SlideShare a Scribd company logo

More than Vaulting - Adapting to New Privileged Access Threats

Lance Peterman
Lance Peterman

The infrastructure and threat landscape is changing, how is your PAM program keeping up? In this talk, we look at the current state PAM reference architecture, then look at recent threats and incidents, and finally look at new approaches beyond vaulting to reduce privileged access risk.

Technology
1 of 40
Download to read offline
MORE THAN VAULTING: ADAPTING TO NEW PRIVILEGED ACCESS THREATS LANCE PETERMAN ENTERPRISE SECURITY ARCHITECT MERCK @LPETERMAN
ABOUT ME  Formerly IAM Strategy & Platform Lead at Merck  Also, Teach Software Architecture & Design at UNC-Charlotte  Also, Board & Founding member of IDPro  Opinions are my own  Twitter: @lpeterman
WHY WE CAN’T GET A PERFECT 10 IN THE VAULT
2 YEARS AGO…
MY USE CASE…
6
Existing & Emergent Patterns How Privilege is (mis)Used New Responses
EXISTING & EMERGENT PATTERNS
PAM Reference Architecture (2015) 9 Password Vault Session Management & Recording PAM Policy Management Discovery & Policy Enforcement Session Review Privileged Access Management SRM/Ticketing WorkflowPolicy Store Logging & Audit SIEM / Analytics CMDB / Change Management Information Technology Resources Access Certification Identity Management Non-person Credential Management Identity & Access Management
PAM Reference Architecture 2019 Access Certification Identity Management Non-person Credential Management Identity Governance & Administration Credential Vault Session Management & Recording PAM Policy Management Discovery & Policy Enforcement Session Review Privileged Access Management Secret/Key Management SRM/Ticketing WorkflowPolicy Store Logging & Audit SIEM CMDB / Change Management Information Technology & InfoSec Resources **Analytics/ AI/ML SOC/ Incident Response EPM & EDR Just in Time Administration
VAULTING
SESSION MANAGEMENT
LOCAL ADMIN MANAGEMENT/EPM
SECRETS/KEY MANAGEMENT Market is fragmented here – AWS, Ansible, Vault, CyberArk…lots more Does this belong in IAM? Similar challenge with CIAM & API management for many enterprises DevSecOps emergence is helping generate momentum for this, but cultural challenges remain…
SECRETS / KEY MANAGEMENT 15 Developers InfoSec
OTHER PATTERNS/ APPROACHES Just in Time Administration - Elevation vs. Vaulting for person & non-person accounts Analytics…got a minute, or 90? AI/ML – Lots of potential here, but can you get the right (and all) of the data for training SOC & Incident Response – How fast can you shut down privilege abuse/misuse?
HOW PRIVILEGE IS (MIS)USED
JUNE 27, 2017 6AM EDT
NOTPETYA
MIMIKATZ “CUTE KITTEN” • “Swiss army knife” (or multi-tool) of Windows credentials created by Benjamin Delpy (@gentilkiwi) • Needs local admin for ‘most’ functions • Leverages weaknesses/features in: • LSASS - Local Security Authority Subsystem Service – credentials stored in memory after use • Can leverage credentials stored as (depending on OS level): • Kerberos tickets • NTLM password hashes • LM password hashes • Clear-text passwords • GREAT Resource for understanding MimiKatz – ADSecurity.org
OTHER WINDOWS OS/PROTOCOL THREATS Kerberoasting Vulnerabilities in Kerberos (UN)Constrained Delegation (KCD) GPO Permissions Deeply Nested AD Groups - Do you really know where your privileges are… Notice that little of this is explicitly identity related? Or is it?
OTHER VECTORS • (I)IoT – Mirai showed us what default admin passwords can do • SaaS & IaaS accounts (ie. O365 & ec2 user) – How well do you know your privileged accounts not tied to central IDP? • Network – Much is shifting to layer 7, where are your privileges now? 26
SECRETS REVEALED
IOT EXPLOITS
INSIDER THREAT IS STILL A THING…
New Responses
TECHNOLOGY ARROWS Use EPM or similar tools to reduce/eliminate local admin privileges wherever possible If you don’t have secrets/key management, explore the need. Talk to your vendors. Have an IoT platform? Find out, explore gateways for segmentation Consider automated tools for privileged account discovery
MORE TECHNOLOGY ‘ARROWS’ Reduce privilege ‘scale’ through segmentation (ex. AD Red Forest) Eliminate credential caching where possible MFA for sensitive internal apps, even regular users Consider analytics for privilege abuse use cases but make sure you get the data
PROCESS ‘ARROWS’ • Reduce privilege ‘scale’ through segmentation (ex: SCCM admins), including number of admins per server • Consider software updates a threat vector (supply chain attack) • Leverage Least Privilege (LPM)wherever possible (see people arrows) • Defense in depth should be a mindset, look beyond Layer 7 for solutions
MORE PROCESS ‘ARROWS’ • Embed security & identity in your SDLC (Push Left, thanks Tanya Janca @shehackspurple) • Same for Change Management (CMDB is your most important identity asset) • If you use Policy, leverage it to the hilt for privileged access compliance
PEOPLE ‘ARROWS’ with Developers on Secrets & Local AdminPartner with InfoSec on expanding privilege analysis, focus on LPM, and Defense in DepthPartner with the business on identifying your high value assets (HVA), know what you’re protecting and whyPartner with everyone on MFA – pierce the veil on how it can be used and reduce frictionPartner Prioritize activities based on riskPrioritize
THIS IS A LOT, WHERE DO I START? 37 Measure Measure your results! Execute Execute – Fire! Select Select an arrow – Focus on Risk Mitigation – Aim! Identify Identify an RA activity – Ready! Partner Partner with the Business, Security, & Risk to start to understand your risks & current capabilities Use Use the reference architecture (revise if needed!)
RESOURCES • 2017 Talk - https://youtu.be/1HA2N_4c2jw • Local Admin rights blog post - https://identitybytes.com/index.php/2018/03/20/applying-a- rheostat-to-local-admin-rights/ • Secrets compromised - https://threatpost.com/22k-open-vulnerable-containers-found-exposed-on-the- net/132898/ • IoT compromised - https://www.bleepingcomputer.com/news/security/someone-is-taking-over- insecure-cameras-and-spying-on-device-owners/ • MimiKatz - https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/ • ADSecurity.org Guide to MimiKatz - https://adsecurity.org/?page_id=1821 • ”Push Left” – Tanya Janca - https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95 • Photo credits – Natalie Peterman
THANK YOU!!!

