Securing Privileged Access Across the Hybrid Enterprise

Transcription

1 Securing Privileged Access Across the Hybrid Enterprise Alan Hrabinski March 29, 2018 Data Connectors Toronto Alan Hrabinski March 29, 2018

2 Great Data Breaches

3 Great Data Breaches Yahoo, billion user accounts compromised In a truly remarkable turn of events, Yahoo in 2016 not only claimed the crown of Biggest Data Breach Ever with the September disclosure of a 2014 breach that affected 500 million users. It came back in December to disclose a breach from 2013 that compromised a whopping 1 billion user accounts. That's one for every seven or eight people on Earth. The unidentified 2013 hackers, said to be unconnected to those behind the 2014 break-in, got the whole shebang: names, dates of birth, addresses, security questions and answers and weakly protected passwords. (The passwords in the 2014 breach had better protection.) Impact - $ 350 million of market value on sale to Verizon

4 Great Data Breaches FriendFinder, million accounts compromised Casual-hookup and adult-content websites are perfectly legal in most Western nations, but that doesn't prevent data breaches involving them from being any less embarrassing. The FriendFinder network, comprising Adult Friend Finder, Penthouse.com, Cams.com, icams.com and Stripshow.com, was breached sometime in mid- October 2016, and details of user databases immediately began leaking out of cybercrime forums.

5 Great Data Breaches Equifax, million accounts compromised On Sept. 7, 2017, consumer-credit-reporting agency Equifax reported a security breach that took place from mid-may through July. While the breach, totaling 143 million users (later revised to 145 million), isn't the largest ever, it's one of the most damaging. Hackers gained access to a treasure trove of names, Social Security numbers, birth dates, street addresses and, in some instances, driver s license numbers. With those sets of information, miscreants can pose as you to set up credit cards, mortgages, loans and other important agreements.

6 Great Data Breaches National Security Administration, 2013 Up to 1.5 million secret documents Edward Snowden stole an estimated 1.5 million documents from the National Security Agency. At the time, Snowden worked as an intelligence contractor for Booz Allen Hamilton.

7 UBER 'SURPRISED' BY TOTALLY UNSURPRISING PENNSYLVANIA DATA BREACH LAWSUIT 600,000 drivers and license details 57 million users Paid $13.5 million to cover loss of 13,500 drivers PII 49 more states to go

8

9 Attackers and Tactics Verizon s 2017 Data Breach Investigations Report

10 Managing Privileged Accounts

11 What is a Privileged Account? An account that can: that can impact the integrity of a device, system, application, database, or data; that can create a material risk or have a material impact on your organization; and is outside the scope of your job responsibility.

12 Examples of Privileged Accounts Sys admins DBA Network admins Desktop admins Helpdesk staff Application admins Internal developers 3 rd party developers Contractors SaaS admins IaaS, PaaS, Cloud Social media admins Audit Mainframe IoT devices (Scanners, others) Domain admins Enterprise admins ESX admins Firewall admins Sudo Management tool accounts

13 Abusing Privileged Accounts Abuse E.g. Anthem ed records to a personal account Escalation E.g. Edward Snowden Fabricated digital keys, asked co-workers for their credentials Unauthorized access E.g. engineering firm - Steal credentials when leaving for competition colleague s and FTP site Human error E.g. health care providing access to all patients records Common issue: No one was controlling and monitoring privileged access

14 How to Manage and Control Administrative Privileges Identify tasks which absolutely require administrative privileges; Identify staff who are required, and are authorized, to carry out such tasks on a permanent basis or for a predetermined length of time; Create separate administrative accounts for those staff (ensuring administrators make an explicit decision to use administrative privileges), ensuring that those credentials have the least privilege required for their specific task; Ensure administrative accounts do not have the ability to access the Internet or read ; Ensure administrative tasks are performed, where possible, on a dedicated administrative computer that does not the ability to access the Internet or read e- mails; Ensure management infrastructure is isolated in a management restricted zone; Government of Canada, Communications Security Establishment, 2015

15 How to Manage and Control Administrative Privileges Implement restrictions such as time of day or login location; Implement multi-factor authentication for administrative accounts; Review administrative privilege regime (including audit, events and systems logs) periodically; and Ensure all audit information (e.g., audit records, audit reports) are collected and stored, where possible, in a physically separate system or tamper-resistant repository (e.g., Security Information and Event Management (SIEM)). Government of Canada, Communications Security Establishment, 2015

16 Privileged Accounts The Emerging Front Line ORGANIZATIONS TYPICALLY HAVE 3-4X MORE PRIVILEGED ACCOUNTS AND CREDENTIALS THAN EMPLOYEES! Microsoft Office 365 Administrator On Premise Employees/Partners Systems Admins Network Admins DB Admins Application Admins Apps VMware Administrator AWS Administrator Public Cloud Employees Systems/NW/DB/Applic ation Admins INTERNET Partners Systems/NW/DB/Application Admins Hacker Malware/APT Apps

17 How CA Manages Privileged Accounts

18 Addressing Security and Compliance Risks With Privileged Access Management STOP TARGETED ATTACKS MITIGATE INSIDER THREATS ACHIEVE & SUSTAIN COMPLIANCE IMPROVE EFFICIENCIES SECURE THE HYBRID ENTERPRISE

