Privilege Security & Next-Generation Technology
Morey J. Haber, Chief Technology Officer
mhaber@beyondtrust.com
Agenda
The Next-Gen Threat Landscape
o Infonomics, Breaches & the Attack Chain
o Securing Cloud, DevOps & IoT
o Privilege Security Threats
PAM & Privilege Security Maturity
o Privileged Access Management
o Privilege Security Maturity Model
How BeyondTrust Helps
The Next-Gen Threat Landscape
Infonomics
"Infonomics is the theory, study, and discipline of asserting economic significance to information. It provides the framework for businesses to monetize, manage, and measure information as an actual asset. Infonomics endeavors to apply both economic and asset management principles and practices to the valuation, handling, and deployment of information assets."
- Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage, by Douglas B. Laney
Notable Breaches
o Credentials hacked: 80% of security breaches involve privileged credentials (Forrester Wave: Privileged Identity Management, Q3 2016)
o Unpatched software exploited, amplified by excessive privileges: 95% of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights (2018 Microsoft Vulnerabilities Report)
o Credentials stolen: 28% of breaches involve insiders, and growing (2018 Verizon Data Breach Investigations Report)
The Cyber Attack Chain
1. Perimeter Exploitation: the attacker exploits asset vulnerabilities to gain entry (weakness: Vulnerable Systems)
2. Privilege Hijacking & Escalation: the attacker hijacks privileges or leverages stolen/cracked passwords (weakness: Unmanaged Credentials and Excessive Privileges)
3. Lateral Movement & Exfiltration: the attacker compromises other network resources (weakness: Limited Visibility)
The New Enterprise
More people, processes and technology have access to your systems and data than ever before.
Expanding Accounts
o Internal Employees
o Remote Employees
o Partners & Contractors
o DevOps / A2A / A2DB
o Cloud & IoT
Evolving Infrastructure (mainstream adoption)
o Client-Server
o WWW
o Mobile
o DevOps 60%
o IoT 56%
o Cloud 15%
Attack Surface Evolution
On-Premise
o Shared Administrator Accounts
o Desktops (Windows, Mac)
o Servers (Unix, Linux, Windows)
o Industrial Control Systems
o Security Infrastructure
o Network Infrastructure
o Applications & Application Servers
o Databases & Database Servers
o Machine Credentials (A to A)
o Hypervisors & Virtual Machines
o More
Cloud & Hybrid Cloud
o Cloud Management Platforms (AWS, Azure)
o Virtualized Environments (VMware, MSFT)
o Virtualized Machines (UNIX, Linux, Windows)
o SaaS Apps (Facebook, LinkedIn, Custom)
Internet of Things
o Roaming workstations
o BYOD
o Cameras
o Sensors
o Printers
o More
DevOps
o DevOps Tools
o Dynamic Virtual Environments
o Containers
o Microservices
o More
Privileged Accounts
o SaaS Admins
o Cloud Admins
o Application Admins
o Privileged End Users
o Developers
o Machine Passwords & Keys
Cloud
Secure Cloud Enablement
Secure cloud enablement requires a multidisciplinary strategy!
o RESTRICT PRIVILEGES: Privilege Management
o DISCOVER & INVENTORY: Asset Management
o SCAN FOR VULNERABILITIES: Vulnerability Management
o SEGMENT NETWORKS: Network Design
o ENSURE CONFIGURATION COMPLIANCE: Hardening and Best Practices
o ENFORCE APPROPRIATE CREDENTIAL USAGE: Least Privilege Management
o ELIMINATE HARD-CODED PASSWORDS: A2A Security
o GAIN ACCOUNTABILITY OVER SHARED ACCOUNTS: Password Management
Secure Cloud Transformation
Three directions: in the cloud, from the cloud, into the cloud.
