Implementing NIST Cybersecurity Framework Standards with BeyondTrust Solutions


TECH BRIEF
Implementing NIST Cybersecurity Framework Standards with BeyondTrust Solutions
Privileged Access Management & Vulnerability Management

Contents
Cybersecurity Framework Overview
The Role of Privileged Access Management in Meeting Cybersecurity Framework Requirements
BeyondTrust Alignment to Framework Core Functions
Identify
Protect
Detect
Respond
About BeyondTrust

TECH TIP: In many cases, features associated with successfully implementing a function or control may be found in multiple BeyondTrust products. If a specific product is not listed in the capabilities description, then several products help address the capability. For a deeper examination of specific capabilities as they align to specific NIST SP r4 controls, please reference our guide Addressing NIST SP Requirements.

Cybersecurity Framework Overview

In February 2014 the National Institute of Standards and Technology (NIST), in response to Executive Order 13636, released the Framework for Improving Critical Infrastructure Cybersecurity, now referred to widely as the Cybersecurity Framework. The executive order called for the development of a risk-based framework for critical infrastructure organizations to voluntarily manage their cybersecurity risks. This standard was to be based on industry best practices and international standards. The adoption of the framework has steadily increased since its initial release. It has now become the standard for many organizations globally and is being adopted widely by U.S. Government agencies.

The Cybersecurity Framework, developed in partnership between industry and government, was designed to provide a universal standard, yet be flexible enough to address an organization's unique risks and risk tolerance. It is a living document [1] that will be refined as technology and practices evolve and industry continues to provide feedback. The risk-based approach developed for the framework is based on three sections: the Core, Implementation Tiers and Profile. The framework core is a set of desired actions, outcomes and references across critical infrastructure sectors. This core consists of five functions: Identify, Protect, Detect, Respond, and Recover. The recommendations within the core map back to several globally recognized standards, including NIST SP r4.

The Role of Privileged Access Management in Meeting Cybersecurity Framework Requirements

Controlling and monitoring privileged access is extremely important to mitigating the risks posed by insider threats, preventing data breaches, and meeting compliance requirements. But security and IT leaders must walk a fine line between protecting the organization's critical data to ensure business continuity, and enabling users and administrators to be productive.
Disparate, disjointed tools deployed and managed in silos leave gaps in coverage over privileged access. This legacy model is expensive, difficult to manage, and requires too much time to show any meaningful risk reduction. It also impedes the adoption of best practices like those called out in the Cybersecurity Framework as well as compliance achievement with mandates like FISMA.

The BeyondTrust PowerBroker family of solutions delivers the complete spectrum of privileged access management to meet the cybersecurity framework requirements mandated by the United States Government. From establishing and enforcing least privilege on endpoints and servers, to securing enterprise credentials, PowerBroker unifies best-of-breed capabilities into a single, integrated platform that acts as a central policy manager and primary reporting interface. Leveraging vulnerability data from BeyondTrust's Retina and other third party vulnerability assessment solutions (including ACAS) provides a complete picture of privileged system and asset security, including for network, cloud and virtual assets. This zero-gap coverage reduces risk by ensuring that no assets are left unprotected. This unified approach enables agencies to take advantage of a modular implementation strategy, adding products and capabilities as each access control is implemented.

[1] Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 NIST February 12,

BeyondTrust Alignment to Framework Core Functions

For the purpose of this brief, we'll explore the Cybersecurity Framework functions that include areas of privileged access management, vulnerability management, behavioral and threat analytics guidelines and practices supported by BeyondTrust as they align to the specific NIST SP r4 controls referenced in the framework. Information is organized by the five functional areas of the framework: Identify, Protect, Detect, Respond, and Recover.

IDENTIFY

Asset Management
ID.AM-2: Software platforms and applications within the organization are inventoried.
ID.AM-3: Organizational communication and data flows are mapped.
ID.AM-4: External information systems are cataloged.

BeyondTrust vulnerability management (Retina) solutions can scan and enumerate attributes about a system (i.e. software, software version, machine name, and more). This information can be used for tracking and reporting. BeyondTrust provides a central repository of all the inventory collected.