Recommended

CyberArk
CyberArkCyberArk
CyberArkJimmy Sze
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access ManagementLance Peterman
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningPriyanka Aash
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesTrish McGinity, CCSK
 
Secure Cloud Reference Architecture
Secure Cloud Reference ArchitectureSecure Cloud Reference Architecture
Secure Cloud Reference ArchitectureMithilesh Kumar - AWS, VCP,ITIL,SSCA
 
How to Build Security and Risk Management into Agile Environments
How to Build Security and Risk Management into Agile EnvironmentsHow to Build Security and Risk Management into Agile Environments
How to Build Security and Risk Management into Agile Environmentsdanb02
 
App sec - code insecurity basics
App sec - code insecurity basicsApp sec - code insecurity basics
App sec - code insecurity basicsChristopher Hamm
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 

Recommended

CyberArk
CyberArkCyberArk
CyberArkJimmy Sze
 
Privleged Access Management
Privleged Access ManagementPrivleged Access Management
Privleged Access ManagementLance Peterman
 
Threat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningThreat Detection using Analytics & Machine Learning
Threat Detection using Analytics & Machine LearningPriyanka Aash
 
Privileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesPrivileged accesss management for den csa user group CA Technologies
Privileged accesss management for den csa user group CA TechnologiesTrish McGinity, CCSK
 
Secure Cloud Reference Architecture
Secure Cloud Reference ArchitectureSecure Cloud Reference Architecture
Secure Cloud Reference ArchitectureMithilesh Kumar - AWS, VCP,ITIL,SSCA
 
How to Build Security and Risk Management into Agile Environments
How to Build Security and Risk Management into Agile EnvironmentsHow to Build Security and Risk Management into Agile Environments
How to Build Security and Risk Management into Agile Environmentsdanb02
 
App sec - code insecurity basics
App sec - code insecurity basicsApp sec - code insecurity basics
App sec - code insecurity basicsChristopher Hamm
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNarudom Roongsiriwong, CISSP
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEMSiemplify
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOARSiemplify
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code ProtectionPerforce
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinAnton Chuvakin
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the CloudRichard Diver
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
Should You Be Automating
Should You Be AutomatingShould You Be Automating
Should You Be AutomatingSiemplify
 
