CyberArk Security for the Heart of the Enterprise
Bogdan Tobol, Regional Sales Director, North/Eastern Europe

Anunak Attack Summary

Breach Overview: What Happened?
Target: Financial institutions
Attacker: Anunak cybercrime ring
Motivation: Monetary
Goal: Steal money directly from banks
Outcome: >$25M stolen since 2H 2014

What Happened?
Anunak launched targeted attacks against several banks, gained privileged access to systems, transferred money to outside accounts and compromised ATMs to steal cash.

The Carbanak attack was carried out by members of the Anunak cybercrime ring and primarily targeted several Russian and Eastern European banks. The goal of the attack was to steal money directly from the banks, and the attacks were quite successful. In the second half of 2014 alone, the Anunak crime ring stole $25 million from the banks, and it is estimated that in total they have stolen hundreds of millions of dollars from banks, payment processors and retailers.

Large US Retailer: March 2014
Attack Summary

Company Overview
Industry: Retail
Employees: 27,000
Headquarters: USA

What Happened?
Early 2014: 260,000 credit cards stolen from a large US retailer went up for sale
Early 2015: The same retailer announced a second intrusion into POS systems

This large North American retailer operates more than 2,800 stores, has over 27,000 employees and generates annual revenue of nearly $4 billion. In March 2014, over 260,000 credit cards went up for sale on a prominent crime shop named Rescator[dot]so. The one common thread between all the cards for sale was that each had been used at stores belonging to the same large US retailer. Notably, the cards for sale were listed by zip code, enabling purchasers to buy cards local to them and so increase the likelihood that the cards would work. The inclusion of zip code information was an intentional countermeasure to the geo-blocks that banks had placed on credit cards following another major retail breach. Those bank-set geo-blocks immediately restricted the physical area in which a card could be used, so an out-of-state purchaser of a stolen card would have no luck using it. Learning from this limitation, Rescator posted card zip code information so that purchasers could buy locally and avoid the blocks.

To the researchers investigating this breach, however, the presence of zip codes provided insight into just how many stores were breached. While the retailer claimed that far fewer cards were actually stolen and that only a limited number of locations were affected, the evidence gathered from Rescator's site suggested otherwise: most if not all stores were breached, and the true number of stolen cards was closer to 260,000. Today we will discuss this attack, which occurred in early 2014, but it is also notable that the same retailer recently confirmed a second POS intrusion that put some card data at risk. It is still undetermined whether this is truly a second incident or whether the first incident was never fully remediated.

Sony Pictures Entertainment
Breach Summary
Company Overview Industry: Media/Entertainment Revenue: $8 billion
Employees: 6,500 Headquarters: California, US What Happened: What
was taken: IP, IT information,employee PII, and more Alleged threat
actor: North Korea Likely motivation: Brand damage Impact: Complete
loss of IT control,brand damage, pulled moviepremier The Sony
Pictures Entertainment breach is arguably the most well-known data
breach due to its target, attack methods and outcome. Sony
employees walked into work and turned on their computers to find
the notice Hacked by GOP.The attackers publicly gave Sony an
ultimatum: pull the release of The Interview, or have all your data
publicly leaked. The facts: Sony Pictures is an $8 billion media
company with 6,500 employees, based in Southern California. At the
time of the attack, Sony was about to release the comedy The
Interview, in which unlikely assassins were hired to kill Kim
Jong-un, the supreme leader of North Korea. The perpetrators
claimed that the goal of this attack was to prevent the release of
The Interview and significantly embarrass Sony until they agreed.
Attackers stole intellectual property, employee salary data,
personals, and detailed information about the IT infrastructure
among other things. Following the attack, Sony suffered complete
loss of control over its IT environment, suffered public
embarrassment, and ultimately pulled the movie release. More, Sonys
chief executive was forced to resign due to the content of publicly
released personals. Following an investigation, the US government
publicly attributed the attack to North Korea though there is
speculation that this may not be the full story. Privileged
Accounts are Targeted in All Advanced Attacks
"APT intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts." "100% of breaches involved stolen credentials." (Source: Mandiant, M-Trends and APT1 Report)

Privileged Accounts Are a Built-in Vulnerability
Simply put, privileged accounts are built-in vulnerabilities throughout your infrastructure. Put yourself in the hacker's shoes: need access to a particular network segment, or want to change firewall rules to enable external communication? Want to gain access to the domain controller? Want to dump a database table to capture a competitor's customer list? Unprotected, unmonitored privileged accounts are the way to go.

Privileged Credentials are Everywhere
Privileged accounts exist in routers, firewalls, hypervisors, databases and applications; in servers; in laptops, tablets and smartphones; in power plants and factory floors; in WiFi routers and smart TVs. Where are your privileged accounts? They are everywhere, in every piece of hardware and software. They exist across the entire IT stack, including data, applications, endpoints and the network.

A privileged user is any user that has the capability to change, alter or impact the operational service of a business process. So, in any organization, this includes not only system administrators but also some people you may not consider privileged users today. Think about some of your business users and even your social networking account managers. Do they have access privileges that could impact important business processes?

Privilege is at the Center of the Attack Lifecycle
Typical Lifecycle of a Cyber Attack (diagram): privilege sits at the center of the attack lifecycle.

Hijacked Credentials Put the Attacker in Control
Compromised privileged accounts, whether on routers, firewalls, hypervisors, databases and applications, on power plants and factory floors, on servers, on WiFi routers and smart TVs, or on laptops, tablets and smartphones, enable attackers to:
- Bypass security controls and monitoring
- Access all of the data on the device
- Disrupt normal operation of the device
- Cause physical damage
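The slide says hijacked privileged credentials let an attacker bypass controls and monitoring, which is exactly why privileged-account telemetry has to be monitored on its own terms. The following Python script is an added example, not CyberArk code and not part of the original deck. It learns each privileged account's normal source hosts and logon hours from a baseline window, then flags a privileged logon from a new source, at an unusual hour, an interactive logon by a service account, and a burst of distinct targets that looks like lateral movement. The log format is a constructed, simplified key=value rendering of Windows logon events; the field names (user, src, dst, type, result), account names and addresses are assumptions.

```python
"""Baseline-and-deviation monitoring of privileged logons (added example, not CyberArk code).

The log format is a constructed, simplified key=value rendering of Windows
logon events; the field names, account names and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime

PRIVILEGED = {"CORP\\Administrator", "CORP\\svc-backup", "CORP\\dba-admin"}
SERVICE_ACCOUNTS = {"CORP\\svc-backup"}   # should never log on interactively
INTERACTIVE_TYPES = {"2", "10"}           # console and RDP logon types
LATERAL_THRESHOLD = 3                     # distinct targets within the window ...
LATERAL_WINDOW_SEC = 600                  # ... of ten minutes

# Constructed sample data: a baseline of normal activity, then a suspicious day.
BASELINE_LOG = """\
2015-03-02T09:14:07Z user=CORP\\Administrator src=10.0.5.23 dst=DC01 type=10 result=success
2015-03-02T09:40:12Z user=CORP\\dba-admin src=10.0.5.40 dst=SQL01 type=10 result=success
2015-03-03T02:00:01Z user=CORP\\svc-backup src=10.0.9.8 dst=FS01 type=3 result=success
2015-03-04T02:00:02Z user=CORP\\svc-backup src=10.0.9.8 dst=FS02 type=3 result=success
2015-03-04T14:05:55Z user=CORP\\Administrator src=10.0.5.23 dst=DC02 type=10 result=success
"""
DETECT_LOG = """\
2015-03-10T03:12:44Z user=CORP\\svc-backup src=10.0.77.15 dst=DC01 type=10 result=success
2015-03-10T03:13:01Z user=CORP\\svc-backup src=10.0.77.15 dst=DC02 type=3 result=success
2015-03-10T03:13:20Z user=CORP\\svc-backup src=10.0.77.15 dst=SQL01 type=3 result=success
2015-03-10T09:30:00Z user=CORP\\dba-admin src=10.0.5.40 dst=SQL01 type=10 result=success
2015-03-10T10:02:10Z user=CORP\\jdoe src=10.0.77.15 dst=WS-217 type=2 result=success
"""

def parse(log):
    """Turn one event per line into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def build_baseline(events):
    """Per privileged account: source hosts and logon hours seen during normal operation."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["user"] in PRIVILEGED and e["result"] == "success":
            hosts[e["user"]].add(e["src"])
            hours[e["user"]].add(e["ts"].hour)
    return hosts, hours

def detect(events, baseline):
    """Return (account, issue, detail) triples; new sources/hours alert once, then are learned."""
    hosts, hours = baseline
    findings = []
    recent = defaultdict(list)   # account -> [(ts, dst)] inside the lateral-movement window
    for e in events:
        u = e["user"]
        if u not in PRIVILEGED or e["result"] != "success":
            continue
        if e["src"] not in hosts[u]:
            findings.append((u, "new_source", e["src"]))
            hosts[u].add(e["src"])
        if e["ts"].hour not in hours[u]:
            findings.append((u, "unusual_hour", e["ts"].hour))
            hours[u].add(e["ts"].hour)
        if u in SERVICE_ACCOUNTS and e["type"] in INTERACTIVE_TYPES:
            findings.append((u, "interactive_service_logon", e["dst"]))
        recent[u] = [(t, d) for t, d in recent[u]
                     if (e["ts"] - t).total_seconds() <= LATERAL_WINDOW_SEC]
        recent[u].append((e["ts"], e["dst"]))
        targets = {d for _, d in recent[u]}
        if len(targets) >= LATERAL_THRESHOLD:
            findings.append((u, "lateral_movement", sorted(targets)))
    return findings

def run():
    """Build the baseline from the quiet week and score the suspicious day."""
    return detect(parse(DETECT_LOG), build_baseline(parse(BASELINE_LOG)))

if __name__ == "__main__":
    for finding in run():
        print(*finding)
```

On the constructed data the non-privileged user jdoe on the same suspicious source host is ignored, while svc-backup produces four findings: a new source, an unusual hour, an interactive (RDP) logon by a service account, and three distinct targets inside ten minutes. The "learn after alerting" step keeps the output to one alert per new fact; in production that learning should be gated on an analyst's confirmation, otherwise an attacker's host becomes part of the baseline.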
CyberArk Breaks the Attack Chain

CyberArk Delivers a New Critical Security Layer
Perimeter Security; Security Controls Inside the Network; Monitoring; Privileged Account Security
CyberArk provides a critical new layer in the overall security strategy, because it delivers both proactive protection and threat detection in the critical path of privileged accounts, the target of every external and insider attack.

Privileged Account Security Across the Stack
Network, Data, Endpoint, Applications: Data Security, Application Security, Privileged Account Security, Endpoint Security, Network Security

Solving the Privileged Account Security Problem
Environments: Enterprise, Cloud, SCADA/ICS
Threats: Advanced External Threats; Insider Threats
Controls: Securing Application Credentials; Securing Shared Admin Accounts; Control & Accountability for Privileged Users; Monitor & Record Privileged Activity; Remote User Access Control
Audit & Compliance: Compliance Reporting

We have talked a lot about how critical privileged account security is to addressing advanced threats and malicious insiders. But it is important to know that industry and government compliance standards and regulations also require the protection and monitoring of privileged accounts. We address these issues in your physical on-premises environment, across private, hybrid and public cloud environments, and in SCADA and industrial control environments, where we already have over 100 deployments.

Comprehensive Controls on Privileged Activity
Lock Down Credentials: protect privileged passwords and SSH keys
Isolate & Control Sessions: prevent malware attacks and control privileged access
Continuously Monitor: implement continuous monitoring across all privileged accounts
Products: Enterprise Password Vault, SSH Key Manager, Application Identity Manager, Privileged Session Manager, On-Demand Privileges (Unix OPM, Windows), Privileged Threat Analytics

The Problem: Users with admin rights can
- Install kernel-mode rootkits
- Install system-level key loggers
- Install malicious ActiveX controls, including IE and Explorer extensions
- Install spyware and adware
- Install malware; run Pass-the-Hash exploits
- Install and start services
- Stop existing services (such as the firewall)
- Access data belonging to other users
- Cause code to run whenever anybody else logs on to that system
- Replace OS and other program files with Trojan horses
- Disable/uninstall anti-virus
- Create and modify user accounts
- Reset local passwords
- Render the machine unbootable
- And more

How do you handle events that generally require local admin rights?
Pain varies based on role and on the current state of admin privilege management.

Scenario: users have local admin rights / local admin rights are removed

Buyer: Operations Team (Desktop Engineering, IT Planning and Engineering, Director of IT)
Pain (users have local admin rights): spends lots of time fixing damage and remediating incidents on users' laptops
Pain (local admin rights removed): handles a constant stream of help desk calls as users need privileges to install and run approved applications
Questions: How much time and effort do you spend responding to endpoint incidents? How do you handle events that generally require local admin rights?

Buyer: Security Team (Security Analyst, Security Architect, Director of IT Security)
Pain (users have local admin rights): limited ability to protect the organization because of a giant, unmanaged attack surface
Pain (local admin rights removed): forced to manage privilege creep, as users regain local admin rights to run business applications
Questions: How many security incidents could you prevent each year by eliminating local admin rights? How do you revoke local admin rights once they are no longer needed by business users?

Recap: Least Privilege + App Control = Reduced Risk
Least Privilege: limit privileges for business and administrative users. Gap: malicious applications that don't need privileges can still get in.
Application Control: only allow whitelisted, trusted applications. Gap: applications that require privileges force users to keep local admin privileges.

Why is this important: When we look at data around advanced attacks, most start with phishing against non-privileged business users. The numbers show that a campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminals' prey. Once the attacker is in, they can exploit local admin privileges to advance the attack.

Individually, least privilege alone limits the privileges of business and administrative users, which is a good thing. But if an organization has removed admin rights and is not monitoring and controlling which applications are allowed to run in its environment, a rogue application containing malware that does not require admin rights can enter the infrastructure, execute and penetrate the environment. Alternatively, if you are only doing application control, you can be stuck in a situation where a whitelisted application requires privileges to run. In that case, in order to run the application, the IT team has to give local admin privileges back to the users. Over time, organizations can end up with most of their users holding local admin rights because they need applications that require privileges. Despite their individual shortcomings, when used together these controls can be extremely effective. Combined, we can:
- Reduce the attack surface by preventing known bad applications from executing
- Limit what malware can do by limiting the privileges granted to unknown applications
Combined, least privilege and application control enable organizations to reduce the attack surface and block the progression of malware-based attacks.

Privileged Accounts are Targeted in All Advanced Attacks
"Anything that involves serious intellectual property will be contained in highly secure systems, and privileged accounts are the only way hackers can get in." (Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2012)

Can We Really Isolate All Critical Networks?
The assumption that all critical networks can be isolated is very problematic:
- Removable media
- Mistakes and temporary connections
- Remote access
How do we design a truly secure remote access system? A design that will also help secure against the first two types of threat.

Securing Access Into the ICS/OT Network
(Diagram, left to right) Corporate Network and third-party vendor -> DMZ firewall -> VPN, Web Portal, Supervisor -> DMZ: PSM, Password, Session Recording -> ICS firewall -> ICS Network: Vault, UNIX Servers, Databases, SCADA Devices, Routers & Switches, Windows Servers; Anti-Virus & Content Filtering

SSH Keys: A Critical Privileged Account Problem
SSH keys are commonly used by users and machines to access privileged accounts. They are an attack vector commonly used to gain access to critical systems. 51% of companies report being impacted by SSH key related compromises.* (*Source: Ponemon Institute)

Layers of Security in the Digital Vault
Hierarchical Encryption, Vault Safes, Tamper-Proof Auditability, Comprehensive Monitoring, Session Encryption, Segregation of Duties, Authentication, Firewall

The CyberArk Digital Vault was built from the ground up with security in mind. The Digital Vault includes seven layers of security to ensure the highest levels of protection for your most sensitive credentials, files and audit logs. The vault includes:
- Layered (hierarchical) encryption to protect data at rest, plus session encryption to protect data in transit
- A built-in firewall to ensure that only authorized traffic is able to reach the vault
- Integration with a variety of strong authentication methods to assure the identity of your users
- Segregation of duties to ensure that privileged credentials can only be accessed by authorized users for approved business reasons
- Comprehensive monitoring to rapidly detect system issues and security events

Sensitive Information Management
Easy, Secure and Compliant File Sharing
Share: sensitive documents between users
Automate: file transfers between applications
Audit: file sharing and access to sensitive documents

To complement CyberArk's PAS solution, CyberArk also offers Sensitive Information Management (SIM) to help organizations protect their most sensitive documents while enabling secure collaboration between internal teams, partners and customers. SIM enables easy, secure and compliant file sharing between authorized users and applications. Users can create safes to share files with trusted users and applications. Granular access controls and strong encryption mean that trusted parties can share and access sensitive files while keeping those files safe from unauthorized eyes. Segregation of duties means IT teams are able to administer and support the platform without having access to any of the underlying sensitive files. With SIM, trusted users are able to exchange sensitive documents easily without putting the information at risk.

SIM's automated distribution and collection capabilities also enable trusted systems to share large amounts of data. As an example, several of our customers use SIM to automatically transfer employee time and pay information to ADP systems to simplify and secure payroll processes.

To help our customers meet compliance requirements, SIM enables IT teams to audit file access. They can audit who and what has access to which safes, to ensure that access controls are properly enforced. They can also report on who has accessed which files, and whether certain files were viewed or downloaded. The full, tamper-proof audit trail combined with easy reporting enables IT teams and auditors to pull the precise data needed to prove compliance with applicable industry regulations.

Lastly, SIM supports a variety of interfaces and can be accessed in a variety of ways, including web access via a portal, an Outlook add-in to send files securely, and a mobile app to access and share files via tablets while on the go. The flexibility in access choices enables users to stay productive whether they are in the office, working from home or on the road, while keeping sensitive information secure.
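The "SSH Keys: A Critical Privileged Account Problem" slide above states the problem but not how to get a grip on it. The first step a practitioner takes is an inventory of every authorized_keys entry and a policy check over it. The following Python audit is an added example, not CyberArk code and not from the deck: it parses authorized_keys lines (including the quoted option prefix), computes the OpenSSH-style SHA256 fingerprint from the decoded key blob, reads the RSA modulus length out of the wire format, and reports weak algorithms, root keys without a from= restriction, automation-account keys without a forced command, and one key trusted by several accounts. The hosts, accounts, file contents and policy rules are constructed assumptions, and the RSA/DSA moduli are synthetic numbers rather than real keys.

```python
"""Audit of authorized_keys files across an SSH key inventory (added example, not CyberArk code).

Hosts, accounts, key blobs and the policy rules are constructed assumptions:
the RSA/DSA moduli below are synthetic numbers, not real keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
MACHINE_ACCOUNTS = {"deploy"}   # assumed policy: automation accounts must use forced commands

# Helpers that build synthetic key blobs in SSH wire format (constructed data only).
def _s(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    return _s(n.to_bytes(n.bit_length() // 8 + 1, "big"))   # extra byte keeps it positive

def rsa_blob(bits):
    return _s(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)

def ed25519_blob(seed):
    return _s(b"ssh-ed25519") + _s(hashlib.sha256(seed).digest())

def dss_blob():
    return _s(b"ssh-dss") + _mpint(1 << 1023) + _mpint(1 << 159) + _mpint(2) + _mpint(3)

def _read(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def rsa_bits(blob):
    """Modulus length of an ssh-rsa blob: string type, mpint e, mpint n."""
    _, off = _read(blob, 0)
    _, off = _read(blob, off)
    n, _ = _read(blob, off)
    return int.from_bytes(n, "big").bit_length()

def fingerprint(blob):
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def split_options(line):
    """Return (options, rest); option values may be quoted and contain spaces or commas."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    quoted, i = False, 0
    while i < len(line):
        if line[i] == '"':
            quoted = not quoted
        elif line[i] == " " and not quoted:
            break
        i += 1
    return line[:i], line[i + 1:]

def option_names(opts):
    """Option names (from, command, no-pty, ...) with quoted commas left alone."""
    names, cur, quoted = set(), "", False
    for c in opts + ",":
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            if cur:
                names.add(cur.split("=", 1)[0])
            cur = ""
        else:
            cur += c
    return names

ALICE = base64.b64encode(ed25519_blob(b"alice")).decode()
BOB = base64.b64encode(ed25519_blob(b"bob")).decode()
BACKUP = base64.b64encode(rsa_blob(3072)).decode()
LEGACY = base64.b64encode(rsa_blob(1024)).decode()
OLD_DSA = base64.b64encode(dss_blob()).decode()

# Constructed inventory: "host:account" -> contents of that account's authorized_keys
INVENTORY = {
    "db01:root": f"ssh-ed25519 {ALICE} alice@laptop\n",
    "web01:root": ("# managed by config management\n"
                   f'from="10.0.5.0/24" ssh-ed25519 {BOB} bob@ops\n'
                   f"ssh-dss {OLD_DSA} legacy-admin\n"),
    "app01:deploy": (f'from="10.0.9.8",command="/usr/local/bin/backup.sh",no-pty ssh-rsa {BACKUP} backup@bastion\n'
                     f"ssh-ed25519 {ALICE} alice@laptop\n"
                     f"ssh-rsa {LEGACY} jenkins-2012\n"),
}

def audit(inventory):
    """Return (where, fingerprint, issue) triples for every policy violation found."""
    findings, seen = [], defaultdict(list)
    for where, text in inventory.items():
        account = where.split(":")[1]
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            opts, rest = split_options(line)
            ktype, b64 = rest.split()[:2]
            blob = base64.b64decode(b64)
            fp, names = fingerprint(blob), option_names(opts)
            seen[fp].append(where)
            if ktype == "ssh-dss" or (ktype == "ssh-rsa" and rsa_bits(blob) < 2048):
                findings.append((where, fp, "weak_algorithm"))
            if account == "root" and "from" not in names:
                findings.append((where, fp, "unrestricted_root_key"))
            if account in MACHINE_ACCOUNTS and "command" not in names:
                findings.append((where, fp, "machine_key_without_forced_command"))
    for fp, places in seen.items():
        if len(places) > 1:   # one private key opening several doors
            findings.append((",".join(places), fp, "key_shared_across_accounts"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding)
```

Fingerprints, not comments, are the identity of a key: the comment field is free text and the same public key can be pasted anywhere, which is how the shared alice@laptop key shows up on both a database root account and an application deployment account. Collecting the files is the hard part in practice (root on every host, plus any AuthorizedKeysFile and AuthorizedKeysCommand overrides in sshd_config); the checks themselves stay simple.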
CyberArk Overview
Trusted experts in privileged account security: 1,900 privileged account security customers; 40% of the Fortune 100; 56% growth
Approach privileged accounts as a security challenge: designed and built from the ground up for security
Twelve years of innovation in privileged account controls, monitoring and analytics: first with vault, first with monitoring, first with analytics; over 100 software engineers, multiple patents

CyberArk is the trusted expert in Privileged Account Security: we focus our innovation and security expertise solely on privileged accounts. And our approach is purely from a security perspective, rather than an identity management and automation perspective. We view this as a security challenge and have designed our products from the ground up with that in mind. We have 1,800 global customers, including 40% of the Fortune 100 and 18% of the Global 2000, so we have seen more and done more with privileged accounts than any other vendor out there.

We have over 12 years of innovation built into our solution. We were the first to bring a password vaulting solution to market, the first enterprise-scalable application identity management solution, the first to offer integrated session monitoring with isolation and control, and most recently we released Privileged Threat Analytics, making us the first vendor to release a targeted analytics product aimed at detecting unusual behavior on privileged accounts. CyberArk has the industry's only comprehensive privileged account security solution.

CyberArk serves customers in more than 65 countries and sells its products and services direct as well as through an extensive network of more than 200 global partners. CyberArk is a well-funded, profitable and cash-flow-positive company. Our growth accelerated to 56% year-over-year in 2014; we have a strong balance sheet and have been profitable for several years.

Only comprehensive privileged account security solution: one solution, focused exclusively on privileged accounts; enterprise-proven.

IDC Names CyberArk the PAM Market Leader
"CyberArk is the PAM pure-play big gorilla with the most revenue and largest customer base." Source: IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, by Pete Lindstrom, December 2014, IDC Document #253303

Trusted by Customers Worldwide
Over 1,900 Global Customers; 40% of Fortune 100; 19% of Global 2000

Thank you