TRANSCRIPT
Privilege Security &
Next-Generation
Technology
Morey J. Haber
Chief Technology Officer
Agenda
• The Next-Gen Threat Landscape
o Infonomics, Breaches & the Attack Chain
o Securing Cloud, DevOps & IoT
o Privilege Security Threats
• PAM & Privilege Security Maturity
o Privileged Access Management
o Privilege Security Maturity Model
• How BeyondTrust Helps
The Next-Gen Threat Landscape
Innovation Leader
30+ years of firsts
• 1st fully-integrated PAM and VM platform
• 1st to provide vulnerability insights to inform privilege decisions
• 1st PAM vendor on all major cloud marketplaces
• 1st Unix/Linux, Mac and network device PAM solution
Strong roadmap
• Active threat response
• Context-aware PAM
• SaaS-based PAM platform
• DevOps secrets management
Patented technology
• 7 patents granted
• 10 pending
Infonomics
"Infonomics is the theory, study, and discipline of asserting
economic significance to information. It provides the
framework for businesses to monetize, manage, and
measure information as an actual asset.
… Infonomics endeavors to apply both economic and asset
management principles and practices to the valuation,
handling, and deployment of information assets."
- Infonomics: How to Monetize, Manage, and Measure Information as an
Asset for Competitive Advantage by Douglas B. Laney
Notable Breaches
(Breach logos lost in extraction; the root causes shown were: credentials hacked; unpatched software exploited, amplified by excessive privileges; credentials stolen.)
80% of security breaches involve privileged credentials
- Forrester Wave: Privileged Identity Management, Q3 2016
28% of breaches involve insiders (and growing)
- 2018 Verizon Data Breach Investigations Report
95% of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights
- 2018 Microsoft Vulnerabilities Report
The Cyber Attack Chain
1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry
2. Privilege Hijacking & Escalation: ... hijacks privileges or leverages stolen/cracked passwords
3. Lateral Movement & Exfiltration: ... and compromises other network resources
(Weaknesses labelled on the diagram: vulnerable systems; unmanaged credentials and excessive privileges; limited visibility)
The New Enterprise
(Diagram labels: Internal Employees, Client-Server, Partners & Contractors, WWW, Mobile, Cloud & IoT, Remote Employees, DevOps / A2A / A2DB)
Evolving Infrastructure
Expanding Accounts
More people, processes and technology have access to your systems and data than ever before.
Mainstream adoption: DevOps 60%, Cloud 15%, IoT 56%
More Privileged Accounts
SaaS Admins
Cloud Admins
Application Admins
Privileged End Users
Developers
Machine Password & Keys
DevOps
DevOps Tools
Dynamic Virtual Environments
Containers
Microservices
Cloud & Hybrid Cloud
Cloud Management Platforms (AWS, Azure)
Virtualized Environments (VMware, MSFT)
Virtualized Machines (UNIX, Linux, Windows)
SaaS Apps (Facebook, LinkedIn, Custom)
Attack Surface Evolution
Internet of Things
Roaming workstations
BYOD
Cameras
Sensors
Printers
More…
On-Premise
• Shared Administrator Accounts
• Desktops (Windows, Mac)
• Servers (Unix, Linux, Windows)
• Industrial Control Systems
• Security Infrastructure
• Network Infrastructure
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (A2A)
• Hypervisors & Virtual Machines
Cloud
Secure Cloud Enablement
(Diagram) Controls: discover & inventory; scan for vulnerabilities; ensure configuration compliance; gain accountability over shared accounts; eliminate hard-coded passwords; enforce appropriate credential usage; restrict privileges; segment networks
(Diagram) Disciplines that deliver them: asset management; vulnerability management; hardening and best practices; password management; A2A security; privileged management; least privilege management; network design
Cloud Security
Secure cloud enablement requires a multidisciplinary strategy!
Into the cloud | In the cloud | From the cloud
Secure Cloud Transformation
• Cloud Management Platforms
• Shared Administrator Accounts
• Servers (Unix, Linux, Windows)
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (A to A)
• Security & Network Infrastructure
• Hypervisors & Virtual Machines
• SaaS Applications
• DevOps Environments
• Containers & Micro Services
• IoT Devices
Virtual Machines, Dedicated Hardware | Marketplace Applications | IaaS, PaaS, & SaaS
The New Cloud Perimeter
Privilege Management for the Cloud
Cloud-Agnostic Private, Public and Hybrid Environments
• License flexibility
• Asset inventory integration
• Docker and container aware
• Discover online & offline instances
• Leverage Hypervisor APIs
• Agent technologies
• Respects OS and application hardening
• Fully automated for passwords & API
• Auditing, reporting and change-aware
• Proxy access
• Session management
• Regulatory compliance
DevOps
DevOps Security Strategy
(Diagram) Controls: discover & inventory; gain accountability over shared accounts; eliminate hard-coded passwords; restrict privileges; scan for vulnerabilities; ensure configuration compliance; enforce appropriate credential usage; segment networks
(Diagram) Secure DevOps disciplines: asset management; password management; privilege management; hardening and security best practices; vulnerability management; A2A security; least privilege management; network design
Privilege Automation for DevOps
• Only allow approved assets; identify unacceptable variations
• Identify security risks and automatically remediate them
• Ensure configuration hardening
• Eliminate all locations for hard-coded credentials
• Platform-agnostic, from cloud to on-premise
• Limit all users, including privileged access, in the DevOps automated workflow
• Provide security and performance visibility to ensure security and automation success
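Of the bullets above, "eliminate all locations for hard-coded credentials" is the one that can be checked mechanically in a pipeline. The following is an added example, not code from this page or from BeyondTrust, of a small scanner that walks a set of files and flags literal secrets while skipping values that are only references to an environment variable or secret store. The sample files are constructed here (the AWS key is the documented placeholder value), and REFERENCE_PREFIXES is an assumption about how secret references look in a given code base.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordered detectors: specific token formats first, generic "key = value" last.
DETECTORS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("credential_assignment",
     re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{4,})")),
]

# Assumed conventions for "this is a reference, not a secret" in the scanned code base.
REFERENCE_PREFIXES = ("$", "{{", "<", "os.environ", "os.getenv", "vault:", "secretsmanager:")

# Constructed sample files (not from the original page).
SAMPLE_FILES: Dict[str, str] = {
    "app/config.ini": (
        "[database]\n"
        "host = db.internal\n"
        "user = app\n"
        "password = Sup3rS3cret!\n"          # literal secret in a config file
    ),
    "deploy/ci.yml": (
        "env:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"        # AWS documentation placeholder key
        "  AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}\n"  # injected at run time: fine
        "  password: ${DB_PASSWORD}\n"                        # reference, not a secret
    ),
    "scripts/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "scripts/rotate.py": (
        "import os\n"
        "api_key = os.environ['VAULT_TOKEN']\n"   # pulled from the environment: fine
        "token = 'xoxb-not-a-real-token'\n"       # literal secret in source
    ),
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    preview: str  # redacted, so the report itself does not leak the secret


def is_reference(value: str) -> bool:
    """True when the value only points at a secret store or environment variable."""
    return value.startswith(REFERENCE_PREFIXES)


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "****"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in DETECTORS:
            match = pattern.search(line)
            if not match:
                continue
            value: Optional[str] = match.groupdict().get("value") or match.group(0)
            if not is_reference(value):
                findings.append(Finding(path, number, kind, redact(value)))
            break  # one verdict per line; a reference line is not re-checked
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.preview})")
```

In a pipeline this runs as a pre-commit hook or CI gate; the fix for each finding is to replace the literal with a reference the secret manager resolves at deploy time, which the scanner then accepts.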
IoT / IIoT
Privilege Management for IoT, IIoT, ICS, SCADA
(Diagram: zones - Internet, Public, Private, Air-Gapped; segmentation - Users, Servers, DMZ, Guest, Dumb Devices; device type & risk - IoT, IIoT, ICS, SCADA; communications and restricted lateral movement; privileged access)
The Privileged IoT Perspective
• IoT asset and inventory management
• Risk assessment with vulnerability management
• Password management and privileged session access
• Command line least privilege management
• Policy and script repository
Privilege Security Threats
Privilege Security Threats
• Guessing
• Dictionary attacks
• Brute Force
• Pass the Hash
• Security questions
• Password resets
• Vulnerabilities
• Misconfigurations
• Exploits
• Malware
• Social engineering
• MFA flaws
• Default credentials
• Anonymous
• Predictable
• Shared credentials
• Temporary
• Reused
Insider Threats External Threats Hidden Threats
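Guessing, dictionary and brute-force attacks, and the reuse of a stolen or cracked password, each leave a distinct trail in authentication logs. The block below is an added example (not from this page or from BeyondTrust) of a detector that separates three such patterns on constructed sshd log lines: a brute force against one account, a password spray across many accounts from one source, and a successful login from a source that had just failed repeatedly against that same account. The thresholds and the time window are assumptions chosen for the sample, not figures from the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample sshd lines in syslog format (not from the original page).
SAMPLE_LOG = """\
Mar 12 09:14:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 12 09:14:09 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51522 ssh2
Mar 12 09:14:17 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 12 09:14:25 bastion sshd[2203]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar 12 09:14:33 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51538 ssh2
Mar 12 09:14:41 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 51538 ssh2
Mar 12 09:14:50 bastion sshd[2207]: Accepted password for root from 203.0.113.7 port 51544 ssh2
Mar 12 09:20:00 bastion sshd[2310]: Failed password for admin from 198.51.100.23 port 40210 ssh2
Mar 12 09:20:05 bastion sshd[2311]: Failed password for invalid user oracle from 198.51.100.23 port 40212 ssh2
Mar 12 09:20:10 bastion sshd[2312]: Failed password for postgres from 198.51.100.23 port 40214 ssh2
Mar 12 09:20:15 bastion sshd[2313]: Failed password for invalid user backup from 198.51.100.23 port 40216 ssh2
Mar 12 09:20:20 bastion sshd[2314]: Failed password for deploy from 198.51.100.23 port 40218 ssh2
Mar 12 09:20:21 bastion sshd[2314]: Connection closed by 198.51.100.23 port 40218 [preauth]
Mar 12 09:30:02 bastion sshd[2400]: Failed password for alice from 192.0.2.10 port 50122 ssh2
Mar 12 09:30:10 bastion sshd[2401]: Accepted publickey for alice from 192.0.2.10 port 50124 ssh2
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


@dataclass
class Event:
    ts: datetime
    kind: str   # "failed" or "accepted"
    user: str
    ip: str


@dataclass
class Alert:
    kind: str
    ip: str
    user: Optional[str]
    count: int


def parse_log(lines: List[str]) -> List[Event]:
    """Keep only authentication outcomes; everything else (e.g. 'Connection closed') is ignored."""
    events: List[Event] = []
    for line in lines:
        for kind, pattern in (("failed", FAILED), ("accepted", ACCEPTED)):
            m = pattern.match(line)
            if m:
                # syslog has no year; strptime defaults to 1900, which is fine for intra-day windows
                ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
                events.append(Event(ts, kind, m.group("user"), m.group("ip")))
                break
    events.sort(key=lambda e: e.ts)
    return events


def detect(events: List[Event], fail_threshold: int = 5, spray_users: int = 4,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    alerts: List[Alert] = []
    fails_by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    fails_by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.kind == "failed":
            fails_by_pair[(e.ip, e.user)].append(e.ts)
            fails_by_ip[e.ip].append((e.ts, e.user))

    # Brute force / dictionary attack: many failures for one (source, account) inside the window.
    for (ip, user), times in fails_by_pair.items():
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                alerts.append(Alert("brute_force", ip, user, len(times)))
                break

    # Password spray: one source, few attempts each, against many distinct accounts.
    for ip, items in fails_by_ip.items():
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= spray_users:
                alerts.append(Alert("password_spray", ip, None, len(users)))
                break

    # Success after repeated failures on the same account: the password was likely guessed or cracked.
    for e in events:
        if e.kind == "accepted":
            prior = [t for t in fails_by_pair.get((e.ip, e.user), []) if t <= e.ts]
            if len(prior) >= fail_threshold:
                alerts.append(Alert("success_after_failures", e.ip, e.user, len(prior)))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG.splitlines())):
        print(a)
```

The single failure followed by a key-based login for alice produces nothing, which is the point of the thresholds: the detector should fire on the attack shapes, not on a user mistyping a password once.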
Accountability for Privileges
• Privileged account discovery
• Develop permissions model
• Rotate passwords and keys
• Workflow process and auditing
• Define session monitoring
• Segmentation
• User behavior analysis
Privileged Access Management &
Privilege Security Maturity
Privileged Access Management
• Provides an integrated approach to enterprise password management
• Enforces least privilege on all endpoints without compromising productivity or security
• Ensures administrator and root compliance on Unix, Linux, Windows and Mac
• Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
• Achieves unified visibility over accounts, applications, and assets that they protect
(Diagram) Privileged Access Management components: Enterprise Password Management; Privilege Management; Session Management; Advanced Reporting & Analytics; User Behavior Monitoring; Active Directory Bridging
(Diagram) Supporting capabilities: asset discovery & vulnerability scanning; FIM, system-level control; A2A & A2DB; FIM, VBAM, event log monitoring; session recording & monitoring
(Diagram) Layers: IT ecosystem integration; new enterprise deployment (cloud, DevOps, network/IoT/ICS/SCADA); unified management, reporting & threat analytics
The Journey to Privilege-Centric Security
(Chart: maturity increasing over time, in three stages)
1. IDENTIFY & INVENTORY: account discovery
2. IMPROVE ACCOUNTABILITY & CONTROL OVER SHARED CREDENTIALS: password/key storage & rotation; session management
3. ELIMINATE EXCESSIVE PRIVILEGES & GAIN GRANULAR COMMAND AND TASK-LEVEL CONTROL: endpoint least privilege / command elevation & delegation; server least privilege / command elevation & delegation
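The last stage of that journey, granular command-level control on servers, is where sudo delegations usually fall short: an "ALL" grant, an editor or pager that can escape to a shell, or a wildcard argument each hand back full root. The following is an added example (not code from this page or from BeyondTrust) of a checker that parses a constructed sudoers fragment and grades each command grant. It handles only the subset of the sudoers grammar shown here: single user or group specs, one host, an optional runas list, command tags, and comma-separated commands, with aliases, Defaults lines and host lists skipped rather than resolved. That restriction, and the list of shell-escape binaries, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample sudoers fragment (not from the original page).
SAMPLE_SUDOERS = """\
# deliberately mixed: broad, escapable, wildcarded and well-scoped grants
Defaults    env_reset
Cmnd_Alias  SERVICES = /usr/bin/systemctl restart app, /usr/bin/systemctl status app
%devs       ALL=(ALL) NOPASSWD: ALL
ops         ALL=(root) /usr/bin/vim /etc/app/*, /bin/bash
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup      ALL=(root) /usr/bin/rsync -a /srv/data/ backup@vault:/srv/, /usr/bin/tar *
auditor     ALL=(root) /usr/bin/journalctl -u app
"""

# user/group  host=(runas) [TAG: ]command, [TAG: ]command ...
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Assumed list: programs that can spawn an interactive shell (":!sh", "!sh", -exec, etc.).
ESCAPE_BINARIES = {"sh", "bash", "dash", "zsh", "ksh", "su", "vi", "vim", "nano",
                   "less", "more", "man", "find", "awk", "perl", "python", "python3"}


@dataclass
class Grant:
    who: str
    host: str
    runas: str
    command: str
    nopasswd: bool


@dataclass
class Finding:
    who: str
    command: str
    severity: str          # "high" or "medium"
    reasons: List[str] = field(default_factory=list)


def parse_sudoers(text: str) -> List[Grant]:
    grants: List[Grant] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue  # aliases and Defaults are not resolved in this simplified parser
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"   # sudoers defaults runas to root
        nopasswd = False                      # tags persist across later commands in the same rule
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (tag := TAG.match(item)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
            grants.append(Grant(m.group("who"), m.group("host"), runas, item, nopasswd))
    return grants


def assess(grants: List[Grant]) -> List[Finding]:
    findings: List[Finding] = []
    for g in grants:
        argv = g.command.split()
        if not argv:
            continue
        reasons, severity = [], None
        if g.command == "ALL":
            reasons.append("any command (ALL)")
            severity = "high"
        else:
            binary = argv[0].rsplit("/", 1)[-1]
            if binary in ESCAPE_BINARIES:
                reasons.append(f"{binary} can spawn a shell")
                severity = "high"
            if any("*" in a for a in argv[1:]):
                reasons.append("wildcard argument")
                severity = severity or "medium"
        if severity:
            if g.nopasswd:
                reasons.append("NOPASSWD")
            findings.append(Finding(g.who, g.command, severity, reasons))
    return findings


if __name__ == "__main__":
    for f in assess(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f.severity:6} {f.who:8} {f.command!r}: {', '.join(f.reasons)}")
```

The deploy and auditor grants pass because they name one binary with fixed arguments, which is the shape command-level delegation should have; the others are the grants a least-privilege program would replace with specific commands or with a managed elevation policy.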
About BeyondTrust
Privilege-Centric Security for the New Enterprise
• Identity-Focused: not network focused
• Centralized & Modular: integrates w/ best-of-breed solutions
• Future-Ready: built for next-gen IT environments
• Dynamic: locations, teams, contexts
• Risk-Based: accounts for user & asset risk
Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise.
(Diagram) Product areas: Infrastructure; Endpoints; Secure Remote Access
Secure credentials with Privileged Identity and manage sessions with Privileged Access. Empower and protect your service desk with the most secure Remote Support software.
Password & Session Management
• Gain accountability over shared accounts
• Eliminate hard-coded passwords
• Monitor privileged sessions and user behavior
• Enforce appropriate credential usage
Privilege Management
• Eliminate Admin/root rights
• Enforce application & command control
• Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate
• Enforce appropriate use
• Risk based privilege decisions
PowerBroker Privileged Access Management Platform: On-Premise, Cloud, Hybrid
PAM Industry Leader
Leader: Forrester PIM Wave, 2016
Leader: Gartner Market Guide for PAM, 2017 (Table 1. PASM Vendors and Their Key Capabilities)
Morey J. Haber
• 20+ years security experience
• Articles on Secure World, Dark Reading, CSO Online, etc.
• Author of "Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations" & "Asset Attack Vectors" (covering Vulnerability Management) - both available from Apress Media