PowerBroker privileged access management (PAM) products:
- Allow for targeted policies that regulate which devices can communicate with each other, and assist in specified criteria that establishes what type of data is allowed.
- Provide authorization usage data to support interconnection security agreements.
- Provide a complete audit trail of actions taken by privileged users.
- Provide a secure, hardened RDP & SSH "Proxy." The proxy approach helps to define protective boundaries between environments.
- Can implement both deny all policies, and deny all except policies for whitelisting.
- Allow for security compliance checks before privilege commands or events are executed.

The BeyondTrust IT Risk Management Platform utilizes a Microsoft SQL backend for its database. It can also integrate with change management databases from various vendors, like ServiceNow, which provides cataloging, by means of our free built-in connectors.

Risk Assessment
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
ID.RA-1: Asset vulnerabilities are identified and documented.

BeyondTrust vulnerability management solutions provide the capability to logically group assets/scans based on attributes and characteristics important to an agency. This capability is called Smart Groups and is one feature that differentiates our technology from others in this space.

The BeyondTrust IT Risk Management Platform includes an enterprise-class network security scanner. This solution:
- Can launch enterprise scans on a scheduled or ad hoc basis. Organizations can perform both credentialed and non-credentialed scans to retrieve asset information.
- Will process all information discovered by the security scanner and will enumerate software, platform, and configurations, and compare the findings against known vulnerabilities and best practices. The platform will process all information discovered by the security scanner and provide a vulnerability impact report.

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources.
ID.RA-3: Threats, both internal and external, are identified and documented.
ID.RA-4: Potential business impacts and likelihoods are identified.

The BeyondTrust vulnerability management solution, Retina, associates vulnerabilities with several databases of known exploits from multiple penetration testing tools such as Core, Metasploit, Exploit DB and Canvas in addition to many others. Retina and BeyondSaaS can perform vulnerability and access scans across both internal and external systems, and will identify and document potential threats, and even help tie risk scores to the various items found.
Retina can assist in classifying vulnerability information as well as various other auditable events. Retina will perform vulnerability and access scans across an environment and help tie risk scores to the various items found.

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
ID.RA-6: Risk responses are identified and prioritized.

The BeyondTrust IT Risk Management Platform includes a built-in threat management feature, which:
- Allows correlation of user activity with vulnerability data, to determine where an attack originated, and its history within the protected environment.
- Processes all information discovered by the security scanner and will enumerate software, platform, and configurations, and compare the findings against known vulnerabilities, exploits, and best practices, and provide a vulnerability impact report.
- Incorporates pivot grid technology to allow for analysis of scan results and comparing security assessments.

The BeyondTrust IT Risk Management platform can:
- Assist with the identification, prioritization and remediation of flaws in information systems.
- Assist with the deployment of security patches.
- Provide many vulnerability trending reports that assist in measuring time between identification and remediation.

PROTECT

Access Control
PR.AC-1: Identities and credentials are managed for authorized devices and users.

PowerBroker privileged access management (PAM) solutions:
- Provide controls to assist with the identification of accounts based on targeted functions. Group based policy allows delegated rights to be assigned to managers of information system accounts. Authorized users and groups of users may be defined to determine rights and roles of access to information systems and accounts.
- Provide control and audit of access to privileged accounts such as shared administrative accounts, application accounts, local administrative accounts, service accounts, database accounts, cloud and social media accounts, devices and SSH keys.
- Manage system and account passwords, providing a variety of password policies covering complexity, rotation, release and expiration for credentialed users, considering their complexity, lifetime as well as prohibiting re-use. Passwords can also be managed long term with restricted access/use to authorized individuals and services.

PR.AC-3: Remote access is managed.
PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
PR.AC-5: Network integrity is protected, incorporating network segregation, where appropriate.

The PowerBroker privileged access management (PAM) platform incorporates role-based access control policies that limit and restrict access to only authorized users. PowerBroker implements cryptographic mechanisms to protect the confidentiality and integrity of remote access solutions, and forces information system routes for all remote accesses through managed network access control points. PowerBroker Password Safe, PowerBroker for Unix & Linux and PowerBroker for Windows can automatically terminate a user's session based on idle time or a preset length of time that a session is active. Sessions can also be manually terminated.