Thales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMvictor bueno
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Demisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is GoodDemisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is GoodRishi Bhargava
 
Presentacion demo mc afee siem
Presentacion demo mc afee siemPresentacion demo mc afee siem
Presentacion demo mc afee siemvictor bueno
 
Security Operations Strategies
Security Operations Strategies Security Operations Strategies
Security Operations Strategies Siemplify
 
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsLance Peterman
 
Revisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat LandscapeRevisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat LandscapeLance Peterman
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseLance Peterman
 

More Related Content

What's hot

7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enoughCloudAccess
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Emrah Alpa, CISSP CEH CCSK
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEMSiemplify
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteVCW Security Ltd
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOARSiemplify
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code ProtectionPerforce
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinAnton Chuvakin
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the CloudRichard Diver
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security AssuranceRafal Los
 
Should You Be Automating
Should You Be AutomatingShould You Be Automating
Should You Be AutomatingSiemplify
 
Thales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMvictor bueno
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Demisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is GoodDemisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is GoodRishi Bhargava
 
Presentacion demo mc afee siem
Presentacion demo mc afee siemPresentacion demo mc afee siem
Presentacion demo mc afee siemvictor bueno
 
Security Operations Strategies
Security Operations Strategies Security Operations Strategies
Security Operations Strategies Siemplify
 

What's hot (19)

7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough7 Reasons your existing SIEM is not enough
7 Reasons your existing SIEM is not enough
 
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
Micro Focus SRG Solution Mapping to the New BDDK Regulations for Turkish Fina...
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
Need Of Security Operations Over SIEM
Need Of Security Operations Over SIEMNeed Of Security Operations Over SIEM
Need Of Security Operations Over SIEM
 
GTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security SuiteGTB DLP - Content Aware Security Suite
GTB DLP - Content Aware Security Suite
 
Need of SIEM when You have SOAR
Need of SIEM when You have SOARNeed of SIEM when You have SOAR
Need of SIEM when You have SOAR
 
[EMC] Source Code Protection
[EMC] Source Code Protection[EMC] Source Code Protection
[EMC] Source Code Protection
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton ChuvakinSo You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the Cloud
 
The Future of Software Security Assurance
The Future of Software Security AssuranceThe Future of Software Security Assurance
The Future of Software Security Assurance
 
Should You Be Automating
Should You Be AutomatingShould You Be Automating
Should You Be Automating
 
Thales e-Security corporate presentation
Thales e-Security corporate presentationThales e-Security corporate presentation
Thales e-Security corporate presentation
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
presentacion Demo McAfee SIEM
presentacion Demo McAfee SIEMpresentacion Demo McAfee SIEM
presentacion Demo McAfee SIEM
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Demisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is GoodDemisto Webinar - When Shrinkage is Good
Demisto Webinar - When Shrinkage is Good
 
Presentacion demo mc afee siem
Presentacion demo mc afee siemPresentacion demo mc afee siem
Presentacion demo mc afee siem
 
Security Operations Strategies
Security Operations Strategies Security Operations Strategies
Security Operations Strategies
 

Similar to More than Vaulting - Adapting to New Privileged Access Threats

IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsLance Peterman
 
Revisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat LandscapeRevisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat LandscapeLance Peterman
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseLance Peterman
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to ComplianceSecurity Innovation
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1Michael Clarkson
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudBen Johnson
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & ResponseHarry McLaren
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA SensePost
 
Security and Compliance with SharePoint and Office 365
Security and Compliance with SharePoint and Office 365Security and Compliance with SharePoint and Office 365
Security and Compliance with SharePoint and Office 365Richard Harbridge
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
ALTITUDE 2019 | Enabling Productivity with Agile Security
ALTITUDE 2019 | Enabling Productivity with Agile SecurityALTITUDE 2019 | Enabling Productivity with Agile Security
ALTITUDE 2019 | Enabling Productivity with Agile SecurityBetterCloud
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM MaturityJerod Brennen
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezEC-Council
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementRedZone Technologies
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...Greg Swedosh
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?Thomas Burg
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Frameworkcentralohioissa
 
TOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONTOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONInfosec Train
 

Similar to More than Vaulting - Adapting to New Privileged Access Threats (20)

IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access ThreatsIDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
IDY-T08 More than Vaulting: Adapting to New Privileged Access Threats
 
Revisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat LandscapeRevisiting Privileged Access in Today's Threat Landscape
Revisiting Privileged Access in Today's Threat Landscape
 
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century EnterpriseIdentity & Access Management - Securing Your Data in the 21st Century Enterprise
Identity & Access Management - Securing Your Data in the 21st Century Enterprise
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Aligning Application Security to Compliance
Aligning Application Security to ComplianceAligning Application Security to Compliance
Aligning Application Security to Compliance
 
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1An apporach to AIM - A strategy proposal and recommendation - ver 0.1
An apporach to AIM - A strategy proposal and recommendation - ver 0.1
 
Threat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the CloudThreat Hunting, Detection, and Incident Response in the Cloud
Threat Hunting, Detection, and Incident Response in the Cloud
 
Big Data For Threat Detection & Response
Big Data For Threat Detection & ResponseBig Data For Threat Detection & Response
Big Data For Threat Detection & Response
 
knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA knowthyself : Internal IT Security in SA
knowthyself : Internal IT Security in SA
 
Security and Compliance with SharePoint and Office 365
Security and Compliance with SharePoint and Office 365Security and Compliance with SharePoint and Office 365
Security and Compliance with SharePoint and Office 365
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
ALTITUDE 2019 | Enabling Productivity with Agile Security
ALTITUDE 2019 | Enabling Productivity with Agile SecurityALTITUDE 2019 | Enabling Productivity with Agile Security
ALTITUDE 2019 | Enabling Productivity with Agile Security
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
The Path to IAM Maturity
The Path to IAM MaturityThe Path to IAM Maturity
The Path to IAM Maturity
 
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby DominguezThe Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
The Cloud 9 - Threat & Solutions 2016 by Bobby Dominguez
 
Corona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat ManagementCorona| COVID IT Tactical Security Preparedness: Threat Management
Corona| COVID IT Tactical Security Preparedness: Threat Management
 
You may be compliant...
You may be compliant...You may be compliant...
You may be compliant...
 
You may be compliant, but are you really secure?
You may be compliant, but are you really secure?You may be compliant, but are you really secure?
You may be compliant, but are you really secure?
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
 
TOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTIONTOP SAILPOINT INTERVIEW QUESTION
TOP SAILPOINT INTERVIEW QUESTION
 

Recently uploaded

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...Sri Ambati
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 

Recently uploaded (20)

