
Case Study: Privileged Access in a World on Time

Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, but it's also good security.


For more information on Security, please visit: http://cainc.to/CAW17-Security

Published in: Technology
Case Study: Privileged Access in a World on Time

  1. Case Study: Privileged Access in a World on Time. SCT17S, Security. Trey Ray, IT Manager, FedEx; Laxmi Potana, Cyber Security Advisor, FedEx; Michael Scudiero, Sr. Cyber Security Analyst, FedEx
  2. COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED #CAWORLD #NOBARRIERS. Terms of This Presentation: For Informational Purposes Only. © 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
  3. Abstract: Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time with CA Privileged Access Manager is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it's also good security. Trey Ray, FedEx, IT Manager; Laxmi Potana, FedEx, Cyber Security Advisor; Michael Scudiero, FedEx, Sr. Cyber Security Analyst
  4. HOW TO BUILD A GLOBAL SHIPPING NETWORK TO TAKE ON THE FUTURE
  5. VIDEO: “FEDEX” TRT: 1:31
  6. Privileged Access in a World on Time. Trey Ray, Laxmi Potana, and Michael Scudiero
  7. Privileged Access in a World of Cyber Risk
  8. PCI DSS 3.2 Created The Urgency
  9. Privileged Access is Preventive & Detective. PREVENT: 2 Factor Authentication; Automated Password Rotation & Vaulting; Command Filtering; Leapfrog Prevention. DETECT: DVR & Command Line Session Recording Available; Logging of All PAM User Activity; SIEM Integration & Alerting. REPORT: Built-in Reports on All Integrated Accounts and Passwords; Metrics Displayed in Admin Dashboard
  10. Managing the Keys to Running the World on Time: Active Directory domain admin; Windows Server Admin; Unix root; Database admin (DBA) and developer break-fix; App service accounts; Web Portals; VMware Hypervisor admin; TACACS; Corporate social media accounts; Any shared privileged account in the environment. If privileged accounts are the “Keys to the Kingdom,” then PAM is the lockbox for the keys.
  11. USE CASES TO CONTROL PRIVILEGED ACCESS: Unix Root Admin; Active Directory Domain Admin; Windows Local Admin Accounts; Developer Access to Privileged Data
  12. Use Case: Active Directory Domain Admin, Before PAM Integration. Domain Admin launches an RDP session from their own PC/laptop or from another Windows server in the domain using a personal admin account. This practice is subject to the “Pass the Hash” vulnerability, whereby the domain administrator’s credentials can be harvested by an attacker and used to gain privileged access to the domain.
  13. Use Case: Active Directory Domain Admin, After PAM Integration. Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential. An RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials. The Domain Admin credentials are never exposed to the administrator endpoint, which eliminates the “Pass the Hash” vulnerability. The session is optionally recorded for audit purposes.
  14. Use Case: Unix Root, Before PAM Integration. No consistent method for managing Unix root passwords across the SysAdmin teams. Unix root passwords had to be rotated manually on a regularly scheduled interval. No attribution for Unix root account usage.
  15. Use Case: Unix Root, After PAM Integration. Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required. An SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials. The root password is never displayed to the SysAdmin. Command filtering prevents accidents (rm -rf *.*). The session is optionally recorded for audit purposes.
  16. Use Case: Developer DB Break-Fix, Before PAM Integration. Developer escalates his database privileges temporarily (24 hours) using an IDM pre-approved break/fix workflow. Since the developer uses his own personal user account for the escalated database access, the window of opportunity for an attacker to gain access using compromised credentials is lengthy.
  17. Use Case: Developer DB Break-Fix, After PAM Integration. Developer logs into the CA PAM client with 2FA and checks out a privileged database account. A secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials. The database password is never displayed to the developer. The session is optionally recorded for audit purposes.
  18. Use Case: Microsoft LAPS Console, Before PAM Integration. Administrator launches the LAPS console from their local machine. LAPS privileges are granted directly to the human admins via an AD group. An adversary utilizing a compromised human admin account would be able to view local Windows admin credentials for many devices in LAPS.
  19. Use Case: Microsoft LAPS Console, After PAM Integration. Administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential. CA PAM launches the LAPS console via an RDP published application. The LAPS-enabled credential is rotated at the end of the session and once a day. The LAPS session is optionally recorded for audit purposes.
  20. WHAT WE LEARNED WILL HELP US SCALE: DESIGN FOR HIGH AVAILABILITY; EMPOWER ADMINISTRATORS; PHASED APPROACH; AWARENESS; PLANNING
  21. Questions?
  22. Stay connected at communities.ca.com. Thank you.
  23. Security: For more information on Security, please visit: http://cainc.to/CAW17-Security
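Slides 13 and 15 describe the control: privileged RDP to a Domain Controller and root SSH to a Unix host should only arrive through the PAM appliance's transparent login. The detective complement to that control (slide 9's "SIEM Integration & Alerting") is a rule that flags privileged sessions which did not come through the broker. The following is an added example written for this page, not FedEx's or CA's code: the gateway addresses, account names, host names and log lines are constructed placeholders; the Windows records mirror the fields of Security event 4624 (logon type 10 is RemoteInteractive, i.e. RDP), and the sshd lines follow OpenSSH's "Accepted ... for ... from ..." format.

```python
"""Flag privileged sessions that bypassed the PAM broker.

Constructed sample data only: every address, account and host name below is
invented for this example and is not a FedEx or CA value.
"""
import re
from dataclasses import dataclass

# Assumed environment facts (placeholders, not from the deck).
PAM_GATEWAYS = {"10.10.0.5", "10.10.0.6"}          # addresses the PAM appliance connects from
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
DOMAIN_ADMINS = {"CORP\\da-jsmith", "CORP\\da-akumar"}
RDP_LOGON_TYPE = 10                                 # Windows "RemoteInteractive"


@dataclass(frozen=True)
class Finding:
    source: str       # "windows" or "sshd"
    account: str
    host: str
    client_ip: str
    reason: str


def check_windows_logons(events):
    """Security event 4624: a domain admin RDP logon to a DC must originate from a
    PAM gateway; any other source means the brokered path was bypassed."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
        if account not in DOMAIN_ADMINS or ev["Computer"] not in DOMAIN_CONTROLLERS:
            continue
        if ev["IpAddress"] not in PAM_GATEWAYS:
            findings.append(Finding("windows", account, ev["Computer"], ev["IpAddress"],
                                    "domain admin RDP to DC not via PAM gateway"))
    return findings


# OpenSSH "Accepted <method> for <user> from <ip> port <n>" with a syslog prefix.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def check_sshd_lines(lines):
    """sshd: an accepted root login must come from a PAM gateway."""
    findings = []
    for line in lines:
        m = SSHD_ACCEPTED.match(line)
        if not m or m["user"] != "root":
            continue
        if m["ip"] not in PAM_GATEWAYS:
            findings.append(Finding("sshd", "root", m["host"], m["ip"],
                                    f"root ssh ({m['method']}) not via PAM gateway"))
    return findings


# Constructed sample input (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP", "TargetUserName": "da-jsmith",
     "Computer": "DC01", "IpAddress": "10.10.0.5"},     # brokered through PAM: fine
    {"EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP", "TargetUserName": "da-jsmith",
     "Computer": "DC02", "IpAddress": "10.20.3.44"},    # direct RDP from a workstation: flag
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "da-akumar",
     "Computer": "DC01", "IpAddress": "10.20.3.44"},    # network logon: out of scope for this rule
    {"EventID": 4624, "LogonType": 10, "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "Computer": "FS01", "IpAddress": "10.20.3.44"},    # neither a DA nor a DC
]
SAMPLE_SSHD = [
    "Nov 14 09:12:01 unix01 sshd[2211]: Accepted publickey for root from 10.10.0.6 port 51022 ssh2",
    "Nov 14 09:15:40 unix02 sshd[2290]: Accepted password for root from 10.20.3.44 port 51100 ssh2",
    "Nov 14 09:16:02 unix02 sshd[2301]: Accepted publickey for deploy from 10.20.3.44 port 51101 ssh2",
]


def run():
    """Evaluate both rules over the constructed samples; returns the findings list."""
    return check_windows_logons(SAMPLE_EVENTS) + check_sshd_lines(SAMPLE_SSHD)


if __name__ == "__main__":
    for f in run():
        print(f"{f.source}: {f.account} -> {f.host} from {f.client_ip}: {f.reason}")
```

The allow-list is the set of gateway addresses, not the set of admin accounts: after the slide 13 design every legitimate Domain Admin RDP session has the appliance as its source, so a logon from anywhere else is the interesting event regardless of which admin it was. In a real SIEM the same condition would be written against the 4624 fields and the sshd message rather than against Python dictionaries.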
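Slide 9 lists command filtering and leapfrog prevention among the preventive controls, and slide 15 gives the motivating accident (rm -rf *.*). As an added illustration of what such a filter does, not CA PAM's policy engine or its rule syntax, the block below splits a submitted command line into its simple commands, unwraps sudo, and denies a recursive rm aimed at / or at a wildcard, filesystem-destroying tools, and outbound hop tools such as ssh (the leapfrog case). All rules and the sample commands are invented for this example.

```python
"""Command filter for a PAM-brokered root shell (added example, invented rules)."""
import os
import shlex
from typing import Optional, Tuple

SEPARATORS = {";", "&&", "||", "|", "&"}
PRIVILEGE_WRAPPERS = {"sudo", "doas", "nohup"}
HOP_TOOLS = {"ssh", "scp", "sftp", "telnet", "rsh"}   # leaving the brokered host is denied


def _flags(argv):
    """Collapse short options such as '-rf' into one string of letters."""
    return "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))


def rule_recursive_rm_wide(argv) -> bool:
    """rm with a recursive flag whose target is / or contains a wildcard."""
    if os.path.basename(argv[0]) != "rm":
        return False
    recursive = "r" in _flags(argv) or "R" in _flags(argv) or "--recursive" in argv
    targets = [a for a in argv[1:] if not a.startswith("-")]
    return recursive and any(t == "/" or "*" in t for t in targets)


def rule_filesystem_destroy(argv) -> bool:
    """mkfs.* or dd writing straight to a block device."""
    name = os.path.basename(argv[0])
    return name.startswith("mkfs") or (name == "dd" and any(a.startswith("of=/dev/") for a in argv[1:]))


def rule_leapfrog(argv) -> bool:
    """Outbound hop tools: the session should end on the host PAM brokered it to."""
    return os.path.basename(argv[0]) in HOP_TOOLS


DENY_RULES = [
    ("recursive rm on / or a wildcard", rule_recursive_rm_wide),
    ("filesystem creation or raw device write", rule_filesystem_destroy),
    ("leapfrog to another host", rule_leapfrog),
]


def _strip_wrappers(argv):
    """Drop sudo/doas/nohup (and sudo's '-u USER') so the real program is inspected."""
    while argv and os.path.basename(argv[0]) in PRIVILEGE_WRAPPERS:
        argv = argv[1:]
        while argv and argv[0].startswith("-"):
            argv = argv[2:] if argv[0] == "-u" else argv[1:]
    return argv


def _segments(command):
    """Split 'a; b && c | d' into one argv list per simple command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    segments, current = [], []
    for tok in lexer:                       # raises ValueError on unbalanced quotes
        if tok in SEPARATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def filter_command(command: str) -> Tuple[bool, Optional[str]]:
    """Return (allowed, reason). Input the lexer cannot parse is denied, not guessed at."""
    try:
        segments = _segments(command)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    for argv in segments:
        argv = _strip_wrappers(argv)
        if not argv:
            continue
        for reason, rule in DENY_RULES:
            if rule(argv):
                return False, f"{reason}: {' '.join(argv)}"
    return True, None


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ["ls -la /var/log", "rm -rf *.*", "sudo rm -rf /", "ls; rm -rf /", "ssh 10.0.0.9"]:
        print(f"{cmd!r:22} -> {filter_command(cmd)}")
```

Two design points carry over to any real filter: every simple command in a chained line is checked, so a destructive command cannot hide behind a harmless one, and a line the lexer cannot parse is denied rather than allowed, because a filter that fails open is no filter at all.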