The New Cloud Perimeter
o Cloud Management Platforms
o Shared Administrator Accounts
o Servers (Unix, Linux, Windows)
o Applications & Application Servers
o Databases & Database Servers
o Machine Credentials (A to A)
o Security & Network Infrastructure
o Hypervisors & Virtual Machines
o SaaS Applications
o DevOps Environments
o Containers & Microservices
o IoT Devices
o Virtual Machines, Dedicated Hardware
o Marketplace Applications
o IaaS, PaaS & SaaS
Privilege Management for the Cloud
o Cloud-agnostic: private, public and hybrid environments
o License flexibility
o Asset inventory integration
o Docker and container aware
o Discover online & offline instances
o Leverage hypervisor APIs
o Agent technologies
o Respects OS and application hardening
o Fully automated for passwords & API
o Auditing, reporting and change-aware
o Proxy access
o Session management
o Regulatory compliance
DevOps
DevOps Security Strategy
Secure DevOps
o RESTRICT PRIVILEGES: Privilege Management
o DISCOVER & INVENTORY: Asset Management
o ELIMINATE HARD-CODED PASSWORDS: A2A Security
o GAIN ACCOUNTABILITY OVER SHARED ACCOUNTS: Password Management
o SEGMENT NETWORKS: Network Design
o ENFORCE APPROPRIATE CREDENTIAL USAGE: Least Privilege Management
o SCAN FOR VULNERABILITIES: Vulnerability Management
o ENSURE CONFIGURATION COMPLIANCE: Hardening and Security Best Practices
Privilege Automation for DevOps
o Only allow approved assets; identify unacceptable variations
o Identify security risks and automatically remediate them
o Ensure configuration hardening
o Eliminate all locations for hard-coded credentials
o Platform-agnostic, from cloud to on-premise
o Limit all users, including privileged access, in the DevOps automated workflow
o Provide security and performance visibility to ensure security and automation success
IoT / IIoT
Privilege Management for IoT, IIoT, ICS, SCADA
Principles: Internet communications with restricted lateral movement; privileged access segmentation
Zones
o Public
o Private
o Air-Gapped
Segments
o Users
o Servers
o DMZ
o Guest
o Dumb Devices
Device Type & Risk
o IoT
o IIoT
o ICS
o SCADA
The Privileged IoT Perspective
o IoT asset and inventory management
o Risk assessment with vulnerability management
o Password management and privileged session access
o Command line least privilege management
o Policy and script repository
Privilege Security Threats
Privilege Security Threats
Threat categories: Insider Threats, External Threats, Hidden Threats
o Guessing
o Dictionary attacks
o Brute force
o Pass the Hash
o Security questions
o Password resets
o Vulnerabilities
o Misconfigurations
o Exploits
o Malware
o Social engineering
o MFA flaws
o Default credentials
o Anonymous credentials
o Predictable credentials
o Shared credentials
o Temporary credentials
o Reused credentials
Accountability for Privileges
o Privileged account discovery
o Develop a permissions model
o Rotate passwords and keys
o Workflow process and auditing
o Define session monitoring
o Segmentation
o User behavior analysis
Privileged Access Management & Privilege Security Maturity
Privileged Access Management
o ENTERPRISE PASSWORD MANAGEMENT: provides an integrated approach to enterprise password management
o PRIVILEGE MANAGEMENT: enforces least privilege on all endpoints without compromising productivity or security
o ACTIVE DIRECTORY BRIDGING: ensures administrator and root compliance on Unix, Linux, Windows and Mac
o USER BEHAVIOR MONITORING: identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
o SESSION MANAGEMENT
o ADVANCED REPORTING & ANALYTICS: achieves unified visibility over accounts, applications, and the assets that they protect
Maturity: The Journey to Privilege-Centric Security (over time)
Stage 1: IDENTIFY & INVENTORY
o Asset discovery & vulnerability scanning
o Account discovery
Stage 2: IMPROVE ACCOUNTABILITY & CONTROL OVER SHARED CREDENTIALS
o A2A & A2DB
o Password/key storage & rotation
o Session recording & monitoring
o Session management
Stage 3: ELIMINATE EXCESSIVE PRIVILEGES & GAIN GRANULAR COMMAND AND TASK-LEVEL CONTROL
o FIM, VBAM, event log monitoring
o Endpoint least privilege / command elevation & delegation
o FIM, system-level control
o Server least privilege / command elevation & delegation
Across all stages: IT ecosystem integration; new enterprise deployment (cloud, DevOps, network/IoT/ICS/SCADA); unified management, reporting & threat analytics
About BeyondTrust
Privilege-Centric Security for the New Enterprise
Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise.
o Risk-Based: accounts for user & asset risk
o Dynamic: locations, teams, contexts
o Identity-Focused: not network focused
o Centralized & Modular: integrates with best-of-breed solutions
o Future-Ready: built for next-gen IT environments
PowerBroker Privileged Access Management Platform
Deployment: Cloud, Hybrid, On-Premise
Password & Session Management (Infrastructure)
o Gain accountability over shared accounts
o Eliminate hard-coded passwords
o Monitor privileged sessions and user behavior
o Enforce appropriate credential usage
o Secure credentials with Privileged Identity and manage sessions with Privileged Access
Secure Remote Access
o Empower and protect your service desk with the most secure Remote Support software
Privilege Management (Endpoints)
o Eliminate Admin\root rights
o Enforce application & command control
o Efficiently delegate and elevate Windows, Mac, Unix & Linux privileges
o Enforce appropriate use
o Risk-based privilege decisions
Innovation Leader
30+ years of firsts
o 1st fully-integrated PAM and VM platform
o 1st to provide vulnerability insights to inform privilege decisions
o 1st PAM vendor on all major cloud marketplaces
o 1st Unix/Linux, Mac and network device PAM solution
Strong roadmap
o Active threat response
o Context-aware PAM
o SaaS-based PAM platform
o DevOps secrets management
Patented technology
o 7 patents granted
o 10 pending
PAM Industry Leader
o Leader: Forrester PIM Wave, 2016
o Leader: Gartner Market Guide for PAM, 2017
[Table 1. PASM Vendors and Their Key Capabilities]
Morey J. Haber
o 20+ years of security experience
o Articles on Secure World, Dark Reading, CSO Online, etc.
o Author of Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations, and Asset Attack Vectors (covering Vulnerability Management), both available from Apress Media
Questions?
Morey J. Haber, Chief Technology Officer
mhaber@beyondtrust.com