Slide 1: Privileged access management for den csa user group, CA Technologies

Privileged Access Management: Breaking the Kill Chain

Tabish Tanzeem, CISSP, Sr. Principal Consultant

November 2016

Slide 2: Agenda
2 © 2015 CA. ALL RIGHTS RESERVED.

• Statistics and incidents
• What are privileged users?
• What is the challenge?
• Top 10 PAM best practices
• Maturity model

Slide 3: Intersecting Forces Yield a Sea Change

• Infrastructure: virtualization/SDDC; public cloud/SaaS
• Threats: cybercrime; cyberespionage
• Security model: de-perimeterization; identity

Slide 4: The Hybrid Enterprise Management Plane

Ongoing infrastructure changes introduce new control points and new risks. Each part of the hybrid enterprise brings its own management interface, and together these form a new management plane:

• Traditional data center (mainframe, Windows, Linux, Unix, networking): enterprise admin tools
• Software-defined data center: SDDC console and APIs
• Public cloud (IaaS): cloud console and APIs
• SaaS applications: SaaS consoles and APIs

Slide 5: Easier Access and Escalating Risks

• Cybercrime
  – Target: 70 million credit cards stolen
  – Home Depot: 56 million credit cards stolen
  – JP Morgan Chase: 76 million account records stolen
• Material impact to operations
  – CodeSpaces: forced out of business
  – Sony Pictures: extensive disruption
  – German steel mill: physical damage
  – Saudi Aramco: physical systems damage and business disruption
• Cyberespionage
  – Anthem: 80 million personal records stolen
  – Forbes.com and an unidentified health insurer: targeted information gathering on individuals (defense contractors, government workers)

Slide 6: Economic Losses Are Staggering

From "Net Losses: Estimating the Global Loss of Cybercrime" (Intel Security, June 2014): "Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of most countries, and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow."

• $400 billion: global losses from cybercrime
• $300 billion: global drug trafficking revenue
• $300 billion: GDP of Singapore
• $3 trillion: global economic impact of cybercrime in 10 years (McKinsey, World Economic Forum)

Slide 7: The Common Thread?

"Stealing and exploiting privileged accounts is a critical success factor for attackers in 100 percent of all advanced attacks, regardless of attack origin." (CyberSheath Security Report, May 2014)

Slide 8: Privileged Account Management Facts

• Privileged accounts exist across every aspect of IT
• Privileged accounts grow in number every day
• Existing models of managing privileged accounts fall short
• Every major breach has involved a privileged account
• Your critically valuable privileged accounts are targets!

Slide 9: Privileged Accounts: The Emerging Front Line

Diagram: hackers and malware/APT reach privileged accounts over the Internet, both on premise and in the public cloud.
• On premise: employees and partners acting as systems, network, database and application admins
• Public cloud: application admins, VMware administrator, AWS administrator, Microsoft Office 365 administrator

Organizations typically have 3-4x more privileged accounts and credentials than employees!

Slide 10: Top 10 List: Best Practices for Privileged Identity Management
© Copyright 2014, Xceedium, Inc. (May 2014)

1. On-boarding/off-boarding process
2. Least privilege everything
3. Strong authentication
4. Separate authentication from access control
5. Protect privileged account credentials
6. Eliminate anonymous activity
7. Implement extra protections for sensitive assets
8. Alert/respond to attempted policy violations
9. Log and record everything
10. Mind the virtualization gap

Slide 11: Best Practice #1: On/Off-Boarding Process

• On-boarding
  – Identity verification and background checks
  – Entitlement management
  – Credential / multi-factor authentication device issuance
  – Approvals and workflow
  – Certification/attestation
• Off-boarding
  – Reliable
  – Timely
  – Complete

Slide 12: Best Practice #2: Least Privilege

• Least privilege everything
  – Least device/system access
  – Least functional access: console, CLI, FTP, API
  – Least command level: drop, telnet, reboot...
• Zero trust model
  – Start with no access
  – Add layers/systems as needed
  – Role-based

Slide 13: Best Practice #3: Strong Authentication

Diagram: integrated user authentication (OTP, smart card) is validated against Active Directory and a CRL/OCSP server; the authenticated user's roles then govern access to network, systems, database, SaaS and IaaS targets through virtual credentials drawn from a password safe.

• Federal government mandate
  – OMB 11-11
  – PPD 21
  – PIV/CAC required for all administrative access
• Commercial: best practice for high-risk environments
• Strong multi-factor authentication
• Password safe

Slide 14: Best Practice #4: Authentication ≠ Authorization

• Old school
  – Perimeter-based
  – Hard, crunchy outside...
  – Authentication was a proxy for authorization
  "Grass huts with steel doors..."
• Separate authentication and authorization
  – Authentication to the privileged identity management system establishes identity, only
  – No intrinsic access to resources
  – Authorization based on roles and responsibilities; enforced by the PIM system

Diagram: the credential safe and enterprise directory sit in front of the protected environment (servers, databases, network, other systems, SaaS/IaaS); the PIM system applies authorization (AuthZ), fine-grained access (FGA) control and command control between the authenticated user and those targets.

Slide 15: Best Practice #5: Protect Credentials

• Privileged credentials and access are implicated in every attack
  – Phishing
  – Credential/privilege misuse
  – Stolen third-party credentials
  – Default passwords
• Control and manage credentials
  – Encrypted storage and use
  – Automated rotation and update
• One-time passwords
  – Eliminate physical access via proxy
  – Supported by backup and "break glass" capabilities

Slide 16: Best Practice #6: Eliminate Anonymous Access

• Shared administrative accounts are endemic across IT
  – Administrative convenience
  – Technology constraints (root, admin...)
• Enables anonymous, unattributed access
  – Easy to hide malicious activity
  – Complicates troubleshooting and forensic examination
  – Compliance/audit violations
• Map individual user activity and access to shared accounts in logs and recordings
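One way to do the mapping this slide and the credential-control points of the previous slide call for, as an added illustration that is not code from the deck or the CA/Xceedium product: the vault's checkout ledger says which individual held a shared credential on which host and when, so host log events for that account are attributed to that person, and any event outside every checkout window is flagged for the SIEM/SOC. The ledger, host names and log lines are constructed.

```python
"""Attribute shared-account activity to the individual who checked it out.
Added illustration, not code from the CA/Xceedium deck: ledger, hosts and log
lines are constructed. Use outside any checkout window is unattributed."""
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Checkout:
    user: str        # individual who checked the shared credential out
    account: str     # shared account, e.g. root
    host: str
    start: datetime  # checkout time
    end: datetime    # check-in time; the vault rotates the password here

# Constructed checkout ledger as the credential safe would record it
LEDGER = [
    Checkout("alice", "root", "db01", datetime(2016, 11, 7, 9, 0), datetime(2016, 11, 7, 9, 30)),
    Checkout("bob", "root", "db01", datetime(2016, 11, 7, 14, 0), datetime(2016, 11, 7, 14, 15)),
]

# Constructed host log lines: timestamp, host, account, command
LOG_LINES = """\
2016-11-07T09:05:12 db01 root CMD: systemctl restart postgresql
2016-11-07T14:03:40 db01 root CMD: cat /etc/shadow
2016-11-07T22:47:01 db01 root CMD: useradd svc_backup
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) CMD: (.*)$")

def parse_line(line):
    """Parse one log line into (timestamp, host, account, command) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, account, cmd = m.groups()
    return datetime.fromisoformat(ts), host, account, cmd

def attribute(log_text, ledger):
    """Map each log event to the user holding the checkout; None if nobody did."""
    results = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, account, cmd = parsed
        user = next((c.user for c in ledger if c.account == account
                     and c.host == host and c.start <= ts <= c.end), None)
        results.append((ts, host, account, cmd, user))
    return results

def unattributed_alerts(results):
    """Shared-account events with no matching checkout: forward these to the SIEM/SOC."""
    return [r for r in results if r[4] is None]
```

Because the password is rotated at check-in, an unattributed event means the credential was used without going through the vault, which is exactly the case worth alerting on.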

Slide 17: Best Practice #7: Extra Protections

• Cloud environments
  – Operational risks
  – Financial risks
  – Security risks
• Defense in depth
  – Strengthen the legacy user ID and password mechanism
  – Key management
  – Implement multi-factor authentication, biometrics
  – Additional monitoring and audit of privileged user sessions, with publication of results
  – HSM for key protection: physical or virtual options

Slide 18: Best Practice #8: Alert/Block Policy Violations

• Alerts
  – Warnings and reminders to individuals
  – Events to SIEM/SOC
• Proactive controls
  – Enforced white/black lists
  – Enforced limits on permissions and rights
  – Interception of prohibited commands
  – Session termination
  – Account suspension

Slide 19: Best Practice #9: Log & Record Everything

CERT Insider Threat Center: "In more than 70% of the IP theft cases, insiders stole information within 30 days of announcing their resignation."

• RDP/graphical sessions
• Shell/CLI sessions
• API access
• Logging/SIEM/SOC
• Highlight attempted policy/access control violations
• Publish audit results

Slide 20: Best Practice #10: Mind the API Gap

• API-based access is a growing basis for DevOps
• Rebuild/replace rather than re-configure
• Management APIs offer powerful capabilities, but:
  – Shared keys/credentials
  – Limited attribution
  – Limited logging and recording
  – All the access control issues of traditional user accounts
• Requires dedicated capabilities for controlling, monitoring and recording access, and for credential protection

Slide 21: Privilege: Core of the Breach Kill Chain

Diagram: an external threat actor crossing the network perimeter, or a trusted insider already inside it, follows the same chain: gain/expand access; lateral movement and reconnaissance; elevate privilege; wreak havoc; C&C and data/IP exfiltration.

Weaknesses that let the chain run:
• Weak authentication / default passwords
• Stolen/compromised credentials
• Poor password/key management
• Shared accounts / lack of attribution
• Authentication = access control
• No limits on lateral movement
• No limits on commands
• Lack of monitoring/analysis

Slide 22: Break the Kill Chain: Strong Authentication

Diagram: the same kill chain (gain/expand access; lateral movement and reconnaissance; elevate privilege; wreak havoc; C&C and data/IP exfiltration) for external threat actors and trusted insiders, with strong authentication (Strong AuthN) applied at the gain/expand access stage.

• Strong authentication
• AD/LDAP integration
• Multifactor, hardware or software
• PIV/CAC card support
• SAML
• Login restriction
  – Origin IP
  – Time of day

Slide 23: Break the Kill Chain: Prevent Unauthorized Access

Diagram: the same kill chain, with zero-trust access controls applied at the gain/expand access, lateral movement/reconnaissance and elevate privilege stages.

• Zero trust: deny all, permit by exception
• Role-based privileged user access limits
• Privileged user single sign-on
• Command filtering
• Leapfrog prevention
• Proactive policy violation prevention

Zero Trust Access
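The controls on this slide and the login restrictions on the previous one can be expressed as a single deny-by-default decision per request. The following is an added illustration, not the CA/Xceedium product's policy engine: the roles, target hosts, admin network and permitted hours are constructed, the prohibited verbs are the ones slide 12 names (drop, telnet, reboot), and leapfrog prevention is modelled as refusing verbs that would open an onward connection from the target.

```python
"""Zero-trust privileged access policy: deny all, permit by exception.
Added illustration; roles, targets, networks and hours are constructed and
this is not the CA/Xceedium product's policy engine."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    user: str
    target: str        # host or console the privileged session is opened to
    command: str       # command the user attempts inside the session
    source_ip: str
    when: datetime

# Constructed policy tables: anything absent from them is denied.
ROLES = {"alice": "dba", "bob": "netadmin"}
ROLE_TARGETS = {"dba": {"db01", "db02"}, "netadmin": {"core-sw1"}}
# Command filtering: the command-level limits slide 12 names
PROHIBITED = {"drop", "telnet", "reboot"}
# Leapfrog prevention: verbs that open an onward connection from the target
LEAPFROG = {"ssh", "telnet", "rlogin", "nc"}
# Login restriction by origin IP and time of day (constructed values)
ADMIN_NETS = [ip_network("10.20.0.0/24")]
PERMITTED_HOURS = range(8, 18)

def evaluate(req):
    """Return (allowed, reason). Only the last line permits; every other path denies."""
    role = ROLES.get(req.user)
    if role is None:
        return False, "unknown user"
    if not any(ip_address(req.source_ip) in net for net in ADMIN_NETS):
        return False, "origin IP outside admin network"
    if req.when.hour not in PERMITTED_HOURS:
        return False, "outside permitted hours"
    if req.target not in ROLE_TARGETS.get(role, set()):
        return False, f"role {role} not permitted on {req.target}"
    words = req.command.split()
    verb = words[0].lower() if words else ""
    if verb in PROHIBITED:
        return False, f"prohibited command {verb!r}"
    if verb in LEAPFROG:
        return False, "leapfrog to another host blocked"
    return True, "permitted by role"

def request_at(user, target, command, source_ip, hour):
    """Build a request on a constructed date at the given hour of day."""
    return Request(user, target, command, source_ip, datetime(2016, 11, 7, hour, 0))
```

Each denial carries its reason so the decision can be logged and forwarded as the policy-violation event slide 18 describes.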

Slide 24: Break the Kill Chain: Improve Forensics, Deter Violations

Diagram: the same kill chain, with logging and deterrence controls applied across all of its stages.

• Continuous monitoring and logging
• Warnings, session termination, alerts
• DVR-like recording and playback of sessions
• Activity log reporting
• Privileged account use attribution
• SIEM/syslog analytics

Log, Deter

Slide 25: Privileged Access Management Maturity Levels

Ad hoc, Baseline, Managed, Advanced, driven by a continuous cycle: review, redefine, optimize.

Slide 26: Privileged Access Management Focus Areas

• Privileged users / shared accounts: root, oradba, sapadmin, cisco enable, Windows local admin, named admin accounts, SaaS/IaaS admin accounts
• Service and application accounts: COTS app accounts, app servers, DevOps systems, scheduled tasks, batch jobs, scripts
• Activity monitoring: SIEM, network monitoring, change management, session recording, analytics
• Identity management integration: CA Identity Suite, Oracle IAM, SailPoint, IBM ID Mgt
• Fine-grained tools: CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity

Slide 27: Privileged Access Management Maturity Model

Levels: Level 1 Ad hoc/Manual; Level 2 Baseline; Level 3 Managed; Level 4 Advanced.

Privileged user / shared accounts
  Level 1: Manual controls for privileged accounts
  Level 2: Structured controls; basic vault; account inventory; SDLC integration
  Level 3: Credential vault with RBAC; central password policies; account discovery; MFA
  Level 4: Passwordless (SAML/OAuth/TGS); cloud/SaaS/SDN integration; HSM integration

Service and application accounts
  Level 1: Ad hoc application account management; hard-coded passwords
  Level 2: Manual application account management
  Level 3: Centralized application account management; eliminate hard-coded passwords; REST API integration
  Level 4: Governed application account management; DevOps integration

Monitoring and threat detection
  Level 1: Ad hoc audit and controls
  Level 2: Activity monitoring; decentralized activity logging
  Level 3: SIEM integration; account attribution; SNMP alerting; session recording
  Level 4: Dual authorization; meta-data; service desk integration; analytics integration

Identity management integration
  Level 1: Manual process for privileged access
  Level 2: Automated privileged identity management
  Level 3: Integrated privileged access requests; basic governance
  Level 4: Fully delegated administration; governed privileged access with SoD

Fine-grained controls / SoD
  Level 1: Open source tools and scripts
  Level 2: Decentralized tools (silos)
  Level 3: Command filtering; restricted shell; leapfrog prevention
  Level 4: Centrally managed kernel interceptor with credential vault integration

Slide 28: Critical Questions

• Do you have an inventory of privileged accounts?
  – Operational and application... custom scripts?
• Do you have a record of who has access to passwords?
• How is access to privileged accounts granted?
• Are privileged accounts included in the SDLC process?
  – What about 3rd-party developers and contractors?
• How often do you change privileged account passwords?
• What is your process for changing privileged account passwords?
• How do you track privileged account use?
• How do you grant emergency access to privileged accounts?
• Do you require a change ticket for privileged account use?
• Is segregation of duties enforced on privileged accounts?
• Is there a certification process for privileged accounts?
• How are new privileged accounts created?
• How are privileged accounts retired?
• Is MFA required to access privileged accounts?
• Are any fine-grained controls in place to restrict the scope of privileged accounts? If so, what are they and how are they managed?
• How are cloud-based privileged accounts managed?
• Is privileged account use monitored for suspicious activity, and throughout your hybrid enterprise?

Slide 29: Conclusions and Recommendations

• Privileged identity must be a highly protected core asset (process and technology)
• A zero-trust model should be adopted for all privileged access (including applications); some process re-engineering is a reasonable trade-off for the additional security and risk mitigation
• Next-generation PIM platforms will make this more manageable, but defense in depth is still required
• Organizations need to employ protection, detection and response frameworks specifically focused on privileged identities (and associated keys)

Slide 30: Q&A

Tabish Tanzeem, Sr. Principal Consultant
[email protected]
@TabishTanzeemCA
slideshare.net/CAInc
linkedin.com/pub/noam-dror/0/34b/82b/
ca.com/Security