Privileged Access Management for the DEN CSA User Group – CA Technologies
Privileged Access Management Breaking The Kill Chain
Tabish Tanzeem, CISSP, Sr. Principal Consultant
November 2016
2 © 2015 CA. ALL RIGHTS RESERVED.
Agenda
STATISTICS AND INCIDENTS
WHAT ARE PRIVILEGED USERS?
WHAT IS THE CHALLENGE?
TOP 10 PAM BEST PRACTICES
MATURITY MODEL
Intersecting Forces Yield A Sea Change
Infrastructure – Virtualization/SDDC, Public Cloud/SaaS
Threats – Cybercrime, Cyberespionage
Security Model – De-perimeterization, Identity
The Hybrid Enterprise Management Plane
Ongoing Infrastructure Changes Introduce New Control Points, Risks
Hybrid Enterprise
– Software Defined Data Center – SDDC Console & APIs
– SaaS Applications – SaaS Consoles & APIs
– Public Cloud - IaaS – Cloud Console & APIs
– Traditional Data Center – Mainframe, Windows, Linux, Unix, Networking; Enterprise Admin Tools
New Management Plane
Easier Access and Escalating Risks
Cybercrime
– Target – 70 million credit cards stolen
– Home Depot – 56 million credit cards stolen
– JP Morgan Chase – 76 million account records stolen
Material Impact to Operations
– CodeSpaces – forced out of business
– Sony Pictures – extensive disruption
– German Steel Mill – physical damage
– Saudi Aramco – physical systems damage and business disruption
Cyberespionage
– Anthem – 80 million personal records stolen
– Forbes.com and unidentified health insurer – targeted (defense contractors, government workers) information gathering of individual data
Economic Losses Are Staggering
Net Losses: Estimating the Global Loss of Cybercrime (Intel Security – June 2014):
“Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the annual cost to the global economy from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cybercrime and how quickly this risk can grow.”
$400 Billion – Global Losses from Cybercrime
$300 Billion – Global Drug Trafficking Revenue
$300 Billion – GDP of Singapore
$3 Trillion – Global Economic Impact of Cybercrime in 10 Years (McKinsey, World Economic Forum)
The Common Thread?
“Stealing and exploiting privileged accounts is a critical success factor for attackers in 100 percent of all advanced attacks, regardless of attack origin.”
– Cybersheath Security Report, May 2014
Privileged Account Management Facts
Privileged Accounts Exist Across Every Aspect of IT
Privileged Accounts Grow in Numbers Everyday
Existing Models of Managing Privileged Accounts Fall Short
Every Major Breach Has Involved A Privileged Account
Your Critically Valuable Privileged Accounts Are Targets!
Privileged Accounts: The Emerging Front Line
Threats (via the Internet): Hacker, Malware/APT
On Premise
– Employees/Partners: Systems Admins, Network Admins, DB Admins, Application Admins
– Partners: Systems/NW/DB/Application Admins
– Employees: Systems/NW/DB/Application Admins
Public Cloud
– Apps: VMware Administrator, AWS Administrator, Microsoft Office 365 Administrator
Organizations typically have 3-4x more Privileged Accounts and Credentials than Employees!
© Copyright 2014, Xceedium, Inc.
Top 10 List – Best Practices for Privileged Identity Management (May 2014)
1. On-Boarding/Off-Boarding Process
2. Least Privilege Everything
3. Strong Authentication
4. Separate Authentication from Access Control
5. Protect Privileged Account Credentials
6. Eliminate Anonymous Activity
7. Implement Extra Protections for Sensitive Assets
8. Alert/Respond to Attempted Policy Violations
9. Log and Record Everything
10. Mind the Virtualization Gap
#1 On/Off-Boarding Process
On-boarding
– Identity verification & background checks
– Entitlement management
– Credential/multi-factor authentication device issuance
– Approvals and workflow
– Certification/Attestation
Off-boarding
– Reliable
– Timely
– Complete
#2 Least Privilege
Least Privilege Everything
– Least device/system access
– Least functional access: Console, CLI, FTP, API
– Least command level: drop, telnet, reboot…
Zero Trust Model: start with no access, add layers/systems as needed, role-based
#3 Strong Authentication
Strong Multi-factor Authentication: OTP, Smart Card
Diagram – Integrated User Authentication: Roles; Network, Systems, Database, Virtual Credentials; CRL/OCSP Server, Active Directory, SaaS/IaaS; Password Safe
Federal Government Mandate
– OMB 11-11
– PPD 21
– PIV/CAC required for all administrative access
Commercial
– Best Practice for High Risk Environments
#4 Authentication ≠ Authorization
Old School
– Perimeter-based
– Hard-crunchy outside…
– Authentication was a proxy for Authorization
“Grass huts with steel doors…”
Separate authentication and authorization
– Authentication to the privileged identity management system establishes identity, only
– No intrinsic access to resources
– Authorization based on roles and responsibilities; enforced by PIM system
Diagram – Protected Environment: Servers, Databases, Network, Other Systems, SaaS/IaaS; Credential Safe; Enterprise Directory; AuthZ, FGA Control Command
#5 Protect Credentials
Privileged credentials and access are implicated in every attack
– Phishing
– Credential/Privilege misuse
– Stolen third-party credentials
– Default passwords
Control and manage credentials
– Encrypted storage and use
– Automated rotation and update
– One-time passwords
– Eliminate physical access via proxy
– Supported by backup and “break glass” capabilities
#6 Eliminate Anonymous Access
Shared administrative accounts are endemic across IT
– Administrative convenience
– Technology constraints (root, admin…)
Enables anonymous, unattributed access
– Easy to hide malicious activity
– Complicates troubleshooting and forensic examination
– Compliance/audit violations
Map individual user activity and access to shared accounts in logs and recordings
#7 Extra Protections
Cloud Environments
– Operational Risks
– Financial Risks
– Security Risks
Defense in Depth
– Strengthen legacy UID and password mechanism
– Key management
– Implement multi-factor authentication, biometrics
– Additional monitoring, audit of privileged user sessions w/ publication of results
– HSM for key protection – physical or virtual options
#8 Alert/Block Policy Violations
Alerts
– Warnings and reminders to individuals
– Events to SIEM/SOC
Proactive Controls
– Enforced White/Black Lists
– Enforced Limits on Permissions and Rights
– Interception of Prohibited Commands
– Session Termination
– Account Suspension
#9 Log & Record Everything
CERT Insider Threat Center: In more than 70% of the IP theft cases, insiders stole information within 30 days of announcing their resignation.
• RDP/Graphical Sessions
• Shell/CLI Sessions
• API Access
• Logging/SIEM/SOC
• Highlight attempted policy/access control violations
• Publish audit results
#10 Mind the API Gap
API-based access is a growing basis for DevOps
Rebuild/Replace rather than re-configure
Management APIs offer powerful capabilities, but:
– Shared keys/credentials
– Limited attribution
– Limited logging and recording
– All the access control issues of traditional user accounts
Requires dedicated capabilities for controlling, monitoring, and recording access; credential protection
Privilege: Core of the Breach Kill Chain
Diagram – Network Perimeter; EXTERNAL THREATS (Threat Actor), INTERNAL THREATS (Trusted Insider); stages: Gain/Expand Access; Lateral Movement, Reconnaissance; Elevate Privilege; Wreak Havoc; C&C, Data/IP Exfiltration
• Weak Authentication/Default Passwords
• Stolen/Compromised Credentials
• Poor Password/Key Management
• Shared Accounts/Lack of Attribution
• Authentication = Access Control
• No Limits on Lateral Movement
• No Limits on Commands
• Lack of Monitoring/Analysis
Break The Kill Chain: Strong Authentication
(Kill chain diagram as on the previous slide)
• Strong Authentication
• AD/LDAP Integration
• Multifactor Hardware/Software
• PIV/CAC Card Support
• SAML
• Login Restriction
– Origin IP
– Time of Day
Strong AuthN
Break The Kill Chain: Prevent Unauthorized Access
(Kill chain diagram as on the previous slides)
• Zero Trust – Deny All, Permit by Exception
• Role-Based Privileged User Access Limits
• Privileged User Single Sign on
• Command Filtering
• Leapfrog Prevention
• Proactive Policy Violation Prevention
Zero Trust Access
Break The Kill Chain: Improve Forensics, Deter Violations
(Kill chain diagram as on the previous slides)
• Continuous monitoring and logging
• Warnings, Session Termination, Alerts
• DVR-like recording and playback of sessions
• Activity Log Reporting
• Privileged Account Use Attribution
• SIEM/SYSLOG Analytics
Log, Deter
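The three Break The Kill Chain controls above (login restriction by origin IP and time of day, zero-trust role-based access with command filtering and leapfrog prevention, and attribution of shared-account use to the individual) in one added Python example. It is written for this page and is not code from the deck or from any CA product; every host, network, role and account name in it is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

LEAPFROG_CMDS = {"ssh", "telnet", "rdp", "scp"}  # verbs that would open a second hop from the target

@dataclass
class Role:
    targets: set          # hosts this role may reach; any other target is denied (permit by exception)
    shared_account: str   # shared account used on the target, e.g. "oradba"
    origin_nets: list     # source networks from which a login is accepted
    hours: tuple          # ("HH:MM", "HH:MM") time-of-day window for logins
    denied_commands: set  # command verbs the PIM proxy intercepts for this role

@dataclass
class Request:
    user: str             # the individual person behind the session, kept for attribution
    role: str
    target: str
    origin_ip: str
    at: str               # "HH:MM" wall-clock time of the request
    command: str

# Constructed sample policy: hosts, network and account names are hypothetical.
ROLES = {
    "db-admin": Role({"db01", "db02"}, "oradba", ["10.0.5.0/24"],
                     ("08:00", "18:00"), {"drop", "reboot"}),
}

def evaluate(req, roles, audit):
    """Deny by default. Returns 'permit' or 'deny:<reason>' and, either way, appends
    an event tying the person to the shared account, target and command they used."""
    role = roles.get(req.role)
    def decide(verdict):
        audit.append({"user": req.user, "as": role.shared_account if role else None,
                      "target": req.target, "command": req.command, "verdict": verdict})
        return verdict
    if role is None:
        return decide("deny:unknown-role")
    if req.target not in role.targets:
        return decide("deny:target-not-in-role")
    if not any(ip_address(req.origin_ip) in ip_network(n) for n in role.origin_nets):
        return decide("deny:origin-ip")
    start, end = (time.fromisoformat(h) for h in role.hours)
    if not start <= time.fromisoformat(req.at) <= end:
        return decide("deny:time-of-day")
    verb = req.command.split()[0].lower() if req.command.split() else ""
    if verb in LEAPFROG_CMDS:         # leapfrog prevention: no onward connection from the target
        return decide("deny:leapfrog")
    if verb in role.denied_commands:  # command filtering, e.g. drop/reboot from the deck
        return decide("deny:command-filter")
    return decide("permit")
```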
Privileged Access Management Maturity Levels
Ad hoc → Baseline → Managed → Advanced
Review – Redefine – Optimize
Privileged Access Management Focus Areas
Privileged Users/Shared Accounts
– root, oradba, sapadmin, cisco enable, Windows local admin, named admin accts, SaaS/IaaS admin accts
Service & Application Accounts
– COTS App Accounts, App Servers, DevOps Systems, Scheduled Tasks, Batch Jobs, Scripts
Activity Monitoring
– SIEM, Network Monitoring, Change Management, Session Recording, Analytics
Identity Management Integration
– CA Identity Suite, Oracle IAM, SailPoint, IBM ID Mgt
Fine Grained Tools
– CA PAM SC, Symantec CSP, Dell UPM, PowerBroker, ViewFinity
Privileged Access Management Maturity Model
Levels: Level 1 – Adhoc/Manual; Level 2 – Baseline; Level 3 – Managed; Level 4 – Advanced
Privileged User/Shared Accounts
– Level 1: Manual Controls for Priv. Accounts
– Level 2: Structured Controls, Basic Vault, Account Inventory, SDLC Integration
– Level 3: Credential Vault with RBAC, Central Password Policies, Account Discovery, MFA
– Level 4: Passwordless (SAML/OAUTH/TGS), Cloud/SaaS/SDN Integration, HSM Integration
Service & Application Accounts
– Level 1: Ad Hoc Application Account Management, Hard Coded Passwords
– Level 2: Manual Application Account Management
– Level 3: Centralized Application Account Management, Eliminate Hardcoded Passwords, REST API Integration
– Level 4: Governed Application Account Management, DevOps Integration
Monitoring & Threat Detection
– Level 1: Ad Hoc Audit & Controls
– Level 2: Activity Monitoring, Decentralized Activity Logging
– Level 3: SIEM Integration, Acct Attribution, SNMP Alerting, Session Recording
– Level 4: Dual Authorization, Meta-Data, Service Desk Integration, Analytics Integration
Identity Management Integration
– Level 1: Manual Process for Priv. Access
– Level 2: Automated Privileged Identity Mgmt.
– Level 3: Integrated Privileged Access Requests, Basic Governance
– Level 4: Fully Delegated Administration, Governed Privileged Access w/SoD
Fine-grained Controls/SoD
– Level 1: Open Source Tools and Scripts
– Level 2: Decentralized Tools (Silos)
– Level 3: Command Filtering, Restricted Shell, Leap Frog Prevention
– Level 4: Centrally Managed Kernel Interceptor with Cred Vault Integration
Critical Questions
Do you have an inventory of privileged accounts?
– Operational and Application…custom scripts?
Do you have a record of who has access to passwords?
How is access to privileged accounts granted?
Are privileged accounts included in the SDLC process?
– What about 3rd Party Developers and Contractors?
How often do you change privileged account passwords?
What is your process for changing privileged account passwords?
How do you track privileged account use?
How do you grant emergency access to privileged accounts?
Do you require a change ticket for privileged account use?
Is segregation of duties enforced on privileged accts?
Is there a certification process for privileged accounts?
How are new privileged accounts created?
How are privileged accounts retired?
Is MFA required to access privileged accounts?
Are any fine-grained controls in place to restrict the scope of privileged accts? If so, what are they and how are they managed?
How are cloud-based privileged accounts managed?
Is privileged account use monitored for suspicious activity, and throughout your hybrid enterprise?
Conclusions and Recommendations
Privileged identity must be a highly protected core asset (process & technology)
A Zero-Trust model should be adopted for all privileged access (including applications); some process re-engineering is a reasonable trade-off for the additional security and risk mitigation
Next generation PIM platforms will make this more manageable, but defense in depth is still required
Organizations need to employ Protection, Detection, and Response Frameworks specifically focused on Privileged Identities (and associated keys)
Tabish Tanzeem
Sr. Principal [email protected]
@TabishTanzeemCA
slideshare.net/CAInc
linkedin.com/pub/noam-dror/0/34b/82b/
ca.com/Security
Q&A