Privileged accesss management for den csa user group CA Technologies

Privileged Access Management
Breaking The Kill Chain
Tabish Tanzeem, CISSP
Sr. Principal Consultant
November 2016

2 © 2015 CA. ALL RIGHTS RESERVED.
Agenda
STATISTICS AND INCIDENTS
WHAT ARE PRIVILEGED USERS?
WHAT IS THE CHALLENGE?
TOP 10 PAM BEST PRACTICES
MATURITY MODEL

Intersecting Forces Yield A Sea Change

The Hybrid Enterprise Management Plane
Ongoing Infrastructure Changes Introduce New Control Points, Risks
Hybrid Enterprise
Software Defined Data Center
SDDC Console & APIs
SaaS Applications
SaaS Consoles & APIs
Public Cloud - IaaS
Cloud Console & APIs
Traditional Data Center
Mainframe, Windows, Linux, Unix,
Networking
Enterprise Admin Tools
New Management Plane

Easier Access and Escalating Risks
 Cybercrime
– Target – 70 million credit cards stolen
– Home Depot - 56 million credit cards stolen
– JP Morgan Chase – 76 million account records stolen
 Material Impact to Operations
– CodeSpaces - forced out of business
– Sony Pictures – extensive disruption
– German Steel Mill – physical damage
– Saudi Aramco – physical systems damage and business
disruption
 Cyberespionage
– Anthem – 80 million personal records stolen
– Forbes.com and unidentified health insurer – targeted
(defense contractors, government workers) information
gathering of individual data

Economic Losses Are Staggering
Net Losses: Estimating the Global Loss of Cybercrime (Intel Security – June 2014). Cybercrime is a growth industry. The returns are great, and the
risks are low. We estimate that the annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be
$375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of
most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.
$400 Billion
Global Losses
from
Cybercrime
$300 Billion
Global Drug
Trafficking
Revenue
$300 Billion
GDP of
Singapore
$3 Trillion
Global Economic Impact of
Cybercrime in 10 Years
- McKinsey, World Economic Forum

The Common Thread?
“Stealing and
exploiting
privileged
accounts is a
critical success
factor for attackers
in 100 percent of
all advanced
attacks, regardless
of attack origin.”
- Cybersheath Security Report,
May 2014

Privileged Account Management Facts
 Privileged Accounts Exist Across Every Aspect of IT
 Privileged Accounts Grow in Numbers Everyday
 Existing Models of Managing Privileged Accounts Fall Short
 Every Major Breach Has Involved A Privileged Account
 Your Critically Valuable Privileged Accounts Are Targets!

Hacker Malware/APT
Privileged Accounts: The Emerging Front Line
On Premise
Employees/Partners
• Systems Admins
• Network Admins
• DB Admins
• Application Admins
Partners
Systems/NW/DB/Application Admins
Employees
Systems/NW/DB/A
pplication Admins
Public Cloud
Apps
Apps
VMware
Administrator
AWS Administrator
Microsoft Office
365
Administrator
Internet
Organizations typically have 3-4x more
Privileged Accounts and Credentials than
Employees!

1. On-Boarding/Off-Boarding Process
2. Least Privilege Everything
3. Strong Authentication
4. Separate Authentication from Access
Control
5. Protect Privileged Account Credentials
6. Eliminate Anonymous Activity
7. Implement Extra Protections for Sensitive
Assets
8. Alert/Respond to Attempted Policy
Violations
9. Log and Record Everything
10. Mind the Virtualization Gap
May 2014 © Copyright 2014, Xceedium, Inc. 10
Top 10 List
Best Practices for Privileged Identity Management

 On-boarding
– Identity verification & background checks
– Entitlement management
– Credential/multi-factor authentication
device issuance
– Approvals and workflow
– Certification/Attestation
 Off-boarding
– Reliable
– Timely
– Complete
#1 On/Off-Boarding Process

 Least Privilege Everything
– Least device/system access
– Least functional access
 Console
 CLI
 FTP
 API
– Least command level
 Drop, telnet, reboot…
#2 Least Privilege
Zero Trust Model
Start with no access
Add layers/systems as needed
Role-based

13 © 2015 CA. ALL RIGHTS RESERVED.May 2014 © Copyright 2014, Xceedium, Inc. 13
#3 Strong Authentication
OTP
Smart Card
Integrated User
Authentication
Roles
Network
Systems
Database
Virtual
Credentials
CRL/OCSP
Server
Active
Directory
SaaS
IaaS
 Federal Government Mandate
– OMB 11-11
– PPD 21
– PIV/CAC required for all
administrative access
 Commercial
– Best Practice for High Risk
Environments
 Strong Multi-factor
Authentication
Password
Safe

