Transcript of 7 Steps to Complete Privileged Account Management INFOSECURITY BU… · Privileged Access...
7 Steps to Complete Privileged Account Management
September 5, 2017
Fabricio Simao – Country Manager
AGENDA
• Implications of less mature privileged account management
• What does a more mature approach look like?
• A 7-step process for growing your privileged account management maturity
• Business results
• Q&A
BeyondTrust is a cyber security software company that helps organizations control their user privileges and passwords so they can’t be used inappropriately or in a data breach.
Our platform unifies the most effective technologies for addressing internal and external risk:
• Privileged Access Management
• Vulnerability Management
• Threat & Behavioral Analytics
The PAM Industry Leader
Leader: Forrester PIM Wave, Q3 2016
• Top-ranked Current Offering (product) among all 10 vendors reviewed.
• “BeyondTrust excels with its privileged session management capabilities.”
• “BeyondTrust […] provides the machine learning and predictive behavior analytics capabilities.”
Leader: Gartner Market Guide for PAM, August 2017
• Most capabilities across both PASM and PEDM.
• Recognized for: Built-in app-to-app password management, vulnerability management inputs, and cloud delivery options.
• Most complete and affordable solution: BeyondTrust offers the most capabilities bundled together without additional costs or unneeded complexities.
Key Verticals: Fortune 500 Representation
• Commercial Banking: 12 of 18 Fortune 500
• Aerospace / Defense: 5 of 10 Fortune 500
• Energy / Utility / Chemical: 22 of 40 Fortune 500
• Tech / Software: 19 of 26 Fortune 500
• Entertainment: 5 of 8 Fortune 500
• Healthcare / Pharmaceuticals: 15 of 33 Fortune 500
• Retail / Consumer: 13 of 35 Fortune 500
• Communications: 9 of 12 Fortune 500
Quick self-assessment: Where are you in your privileged account management maturity?
You are not alone
How are passwords managed?
• Centrally: 49%
• Individually: 51%
Controls on Tier-1 Systems
• Adequate: 42%
• Inadequate or worse: 58%
Source: BeyondTrust Privilege Gone Wild survey of 700+ security and IT professionals
Immature privileged account management
Accounts, Assets, Users, Systems, Activity
• Manual processes for managing privileged passwords, including spreadsheets, physical safes or wetware
• Lack of auditing and control over root and privileged accounts
• Nearly all users in the organization have administrator access on their machines
• No session monitoring or recording of privileged use
• No visibility over changes made to AD or ability to roll back
• Disorganized and chaotic directory services infrastructure, with multiple logons required and inconsistent policy
• No singular clear picture of threats or what to do about them
Implications of a less mature approach to PAM
Less discipline ► Missed activity ► Greater risk of breaches ► Financial, reputational, compliance impacts
Breach Implications
• 2nd largest health care insurance provider ➢ 80 million people affected over 10 months
• Major home improvement retailer ➢ 53 million people at risk; third-party vendor’s credentials used to gain access
• Largest bank in the US ➢ 76 million households and 7 million businesses affected; compromised through a single employee’s password
Mature Privileged Account Management
Accounts, Assets, Users, Systems, Activity
• Automated password and session management of all shared and dedicated accounts
• Rules-based least privilege with accountability across the organization
• Multi-factor authentication, smart card or advanced token authentication like Duo
• Automatic recording of keystrokes/video
• Integrated threat analytics to improve decision making
• Full auditing and recovery of changes across the environment
• Single sign-on for heterogeneous systems leveraging familiar infrastructure
• Automated scanning, patching and reporting of vulnerable systems
• Network segmentation and jump servers
7 Steps to Complete Privileged Account Management
Step 1: Improve accountability and control over privileged passwords – SAPM, PSM, AAPM
► Why this is a problem
  ► Embedded or hardcoded passwords
  ► A2A and A2DB access
  ► Rotation is unreliable and manual
  ► Session monitoring is complex and time consuming
► Top 5 capabilities:
  1. Discovery and auto-onboarding
  2. Automatically rotate SSH keys and passwords
  3. Adaptive workflow-based options for access control
  4. Password and session management together
  5. Ability to utilize native tools for session management, not third-party tools or Java
Opportunity for integration: Solving remote password change challenges and elevation of applications for real user credentials.