BeyondTrust privileged access management (PAM) and vulnerability management solutions are designed around the principle of least privilege. They provide the controls required to dictate a user's access rights, allowable application launches, as well as the rights associated with those applications. In addition, all actions attempted or taken by end-users can be reported for additional analysis and forensics. Patented privilege elevation capabilities grant privileges to applications and tasks, not users, without providing administrator credentials. BeyondTrust enables organizations to leverage vulnerability data from Retina and other PowerBroker privileged access management (PAM) platform products for a complete picture of privileged application and asset security. PowerBroker centrally controls privileged access management policies and deployment, and reports to multiple stakeholders. Reporting is available for all actions attempted or taken by users to enable additional analysis and forensics.
Both PowerBroker for Unix & Linux and PowerBroker Identity Services allow for targeted policies that regulate which devices can communicate with each other, and assist in specified criteria that establishes what type of data is allowed. This solution provides a granular policy engine which allows administrators to dissect information transfer between security domains, and based on real-time findings, trigger enforcement of organizational policy. PowerBroker enables agencies to allow and direct all access to sensitive assets via a centralized channel. This access is further secured through security controls, access policies, and session monitoring.

Data Security
PR.DS-1: Data-at-rest is protected.
PR.DS-2: Data-in-transit is protected.
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-4: Adequate capacity to ensure availability is maintained.
PR.DS-5: Protections against data leaks are implemented.
PR.DS-7: The development and testing environment(s) are separate from the production environment.

Information Protection Processes and Procedures
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained.

Data-at-rest stored within our products is protected using AES 256 encryption. Data-in-transit is encrypted via HTTPS/TLS and certificates, as well as SSL and Hash Values/Checksums on installers.

BeyondTrust vulnerability management solutions can scan and enumerate attributes about a system (i.e. software, software version, machine name, etc.). This information can be used for tracking and reporting.

Audit records generated by the BeyondTrust audit event can be transferred, archived and/or moved as required by the system administrator and organizational defined storage requirements.

BeyondTrust privileged access management (PAM) and vulnerability management solutions are designed around the principle of least privilege. They provide the controls required to dictate a user's access rights, allowable application launches, as well as the rights associated with those applications. In addition, all actions attempted or taken by end-users can be reported for additional analysis and forensics. Patented privilege elevation capabilities grant privileges to applications and tasks, not users, without providing administrator credentials. Leverage vulnerability data from Retina and other PowerBroker PAM platform products for a complete picture of privileged application and asset security.
Centrally control privileged access management policies and deployment, and report to multiple stakeholders.

Retina, the BeyondTrust vulnerability management solution, can scan and report against configuration compliance benchmarks.

BeyondTrust products can be used in both a Development / Test environment and a Production environment.

Retina, the BeyondTrust vulnerability management solution, can scan and report against SCAP configuration benchmarks. This can help validate if configuration changes have been applied to systems.

The PowerBroker PAM platform can be:
o Configured to allow/block the execution/installation of applications based on their signature.
o Implemented to support a least privilege model, limiting privileges including those that allow changes to systems.
o Configured to monitor, log or alert when certain system changes occur.

PR.IP-3: Configuration change control processes are in place.
PR.IP-7: Protection processes are continuously improved.

Retina, the BeyondTrust vulnerability management solution, can:
- Limit the access/privilege of a user until approvals are received.
- Scan and report against configuration compliance benchmarks. This can help validate if configuration changes have been applied to systems.
- Delta reports can be used to quickly identify system changes.

BeyondTrust privileged access management (PAM) and vulnerability management solutions:
o Control and audit across supported platforms and information systems.
o Provide a detailed audit trail as well as an executive style report to assist in assessing security controls effectiveness.
o Provide detailed asset information to assist in the security assessment.
o Include a comprehensive audit and reporting console to help organizations determine what controls have been implemented. Reports can be run ad hoc or subscribed to be received on a regular basis.
o Reporting and analytics console supports full roles-based access controls to support an organization's defined roles or individuals.
o Return valuable information that is used for assessment. The solution allows for role-based access control when viewing such assessment data to support a clear separation of duties.
o Provide reports for privileged user access, privilege commands that are executed, as well as vulnerability data.