 Old School
– Perimeter-based
– Hard-crunchy outside…
– Authentication was a proxy for Authorization
 “Grass huts with steel doors…”
 Separate authentication and authorization
– Authentication to the privileged identity
management system establishes identity, only
– No intrinsic access to resources
– Authorization based on roles and
responsibilities; enforced by PIM system
#4 Authentication ≠ Authorization
Protected Environment
Servers
Databases
Network
Other Systems
Credential
Safe
Enterprise
Directory
SaaS
IaaS
AuthZ, FGA
Control Command

 Privileged credentials and access are implicated
in every attack
– Phishing
– Credential/Privilege misuse
– Stolen third-party credentials
– Default passwords
 Control and manage credentials
– Encrypted storage and use
– Automated rotation and update
 One-time passwords
– Eliminate physical access via proxy
– Supported by backup and “break glass”
capabilities
#5 Protect Credentials

 Shared administrative accounts are endemic
across IT
– Administrative convenience
– Technology constraints (root, admin…)
 Enables anonymous, unattributed access
– Easy to hide malicious activity
– Complicates troubleshooting and forensic
examination
– Compliance/audit violations
 Map individual user activity and access to
shared accounts in logs and recordings
#6 Eliminate Anonymous Access

 Cloud Environments
– Operational Risks
– Financial Risks
– Security Risks
 Defense in Depth
– Strengthen legacy UID and password mechanism
– Key management
– Implement multi-factor authentication, biometrics
– Additional monitoring, audit of privileged user sessions
w/ publication of results
– HSM for key protection – physical or virtual options
#7 Extra Protections

 Alerts
– Warnings and reminders to individuals
– Events to SIEM/SOC
 Proactive Controls
– Enforced White/Black Lists
– Enforced Limits on Permissions and Rights
– Interception of Prohibited Commands
– Session Termination
– Account Suspension
#8 Alert/Block Policy Violations

19 © 2015 CA. ALL RIGHTS RESERVED.May 2014 © Copyright 2014, Xceedium, Inc. 19
#9 Log & Record Everything
CERT Insider Threat
Center:
In more than 70% of the
IP theft cases, insiders
stole information within
30 days of announcing
their resignation.
• RDP/Graphical Sessions
• Shell/CLI Sessions
• API Access
• Logging/SIEM/SOC
• Highlight attempted policy/access
control violations
• Publish audit results

 API-based access growing basis for DevOps
 Rebuild/Replace rather than re-configure
 Management API’s offer powerful capabilities,
but:
– Shared keys/credentials
– Limited attribution
– Limited logging and recording
– All the access control issues of traditional user
accounts
 Requires dedicated capabilities for controlling,
monitoring, and recording access; credential
protection
#10 Mind the API Gap

Privilege: Core of the Breach Kill Chain
Network Perimeter
EXTERNAL THREATS
INTERNAL THREATS
C&C, Data/IP
Exfiltration
Wreak HavocElevate Privilege
Lateral Movement,
Reconnaissance
Threat
Actor
Trusted
Insider
Gain/Expand Access
• Weak Authentication/Default
Passwords
• Stolen/Compromised Credentials
• Poor Password/Key Management
• Shared Accounts/Lack of Attribution
• Authentication = Access Control
• No Limits on Lateral Movement
• No Limits on Commands
• Lack of Monitoring/Analysis

Break The Kill Chain:
Strong Authentication
Network Perimeter
EXTERNAL THREATS
INTERNAL THREATS
C&C, Data/IP
Exfiltration
Lateral Movement,
Reconnaissance
Threat
Actor
Trusted
Insider
Gain/Expand Access Wreak HavocElevate Privilege
Lateral Movement,
Reconnaissance
• Strong Authentication
• AD/LDAP Integration
• Multifactor Hardware/Software
• PIV/CAC Card Support
• SAML
• Login Restriction
• Origin IP
• Time of Day
Strong
AuthN

Prevent Unauthorized Access
Network Perimeter
EXTERNAL THREATS
INTERNAL THREATS
C&C, Data/IP
Exfiltration
Lateral Movement,
Reconnaissance
Threat
Actor
Trusted
Insider
Lateral Movement,
Reconnaissance
• Zero Trust – Deny All, Permit by
Exception
• Role-Based Privileged User Access
Limits
• Privileged User Single Sign on
• Command Filtering
• Leapfrog Prevention
• Proactive Policy Violation
Prevention
Zero Trust
Access

