tech talk: defense in depth privileged access management for hybrid enterprises

World®’16

TechTalk:DefenseInDepthPrivilegedAccessManagementforHybridEnterprisesShawnW.Hank- Sr.PrincipalConsultant,Cybersecurity- CATechnologies

SCT39T

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation


Abstract

Withover80%ofsecuritybreachesestimatedtoinvolveprivilegedcredentials,protectingprivilegeduseraccesshasbecomeanecessarymeasurenotonlytosuccessfullydefendanorganizationfromabreach,butalsoinsatisfyingauditandcompliancedemands.

InthisTechTalk,you’lllearnhowthemilitaryprincipleofdefenseindepthsecuritycanbeappliedtoprivilegedaccessmanagement.Onethatusescomprehensiveandintegratedsecuritycountermeasurestoprotectthe‘keystothekingdom’– yourprivilegedusersandthecredentialstheyusetoaccessyourmissioncriticalsystemsandresources.

You’llalsolearnhowthepowerfulcombinationof‘zero-trust’network-basedandhost-basedsecurityacrosstheyourhybridITenterpriseenvironmentmakesitmoredifficultforthe‘enemy’toovercomealayeredprivilegedaccessmanagementdefensesystemthantopenetrateasolitarybarrier.

ShawnW.HankCATechnologiesSr.PrincipalConsultantCybersecurity


Agenda

INTHENEWS

ALITTLEHISTORY

CLOSINGSUMMARY&QUESTIONS

2016TRENDS

PRIVILEGEDUSERS&IDENTITIES

KILLCHAIN

1

2

3

4

5

6


SettingtheStage…

PrivilegedUsers

What’sthecommonthreadinmostifnotallbreaches?

28,070Numberofattacksthe

average UScompanyhadin2015

38%Increasein#of

securityincidentsfrom2014to2015

94%PercentageofCxOs

believingtheircompanywillexperienceabreachin

twoyears

Averagecostofadatabreach

$3.79M

3.9BNumberofrecordslost

since2013

EveryDay1,358,671

EveryHour56,611

EveryMinute943

EverySecond16

Datare

cordsw

erelostorstolenwith

thefollowingfre

quen

cy

Compromisedaccountsandcredentialsof….

YourOrganizationCan'tAffordaLarge-ScaleCyber-Attack

http://breachlevelindex.com/#sthash.RZhGQkVZ.dpbshttps://securityintelligence.com/cost-of-a-data-breach-2015/

http://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03074usen/SEL03074USEN.PDFhttp://www.vormetric.com/campaigns/datathreat/2016/

http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf


NotableSecurityandPrivacyIncidents

§ Yahoo– 2012- 500millionrecords(user)in,“statesponsoredattack.1

§ Dropbox– 2012- 68Millionuseraccountscompromised– Initialattackviaphishing,credentialtheft2

§ LinkedIn– 2012- Originallyreported6.5millionaccounts,recentlythenumberballooned

to167million.3

§ MySpace– 2013- Over360millionrecords(personaldata)4

§ Tumblr– 2013- 65millionaccounts.5

§ Weebly– 2016- 43millionrecords,stillunderinvestigation6

§ Mossack Fonseca– 2016- 2.6TBdataleakonpoliticians,criminals,athletes7

PrivilegedAccessaCommonThreadforHacktivism,Cybercrime,andEspionage

“Fordigitalbusinesses,privilegedidentity

managementbecomesbothincrediblyimportant

andchallenging.It’simportantbecauseone

administratorwithmaliciousintentorthetheftofadministratorcredentialscanhavea

disastrouseffectonyourcustomers,revenuesandlong-termreputation.”

- ForresterResearch

“CriticalQuestionsToAskYourPrivilegedIdentityManagementSolutionProvider",ForresterResearch,September9,2014.


World’sBiggestDataBreachesSelectedLossesGreaterThan30,000Records(Updated15th Oct2016)

Source:http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


EconomicLossesAreStaggering

NetLosses:EstimatingtheGlobalLossofCybercrime(IntelSecurity– June2014).Cybercrimeisagrowthindustry.Thereturnsaregreat,andtherisksarelow.Weestimatethattheannualcosttotheglobaleconomyfromcybercrimeismorethan$400billion.Aconservativeestimatewouldbe$375billioninlosses,whilethemaximumcouldbeasmuchas$575billion.Eventhesmallestofthesefiguresismorethanthenationalincomeofmostcountriesandgovernmentsandcompaniesunderestimatehowmuchrisktheyfacefromcybercrimeandhowquicklythisriskcangrow.

