CIS13: From Governance to Virtualization: The Expanding Arena of Privileged Identity Management

Russell Miller, Director, Solutions Marketing, CA
Securing privileged identities is essential to reducing the risk not only of insider attacks, but of attacks from outsiders as well. Learn how to expand your thinking about privileged identities to address the latest trends and threats.

Published in: Technology, News & Politics

  1. From Governance to Virtualization: The Expanding Arena of Privileged Identity Management. Russell Miller, Director, Solutions Marketing
  2. Agenda: The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A. Copyright © 2013 CA. All rights reserved.
  3. Edward Snowden was a privileged user on key NSA systems. “When you’re in positions of privileged access, like a systems administrator for these sort of intelligence community agencies, you’re exposed to a lot more information on a broader scale than the average employee.” - Edward Snowden. Source: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance?guni=Network%20front:network-front%20full-width-1%20bento-box:Bento%20box:Position1
  4. Privileged identities pose a particularly significant threat to network and data security. The Problem With Privileged Identities: All-Powerful Access; Lack of Accountability; Risk. Unrestricted “root” or “Administrator” access; no segregation of duties; use of shared accounts; poor log integrity and quality. Virtualization magnifies these challenges!
  5. There are three types of insider threats and two primary principles to apply to mitigate the risk. Types of Insider Threats: Exploited Insiders; Malicious Insiders; Careless Insiders. Actions to Take: Implement Least Privilege Access; Ensure Accountability. Deter malicious insiders; trace actions to individuals; limit damage done by a malicious or exploited insider; “Stop Stupid!”
  6. There are many real-world – and public – examples of insiders causing significant damage:
     • http://www.wired.com/threatlevel/2008/07/sf-city-charged/
     • http://www.theregister.co.uk/2011/02/28/british_airlines_it_expert_convicted/
     • http://www.darkreading.com/security/news/212903570/it-worker-indicted-for-setting-malware-bomb-at-fannie-mae.html
     • http://www.darkreading.com/authentication/167901072/security/security-management/229100384/a-glaring-lesson-in-shared-passwords.html
     • http://www.infosecurity-magazine.com/view/18237/insider-data-breach-costs-bank-of-america-over-10-million-says-secret-service/
     • http://www.eweek.com/security-watch/former-gucci-employee-indicted-for-it-rampage.html
     • http://www.darkreading.com/security/news/223800029/ex-tsa-employee-indicted-for-tampering-with-database-of-terrorist-suspects.html
  7. The stages of an external attack. Stages of an External Attack: Reconnaissance; Initial Entry; Escalation of Privileges; Continuous Exploitation. Basic research; domain queries; port scans; vulnerability scans; “spear phishing”; social engineering; zero day vulnerability exploitation; OS & application vulnerability exploitation; administrative access; compromise of new systems; continuous export of sensitive data; effect service availability; covering of tracks; rootkits.
  8. Traditional perimeter and infrastructure security capabilities only address part of the problem! Perimeter security; anti-virus; phishing protection; server hardening; capture and review server and device audit logs. Stages of an External Attack: Reconnaissance; Initial Entry; Escalation of Privileges; Continuous Exploitation.
  9. Content-aware identity & access management bolster an APT defense! Log and audit privileged user activity; perimeter security; least privilege access; anti-virus; phishing protection; employee education; virtualization security; externalized/unexpected security; server hardening; shared account management; capture and review server and device audit logs; data controls & analysis; advanced authentication & fraud prevention; Identity & Access Governance. Capabilities of CA Security. Stages of an External Attack: Reconnaissance; Initial Entry; Escalation of Privileges; Continuous Exploitation.
  10. Effective Privileged Identity Management requires a comprehensive solution. Privileged Identity Management: Shared Account Management; Fine-Grained Access Controls; User Activity Reporting / Session Recording; UNIX Authentication Bridging; Virtualization Security. Diagram labels: Hypervisor; VM; VM; VM.
  11. Agenda: The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A.
  12. A recent incident demonstrates the real-world potential for damage in a virtual environment. Jason Cornish, former Shionogi Pharma IT Staffer, pled guilty to Feb ‘11 computer intrusion. Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services. Shionogi’s operations frozen for days: unable to ship product; unable to issue checks; unable to send email. All of this was accomplished from a McDonald’s.
  13. Virtualization has many clear benefits, but also many often-ignored risks. What happens when an organization goes virtual? Positives: capital and operational cost savings; great availability / recovery; ease of disaster recovery; hardware independence; improved service levels. Negatives/Risks: new class of privileged identities on the hypervisor; greater impact of attack or misconfiguration; new compliance requirements; dynamic environment leads to oversights; easy copying of virtual machines; Virtual Sprawl.
  14. New class of privileged identities on the hypervisor
  15. Greater impact of attack or misconfiguration
  16. New compliance requirements. NIST SP 800-125: Guide to Security for Full Virtualization Technologies. Payment Card Industry (PCI) PCI-DSS 2.0, Virtualization Guidelines.
  17. Dynamic environment can lead to oversights
  18. Copying a virtual machine image is equivalent to stealing a server from a datacenter
  19. Virtual Sprawl
  20. Securing virtual environments requires “the fundamentals” as well as a game-changing capability. Security fundamentals that now need to be applied to the hypervisor: Least Privilege Access; Infrastructure Hardening; Shared Account Management; User Activity Reporting. New!: Virtualization-Aware Automation of Security Controls.
  21. Agenda: The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A.
  22. The need for Privileged Identity Governance: Orphaned Accounts; Reduce Audit Burden; Gain Visibility into Privileged Account Usage; Privilege Creep.
  23. Address these needs by combining governance, management and monitoring capabilities. Priv. Identity Governance: User Mgmt.; Workflow; Certification. Privileged Identity Mgmt.: fine-grained access controls; shared account management. User Activity Reporting: video recording; analytics and searchability.
  24. What Privileged Identity Governance can tell you: How can they get access? How to control access. What was accessed and when? What can people access?
  25. Identity Governance and Role Management. Monitor access rights with reports/dashboards. Discover and propose potential roles based on access patterns and organizational characteristics. Establish centralized segregation of duties and other business and regulatory identity policies. Discover business structure and turn millions of access rights into 100’s of roles. Adapt model as business changes. Automate entitlements certification for users, roles and resources.
  26. Use analytics to identify privileged users. Diagram labels: Identities; Systems.
  27. User IDs should be correlated to identify multiple IDs belonging to the same person – and cleaned up! Example IDs: Russ.Miller; MILLERR; RMIL04; RBM102. Name: Russell Miller; Employee ID: rmiller123; Location: Boston; etc. Steps: 1 Audit Privilege Quality; 2 Detect Exceptions; 3 Unique ID correlation; 4 Clean-up.
  28. Certification should include usage information to identify suspicious activities
  29. How you can get there! Steps to Govern Privileged Identities: Collect Account & Entitlement Info; Analyze IDs & Entitlements; Administer & Control Accounts; Audit & Certify Accounts. Account types: System Accounts; Service Accounts; Shared Accounts; Named Accounts.
  30. The business value of Privileged Identity Governance: prevent breaches due to improper Admin actions or data exposure; reduce the burden of audit and compliance efforts; improve efficiency of identity compliance & processes; gain visibility into administrator access and actual usage.
  31. Agenda: The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A.
  32. Social media accounts are privileged identities! Insider Threat; External Threat.
  33. Confusion between personal and corporate Twitter accounts – controls are needed!
  34. Agenda: The Challenge of Privileged Identities; The State of Virtualization Security; Privileged Identity Governance; Social Media; Q&A.
  35. Questions?
  36. Appendix
  37. Legal Notice. Copyright © 2013 CA. All rights reserved. Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. No unauthorized use, copying or distribution permitted.
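
Added example (not part of the original deck and not CA's product logic): one way to implement the "Unique ID correlation" and "Detect Exceptions" steps of slide 27, using the four account IDs shown there. The system names, the `emp_attr` field, the nickname "Russ", the `dbadmin` account and the name-matching heuristics are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: HR record and the four IDs are from slide 27,
# everything else (systems, emp_attr, nick, dbadmin) is assumed.
HR = {"rmiller123": {"first": "Russell", "nick": "Russ", "last": "Miller"}}
ACCOUNTS = [
    {"system": "windows", "id": "Russ.Miller", "emp_attr": None, "privileged": False},
    {"system": "mainframe", "id": "MILLERR", "emp_attr": None, "privileged": True},
    {"system": "unix", "id": "RMIL04", "emp_attr": None, "privileged": True},
    {"system": "database", "id": "RBM102", "emp_attr": "rmiller123", "privileged": True},
    {"system": "unix", "id": "dbadmin", "emp_attr": None, "privileged": True},
]

def name_keys(person):
    """Login forms commonly derived from a name (heuristic, not exhaustive)."""
    first, nick, last = (person[k].lower() for k in ("first", "nick", "last"))
    return {first + last, nick + last, last + first[0],
            first[0] + last, first[0] + last[:3]}

def normalize(account_id):
    """Lowercase, drop separators and numeric suffixes: 'RMIL04' -> 'rmil'."""
    return re.sub(r"[^a-z]", "", account_id.lower())

def correlate(accounts, hr):
    """Return (owner -> [(system, id, method)], list of unresolved accounts)."""
    index = {key: emp for emp, person in hr.items() for key in name_keys(person)}
    owned, unresolved = defaultdict(list), []
    for acct in accounts:
        if acct["emp_attr"] in hr:               # authoritative attribute match
            owner, method = acct["emp_attr"], "attribute"
        elif normalize(acct["id"]) in index:     # heuristic match, needs review
            owner, method = index[normalize(acct["id"])], "name-heuristic"
        else:                                    # no owner found
            unresolved.append(acct)
            continue
        owned[owner].append((acct["system"], acct["id"], method))
    return dict(owned), unresolved

def exceptions(owned, unresolved):
    """Findings for clean-up: unowned privileged accounts, people with several IDs."""
    findings = [f"ORPHANED privileged account {a['system']}:{a['id']}"
                for a in unresolved if a["privileged"]]
    findings += [f"{owner} holds {len(ids)} IDs: " + ", ".join(i for _, i, _ in ids)
                 for owner, ids in owned.items() if len(ids) > 1]
    return findings

if __name__ == "__main__":
    for line in exceptions(*correlate(ACCOUNTS, HR)):
        print(line)
```

`RBM102` is the instructive case: no name heuristic links it to Russell Miller, so it is only attributed because the account record carries an employee ID, and an account with neither link surfaces as an exception for review.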