Continuous Monitoring is supported across a variety of BeyondTrust solutions.
o BeyondTrust privileged access management (PAM) and vulnerability management solutions provide a mechanism to perform continuous monitoring based on the organization's defined metrics. Many commonly used metrics are predefined within the solution. These continuous monitoring mechanisms can be tailored to meet an organization's frequency requirements.
o The PowerBroker privileged access management (PAM) platform provides privileged command execution and file integrity monitoring. This information can be presented for both scheduled reports and alerting, ensuring compliance.
o The BeyondTrust IT Risk Management Platform offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust privileged access management and vulnerability management solutions as well as third party feeds. These clusters can help identify patterns indicating malicious activity. This includes a reporting feature that allows for quicker and easier ways to summarize audit data, targeting the most meaningful information quickly and easily based on internal and external filters.
o Features within the BeyondTrust IT Risk Management platform allow for the discovery of and reporting on security related trends within an organization. This information can be distributed directly from the tool or sent to external systems.

PR.IP-12: A vulnerability management plan is developed and implemented.

The BeyondTrust IT Risk Management Platform:
- Includes an enterprise-class network security scanner. Scans can be performed on a scheduled basis and ad hoc. Organizations can perform both credentialed and non-credentialed scans to retrieve asset information.
- Will process all information discovered by the security scanner and will enumerate software, platform, and configurations, and compare the findings against known vulnerabilities and best practices, then provide a vulnerability impact report.
- Incorporates pivot grid technology to allow for analysis of scan results and comparison of security assessments.
- Can be used to remediate vulnerabilities with prescriptive guidance.
- Utilizes role-based access control when disseminating reporting and analytic information.
- Is configured to receive regular updates as new vulnerabilities are discovered.
- Allows for granular configuration when determining what system information is discovered during network security scans.
- Allows for both credentialed and non-credentialed scans of information systems.

- Includes numerous reporting options allowing for the comparison of collected vulnerability data between defined dates or against an initial baseline. These also include identification of vulnerabilities that have been previously exploited in the wild.
- Includes a built-in threat management feature, which allows correlation of user activity with vulnerability data, to determine where an attack originated, and its history within the protected environment.
- Integrates password management directly with the scanner, allowing for automatic password retrieval and rotation when performing credentialed scans.

Protective Technology
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality.
PR.PT-4: Communications and control networks are protected.

BeyondTrust audit records contain the standard who, what, where and when, along with many other relevant tracking details specific to the platform or product that is generating the audit event. Session recording is offered on systems that make sense, and detailed timeline audit trails are provided everywhere else. Once authenticated by the solution, all actions performed by an individual are audited. These audit logs can be reviewed to quickly trace all actions that were performed by that individual during that session or previous sessions.

PowerBroker privileged access management (PAM) solutions:
- Provide the controls required to dictate a user's access rights, allowable application launches, as well as the rights associated with those applications. In addition, all actions attempted or taken by end-users can be reported for additional analysis and forensics.
- Incorporate Role Based Access Controls (RBAC) policies that limit and restrict access to only authorized users. These can be implemented based on individual or group membership.
- Support dynamic privilege management to ensure that privileges are immediately implemented on policy change. Privileged role assignments may be monitored, logged, and revoked when roles change within the organization. Adaptive workflow allows access to be based upon day, date, time and location.

The PowerBroker privileged access management (PAM) platform incorporates role-based access control policies that limit and restrict access to only authorized users. BeyondTrust solutions help implement cryptographic mechanisms to protect the confidentiality and integrity of remote access solutions, and force information system routes for all remote accesses through managed network access control points. PowerBroker Password Safe, PowerBroker for Unix & Linux and PowerBroker for Windows can automatically terminate a user's session based on idle time or a preset length of time that a session is active. Sessions can also be manually terminated. All communication is encrypted via HTTPS/TLS, and certificates. The password database is encrypted using AES 256.