$400Billion

GlobalLossesfromCybercrime

$300Billion

GlobalDrugTraffickingRevenue

$300Billion

GDPofSingapore

$3TrillionGlobalEconomicImpactofCybercrimein10Years

- McKinsey,WorldEconomicForum


CybercrimewillcostBusinessesOver$2Trillion

by2019saysJuniperResearch1


KPMGCorroboratesBreachStats


Component CustomersthatReportedusingthisSecurityMeasure

BreachRate

Firewall 212 100%IDS/IPS 119 100%Webproxy 138 100%Networkanti-virus 75 100%EndpointAV 169 100%Otheranti-malware 33 100%

AsDoesFireEyeandMandiant

Over1,200trialdeploymentsand6monthsofdatashow:

Source:Mandiant/FireEye


2015to2016Trends


PIM&PAM– ANewSecurityImperative

14


Outsidervs.Insider:Doesitreallymatter?

§ YES!!!!!

§ Between2013and2015,differentsourcesstatethatonly3to10%ofallbreacheswereCAUSED byinsiders withmaliciousintent– This3to10%wasmostcausedbyTGYFBFTDHRA

§ Thatguy(orgal)youfired,butforgottodisablehis/herremoteaccess.1

§ However,32%ofallbreachesINVOLVED aninsider– Thosewhowereinadvertentactors

§ Note:IBMclaimsthat60%ofallattackswere“carriedoutbyinsiders.”2

– Didn’tbreakdownthedifferencebetweenthosewithmaliciousintentinadvertentactors).3


Outsidervs.Insider:Doesitreallymatter?

§ YES!!!!!

§ Between2013and2015,differentsourcesstatethatonly3to10%ofallbreacheswereCAUSED byinsiderswithmaliciousintent– This3to10%wasmostcausedbyTGYFBFTDHRA

§ Thatguy(orgal)youfired,butforgottodisablehis/herremoteaccess.1

§ However,32%ofallbreachesINVOLVED aninsider– Thosewhowereinadvertentactors

§ Note:IBMclaimsthat60%ofallattackswere“carriedoutbyinsiders.”2

– Didn’tbreakdownthedifferencebetweenthosewithmaliciousintentinadvertentactors).3


2016Trends– Breachesvs.Identities

0

50

100

150

200

250

300

350

2013 2014 2015

Total#ofBreaches

Total#ofBreaches

0

100

200

300

400

500

600

2013 2014 2015

TotalIdentitiesExposed(inMillions)

TotalIdentitiesExposed(inMillions)

Source:SymantecInternetSecurityThreatReport2016


2016Trends– ExposedIdentitiesperBreach

0

0.5

1

1.5

2

2.5

2013 2014 2015

Avg.IdentitiesExposedperBreach(inMillions)

Avg.IdentitiesExposedperBreach(inMillions)

01,0002,0003,0004,0005,0006,0007,0008,000

2013 2014 2015

MedianIdentitiesExposedperBreach

MedianIdentitiesExposedperBreach



2016Trends– VulnerabilitiesandMalware

0

10

20

30

40

50

60

2012 2013 2014 2015

#ofZeroDayVulnerabilities

#ofZeroDayVulnerabilities

050100150200250300350400450500

2014 2015

NewMalware

NewMalware(andVariants)



2016Trends– DaystoDiscoveryandAttackMethod

050100150200250300350400450

2012 2014 2015

DaystoBreachDiscovery

DaystoBreachDiscovery Topfivedatavarietiesbreachedbyphishingattacks,(n=905)

Source:2016VerizonDBIR


PrivilegedUsersandIdentities


WhoArePrivilegedUsers?

PonemonInstitute,June2014


WhatArePrivilegedIdentities?

§ Notidentities,perse;morelike(default)accountnamesandpermissions:– root,oradba,sys,system,scott,dbsnmp,sysadmin,SA,sapadmin,cisco

enable,Windowslocaladmin,namedadminaccounts– SaaS/IaaS/PaaSadminaccounts:rootaccount,superAdmin,federated

administrator– BladeLogicRSCD,bladmin,bladelogic,BLAdmin,RBACAdmin– apache,admin(Tomcat,Jboss,etc.)


CAAdvancedAuthentication


ContextualAuthentication

CARiskAuthentication™

Whereistheuser?

Whatistheusertryingtodo?

Istheactionconsistentwith

history?

Whatdeviceisbeingused?

CAAdvancedAuthenticationTwoBest-Of-BreedCapabilitiesinOneSolution

VersatileAuthentication

CAStrongAuthentication™

CAAuthID

Q&A OATHTokens

OTP–OutofBand

CAMobileOTP


WhatifYouCould…

InitiateStep-UpAuthenticationTransparentlyCollectData AnalyzethisDatato

AssessRisk


WelcometoCARiskAuthentication

RISKDATAAttributes

Whereistheuser? Whatdeviceisbeingused?