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 

More than Vaulting - Adapting to New Privileged Access Threats

  • 1. MORE THAN VAULTING: ADAPTING TO NEW PRIVILEGED ACCESS THREATS LANCE PETERMAN ENTERPRISE SECURITY ARCHITECT MERCK @LPETERMAN
  • 2. ABOUT ME  Formerly IAM Strategy & Platform Lead at Merck  Also, Teach Software Architecture & Design at UNC-Charlotte  Also, Board & Founding member of IDPro  Opinions are my own  Twitter: @lpeterman
  • 3. WHY WE CAN’T GET A PERFECT 10 IN THE VAULT
  • 6. 6
  • 7. Existing & Emergent Patterns How Privilege is (mis)Used New Responses
  • 9. PAM Reference Architecture (2015) 9 Password Vault Session Management & Recording PAM Policy Management Discovery & Policy Enforcement Session Review Privileged Access Management SRM/Ticketing WorkflowPolicy Store Logging & Audit SIEM / Analytics CMDB / Change Management Information Technology Resources Access Certification Identity Management Non-person Credential Management Identity & Access Management
  • 10. PAM Reference Architecture 2019 Access Certification Identity Management Non-person Credential Management Identity Governance & Administration Credential Vault Session Management & Recording PAM Policy Management Discovery & Policy Enforcement Session Review Privileged Access Management Secret/Key Management SRM/Ticketing WorkflowPolicy Store Logging & Audit SIEM CMDB / Change Management Information Technology & InfoSec Resources **Analytics/ AI/ML SOC/ Incident Response EPM & EDR Just in Time Administration
  • 14. SECRETS/KEY MANAGEMENT Market is fragmented here – AWS, Ansible, Vault, CyberArk…lots more Does this belong in IAM? Similar challenge with CIAM & API management for many enterprises DevSecOps emergence is helping generate momentum for this, but cultural challenges remain…
  • 15. SECRETS / KEY MANAGEMENT 15 Developers InfoSec
  • 16. OTHER PATTERNS/ APPROACHES Just in Time Administration - Elevation vs. Vaulting for person & non-person accounts Analytics…got a minute, or 90? AI/ML – Lots of potential here, but can you get the right (and all) of the data for training SOC & Incident Response – How fast can you shut down privilege abuse/misuse?
  • 18.
  • 19. JUNE 27, 2017 6AM EDT
  • 21.
  • 22. MIMIKATZ “CUTE KITTEN” • “Swiss army knife” (or multi-tool) of Windows credentials created by Benjamin Delpy (@gentilkiwi) • Needs local admin for ‘most’ functions • Leverages weaknesses/features in: • LSASS - Local Security Authority Subsystem Service – credentials stored in memory after use • Can leverage credentials stored as (depending on OS level): • Kerberos tickets • NTLM password hashes • LM password hashes • Clear-text passwords • GREAT Resource for understanding MimiKatz – ADSecurity.org
  • 23.
  • 24.
  • 25. OTHER WINDOWS OS/PROTOCOL THREATS Kerberoasting Vulnerabilities in Kerberos (UN)Constrained Delegation (KCD) GPO Permissions Deeply Nested AD Groups - Do you really know where your privileges are… Notice that little of this is explicitly identity related? Or is it?
  • 26. OTHER VECTORS • (I)IoT – Mirai showed us what default admin passwords can do • SaaS & IaaS accounts (ie. O365 & ec2 user) – How well do you know your privileged accounts not tied to central IDP? • Network – Much is shifting to layer 7, where are your privileges now? 26
  • 30.
  • 32. TECHNOLOGY ARROWS Use EPM or similar tools to reduce/eliminate local admin privileges wherever possible If you don’t have secrets/key management, explore the need. Talk to your vendors. Have an IoT platform? Find out, explore gateways for segmentation Consider automated tools for privileged account discovery
  • 33. MORE TECHNOLOGY ‘ARROWS’ Reduce privilege ‘scale’ through segmentation (ex. AD Red Forest) Eliminate credential caching where possible MFA for sensitive internal apps, even regular users Consider analytics for privilege abuse use cases but make sure you get the data
  • 34. PROCESS ‘ARROWS’ • Reduce privilege ‘scale’ through segmentation (ex: SCCM admins), including number of admins per server • Consider software updates a threat vector (supply chain attack) • Leverage Least Privilege (LPM)wherever possible (see people arrows) • Defense in depth should be a mindset, look beyond Layer 7 for solutions
  • 35. MORE PROCESS ‘ARROWS’ • Embed security & identity in your SDLC (Push Left, thanks Tanya Janca @shehackspurple) • Same for Change Management (CMDB is your most important identity asset) • If you use Policy, leverage it to the hilt for privileged access compliance
  • 36. PEOPLE ‘ARROWS’ with Developers on Secrets & Local AdminPartner with InfoSec on expanding privilege analysis, focus on LPM, and Defense in DepthPartner with the business on identifying your high value assets (HVA), know what you’re protecting and whyPartner with everyone on MFA – pierce the veil on how it can be used and reduce frictionPartner Prioritize activities based on riskPrioritize
  • 37. THIS IS A LOT, WHERE DO I START? 37 Measure Measure your results! Execute Execute – Fire! Select Select an arrow – Focus on Risk Mitigation – Aim! Identify Identify an RA activity – Ready! Partner Partner with the Business, Security, & Risk to start to understand your risks & current capabilities Use Use the reference architecture (revise if needed!)
  • 38.
  • 39. RESOURCES • 2017 Talk - https://youtu.be/1HA2N_4c2jw • Local Admin rights blog post - https://identitybytes.com/index.php/2018/03/20/applying-a- rheostat-to-local-admin-rights/ • Secrets compromised - https://threatpost.com/22k-open-vulnerable-containers-found-exposed-on-the- net/132898/ • IoT compromised - https://www.bleepingcomputer.com/news/security/someone-is-taking-over- insecure-cameras-and-spying-on-device-owners/ • MimiKatz - https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/ • ADSecurity.org Guide to MimiKatz - https://adsecurity.org/?page_id=1821 • ”Push Left” – Tanya Janca - https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95 • Photo credits – Natalie Peterman