Tech Talk: Defense In Depth Privileged Access Management for Hybrid Enterprises
Transcript of Tech Talk: Defense In Depth Privileged Access Management for Hybrid Enterprises
CA World '16
Tech Talk: Defense In Depth Privileged Access Management for Hybrid Enterprises
Shawn W. Hank, Sr. Principal Consultant, Cybersecurity, CA Technologies
SCT39T
SECURITY
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. @CAWORLD #CAWORLD
Terms of this Presentation: For Informational Purposes Only
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
With over 80% of security breaches estimated to involve privileged credentials, protecting privileged user access has become a necessary measure not only to successfully defend an organization from a breach, but also in satisfying audit and compliance demands.
In this Tech Talk, you'll learn how the military principle of defense in depth security can be applied to privileged access management: one that uses comprehensive and integrated security countermeasures to protect the 'keys to the kingdom', your privileged users and the credentials they use to access your mission critical systems and resources.
You'll also learn how the powerful combination of 'zero-trust' network-based and host-based security across your hybrid IT enterprise environment makes it more difficult for the 'enemy' to overcome a layered privileged access management defense system than to penetrate a solitary barrier.
Shawn W. Hank, CA Technologies, Sr. Principal Consultant, Cybersecurity
Agenda
1 In the News
2 A Little History
3 2016 Trends
4 Privileged Users & Identities
5 Kill Chain
6 Closing Summary & Questions
Privileged Users
What's the common thread in most if not all breaches?
28,070 – Number of attacks the average US company had in 2015
38% – Increase in # of security incidents from 2014 to 2015
94% – Percentage of CxOs believing their company will experience a breach in two years
$3.79M – Average cost of a data breach
3.9B – Number of records lost since 2013
Data records were lost or stolen with the following frequency: Every Day 1,358,671; Every Hour 56,611; Every Minute 943; Every Second 16
Compromised accounts and credentials of….
Your Organization Can't Afford a Large-Scale Cyber-Attack
http://breachlevelindex.com/#sthash.RZhGQkVZ.dpbs
https://securityintelligence.com/cost-of-a-data-breach-2015/
http://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03074usen/SEL03074USEN.PDF
http://www.vormetric.com/campaigns/datathreat/2016/
http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf
Notable Security and Privacy Incidents
§ Yahoo – 2012 – 500 million records (user) in "state sponsored attack" [1]
§ Dropbox – 2012 – 68 million user accounts compromised – initial attack via phishing, credential theft [2]
§ LinkedIn – 2012 – originally reported 6.5 million accounts, recently the number ballooned to 167 million [3]
§ MySpace – 2013 – over 360 million records (personal data) [4]
§ Tumblr – 2013 – 65 million accounts [5]
§ Weebly – 2016 – 43 million records, still under investigation [6]
§ Mossack Fonseca – 2016 – 2.6 TB data leak on politicians, criminals, athletes [7]
Privileged Access: a Common Thread for Hacktivism, Cybercrime, and Espionage
"For digital businesses, privileged identity management becomes both incredibly important and challenging. It's important because one administrator with malicious intent or the theft of administrator credentials can have a disastrous effect on your customers, revenues and long-term reputation."
– Forrester Research, "Critical Questions To Ask Your Privileged Identity Management Solution Provider", September 9, 2014.
World's Biggest Data Breaches: Selected Losses Greater Than 30,000 Records (Updated 15th Oct 2016)
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Economic Losses Are Staggering
Net Losses: Estimating the Global Loss of Cybercrime (Intel Security – June 2014). Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of most countries, and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.
$400 Billion – Global Losses from Cybercrime
$300 Billion – Global Drug Trafficking Revenue
$300 Billion – GDP of Singapore
$3 Trillion – Global Economic Impact of Cybercrime in 10 Years
– McKinsey, World Economic Forum
Cybercrime will cost Businesses Over $2 Trillion by 2019, says Juniper Research [1]
As Does FireEye and Mandiant
Over 1,200 trial deployments and 6 months of data show:
Component            Customers that Reported using this Security Measure   Breach Rate
Firewall             212                                                    100%
IDS/IPS              119                                                    100%
Web proxy            138                                                    100%
Network anti-virus   75                                                     100%
Endpoint AV          169                                                    100%
Other anti-malware   33                                                     100%
Source: Mandiant/FireEye
Outsider vs. Insider: Does it really matter?
§ YES!!!!!
§ Between 2013 and 2015, different sources state that only 3 to 10% of all breaches were CAUSED by insiders with malicious intent – this 3 to 10% was mostly caused by TGYFBFTDHRA
§ That guy (or gal) you fired, but forgot to disable his/her remote access. [1]
§ However, 32% of all breaches INVOLVED an insider – those who were inadvertent actors
§ Note: IBM claims that 60% of all attacks were "carried out by insiders." [2]
– Didn't break down the difference between those with malicious intent and inadvertent actors. [3]
2016 Trends – Breaches vs. Identities
[Chart: Total # of Breaches, 2013–2015 (y-axis 0–350)]
[Chart: Total Identities Exposed (in Millions), 2013–2015 (y-axis 0–600)]
Source: Symantec Internet Security Threat Report 2016
2016 Trends – Exposed Identities per Breach
[Chart: Avg. Identities Exposed per Breach (in Millions), 2013–2015 (y-axis 0–2.5)]
[Chart: Median Identities Exposed per Breach, 2013–2015 (y-axis 0–8,000)]
Source: Symantec Internet Security Threat Report 2016
2016 Trends – Vulnerabilities and Malware
[Chart: # of Zero Day Vulnerabilities, 2012–2015 (y-axis 0–60)]
[Chart: New Malware (and Variants), 2014–2015 (y-axis 0–500)]
Source: Symantec Internet Security Threat Report 2016
2016 Trends – Days to Discovery and Attack Method
[Chart: Days to Breach Discovery, 2012, 2014, 2015 (y-axis 0–450)]
[Chart: Top five data varieties breached by phishing attacks (n=905)]
Source: 2016 Verizon DBIR
What Are Privileged Identities?
§ Not identities, per se; more like (default) account names and permissions:
– root, oradba, sys, system, scott, dbsnmp, sysadmin, SA, sapadmin, cisco enable, Windows local admin, named admin accounts
– SaaS/IaaS/PaaS admin accounts: root account, superAdmin, federated administrator
– BladeLogic RSCD, bladmin, bladelogic, BLAdmin, RBACAdmin
– apache, admin (Tomcat, JBoss, etc.)
CA Advanced Authentication: Two Best-Of-Breed Capabilities in One Solution
Contextual Authentication – CA Risk Authentication™
§ Where is the user?
§ What is the user trying to do?
§ Is the action consistent with history?
§ What device is being used?
Versatile Authentication – CA Strong Authentication™
§ CA AuthID
§ Q&A
§ OATH Tokens
§ OTP – Out of Band
§ CA Mobile OTP
What if You Could…
§ Transparently Collect Data
§ Analyze this Data to Assess Risk
§ Initiate Step-Up Authentication
Welcome to CA Risk Authentication
RISK DATA Attributes
LOCATION – Where is the user?
§ Is the location inherently suspect?
§ Have they been there before?
§ Where were they recently?
DEVICE DNA – What device is being used?
§ What kind of device is it?
§ Have they used it before?
§ Has it changed since they last used it?
BEHAVIOR – What is the user trying to do?
§ Is this a typical action for the user?
§ Is the action inherently risky?
§ Have they taken similar actions before?
HISTORY – Is the action consistent with history?
§ Is this a normal time of day for them?
§ Is their frequency of login abnormal?
§ Is their current action consistent with prior actions?
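To make the four attribute groups concrete, here is an added example (not code from this deck and not CA Risk Authentication's engine) of a toy risk scorer: each question above becomes one weighted check, and the total is mapped to allow, transparent step-up, or deny. The user profile, weights and thresholds are constructed assumptions.

```python
from collections import namedtuple

# Policy knobs (assumptions, not CA product settings): locations and actions the
# policy treats as inherently suspect/risky, and the score bands for step-up / deny.
SUSPECT_COUNTRIES = {"XX"}          # constructed placeholder country code
RISKY_ACTIONS = {"vault_checkout", "policy_change"}
MAX_LOGINS_PER_HOUR = 5
STEP_UP_AT, DENY_AT = 3, 6

# What has been learned about one user so far, and the access attempt being evaluated.
Profile = namedtuple("Profile", "countries devices actions hours logins_last_hour")
Event = namedtuple("Event", "country device_id fingerprint action hour")

def assess(profile, event):
    """One weighted check per LOCATION / DEVICE DNA / BEHAVIOR / HISTORY question
    from the slide; returns (score, reasons that fired)."""
    last_fp = profile.devices.get(event.device_id, event.fingerprint)
    checks = [
        (event.country in SUSPECT_COUNTRIES, 3, "location inherently suspect"),
        (event.country not in profile.countries, 2, "never seen at this location"),
        (event.device_id not in profile.devices, 2, "never used this device"),
        (last_fp != event.fingerprint, 2, "device changed since last use"),
        (event.action in RISKY_ACTIONS, 1, "action inherently risky"),
        (event.action not in profile.actions, 1, "atypical action for this user"),
        (event.hour not in profile.hours, 1, "unusual time of day"),
        (profile.logins_last_hour > MAX_LOGINS_PER_HOUR, 2, "abnormal login frequency"),
    ]
    score = sum(weight for hit, weight, _ in checks if hit)
    return score, [reason for hit, _, reason in checks if hit]

def decide(score):
    """Map the score to what the user experiences: allow, transparent step-up, or deny."""
    return "deny" if score >= DENY_AT else "step-up" if score >= STEP_UP_AT else "allow"

# Constructed sample: Mike normally works from the US on laptop-1 during office hours.
MIKE = Profile({"US"}, {"laptop-1": "fp-a"}, {"ssh_session"}, set(range(8, 19)), 1)

def demo():
    """Three constructed attempts: routine, new device + risky action, suspect location."""
    events = {
        "routine": Event("US", "laptop-1", "fp-a", "ssh_session", 10),
        "new_device_checkout": Event("US", "laptop-2", "fp-b", "vault_checkout", 10),
        "suspect_location": Event("XX", "laptop-1", "fp-z", "ssh_session", 3),
    }
    return {name: decide(assess(MIKE, ev)[0]) for name, ev in events.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The reasons list is what an analyst would want attached to the step-up or denial event, so the decision stays explainable rather than a bare score.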
And Let's Remember Mobile
§ Authentication is different
§ App developers have a choice
– Trust the device unlocking mechanism (e.g., Touch ID)
– Supplement device security with app login
§ If authentication is built into app…
– Do you prompt for credentials every time app is opened (not user-friendly)
– Or do you save credentials on device (not very secure)
Risk Analytics – Why it's Cool
§ Effective analytics technique ideally suited for customers where routine fraud marking is not available
§ Approach is based on assessing whether behavior is normal or abnormal
§ Learns quickly, starts active assessment upon deployment
§ No configuration or training – adapts to the user population
Simplify Workforce Experience: Seamless Single Sign-On to Hundreds of Cloud Applications
§ Rich predefined integrations to popular cloud applications
§ SAML connector enables SSO to hundreds of applications
§ Two-factor authentication supplements strong password login to the Launchpad
§ Self-service password management and forgotten password recovery
Control and Manage Cloud Identity Sprawl: Enable Rule-Based Provisioning and Identity Lifecycle Automation
§ Rule-based provisioning, de-provisioning and entitlement assignment
§ Automated identity lifecycle management as people join, move or leave
§ Extensible and API-driven identity lifecycle management
Simplify Workforce Experience: Rapid Time-To-Value in Bridging With CA Single Sign-On
§ Predefined integration with CA Single Sign-On
§ Few clicks to import existing CA SSO protected resources
§ Existing CA SSO policies dynamically evaluated to determine who gets access
§ Option to enable CA SSO as the identity provider
SaaS-First and Hybrid Deployment Models Leverage Existing On-Premises IAM Investments
[Diagram: CA Identity Service provides authentication (SaaS-first model), single sign-on, user provisioning & deprovisioning, and rogue and orphan account detection and remediation for SaaS apps; in the hybrid model, authentication and single sign-on for on-premises apps go through CA Single Sign-On, with an optional people source]
CA Privileged Access Manager: Privileged Account Management for the Hybrid Enterprise
HYBRID ENTERPRISE
§ Traditional Data Center – Mainframe, Windows, Linux, Unix, Networking – Enterprise Admin Tools
§ Software Defined Data Center – SDDC Console and APIs
§ Public Cloud – IaaS – Cloud Console and APIs
§ SaaS Applications – SaaS Consoles and APIs
CA Privileged Access Manager (Hardware Appliance, AWS AMI, OVF Virtual Appliance – Identity Integration – Enterprise-Class Core)
§ Vault Credentials
§ Centralized Authentication
§ Federated Identity
§ Privileged Single Sign-on
§ Role-Based Access Control
§ Monitor and Enforce Policy
§ Record Sessions and Metadata
§ Full Attribution
A New Security Layer – Control and Audit All Privileged Access
Unified Policy Management
HYBRID CLOUD ENVIRONMENT: Integrated Controls and Unified Policy Management
§ Positively Authenticate Users
§ Vault & Manage Credentials
§ Restrict Access to Authorized Systems
§ Federate Identity and Attributes (SSO)
§ Monitor and Enforce Policy
§ Record Sessions and Metadata
§ Attribute Identity for Shared Accounts
Across Traditional Data Center, Private Cloud and Public Cloud
CA Privileged Access Manager in action
Host-Based Fine-Grained Access Controls
Challenge
§ Broad power granted to privileged users
§ Many ways to become superusers
§ Lack fine-grained controls
§ Limited accountability
§ Questionable audit integrity
Fine-Grained Access Controls
Host-Based Fine-Grained Access Controls
Solution: CA PAM Server Control
§ Superusers have no special privileges
§ Segregation of duties
§ Transparent to users
§ Fine-grained controls
§ Centralized policy management
§ File and process protection
§ Surrogate access controls
§ Sudo replacement
§ Keystroke logging
§ Broad OS support
Fine-Grained Access Controls
[Diagram: Managed Server – Least Privilege Access (with Fine-Grained Controls); Shared Privileged Account (root); Resources: Processes, Files/Folders, User IDs; Sudo Replacement. CA PAM Server Control will control & audit access based on the ORIGINAL User ID]
[Diagram: Inside Organization – Systems Admin (Mike), DB Admin (Bob), Auditor; Outside Organization – Contractor/Partner; all reach the managed server through CA PAM]
CA PAM Server Control Complements the CA PAM Appliance
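The attribution the slides describe, as an added example that is not CA PAM or CA PAM Server Control code: constructed session-broker records name the original user behind each checkout of the shared root account, and each command in the host's audit trail is mapped back to that user. Root activity with no covering brokered session, or with two overlapping ones, is flagged, since that is exactly the audit-integrity gap the Challenge slide lists. Both log formats are assumptions.

```python
import re
from datetime import datetime
# Constructed sample logs (not real product output). The broker log names the original
# user behind each shared-account checkout; the host audit trail only ever sees "root".
BROKER_LOG = """\
2016-11-17T10:00:00Z session=S1 user=mike host=db01 account=root event=start
2016-11-17T10:30:00Z session=S1 user=mike host=db01 account=root event=end
2016-11-17T10:15:00Z session=S2 user=bob host=db01 account=root event=start
2016-11-17T10:20:00Z session=S2 user=bob host=db01 account=root event=end
"""
HOST_AUDIT = """\
2016-11-17T10:05:00Z host=db01 uid=root cmd="tail /var/log/postgresql.log"
2016-11-17T10:17:00Z host=db01 uid=root cmd="systemctl restart postgresql"
2016-11-17T11:00:00Z host=db01 uid=root cmd="useradd tmpadmin"
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split 'timestamp key=value ...' into a dict; quoted values keep their spaces."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def sessions(broker_log):
    """Collapse start/end events into one record per brokered session."""
    found = {}
    for rec in map(parse, broker_log.splitlines()):
        s = found.setdefault(rec["session"], {k: rec[k] for k in ("user", "host", "account")})
        s[rec["event"]] = rec["ts"]          # "start" or "end" timestamp
    return list(found.values())

def attribute(broker_log, host_audit):
    """Map each shared-account command to the ORIGINAL user whose brokered session
    covered it. Two covering sessions -> AMBIGUOUS; none -> UNBROKERED (alert)."""
    sess = sessions(broker_log)
    results = []
    for cmd in map(parse, host_audit.splitlines()):
        users = sorted({s["user"] for s in sess
                        if s["host"] == cmd["host"] and s["account"] == cmd["uid"]
                        and s["start"] <= cmd["ts"] <= s.get("end", datetime.max)})
        if len(users) == 1:
            verdict = users[0]
        elif users:
            verdict = "AMBIGUOUS:" + ",".join(users)
        else:
            verdict = "UNBROKERED"
        results.append((cmd["cmd"], verdict))
    return results
```

The AMBIGUOUS case shows why time-window correlation alone is not enough once two people hold the same shared account at once; per-command attribution on the host (the surrogate controls and keystroke logging on the Solution slide) closes that gap.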
CA Privileged Access Manager Server Control
Prevent the breach
Defend against privilege escalations and access to sensitive resources
Prevent compromise of new systems and data exfiltration
Oversight
§ Login controls
§ Lockdown of ports/services/applications
§ File, directory and process protection
§ Trusted program execution, application jailing
§ Privileged account protection
§ Windows registry protection
§ Inbound and outbound network controls
§ Centrally manage security and access policies
§ Entitlement reporting on access policies
Privileged Identity & Access Management: An Essential Component of Defense-In-Depth
[Diagram: the kill chain stages Reconnaissance → Initial Entry → Escalation of Privileges → Continuous Exploitation, mapped against the defensive layers below and the CA products that cover them]
Layers: Perimeter security; Anti-virus; Phishing protection; Employee Education; Server hardening; Least privilege access; Log & audit privileged user activity; Credential Vault & Session Control; Capture and review server and device audit logs; Data controls & analysis; Advanced authentication & fraud prevention; Identity & Access Governance; Cloud Controls (externalized unexpected controls)
Products: CA Privileged Access Manager; CA PAM Server Control; CA Identity Suite & Identity Service; CA Advanced Authentication; All CA Security Solutions
If you walk away with one message, let it be this:
Identity is the most important asset of your organization and it must be protected.
CA's Identity & Access Portfolio Can Help You Secure Privileged Access & Identity Management
IDENTITY-BASED SECURITY – CA Privileged Access Manager
§ Strong authentication, including MFA
§ Credential management
§ Policy-based, least privilege access control
§ Session recording, filtering, auditing, attribution
§ Application password management
§ Comprehensive, hybrid enterprise protection
§ Self-contained, hardened appliance
§ Threat Analytics
HOST-BASED SECURITY – CA Privileged Access Manager Server Control
§ Mission critical protection of server resources: files, folders, processes, registries
§ Highly-granular access controls
§ Segregated duties of super-users
§ Secured task delegation (sudo)
§ Enforce Trusted Computing Base
§ Auditing and attribution for analytics
CA IDENTITY SUITE
§ Access requests
§ Certification
§ Risk analytics
CA Advanced Authentication
DEFENSE IN DEPTH THROUGHOUT THE STACK!
Recommended Sessions
SESSION#   TITLE                                                                      DATE/TIME
SCT30S     Developing and Implementing a Successful Insider Threat Strategy and Plan  11/17/2016 at 3:45pm
SCT05T     Threat Analytics for PAM                                                   11/17/2016 at 4:30pm
Don't Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
We want to hear from you!
§ IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products
§ ITCS staff will be at most sessions. If you would like to offer a product review, please ask them after the class, or go by their booth
Note:
§ Only takes 5-7 mins
§ You have total control over the review
§ It can be anonymous, if required