Whatistheusertryingtodo?

Istheactionconsistentwithhistory?

§ Isthelocationinherentlysuspect?

§ Havetheybeentherebefore?

§ Whereweretheyrecently?

LOCATION§ Whatkindofdeviceisit?

§ Havetheyuseditbefore?

§ Hasitchangedsincetheylastusedit?

DEVICEDNA§ Isthisatypicalactionfortheuser?

§ Istheactioninherentlyrisky?

§ Havetheytakensimilaractionsbefore?

BEHAVIOR§ Isthisanormaltimeofdayforthem?

§ Istheirfrequencyofloginabnormal?

§ Istheircurrentactionconsistentwithprioractions?

HISTORY


AndLet’sRememberMobile

§ Authenticationisdifferent

§ Appdevelopershaveachoice– Trustthedeviceunlockingmechanism(e.g.,TouchID)– Supplementdevicesecuritywithapplogin

§ Ifauthenticationisbuiltintoapp…– Doyoupromptforcredentialseverytimeappis

opened(notuser-friendly)– Ordoyousavecredentialsondevice(notverysecure)


RiskAnalytics– Whyit’sCool

§ Effectiveanalyticstechniqueideallysuitedforcustomerswhereroutinefraudmarkingisnotavailable

§ Approachisbasedonassessingwhetherbehaviorisnormalorabnormal

§ Learnsquickly,startsactiveassessmentupondeployment

§ Noconfigurationortraining- adaptstotheuserpopulation


CAIdentitySuite


SimplifyWorkforceExperienceSeamlessSingleSign-OntoHundredsofCloudApplications

§ Richpredefinedintegrationstopopularcloudapplications

§ SAMLconnectorenablesSSOtohundredsofapplications

§ Two-factorauthenticationsupplementsstrongpasswordlogintotheLaunchpad

§ Self-servicepasswordmanagementandforgottenpasswordrecovery


ControlandManageCloudIdentitySprawlEnableRule-BasedProvisioningandIdentityLifecycleAutomation

§ Rule-basedprovisioning,de-provisioningandentitlementassignment

§ Automatedidentitylifecyclemanagementaspeoplejoin,moveorleave

§ ExtensibleandAPIdrivenidentitylifecyclemanagement


SimplifyWorkforceExperienceRapidTime-To-ValueinBridgingWithCASingleSign-On

§ PredefinedintegrationwithCASingleSign-On

§ FewclickstoimportexistingCASSOprotectedresources

§ ExistingCASSOpoliciesdynamicallyevaluatedtodeterminewhogetsaccess

§ OptiontoenableCASSOastheidentityprovider


SingleSign-on

Authentication(SaaS-firstmodel) CAIdentity

Service

Userprovisioning&deprovisioning

SingleSign-onRogueandorphanaccountdetectionandremediation

CASingleSign-On

On-premisesapps

SaaSApps

Peoplesource(optional)

Authentication(Hybridmodel)

SingleSign-on

SaaS-FirstandHybridDeploymentModelsLeverageExistingOn-PremisesIAMInvestments


CA PrivilegedAccessManager(CAPAM)


CAPrivilegedAccessManagerPrivilegedAccountManagementfortheHybridEnterprise

HYBRIDENTERPRISETraditionalDataCenter

Mainframe,Windows,Linux,Unix,Networking

EnterpriseAdminTools

SoftwareDefinedDataCenter

SDDCConsoleandAPIs

PublicCloud- IaaS

CloudConsoleandAPIs

SaaSApplications

SaaSConsolesandAPIs

HardwareAppliance AWSAMIOVFVirtualAppliance

IdentityIntegration Enterprise-ClassCore

CAPrivilegedAccessManager

§ VaultCredentials§ CentralizedAuthentication§ FederatedIdentity§ PrivilegedSingleSign-on

§ Role-BasedAccessControl§ MonitorandEnforcePolicy§ RecordSessionsandMetadata§ FullAttribution

ANewSecurityLayer- ControlandAuditAllPrivilegedAccess

UnifiedPolicyManagement


HYBRIDCLOUDENVIRONMENT

IntegratedControlsandUnifiedPolicyManagement

Positively

AuthenticateUsers

Vault&

Manage

Cred

entia

ls

RestrictA

ccessto

Authorize

dSystem

s

Fede

rateIdentity

andAttributes(SSO

)

Mon

itora

nd

EnforcePo

licy

RecordSessio

ns

andMetadata

AttributeIdentity

forS

haredAccoun

ts

TraditionalDataCenter

PrivateCloud

PublicCloud

CAPrivilegedAccessManagerinaction


CA PAMServerControl


Host-BasedFine-GrainedAccessControls

Challenge§ Broadpowergrantedtoprivilegedusers

§ Manywaystobecomesuperusers

§ Lackfine-grainedcontrols

§ Limitedaccountability

§ Questionableauditintegrity

Fine-GrainedAccessControls


Host-BasedFine-GrainedAccessControls

Solution:CAPAMServerControl§ Superusershavenospecialprivileges§ Segregationofduties§ Transparenttousers§ Fine-grainedcontrols§ Centralizedpolicymanagement§ Fileandprocessprotection§ Surrogateaccesscontrols§ Sudoreplacement§ KeystrokeLogging§ BroadOSsupport

Fine-GrainedAccessControls

ManagedServer

LeastPrivilegeAccess(withFine-GrainedControls)

SharedPrivilegedAccount(root)

Resources

CAPAMServerControlwillcontrol&auditaccessbasedon

theORIGINAL UserID

Processes

Files/Folders

UserIDs

SudoReplacement


ManagedServer

LeastPrivilegeAccess(withFine-GrainedControls)

SharedPrivilegedAccount(root)

Resources

CAPAMServerControlwillcontrol&auditaccessbasedonthe

ORIGINAL UserID

Processes

Files/Folders

UserIDs

SudoReplacement

MikeCAPAM

Contractor/Partner

OutsideOrganization

DBAdmin(Bob)

Auditor

SystemsAdmin(Mike)

InsideOrganization

CAPAM

CAPAMServerControlComplementsCAPAMPAMAppliance


CAPrivilegedAccessManagerServerControl

Preventthebreach

Defendagainstprivilegeescalationsandaccesstosensitiveresources

Preventcompromiseofnewsystemsanddataexfiltration

Oversight

LoginControls

Lockdownofports/services/Applications

File,directoryandprocessprotection

Trustedprogramexecution,ApplicationJailing

Privilegedaccountprotection

Windowsregistryprotection

Inboundandoutboundnetworkcontrols

Centrallymanagesecurityandaccesspolicies

Entitlementreportingonaccesspolicies


CASecuritySolutionsIntheContextofaBreachKillChain…


PrivilegedIdentity&AccessManagementAnEssentialComponentofDefense-In-Depth

Log&auditprivilegeduseractivity

Perimetersecurity

Leastprivilegeaccess

Anti-virus

Phishingprotection

EmployeeEducation

CloudControlsExternalizedunexpectedcontrols

Serverhardening

CredentialVault&SessionControl

Captureandreviewserveranddeviceauditlogs

Datacontrols&analysis

Advancedauthentication&fraudprevention

Identity&AccessGovernance

1

3

7

8

9

CAPrivilegedAccessManager

Reconnaissance InitialEntry EscalationofPrivileges

ContinuousExploitation

CAPAMServerControl

CAIdentitySuite&IdentityService


4

5 6

2

AllCASecuritySolutions


Ifyouwalkwaywithonemessage,letitbethis:

Identity istheMostImportantAssetofyourorganizationandtheymustbeprotected.


CA’sIdentity&AccessPortfolioCanHelpYouSecurePrivilegedAccess&IdentityManagement

§ Strongauthentication,includingMFA§ Credentialmanagement§ Policy-based,leastprivilegeaccesscontrol§ Sessionrecording,filtering,auditing,attribution§ Applicationpasswordmanagement§ Comprehensive,hybridenterpriseprotection§ Self-contained,hardenedappliance§ ThreatAnalytics

IDENTITY-BASEDSECURITY

§ Missioncriticalprotectionofserverresources:- Files,folders,processes,registries

§ Highly-granularaccesscontrols§ Segregateddutiesofsuper-users§ SecuredTaskDelegation(sudo)§ EnforceTrustedComputingBase§ Auditingandattributionforanalytics

HOST-BASEDSECURITY

CAPrivilegedAccessManager CAPrivilegedAccessManagerServerControl

§Ac

cessre

quests

§Ce

rtificatio

n§

Riskana

lytic

s

CAID

ENTITYSUITE


DEFENSEINDEPTHTHROUGHOUTTHESTACK!


RecommendedSessions

SESSION# TITLE DATE/TIME

SCT30S DevelopingandImplementingaSuccessfulInsiderThreatStrategyandPlan 11/17/2016at3:45pm

SCT05T ThreatAnalyticsforPAM 11/17/2016at4:30pm


Wewanttohearfromyou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts

§ ITCSstaffwillbeatmostsessions.Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth

Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired


Security

FormoreinformationonSecurity,pleasevisit:http://cainc.to/EtfYyw

tech talk: defense in depth privileged access management for hybrid enterprises

Technology