Posted on 21-Jan-2018


Case Study: Privileged Access in a World on Time

SCT17S, Security

Trey Ray, IT Manager, FedEx

Laxmi Potana, Cyber Security Advisor, FedEx

Michael Scudiero, Sr. Cyber Security Analyst, FedEx

COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED. #CAWORLD #NOBARRIERS

For Informational Purposes Only: Terms of This Presentation

© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.


Abstract

Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time with CA Privileged Access Manager is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it's also good security.

Trey Ray, FedEx, IT Manager

Laxmi Potana, FedEx, Cyber Security Advisor

Michael Scudiero, FedEx, Sr. Cyber Security Analyst

HOW TO BUILD A GLOBAL SHIPPING NETWORK TO TAKE ON THE FUTURE

VIDEO: "FEDEX" (TRT: 1:31)

Privileged Access in a World on Time

Trey Ray, Laxmi Potana, and Michael Scudiero

Privileged Access in a World of Cyber Risk

PCI DSS 3.2 Created The Urgency

PREVENT
2 Factor Authentication
Automated Password Rotation & Vaulting
Command Filtering
Leapfrog Prevention

DETECT
DVR & Command Line Session Recording Available
Logging of All PAM User Activity
SIEM Integration & Alerting

REPORT
Built-in Reports on All Integrated Accounts and Passwords
Metrics Displayed in Admin Dashboard

Privileged Access is Preventive & Detective

Active Directory domain admin
Windows Server Admin
Unix root
Database admin (DBA) and developer break-fix
App service accounts
Web Portals
VMware Hypervisor admin
TACACS
Corporate social media accounts
Any shared privileged account in the environment

If privileged accounts are the "Keys to the Kingdom," then PAM is the lockbox for the keys.

Managing the Keys to Running the World on Time

USE CASES TO CONTROL PRIVILEGED ACCESS

Unix Root Admin
Active Directory Domain Admin
Windows Local Admin Accounts
Developer Access To Privileged Data

Use Case: Active Directory Domain Admin (Before PAM Integration)

The Domain Admin launches an RDP session from their own PC/laptop, or from another Windows server in the domain, using a personal admin account.

This practice is subject to the "Pass the Hash" vulnerability, whereby the domain administrator's credentials can be harvested by an attacker and used to gain privileged access to the domain.

Use Case: Active Directory Domain Admin (After PAM Integration)

The Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential.

An RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials.

The Domain Admin credentials are never exposed to the administrator's endpoint, which eliminates the "Pass the Hash" vulnerability.

The session is optionally recorded for audit purposes.

Use Case: Unix Root (Before PAM Integration)

No consistent method for managing Unix root passwords across the SysAdmin teams.

Unix root passwords had to be rotated manually on a regularly scheduled interval.

No attribution for Unix root account usage.

Use Case: Unix Root (After PAM Integration)

The Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required.

An SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials.

The root password is never displayed to the SysAdmin.

Command filtering prevents accidents (for example, rm -rf *.*).

The session is optionally recorded for audit purposes.
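The command filtering mentioned on the Unix root slide, as an added example written for this page rather than taken from CA PAM: a small filter of the kind a PAM session proxy applies before a command reaches the target host. The protected directories, the separators handled and the sample commands are constructed assumptions.

```python
# Added example (not CA PAM code): a command filter of the kind a PAM
# session proxy applies before a command reaches the target Unix host.
# PROTECTED, SEPARATORS and the policy itself are constructed for this page.
import shlex

# Top-level directories a filtered root session may never hit with rm -rf.
PROTECTED = {"/", "/etc", "/boot", "/usr", "/bin", "/sbin", "/var", "/home"}
# Boundaries between simple commands; parentheses open/close subshell lists.
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}


def split_segments(line):
    """Split a line into simple commands, honouring quotes: 'cd /tmp; rm -rf *'
    is two segments, while echo "rm -rf *" keeps the quoted text as one word."""
    tokens = list(shlex.shlex(line, posix=True, punctuation_chars=True))
    segments, current = [], []
    for tok in tokens + [";"]:              # sentinel flushes the last segment
        if tok not in SEPARATORS:
            current.append(tok)
        elif current:
            segments.append(current)
            current = []
    return segments


def is_destructive_rm(argv):
    """rm that is recursive AND forced AND aimed at a wildcard or protected dir."""
    if argv and argv[0] == "sudo":           # policy applies through sudo too
        argv = argv[1:]
    if not argv or argv[0] != "rm":
        return False
    short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
    longs = {a for a in argv[1:] if a.startswith("--")}
    recursive = bool(set("rR") & set(short)) or "--recursive" in longs
    force = "f" in short or "--force" in longs
    targets = [a for a in argv[1:] if not a.startswith("-")]
    risky = any("*" in t or (t.rstrip("/") or "/") in PROTECTED for t in targets)
    return recursive and force and risky


def filter_command(line, audit):
    """Return (allowed, reason, command); deny the whole line if any simple
    command violates policy, and log every decision for the session record."""
    try:
        segments = split_segments(line)
    except ValueError as err:                # unbalanced quotes: fail closed
        decision = (False, f"unparseable: {err}", line)
    else:
        bad = next((s for s in segments if is_destructive_rm(s)), None)
        decision = ((False, "destructive rm blocked", " ".join(bad)) if bad
                    else (True, "allowed", line))
    audit.append(decision)                   # feeds session log / SIEM alerting
    return decision
```

A deny-list like this shows the mechanism; production filters are usually allow-list based, because a pattern match on rm alone cannot see every route by which files get deleted.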

Use Case: Developer DB Break-Fix (Before PAM Integration)

The developer temporarily escalates his database privileges (for 24 hours) using an IDM pre-approved break/fix workflow.

Because the developer uses his own personal user account for the escalated database access, the window of opportunity for an attacker to gain access using compromised credentials is lengthy.

Use Case: Developer DB Break-Fix (After PAM Integration)

The developer logs into the CA PAM client with 2FA and checks out a privileged database account.

A secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials.

The database password is never displayed to the developer.

The session is optionally recorded for audit purposes.

Use Case: Microsoft LAPS Console (Before PAM Integration)

The administrator launches the LAPS console from their local machine.

LAPS privileges are granted directly to human admins via an AD group.

An adversary using a compromised human admin account would be able to view local Windows admin credentials for many devices in LAPS.

Use Case: Microsoft LAPS Console (After PAM Integration)

The administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential.

CA PAM launches the LAPS console via an RDP published application.

The LAPS-enabled credential is rotated at the end of the session and once a day.

The LAPS session is optionally recorded for audit purposes.
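The checkout, transparent-login and rotate-on-check-in lifecycle behind the Developer DB Break-Fix and LAPS use cases (and the credential isolation the Domain Admin use case relies on), as an added example that is not CA PAM's code: the vault, the 2FA flag, the session id and the rotation method are constructed stand-ins.

```python
# Added example (not CA PAM code) of the checkout, transparent-login and
# rotate-on-check-in lifecycle on the slides; vault, 2FA flag and rotation are stand-ins.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Lease:
    user: str
    account: str
    expires: datetime
    active: bool = True


class Vault:
    def __init__(self, start=None):
        self.now = start or datetime.now(timezone.utc)   # advanced in tests
        self._secrets = {}   # account -> current password, private to the vault
        self.audit = []      # (user, account, event, detail) rows for the SIEM

    def advance(self, hours):
        self.now += timedelta(hours=hours)

    def enroll(self, account):
        self._secrets[account] = secrets.token_urlsafe(24)

    def checkout(self, user, account, mfa_ok, ttl_hours=1):
        """Issue a time-boxed lease after 2FA; the password is never returned."""
        if not mfa_ok:
            self.audit.append((user, account, "checkout-denied", "no 2FA"))
            raise PermissionError("2FA required")
        lease = Lease(user, account, self.now + timedelta(hours=ttl_hours))
        self.audit.append((user, account, "checkout", f"ttl={ttl_hours}h"))
        return lease

    def open_session(self, lease):
        """Transparent login: the proxy injects the password; the user gets an id."""
        if not lease.active or self.now >= lease.expires:
            self.audit.append((lease.user, lease.account, "session-denied", "lease"))
            raise PermissionError("lease no longer valid")
        _password = self._secrets[lease.account]   # consumed here, never displayed
        session_id = secrets.token_hex(8)
        self.audit.append((lease.user, lease.account, "session-open", session_id))
        return session_id

    def checkin(self, lease):
        """Close the lease and rotate the password so a captured one is stale."""
        lease.active = False
        self._secrets[lease.account] = secrets.token_urlsafe(24)
        self.audit.append((lease.user, lease.account, "checkin-rotate", ""))
```

The 24-hour break-fix window from the slide becomes a lease that expires on its own, and the end-of-session rotation is the same step the LAPS slide describes; a scheduler calling enroll() again would provide the daily rotation.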

WHAT WE LEARNED WILL HELP US SCALE

DESIGN FOR HIGH AVAILABILITY
EMPOWER ADMINISTRATORS
PHASED APPROACH
AWARENESS PLANNING


Questions?


Stay connected at communities.ca.com

Thank you.


Security

For more information on Security, please visit: http://cainc.to/CAW17-Security