Step 2: Implement least privilege, application control for Windows & Mac desktops – SUPM
► Why this is a problem
  ► Standard users with local admin rights – free for all
  ► Cultural implications
  ► Sometimes certain applications require elevated privileges to run
► Top 5 capabilities:
  1. Default all users to standard; elevate by app
  2. Enforce restrictions on software installs, config changes
  3. Eliminate end users requiring two accounts
  4. Match apps to rules automatically based on asset-based policies
  5. Monitor sessions, capture screens and log keystrokes
Opportunity for integration: Least privilege decisions for applications based on vulnerability, risk, or compliance profile
Step 3: Leverage application-level risk to make better privilege decisions
► Why this is a problem
  ► Elevating an application with a high vulnerability or risk score
  ► Lack of context over how to prioritize a vulnerability
► Top 5 capabilities:
  1. Discover network, web, mobile, cloud and virtual infrastructure
  2. Profile asset configuration and risk potential
  3. Analyze threat potential and return on remediation
  4. Remediate vulnerabilities via integrated patch management
  5. Report on vulnerabilities, compliance, benchmarks
Opportunity for integration: Correlate low-level data from a variety of third-party solutions to uncover critical threats
Step 4: Implement least privilege in Unix and Linux environments – SUPM
► Why this is a problem
  ► Business critical, tier-1 applications are attractive targets for adversaries
  ► Root passwords and super-user status
  ► Sudo may not be enough
► Top 5 capabilities:
  1. Control and audit over commands down to the system level
  2. Flexible policy language
  3. Extensive support for many Unix and Linux platforms
  4. Record and index all sessions
  5. Change management of all settings and policy configurations
Opportunity for integration: Centralized management of sudoers files.
Step 5: Unify management, policy, reporting and threat analytics under a single pane of glass
► Why this is a problem
  ► Management and policy complexity
  ► No view of risk from inside and outside
► Top 5 capabilities:
  1. Discover and group assets and accounts
  2. Centralize all privilege policy
  3. Report on compliance, benchmarks and threats
  4. Correlate low-level data to uncover critical threats
  5. Centralize workflow, ticketing, notification for IT and security
Step 6: Integrate Unix, Linux and Mac into Windows – AD Bridge
► Why this is a problem
  ► Unix, Linux and Mac are each a silo
  ► Complexity of managing a heterogeneous environment
  ► Lack of policy consistency
  ► Multiple directories to manage
► Top 5 capabilities:
  1. No requirement to modify Active Directory schema
  2. Single sign-on for any enterprise application that supports Kerberos or LDAP
  3. Provide a single familiar tool set to manage both Windows and Unix systems
  4. Allow users to use their AD credentials to gain access to Unix, Linux and Mac
  5. Open community support
Opportunity for integration: Extend AD bridge capability to Unix, Linux and Mac privilege management
Step 7: Perform real-time change auditing and recovery
► Why this is a problem
  ► Keeping up with changes made to AD
  ► Business disruption from missed changes
  ► Complex environments
► Top 5 capabilities:
  1. Audit and roll back changes from a single product
  2. Restore from the AD recycle bin without having to extract backups
  3. Audit, report and recover across a complex Windows environment
  4. One-click access to non-owner mailbox reporting in Exchange
  5. Single dashboard
Opportunity for integration: Single platform for all change management
Concluding
Outcomes
• Control over accounts, assets, users, systems and activity
• Uniform, streamlined PAM system (central repository)
• Visibility across the environment (analytics on who does what) regardless of platform
• Firm foundation, regardless of which platform users are coming from (application, operating system or database)
Business Results
• Low total cost of ownership
• Fast time to value
• Deliver the best information to make the best risk-based decisions -> less risk
The BeyondInsight IT Risk Management Platform (diagram labels)
• Retina Vulnerability Management Solutions: Network Security Scanning; Enterprise Vulnerability Management; Dynamic Web Application Scanning; Cloud-Based Perimeter Scanning
• PowerBroker Privileged Account Management Solutions: Privileged Password Management; Privilege Management; Auditing & Protection; Active Directory Bridging
• Extensive Reporting; Central Data Warehouse; Asset Discovery; Asset Profiling; Asset Smart Groups; User Management; Workflow and Notification; Third-Party Integration; Advanced Threat Analytics
• Network Infrastructure; Mobile, Virtual and Cloud; Applications & Databases; Servers & Desktops; Active Directory, Exchange, File Sys.
Let’s try again: Where are you in your privileged account management maturity?
Thank You!
Fabricio Simao – Country Manager