Post on 08-Jan-2017
CA World ’16
CA PAM for Hybrid Enterprises Deep Dive
Shawn W. Hank, Sr. Principal Consultant, Cybersecurity, CA Technologies, Inc.
SCX29E
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
For Informational Purposes Only: Terms of this Presentation
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
The earlier PAM for Hybrid Enterprises (SXC04E) session covered a broad set of CA PAM capabilities as it related to managing and controlling access to critical infrastructure and privileged accounts across the hybrid enterprise.
This deep dive session will expand on the earlier session and dig into the configuration and setup of some of these functions and features. Attendees will be able to learn about topics such as interacting with the PAM REST API, AWS support for target server discovery and import, the AWS API Proxy, VMware ESX/ESXi and NSX functionality, PAM Server Control and Single Sign On integration, as well as auto discovery of target servers and accounts, and Threat Analytics for PAM.
Shawn W. Hank, CA Technologies, Inc., Sr. Principal Consultant, Cybersecurity
Agenda
1. PAM REST APIs – A Primer
2. PAM & AWS
3. Threat Analytics for PAM
4. PAM & VMware ESX/ESXi/NSX
5. PAM as an IDP/RP or SP
6. PAM & PAM SC Integration
CA PAM’s REST API: A Primer
§ Reduce configuration, maintenance, and administration by taking advantage of APIs to configure Privileged Access.
– Yes, you can Point & Click via the UI, but why would you want to do that?
CA PAM’s REST API: Modes of Operation
§ Gets, Posts, Puts, Deletes
– Get existing object data from PAM
– Add/Create new objects
– Modify/Update existing objects
– Delete objects that are no longer needed
CA PAM’s REST API: A Few Ideas
§ Import a list of users and groups from a recent acquisition
§ Update the target servers that were recently refreshed in the data center
§ Find all policies for a specific user
§ Determine what group(s) a particular device belongs to.
CA PAM’s REST API – Example API Calls using Postman
CA PAM’s REST API – Example API Calls using PAW
CA PAM’s REST API – Example API Calls using a browser
CA Privileged Access Manager & AWS
CA PAM and AWS
IaaS support for the market leading IaaS provider
§ Federation via STS and SAML
§ SSO and Web Session Recording
§ Autodiscovery & auto import of devices
§ S3 Recording
Diagram: CA PAM AMI connected to AD/LDAP, Radius Server, PIV/CAC Revocation Server, ADFS Server and the AWS IAM Credential API; AWS Management Consoles and AWS Target Devices across Account 1 Region 1 Zone A, Account 2 Region 1 Zone C, Account 3 Region 3 Zone B, Account 4 Region 4 Zone D and Account 5 Region 1 Zone A.
AWS API Proxy
Roles Based Privileged Federated Access Control & Single Sign-On for Programmatic and Manual AWS API Access:
• Full Federated Credential Provisioning for access to the AWS Public, Government, and VPC Clouds
Separation of Duties for the AWS API Console Interface:
• Roles are enforced by a Central xAPI Policy Manager for all API Access
Full Audit Trail and Session Recording Across:
• All API access is recorded and logged by the xAPI Proxy Server
Diagram: US East 1 (zones US East 1a and US East 1b) with Public 1/Public 2 and Private 1/Private 2 subnets, AAP 1 and AAP 2 each backed by a MySQL DB Instance, Disposable Instances (Future), Amazon S3, Internet, Apps, and Splunk auditing API calls & responses.
CA Privileged Access Manager & VMware ESX/ESXi/NSX
PAM & VMware ESX/ESXi
§ Auto-Discovery & provisioning Guest VMs & Groups via API
§ Roles Based Privileged Access Control & Single Sign-On
§ Separation of Duties for vCenter Console
§ Full Audit Trail & Session Recording
§ Password & Access Key Management
§ Strong Authorization & Attributed Use
Diagram: Privileged Users and the Enterprise Directory in front of CA PAM (physical) or the CA PAM OVA, which brokers access to the vCenter Console and the ESX/ESXi Hypervisor hosting Guest VMs or Groups.
CA PAM – VMware Configuration
§ Config – 3rd Party
§ VMware vCenter (vSphere)
§ Support multiple vCenter instances
§ Local/RADIUS/TACACS/LDAP/AD integration for authentication to vSphere Web or vCenter Client
CA Privileged Access Manager for VMware NSX: Capability Summary
Credentials Management
§ Vaulting and full lifecycle management of passwords and SSH access keys
§ NSX-based resources, NSX Manager and API, other enterprise resources
Federated SSO
§ TACACS+, AD/LDAP, RADIUS, RSA, SMS Mobile Token, SAML, PIV/CAC
§ VMware vSphere®, NSX APIs, VMware® NSX Manager™, other physical/virtual resources across enterprise
Access Policy Enforcement
§ Integrated with NSX Manager; Service Composer service insertion
§ Dynamic application of access control policies based on NSX security policies
§ Enforced via NSX micro-segmentation
Access Policy Enforcement
§ Complete logs and full session recording
§ All access to NSX resources including NSX Manager and API
CA PAM for VMware NSX – NSX Manager REST API Proxy
Closing the “API Loop” to the NSX management plane
The last mile for full NSX Manager administration visibility
§ Users and scripts talk to the Proxy, not to NSX Manager, with different credentials, which may rotate on a policy or schedule
§ CA PAM vaults – and rotates – the NSX Manager credentials
§ Integrates with Application to Application (A2A)
Diagram: Consumer → NSX Manager API Proxy (NAP) → NSX Manager, with A-side and Z-side request/response legs; the proxy exchanges Logs, A2A Requests and Change Password operations with CA Privileged Access Manager.
CA PAM for VMware NSX – Access Restrictor
Automatic, runtime, ephemeral Distributed Firewall Rules maintained by CA PAM
DFW Rules added and removed on-demand
§ Rules added when connections are opened and removed when closed
§ Removes the human element and potential for error
§ Enables a highly-secure “deny all” environment where exceptions are forced through CA PAM and only CA PAM may access protected resources
Diagram: Client/User → CA Privileged Access Manager → Target VM, with CA PAM driving the DFW through NSX Manager.
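As an added illustration of the deny-all model above (this is not CA PAM’s or NSX’s own code): a simulated distributed firewall in which an allow rule exists only for the lifetime of a brokered session and is removed even when the session handler fails, so a crash cannot leave a standing exception behind. All addresses, ports and the rule format are assumptions.

```python
# Added illustrative model, not CA PAM or NSX code: a default-deny distributed
# firewall whose allow rules live only as long as the brokered session that
# needs them. Addresses, ports and the rule format are constructed.
from collections import namedtuple
from contextlib import contextmanager

Rule = namedtuple("Rule", "src dst port")  # src = PAM broker address, never the end user


class DistributedFirewall:
    """Deny-all DFW: a flow passes only while an explicit allow rule exists."""

    def __init__(self):
        self.rules = set()
        self.audit = []   # every add/remove is logged for later review

    def add_rule(self, rule):
        self.rules.add(rule)
        self.audit.append(f"add {rule.src}->{rule.dst}:{rule.port}")

    def remove_rule(self, rule):
        self.rules.discard(rule)
        self.audit.append(f"remove {rule.src}->{rule.dst}:{rule.port}")

    def allows(self, src, dst, port):
        return Rule(src, dst, port) in self.rules


@contextmanager
def brokered_session(dfw, broker, target, port):
    """Add the rule when the session opens and remove it when it closes; the
    finally block means a crashed session handler cannot orphan a rule."""
    rule = Rule(broker, target, port)
    dfw.add_rule(rule)
    try:
        yield rule
    finally:
        dfw.remove_rule(rule)


def demo(crash=False):
    """Returns (allowed during session, allowed for a host bypassing the
    broker, allowed after session, audit trail)."""
    dfw = DistributedFirewall()
    try:
        with brokered_session(dfw, "10.0.0.5", "10.0.1.20", 22):
            during = dfw.allows("10.0.0.5", "10.0.1.20", 22)
            direct = dfw.allows("10.0.0.99", "10.0.1.20", 22)  # user's own host
            if crash:
                raise RuntimeError("session handler failed")
    except RuntimeError:
        pass
    return during, direct, dfw.allows("10.0.0.5", "10.0.1.20", 22), dfw.audit
```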
CA PAM for VMware NSX – Dynamic Tagging and Grouping
Synchronize CA PAM policies with changes in the NSX security posture
CA PAM Policy in lockstep with NSX Security Tags and Groups
§ NSX Security Tags and Groups synced with CA PAM and tied to Policies
§ As VMs enter/leave NSX Security Groups, CA PAM Access is provisioned/removed
Diagram: VMware vCenter VM Network and NSX Manager kept in sync with CA Privileged Access Manager.
CA PAM for VMware NSX – Service Composer Integration
Trigger events in CA PAM via NSX Service Composer workflows
Deep integration with Service Composer
§ As VMs enter or leave NSX Security Groups, CA PAM will:
- Enable or disable session recording
- Terminate sessions
- Force CA PAM session re-authentication
Diagram: an Admin applies a tag in VMware vCenter; NSX Manager and an NSX Partner Ecosystem Product relay it to CA Privileged Access Manager, which enables/disables session recording, terminates sessions or forces Xsuite re-authentication for the user session.
CA Privileged Access Manager & Single Sign On
PAM & SSO with CA Single Sign-On: RP/SP to an Upstream IDP using an on-prem IDP
§ Integration with CA Single Sign-On by enabling CA SSO as the identity provider
§ Existing CA SSO policies dynamically evaluated to determine who gets access
§ Optional Just-in-Time provisioning features
Identity Suite – Provisioning Connector for CA PAM
Extensive connector:
– PAM Accounts (local and remote)
– Roles
– Groups
– Policies
– Devices & Device Groups
Access Request for PAM
PAM & SSO with CA Identity Service: RP/SP to an Upstream IDP using a SaaS-based IDP
Control & Manage Cloud Identity Sprawl
Enable rule-based provisioning and identity lifecycle automation
§ Rule-based provisioning, de-provisioning and entitlement assignment
§ Automated identity lifecycle management as people join, move or leave
§ Extensible and API driven identity lifecycle management
CA PAM as an RP/SP With CA Identity Service as the Upstream IDP
SaaS-First & Hybrid Deployment Models: Leverage existing on-premises IAM investments
Diagram: CA Identity Service provides Single Sign-on, Authentication (SaaS-first model), User provisioning & de-provisioning, and Rogue and orphan account detection and remediation for SaaS Apps; CA Single Sign-On provides Authentication (Hybrid model) and Single Sign-on for On-premises apps; a People source is optional.
CA PAM as an IDP: Threat Analytics Integration, but will work for any Service Provider
CA PAM as an IDP – Configure SP: Apply all necessary SAML SSO Attributes as required by the target
CA Privileged Access Manager & PAM Server Control
The CA Solution Portfolio: Identity Suite, Identity Service, PAM & PAM SC
DEFENSE IN DEPTH
CA Identity Suite
§ Access requests
§ Certification
§ Risk analytics
IDENTITY-BASED SECURITY: CA Privileged Access Manager
§ Strong authentication, including MFA
§ Credential management
§ Policy-based, least privilege access control
§ Command filtering
§ Session recording, auditing, attribution
§ Application password management
§ Comprehensive, hybrid enterprise protection
§ Self-contained, hardened appliance
HOST-BASED SECURITY: CA Privileged Access Manager Server Control
§ In-depth protection for critical servers
§ Highly-granular access controls
§ Segregated duties of super-users
§ Controlled access to system resources such as files, folders, processes and registries
§ Secured Task Delegation (sudo)
§ Enforce Trusted Computing Base
Threat Analytics for PAM: Super-Charging PAM! Domain-specific analytics to defend against real world attacks
Detect
Compromised identity – Identities compromised by attacks that include:
§ Phishing
§ Weak passwords
§ Malware
§ Compromised devices
§ Man-in-the-middle
High-risk insider activity & threat – Authorized user actions that pose serious risks:
§ Contractors
§ Partners
§ Policy violators
§ Disgruntled and departing employees
Insight and incident response support – Blind spots in how systems are used. Need quick responses to incidents and SOC inquiries:
§ Identify users and risky activity associated with IP, devices, data assets
Mitigate
Automatically trigger mitigations
§ Automated session recording
§ Re-authentication
§ Alerting
§ Reporting and insight into system use and risk
Results
§ Breach prevention
§ Operational insights
§ Improved compliance
Overseas Contractor Use Case: Insider Threat Detection and Mitigation
Continuous monitoring and analysis of access enables:
§ Monitoring access for all users, including Bangalore-based contractors authorized to use shared database and server accounts
§ Identifying highly unusual session activities of an individual overseas developer that include:
- Unusual session activities and lengths based on individual and other enterprise users
- Access to large number of sensitive systems, many for the first time
- Remote Desktop Protocol access to a high-risk PCI server
This behavior poses high risk and is not consistent with past actions of the user or the enterprise.
§ Threat Analytics for Privileged Access Manager automatically triggers session recording for review
§ Admin generates incident report for compliance officer/SOC
Result: Successful detection and mitigation of insider threat
Diagram: Overseas contractors → Privileged Access Manager → PCI server; Threat Analytics for PAM continuously monitors activity in the background, high-risk session behavior is detected, session recording is automatically initiated, and an incident report goes to the compliance officer or SOC.
Incident Response Use Case: PAM Admin closes the door on attackers
Enterprise SOC investigation of a high priority incident & wants to know: “What information can the PAM Admin provide to assist?”
Using the IP address provided by the SOC – the PAM admin can search BA for PAM and quickly:
- Identify all users associated with the IP address
- Inspect access and activities of the most suspicious user
- Provide IR team with identity of the suspicious user
- Navigate to Insight page to get all dormant accounts to provide to IR team also
Threat Analytics’ ability to correlate access activity, IP addresses, sessions, and risk provides immediate value to investigations.
§ To mitigate future attacks, PAM admin adds the suspicious IP address as threat intelligence to BA for PAM. Future activity is then automatically detected and analyzed.
§ PAM admin configures BA for PAM to send automated alerts to SIEM when any activity related to a suspicious IP is detected
Result: BA for PAM provides immediate value to incident response efforts and closes the door on future attacks.
Diagram: IR Team asks “Can you help…. attack from 193.105.219.210?!”; Threat Analytics for PAM continuously monitors activity, returns immediate insight regarding users, activity, risk, etc., uses the threat intel to proactively address future threats, and sends automated alerts to SIEM/SOC.
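The triage steps on this slide, as an added example that is not BA for PAM or CA PAM code: constructed PAM session records are searched by the IP the SOC supplied, the user reaching the most distinct targets from that address is singled out, dormant accounts are listed, and the address is turned into a watchlist that produces SIEM alert lines. The record layout, user and device names, the other addresses and the 30-day dormancy window are assumptions.

```python
# Added example, not BA for PAM or CA PAM code: the triage steps from the
# slide run over constructed session records. Record layout, user names,
# addresses and the 30-day dormancy threshold are assumptions.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# constructed PAM session log: (user, source ip, target device, start time)
SESSIONS = [
    ("alice", "10.1.1.7",        "db-prod-01", "2016-11-10T09:05:00"),
    ("bob",   "193.105.219.210", "db-prod-01", "2016-11-12T02:14:00"),
    ("bob",   "193.105.219.210", "pci-app-03", "2016-11-12T02:31:00"),
    ("bob",   "193.105.219.210", "dc-core-02", "2016-11-12T02:40:00"),
    ("carol", "193.105.219.210", "jump-01",    "2016-11-12T03:00:00"),
    ("carol", "10.1.1.9",        "jump-01",    "2016-11-01T11:00:00"),
    ("dave",  "10.1.1.12",       "db-prod-01", "2016-09-20T08:00:00"),
]
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "svc-backup"}


def users_for_ip(ip, sessions=SESSIONS):
    """Step 1: every user seen from the IP the SOC supplied."""
    return sorted({u for u, src, _, _ in sessions if src == ip})


def most_suspicious_user(ip, sessions=SESSIONS):
    """Step 2: among those users, the one reaching the most distinct targets
    from that IP, tie-broken by session count (None if the IP is unseen)."""
    targets, count = defaultdict(set), Counter()
    for u, src, tgt, _ in sessions:
        if src == ip:
            targets[u].add(tgt)
            count[u] += 1
    return max(targets, key=lambda u: (len(targets[u]), count[u]), default=None)


def dormant_accounts(now, days=30, sessions=SESSIONS, accounts=KNOWN_ACCOUNTS):
    """Step 4: accounts with no session inside the window, never-used ones too."""
    last = {}
    for u, _, _, ts in sessions:
        t = datetime.fromisoformat(ts)
        last[u] = max(last.get(u, t), t)
    cutoff = datetime.fromisoformat(now) - timedelta(days=days)
    return sorted(a for a in accounts if a not in last or last[a] < cutoff)


def siem_alerts(watchlist, sessions=SESSIONS):
    """Mitigation: once the IP is added as threat intel, every session from a
    watchlisted address becomes an alert line for the SIEM."""
    return [f"ALERT user={u} src={src} target={tgt} at={ts}"
            for u, src, tgt, ts in sessions if src in watchlist]
```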
Analytics and Intelligent Controls
Threat Analytics for PAM
Solution summary
§ Offers an add-on that supercharges existing Privileged Access Manager capabilities
§ Enables automated detection, mitigation and alerting for critical threats
§ Easy deployment: Deploys as a single virtual machine; no special skills or significant effort required
§ Quick to provide value: Immediately delivers compelling user experience with human-understandable risk and insights
Advanced Analytics & Automated Mitigation
§ Automatically establishes normal operating profiles for users and enterprise based on observed behavior
§ Uses historic and real-time activity to assess context and analyze risk
§ Provides meaningful insight regarding user and system activities
§ Triggers risk mitigations and controls including triggering session recording
Summary
PAM for Hybrid Enterprises Deep Dive: As you can see, there is a lot more to PAM than meets the eye!
From functioning as its own Privileged User IDP, to proxying API calls in order to audit applications, to detecting and mitigating activities via Threat Analytics, CA PAM provides a host of capabilities that extend the standard Privileged User and Privileged Identity functions.
If you’d like to have further discussions, simply contact your CA Account team and we can set up a session to dig into any of these topics at greater depth.
Recommended Sessions
SESSION # | TITLE                    | DATE/TIME
SCX15E    | Meet the PAM Team Q&A    | 11/14/2016 at 11:00am
SCT41T    | PAM Maturity Model       | 11/16/2016 at 1:45pm
SCT05T    | Threat Analytics for PAM | 11/17/2016 at 4:30pm
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
We want to hear from you!
§ IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.
§ ITCS staff will be at most sessions. If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
§ Only takes 5-7 mins
§ You have total control over the review
§ It can be anonymous, if required