Improve Forensics, Deter Violations
Network Perimeter
EXTERNAL THREATS
INTERNAL THREATS
C&C, Data/IP
Exfiltration
Lateral Movement,
Reconnaissance
Threat
Actor
Trusted
Insider
Lateral Movement,
Reconnaissance
• Continuous monitoring and logging
• Warnings, Session Termination,
Alerts
• DVR-like recording and playback of
sessions
• Activity Log Reporting
• Privileged Account Use Attribution
• SIEM/SYSLOG Analytics
Log, Deter

Privileged Access Management Maturity Levels
ADHOC
BASELINE
MANAGED
ADVANCED
Review
Redefine
Optimize

Privileged Access Management Focus Areas
 Privileged Users/Shared Accounts
– root, oradba, sapadmin, cisco enable, Windows local admin, named admin accts, SaaS/IaaS admin accts
 Service & Application Accounts
– COTS App Accounts, App Servers, DevOps Systems, Scheduled Tasks, Batch Jobs, Scripts
 Activity Monitoring
– SIEM, Network Monitoring, Change Management, Session Recording, Analytics
 Identity Management Integration
– CA Identity Suite, Oracle IAM, SailPoint, IBM ID Mgt
 Fine Grained Tools
– CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity

Privileged Access Management Maturity Model
Level 1:
Adhoc/Manual
Level 2:
Baseline
Level 3:
Managed
Level 4:
Advanced
Privileged
User/Shared
Accounts
Service &
Application
Accounts
Monitoring &
Threat
Detection
Identity
Management
Integration
Fine-grained
Controls/SoD
Manual Controls
For
Priv. Accounts
Structured Controls
Basic Vault
Account Inventory
SDLC Integration
Credential Vault with RBAC
Central Password Policies
Account Discovery
MFA
Passwordless (SAML/OAUTH/TGS)
Cloud/SaaS/SDN Integration
HSM Integration
Ad Hoc Application
Account Management
Hard Coded Passwords
Manual Application
Account Management
Centralized Application
Account Management
Eliminate Hardcoded Passwords
REST API Integration
Governed Application
Account Management
DevOps Integration
Ad Hoc Audit & Controls
Activity Monitoring
Decentralized Activity
logging
SIEM Integration
Acct Attribution
SNMP Alerting
Session Recording
Dual Authorization
Meta-Data
Service Desk Integration
Analytics Integration
Manual Process
For Priv. Access
Automated
Privileged Identity Mgmt.
Integrated Privileged
Access Requests
Basic Governance
Fully Delegated Administration
Governed Privileged
Access w/SoD
Open Source
Tools and Scripts
Decentralized
Tools (Silos)
Command Filtering
Restricted Shell
Leap Frog Prevention
Centrally Managed
Kernel Interceptor
with Cred Vault Integration

Critical Questions
 Do you have an inventory of privileged accounts?
– Operational and Application…custom scripts?
 Do you have a record of who has access to passwords?
 How is access to privileged accounts granted?
 Are privileged accounts included in the SDLC process?
– What about 3rd Party Developers and Contractors?
 How often do you change privileged account passwords?
 What is your process for changing privileged account
passwords?
 How do you track privileged account use?
 How do you grant emergency access to privileged
accounts?
 Do you require a change ticket for privileged account use?
 Are segregation of duties enforced on privileged accts?
 Is there a certification process for privileged accounts?
 How are new privileged accounts created?
 How are privileged accounts retired?
 Is MFA required to access privileged accounts?
 Any fine grain controls in place to restrict the scope of
privileged acct, if so what and how are they managed?
 How are cloud based privileged accounts managed?
 Is privileged account use monitored for suspicious activity?
And through out your hybrid enterprise?

Conclusions and Recommendations
 Privileged identity must be a highly protected core asset (process & technology)
 A Zero-Trust model should be adopted for all privileged access (including applications);
Some process re-engineering is a reasonable trade-off for the additional security and
risk mitigation
 Next generation PIM platforms will make this more manageable, but defense in depth is
still required
 Organizations need to employ Protection, Detection, and Response Frameworks
specifically focused on Privileged Identities (and associated keys)

Sr. Principal Consultant
Tabish.tanzeem@ca.com
@TabishTanzeemCA
Tabish Tanzeem
slideshare.net/CAInc
linkedin.com/pub/noam-dror/0/34b/82b/
ca.com/Security
Q&A

Privileged accesss management for den csa user group CA Technologies

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (12)

Similar to Privileged accesss management for den csa user group CA Technologies

Similar to Privileged accesss management for den csa user group CA Technologies (20)

More from Trish McGinity, CCSK

More from Trish McGinity, CCSK (16)

Recently uploaded

Recently uploaded (20)

Privileged accesss management for den csa user group CA Technologies