Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

Transcription

1 Privilege Security & Next-Generation Technology Morey J. Haber Chief Technology Officer

2 Agenda The Next-Gen Threat Landscape o Infomatics, Breaches & the Attack Chain o Securing Cloud, DevOps & IoT o Privilege Security Threats PAM & Privilege Security Maturity o Privileged Access Management o Privilege Security Maturity Model How BeyondTrust Helps

3 The Next-Gen Threat Landscape

4 Infonomics Innovation Leader "Infonomics 30+ years is of the firsts theory, study, and discipline of asserting economic 1 st fully-integrated significance PAM to information. and VM platform It provides the framework for businesses to monetize, manage, and measure 1 st PAM information vendor on as all major an actual cloud asset. marketplaces 1 st to provide vulnerability insights to inform privilege decisions 1 st Unix/Linux, Mac and network device PAM solution Infonomics endeavors to apply both economic and asset management principles and practices to the valuation, Strong roadmap Patented technology handling, and deployment of information assets." Active threat response 7 patents granted Context-aware PAM SaaS-based PAM platform DevOps secrets management 10 pending - Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage by Douglas B. Laney

5 Notable Breaches Credentials hacked Unpatched software exploited; amplified by excessive privileges Credentials stolen 95% 28% 80% of security breaches involve privileged credentials Forrester Wave: Privileged Identity Management, Q of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights 2018 Microsoft Vulnerabilities Report of breaches involve insiders (and growing) 2018 Verizon Data Breach Investigations Report

6 The Cyber Attack Chain 1. Perimeter Exploitation 2. Privilege Hijacking & Escalation 3. Lateral Movement & Exfiltration Attacker exploits asset vulnerabilities to gain entry Vulnerable Systems hijacks privileges or leverages stolen/cracked passwords Unmanaged Credentials and Excessive Privileges and compromises other network resources. Limited Visibility

7 Expanding Accounts Remote Employees DevOps / A2A / A2DB Cloud & IoT The New Enterprise More people, processes and technology have access to your systems and data than ever before. Mainstream adoption Internal Employees Partners & Contractors WWW Mobile DevOps 60% IoT 56% Cloud 15% Client- Server Evolving Infrastructure

8 Attack Surface Evolution Cloud & Hybrid Cloud Cloud Management Platforms (AWS, Azure) Virtualized Environments (VMWare, MSFT) Virtualized Machines (UNIX, Linux, Windows) SaaS Apps (Facebook, LinkedIn, Custom) Internet of Things Roaming workstations BYOD Cameras Sensors Printers More On-Premise Shared Administrator Accounts Desktops (Windows, Mac) Servers (Unix, Linux, Windows) Industrial Control Systems Security Infrastructure Network Infrastructure Applications & Application Servers Databases & Database Servers Machine Credentials (AtoA) Hypervisors & Virtual Machine DevOps DevOps Tools Dynamic Virtual Environments Containers Microservices More Privileged Accounts SaaS Admins Cloud Admins Application Admins Privileged End Users Developers Machine Password & Keys

9 Cloud

10 Secure Cloud Enablement RESTRICT PRIVILEGES Privileged Management DISCOVER & INVENTORY Asset Management SCAN FOR VULNERABILITIES Vulnerability Management SEGMENT NETWORKS Network Design Cloud Security ENSURE CONFIGURATION COMPLIANCE Hardening and Best Practices Secure cloud enablement requires a multidisciplinary strategy! ENFORCE APPROPRIATE CREDENTIAL USAGE Least Privilege Management ELIMINATE HARD-CODED PASSWORD GAIN ACCOUNTA- BILITY OVER SHARED ACCOUNTS Password Management A2A Security

11 Secure Cloud Transformation In the cloud From the cloud Into the cloud The New Cloud Perimeter Cloud Management Platforms Shared Administrator Accounts Servers (Unix, Linux, Windows) Applications & Application Servers Databases & Database Servers Machine Credentials (A to A) Security & Network Infrastructure Hypervisors & Virtual Machines SaaS Applications DevOps Environments Containers & Micro Services IoT Devices Virtual Machines, Dedicated Hardware Marketplace Applications IaaS, PaaS, & SaaS

12 Privilege Management for the Cloud Cloud-Agnostic Private, Public and Hybrid Environments License flexibility Asset inventory integration Docker and container aware Discover online & offline instances Leverage Hypervisor APIs Agent technologies Respects OA and application hardening Fully automated for passwords & API Auditing, reporting and change-aware Proxy access Session management Regulatory compliance