DETECT

Anomalies and Events
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods.

Both PowerBroker for Unix & Linux and PowerBroker Identity Services allow for targeted policies that regulate which devices can communicate with each other, and assist in specified criteria that establishes what type of data is allowed. This solution provides a granular policy engine which allows administrators to dissect information transfer between security domains, and based on real-time findings, trigger enforcement of organizational policy. Based on a set of identifiers, PowerBroker privileged access management (PAM) platform products can be set to allow/disallow commands or authentication, thereby limiting or enforcing data structure and content.

BeyondTrust Privilege Management solutions provide:
o Authorization usage data to support interconnection security agreements.
o A complete audit trail of actions taken by privileged users.
o A secure, hardened RDP & SSH "Proxy." The BeyondTrust proxy approach helps to define protective boundaries between environments.

The BeyondTrust IT Risk Management Platform:
o Acts as a security information and event management platform for BeyondTrust privileged access management (PAM) and vulnerability management solutions which provides centralized logging with audit and reporting capabilities.
o Offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust privileged access management and vulnerability management solutions as well as third party feeds. These clusters can help identify patterns indicating malicious activity.
o Includes a reporting feature that allows for quicker and easier ways to summarize audit data, targeting the most meaningful information quickly and easily based on internal and external filters.

BeyondTrust privileged access management (PAM) and vulnerability management solutions:
o Provide a mechanism to perform continuous monitoring based on the organization's defined metrics. Many commonly used metrics are predefined within the solution. These continuous monitoring mechanisms can be tailored to meet an organization's frequency requirements.
o Provide a security dashboard view to gain insight into an organization's security status based on defined metrics.

The PowerBroker privileged access management (PAM) platform provides privileged command execution and file integrity monitoring. This information can be presented for both scheduled reports and alerting, ensuring compliance.

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
DE.AE-4: Impact of events is determined.

BeyondTrust IT Risk Management Platform offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust privileged access management (PAM) and vulnerability management solutions as well as third party feeds. These clusters can help identify patterns indicating malicious activity.

The BeyondTrust IT Risk Management Platform will perform vulnerability and access scans across an environment and help tie risk scores to the various items found.

In BeyondTrust privileged access management (PAM) and vulnerability management solutions, because a user is authenticated by either a local group membership, LDAP, or Active Directory, that user's identity is captured regardless of organizational boundaries. Once authenticated by the solution, all actions performed by an individual are audited.
These audit logs can be reviewed to quickly trace all actions that were performed by that individual during that session or previous sessions.

Security Continuous Monitoring
DE.CM-1: The network is monitored to detect potential cybersecurity events.
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.

BeyondTrust privileged access management (PAM) and vulnerability management solutions provide a mechanism to perform continuous monitoring based on the organization's defined metrics. Many commonly used metrics are predefined within the solution. These continuous monitoring mechanisms can be tailored to meet an organization's frequency requirements.

The PowerBroker privileged access management (PAM) platform provides privileged command execution and file integrity monitoring. This information can be presented for both scheduled reports and alerting, ensuring compliance.

BeyondTrust privileged access management (PAM) and vulnerability management solutions provide a security dashboard view to gain insight into an organization's security status based on defined metrics.

The BeyondTrust IT Risk Management Platform offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust privileged access management and vulnerability management solutions as well as third party feeds. These clusters can help identify patterns indicating malicious activity.

The BeyondTrust IT Risk Management Platform allows environments to be scanned for usage and configuration, and can scan system accounts to determine privilege set up and use.

In the PowerBroker privileged access management (PAM) platform, all actions performed by a user/administrator are logged and time-stamped. Reports can be generated to view a complete audit trail. All audit information can be retrieved and presented in the most common formats. Audit information can be adjusted to meet any organizational requirements.
The BeyondTrust IT Risk Management Platform offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust privileged access management (PAM) and vulnerability management solutions as well as third party feeds, including when a system has been disconnected, or data has been downloaded to a removable drive, or other similar types of activity. These clusters can help identify patterns indicating malicious activity.

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
DE.CM-4: Malicious code is detected.
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.

BeyondTrust privileged access management (PAM) and vulnerability management solutions provide a mechanism to perform continuous monitoring based on the organization's defined metrics. Many commonly used metrics are predefined within the solution. These continuous monitoring mechanisms can be tailored to meet an organization's frequency requirements.

In the PowerBroker privileged access management (PAM) platform, all actions performed by a user/administrator are logged and time-stamped. Reports can be generated to view a complete audit trail. Once authenticated by the solution, all actions performed by an individual are audited. These audit logs can be reviewed to quickly trace all actions that were performed by that individual during that session or previous sessions.

PowerBroker for Windows, together with the BeyondTrust IT Risk Management Platform, evaluates all recorded application data for the presence of known malicious code. This information is used in real time, at application launch, to deny or quarantine and report on further attempts to execute this software throughout the enterprise.

In the PowerBroker privileged access management (PAM) platform, all actions performed by a user/administrator are logged and time-stamped. Reports can be generated to view a complete audit trail. Once authenticated by the solution, all actions performed by an individual are audited. These audit logs can be reviewed to quickly trace all actions that were performed by that individual during that session or previous sessions.

Anomalies to normal or expected activity are identified and reported on as potential cybersecurity events, allowing security personnel to investigate and preemptively remediate.

Once installed and configured, PowerBroker privileged access management (PAM) solutions will automatically monitor for unauthorized activity. Its core functionality will:
o Control user access to enterprise systems.
o Limit their activity to only those tasks necessary to do their jobs.
o Prevent users from performing unauthorized activities.
o Prevent unauthorized personnel from accessing enterprise systems.
o Report on attempts by user to perform unauthorized actions.
o Report on attempts by unauthorized personnel to access enterprise systems.
o Connections, device or software installation, are initiated by users, so any unauthorized install would be prevented by PowerBroker, and the attempt would be logged and reported.

DE.CM-8: Vulnerability scans are performed.

The BeyondTrust IT Risk Management Platform:
o Includes an enterprise-class network security scanner. Scans can be performed on a scheduled basis and ad hoc. Organizations can perform both credentialed and non-credentialed scans to retrieve asset information.
o Will process all information discovered by the security scanner and will enumerate software, platform, and configurations, and compare the findings against known vulnerabilities and best practices. The platform will process all information discovered by the security scanner and provide a vulnerability impact report.
o Incorporates pivot grid technology to allow for analysis of scan results and comparison of security assessments.
o Can be used to remediate vulnerabilities.
o Utilizes role-based access control when disseminating reporting and analytic information.
o Is configured to receive regular updates as new vulnerabilities are discovered.
o Allows for granular configuration when determining what system information is discovered during network security scans.
o Allows for both credentialed and non-credentialed scans of information systems. PowerBroker Password Safe integrates directly with the scanner, allowing for automatic password retrieval and rotation when performing credentialed scans.
o Includes numerous reporting options allowing for the comparison of collected vulnerability data between defined dates or against an initial baseline.
These also include identification of vulnerabilities that have been previously exploited in the wild. 15

o Includes a built-in threat management feature, which allows correlation of user activity with vulnerability data, to determine where an attack originated, and its history within the protected environment.

The BeyondTrust Retina Network Security Scanner incorporates a very broad and deep array of vulnerabilities and target asset definitions.

Detection Processes

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
DE.DP-2: Detection activities comply with all applicable requirements.
DE.DP-3: Detection processes are tested.

PowerBroker provides accountability to a user in detecting their activities by using the identity information that is defined and authenticated in either a local group membership, LDAP, or Active Directory. This includes their roles and responsibilities across organization boundaries.

BeyondTrust privileged access management (PAM) and vulnerability management solutions:
o Control and audit across supported platforms and information systems.
o Provide a detailed audit trail as well as an executive style report to assist in assessing security controls effectiveness.
o Include a comprehensive audit and reporting console to help organizations determine what controls have been implemented. Reports can be run ad hoc or subscribed to be received on a regular basis. The reporting and analytics console supports full role-based access controls to support an organization's defined roles or individuals.
o Provide detailed asset information to assist in the security assessment. The solution allows for role-based access control when viewing such assessment data to support a clear separation of duties.
o Provide reports for privileged user access, privilege commands that are executed, as well as vulnerability data.

The PowerBroker privileged access management (PAM) platform provides privileged command execution and file integrity monitoring. This information can be presented for both scheduled reports and alerting, ensuring compliance.

BeyondTrust privileged access management (PAM) and vulnerability management solutions provide a security dashboard view to gain insight into an organization's security status based on defined metrics.

DE.DP-4: Event detection information is communicated to appropriate parties.
DE.DP-5: Detection processes are continuously improved.

BeyondTrust unifies best-of-breed capabilities into a single, integrated platform that acts as a central policy manager and primary reporting interface.

The BeyondTrust IT Risk Management Platform:
o Centrally controls privileged access management policies and deployment, and reports to multiple stakeholders.
o Offers an advanced threat analytics feature that analyzes and pinpoints anomalies within the data collected from BeyondTrust solutions as well as third-party feeds. These clusters can help identify patterns indicating malicious activity.
o Can be used to monitor events from all BeyondTrust solutions connected to it.
o Can generate automated emails/alerts based on various usage conditions including usage and access changes.

BeyondTrust solutions support improved detection processes over time. Since detection is based on correlation of data, the greater the volume and diversity of the data over time, the greater the result.

RESPOND

Communications
RS.CO-2: Events are reported consistent with established criteria.
RS.CO-3: Information is shared consistent with response plans.
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

Analysis
RS.AN-1: Notifications from detection systems are investigated.

The BeyondTrust IT Risk Management Platform provides various types and styles of reports based on established criteria such as Executive, Auditor, Administrator, Approver, etc.

Reports generated by the BeyondTrust IT Risk Management Platform can be scheduled for delivery based on various factors including report type, how often, who receives what report, delivery method, etc.

The BeyondTrust IT Risk Management Platform includes over 270 reports in addition to the ability to create custom reports as desired. The output of these reports can be shared with external stakeholders.

The BeyondTrust IT Risk Management Platform can import data from not only our PowerBroker and Retina security products, but also third-party security tools. After import, our Threat Analytics function combines and correlates the data to help predict where a cyber event may be developing.

RS.AN-2: The impact of the incident is understood.
RS.AN-3: Forensics are performed.

Mitigation
RS.MI-1: Incidents are contained.
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

The BeyondTrust IT Risk Management Platform can help with the configuration and interpretation of events and alerts generated by BeyondTrust products such that the impact of an incident is clearly defined.

BeyondTrust solutions are designed around the principle of least privilege. They provide the controls required that dictate a user's access rights, allowable application launches, and rights associated with those applications. In addition, all actions attempted or taken by end-users can be reported for additional analysis and forensics.

PowerBroker privileged access management (PAM) solutions can automatically terminate a user's session based on idle time or a pre-set length of time a session is active, or sessions can be manually terminated.

The BeyondTrust IT Risk Management Platform:
o Includes an enterprise-class network security scanner. Scans can be performed on a scheduled basis and ad hoc. Organizations can perform both credentialed and non-credentialed scans to retrieve asset information.
o Will process all information discovered by the security scanner and will enumerate software, platform, and configurations, and compare the findings against known vulnerabilities and best practices. The platform will process all information discovered by the security scanner and provide a vulnerability impact report.
o Incorporates pivot grid technology to allow for analysis of scan results and comparison of security assessments.
o Can be used to remediate vulnerabilities.
o Is configured to receive regular updates as new vulnerabilities are discovered.

About BeyondTrust

BeyondTrust is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: privileged access management and vulnerability management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit


More information

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_

More information

ForeScout Extended Module for Splunk

ForeScout Extended Module for Splunk Enterprise Strategy Group Getting to the bigger truth. ESG Lab Review ForeScout Extended Module for Splunk Date: May 2017 Author: Tony Palmer, Senior Lab Analyst Abstract This report provides a first look

More information

Acalvio Deception and the NIST Cybersecurity Framework 1.1

Acalvio Deception and the NIST Cybersecurity Framework 1.1 Acalvio Deception and the NIST Cybersecurity Framework 1.1 June 2018 The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

Fabrizio Patriarca. Come creare valore dalla GDPR

Fabrizio Patriarca. Come creare valore dalla GDPR Fabrizio Patriarca Come creare valore dalla GDPR Disclaimer Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data

More information

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

EXABEAM HELPS PROTECT INFORMATION SYSTEMS WHITE PAPER EXABEAM HELPS PROTECT INFORMATION SYSTEMS Meeting the Latest NIST SP 800-53 Revision 4 Guidelines SECURITY GUIDELINE COMPLIANCE There has been a rapid increase in malicious insider threats,

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

IT Security Mandatory Solutions. Andris Soroka 2nd of July, RIGA

IT Security Mandatory Solutions. Andris Soroka 2nd of July, RIGA IT Security Mandatory Solutions Andris Soroka 2nd of July, 2014 @LPS, RIGA Data Security Solutions business card Specialization IT Security IT Security services (consulting, audit, pen-testing, market

More information

Cybersecurity Auditing in an Unsecure World

Cybersecurity Auditing in an Unsecure World About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Signature Repository A Signature Repository provides a group of signatures for use by network security tools such

More information

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

A Measurement Companion to the CIS Critical Security Controls (Version 6) October A Measurement Companion to the CIS Critical Security Controls (Version 6) October 2015 1 A Measurement Companion to the CIS Critical Security Controls (Version 6) Introduction... 3 Description... 4 CIS

More information

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf

More information

Meeting RMF Requirements around Compliance Monitoring

Meeting RMF Requirements around Compliance Monitoring Meeting RMF Requirements around Compliance Monitoring An EiQ Networks White Paper Meeting RMF Requirements around Compliance Monitoring Purpose The purpose of this paper is to provide some background on

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive

More information

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com DFARS Compliance SLAIT Consulting SECURITY SERVICES Mike D Arezzo Director of Security Services Introduction 18+ year career in Information Technology and Security General Electric (GE) as Software Governance

More information

Xerox and Cisco Identity Services Engine (ISE) White Paper

Xerox and Cisco Identity Services Engine (ISE) White Paper Xerox and Cisco Identity Services Engine (ISE) White Paper Contents Securing Your Networked Printing Devices... 1 Providing Security in an Internet of Things World... 1 Cisco ISE: A Powerful, Simple and

More information

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved. EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT An Insight Cyber White Paper Copyright Insight Cyber 2018. All rights reserved. The Need for Expert Monitoring Digitization and external connectivity

More information

An Oracle White Paper April Oracle Technology for Government Cybersecurity

An Oracle White Paper April Oracle Technology for Government Cybersecurity An Oracle White Paper April 2014 Oracle Technology for Government Cybersecurity Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location: Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security

More information

RiskSense Attack Surface Validation for Web Applications

RiskSense Attack Surface Validation for Web Applications RiskSense Attack Surface Validation for Web Applications 2018 RiskSense, Inc. Keeping Pace with Digital Business No Excuses for Not Finding Risk Exposure We needed a faster way of getting a risk assessment

More information

SecureVue. SecureVue

SecureVue. SecureVue SecureVue SecureVue Detects Cyber-Attacks Before They Impact Your Business Provides Situational Awareness to Proactively Address Enterprise Threats Ensures Quick and Easy Compliance Reporting and Documentation

More information

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Critical Security Control Solution Brief Version 6 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable,

More information

The Value of Migrating from Cisco Tidal Horizon to Cisco Process Orchestrator

The Value of Migrating from Cisco Tidal Horizon to Cisco Process Orchestrator White Paper The Value of Migrating from Cisco Tidal Horizon to Cisco Process Orchestrator Migrating from Cisco Tidal Horizon for SAP to Cisco Process Orchestrator can help you reduce total cost of ownership

More information