Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer [email protected]


Page 1: Privilege Security & Next-Generation Technology · •PAM & Privilege Security Maturity o Privileged Access Management o Privilege Security Maturity Model •How BeyondTrust Helps

Privilege Security &

Next-Generation

Technology

Morey J. Haber

Chief Technology Officer

[email protected]

Page 2

Agenda

• The Next-Gen Threat Landscape

o Infonomics, Breaches & the Attack Chain

o Securing Cloud, DevOps & IoT

o Privilege Security Threats

• PAM & Privilege Security Maturity

o Privileged Access Management

o Privilege Security Maturity Model

• How BeyondTrust Helps

Page 3

The Next-Gen Threat Landscape

Page 4


Infonomics

"Infonomics is the theory, study, and discipline of asserting economic significance to information. It provides the framework for businesses to monetize, manage, and measure information as an actual asset. … Infonomics endeavors to apply both economic and asset management principles and practices to the valuation, handling, and deployment of information assets."

- Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage by Douglas B. Laney

Page 5

Notable Breaches

Breach patterns:

• Credentials hacked
• Unpatched software exploited; amplified by excessive privileges
• Credentials stolen

• 80% of security breaches involve privileged credentials (Forrester Wave: Privileged Identity Management, Q3 2016)
• 28% of breaches involve insiders, and growing (2018 Verizon Data Breach Investigations Report)
• 95% of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights (2018 Microsoft Vulnerabilities Report)

Page 6

The Cyber Attack Chain

1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry (enabled by vulnerable systems)
2. Privilege Hijacking & Escalation: … hijacks privileges or leverages stolen/cracked passwords (enabled by unmanaged credentials and excessive privileges)
3. Lateral Movement & Exfiltration: … and compromises other network resources (enabled by limited visibility)

Page 7

The New Enterprise

Evolving Infrastructure: Client-Server, WWW, Mobile, Cloud & IoT, DevOps / A2A / A2DB

Expanding Accounts: Internal Employees, Partners & Contractors, Remote Employees

More people, processes and technology have access to your systems and data than ever before.

Mainstream adoption:

• DevOps 60%
• Cloud 15%
• IoT 56%

Page 8

Attack Surface Evolution

More Privileged Accounts

• SaaS Admins
• Cloud Admins
• Application Admins
• Privileged End Users
• Developers
• Machine Passwords & Keys

DevOps

• DevOps Tools
• Dynamic Virtual Environments
• Containers
• Microservices

Cloud & Hybrid Cloud

• Cloud Management Platforms (AWS, Azure)
• Virtualized Environments (VMware, Microsoft)
• Virtual Machines (Unix, Linux, Windows)
• SaaS Apps (Facebook, LinkedIn, Custom)

Internet of Things

• Roaming workstations
• BYOD
• Cameras
• Sensors
• Printers
• More…

On-Premise

• Shared Administrator Accounts
• Desktops (Windows, Mac)
• Servers (Unix, Linux, Windows)
• Industrial Control Systems
• Security Infrastructure
• Network Infrastructure
• Applications & Application Servers
• Databases & Database Servers
• Machine Credentials (A to A)
• Hypervisors & Virtual Machines

Page 9

Cloud

Page 10

Secure Cloud Enablement

Secure cloud enablement requires a multidisciplinary strategy. Cloud security disciplines:

• Discover & inventory: Asset Management
• Scan for vulnerabilities: Vulnerability Management
• Ensure configuration compliance: Hardening and Best Practices
• Gain accountability over shared accounts: Password Management
• Eliminate hard-coded passwords: A2A Security
• Enforce appropriate credential usage: Privileged Management
• Restrict privileges: Least Privilege Management
• Segment networks: Network Design

Page 11

Secure Cloud Transformation

Into the cloud | In the cloud | From the cloud

• Cloud Management Platforms

• Shared Administrator Accounts

• Servers (Unix, Linux, Windows)

• Applications & Application Servers

• Databases & Database Servers

• Machine Credentials (A to A)

• Security & Network Infrastructure

• Hypervisors & Virtual Machines

• SaaS Applications

• DevOps Environments

• Containers & Micro Services

• IoT Devices

Virtual Machines, Dedicated Hardware | Marketplace Applications | IaaS, PaaS, & SaaS

The New Cloud Perimeter

Page 12

Privilege Management for the Cloud

Cloud-Agnostic Private, Public and Hybrid Environments

• License flexibility

• Asset inventory integration

• Docker and container aware

• Discover online & offline instances

• Leverage Hypervisor APIs

• Agent technologies

• Respects OS and application hardening

• Fully automated for passwords & API

• Auditing, reporting and change-aware

• Proxy access

• Session management

• Regulatory compliance

Page 13

DevOps

Page 14

DevOps Security Strategy

Secure DevOps rests on eight disciplines:

• Discover & inventory: Asset Management
• Gain accountability over shared accounts: Password Management
• Eliminate hard-coded passwords: A2A Security
• Restrict privileges: Least Privilege Management
• Scan for vulnerabilities: Vulnerability Management
• Ensure configuration compliance: Hardening and Security Best Practices
• Enforce appropriate credential usage: Privilege Management
• Segment networks: Network Design

Page 15

Privilege Automation for DevOps

• Only allow approved assets; identify unacceptable variations
• Identify security risks and automatically remediate them
• Ensure configuration hardening
• Eliminate all locations for hard-coded credentials
• Platform-agnostic, from cloud to on premise
• Limit all users, including privileged access, in the DevOps automated workflow
• Provide security and performance visibility to ensure security and automation success
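Eliminating hard-coded credentials starts with finding them in the repositories and pipeline configs that DevOps produces. The scanner below is an added example and not BeyondTrust code: it searches constructed sample files for credential patterns and skips values that are references to an environment variable or a secret store, which is what a hard-coded secret should be replaced with. The patterns, the placeholder rules and the sample files are assumptions made for this example; the AWS values are the documented AWS example credentials, not live keys.

```python
"""Scan source and config text for hard-coded credentials and tell them
apart from references to a secret store.

Added example, not BeyondTrust code. Patterns, the placeholder filter and
the sample files are constructed for illustration; the AWS key values are
the documented AWS example credentials, not live keys.
"""
import math
import re
from collections import Counter

# Credential classes; group 1 (when present) captures the secret value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r'''(?i)aws_secret_access_key\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})'''),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r'''(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?([^\s'"]{6,})'''),
}

# Values that are lookups or templates rather than secrets:
# ${VAR}, <placeholder>, os.environ[...] and vault:... references.
PLACEHOLDER = re.compile(
    r"^(?:\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>|os\.environ.*|vault:.*)$")

# Constructed sample repository contents.
SAMPLE_FILES = {
    "app/settings.py": 'DB_PASSWORD = "Sup3rS3cret!"\nAPI_TOKEN = os.environ["API_TOKEN"]\n',
    "config/app.ini": "password = ${DB_PASSWORD}\n"
                      "db_password = vault:secret/data/app#db_password\n",
    "deploy/ci.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
                     "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n",
}


def shannon_entropy(s):
    """Bits per character; a rough hint for whether a value is machine-generated."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path, text):
    """Return one finding dict per credential-looking value in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if PLACEHOLDER.match(value):
                continue  # a reference to a secret store, which is the desired state
            findings.append({"path": path, "line": line_no, "kind": kind,
                             "value": value, "entropy": round(shannon_entropy(value), 2)})
    return findings


def scan_files(files):
    """Scan a {path: text} mapping in path order."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['kind']} entropy={f['entropy']}")
```

Run as a pre-commit or pipeline step, the scanner fails the build on any finding; the `config/app.ini` file passes because both values resolve through the environment or a vault at runtime rather than sitting in the repository.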

Page 16

IoT / IIoT

Page 17

Privilege Management for IoT, IIoT, ICS, SCADA

• Zones: Internet, Public, Private, Air-Gapped
• Segmentation: Users, Servers, DMZ, Guest, Dumb Devices
• Device Type & Risk: IoT, IIoT, ICS, SCADA
• Communications and Restricted Lateral Movement
• Privileged Access

Page 18

The Privileged IoT Perspective

• IoT asset and inventory management

• Risk assessment with vulnerability management

• Password management and privileged session access

• Command line least privilege management

• Policy and script repository

Page 19

Privilege Security Threats

Page 20

Privilege Security Threats

Insider Threats

• Guessing
• Dictionary attacks
• Brute Force
• Pass the Hash
• Security questions
• Password resets

External Threats

• Vulnerabilities
• Misconfigurations
• Exploits
• Malware
• Social engineering
• MFA flaws

Hidden Threats

• Default credentials
• Anonymous
• Predictable
• Shared credentials
• Temporary
• Reused
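Guessing, dictionary and brute-force attacks all leave the same footprint, a run of failed authentications, and the event that matters most is a success that follows such a run. The detector below is an added example, not BeyondTrust code, written over constructed sshd log lines: it flags brute force (repeated failures for one account from one source), password spraying (failures across several accounts from one source) and success-after-failures. The thresholds, the five-minute window and the year (syslog omits it) are assumed values.

```python
"""Detect credential attacks in sshd auth logs: brute force against one
account, password spraying across accounts, and a success that follows a
run of failures.

Added example, not BeyondTrust code. The log lines are constructed;
thresholds, the 5-minute window and the year (absent from syslog
timestamps) are assumed values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: a brute force on root that succeeds, a spray
# across four accounts, and one benign typo followed by a login.
SAMPLE_LOG = """\
Sep 14 10:00:01 bastion sshd[2001]: Failed password for root from 203.0.113.9 port 51122 ssh2
Sep 14 10:00:09 bastion sshd[2002]: Failed password for root from 203.0.113.9 port 51123 ssh2
Sep 14 10:00:17 bastion sshd[2003]: Failed password for root from 203.0.113.9 port 51124 ssh2
Sep 14 10:00:25 bastion sshd[2004]: Failed password for root from 203.0.113.9 port 51125 ssh2
Sep 14 10:00:33 bastion sshd[2005]: Failed password for root from 203.0.113.9 port 51126 ssh2
Sep 14 10:00:41 bastion sshd[2006]: Failed password for root from 203.0.113.9 port 51127 ssh2
Sep 14 10:01:30 bastion sshd[2010]: Accepted password for root from 203.0.113.9 port 51140 ssh2
Sep 14 10:05:00 bastion sshd[2020]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Sep 14 10:05:04 bastion sshd[2021]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2
Sep 14 10:05:08 bastion sshd[2022]: Failed password for carol from 198.51.100.7 port 40003 ssh2
Sep 14 10:05:12 bastion sshd[2023]: Failed password for dave from 198.51.100.7 port 40004 ssh2
Sep 14 11:00:00 bastion sshd[2030]: Failed password for alice from 192.0.2.5 port 50001 ssh2
Sep 14 11:00:10 bastion sshd[2031]: Accepted password for alice from 192.0.2.5 port 50001 ssh2
Sep 14 11:00:11 bastion sshd[2031]: pam_unix(sshd:session): session opened for user alice
""".splitlines()


def parse(line, year=2018):
    """Return an event dict for password auth lines, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "result": m["result"], "user": m["user"], "ip": m["ip"],
    }


def detect(lines, window=timedelta(minutes=5), bf_threshold=5,
           spray_threshold=3, success_threshold=3):
    """Return (kind, ip, user, iso_timestamp) alerts in time order."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> [(ts, user)] for failures inside the window
    alerts = []
    for e in events:
        ip, user, ts = e["ip"], e["user"], e["ts"]
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        failures[ip] = recent  # drop failures that aged out of the window
        if e["result"] == "Failed":
            recent.append((ts, user))
            # == fires once, when the count crosses the threshold
            if sum(1 for _, u in recent if u == user) == bf_threshold:
                alerts.append(("brute_force", ip, user, ts.isoformat()))
            if len({u for _, u in recent}) == spray_threshold:
                alerts.append(("password_spray", ip, None, ts.isoformat()))
        elif len(recent) >= success_threshold:
            alerts.append(("success_after_failures", ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts} {kind:24} src={ip} user={user}")
```

The single failed login from 192.0.2.5 produces nothing, which is the point of the window and thresholds: a detector that pages on every typo is switched off within a week. Pass-the-hash does not show up here at all, since no password is tried; that needs Windows logon telemetry (logon type and authentication package) rather than sshd logs.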

Page 21

Accountability for Privileges

• Privileged account discovery

• Develop permissions model

• Rotate passwords and keys

• Workflow process and auditing

• Define session monitoring

• Segmentation

• User behavior analysis
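The first three items, discovery, a permissions model and rotation, can be checked on a single Linux host from its account files. The script below is an added example, not BeyondTrust code: it builds the privileged-account inventory from constructed /etc/passwd, /etc/shadow, /etc/group and /etc/sudoers contents (UID 0 accounts, direct sudoers entries, members of sudo-enabled groups), then flags extra UID 0 accounts, passwordless accounts, NOPASSWD rules and passwords older than an assumed 90-day rotation policy, measured against an assumed audit date.

```python
"""Privileged account discovery and credential-hygiene checks for one
Linux host, built from its account files.

Added example, not BeyondTrust code. The passwd/shadow/group/sudoers
contents are constructed sample data; the audit date and the 90-day
rotation limit are assumptions.
"""
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:root alias:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backup:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
# shadow(5): name:hash:last-change (days since epoch):min:max:warn:inactive:expire:
SHADOW = """\
root:$6$salt$hash:17600:0:99999:7:::
toor::17000:0:99999:7:::
alice:$6$salt$hash:17750:0:99999:7:::
bob:!:17500:0:99999:7:::
svc-backup:$6$salt$hash:16500:0:99999:7:::
www-data:*:17000:0:99999:7:::
"""
GROUP = """\
wheel:x:10:alice
sudo:x:27:bob
"""
SUDOERS = """\
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
TODAY = (date(2018, 9, 14) - date(1970, 1, 1)).days  # assumed audit date
SUDOERS_SKIP = ("#", "Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines() if line and not line.startswith("#")]


def sudo_principals(sudoers):
    """Map each user (name) or group (%name) principal to whether it has a NOPASSWD rule."""
    rules = {}
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith(SUDOERS_SKIP):
            continue
        principal = line.split()[0]
        rules[principal] = rules.get(principal, False) or "NOPASSWD:" in line
    return rules


def audit(passwd, shadow, group, sudoers, today, max_age=90):
    """Return {account: {via, password, age_days, issues}} for privileged accounts only."""
    shadow_by_user = {f[0]: f for f in parse_colon_file(shadow)}
    gid_to_name, members = {}, {}
    for name, _, gid, mem in parse_colon_file(group):
        gid_to_name[gid] = name
        members[name] = set(filter(None, mem.split(",")))
    rules = sudo_principals(sudoers)
    report = {}
    for name, _, uid, gid, *_ in parse_colon_file(passwd):
        groups = {g for g, m in members.items() if name in m}
        if gid in gid_to_name:
            groups.add(gid_to_name[gid])  # primary group counts too
        via = []
        if uid == "0":
            via.append("uid 0")
        if name in rules:
            via.append("sudoers entry")
        via += [f"group {g}" for g in sorted(groups) if f"%{g}" in rules]
        if not via:
            continue  # not privileged: out of scope for this report
        entry = shadow_by_user.get(name, [name, "?", ""])
        pw, last = entry[1], entry[2]
        state = "no password set" if pw == "" else "locked" if pw[0] in "!*" else "set"
        age_days = today - int(last) if last else None
        issues = []
        if uid == "0" and name != "root":
            issues.append("additional UID 0 account")
        if state == "no password set":
            issues.append("no password set")
        elif state == "set" and age_days is not None and age_days > max_age:
            issues.append(f"password older than {max_age} days")
        if any(rules.get(p) for p in [name] + [f"%{g}" for g in groups]):
            issues.append("NOPASSWD sudo rule")
        report[name] = {"via": via, "password": state, "age_days": age_days, "issues": issues}
    return report


if __name__ == "__main__":
    for name, info in audit(PASSWD, SHADOW, GROUP, SUDOERS, TODAY).items():
        print(f"{name:12} via={info['via']} password={info['password']} "
              f"age={info['age_days']} issues={info['issues']}")
```

Running this across a fleet gives the discovery baseline the slide asks for; the `via` field is the start of the permissions model (who is privileged and why), and the age check is the rotation control. It reads files rather than live state, so sudoers `#include` directories and LDAP-sourced groups are not covered; for those, collect `sudo -l -U name` and `getent group` output instead.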

Page 22

Privileged Access Management &

Privilege Security Maturity

Page 23

Privileged Access Management

• Provides an integrated approach to enterprise password management
• Enforces least privilege on all endpoints without compromising productivity or security
• Ensures administrator and root compliance on Unix, Linux, Windows and Mac
• Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
• Achieves unified visibility over accounts, applications, and assets that they protect

Privileged Access Management pillars: Enterprise Password Management, Privilege Management, Session Management, Advanced Reporting & Analytics, User Behavior Monitoring, Active Directory Bridging

Page 24

The Journey to Privilege-Centric Security

Maturity grows over time through three stages:

1. Identify & Inventory
2. Improve Accountability & Control over Shared Credentials
3. Eliminate Excessive Privileges & Gain Granular Command and Task-Level Control

Capabilities along the journey, in the order they appear on the chart: account discovery; asset discovery & vulnerability scanning; password/key storage & rotation; session management; session recording & monitoring; server least privilege / command elevation & delegation; endpoint least privilege / command elevation & delegation; FIM, system-level control; A2A & A2DB; FIM, VBAM, event log monitoring

Spanning all stages: unified management, reporting & threat analytics; IT ecosystem integration; new enterprise deployment (cloud, DevOps, network/IoT/ICS/SCADA)

Page 25

About BeyondTrust

Page 26

Privilege-Centric Security for the New Enterprise

• Identity-Focused: not network focused
• Centralized & Modular: integrates with best-of-breed solutions
• Future-Ready: built for next-gen IT environments
• Dynamic: locations, teams, contexts
• Risk-Based: accounts for user & asset risk

Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise.

Page 27

PowerBroker Privileged Access Management Platform (On-Premise, Cloud, Hybrid)

Infrastructure: Password & Session Management

• Secure credentials with Privileged Identity and manage sessions with Privileged Access
• Gain accountability over shared accounts
• Eliminate hard-coded passwords
• Monitor privileged sessions and user behavior
• Enforce appropriate credential usage

Endpoints: Privilege Management

• Eliminate Admin\root rights
• Enforce Application & command control
• Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate
• Enforce appropriate use
• Risk based privilege decisions

Secure Remote Access

• Empower and protect your service desk with the most secure Remote Support software

Page 28

Innovation Leader

30+ years of firsts

• 1st fully-integrated PAM and VM platform

• 1st to provide vulnerability insights to inform privilege decisions

• 1st PAM vendor on all major cloud marketplaces

• 1st Unix/Linux, Mac and network device PAM solution

Strong roadmap

• Active threat response

• Context-aware PAM

• SaaS-based PAM platform

• DevOps secrets

management

Patented technology

• 7 patents granted

• 10 pending


Page 29

PAM Industry Leader

• Leader: Forrester PIM Wave, 2016
• Leader: Gartner Market Guide for PAM, 2017

(Figure: Table 1. PASM Vendors and Their Key Capabilities)

Page 30

Morey J. Haber

• 20+ years security experience
• Articles on Secure World, Dark Reading, CSO Online, etc.
• Author of "Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations" & "Asset Attack Vectors" (covering Vulnerability Management), both available from Apress Media

Page 31

Questions?

Morey J. Haber

Chief Technology Officer

[email protected]