13 DevOps

14 DevOps Security Strategy RESTRICT PRIVILEGES DISCOVER & INVENTORY ELIMINATE HARD- CODED PASSWORDS GAIN ACCOUNTABILITY OVER SHARED ACCOUTS Privilege Management Asset Management A2A Security Password Management Secure DevOps Network Design Least Privilege Management Vulnerability Management Hardening and Security Best Practices SEGMENT NETWORKS ENFORCE APPROPRIATE CREDENTIAL USAGE SCAN FOR VULNERABILITIES ENSURE CONFIGURATION COMPLIANCE

15 Privilege Automation for DevOps Only allow approved assets; identify unacceptable variations Identify security risks and automatically remediate them Ensure configuration hardening Eliminate all locations for hardcoded credentials Platform-agnostic, from cloud to on premise Limit all users, including privileged access, in the DevOps automated workflow Provide security and performance visibility to ensure security and automation success

16 IoT / IIoT

17 Privilege Management for IoT, IIoT, ICS,SCADA Zones Internet Communications and Restricted Lateral Movement Privileged Access Segmentation Public Private Air-Gapped Users Servers DMZ Guest Dumb Devices Device Type & Risk IoT IIoT ICS SCADA

18 The Privileged IoT Perspective IoT asset and inventory management Risk assessment with vulnerability management Password management and privileged session access Command line least privilege management Policy and script repository

19 Privilege Security Threats

20 Privilege Security Threats Guessing Dictionary attacks Brute Force Pass the Hash Security questions Password resets Vulnerabilities Misconfigurations Exploits Malware Social engineering MFA flaws Default credentials Anonymous Predictable Shared credentials Temporary Reused Insider Threats External Threats Hidden Threats

21 Accountability for Privileges Privileged account discovery Develop permissions model Rotate passwords and keys Workflow process and auditing Define session monitoring Segmentation User behavior analysis

22 Privileged Access Management & Privilege Security Maturity

23 Privileged Access Management Provides an integrated approach to enterprise password management ENTERPRISE PASSWORD MANAGEMENT Enforces least privilege on all endpoints without compromising productivity or security Ensures administrator and root compliance on Unix, Linux, Windows and Mac Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions ACTIVE DIRECTORY BRIDGING USER BEHAVIOR MONITORING Privileged Access Management PRIVILEGE MANAGEMENT SESSION MANAGEMENT Achieves unified visibility over accounts, applications, and assets that they protect ADVANCED REPORTING & ANALYTICS

24 Maturity The Journey to Privilege-Centric Security IT ECOSYSTEM INTEGRATION NEW ENTERPRISE DEPLOYMENT: CLOUD, DEVOPS, NETWORK/IOT/ICS/SCADA UNIFIED MANAGEMENT, REPORTING & THREAT ANALYTICS Asset discovery & vulnerability scanning Account discovery A2A & A2DB Password/key storage & rotation Session recording & monitoring Session management FIM, VBAM, event log monitoring Endpoint least privilege / command elevation & delegation FIM, system-level control Server least privilege / command elevation & delegation IDENTIFY & INVENTORY IMPROVE ACCOUNTABILITY & CONTROL OVER SHARED CREDENTIALS ELIMINATE EXCESSIVE PRIVILEGES & GAIN GRANULAR COMMAND AND TASK-LEVEL CONTROL Time

25 About BeyondTrust

26 Privilege-Centric Security for the New Enterprise Risk- Based Accounts for user & asset risk Dynamic Locations, teams, contexts Identity- Focused Not network focused Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise. Centralized & Modular Integrates w/ best-of-breed solutions Future- Ready Built for nextgen IT environments

27 PowerBroker Privileged Access Management Platform Password & Session Management Secure Remote Access Privilege Management Infrastructure Endpoints Gain accountability over shared accounts Eliminate hard-coded passwords Monitor privileged sessions and user behavior Enforce appropriate credential usage Secure credentials with Privileged Identity and manage sessions with Privileged Access Empower and protect your service desk with the most secure Remote Support software Eliminate Admin\root rights Enforce Application & command control Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate Enforce appropriate use Risk based privilege decisions Cloud Hybrid On-Premise

28 Innovation Leader 30+ years of firsts 1 st fully-integrated PAM and VM platform 1 st to provide vulnerability insights to inform privilege decisions 1 st PAM vendor on all major cloud marketplaces 1 st Unix/Linux, Mac and network device PAM solution Strong roadmap Active threat response Context-aware PAM SaaS-based PAM platform DevOps secrets management Patented technology 7 patents granted 10 pending

29 PAM Industry Leader Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017 Table1. PASM Vendors and Their Key Capabilities

30 Morey J. Haber 20+ years security experience Articles on Secure World, Dark Reading, CSO Online, etc. Author of Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations & Asset Attack Vectors (covering Vulnerability Management) both available from Apress Media

31 Questions? Morey J. Haber Chief Technology Officer