1
The New Cyber Battleground: Inside Your Network
Chad Froomkin
Major Account Executive
Southeast
2
Why are we here?
90% of organizations breached
59% of organizations breached more than once
$3,500,000 average cost per incident to investigate and remediate
Ponemon Institute - Cost of Data Breach: Global Analysis, 2014
Cisco Talos, Deloitte Financial Advisory Service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK - CyberArk Threat Report: Privileged Account Exploits Shift the front lines of Cyber Security, 2014
3
The new cyber battleground: Inside your network
Over 90% of organizations have been breached
• In the past: “I can stop everything at the perimeter”
• Today: “I can’t stop anything at the perimeter”
Information security focus shifts to inside the network
• Over 35% of breaches are internal – driven by malicious and unintentional insiders
• Compromised credentials empower any attacker to act as an insider
Compliance and audit requirements focus on privileged accounts
• Privileged accounts provide access to the most sensitive and valuable assets
• Information exposure damages brand reputation and customer confidence
4
What do we know?
54% of compromised systems contained malware
94% of breaches are reported by third parties
243 median number of days advanced attackers are on the network before being detected
100% of breaches involved stolen credentials
Mandiant, M-Trends and APT1 Report, 2014
“We have to assume we have already been breached” Brian Krebs (Krebs on Security)
5
Privileged accounts are targeted in all advanced attacks
Mandiant, M-Trends and APT1 Report, 2014
“…100% of breaches involved stolen
credentials.”
“APT intruders…prefer to leverage privileged accounts
where possible, such as Domain Administrators, service accounts
with Domain privileges, local Administrator accounts, and privileged user accounts.”
6
Privileged accounts are targeted in all advanced attacks
Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014
“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”
7
Privileged accounts are targeted in all advanced attacks
CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013
“…that’s how I know I’m dealing with a sophisticated adversary… if they are targeting privileged accounts, I’ve got a serious APT problem…”
8
Perimeter defenses are consistently breached
Over 28 Billion spent on IT security in 2014!!!
Over 90% of organizations breached
Cisco Talos, Deloitte Financial Advisory Service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK - CyberArk Threat Report: Privileged Account Exploits Shift the front lines of Cyber Security, 2014
9
Privileged Account Security: Now a critical security layer
10
Typical Lifecycle of a Cyber Attack
Privilege is at the center of the attack lifecycle
11
Scope of Privileged Account “attack surface” underestimated
Chart: In Your Estimation, How Many Privileged Accounts Are There In Your Organization? (response buckets: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,001+, Don't know; y-axis 0%-35% of respondents)
Cyber - Privileged Account Security & Compliance Survey, 2014 (Enterprises > 5000 Employees)
12
Many organizations only use partial measures
Chart: How Do You Monitor Or Record Privileged Account Activity? (response categories: Paper-based, Homegrown SW, IAM Solutions, PIM Software, SIEMs, DAM, Other; y-axis 0%-25% of respondents)
Cyber - Privileged Account Security & Compliance Survey, 2014
Chart: Do you monitor and record privileged activity? (72% / 28%)
13
Privileged Accounts create a HUGE attack surface
Privileged accounts exist in every connected device, database, application, industrial controller and more!
Typically a ~3X ratio of privileged accounts to employees
14
What, Where & Why of Privileged Accounts (columns: Scope, Used by, Used for)

Elevated Personal
• Scope: Cloud providers; Personal accounts w/ elevated permissions
• Used by: IT staff; Any employee
• Used for: Privileged operations; Access to sensitive information; Web sites

Shared Privileged Accounts
• Scope: Administrator; UNIX root; Cisco Enable; Oracle SYS; Local Administrators; ERP admin
• Used by: IT staff; Sys admins/Net admins; DBAs; Help desk; Developers; Social media mgrs; Legacy applications
• Used for: Emergency; Fire-call; Disaster recovery; Privileged operations; Access to sensitive information

Application Accounts (App2App)
• Scope: Hard coded/embedded App IDs; Service Accounts
• Used by: Applications/scripts; Windows Services; Scheduled Tasks; Batch jobs, etc.; Developers
• Used for: Online database access; Batch processing; App-2-App communication

All Powerful
Difficult to Control, Manage & Monitor
Pose Devastating Risk if Misused
15
Telecom breaches draw attention to insider access issues
▪ August 2014 : A global top 5 Telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information.
“We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number”
▪ Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.
16
Chinese hack U.S. weather systems & satellite network
▪ October 2014: A federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services.
▪ Post breach, security testing discovered multiple weaknesses:
■ “Weak or default passwords and operating system vulnerabilities with well documented exploits”
■ Significant problems with remote access
■ Assessment results lacked supporting evidence – lack of audit logs
17
The framework of a retail breach
• Access via compromised 3rd party account
• Escalation of privileges (for example via Pass the Hash)
• Once necessary privileges are obtained, install malware on POS
• Install Remote Administration Tools
• Goal: exfiltrate data
18
The Privileged Account Security maturity model
Baseline maturity: Discover and control
Medium maturity: Manage and monitor
High maturity: Expand scope and automate
19
1) Baseline Maturity
Baseline maturity
Discover and control
Inventory the privileged accounts
Limit standard user accounts
Establish on- and off-boarding processes
Remove non-expiring passwords
Securely store passwords
Ensure attribution
20
2) Medium Maturity
Medium maturity
Manage and monitor
Schedule password changes
Utilize one-time passwords
Implement session recording
Prevent human usage of service accounts
Control application accounts
Detect anomalies
21
3) High Maturity
High maturity
Expand scope and automate
Use multi-factor authentication
Replace all hard-coded passwords in applications
Employ next-generation jump-servers
Implement approval and monitoring workflows
Proactively detect malicious behavior
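As an added example (not from the CyberArk deck), two of the maturity-model checks above expressed as code over constructed sample data: the baseline "remove non-expiring passwords" inventory check and the medium-maturity "prevent human usage of service accounts" detection, keyed on Windows 4624 logon types. All account names, inventory fields and event records are hypothetical.

```python
"""Two privileged-account checks from the maturity model, on constructed data.
1. Baseline: privileged (service/admin) accounts whose password never expires.
2. Medium: successful logons (Event 4624) of service accounts with a human
   logon type: 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
"""
import json

# Constructed privileged-account inventory (hypothetical accounts and fields).
INVENTORY = [
    {"account": "svc_backup", "kind": "service", "pwd_never_expires": True},
    {"account": "svc_sql", "kind": "service", "pwd_never_expires": False},
    {"account": "da_jsmith", "kind": "admin", "pwd_never_expires": True},
    {"account": "jsmith", "kind": "user", "pwd_never_expires": False},
]

# Constructed sample of Windows Security logon events, one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 5, "WorkstationName": "SRV01"}
{"EventID": 4624, "TargetUserName": "svc_sql", "LogonType": 10, "WorkstationName": "WS-ADMIN7"}
{"EventID": 4624, "TargetUserName": "da_jsmith", "LogonType": 10, "WorkstationName": "WS-ADMIN7"}
{"EventID": 4624, "TargetUserName": "svc_backup", "LogonType": 2, "WorkstationName": "WS-DEV3"}
{"EventID": 4625, "TargetUserName": "svc_backup", "LogonType": 2, "WorkstationName": "WS-DEV3"}
"""

HUMAN_LOGON_TYPES = {2, 10, 11}  # logon types only a person at a console/RDP session produces


def non_expiring_privileged(inventory):
    """Baseline check: privileged accounts still carrying a non-expiring password."""
    return sorted(a["account"] for a in inventory
                  if a["kind"] != "user" and a["pwd_never_expires"])


def service_accounts(inventory):
    """Names of accounts the inventory classifies as service accounts."""
    return {a["account"] for a in inventory if a["kind"] == "service"}


def detect_human_service_logons(event_lines, svc_accounts):
    """Medium check: service accounts used by a human (interactive/RDP logon)."""
    hits = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4624:
            continue  # only successful logons; 4625 failures are a separate signal
        if ev["TargetUserName"] in svc_accounts and ev["LogonType"] in HUMAN_LOGON_TYPES:
            hits.append((ev["TargetUserName"], ev["LogonType"], ev["WorkstationName"]))
    return hits


if __name__ == "__main__":
    print("non-expiring privileged:", non_expiring_privileged(INVENTORY))
    print("human use of service accounts:",
          detect_human_service_logons(SAMPLE_EVENTS, service_accounts(INVENTORY)))
```

A type-5 (service) logon by svc_backup is expected and not flagged; the RDP logon by svc_sql and the console logon by svc_backup are the findings.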
22
Critical steps to stopping advanced threats
Protect and manage privileged account credentials
Control, isolate and monitor privileged access to servers and databases
Use real-time privileged account intelligence to detect and respond to in-progress attacks
Discover all of your privileged accounts
23
Enterprise account usage today
Diagram: systems holding privileged accounts (Virtual Servers, Unix/Linux Servers, iSeries Mainframes, Windows Servers, zSeries Mainframe, Databases, Applications, Network Devices, Security Appliances, Websites & Web Apps) and the people using them (Unix Admins, Windows Admins, DBAs, VM Admins, External Vendors, Business Applications, Auditor/Security & Risk), with typical requests:
• I need the password to map a drive
• I need my service provider to connect remotely with root
• I just need root to patch a database
• I have this script that needs to run as root every night
• What are your root entitlements, who used it, when did they use it and why?
24
Requirements for an effective Privileged Account Security Solution
Granular Privileged Access Controls
Privileged User Access Controls
Protecting & Isolating Sensitive Assets
Privileged Activity Monitoring
Application Identity Controls
25
Break the attack chain!!!
26
DNA - Discovery & Audit
Discover where your privileged accounts exist
Clearly assess privileged account security risks
Identify all privileged passwords, SSH keys, and password hashes
Collect reliable and comprehensive audit information
27
The CyberArk Team:
Chad Froomkin – Major Account Executive Southeast: NC/SC/TN
(770) 322-4201
Doug Brecher – Internal Account Executive Southeast
(617) 796-3264