Chad Froomkin (CyberArk) - The New Cyber Battleground

The New Cyber Battleground: Inside Your Network
Chad Froomkin, Major Account Executive, Southeast
Why are we here?
• 90% of organizations breached
• 59% of organizations breached more than once
• $3,500,000 average cost per incident to investigate and remediate
Source: Ponemon Institute, Cost of Data Breach: Global Analysis, 2014
Sources: Cisco Talos, Deloitte Financial Advisory Service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
The new cyber battleground: Inside your network
Over 90% of organizations have been breached
• In the past: “I can stop everything at the perimeter”
• Today: “I can’t stop anything at the perimeter”
Information security focus shifts to inside the network
• Over 35% of breaches are internal – driven by malicious and unintentional insiders
• Compromised credentials empower any attacker to act as an insider
Compliance and audit requirements focus on privileged accounts
• Privileged accounts provide access to the most sensitive and valuable assets
• Information exposure damages brand reputation and customer confidence
What do we know?
• 54% of compromised systems contained malware
• 94% of breaches are reported by third parties
• 243: median number of days advanced attackers are on the network before being detected
• 100% of breaches involved stolen credentials
“We have to assume we have already been breached”
Brian Krebs (Krebs on Security)
Source: Mandiant, M-Trends and APT1 Report, 2014
Privileged accounts are targeted in all advanced attacks
“…100% of breaches involved stolen credentials.”
Mandiant, M-Trends and APT1 Report, 2014
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”
Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014
“…that’s how I know I’m dealing with a sophisticated adversary… if they are targeting privileged accounts, I’ve got a serious APT problem…”
CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013
Perimeter defenses are consistently breached
• Over $28 billion spent on IT security in 2014
• Over 90% of organizations breached
Sources: Cisco Talos, Deloitte Financial Advisory Service, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
Privileged Account Security: now a critical security layer
Privilege is at the center of the attack lifecycle
[Figure: Typical Lifecycle of a Cyber Attack]
Scope of the privileged account “attack surface” is underestimated
[Chart: “In your estimation, how many privileged accounts are there in your organization?” Answer bands: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,001+, Don't know; y-axis 0-35% of respondents]
Source: CyberArk Privileged Account Security & Compliance Survey, 2014 (enterprises > 5,000 employees)
Many organizations only use partial measures
[Chart: “How do you monitor or record privileged account activity?” Answer options: paper-based, homegrown software, IAM solutions, PIM software, SIEMs, DAM, other; y-axis 0-28% of respondents. A second panel, “Do you monitor and record privileged activity?”, shows a 72% / 28% split]
Source: CyberArk Privileged Account Security & Compliance Survey, 2014
Privileged accounts create a HUGE attack surface
• Privileged accounts exist in every connected device, database, application, industrial controller and more
• Typically a ~3X ratio of privileged accounts to employees
What, Where & Why of Privileged Accounts

Elevated personal accounts
• What: personal accounts with elevated permissions
• Used by: IT staff, developers, social media managers, any employee
• Used for: privileged operations, access to sensitive information
• Scope: web sites, cloud providers

Shared privileged accounts (all powerful)
• What: UNIX root, Windows Administrator and Local Administrators, Cisco Enable, Oracle SYS, ERP admin; emergency, fire-call and disaster recovery accounts
• Used by: sys admins/net admins, DBAs, help desk, IT staff
• Used for: privileged operations, access to sensitive information

Application accounts (App2App)
• What: hard-coded/embedded App IDs, service accounts, Windows Services, scheduled tasks, batch jobs, legacy applications, applications/scripts
• Used by: applications/scripts, developers
• Used for: online database access, batch processing, app-to-app communication

All three classes are difficult to control, manage and monitor, and pose devastating risk if misused.
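The application-account row above names the hardest case to see: credentials embedded in source, scripts and connection strings. The block below is an added example, not CyberArk code and not from the original deck: a small scanner for the most common embedded-credential shapes, beside the hardened pattern of reading the secret at run time. The regexes, the two sample snippets and the DB_PASSWORD environment variable are constructed assumptions; a production scanner would carry a much broader rule set.

```python
"""Finding and removing hard-coded application credentials (added example)."""
import os
import re
from typing import List, Mapping, Tuple

# Assumed detection rules for the three shapes a credential usually takes in source.
PATTERNS = {
    "password literal": re.compile(r"""(?i)(password|passwd|pwd|secret)\s*[=:]\s*['"][^'"]{4,}['"]"""),
    "connection string password": re.compile(r"""(?i)(password|pwd)=[^;'"\s]{4,};"""),
    "credentials in URL": re.compile(r"""(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"""),
}


def scan_source(text: str, path: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, rule name) for every line that looks like it embeds a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, name))
    return findings


# Constructed 'before' snippet: three secrets live in the source tree.
VULNERABLE_SNIPPET = '''\
db_password = "Winter2014!"
conn = "Server=db01;Database=erp;User Id=erp_app;Password=Winter2014!;"
ci_url = "https://deploy:Hunter2@ci.example.internal/api"
'''

# Constructed 'after' snippet: the secret is injected at run time and never committed.
HARDENED_SNIPPET = '''\
import os
password = os.environ["DB_PASSWORD"]
conn = connect(server="db01", user="erp_app", password=password)
'''


def get_runtime_secret(name: str, environ: Mapping[str, str] = os.environ) -> str:
    """Read a secret provided at run time (vault agent, CI secret store or similar).
    Fail closed: no default value, no silent fallback to an empty password."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"secret {name} was not provided at run time")
    return value


def secret_is_available(name: str, environ: Mapping[str, str] = os.environ) -> bool:
    """True if the secret can be retrieved, False if the run-time source is missing it."""
    try:
        get_runtime_secret(name, environ)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    for path, lineno, rule in scan_source(VULNERABLE_SNIPPET, "app_before.py"):
        print(f"{path}:{lineno}: {rule}")
    print("hardened snippet findings:", scan_source(HARDENED_SNIPPET, "app_after.py"))
    print("secret available from a vault-style environment:",
          secret_is_available("DB_PASSWORD", {"DB_PASSWORD": "from-vault"}))
```

Run the scanner in CI against every repository that owns an application account; a hit on the "before" shape should fail the build, and the application should start only when `get_runtime_secret` succeeds.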
Telecom breaches draw attention to insider access issues
▪ August 2014: a global top 5 telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information.
“We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number”
▪ Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.
Chinese hack U.S. weather systems & satellite network
▪ October 2014: a federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services.
▪ Post-breach security testing discovered multiple weaknesses:
  ■ “Weak or default passwords and operating system vulnerabilities with well documented exploits”
  ■ Significant problems with remote access
  ■ Assessment results lacked supporting evidence: a lack of audit logs
The framework of a retail breach
1) Access via a compromised 3rd-party account
2) Escalation of privileges, for example via Pass-the-Hash
3) Once the necessary privileges are obtained, install malware on POS systems
4) Install remote administration tools
5) Goal: exfiltrate data
The Privileged Account Security maturity model
• Baseline maturity: discover and control
• Medium maturity: manage and monitor
• High maturity: expand scope and automate

1) Baseline maturity: discover and control
• Inventory the privileged accounts
• Limit standard user accounts
• Establish on- and offboarding processes
• Remove non-expiring passwords
• Securely store passwords
• Ensure attribution

2) Medium maturity: manage and monitor
• Schedule password changes
• Utilize one-time passwords
• Implement session recording
• Prevent human usage of service accounts
• Control application accounts
• Detect anomalies

3) High maturity: expand scope and automate
• Use multi-factor authentication
• Replace all hard-coded passwords in applications
• Employ next-generation jump-servers
• Implement approval and monitoring workflows
• Proactively detect malicious behavior
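Several of the baseline and medium steps above (inventory, remove non-expiring passwords, ensure attribution, schedule changes, keep humans off service accounts) reduce to checks that can be run over an account inventory. The block below is an added example, not CyberArk code and not from the deck: it audits a constructed inventory against those steps and, because the retail breach chain earlier in the deck escalates via Pass-the-Hash, also groups accounts that share a password hash across hosts. The Account fields, the 90-day rotation policy, the account names, hosts and placeholder hash strings are all assumptions.

```python
"""Privileged-account inventory audit for the baseline/medium maturity steps (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

ROTATION_MAX_AGE = timedelta(days=90)  # assumed rotation policy


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                        # "personal", "shared" or "service" (assumed taxonomy)
    host: str                        # where the account lives
    password_last_set: date
    password_never_expires: bool
    interactive_logon_allowed: bool
    nt_hash: str                     # constructed placeholder, not a real hash
    owner: Optional[str] = None      # person accountable for a shared/service account


# Constructed sample inventory: names, hosts and hashes are made up.
SAMPLE_ACCOUNTS = [
    Account("jdoe-adm", "personal", "dc01", date(2014, 10, 1), False, True, "hash-a1", "jdoe"),
    Account("svc_backup", "service", "srv-files", date(2012, 3, 1), True, True, "hash-b2"),
    Account("oracle_sys_prod", "shared", "db01", date(2014, 9, 1), False, True, "hash-c3", "dba-team"),
    Account("Administrator", "shared", "ws01", date(2013, 1, 15), False, True, "hash-d4"),
    Account("Administrator", "shared", "ws02", date(2013, 1, 15), False, True, "hash-d4"),
    Account("Administrator", "shared", "ws03", date(2013, 1, 15), False, True, "hash-d4"),
]


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account@host, finding) pairs for every maturity-step violation."""
    findings = []
    for a in accounts:
        label = f"{a.name}@{a.host}"
        if a.password_never_expires:                       # "remove non-expiring passwords"
            findings.append((label, "non-expiring password"))
        if today - a.password_last_set > ROTATION_MAX_AGE:   # "schedule password changes"
            findings.append((label, "password older than rotation policy"))
        if a.kind in ("shared", "service") and not a.owner:  # "ensure attribution"
            findings.append((label, "no accountable owner (attribution gap)"))
        if a.kind == "service" and a.interactive_logon_allowed:  # "prevent human usage of service accounts"
            findings.append((label, "service account permits interactive logon"))
    return findings


def reused_hashes(accounts: List[Account]) -> Dict[str, List[str]]:
    """Group accounts by password hash. Any group larger than one means a single
    stolen hash unlocks several hosts, which is what makes Pass-the-Hash pay off."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        groups[a.nt_hash].append(f"{a.name}@{a.host}")
    return {h: names for h, names in groups.items() if len(names) > 1}


def run_audit(today: date = date(2014, 11, 15)) -> List[Tuple[str, str]]:
    """Audit the constructed sample inventory as of an assumed date."""
    return audit(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for label, finding in run_audit():
        print(f"{label}: {finding}")
    for h, names in reused_hashes(SAMPLE_ACCOUNTS).items():
        print(f"hash {h} shared by {', '.join(names)}")
```

On the sample data the service account trips every rule at once, and the three workstation Administrator accounts show up both as unowned, stale shared accounts and as one hash reused across three hosts; the fix for the latter is per-host local admin passwords, which is exactly what the "schedule password changes" step automates.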
Critical steps to stopping advanced threats
• Discover all of your privileged accounts
• Protect and manage privileged account credentials
• Control, isolate and monitor privileged access to servers and databases
• Use real-time privileged account intelligence to detect and respond to in-progress attacks
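The last step above, and the "detect anomalies" and "proactively detect malicious behavior" items in the maturity model, come down to rules run over privileged logon events. The block below is an added example, not CyberArk detection content and not from the deck: three common heuristics applied to constructed Windows 4624-style logon records, covering human use of a service account, a privileged account arriving from a host outside its baseline, and one account fanning out over NTLM network logons the way the retail breach chain's escalation and POS compromise would look. The event records, host names, the "svc_" naming convention, the per-account baseline of allowed source hosts, and the 10-minute / 3-host threshold are all assumptions to be tuned per environment.

```python
"""Privileged-logon anomaly rules over 4624-style events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

INTERACTIVE_LOGON_TYPES = {2, 10}       # 2 = console, 10 = RemoteInteractive (RDP)
NETWORK_LOGON_TYPE = 3
LATERAL_WINDOW = timedelta(minutes=10)  # assumed tuning
LATERAL_HOST_THRESHOLD = 3              # assumed tuning

# Assumed baseline: each privileged account may originate only from these hosts.
BASELINE_SOURCES: Dict[str, Set[str]] = {
    "adm_alice": {"jump01"},
    "adm_bob": {"jump01"},
}

# Constructed sample events: (timestamp, account, logon type, auth package, source host, target host).
SAMPLE_EVENTS = [
    (datetime(2014, 11, 15, 9, 0), "svc_backup", 10, "Kerberos", "ws-jdoe", "srv-files"),
    (datetime(2014, 11, 15, 9, 5), "adm_alice", 10, "Kerberos", "jump01", "db01"),
    (datetime(2014, 11, 15, 9, 7), "adm_alice", 10, "Kerberos", "ws-vendor", "db01"),
    (datetime(2014, 11, 15, 11, 0), "adm_bob", 3, "NTLM", "ws-pos-17", "pos-01"),
    (datetime(2014, 11, 15, 11, 1), "adm_bob", 3, "NTLM", "ws-pos-17", "pos-02"),
    (datetime(2014, 11, 15, 11, 3), "adm_bob", 3, "NTLM", "ws-pos-17", "pos-03"),
    (datetime(2014, 11, 15, 11, 4), "adm_bob", 3, "NTLM", "ws-pos-17", "pos-04"),
    (datetime(2014, 11, 15, 14, 0), "adm_bob", 10, "Kerberos", "jump01", "db01"),
]

Event = Tuple[datetime, str, int, str, str, str]
Alert = Tuple[str, str, str]  # (rule, account, detail)


def is_service_account(name: str) -> bool:
    return name.startswith("svc_")  # assumed naming convention


def detect(events: Iterable[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    seen_sources: Set[Tuple[str, str]] = set()
    ntlm_network: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, ltype, pkg, src, dst in sorted(events):
        # Rule 1: a service account should never be driven by a human session.
        if is_service_account(account) and ltype in INTERACTIVE_LOGON_TYPES:
            alerts.append(("service-account-interactive", account, f"type {ltype} from {src} to {dst}"))
        # Rule 2: a privileged account used from a host outside its baseline (one alert per account/source).
        if account in BASELINE_SOURCES and src not in BASELINE_SOURCES[account]:
            if (account, src) not in seen_sources:
                seen_sources.add((account, src))
                alerts.append(("privileged-logon-unexpected-source", account, f"from {src} to {dst}"))
        if ltype == NETWORK_LOGON_TYPE and pkg == "NTLM":
            ntlm_network[account].append((ts, dst))
    # Rule 3: one account reaching many hosts over NTLM network logons inside a short window,
    # the shape a Pass-the-Hash spread across POS hosts leaves behind.
    for account, hits in ntlm_network.items():
        for i, (ts, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - ts <= LATERAL_WINDOW}
            if len(hosts) >= LATERAL_HOST_THRESHOLD:
                alerts.append(("ntlm-fan-out", account,
                               f"{len(hosts)} hosts within {LATERAL_WINDOW}: {', '.join(sorted(hosts))}"))
                break
    return alerts


def run_detection() -> List[Alert]:
    """Apply the three rules to the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, account, detail in run_detection():
        print(f"[{rule}] {account}: {detail}")
```

Rule 3 is deliberately blind to the legitimate 14:00 logon from the jump host, and rule 2 fires once per account/source pair rather than once per event so that a scan of forty POS hosts produces one ticket, not forty.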
Enterprise account usage today

Where privileged accounts are used: Windows Servers, Unix/Linux Servers, Virtual Servers, iSeries Mainframes, zSeries Mainframe, Databases, Applications, Business Applications, Network Devices, Security Appliances, Websites & Web Apps.

Who asks for privileged access: Windows Admins, Unix Admins, DBAs, VM Admins, External Vendors, Auditor/Security & Risk.

Typical requests:
• “I need the password to map a drive”
• “I need my service provider to connect remotely with root”
• “I just need root to patch a database”
• “I have this script that needs to run as root every night”
• From the auditor: “What are your root entitlements, who used it, when did they use it and why?”
Requirements for an effective Privileged Account Security solution
• Granular privileged access controls
• Privileged user access controls
• Protecting and isolating sensitive assets
• Application identity controls
• Privileged activity monitoring
Break the attack chain!
DNA - Discovery & Audit
• Discover where your privileged accounts exist
• Clearly assess privileged account security risks
• Identify all privileged passwords, SSH keys, and password hashes
• Collect reliable and comprehensive audit information
The CyberArk Team:
• Chad Froomkin – Major Account Executive, Southeast: NC/SC/TN, (770) 322-4201, Chad.Froomkin@cyberark.com
• Doug Brecher – Internal Account Executive, Southeast, (617) 796-3264, Doug.Brecher@cyberark.com