CyberArk Privileged Account Security Nedim Toroman, Business Development Manager Veracomp securITy

CyberArk Privileged Account Security - ALEM Sistem (alemsistem.ba/alem_lib/securITy/4. CyberArk - ALEM - Nedim 05.06...)


Page 1

CyberArk Privileged Account Security

Nedim Toroman, Business Development Manager

Veracomp

securITy

Page 2

Critical Steps to Stopping Advanced Threats

1. Discover all of your Privileged Accounts
2. Protect and Manage them
3. Control, Isolate and Monitor any Privileged Access
4. Use Proactive Controls for Threat Detection

Page 3

CyberArk's Privileged Account Security Solution

Proactive Controls, Monitoring & Management (Protect):
• Enterprise Password Vault®
• Privileged Session Manager®
• Application Identity Manager™
• On-Demand Privileges Manager™
• SSH Key Manager

Behavioral Analytics (Detect, Respond):
• Privileged Threat Analytics

Shared Technology Platform:
• Management Portal/Web Access
• Master Policy
• Secure Digital Vault™

Page 4

CyberArk PIM Auto Discovery

Where do all the privileged and superuser accounts exist?

• VMware ESX/ESXi: Linux virtual images, Windows virtual images
• Unix/Linux Servers
• Windows Servers: Windows Services, Scheduled Tasks, IIS Pools
• Windows Desktops & Laptops


Page 6

Layers of Security in the Digital Vault

• Firewall
• Authentication
• Vault Safes
• Tamper-Proof Auditability
• Comprehensive Monitoring
• Segregation of Duties
• Hierarchical Encryption
• Session Encryption

Page 7

Enterprise Password Vault Overview

Shared, static passwords across the Enterprise IT Environment:

System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t

Once the Vault manages the account (step 2 below), the shared value is replaced by a random password such as lm7yT5wX5$aq+pTojsd$5fhy7qeF$1gviNa9%Oiue^$fgW.

Actors and components: IT ("Request access to Windows Administrator on prod.dom.us"), Security/Risk Management (Master Policy, Policy), Auditors ("Request to view Reports"), Portal, Vault, Enterprise IT Environment.

1. Master policy and Platforms definition
2. Initial load & reset: Automatic Detection, Bulk upload, Manual
3. Request workflow: Dual control, Integration with ticketing systems, One-time passwords, exclusivity, groups
4. Direct connection to device
5. Auditor access

Page 8

Privileged Accounts Management – Use Cases

Target systems: Virtual Servers, Unix/Linux Servers, iSeries Mainframes, Windows Servers, zSeries Mainframes, Databases, Applications, Network Devices, Security Appliances, Websites & Web Apps

Workflows: OPM Workflow, PSM Workflow, EPV Workflow, AIM Workflow, Monitoring & Reporting Workflow

Users: Unix Admins, Windows Admins, DBAs, VM Admins, External Vendors, Business Applications, Auditor/Security & Risk

Typical requests:
• Admin: "I just need to patch the database"
• External Vendors: "Support team need to connect remotely"
• "I need to check out the password"
• "I have this script that connects with "root" every night..."
• Auditor/Security & Risk: "Great, what are your "root" entitlements, who used it and why?"


Page 10

CyberArk Privileged Session Manager

Components: Vault, PSM, SIEM/Syslog

Target systems: Routers and Switches, Windows/UNIX Servers, Web Portals, Databases, Application, ESX\vCenters

1. Logon through PVWA (HTTPS)
2. Connect (RDP over HTTPS)
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Activity is monitored via logs forwarded to SIEM/Syslog

Page 11

PSM for Secure Access

Users: IT/Auditors/Security Operations; External Vendors (from the Internet, over HTTPS, through the Firewall)

Secure Internal Network: Windows Servers, UNIX Servers & DBs, Routers and Switches; tools such as Toad

• Passwords not divulged
• Secure Isolation
• Detailed session monitoring
• Isolation
• Monitor and Control

Page 12

Command Search with 'Click to Play'

Search for SQL commands that include the word 'Salary'

Click to Play 'Point in Time'

Page 13

PIM/PSM Suite

PSM and Real-Time monitoring

Target systems: Network Devices, Virtual Servers, Windows Servers, Unix/Linux Servers, AS400 iSeries Mainframes, OS390 zSeries Mainframes, Databases, Applications, Security Appliances

Workflows: AIM Workflow, PSM Workflow

User: Robert David

Syslog: "Rob has accessed the HR Database!"


Page 15

Privileged Threat Analytics

Intelligence-based analytics for detecting suspicious privileged user activity

• Detects malicious privileged account behavior
• Detects and identifies anomalies as they happen
• Respond, disrupting the attack before serious damage is done

Page 16

Protection, Accountability, Intelligence

Page 17

How Privileged Threat Analytics works

Data sources: CyberArk Vault, SIEM Solution

Privileged Account Activity (Privileged User accessing a Critical System): Normal / Abnormal

Behavioral Analysis: Self-learning statistical model based on a combination of patented algorithms, Vault access data, and target system data gathered from inbound SIEM integrations.

ALERT: SIEM & CyberArk

Page 18

Critical Behavioral Indicator of Attacks – Time of Day

• "…Attackers working hours generally, the attackers worked between 2AM and 10AM from Monday to Saturday included."

• The attacks came during the day in China, which is after hours in Europe and the US

Based on Mandiant research data

Page 19

Access to Privileged Accounts During Irregular Hours: Ex. 1

December 28th, 2012

February 13th, 2013

Source: Data of CyberArk customer analyzed in the CyberArk labs

Page 20

Access to Privileged Accounts During Irregular Hours: Ex. 2

Page 21

Excessive Access to Privileged Accounts

Abnormal sequence of 52 password retrieval activities in 8 hours, starting on March 20th
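The two indicators the slides illustrate, retrievals during irregular hours (Pages 18 to 20) and an excessive number of retrievals in an 8-hour span (Page 21), as a minimal detection routine over constructed Vault-style audit lines. This is an added example, not CyberArk's code or anything from the deck; the line format, the user and account names, the learning period and the thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline audit lines (the "learning period"); the line format,
# user names and account names are assumptions, not the Vault's real syslog.
BASELINE_LOG = """\
2013-01-07 09:05:10 user=rob action=RetrievePassword account=root@hr-db
2013-01-08 10:22:41 user=rob action=RetrievePassword account=sys@ora01
2013-01-09 14:03:02 user=rob action=RetrievePassword account=root@hr-db
2013-01-10 16:47:55 user=rob action=RetrievePassword account=admin@win01
""".splitlines()

# Constructed "irregular hours" period: 25 retrievals between 03:00 and 05:00,
# modelled on the 2013-02-13 and 52-in-8-hours incidents shown on the slides.
ATTACK_LOG = [f"2013-02-13 {3 + i // 12:02d}:{(i % 12) * 5:02d}:00 user=rob "
              f"action=RetrievePassword account=root@srv{i:02d}" for i in range(25)]

def parse(line):
    """Split one audit line into (timestamp, user, action, account)."""
    ts, fields = line[:19], line[20:]
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kv["user"], kv["action"], kv["account"]

def learn_hours(lines):
    """Baseline: the set of hours-of-day at which each user normally retrieves passwords."""
    hours = defaultdict(set)
    for ts, user, action, _ in map(parse, lines):
        if action == "RetrievePassword":
            hours[user].add(ts.hour)
    return hours

def detect(lines, baseline_hours, window=timedelta(hours=8), max_in_window=20):
    """Flag retrievals outside a user's learned hours, and bursts of more than
    max_in_window retrievals by one user inside a sliding time window."""
    alerts, recent = [], defaultdict(deque)
    for ts, user, action, account in sorted(map(parse, lines)):
        if action != "RetrievePassword":
            continue
        if ts.hour not in baseline_hours.get(user, set()):
            alerts.append(("irregular_hours", user, ts.isoformat(), account))
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop events older than the window
            q.popleft()
        if len(q) == max_in_window + 1:    # fire once, when the threshold is crossed
            alerts.append(("excessive_retrievals", user, ts.isoformat(), len(q)))
    return alerts
```

Running `detect(ATTACK_LOG, learn_hours(BASELINE_LOG))` yields one irregular-hours alert per night-time retrieval and a single excessive-retrievals alert at the 21st event.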

Page 22

Privileged Threat Incident Details

Page 23

Page 24

PTA Reports

Page 25

Thank you for your attention!

• Contact – [email protected]

• Questions?

8.6.2015 securITy 26