ A large number of machines on a network can be vulnerable to Pass-the-Hash attacks
■ Stored privileged credential hashes create vulnerabilities to Pass-the-Hash attacks on multiple machines throughout a network
▪ Without a clear understanding of the volume and location of privileged accounts, auditors lack the reliable information they need to complete an audit
■ Privileged account controls and monitoring are needed for security and compliance requirements
Solution: CyberArk Discovery & Audit (DNA)
DNA helps organizations gain visibility of their privileged account environment
▪ Discover all privileged and non-privileged accounts
▪ Locate all privileged credentials including:
■ Passwords
■ SSH keys
■ Password hashes
▪ Easily review the Executive Summary Dashboard
▪ Enhance insight with visual maps of password hashes and SSH key trusts
▪ Gain visibility without impacting performance
■ Requires no installation
■ Consumes very low bandwidth
CyberArk Discovery and Audit (DNA™) Benefits
Understand your risk
• Identify and assess privileged account attack surface and Pass-the-Hash vulnerabilities
Save time and money
• Reduce time and cost of security audit preparation
• Simple executable – results in minutes
Optimize privileged account project benefits
• Understand the project scope
• Set project priorities
Healthcare company – discovered several local admin accounts created by 3rd party vendors. Raised project urgency.
Telecommunication company – used DNA to discover Service Accounts for scoping of an AIM project
Bank – used DNA report for scoping first phase of deployment
Energy company – DNA exposed critical misconfiguration of local administrative accounts, deeply nested within the accounts tree. Very difficult to find without DNA.
CyberArk DNA™
DEMO
Discovery and Audit 5.0: What does it scan?
▪ Windows accounts
▪ Unix accounts
▪ Accounts with access rights to desktops and servers:
■ Privileged and non-privileged accounts (Windows and Unix), e.g. ‘Guest’ account, local ‘Administrator’ account
■ Local and domain accounts (Windows and Unix), e.g. personal domain account ‘johnr’, ‘john_Admin’
▪ Windows Service Accounts:
■ Accounts used in Windows Services
■ Accounts used in Scheduled Tasks
▪ SSH Keys:
■ Public and Private SSH Keys
■ Orphan Keys
■ SSH Key Trusts between accounts and machines
Thank You!