TECH BRIEF: How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security

Contents
- Introduction
- Achieving CSIP Objectives
  - Steps to improve protection
    - Discovery
    - Layered Defense Supports Least Privilege
    - Provide Context to Vulnerabilities
  - Detect
    - Central management
  - Recovery
    - Session monitoring and recording
- The BeyondTrust IT Risk Management Platform for Federal Agencies
  - Privileged Access Management
  - Vulnerability Management
- About BeyondTrust
Introduction

Whether the goal is to compromise sensitive government data, steal personally identifiable information or disrupt normal operations, the sophistication of attacks is making it more difficult to safeguard the Federal government's critical cyber infrastructure. Large-scale information breaches like those we see in the news often begin with an attacker exploiting a single external vulnerability on a low-level system, or using contractor credentials, then capitalizing on privileges to gain access to critical systems and data. What can government agencies do to protect their environments from this constant threat?

In June 2015 the Federal CIO initiated a 30-day Cybersecurity Sprint to accelerate the adoption of several key countermeasures. The results of that sprint informed the development of the Cybersecurity Strategy and Implementation Plan (CSIP), which incorporates ongoing progress reporting and corrective actions. It also emphasizes government-wide adherence to NIST standards and FISMA metrics. The CSIP lays the groundwork for strengthening cybersecurity in Federal civilian agencies through five objectives [1]:

1. Prioritized Identification and Protection of high value information and assets;
2. Timely Detection of and Rapid Response to Cyber Incidents;
3. Rapid Recovery from incidents when they occur and Accelerated Adoption of lessons learned from the Sprint assessment;
4. Recruitment and Retention of the most highly-qualified Cybersecurity Workforce talent the Federal Government can bring to bear; and
5. Efficient and Effective Acquisition and Deployment of Existing and Emerging Technology.

For the purpose of this brief, we will explore the Protection, Detection, and Recovery objectives.
Achieving CSIP Objectives

Protection

Privileged user accounts are a known target for malicious actors [2]. Because of the powerful role privileged accounts play in access to critical infrastructure and sensitive information, they are at the center of many of the NIST standards and CSIP elements. There are a number of best practices that can be employed to protect these valuable assets:

- Reducing the attack surface
- Minimizing the use of administrative privileges
- Utilizing Strong Authentication Credentials (PIV)
- Ensuring repeatable processes and procedures
- Mitigating Vulnerabilities

STEPS TO IMPROVE PROTECTION

Discovery

Understanding your environment and knowing where your assets are is the first step to reducing the attack surface. With the complexity of today's Federal information systems this can be a daunting task for agency IT teams. Relieve the burden and increase accuracy by deploying a solution that automatically discovers network, web, mobile, cloud and virtual infrastructure, then profiles asset configuration and assesses risk potential. This zero-gap coverage ensures that no assets are left unprotected.

Layered Defense Supports Least Privilege

In a recent benchmarking study, 56% of government respondents reported that they have no way of managing privileged credentials, and that 20% of users likely had more privilege than they need [3]. To secure privileged accounts and reduce the impact should a breach occur, agencies can apply a layered defensive approach that supports least privilege by granting privileges to applications and tasks, not users. This protects administrator credentials and gives IT professionals the control needed to close possible security gaps without impacting efficiency.

Utilizing Strong Authentication Credentials (PIV) is an important part of a layered defense. To achieve optimal security, utilize solutions that support public key infrastructure integration with tools that control and audit access to privileged accounts, including shared administrative accounts, application accounts, local administrative accounts, service accounts, database accounts, cloud and social media accounts, devices and SSH keys. PKI integration with solutions that address control over root account privileges in Unix and Linux environments further reduces risk and addresses compliance concerns.

[1] M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015.
[2] M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015.
[3] BeyondTrust 2016 Privileged Benchmarking Study.
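To make concrete what "granting privileges to applications and tasks, not users" means in practice, here is an added illustration; it is not BeyondTrust code and does not use PowerBroker policy syntax. It models privilege as a set of named tasks, each bound to one program and a fixed argument shape, grants users tasks rather than an administrative role, denies by default, and contrasts the outcome with a standing admin-group model in which the command is never examined. The task names, user names, program paths and grants are all constructed for the example.

```python
"""Task-scoped privilege policy: an added illustration, not BeyondTrust or
PowerBroker policy syntax. Every name, path and grant below is constructed."""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    """One bounded job: a single program plus the exact argument shape it may take."""
    name: str
    program: str          # absolute path of the only program this task may run
    arg_patterns: tuple   # one regex per positional argument, matched in full
    run_as: str = "root"  # identity the program executes under


# The privilege inventory. Privilege lives here, attached to tasks, not to people.
TASKS = {
    "restart-web": Task("restart-web", "/bin/systemctl", (r"restart|status", r"httpd")),
    "read-auth-log": Task("read-auth-log", "/usr/bin/tail", (r"-n", r"[0-9]{1,4}", r"/var/log/secure")),
    "rotate-app-logs": Task("rotate-app-logs", "/usr/sbin/logrotate", (r"/etc/logrotate\.d/app",)),
}

# Users are granted tasks. A contractor receives exactly the task the engagement needs.
GRANTS = {
    "alice": frozenset({"restart-web", "read-auth-log"}),
    "bob_contractor": frozenset({"read-auth-log"}),
}

# The model the brief argues against: standing membership in an admin group,
# where the command itself is never examined.
ADMIN_GROUP = frozenset({"alice", "bob_contractor"})


def evaluate_standing_admin(user, command_line):
    """Group-based model: membership alone decides, whatever the command is."""
    return user in ADMIN_GROUP


def evaluate_task_scoped(user, command_line):
    """Task-based model: allow only if a granted task matches the program and every
    argument; anything else is denied. Returns (allowed, task name or reason)."""
    argv = shlex.split(command_line)
    if not argv:
        return False, "empty command"
    for task_name in sorted(GRANTS.get(user, frozenset())):
        task = TASKS[task_name]
        args = argv[1:]
        if argv[0] != task.program or len(args) != len(task.arg_patterns):
            continue
        if all(re.fullmatch(p, a) for p, a in zip(task.arg_patterns, args)):
            return True, task_name
    return False, "no granted task covers this command"


def audit_line(user, command_line):
    """One record per decision, so every elevation (or refusal) is attributable."""
    allowed, detail = evaluate_task_scoped(user, command_line)
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={user} cmd={command_line!r} detail={detail}"


if __name__ == "__main__":
    requests = [
        ("alice", "/bin/systemctl restart httpd"),
        ("alice", "/bin/systemctl stop sshd"),
        ("bob_contractor", "/usr/bin/tail -n 100 /var/log/secure"),
        ("bob_contractor", "/usr/bin/tail -n 100 /etc/sudoers"),
        ("bob_contractor", "/bin/systemctl restart httpd"),
        ("mallory", "/bin/systemctl restart httpd"),
    ]
    for user, cmd in requests:
        print(audit_line(user, cmd),
              "| standing-admin model:", "ALLOW" if evaluate_standing_admin(user, cmd) else "DENY")
```

The contrast is the point: under the admin-group model the contractor's `tail` of an unrelated file and the unrelated `systemctl` call both succeed because group membership is the only check, whereas the task model refuses them because no granted task covers that program with those arguments, and every decision leaves an audit record naming the task that justified it.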
Provide Context to Vulnerabilities

99% of exploited vulnerabilities occurred more than a year after the vulnerability was identified and published [4].

When mitigating vulnerabilities, security professionals are often saddled with volumes of rigid data and static reports. They are left to manually discern real threats and determine how to act upon them. It becomes extraordinarily difficult to deliver risk information in a context that supports decision making towards appropriate action. What's needed is a consistent, repeatable, automated process to arm these teams with the information required to best protect their organizations, achieve compliance and communicate risk enterprise-wide. They need a solution that helps put vulnerability and risk information in the context of the agency mission.

To solve this, it is recommended that agencies utilize a solution that delivers reporting and analytics for stakeholders throughout the organization, enabling immediate action and speeding time to resolution. Ideally the solution should cover all device types across the organization, reducing the risks from gaps. Addressing every phase of vulnerability management, from assessment to remediation, eliminates the need for multiple tools. Automatically identifying and rectifying vulnerabilities across the entire network enables efficiencies that quickly secure an agency's environment.

BeyondTrust's privileged access management solutions reduce the risk of privilege misuse and manage access control to assets. Regardless of whether the asset is physical or virtual, a Microsoft Windows desktop or server, an Apple OS X system, or a Unix or Linux server, our solutions provide password management for local and cloud resources. BeyondTrust solutions can also assist organizations with implementing least privilege access on any desktop or server platform (Unix & Linux, Mac, or Windows).

[4] 2016 Verizon Data Breach Investigations Report.

Detect

Federal agencies have made great strides in sharing and receiving cyber threat information, which supports defense against breaches before they happen. But information sharing alone is not enough to defend against the barrage of attacks agencies experience each day. Government organizations need an automated solution that sets a baseline for normal behavior, observes changes and alerts on possible anomalies that signal a threat. This leads to earlier detection should an internal or external threat gain access to a system.

The PowerBroker Privileged Access Management platform combines behavioral analytics, vulnerability and malware intelligence, and security data from best-of-breed security solutions to allow you to out-maneuver attackers and stop data breaches. PowerBroker leverages BeyondInsight Threat & Vulnerability Intelligence + Behavioral Analytics capabilities to:

- Aggregate user and asset data to baseline and track behavior
- Correlate asset, user and threat activity to reveal critical risks
- Identify potential malware threats buried in asset activity data
- Increase the ROI of your existing security solutions
- Generate reports to inform and align security decisions

CENTRAL MANAGEMENT

When adopting a solution for identifying activity that is outside of the norm, or detecting possible breaches, it should provide centralized management of all privileged and vulnerability data in a single platform. To be truly effective it will also provide robust advanced threat analytics capabilities. In both the CSIP and the NIST Cybersecurity Framework it has been made clear that detection alone is not enough. Agency teams must be armed with the information and tools to take action should a cybersecurity event be detected.

The combined capabilities outlined above enable IT and security professionals to act on threats typically missed by many security analytics solutions. The right tool pinpoints specific, high-risk users and assets by correlating low-level privilege, vulnerability and threat data from a variety of security solutions and malware databases. Utilizing the right technology solutions supports added efficiency for agency IT security professionals, and reduces the time it takes to detect a problem.
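As an added illustration of the baseline-then-alert approach described in the Detect section (this is not BeyondTrust or PowerBroker code), the following builds a per-user behavioral baseline from a training window of privileged-session records and reports every later record that departs from it, attaching the who, what, where and when that the Recovery section's session-recording guidance relies on. The record format, user names, hosts, commands and timestamps are all constructed for the example; a real deployment would feed it from the session-recording or authentication logs it already collects.

```python
"""Baseline-and-deviation detection over privileged-session records.
Added illustration: the log format and every value in it are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed record format: one privileged session start per line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) '
    r'user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Training window: what "normal" looked like for each account (constructed).
BASELINE_LOG = """\
2016-05-02T09:14:02 user=alice src=ws-17 host=web01 cmd="systemctl restart httpd"
2016-05-02T16:40:11 user=alice src=ws-17 host=web02 cmd="tail -n 200 /var/log/httpd/error_log"
2016-05-03T10:05:37 user=alice src=ws-17 host=web01 cmd="systemctl status httpd"
2016-05-04T14:22:49 user=alice src=ws-17 host=web02 cmd="systemctl restart httpd"
2016-05-05T11:30:00 user=alice src=ws-17 host=web01 cmd="tail -n 50 /var/log/httpd/access_log"
2016-05-02T10:00:15 user=bob_contractor src=vpn-03 host=log01 cmd="tail -n 100 /var/log/secure"
2016-05-03T13:45:20 user=bob_contractor src=vpn-03 host=log01 cmd="tail -n 100 /var/log/secure"
2016-05-05T15:10:08 user=bob_contractor src=vpn-03 host=log01 cmd="grep sshd /var/log/secure"
"""

# Later activity to score against that baseline (constructed).
NEW_LOG = """\
2016-05-09T10:02:44 user=alice src=ws-17 host=web01 cmd="systemctl restart httpd"
2016-05-10T03:12:09 user=alice src=ws-41 host=db01 cmd="cat /etc/sudoers"
2016-05-10T11:00:31 user=bob_contractor src=vpn-03 host=log01 cmd="tail -n 100 /var/log/secure"
2016-05-10T22:48:17 user=bob_contractor src=vpn-03 host=db01 cmd="tar czf /tmp/export.tgz /var/lib/pgsql"
2016-05-11T09:30:00 user=svc_deploy src=ci-01 host=web01 cmd="systemctl restart httpd"
"""


def parse(text):
    """Turn log text into event dicts; malformed lines are skipped, never guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["when"] = datetime.strptime(e.pop("ts"), "%Y-%m-%dT%H:%M:%S")
        e["program"] = e["cmd"].split()[0] if e["cmd"] else ""
        events.append(e)
    return events


def build_baseline(events):
    """Per user: the hosts reached, sources used, programs run and hours of activity."""
    base = defaultdict(lambda: {"hosts": set(), "srcs": set(), "programs": set(), "hours": set()})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["srcs"].add(e["src"])
        b["programs"].add(e["program"])
        b["hours"].add(e["when"].hour)
    return dict(base)


def deviations(event, baseline):
    """List every way this event departs from the user's baseline (empty = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]   # an account never seen elevating before
    reasons = []
    if event["host"] not in b["hosts"]:
        reasons.append(f"new target host {event['host']}")
    if event["src"] not in b["srcs"]:
        reasons.append(f"new source {event['src']}")
    if event["program"] not in b["programs"]:
        reasons.append(f"new program {event['program']}")
    lo, hi = min(b["hours"]) - 1, max(b["hours"]) + 1   # one hour of slack each side
    if not lo <= event["when"].hour <= hi:
        reasons.append(f"outside usual hours ({lo:02d}-{hi:02d})")
    return reasons


def detect(baseline_text, new_text):
    """Score new records against the baseline; each alert carries who/what/where/when/why."""
    baseline = build_baseline(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        reasons = deviations(e, baseline)
        if reasons:
            alerts.append({
                "who": e["user"],
                "when": e["when"].isoformat(),
                "where": f"{e['src']} -> {e['host']}",
                "what": e["cmd"],
                "why": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Routine activity that matches the baseline produces nothing; the three alerts are the off-hours session from a new workstation to a database host, the contractor reaching a host and program outside the engagement's pattern, and a service account with no history of elevating at all. Each alert is already in the who/what/where/when shape an incident responder needs to decide what to roll back, which is the hand-off from detection to recovery that the brief describes.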
Recovery

The CSIP defines recovery as "the development and implementation of plans, processes and procedures for recovery and full restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event" [5]. Following guidelines established by NIST in SP 800-53, the Incident Response control addresses how an organization should detect, prioritize, remediate and communicate any events that constitute a threat or breach to its information systems. In the event your organization experiences an incident, agency IT professionals need to recover quickly and efficiently. CSIP guidance aligns directly with the Recover function of the NIST Cybersecurity Framework core. When choosing a solution for your agency, you want information identified and delivered in a consumable way. To be highly successful in getting ahead of a possible breach, arm your teams with threat analytics that alert to possible trouble.

SESSION MONITORING AND RECORDING

To quickly and efficiently recover, depend on referenced keystroke logging and DVR-style recording of all activity performed in a Unix or Linux environment to understand exactly what took place through the use of a compromised credential. Know the who, what, where and when of changes so a rollback and restore can be executed for any accidental or malicious changes or deletions to Active Directory or Group Policy. Finally, establish a system that can provide robust, customizable reporting to every level of the organization to be FISMA compliant and keep all stakeholders accurately informed.

It is certain that today's Federal information environment is highly complex. Government IT professionals are in the trenches developing policies and procedures to secure their systems and be nimble enough to get ahead of the next threat. It is clear that having the right tools can make the difference between thwarting the next incident and reporting on one.

[5] M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government, October 30, 2015.

The BeyondTrust IT Risk Management Platform for Federal Agencies

As breaches and threat actors continue to refine their methods for penetrating agencies' security perimeters, it is more critical than ever for IT security administrators to have a complete view of their IT landscape and its potential risks. The latest revision to SP 800-53 is further proof that organizations need to take both privileged access and vulnerability management into consideration when implementing new information security systems. The BeyondTrust IT Risk Management Platform helps agencies fulfill NIST requirements through its integrated suite of IT security solutions that reduce user-based risk and address security exposures. The platform provides IT security leaders with a single view of all assets and user activity.
With behavioral analytics to understand anomalies, compliance reporting, and the ability to leverage third-party data, the platform reduces risk while helping to maximize the value of existing security investments. Available in software and hardware appliance formats, the BeyondTrust platform integrates two foundational security methodologies:

PRIVILEGED ACCESS MANAGEMENT

The BeyondTrust PowerBroker Privileged Access Management Platform is a modular, integrated solution that provides control and visibility over all privileged accounts and users. By uniting capabilities that many alternative providers offer as disjointed tools, the PowerBroker platform simplifies deployments, reduces costs, improves system security and reduces privilege risks.
VULNERABILITY MANAGEMENT

BeyondTrust Vulnerability Management solutions provide security professionals with vulnerability assessment and risk analysis in context. With BeyondTrust, IT teams can proactively identify security exposures, analyze business impact, plan and conduct remediation across network, web, mobile, cloud and virtual infrastructures, and communicate that risk to operations and compliance teams to reduce risk.
About BeyondTrust

BeyondTrust is a global cyber security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks. We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Access Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes. BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100 and hundreds of federal government organizations. To learn more about BeyondTrust, please visit www.beyondtrust.com.