Securing Assets Against
Malicious Internal Users
Through Tiered Access
Joel M. Leo – 3/22/2018
Insomnihack 2018 - Securing Assets Against Malicious Internal
Users Through Tiered Access -© 2018 Joel M. Leo
Disclaimer
This presentation represents my own experience, thoughts, and
opinions and is not representative of Gap, Inc.’s opinions or positions.
This presentation is not endorsed or approved by Gap, Inc., nor does
Gap, Inc. assume any responsibility or liability for the content, accuracy
or completeness of the information presented.
About me
• Live and work in Honolulu, Hawaii
• Principal Systems Engineer and Active Directory Architect for Gap, Inc.
• Trainer for ADSecurity.org ( https://www.adsecurity.org )
• Principal Consultant for Hi Tech Hui ( https://www.hitechhui.com )
• Consultant for several other organizations, focusing primarily on Active Directory
@joelmleo
https://www.linkedin.com/in/joelmleo
Contents
• Background
• Addressing the Problem Through Tiered Access
• Important Considerations
• Pitfalls
• Alternatives
• Conclusion
• Q&A
• Resources for Further Research
Background
What’s the problem Earthman?
Insider Threats are Real
I’ll take “Things I Already Knew” for $1,000, Alex
• 90% of organizations feel vulnerable to insider attacks [1]
• Organizations surveyed indicate “users with excessive privileges” is the highest risk factor (37%)
for insider threats [2]
• Insider threats are cited as the second highest concern (after ransomware), while “User
credentials and privileged accounts represented the most common data types” exfiltrated [3]
• US CERT has an Insider Threat Center to “conduct empirical research and analysis to develop
solutions that combat insider threats” [4]
• Edward Snowden [no citation needed]
[1],[2] – Insider Threat Report 2018, by Crowd Research Partners http://crowdresearchpartners.com/portfolio/insider-threat-report/
[3] – SANS 2017 Data Protection Survey – SANS https://www.sans.org/reading-room/whitepapers/analyst/sensitive-data-risk-2017-data-protection-survey-37950
[4] – Carnegie Mellon University Software Engineering Institute - https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=91513
Problem Statement
Network deployments often leave administrative resources and accounts
exposed to abuse from inside the organization. Perimeter measures, such as
firewalls, do not mitigate these risks. Other tools, including endpoint
protection, alerting, etc., have varying levels of efficacy taken on their own.
By segregating administrative accounts and resources from standard
accounts and resources, and separating administrative responsibilities and
infrastructure into “tiers,” we can greatly improve our organization’s security
posture, helping to prevent internal misuse.
However, there are numerous pitfalls that can result in a feeling of security
without actual improved security. I’ll try to help you avoid them.
These concerns are OS agnostic, but I’ll be focusing on Microsoft-based
problems and solutions, with a particular focus on Active Directory and
administrators that have control over the domains. Other operating
systems will have their own concerns and methodologies to which
this conceptual framework can be applied.
Killchain
Image credit: Microsoft
https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats
Null Tier, aka “The Swamp”
Null Tier Admin
Null Tier Admin Compromise
Addressing the Problem Through
Tiered Access
What Is Tiered Access?
“Tiered access” in this context means:
A system by which administrative access to applications and infrastructure is
separated from normal user access through “tiers,” improving security by
controlling the flow of administrative access to, within, and between tiers.
A “tier” is a logical collection of roles, responsibilities, resources and infrastructure
that work together to deliver a service in a relatively secure fashion, separated from
other tiers and from non-admin users and computers through policy and technical
controls.
The fundamental goal is to ensure that different tiers and regular users cannot mix, to help
protect against pass-the-hash/pass-the-ticket (PtH/PtT) and to limit exposure in the case of a compromise.
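As an added illustration of that goal (example code, not from the deck): a small PowerShell tier model that takes successful-logon records in the shape of Security event 4624 and flags every credential-exposing logon where the account's tier and the host's tier differ. The tier numbers, group names, host names and the sample records are all assumptions; live, the group map would come from Get-ADGroupMember -Recursive and the records from Get-WinEvent on the hosts or a log collector.

```powershell
# Added example, not part of the original deck. Tiers, group names, host names and the
# logon records below are constructed assumptions for illustration.
# Tier 0 = domain controllers and AD admins, Tier 1 = servers, Tier 2 = workstations.

# Which tier an admin group belongs to.
$AccountTiers = @{
    'Tier0-Admins' = 0
    'Tier1-Admins' = 1
    'Tier2-Admins' = 2
}

# Which tier a host belongs to (bastion hosts/PAWs sit inside the tier they serve).
$HostTiers = @{
    'DC01'      = 0
    'T0-PAW01'  = 0
    'SRV01'     = 1
    'T1-JUMP01' = 1
    'WS0042'    = 2
}

# Group membership, account -> groups. Live: build this with Get-ADGroupMember -Recursive.
$Membership = @{
    'adm-alice-t0' = @('Tier0-Admins')
    'adm-bob-t1'   = @('Tier1-Admins')
    'adm-carol-t2' = @('Tier2-Admins')
    'alice'        = @()     # ordinary user account, no admin tier
}

# Logon types that leave a session or reusable credential on the host:
# 2 = interactive, 4 = batch, 5 = service, 10 = RemoteInteractive (RDP), 11 = cached interactive.
$CredentialExposingLogonTypes = 2, 4, 5, 10, 11

function Get-AccountTier {
    param([string]$Account)
    $tiers = @(foreach ($g in $Membership[$Account]) {
        if ($AccountTiers.ContainsKey($g)) { $AccountTiers[$g] }
    })
    if ($tiers.Count -eq 0) { return $null }           # not an admin account in any tier
    return ($tiers | Measure-Object -Minimum).Minimum  # most privileged tier wins
}

function Find-TierViolation {
    # $Events: objects carrying the 4624 fields Computer, TargetUserName and LogonType.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($CredentialExposingLogonTypes -notcontains $e.LogonType) { continue }
        $acctTier = Get-AccountTier $e.TargetUserName
        if ($null -eq $acctTier) { continue }          # ordinary users are outside the model
        if (-not $HostTiers.ContainsKey($e.Computer)) {
            [pscustomobject]@{ Account = $e.TargetUserName; Host = $e.Computer; LogonType = $e.LogonType; Reason = 'host not assigned to a tier' }
            continue
        }
        $hostTier = $HostTiers[$e.Computer]
        if ($acctTier -ne $hostTier) {
            $reason = if ($acctTier -lt $hostTier) {
                "Tier $acctTier credential exposed on Tier $hostTier host"      # the PtH/PtT case
            } else {
                "Tier $acctTier account holds a session on Tier $hostTier host" # lower tier reaching up
            }
            [pscustomobject]@{ Account = $e.TargetUserName; Host = $e.Computer; LogonType = $e.LogonType; Reason = $reason }
        }
    }
}

# Constructed sample records. Live: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}
# and read TargetUserName/LogonType from each event's XML.
$Sample = @(
    [pscustomobject]@{ Computer = 'T0-PAW01'; TargetUserName = 'adm-alice-t0'; LogonType = 2  }  # fine
    [pscustomobject]@{ Computer = 'DC01';     TargetUserName = 'adm-alice-t0'; LogonType = 10 }  # fine
    [pscustomobject]@{ Computer = 'WS0042';   TargetUserName = 'adm-alice-t0'; LogonType = 10 }  # Tier 0 cred on a workstation
    [pscustomobject]@{ Computer = 'DC01';     TargetUserName = 'adm-bob-t1';   LogonType = 3  }  # network logon, ignored
    [pscustomobject]@{ Computer = 'DC01';     TargetUserName = 'adm-carol-t2'; LogonType = 2  }  # Tier 2 admin on a DC
    [pscustomobject]@{ Computer = 'WS0042';   TargetUserName = 'alice';        LogonType = 2  }  # ordinary user, ignored
    [pscustomobject]@{ Computer = 'FILE07';   TargetUserName = 'adm-bob-t1';   LogonType = 2  }  # host nobody classified
)

Find-TierViolation -Events $Sample | Format-Table -AutoSize
```

Only logon types that leave a session or a reusable credential on the host are evaluated; a Tier 1 admin's network logon to a DC (SYSVOL, LDAP) is normal and is skipped. Both directions are violations: a Tier 0 credential on a Tier 2 workstation is the PtH/PtT case, while a Tier 2 admin holding a session on a DC means the lower tier controls the upper one. A host that is not in the tier map is reported too, because an unclassified host is where mixing happens unnoticed.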
Tiered Access High-Level Requirements
• Defined tiers with all elements (servers, software, storage etc.) necessary to
deliver a service
• Based on org’s administrative responsibilities
• AD
• Storage
• Workstations
• Servers
• Etc.
• Clearly-defined administrative boundaries
• Policy controls
• Technical controls
Security Slide Rule
The more security you have the less usability you have, and vice versa.
You need to identify the best balance of security and usability for your organization
Summary of Tiered Access
(Diagram of the tiers, labelled Yellow Tier and Green Tier)
Admin Compromise, Interrupted
Extended Tiering Model
Important Considerations
Successfully implementing tiered access requires coordination across multiple
domains with orchestration between multiple technologies and concepts
Important Considerations 0x0
• Security requirements of the org are key
• Reference the security slide rule. Where do your org’s needs lie?
• Requires ongoing executive support
• Should be considered a tactic within a larger security strategy
• Organizational security policies need to be considered and potentially modified
• The first/highest tier should be your domain controllers/domain admins
• Addressing these first nets the biggest bang for the buck (or CHF) from a security perspective
• Scope needs to be reasoned and clearly defined
• “Scope creep” is a real thing
• Language and nomenclature used needs to be consistent and understood
throughout the org
• “Red/Yellow/Green tier” vs. “Tier 0/1/2” vs. “Tier 2/1/0” etc.
Important Considerations 0x1
• Trust needs to be established appropriately
• And revoked! Full role lifecycle management all the way through is requisite
• RBAC is a huge component of this concept
• If a technology doesn’t support RBAC toss it in the bin!
• There will be some bleed-through between tiers that may need to be
addressed
• E.g. virtualized domain controllers: who controls access to the files that
comprise the VM? Should it be your domain admins, virtualization admins or
storage admins? Root (hint: no)?
• Support stack needs to be clear
• All should know which support group to talk to for issues at the different tiers
Important Considerations 0x2
• Automate, automate, automate all the things, as much as possible
• Self-service with structured approvals is handy
• Bastion hosts/jump boxes
• Hardened servers available only to members of the appropriate tier, which have
access through technical controls to the appropriate admin interfaces and networks
• Bastion workstations
• Hardened workstations that only allow access to appropriate tier accounts and
bastion hosts over appropriate networks
• Credential Guard, Device Guard, endpoint protection, close monitoring etc.
• Management (updates, config, etc.) should be separate from standard workstations
• Yes, this means admins may need multiple workstations
• SIEM/monitoring/alerting/defense is critical
• Documentation is critical (design documents, role runbooks, etc.)
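The technical control that keeps a higher tier's accounts off lower-tier hosts is usually a set of “Deny log on …” user rights assigned through GPO to the computers of each lower tier. This added PowerShell example (not from the deck) parses a host's exported security policy and reports each required deny right that is missing a tier group. The group SIDs and the sample export are constructed; the live commands are in the comments at the end.

```powershell
# Added example, not from the original deck. The group SIDs and the sample policy
# text are constructed assumptions.
#
# On a Tier 2 workstation the GPO should place the Tier 0 and Tier 1 admin groups in
# every "deny" user right so that their credentials can never land there.

$Tier0Sid = 'S-1-5-21-1004336348-1177238915-682003330-1105'   # assumed SID of Tier0-Admins
$Tier1Sid = 'S-1-5-21-1004336348-1177238915-682003330-1106'   # assumed SID of Tier1-Admins

# Right name (as secedit writes it) -> SIDs that must be present in it on this class of host.
$RequiredDenies = @{
    'SeDenyInteractiveLogonRight'       = @($Tier0Sid, $Tier1Sid)  # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight' = @($Tier0Sid, $Tier1Sid)  # Deny log on through Remote Desktop Services
    'SeDenyNetworkLogonRight'           = @($Tier0Sid, $Tier1Sid)  # Deny access to this computer from the network
    'SeDenyBatchLogonRight'             = @($Tier0Sid, $Tier1Sid)  # Deny log on as a batch job
    'SeDenyServiceLogonRight'           = @($Tier0Sid, $Tier1Sid)  # Deny log on as a service
}

function ConvertFrom-SeceditUserRights {
    # Parse the [Privilege Rights] section of a secedit export into right -> [principal].
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            # secedit writes SIDs as *S-1-5-... and a few well-known principals by name.
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-TierDenyRights {
    # One row per (right, SID) pair the tier policy requires; Enforced is $false when missing.
    param([hashtable]$Effective, [hashtable]$Required)
    foreach ($right in $Required.Keys) {
        $present = @($Effective[$right])
        foreach ($sid in $Required[$right]) {
            [pscustomobject]@{ Right = $right; Sid = $sid; Enforced = ($present -contains $sid) }
        }
    }
}

# Constructed sample export: the RDS deny forgot Tier 1, and the batch/service denies
# are missing entirely, so a Tier 0 scheduled task could still run on this workstation.
$SampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1004336348-1177238915-682003330-1105,*S-1-5-21-1004336348-1177238915-682003330-1106
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1004336348-1177238915-682003330-1105
SeDenyNetworkLogonRight = *S-1-5-21-1004336348-1177238915-682003330-1105,*S-1-5-21-1004336348-1177238915-682003330-1106,Guest
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$effective = ConvertFrom-SeceditUserRights -Lines $SampleExport
Test-TierDenyRights -Effective $effective -Required $RequiredDenies |
    Where-Object { -not $_.Enforced } | Format-Table -AutoSize

# Live, on the host under test (elevated prompt):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $effective = ConvertFrom-SeceditUserRights -Lines (Get-Content "$env:TEMP\rights.inf" -Encoding Unicode)
# Resolve the real group SIDs with:
#   ([System.Security.Principal.NTAccount]'CONTOSO\Tier0-Admins').Translate([System.Security.Principal.SecurityIdentifier]).Value
```

The check is deliberately about the effective policy on the host rather than the GPO, because a GPO that is unlinked, filtered out or overridden by a later-linked policy looks fine in the console and still leaves the host open. The same function set, with a different $RequiredDenies table, covers Tier 1 servers (deny Tier 0 only) and the bastion hosts of each tier (deny everyone but that tier's group).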
Important Considerations 0x3
• Which environments are in-scope?
• AD DFL/FFL, supported DC OS, physical sites, etc.
• Available technical controls
• GPO, startup/shutdown/logon/logoff scripts, SCOM/SCCM, IPSec, MFA etc.
• Which technologies should be considered, utilized, & addressed
• Compute, networking, storage, virtualization, cloud, automation, identity
management, UEBA, SIEM, etc.
• Security is never done. There is no “secured,” only more or less secure
• This is not a panacea – still need to follow general best practices
around automation, user management, patching, configuration
management, endpoint protection etc.
Pitfalls
Pitfalls 0x0
Or: oh, the things I’ve seen 0.o
• Thinking this makes you “secure”
• There is no such thing as “secure.”
• Dictating action instead of planning collaboratively
• Mushy tier definition
• Tiers should be clearly defined and documented
• Incomplete execution
• Half measures can leave you in a poor state
Pitfalls 0x1
• “Fire and Forget”
• Review the infra and execution on a regular basis to ensure you’re meeting
your goals and to see if there is room for improvement
• Insufficient documentation
• Documentation should be considered “living” and be validated as complete,
then kept up to date over time as things evolve
• Insufficient training
• Along with documentation should come training. Admins’ processes will
change in potentially dramatic fashion
Pitfalls 0x2
• No/insufficient monitoring
• No news is good news, right? Right?
• All ‘permit’ and no ‘deny’
• Implicit/explicit deny. Saying something shouldn’t be done isn’t the same as
preventing it from being done.
• Bespoke ACLs
• ACLs should be clearly defined and should grant/deny based on groups, not
individual accounts. Customizing ACLs ad hoc can expose the org more than is
immediately clear.
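As an added PowerShell example (not from the deck) of hunting for bespoke ACLs: it walks an OU and reports every explicit ACE that grants rights to an individual user or computer account, or to a SID that no longer resolves, instead of to a group. The OU path is an assumption; it needs the ActiveDirectory module in a domain-joined session.

```powershell
# Added example, not from the original deck. The OU path is an assumption.
Import-Module ActiveDirectory

$Scope     = 'OU=Tier0,DC=contoso,DC=com'     # assumed: the OU tree to audit
$DomainSid = (Get-ADDomain).DomainSID.Value

function Get-BespokeAce {
    # Non-inherited ACEs on one AD object whose trustee is not a group.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }        # inherited ACEs are judged where they are set
        $id = $ace.IdentityReference
        try {
            $sid = if ($id -is [System.Security.Principal.SecurityIdentifier]) { $id } else { $id.Translate([System.Security.Principal.SecurityIdentifier]) }
        } catch { $sid = $null }

        if ($null -eq $sid) {
            $class = 'unresolvable name'
        } else {
            $obj = Get-ADObject -Filter "objectSid -eq '$($sid.Value)'" -Properties objectClass
            if ($obj) { $class = $obj.objectClass }
            elseif ($sid.Value -like "$DomainSid-*") { $class = 'orphaned SID' }   # deleted principal left in the ACL
            else { continue }                                                     # well-known SID: SYSTEM, SELF, Everyone...
        }
        if ($class -eq 'group' -or $class -eq 'foreignSecurityPrincipal') { continue }

        [pscustomobject]@{
            Object   = $DistinguishedName
            Identity = "$id"
            Class    = $class
            Rights   = $ace.ActiveDirectoryRights
            Type     = $ace.AccessControlType
        }
    }
}

# Every object in the scope, including the OU itself.
Get-ADObject -SearchBase $Scope -SearchScope Subtree -Filter * |
    ForEach-Object { Get-BespokeAce -DistinguishedName $_.DistinguishedName } |
    Format-Table -AutoSize
```

Run it over the Tier 0 OUs first, then over CN=AdminSDHolder,CN=System in each domain, since that object's ACL is stamped onto every protected group and account and is a favourite spot for a one-off grant that nobody remembers. Deny ACEs for individual accounts show up as well; those are usually someone's emergency fix and deserve a group of their own too.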
Pitfalls 0x3
• Incomplete application of policy and/or technical controls
• Restricted Groups vs. GPP for controlling local group membership
• A Restricted Groups “Members of this group” setting enforces the exact membership
on every policy refresh; a GPP Local Users and Groups item only adds the members
listed unless its “Delete all member users/groups” options are set, so stray local admins survive
• Not addressing existing sensitive group memberships and permissions
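Added PowerShell (not from the deck) for the last two bullets: it lists members of the built-in Tier 0 groups who are not in the one group the tier model allows, user accounts still carrying adminCount=1 from a protected-group membership they no longer have, and drift in a host's local Administrators group. The names Tier0-Admins and CONTOSO\Tier1-Admins are assumptions; the AD parts need the ActiveDirectory module, the local part needs the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the original deck. Group names are assumptions.
Import-Module ActiveDirectory

# Built-in groups whose members control the domain (Tier 0), plus the operator groups
# that can be used to get there. All of these are protected by AdminSDHolder.
$Tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
               'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

$ApprovedTier0Group = 'Tier0-Admins'   # assumed: the only group allowed to hold Tier 0 rights

function Get-CurrentTier0Member {
    # Flattened membership of every Tier 0 group that exists in this domain.
    foreach ($g in $Tier0Groups) {
        $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $grp) { continue }   # Enterprise/Schema Admins only exist in the forest root
        Get-ADGroupMember -Identity $grp -Recursive |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_ } }
    }
}

function Get-UnexpectedTier0Member {
    # Anyone with Tier 0 rights who did not get them through the approved group.
    $approved = @(Get-ADGroupMember -Identity $ApprovedTier0Group -Recursive |
                  Select-Object -ExpandProperty distinguishedName)
    Get-CurrentTier0Member |
        Where-Object { $approved -notcontains $_.Member.distinguishedName } |
        ForEach-Object {
            [pscustomobject]@{ Group = $_.Group; Member = $_.Member.SamAccountName; Class = $_.Member.objectClass; DN = $_.Member.distinguishedName }
        }
}

function Get-OrphanedAdminCount {
    # Accounts removed from a protected group keep adminCount=1 and the AdminSDHolder ACL,
    # with inheritance still disabled, until someone resets them by hand.
    $protectedNow = @(Get-CurrentTier0Member | ForEach-Object { $_.Member.distinguishedName })
    Get-ADObject -LDAPFilter '(&(adminCount=1)(objectCategory=person)(!(sAMAccountName=krbtgt)))' |
        Where-Object { $protectedNow -notcontains $_.DistinguishedName } |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Test-LocalAdministrators {
    # Local Administrators on this host versus what the tier policy allows (assumed list
    # for a Tier 1 server). Run on each host, or wrap in Invoke-Command for a fleet.
    param([string[]]$Allowed = @('CONTOSO\Tier1-Admins', "$env:COMPUTERNAME\Administrator"))
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

Get-UnexpectedTier0Member | Format-Table -AutoSize
Get-OrphanedAdminCount    | Format-Table -AutoSize
Test-LocalAdministrators  | Format-Table -AutoSize
```

The first report is the list you need before tier 0 is "done": every row is either a group nesting to unwind or an account to move into the approved group (and onto a Tier 0 workstation). The orphaned adminCount report matters because those accounts still have the hardened ACL and no inheritance, so the delegation you set on their OU never reaches them. The local check is what a Restricted Groups "Members of this group" policy would have fixed on the next refresh; if it keeps finding extras, the GPP item is additive and needs its delete options turned on.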
Pitfalls 0x4
• Reusing existing management infra for bastion hosts/workstations
• These should be managed separately. If nothing else, ensure
automation/management creds between tiers aren’t shared (SCOM “runas”
and service accounts for instance)
• Attempting a “big bang” in existing environments
• Tiered access can and should be approached in phases/stages/milestones
• Go for the big ticket items first: domain controllers/domain admins
Alternatives?
• “Air-gapped” administration model
• “Zero Trust”
• Temporal group membership
• Protected Users Group
• “Red Forest”
• Credential Guard
• Device Guard
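Two of those alternatives sit comfortably alongside tiering rather than replacing it. This added example (not from the deck) enables the Privileged Access Management optional feature, grants a time-limited Domain Admins membership, and places the Tier 0 admin accounts into Protected Users. The account and group names are assumptions, and the forest must be at the Windows Server 2016 forest functional level or higher for the optional feature.

```powershell
# Added example, not from the original deck. Account and group names are assumptions.
Import-Module ActiveDirectory

$Forest = (Get-ADForest).Name

# One-time: turn on time-bound group membership. Like other optional features this
# cannot be turned off again, and it needs Enterprise Admins to enable.
$pam = Get-ADOptionalFeature -Filter "name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $Forest
}

function Grant-TemporaryTier0 {
    # Add an account to a Tier 0 group for a limited time. AD drops the link when the
    # TTL expires, and Kerberos tickets issued meanwhile are capped to the remaining TTL.
    param(
        [Parameter(Mandatory)][string]$Account,
        [string]$Group = 'Domain Admins',
        [int]$Hours = 2
    )
    Add-ADGroupMember -Identity $Group -Members $Account -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    # Members with a TTL show up as <TTL=seconds,CN=...> so the remaining time is visible.
    Get-ADGroup -Identity $Group -Property member -ShowMemberTimeToLive |
        Select-Object -ExpandProperty member
}

# Tier 0 admin accounts also belong in Protected Users (assumed group name Tier0-Admins).
$protected = @(Get-ADGroupMember -Identity 'Protected Users' | Select-Object -ExpandProperty distinguishedName)
Get-ADGroupMember -Identity 'Tier0-Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $protected -notcontains $_.distinguishedName } |
    ForEach-Object { Add-ADGroupMember -Identity 'Protected Users' -Members $_ }

Grant-TemporaryTier0 -Account 'adm-alice-t0' -Hours 1
```

The standing membership of Domain Admins can then be close to empty, which is what makes the group audit on the previous slides tractable. Protected Users removes NTLM, DES/RC4 Kerberos keys, delegation and cached logons for its members, so keep service accounts and the break-glass account out of it, and test each admin's tooling before adding them, since anything that still needs NTLM will stop working.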
Conclusion
Implementing the tiered access concept is challenging, cutting across a
number of different technologies, organizational elements, and
organizational concerns, but it can result in greatly improved security for the
organization that implements the concept well.
• Take the “Important Considerations” section into account before you
implement, preferably in the design phase
• Even after implementation, the “Pitfalls” section can help you identify
areas where your implementation may have fallen short, so they can be
addressed in the future
• Sometimes, the completed implementation barely resembles the original
design. If it works and provides the desired functionality and security,
update your documentation and go with it!
Q&A
@joelmleo
https://www.linkedin.com/in/joelmleo

"Choosing proper type of scaling", Olena Syrota
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
A Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's ArchitectureA Deep Dive into ScyllaDB's Architecture
A Deep Dive into ScyllaDB's Architecture
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Session 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdfSession 1 - Intro to Robotic Process Automation.pdf
Session 1 - Intro to Robotic Process Automation.pdf
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin..."$10 thousand per minute of downtime: architecture, queues, streaming and fin...
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

Insomnihack 2018 - Securing Internal Resources Through Tiered Access

1. Securing Assets Against Malicious Internal Users Through Tiered Access
Joel M. Leo – 3/22/2018
Insomnihack 2018 - Securing Assets Against Malicious Internal Users Through Tiered Access - © 2018 Joel M. Leo

2. Disclaimer
This presentation represents my own experience, thoughts, and opinions and is not representative of Gap, Inc.’s opinions or positions. This presentation is not endorsed or approved by Gap, Inc., nor does Gap, Inc. assume any responsibility or liability for the content, accuracy or completeness of the information presented.

3. About me
• Live and work in Honolulu, Hawaii
• Principal Systems Engineer and Active Directory Architect for Gap, Inc.
• Trainer for ADSecurity.org ( https://www.adsecurity.org )
• Principal Consultant for Hi Tech Hui ( https://www.hitechhui.com )
• Consultant for several other organizations, focusing primarily on Active Directory
@joelmleo
https://www.linkedin.com/in/joelmleo

4. Contents
• Background
• Addressing the Problem Through Tiered Access
• Important Considerations
• Pitfalls
• Alternatives
• Conclusion
• Q&A
• Resources for Further Research

5. Background
What’s the problem Earthman?

6. Insider Threats are Real
I’ll take “Things I Already Knew” for $1,000, Alex
• 90% of organizations feel vulnerable to insider attacks [1]
• Organizations surveyed indicate “users with excessive privileges” is the highest risk factor (37%) for insider threats [2]
• Insider threats are cited as the second highest concern (after ransomware), while “User credentials and privileged accounts represented the most common data types” exfil’d [3]
• US CERT has an Insider Threat Center to “conduct empirical research and analysis to develop solutions that combat insider threats” [4]
• Edward Snowden [no citation needed]
[1],[2] – Insider Threat Report 2018, by Crowd Research Partners: http://crowdresearchpartners.com/portfolio/insider-threat-report/
[3] – SANS 2017 Data Protection Survey, SANS: https://www.sans.org/reading-room/whitepapers/analyst/sensitive-data-risk-2017-data-protection-survey-37950
[4] – Carnegie Mellon University Software Engineering Institute: https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=91513

7. Problem Statement
Network deployments often leave administrative resources and accounts exposed to abuse from inside the organization. Perimeter measures, such as firewalls, do not mitigate these risks. Other tools, including endpoint protection, alerting, etc., have varying levels of efficacy taken on their own.
By segregating administrative accounts & resources away from standard accounts & resources, and separating administrative responsibilities and infrastructure into “tiers,” we can greatly improve our organization’s security posture, helping to prevent internal misuse. However, there are numerous pitfalls that can result in the feels of security without actual improved security. I’ll try to help you avoid them.

8. These concerns are OS agnostic, but I’ll be focusing on Microsoft-based problems and solutions, with a particular focus on Active Directory and administrators that have control over the domains. Other operating systems will have their own concerns and methodologies against which this conceptual framework can be leveraged.

9. Killchain
(Diagram) Image credit: Microsoft https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats

10. Null Tier, aka “The Swamp”

11. Null Tier Admin
(Diagram; label: T3h intertubes)

12. Null Tier Admin Compromise

13. Addressing the Problem Through Tiered Access

14. What Is Tiered Access?
“Tiered access” in this context means: a system by which administrative access to applications and infrastructure is separated from normal user access through “tiers,” improving security by controlling the flow of administrative access to, within, and between tiers.
A “tier” is a logical collection of roles, responsibilities, resources and infrastructure that work together to deliver a service in a relatively secure fashion, separated from other tiers and non-admin users and computers through policy and technical controls.
The fundamental goal is to ensure different tiers and regular users cannot mix, to help protect against PtH/PtT and to limit exposure in the case of a compromise.

15. Tiered Access High-Level Requirements
• Defined tiers with all elements (servers, software, storage etc.) necessary to deliver a service
• Based on org’s administrative responsibilities
  • AD
  • Storage
  • Workstations
  • Servers
  • Etc.
• Clearly-defined administrative boundaries
  • Policy controls
  • Technical controls

16. Security Slide Rule
The more security you have the less usability you have, and vice versa.
(Slider diagram with ends labelled Usability and Security)
You need to identify the best balance of security and usability for your organization.

17. Summary of Tiered Access
(Diagram showing a Yellow Tier and a Green Tier)

18. Admin Compromise, Interrupted

19. Extended Tiering Model

20. Important Considerations
Successfully implementing tiered access requires coordination across multiple domains with orchestration between multiple technologies and concepts.

21. Important Considerations 0x0
• Security requirements of the org are key
  • Reference the security slide rule. Where do your org’s needs lie?
• Requires ongoing executive support
• Should be considered a tactic within a larger security strategy
• Organizational security policies need to be considered and potentially modified
• The first/highest tier should be your domain controllers/domain admins
  • Addressing these first nets the biggest bang for the buck (or CHF) from a security perspective
• Scope needs to be reasoned and clearly defined
  • “Scope creep” is a real thing
• Language and nomenclature used needs to be consistent and understood throughout the org
  • “Red/Yellow/Green tier” vs. “Tier 0/1/2” vs. “Tier 2/1/0” etc.

22. Important Considerations 0x1
• Trust needs to be established appropriately
  • And revoked! Full role lifecycle management all the way through is requisite
• RBAC is a huge component of this concept
  • If a technology doesn’t support RBAC, toss it in the bin!
• There will be some bleed-through between tiers that may need to be addressed
  • E.g. virtualized domain controllers: how do you control access to the files that comprise the VM? Should it be your domain admins, virtualization admins or storage admins? Root (hint: No)?
• Support stack needs to be clear
  • All should know which support group to talk to for issues at the different tiers

23. Important Considerations 0x2
• Automate, automate, automate all the things, as much as possible
  • Self-service with structured approvals is handy
• Bastion hosts/jump boxes
  • Hardened servers available only to members of the appropriate tier, which have access through technical controls to the appropriate admin interfaces and networks
• Bastion workstations
  • Hardened workstations that only allow access to appropriate tier accounts and bastion hosts over appropriate networks
  • Credential Guard, Device Guard, endpoint protection, close monitoring etc.
  • Management (updates, config, etc.) should be separate from standard workstations
  • Yes, this means admins may need multiple workstations
• SIEM/monitoring/alerting/defense is critical
• Documentation is critical (design documents, role runbooks, etc.)

24. Important Considerations 0x3
• Which environments are in-scope?
  • AD DFL/FFL, supported DC OS, physical sites, etc.
• Available technical controls
  • GPO, startup/shutdown/logon/logoff scripts, SCOM/SCCM, IPSec, MFA etc.
• Which technologies should be considered, utilized, & addressed
  • Compute, networking, storage, virtualization, cloud, automation, identity management, UEBA, SIEM, etc.
• Security is never done. There is no “secured,” only more or less secure
• This is not a panacea – you still need to follow general best practices around automation, user management, patching, configuration management, endpoint protection etc.

25. Pitfalls

26. Pitfalls 0x0
Or: oh, the things I’ve seen 0.o
• Thinking this makes you “secure”
  • There is no such thing as “secure.”
• Dictating action instead of collaborative planning
• Mushy tier definition
  • Tiers should be clearly defined and documented
• Incomplete execution
  • Half measures can leave you in a poor state

27. Pitfalls 0x1
• “Fire and Forget”
  • Review the infra and execution on a regular basis to ensure you’re meeting your goals and to see if there is room for improvement
• Insufficient documentation
  • Documentation should be considered “living” and be validated as complete, then kept up to date over time as things evolve
• Insufficient training
  • Along with documentation should come training. Admins’ processes will change in potentially dramatic fashion
28. Pitfalls 0x2
• No/insufficient monitoring
  • No news is good news, right? Right?
• All ‘permit’ and no ‘deny’
  • Implicit/explicit deny. Saying something shouldn’t be done isn’t the same as preventing it from being done.
• Bespoke ACLs
  • ACLs should be clearly defined and should grant/deny based on groups, not individual accounts. Customizing ACLs ad hoc can expose the org more than is immediately clear.
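The “all permit and no deny” pitfall above, together with the GPO user-rights control listed under Important Considerations 0x3, is what the following added example demonstrates. It is not code from the presentation or from Microsoft. It builds a local security template that explicitly denies the Tier 0 groups every logon type on a Tier 1 or Tier 2 host, applies it with secedit, then re-exports the effective policy and confirms that each deny right really lists every Tier 0 SID. The group names are the built-in AD ones; the working directory under $env:TEMP, the function name Test-Tier0Denies and the choice to deny only the three domain-level admin groups are assumptions for this example. In production the same five deny rights belong in a GPO linked to the Tier 1 and Tier 2 OUs rather than in a per-host template; the verification half is the part worth keeping as a recurring check.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ActiveDirectory
# Added example, not from the presentation: explicit Tier 0 logon denies on a
# Tier 1 / Tier 2 host, applied with a local security template and verified
# by re-exporting the effective policy.

# Safety check: a domain controller is Tier 0; denying Domain Admins there
# would lock out its own administrators. ProductType 2 = domain controller.
if ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2) {
    throw 'This template is for Tier 1/Tier 2 hosts only; refusing to run on a domain controller.'
}

# Tier 0 principals to deny. Built-in AD group names; SIDs are resolved at run
# time rather than hard-coded. Local Administrators is deliberately absent:
# it is tier-local and must keep working.
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$tier0Sids   = foreach ($g in $tier0Groups) { (Get-ADGroup -Identity $g).SID.Value }

# Deny rights win over allow rights, which is what makes these an explicit
# deny rather than a "we never granted it" implicit one.
$denyRights = @(
    'SeDenyNetworkLogonRight',           # Deny access to this computer from the network
    'SeDenyInteractiveLogonRight',       # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight', # Deny log on through Remote Desktop Services
    'SeDenyBatchLogonRight',             # Deny log on as a batch job
    'SeDenyServiceLogonRight'            # Deny log on as a service
)

# secedit templates list SIDs with a leading asterisk, comma separated.
$sidList = ($tier0Sids | ForEach-Object { "*$_" }) -join ','
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
"@
foreach ($r in $denyRights) { $inf += "`r`n$r = $sidList" }

$work = Join-Path $env:TEMP 'tier0-deny'            # assumed working directory
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'tier0-deny.inf'
$dbPath  = Join-Path $work 'tier0-deny.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Apply only the user-rights area so no other local policy setting is touched.
secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# Verification: export what is now in effect and check that every deny right
# lists every Tier 0 SID. A missing SID is the "incomplete application of
# technical controls" pitfall, caught here instead of by an attacker.
function Test-Tier0Denies {
    param([string[]]$Rights, [string[]]$Sids, [string]$ExportPath)
    secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
    $effective = Get-Content -Path $ExportPath
    foreach ($r in $Rights) {
        $line = $effective | Where-Object { $_ -match "^$r\s*=" } | Select-Object -First 1
        foreach ($sid in $Sids) {
            if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) {
                [pscustomobject]@{ Right = $r; MissingSid = $sid }
            }
        }
    }
}

$missing = Test-Tier0Denies -Rights $denyRights -Sids $tier0Sids -ExportPath (Join-Path $work 'effective.inf')
if ($missing) {
    $missing | Format-Table -AutoSize
    throw 'Tier 0 deny rights were not fully applied'
}
Write-Host "Tier 0 logon denies verified on $env:COMPUTERNAME"
```

Two caveats a practitioner will hit: secedit sets each listed right to exactly the SIDs in the template, so any deny entries the host already had for those rights are replaced (export first and merge them in), and a deny on SeDenyServiceLogonRight will stop any service that was quietly running as a Domain Admin, which is usually a finding in itself rather than a reason to skip the deny.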
29. Pitfalls 0x3
• Incomplete application of policy and/or technical controls
• Restricted Groups vs. GPP for controlling local group membership
• Not addressing existing sensitive group memberships and permissions
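The third bullet above, existing sensitive group memberships and permissions, tends to be left alone because nobody has an inventory. The following added example (not the presentation’s code) produces one with the ActiveDirectory module: it expands the membership of the built-in groups that confer control of the directory, flags members whose account does not sit under the Tier 0 admin OU, and then walks the ACL of the domain root and of AdminSDHolder looking for non-inherited ACEs granted directly to a user rather than a group, which is the “bespoke ACL” pitfall from the previous slide. The OU path OU=Tier0,OU=Admin,… and the function names Get-SensitiveGroupReport and Get-UserScopedAces are assumptions for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the presentation: inventory sensitive AD group
# membership and per-user ACEs before (and periodically after) tiering.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$tier0AdminOU = "OU=Tier0,OU=Admin,$($domain.DistinguishedName)"   # assumed OU for Tier 0 accounts

# Built-in groups whose membership amounts to control of the directory.
$sensitiveGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins'
)

function Get-SensitiveGroupReport {
    param([string[]]$Groups, [string]$AdminOU)
    foreach ($g in $Groups) {
        $grp = Get-ADGroup -Filter "Name -eq '$g'"
        if (-not $grp) { continue }   # e.g. DnsAdmins is absent when DNS is not AD-integrated
        # -Recursive expands nested groups, so an indirect path to privilege
        # through a helpdesk or application group shows up as plainly as a direct one.
        foreach ($m in Get-ADGroupMember -Identity $grp -Recursive) {
            [pscustomobject]@{
                Group        = $g
                Member       = $m.SamAccountName
                ObjectClass  = $m.objectClass
                # An account outside the Tier 0 OU is either a migration leftover
                # or a bleed-through between tiers; either way it needs a decision.
                OutsideTier0 = ($m.distinguishedName -notlike "*,$AdminOU")
            }
        }
    }
}

function Get-UserScopedAces {
    param([string]$DistinguishedName, [string]$NetBiosDomain)
    # The ActiveDirectory module provides the AD: drive that Get-Acl reads.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                          # only ACEs set on this object
        $name = $ace.IdentityReference.Value                        # e.g. CONTOSO\jdoe
        if (-not $name.StartsWith("$NetBiosDomain\")) { continue }  # skip NT AUTHORITY, Everyone, etc.
        $sam = $name.Substring($NetBiosDomain.Length + 1)
        $obj = Get-ADObject -Filter "SamAccountName -eq '$sam'"
        if ($obj -and $obj.ObjectClass -eq 'user') {                # a group here would be fine
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $name
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
            }
        }
    }
}

$members = Get-SensitiveGroupReport -Groups $sensitiveGroups -AdminOU $tier0AdminOU
$members | Sort-Object Group, Member | Format-Table -AutoSize
$members | Where-Object OutsideTier0 |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'tier0-outsiders.csv')

# The domain root and AdminSDHolder are where a stray per-user ACE does the
# most damage, so they are checked first; extend $targets with your admin OUs.
$targets = @(
    $domain.DistinguishedName,
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
)
$targets | ForEach-Object { Get-UserScopedAces -DistinguishedName $_ -NetBiosDomain $domain.NetBIOSName } |
    Format-Table -AutoSize
```

Get-ADGroupMember -Recursive is known to fail on groups that contain foreign security principals from trusted domains or that exceed the server-side member limit; for those, read the member attribute with Get-ADGroup -Properties member and recurse by hand. Keep the CSV from each run: once Restricted Groups policy is in place, the difference between two runs is the cheapest detection there is for a membership that has been quietly added back.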
30. Pitfalls 0x4
• Reusing existing management infra for bastion hosts/workstations
  • These should be managed separately. If nothing else, ensure automation/management creds between tiers aren’t shared (SCOM “runas” and service accounts, for instance)
• Attempting “big bang” in existing environments
  • Tiered access can and should be approached in phases/stages/milestones
  • Go for the big ticket items first: domain controllers/domain admins

31. Alternatives?
• “Air-gapped” administration model
• “Zero Trust”
• Temporal group membership
• Protected Users Group
• “Red Forest”
• Credential Guard
• Device Guard

32. Conclusion
Implementing the tiered access concept is challenging, cutting across a number of different technologies, organizational elements, and organizational concerns, but can result in greatly improved security for the organization that implements the concept well.
• Take the “Important Considerations” section into account before you implement, preferably in the design phase
• Even after implementation, the “Pitfalls” section can help you identify areas where your implementation may have fallen short, so they can be addressed in the future
• Sometimes, the completed implementation barely resembles the original design. If it works and provides the desired functionality and security, update your documentation and go with it!

33. Q&A
@joelmleo
https://www.linkedin.com/in/joelmleo

Editor's Notes

  1. Side benefit of helping to prevent external compromise. Bill Cheswick from Bell Labs famously described years ago as “a crunchy shell around a soft, chewy center.”
  2. Spend some time discussing the killchain. Attempt to break the chain by ensuring highly privileged accounts have access to a limited subset of apps and infra.
  3. Environment is fairly default. User A logs in to his workstation with his domain user account; local administrator but not a domain admin. Workstation has a number of productivity applications. User A goes about his daily business for his employer.
  4. Admin A is on the admin team and as such is granted admin privileges across a broad swath of the org. Admin A grabs her coffee in the morning and logs in to her workstation. Her account is a local admin and is also a domain admin. Workstation has a number of applications she uses for her daily work: email, productivity apps as well as administrative tools, etc. Admin A goes about her daily business accessing applications and servers, fixing broken things and watching the occasional funny cat video on t3h intertubes.
  5. Multiple insider threat compromise scenarios (illustrated). 1) User A is actually Mr. Hackerman. Installs malicious software (he’s already a local admin per the previous slide) – keylogger, mimikatz, powershell empire, WSL running Kali etc. Requests assistance from Admin A, who being the helpful person she is, obliges by logging on with her account, which is a domain admin. Mr. Hackerman now has domain admin hash or creds, even if she rdp’d in. Mr. Hackerman can now reuse those creds maliciously. 2) Mr. Hackerman installs mitm llmnr (responder) etc. to catch creds on the network. 3)
  6. Tiered access helps secure access through restricting access to like-tiered accounts and resources: role accounts, bastion workstations, defined tiers (nomenclature varies). No access to lower tiers; no access from lower to higher tiers; some possible exceptions on a temporary and very limited basis. Regular user accounts are unable to access either tier, and tiered accounts are unable to access regular resources etc. Privsep/least privilege. Key point – regular users should not be greatly impacted by implementing tiered admin access.
  7. Bastion hosts: if there’s time, expand a bit on the concept. Resources in-tier: Red = domain controllers; Yellow = member servers; Green = workstations, tablets etc.
  8. All can be pieces of a functional structure, but are not solutions on their own. Air gapped – very onerous, but nearly unimpeachable security. Zero trust – “internal networks are not inherently more trustworthy than external” – good start. Temporal groups – triggers can be set on compromised endpoints that wait for an identity to auth that has the desired access. Trigger kicks off, executing script that persists access either on a different account or via some other mechanism. Protected Users group – keylogger will still happily grab the creds. Red forest – on its own is insufficient. Credential/device guard – good protection locally, but no protection against creds being captured on the network or privileges being misused.