ISACA presentation, Aug 18, 2016 - Onion ID
TRANSCRIPT
Security Implications of Employee Account Compromise
-Anirban Banerjee, [email protected]
HELLO! I am Anirban Banerjee, Founder and CEO of Onion ID.
https://www.linkedin.com/in/anirbanbanerjeephd
Implication and Compliance
Current Status
What is Privilege
Challenges
Strategies
Implication and Compliance
• Compliance violations
• Loss of revenue
• Loss of trust
• Employee dissatisfaction
Implications
Compliance
• (1) Availability of ePHI Data—45 CFR 164.308(a)(7)(ii)
• (2) Integrity of ePHI Data—45 CFR 164.312(c)(1), (2), & (e)(2)(i)
• (3) Authentication to ePHI Data Systems—45 CFR 164.312(d)
• (4) Access Control in ePHI Data Systems—45 CFR 164.312(a)(1), (2), & (3)
• (5) Audit of ePHI Data Systems—45 CFR 164.308(a)(5)(ii)(c) & 164.312(b)
Where is PAM relevant?
• 7.1.1 - Inventory of assets
• 7.1.2 - Ownership of assets
• 7.1.3 - Acceptable use of assets
• 10.1.2 - Change management
• 10.1.3 - Segregation of duties
• 10.3.1 - Capacity management
• 10.10.1 - Audit logging
• 10.10.2 - Monitoring system use
• Additionally - 11.1.1, 11.2.4, 11.6.1, 13.1.1, 13.2.3, 15.1.4, 15.1.5, 15.2.1
Where is PAM relevant?
• #5 Controlled use of administrative privileges.
• #6 Maintenance, monitoring and analysis of logs.
• #9 Limitation and control of network ports and services.
• #10 Data recovery capability.
• #11 Secure configurations for network devices like firewalls and routers.
• #14 Controlled access based on the need to know.
• #16 Account monitoring and control.
• #19 Incident response and management.
Where is PAM relevant?
• Need 2FA for every admin access. (v3.2)
• Need to demonstrate authorization controls.
• Access audit mechanisms need to be in place.
Where is PAM relevant?
What can an employee see
What can an employee click
What can an employee fill
What can an employee download
Use Case
Current Status
Laptops
In-house servers
Mobile devices
Cloud Servers
The Landscape is Changing
IT Landscape
• Shift from Capex to Opex
• Cost savings – 25% on avg.
• Employee mobility
• Easy access – 49% on avg.
• Scaling is easier
• More efficient – 55% on avg.
• Time savings
• More time to innovate – 31% on avg.
• Choice – no traditional vendor lock-in
Why is the Cloud Popular
SAML & SaaS
• Less than 25% of corporate apps have SSO support
• Less than 1% of all SaaS apps understand SAML
• Passwords are here to stay!
Mapping User Roles
• How to map to 3rd party SaaS apps?
• SAML assertions - weak support.
• No magic bullet.
What is Privilege
Privilege Management is not just Access Control
Privilege Management
PAM - 100% Coverage
Web Apps
Servers and Containers
PAM - Layers
Shrek: Ogres are like onions.
Donkey: They stink?
Shrek: Yes. No.
Donkey: Oh... they make you cry?
Shrek: No!
Donkey: Oh, you leave 'em out in the sun, they get all brown, start sproutin' little white hairs.
Shrek: NO. Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers. [sigh]
Donkey: Oh, you both have layers. Oh.
PAM has layers. Onions have layers. We both have layers. Get it?
PAM - The 7 Layers
2FA on Apps and Servers
SaaS PAM
SSH, RDP Session Control
Secret Storage
Access sharing
Reporting and Audits
Server PAM
Evolution of PAM
PAM 1.0 - Crawl
• Password vaulting
• SSH key rotation
• Video session recording
PAM 2.0 - Walk
• Rights management
• Time-based checkout
• Credential rotation
PAM 3.0 - Run
• SaaS PAM
• Adaptive authentication
• Automated auditing
Challenges
• Secrets management
• API/machine to API/machine authentication
• API keys in code
Hard Problems
User Fatigue
2FA = Friction
• Entering 8 Digit Codes
• Carrying hardware
• One-time passwords
• Multiple IDs
Strategies
Command Filtering
SSH Key Management
Session Recording
URL Filtering
Action Filtering
View Filtering
Solution Features
Layer on top of existing services
Dynamic Privilege Management
SSO, NAC, CASB
Deployment
Happy Users
2FA ≠ Friction
Air-Signature
Touch ID
Proximity
Geo Fencing
ACTIVE AUTHENTICATION
CAN HELP
▸ Concept of least privilege
▸ Risk score everything
▸ Every command is analyzed
▸ Learn, Match, Act, Update
WHAT TO LOOK FOR AND WHAT TO DO
COMMANDS BEING RUN: Usually never runs visudo or touches /etc/shadow – high risk
CONNECTION STATISTICS: Where are you connecting from, time, # of connections
EVERY COMMAND IS ANALYZED: Risk score every command: White, Grey, Black
TAKE ACTION: Invisible 2FA for Grey, physical 2FA for Black
TOOLS: Apache Spark, Pykit Sci, SSH proxies
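The Learn, Match, Act, Update loop on the previous slides, as an added example that is not Onion ID's code. It keeps a per-user baseline of commands, source addresses and login hours, scores each new SSH command White, Grey or Black, and maps the bucket to the action the slide names; the rule set, thresholds and sample events are my own constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Commands the deck calls high risk for a user who usually never runs them (assumed list).
HIGH_RISK_PATTERNS = [r"\bvisudo\b", r"/etc/shadow"]

# Act per bucket, as on the slide: invisible 2FA for Grey, physical 2FA for Black.
ACTION = {"white": "allow", "grey": "invisible-2fa", "black": "physical-2fa"}


class CommandRiskScorer:
    """Learn -> Match -> Act -> Update over a stream of SSH commands."""

    def __init__(self):
        self.commands = defaultdict(Counter)  # user -> how often each argv[0] was seen
        self.sources = defaultdict(set)       # user -> source IPs seen
        self.hours = defaultdict(set)         # user -> hours of day seen

    @staticmethod
    def _binary(command):
        return (command.split() or [""])[0]

    def learn(self, user, command, src_ip, hour):
        """Update step: fold an accepted event into the user's baseline."""
        self.commands[user][self._binary(command)] += 1
        self.sources[user].add(src_ip)
        self.hours[user].add(hour)

    def match(self, user, command, src_ip, hour):
        """Score one command as white, grey or black against the baseline."""
        if any(re.search(p, command) for p in HIGH_RISK_PATTERNS):
            return "black"  # sensitive command: straight to the Black bucket
        signals = 0
        signals += self.commands[user][self._binary(command)] == 0  # never ran this binary
        signals += src_ip not in self.sources[user]                 # new source address
        signals += hour not in self.hours[user]                     # unusual time of day
        return "white" if signals == 0 else "grey" if signals == 1 else "black"

    def act(self, user, command, src_ip, hour, second_factor_ok=True):
        """Return (bucket, action, allowed); successful events become baseline."""
        bucket = self.match(user, command, src_ip, hour)
        action = ACTION[bucket]
        allowed = action == "allow" or second_factor_ok
        if allowed:
            self.learn(user, command, src_ip, hour)
        return bucket, action, allowed


def demo():
    """Constructed sample stream: a routine baseline, then three probes."""
    s = CommandRiskScorer()
    for cmd in ["ls -la /var/www", "tail -f /var/log/nginx/access.log", "git pull"]:
        s.learn("alice", cmd, "10.0.0.12", 10)
    return [
        s.act("alice", "git pull", "10.0.0.12", 10),                # known: white
        s.act("alice", "systemctl restart nginx", "10.0.0.12", 10), # new binary: grey
        s.act("alice", "cat /etc/shadow", "203.0.113.7", 3, second_factor_ok=False),
    ]
```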
OSS Tools and Plumbing
▸ Scikit Py, Weka
▸ Apache Kafka
▸ Apache Spark
▸ Twilio
▸ Nodejs
▸ Try SVM, Ladtree, Stumps
Register Servers
Dynamic DNS
Change Keys
OSS Tools and Plumbing
Conclusion
2FA on Apps and Servers
SaaS PAM
SSH, RDP Session Control
Secret Storage
Access sharing
Reporting and Audits
Server PAM
PAM is important.
You can build your own system with OSS.
Many compliance workflows will benefit from PAM.
Challenges exist, but, solutions exist too.
THANK YOU! www.onionid.com [email protected] +1-951-231-0557
https://www.linkedin.com/in/anirbanbanerjeephd
HIPAA
▸ (1) Integrity of ePHI Data—45 CFR 164.312(c)(1), (2), & (e)(2)(i). Controls must be put in place to verify legitimate changes to ePHI data until it is safely destroyed.
▸ (2) Availability of ePHI Data—45 CFR 164.308(a)(7)(ii). There need to be documented policies and procedures about making available copies of ePHI data. There must also be a way to recover information after a loss.
▸ (3) Authentication to ePHI Data Systems—45 CFR 164.312(d). There must be a way to verify the identity of a person attempting to gain access to any system containing or handling ePHI data.
▸ (4) Access Control in ePHI Data Systems—45 CFR 164.312(a)(1), (2), & (3). There needs to be a procedure in place so that inactive sessions are killed off, every user or device accessing ePHI data has a unique ID, and strict access control requirements are in place.
▸ (5) Audit of ePHI Data Systems—45 CFR 164.308(a)(5)(ii)(c) & 164.312(b). Controls need to be in place to not only monitor and report but also to audit access rights and actions taken when any device or person accesses ePHI data.
FFIEC
▸ (a) Conduct regular audits to review the access and permission levels to critical systems for employees and contractors. Implement least privileges access policies across the entire enterprise. In particular, do not allow users to have local administrator rights on workstations.
▸ (b) Change default password and settings for system-based credentials.
▸ (c) Prevent unpatched systems, such as home computers and personal mobile devices, from connecting to internal-facing systems.
▸ (d) Implement monitoring controls to detect unauthorized devices connected to internal networks.
▸ (e) Use secure connections when remotely accessing systems and services (e.g., virtual private networks).
PCI DSS 3.2
▸ (1) Layer low-friction 2FA techniques like geofencing, geoproximity and fingerprint sensing instead of 6/8-digit code based logins. The lower the friction of verifying your identity, the better adoption you will see.
▸ (2) Install command introspection mechanisms to prevent misuse of server-level employee accounts. This ensures that even when an account is compromised it cannot be misused.
▸ (3) Have automated audit mechanisms in place to see who has accessed data. Implement 2FA for authorization, not just authentication - follow a layered approach to security, not an M&M one.
▸ (4) Discover from your AD or LDAP who the group leaders are and what applications people are accessing. You can also choose to parse SIEM logs or analyze access patterns directly from the servers.
▸ (5) Implement a way of layering 2FA on apps that do not support 2FA. You can look at commercial products that can help, or build hooks into your forward web proxy or CASB solution using their APIs. Tying these APIs to a Twilio type of service will make implementation easier.
ISO 27001
▸ 7.1.1 - Inventory of assets
▸ 7.1.2 - Ownership of assets
▸ 7.1.3 - Acceptable use of assets
▸ 10.1.2 - Change management
▸ 10.1.3 - Segregation of duties
▸ 10.3.1 - Capacity management
▸ 10.10.1 - Audit logging
▸ 10.10.2 - Monitoring system use
▸ Additionally - 11.1.1, 11.2.4, 11.6.1, 13.1.1, 13.2.3, 15.1.4, 15.1.5, 15.2.1
CIS/CSC
▸ 5. Controlled use of administrative privileges - A PAM solution can tightly control what privileges are present for any account not only on servers but also on any 3rd party SaaS service.
▸ 6. Maintenance, Monitoring and Analysis of Logs - A PAM solution can feed in event information in syslog, JSON formats to a SIEM endpoint for analysis.
▸ 9. Limitation and control of network ports and services - A PAM solution can make sure that certain accounts cannot use protocols like SSH over certain IP ranges and ports.
▸ 10. Data recovery capability - A PAM solution allows for delegation of access when an employee is fired, so that no data is lost when the former employee's access is removed.
▸ 11. Secure configurations for network devices like firewalls and routers - A PAM solution can ensure that only certain updates or patches can be applied to critical equipment managing the network. This can be achieved via command introspection.
▸ 14. Controlled access based on the need to know - A PAM solution is purpose-built to solve this pain point. With most PAM solutions you should be able to choose who accesses what and what they can do with that access.
▸ 16. Account monitoring and control - same as above.
▸ 19. Incident response and management - PAM solutions are often tied into the dashboards that IR teams use. It's important for a PAM solution to export data in real time so that the team can use it for IR. This is already available in a few PAM solutions.