Asurion_Confidential
3. What is Identity and Access Management (IAM) at Asurion?
Identity Management: The systems and processes for managing enterprise digital identities. This
includes automated user and entitlement provisioning and management, as well as the oversight process
around user rights and entitlements, including automated attestation.
Authentication Management: The systems and processes for managing authentication of both internal
and external identities and resources, including processes to audit and report on those authentications.
Directory Management: The systems and processes that store digital identities. This is mainly
LDAP stores, together with the strategy and schema of those stores.
PKI Management: Public Key Infrastructure (PKI) is the set of software, policies, and procedures needed to
create, manage, distribute, use, store, and revoke digital certificates.
Asurion IAM
4. What is Privileged Identity Management (PIM)?
Wikipedia: Privileged Identity Management (PIM) is a domain within Identity Management focused on the
special requirements of powerful accounts within the IT infrastructure of an enterprise. It is frequently used as
an Information Security and governance tool to help companies in meeting compliance regulations and to
prevent internal data breaches through the use of privileged accounts.
Managing the passwords of, and who uses, any account that has elevated rights on any system:
Where the accounts are used
Who has access to the account information
Creation of the accounts
Automated password rotations
Auditing of what the accounts do
What is PIM?
5. Why did Asurion deploy a PIM program?
IAM Program started in April 2014 but focused only on human user identities ("bellybuttons"), not on privileged or service accounts
Need to focus on Properly Managed Accounts:
The account complies with our password policy
The account is not used for anything other than intended purpose
The account can only be used by those authorized to do so
The account is monitored for compliance
PIM and Asurion
6. What Asurion looked like before PIM:
AD contacts
Sticky notes
Excel spreadsheets
Onboarding documentation
Wiki and SharePoint
Not always updated
Everyone knew passwords
Passwords never changed
The Past
8. Where is Asurion headed:
Local Admin Accounts
Appliance and HW Accounts
Directory Service Accounts
Programmatic Account Retrieval
Session Management
The Future
9. What have we learned so far:
Need to focus on PIM separately
Scope, keep it simple
Need to understand where accounts are used
Organization is key
Baby steps
Potential to break everything
Lessons Learned
11. WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The Leading Provider Of
User Activity Monitoring To
Mitigate Insider Threats
13. CHALLENGE WITH ADDRESSING INSIDER THREATS
3 out of 4 InfoSec professionals say: "It's Hard to Distinguish Abuse from Legitimate Use"
(crowd-based research with a 260,000+ member Information Security Community)
15. INSIDER THREAT INTELLIGENCE WITH OBSERVEIT
Collect:
• Visual User Recording
• Application Marking
• User Activity Logs
Detect:
• User Behavior Analytics
• Activity Alerting
• User Risk Scoring
Respond:
• Live Session Replay
• Interact With Users
• Shutdown Sessions
Outcomes: understand field-level application usage; detect data misuse and application abuse; investigate risky user behavior and intent.
16. COMPLETE COVERAGE WITH OBSERVEIT
Employees: Data Extraction and Fraud (Application Access, Call Centers, and Watchlists)
Third-parties: IP Theft and Service Availability (Contractors, Remote Vendors, Outsourced IT)
Privileged Users: Access Abuse and Data Privacy (Help Desk, DBAs, HPAs, SoD and Sys Admins)
Audit and Compliance (underpins all three groups): Audit Controls for PCI / PII / PHI Data, Monitoring
Privileged and 3rd Party Access, Alerting for Access to Sensitive Systems
17. PRIVILEGED USER INTELLIGENCE
Roles: UNIX / Linux, Windows, DBAs, Network, Help Desk, Programmers
Tools: WireShark, PuTTY, Toad, RDP, WinSCP, Reg Editor, CMD, PowerShell, DR, Java, SSH, AD, SQL Plus
Concerns: Unauthorized Changes / Access, Abusing Privileges, Local / Service Accounts
18. CUSTOMER EXAMPLES
Monitoring Privileged Access (PCI):
Monitoring internal privileged users with access to PCI systems
Detecting unauthorized configuration changes
Meeting internal and external audit requirements
Monitoring Privileged Users for PCI/SOX:
Monitoring privileged users with access to over 60 PCI/SOX applications
Real-time monitoring of unauthorized account creation and firewall changes
Integrated with Lieberman Password Vault and Avatier identity provisioning
We have over-invested in firewalls, A/V, DLP... and yet we still have only half the picture: we don't understand what our users are actually doing.
And this is the challenge we have with insider threat: we don't know what our users do with the access they have, and we can't distinguish between legitimate business use and abuse.
Crowd-based research in cooperation with the 260,000+ member Information Security Community
With 6.0 we add Insider Threat Intelligence to our User Activity Monitoring Solution to Cover the full scope of insider threat.
Let’s talk about Insider Threat Intelligence with ObserveIT and what makes us so special and different.
First, we are focused, from the ground up, on the USER, and insider threats are at their core a people problem. This approach provides a clear picture of the risk users present and enables you to do something about it.
Our Insider Threat Intelligence takes a 3-step approach to protecting companies against Insider Threats.
We collect all user activity using our agent technology, which essentially screen-scrapes all activity and indexes the textual information on the screen.
This means "collecting" the information needed to distinguish abuse from legitimate use via Visual Screen Recording technology, and transcribing what is taking place into User Activity Logs.
Next, we have unique capabilities to detect risky insider activity with rule-based User Behavior Analytics, and Activity Alerting.
Finally, we can take action and quickly respond to users putting your business at risk with Live Session Response and Session Shutdown.
We apply our Insider Threat Intelligence across the full scope of Insider Threats: Employees, Privileged users and even trusted third-parties.
When dealing with Employees, most customers are concerned about data extraction and fraudulent activity within core applications. Use cases range from monitoring call center employees to individuals on HR watch-lists.
With Privileged Users, we see customers looking to see whether users are abusing their access, or concerned about data leakage. It can range from Help Desk users to DBAs to enforcing Segregation of Duties. We also see a lot of customers looking to track all High Privilege Accounts, such as system admins, on all their servers.
Third-parties is a big one, and where our roots tie back to. Most customers monitor third-parties to trust but verify their work, and to make sure IP isn't leaving with them or that they aren't bringing down any servers. We see customers monitoring everything from Contractors and Remote Vendors to completely outsourced IT shops.
Underpinning all of these groups is Audit and Compliance – whether it’s to satisfy Audit controls or map to a Security Framework.
Exchange Admins!!
Today we see a lot of customers handing out root privileges like after-dinner mints.
And when it comes to privileged user monitoring, customers are concerned with unauthorized changes or access, admins abusing their privileges, and what users are doing with local accounts.
Unauthorized Changes:
  Entitlement changes
  Creation of Local Accounts
  Password resets
Abusing Privileges:
  Admin / "Root" logins
  Lateral Movement
  'rm' 'cp' with 'sudo'
  Creating "backdoors"
  'leapfrog' logins
Unnecessary Access:
  Unauthorized access
  Unsecure 'shell'
  Unapproved 'setuid'
“ObserveIT provides unparalleled visibility into what our privileged users are doing within our sensitive systems”
– Michael Holder, Global Head of IAM