19 CA Privileged Access Manager Privileged Account Management for the Hybrid Enterprise Traditional Data Center Software Defined Data Center HYBRID ENTERPRISE Public Cloud - IaaS SaaS Applications Mainframe, Windows, Linux, Unix, Networking Enterprise Admin Tools SDDC Console and APIs Cloud Console and APIs SaaS Consoles and APIs A New Security Layer - Control and Audit All Privileged Access Vault Credentials for Users and Apps Centralized Authentication Federated Identity Privileged Single Sign-on Identity Integration Role-Based Access Control Monitor and Enforce Policy Record Sessions and Metadata Full Attribution Unified Policy Management CA Privileged Access Manager Enterprise-Class Core Hardware Appliance OVA Virtual Appliance AWS AMI

20 CA Privileged Access Manager in Action HYBRID CLOUD ENVIRONMENT Public Cloud Vault & Manage Credentials Positively Authenticate Users Restrict Access to Authorized Systems Federate Identity and Attributes (SSO) Monitor and Enforce Policy Record Sessions and Metadata Attribute Identity for Shared Accounts Private Cloud Integrated Controls and Unified Policy Management Traditional Data Center

21 Meaningful Gaps Enterprises Defenses are Static Compromised accounts Privileged access and insiders Untrusted end points Provisioning Provide new users with access to resources Authentication Validate identity when access requested Bad guys exploit this gap to their advantage Privileged Access Limit admin and system control access Identity & Access Management Manage and report on access provided SIEM IDS Enterprise security solutions don t adapt based on behavior how data is accessed, used or misused AWS

22 Threat Analytics Fills the Security Gap Enabling privileged access management with analytics Analytics enable security Continuous behavior monitoring of how valuable assets are accessed and used Mathematical models of individual entities detect behavior variations Same approach used in credit card security Automated triggering of adaptive controls to mitigate risk and limit damage Provide insight into risk, past activities and system operations CA is a market leader in providing data science based fraud analytics to banks

23 Threat Analytics for PAM Powerful analytic capabilities delivered in an easy-to-deploy, easy-to-use solution Raw data Advanced analytics Entity - relationship mapping Intuitive risk decisions & automated mitigations Focus on domain specific contextual data for PAM, initially authentication & connection events Future integration with other CA products (and their data) enable effortless and accurate access to event data System extracts critical information about activities and environment Locations System access Devices Sensitivity Behavior captured and modeled for fast evaluation Changes in model are evaluated to detect risk and malicious activity Trigger automated controls to mitigate risk Start a session recording Force a re-authentication Generate actionable alerts Enable context rich reporting

24 Threat Analytics for PAM Advanced Behavior Analytics and Automated Mitigation Advanced Capabilities Automated detection, mitigation and alerting for critical threats that complements existing PAM, SIEM and SOC workflows and provide continuous intelligent monitoring Advanced behavior analytics enable enterprise to detect attacks using same approach used by banks to defeat credit card fraud - using historic and real-time activity to assess context and analyze risk Integrated risk mitigations and controls, including triggering session recording and re-authentication, close the door on insiders and attackers. Compelling Benefits Reduced risk - automated analytics provide both threat detection and contextual rich view of user behavior. Meaningful insight - simplifies risk mitigation, incident response and compliance provided via context rich user interfaces that expose and make it easy to access information regarding user, events and system activities. Quick time-to-value - Immediately delivers compelling user experience with human-understandable risk and insights Easy deployment - Deploys as single, virtual machine no special skills or significant effort required

25 Why CA?

26 Key CA Differentiators Scalability CA PAM requires only a pair of appliances to protect thousands of resources supporting upward of 4000 concurrent sessions. Competing solutions require multiple servers, supports far fewer concurrent sessions and is difficult and costly - to deploy. Quick Time-To-Value CA PAM is delivered as an appliance that can be installed in hours, compared to the weeks it takes to install and configure multiple servers with competing products. This means you can be up and running quickly, gain rapid time to protection across your hybrid enterprise, and relish ease of administration. Defense-In-Depth Only CA can offer a comprehensive solution for privileged access management, delivering both the broad protection and simplified deployment of a network-based solution, and the fine-grained protections enabled by a host-based product. Unlike other vendors, CA supports the needs of the enterprise today and in the future.

27 Why CA - Footprint Comparison of Leading Solutions Which infrastructure would you rather deploy, maintain and support? Competitor 1 Competitor 2 CA PAM Cluster CA PAM Components for 1500 Servers

28 What Others Are Saying Testimonial With CA Privileged Access Manager, we have greater visibility into the activities of our privileged users. In addition, we have significantly reduced our risks from insider threats. - Michael Nawrocki, Senior IT Architect, Telesis Corporation Testimonial The access control component is solid. It adds another layer of security from the basic OS security of Linux and Windows. - Quote from a review of CA Privileged Access Manager via IT Central Station TECHVALIDATE RESULTS 86% of surveyed IT organizations have significantly improved their confidence in protecting against breaches with CA Privileged Access Manager 88% of surveyed IT organizations were able to reduce security and compliance risks by more than 50% with CA Privileged Access Manager 90% of surveyed IT organizations addressed audit and compliance demands associated with controlling and managing privileged access with CA Privileged Access Manager

29 Recommendations

30 Recommendations Develop a privileged access management program Begin with the end in mind Include all privileged users Include all privileged access On-prem, cloud, SaaS, SDDN Include session recording Incorporate 2FA/MFA Automate analytics and event handling Prioritize highest risk access first Turn program into an advantage for administrators 30

31 Thank you

32 Alan Hrabinski Senior Security Strategist

33 Legal All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or noninfringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein.