PRIVILEGED ACCESS MANAGEMENT: The Key to Protecting Your Business Amid Cybercrime's Current Boom
Cybercrime Is a Growth Industry

Thanks to numerous headline-making incidents in recent years, cybercrime has risen toward the top of the concern list for many organizations and the customers with whom they do business. You've heard many of the stories. Major health insurers, such as Anthem, Premera BlueCross and CareFirst, had personal information for millions of their customers stolen. Sony Pictures experienced a breach that not only embarrassed employees and adversely impacted the release of the high-profile film The Interview, but also damaged systems and applications, making it extremely difficult for the company to conduct business. The list goes on. Some you may not have heard, like the one about CodeSpaces, a provider of version management services to developers. When attackers gained access to its cloud-based management consoles, they deleted the company's entire infrastructure and backups, ultimately forcing CodeSpaces out of business.

The bad news for organizations like yours is that, thanks to the demands of the application economy and the transition to hybrid infrastructures, protecting against these threats has only gotten more challenging.

THE REALITY IS, CYBERCRIME IS A GROWTH INDUSTRY.

$400 BILLION: Intel Security estimates that the annual cost to the global economy from cybercrime is more than $400 billion.[1]
$3 TRILLION CYBERCRIME POTENTIAL: McKinsey believes that number will skyrocket to $3 trillion in 10 years.[2]

[1] Intel Security, Net Losses: Estimating the Global Loss of Cybercrime, June 2014.
[2] World Economic Forum in collaboration with McKinsey & Company, Risk and Responsibility in a Hyperconnected World, January 2014.
New Vulnerabilities in the Application Economy

To not only survive but thrive in the application economy, many businesses are undergoing a digital transformation in which they add digital components to all of their products and services. This means having to develop for and integrate with a variety of APIs, microservices, cloud applications and infrastructures, while continuing to manage, optimize and protect their current environments. This transformation has created a whole new set of attack surfaces that must be defended, in addition to the existing infrastructure you've been protecting for years. These new points of vulnerability include:

HYBRID ENVIRONMENTS: As your IT environment has evolved to include software-defined data centers and networks, and expanded outside of your four walls to incorporate public cloud resources and software-as-a-service (SaaS) applications, the traditional way of approaching administration and management quickly falls apart, mainly because it fails to protect new attack surfaces like management consoles and APIs.

ADMINISTRATIVE POWER: In addition, administrators have concentrated power in these evolving environments, because they can define or redefine an organization's entire IT infrastructure with just the push of a button.

AUTOMATION TOOLS: In more sophisticated IT shops, some of these processes see no human intervention at all. Tasks like provisioning, administration and management are automated with scripts or tools like Chef and Puppet, often using hard-coded administrative credentials that are ripe for theft and misuse.

When you add up these vulnerabilities, it becomes clear how much havoc an attacker could wreak in your environment if he or she were able to gain the appropriate access.
The Risks of Privileged Accounts and Credentials

Did you know that stealing and exploiting privileged accounts is a critical success factor for attackers in 100 percent of all advanced attacks, regardless of attack origin?[3] Sounds like more bad news, right? Thankfully, there is a positive angle you can take on this fact. If privileged accounts are the common thread among the innumerable attack types and vulnerability points, then these accounts and the credentials associated with them are exactly where you should focus your protection efforts.

By 2018, the inability of organizations to properly scope and contain privileged access will be responsible for up to 60 percent of insider misuse and data theft incidents, up from more than 40 percent today.[4]

For many, it's tough to focus on privileged users as a group, because the population can be so diverse. For example, it can include privileged insiders who work for you, privileged outsiders who represent third-party vendors and contractors, and even privileged unknowns who are securing shadow IT resources without your knowledge. This raises the question: if you can't even get a clear tally of who makes up your privileged user population, how can you hope to protect these accounts? By securing those credentials at each stop along the breach kill chain.

[3] CyberSheath Services International, The Role of Privileged Accounts in High Profile Breaches, May 2014.
[4] Gartner, Inc., Twelve Best Practices for Privileged Access Management, Anmol Singh and Felix Gaehtgens, October 8, 2015.
Getting to Know the Kill Chain

What is a kill chain? It's the series of steps an attacker typically follows when carrying out a breach.

[Figure: kill-chain diagram. A threat actor crosses the network perimeter (external threats), then proceeds through Gain/Expand Access; Elevate Privilege; Lateral Movement, Reconnaissance; Wreak Havoc; and finally C&C and Data/IP Exfiltration.]

While the chain can comprise numerous steps, there are four key ones in which privileged credentials represent the cornerstone of an attack:

GAIN AND EXPAND ACCESS: To access the network, insiders might exploit the credentials they already have, while outsiders will exploit a vulnerability in the system (e.g., via a spear-phishing attack) to steal the necessary credentials.

ELEVATE PRIVILEGES: Once inside, attackers will often try to elevate their privileges so they can issue commands and gain access to whatever resources they're after.

INVESTIGATE AND MOVE LATERALLY: Attackers rarely land in the exact spot where the data they're seeking (e.g., credit card records, personal information, etc.) is located, so they'll investigate and move around in the network to get closer to their ultimate goal.

WREAK HAVOC: Once they have the credentials they need and have found exactly what they're looking for, the attackers are free to wreak havoc (e.g., theft, business disruption, etc.).

Explore what you can do during each step to manage your privileged identities and secure your business.
STEP 1: Preventing Unauthorized Access

[Figure: kill-chain diagram, repeated from the previous section.]

If you can prevent an unauthorized user, insider or outsider, from gaining access to the system in the first place, you can stop an attack before it even starts. Strong authentication is the best way to secure credentials at this step. To achieve strong authentication, you must ensure that:

- All credentials run through the same privileged identity management system
- The privileged identity system integrates with existing identity stores, such as Active Directory or LDAP directories
- Multi-factor authentication is employed in some fashion (e.g., soft smartphone tokens, physical key cards, etc.)
- Login restrictions are used based on where and when users require access (e.g., IP address or time of day)
- Credentials are protected in an encrypted data store and rotated periodically
STEP 2: Limiting Privilege Escalation, Investigation and Lateral Movement

[Figure: kill-chain diagram, repeated from the previous section.]

In many networks, it's common for users to have access to more resources than they actually need across the entire network, which means attackers can cause maximum damage quickly, and benign users can even cause problems inadvertently. This is why granular access controls are so important. To prevent unauthorized access, you need to ensure that:

- A zero trust policy forces users to be authenticated before granting access to only the systems they need to do their jobs
- Role-based access controls and single sign-on capabilities work in concert to define and present permissions to users as they log in
- Policies are enforced via command filters and blacklists and whitelists that enable precise control over what users can and cannot do on a system
- Attempts by users to move laterally to unauthorized systems are proactively shut down
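As an added example (not CA's code and not part of the original brochure), the following Python policy gate shows how the Step 1 and Step 2 checks fit together: a login is admitted only if MFA was completed, the source address is on the role's allowed networks, the time falls inside the role's login window and the target host is one the role actually needs; once inside, every command passes a deny list first and then must match an allow list. The role, networks, hours, host names and command patterns are constructed policy data, not values from any product.

```python
"""Toy privileged-access gateway for the Step 1 and Step 2 checks:
strong authentication with login restrictions, then least-privilege
entitlements and command filtering. Constructed example; every policy
value, user and host below is made up."""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress
import re


@dataclass
class Policy:
    role: str
    # Step 1: where and when this role may log in (assumed policy values).
    allowed_networks: list
    login_window: tuple            # (start, end) local time, inclusive
    require_mfa: bool
    # Step 2: the only systems and commands this role needs for its job.
    systems: set
    command_allow: list = field(default_factory=list)  # regexes, checked after deny
    command_deny: list = field(default_factory=list)   # regexes, always win


POLICIES = {
    "db-admin": Policy(
        role="db-admin",
        allowed_networks=[ipaddress.ip_network("10.20.0.0/16")],   # assumed admin VLAN
        login_window=(time(7, 0), time(19, 0)),
        require_mfa=True,
        systems={"db01", "db02"},
        command_allow=[r"^(psql|pg_dump|systemctl (status|restart) postgresql)\b"],
        command_deny=[r"\brm\s+-rf\b", r"\bdd\s", r"\bcurl\b.*\|\s*(ba)?sh"],
    ),
}


@dataclass
class LoginRequest:
    user: str
    role: str
    source_ip: str
    when: datetime
    mfa_verified: bool
    target: str


def check_login(req: LoginRequest) -> tuple:
    """Step 1 plus zero-trust entitlement. Returns (allowed, reason)."""
    policy = POLICIES.get(req.role)
    if policy is None:
        return False, "unknown role"
    if policy.require_mfa and not req.mfa_verified:
        return False, "mfa required"
    src = ipaddress.ip_address(req.source_ip)
    if not any(src in net for net in policy.allowed_networks):
        return False, f"source {req.source_ip} not in allowed networks"
    start, end = policy.login_window
    if not (start <= req.when.time() <= end):
        return False, "outside login window"
    if req.target not in policy.systems:
        # The role has no business on this host: treat as lateral movement.
        return False, f"role {req.role} not entitled to {req.target}"
    return True, "ok"


def check_command(role: str, command: str) -> tuple:
    """Step 2 command filter: the deny list wins, then the allow list must match."""
    policy = POLICIES.get(role)
    if policy is None:
        return False, "unknown role"
    for pattern in policy.command_deny:
        if re.search(pattern, command):
            return False, f"denied by {pattern!r}"
    for pattern in policy.command_allow:
        if re.search(pattern, command):
            return True, "allowed"
    return False, "not on allow list"


if __name__ == "__main__":
    req = LoginRequest("alice", "db-admin", "10.20.5.7",
                       datetime(2015, 10, 8, 9, 30), True, "db01")
    print("login:", check_login(req))
    for cmd in ("psql -h db01 -c 'select 1'", "rm -rf /var/lib/postgresql", "cat /etc/shadow"):
        print(f"{cmd!r}:", check_command("db-admin", cmd))
```

Ordering matters in the command filter: the deny list is evaluated before the allow list so that a broad allow pattern cannot be used to smuggle a forbidden command through, and anything matching neither list is refused by default.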
STEP 3: Monitoring, Recording and Auditing Activity

[Figure: kill-chain diagram, repeated from the previous section.]

Whether it's a trusted insider who wandered into the wrong area or an attacker with malicious intent, there's a good likelihood that users will gain access they shouldn't have at some point. The challenge, then, is to improve visibility and forensics around user activity within sensitive systems. To deter violations at this late stage of the kill chain, you need to ensure that:

- User sessions are continuously monitored, logged and recorded, so they can be played back in DVR-like fashion
- All session activity, graphical and text-based, plus metadata such as when sessions began and any attempted policy violations, is recorded
- All privileged account activity is attributed to a specific user, to avoid the muddling that can happen with shared accounts
- Analytics capabilities include the ability to proactively detect inappropriate behavior by integrating privileged user activity with existing SIEM data
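To make the last two points concrete, here is an added Python example (not CA's code and not from the original brochure) that reads constructed session-log lines of the kind a privileged-access gateway could emit, attributes activity on a shared account such as root back to the named user who checked it out, and runs two simple detections over it: logins outside business hours and repeated denied commands within one session. The log format, the sample lines, the business-hours window and the denial threshold are all assumptions for the example.

```python
"""Attribute shared-account session activity to named users and run simple
detection over it, as described in Step 3. Constructed example: the log
format and the sample lines below are made up, not output of any real product."""
from collections import defaultdict
from datetime import datetime, time
import json
import shlex

# Constructed sample log: each line carries the session id, the named user who
# checked out the shared account, the target host and every command decision.
SAMPLE_LOG = """\
2015-10-08T09:31:02Z session=S101 user=alice account=root target=db01 event=login src=10.20.5.7
2015-10-08T09:31:40Z session=S101 user=alice account=root target=db01 event=cmd status=allowed cmd="psql -c 'select 1'"
2015-10-08T09:40:12Z session=S101 user=alice account=root target=db01 event=logout
2015-10-08T02:12:11Z session=S102 user=bob account=root target=db01 event=login src=10.20.9.3
2015-10-08T02:12:30Z session=S102 user=bob account=root target=db01 event=cmd status=denied cmd="cat /etc/shadow"
2015-10-08T02:13:05Z session=S102 user=bob account=root target=db01 event=cmd status=denied cmd="scp dump.sql 203.0.113.9:"
2015-10-08T02:13:20Z session=S102 user=bob account=root target=db01 event=logout
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window, UTC
DENIED_THRESHOLD = 2                         # assumed: alert at this many denials per session


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict; quoted values may contain spaces."""
    ts, *pairs = shlex.split(line)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def who_used(events: list, account: str) -> dict:
    """Attribution: map each named user to the sessions they ran on a shared account."""
    users = defaultdict(set)
    for ev in events:
        if ev.get("account") == account and ev.get("event") == "login":
            users[ev["user"]].add(ev["session"])
    return dict(users)


def detect(events: list) -> list:
    """Return alerts keyed to the named user, shaped for forwarding to a SIEM."""
    alerts = []
    denied = defaultdict(list)
    for ev in events:
        if ev.get("event") == "login":
            start, end = BUSINESS_HOURS
            if not (start <= ev["ts"].time() <= end):
                alerts.append({"rule": "off_hours_login", "user": ev["user"],
                               "session": ev["session"], "account": ev["account"],
                               "target": ev["target"], "ts": ev["ts"].isoformat()})
        if ev.get("event") == "cmd" and ev.get("status") == "denied":
            denied[(ev["session"], ev["user"])].append(ev["cmd"])
    for (session, user), cmds in denied.items():
        if len(cmds) >= DENIED_THRESHOLD:
            alerts.append({"rule": "repeated_denied_commands", "user": user,
                           "session": session, "count": len(cmds), "commands": cmds})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("root used by:", {u: sorted(s) for u, s in who_used(evs, "root").items()})
    for alert in detect(evs):
        print(json.dumps(alert))  # one JSON object per line, easy to ship to a SIEM
```

Because every line names the individual user as well as the shared account, the alerts point at bob rather than at root, which is exactly the attribution the text asks for; the JSON output is the form a SIEM correlation rule can consume alongside its other sources.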
About the Solution from CA Technologies

CA Privileged Access Manager is a simple-to-deploy, automated, proven solution for privileged access management delivered in a single appliance, protecting physical, virtual and cloud environments. Available as a rack-mounted, hardened hardware appliance, an Open Virtualization Format (OVF) Virtual Appliance or an Amazon Machine Instance (AMI), CA Privileged Access Manager enhances security by protecting sensitive administrative credentials, such as root and administrator passwords, controlling privileged user access, proactively enforcing policies, and monitoring and recording privileged user activity across all IT resources. Key features include:

- Privileged Access Control for IT Resources: Unify privileged user policies across physical data center assets, virtual infrastructure, public cloud and hybrid environments.
- Comprehensive Monitoring, Alerting and Recording: Log events, generate alerts and warnings, or even terminate sessions. Capture continuous, tamper-evident logging and video recording of administrative sessions.
- Protection for Hybrid-Cloud Consoles: Provide privileged users access only to authorized hybrid-cloud infrastructure, with all activity fully monitored and recorded.
- Positive Privileged User Authentication: Leverage existing IAM infrastructure through integration with Active Directory, LDAP-compliant directories, RADIUS, TACACS+, smartcards, hardware tokens and more.
- Fast Time to Protection: Quickly deploy CA Privileged Access Manager as a hardened device or a virtual machine, protecting your enterprise resources with one scalable, agentless solution.
Are You Doing Enough to Protect Your Business During Cybercrime's Current Boom?

CA Privileged Access Manager can help you answer that question with a confident yes. Learn how at ca.com/privileged-access

CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com.

Copyright 2015 CA, Inc. All rights reserved. All marks used herein may belong to their respective companies. This document does not contain any warranties and is provided for informational purposes only. Any functionality descriptions may be unique to the customers depicted herein and actual product performance may vary. CS200-170091