3 TIPS TO REVEALING HIDDEN SECURITY RISKS WITH BEHAVIOR ANALYTICS
www.secureanchor.com
Secure Anchor is All Cyber Defense, All of the Time
PREVENT – DETECT - RESPOND
If you have not detected an attack/compromise in the last 6 months, it is not because it is not happening – it is because you are not looking in the right areas…
You are either hunting or being hunted
Security MUST be focused on
minimizing the impact and controlling
the damage
Two key metrics are:
DWELL TIME
LATERAL MOVEMENT
PREVENTION IS IDEAL BUT
DETECTION IS A MUST
Insiders Are Responsible for 90% of Security Incidents *
Malicious
∙ Fraud/Data Theft
∙ Inappropriate access
∙ Disgruntled employee
Unintentional
∙ Misuse of systems
∙ Log-in/log-out failures
∙ Cloud storage
(chart: 71% / 29% split between the two categories)
* Verizon 2015 Data Breach Investigations Report
* Kaspersky Lab 2016 Security Risks Special Report
Are You Focused on the Correct Area?
Insiders: Excessive Privileges
Shared Privileged Access Credentials
• Several admins / common credentials
• Lack of accountability
• Compliance (e.g., SOX, HIPAA, GLBA, PCI)
• Maintenance for routine changes / turnover
• Amplified threats from disgruntled insiders
Password Security
• Strength / storage issues
• Communications with administrators
• Routine changes
Need for Dual Control
• Production, critical or sensitive systems
• Compliance requirements (developer or administrative access to production systems)
Security of Embedded Passwords
• Passwords hardcoded & passed in code or scripts
• Difficult to change / maintain compliance
External Attackers: Vulnerabilities
System or Network Availability
• Operational impacts (performance and downtime) from malware (Heartbleed, Shellshock, POODLE, GHOST, etc.)
Data Overload
• Easy to find
• Hard to fix
Cost of Remediation
Security
• Unauthorized assets on network
• Default or weak passwords
• Inadequate network access controls
• Unauthorized access
• Unauthorized website changes and defacements
THE EVOLVING THREAT ENVIRONMENT
Most (2/3) don’t know they’ve been attacked
Present for over 200 days before detected
Too easy to successfully attack most companies
• Phishing – High percentage can be socially engineered to click
• Popular sites (water holes) infected
• Most client systems have several known vulnerabilities
• Some attacks leverage non-publicized vulnerabilities
• Once inside undetected, lateral expansion occurs seeking privileged access to key systems often without need to exploit a vulnerability
Expanding target base and content
• No longer limited to defense, financial, large F100 companies
• Includes small, medium sized businesses where controls are lacking
• Thefts - far beyond specific product IP to business plans and how it operates
Sophisticated attack methods / tools - mostly not needed
• Leverages off-the-shelf malware but with variations
• 70% of attacks use standard malware but have unique signatures
COMMON PITFALLS
Trying to protect IP without business sponsorship
• Owners of information must be accountable and take lead to protect information
• Security can help with tools, best control practices, awareness
Thinking technical controls address most issues
• Most large risk management programs require a holistic approach (e.g., 7 steps to effective compliance)
• Governance (oversight), corporate policies
• Employee education and awareness
• Leadership from key groups (Business, Research, Manufacturing, Legal, HR, IT, …)
• Monitoring, response to incidents, enforcement, and assessments
Trying to lead vulnerability management from Security
• IT Operations are accountable for the security of systems under their management
• Security can help with tools, communications and metrics
Trying to implement too many tools
• Very challenging to introduce another console or agent
• Look at the overall security framework / architecture and define key control solutions
• Look for synergies & integration between tools (some can provide additional benefits)
To defend against an adversary you must understand how the adversary operates, so a proper defense can be built…
If the offense knows more than the defense you will lose…
Focus on Behavior & Analytics
Activity patterns focused on data:
— Amount of data accessed
— Failed access attempts
— Data copied or sent to external sources
There are differences in activity between a normal user and an insider threat.
5 STEPS FOR SECURING ENDPOINTS
1. Control and manage privileged access
2. Focus on vulnerability remediation with clear metrics
3. Prioritize risks based on criticality of information
4. Monitoring and timely detection is key
5. Communicate clear metrics to your executives
Focus on rogue behavior not signatures
Are You Ready to Take… The Dr. Cole Challenge
Focus on outbound traffic
– Number of connections
– Length of the connections
– Amount of data
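The behavior-analytics idea above (compare a host's data access and outbound traffic against its own normal pattern rather than against signatures) as an added example, not part of the original deck: each host's daily connection count, mean connection length and bytes sent are compared with that host's earlier days, and large upward deviations are flagged. Host names, destination addresses and all log records are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

def _conns(day, host, pairs):
    # Constructed records: (day, host, dst_ip, duration_s, bytes_out); TEST-NET-3 addresses.
    return [(day, host, "203.0.113.%d" % (i + 1), d, b) for i, (d, b) in enumerate(pairs)]

CONN_LOG = (  # constructed sample log: four baseline days plus day 5
    _conns(1, "ws-finance-07", [(20, 10000), (35, 25000), (25, 15000)])
    + _conns(2, "ws-finance-07", [(22, 12000), (30, 20000), (28, 18000), (18, 8000)])
    + _conns(3, "ws-finance-07", [(25, 14000), (40, 30000), (30, 16000)])
    + _conns(4, "ws-finance-07", [(24, 11000), (33, 22000), (27, 13000)])
    + _conns(5, "ws-finance-07", [(21, 9000), (3600, 52_000_000), (26, 14000)])  # hour-long, ~52 MB out
    + _conns(1, "ws-hr-02", [(30, 20000), (28, 18000)])
    + _conns(2, "ws-hr-02", [(32, 22000), (27, 17000), (29, 19000)])
    + _conns(3, "ws-hr-02", [(31, 21000), (26, 16000)])
    + _conns(4, "ws-hr-02", [(30, 19000), (29, 20000)])
    + _conns(5, "ws-hr-02", [(31, 21000), (28, 18000), (29, 19000)])
    + _conns(4, "new-laptop-01", [(30, 20000)])  # only one prior day: no baseline yet
    + _conns(5, "new-laptop-01", [(600, 9_000_000)])
)

def daily_profile(records):
    """Per (host, day): connection count, mean connection length (s), total bytes out."""
    agg = defaultdict(lambda: [0, 0.0, 0])
    for day, host, _dst, dur, nbytes in records:
        a = agg[(host, day)]
        a[0] += 1
        a[1] += dur
        a[2] += nbytes
    return {k: {"conns": c, "avg_len": t / c, "bytes": b} for k, (c, t, b) in agg.items()}

def find_anomalies(records, target_day, threshold=3.0, min_history=2):
    """Return {host: [metric, ...]} for metrics on target_day that sit more than
    `threshold` standard deviations above the host's own baseline days."""
    profiles = daily_profile(records)
    hits = {}
    for host in sorted({h for h, _ in profiles}):
        history = [v for (h, d), v in profiles.items() if h == host and d < target_day]
        today = profiles.get((host, target_day))
        if today is None or len(history) < min_history:
            continue  # nothing to compare, or a baseline too thin to trust
        flagged = []
        for metric in ("conns", "avg_len", "bytes"):
            base = [v[metric] for v in history]
            mu, sigma = mean(base), pstdev(base)
            sigma = sigma or max(abs(mu) * 0.1, 1e-9)  # flat baseline: allow 10% slack
            if (today[metric] - mu) / sigma > threshold:  # only increases are of interest here
                flagged.append(metric)
        if flagged:
            hits[host] = flagged
    return hits
```

On the sample, day 5 flags only the finance workstation's connection length and outbound volume; its connection count is unchanged, which is exactly why counting connections alone would miss it.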
SUMMARY
Security is about endpoint security of ALL endpoints
Assume both insider and cyber attacks are occurring
Take a holistic approach; go beyond required technical controls
Focus on vulnerability remediation not just scanning
Widespread assignment of privileged credentials makes it easier for
attackers to get to valuable assets and data
Talk to your executives about security – it could make all of the difference
PAM – A collection of best practices
AD Bridge: use AD credentials to access Unix/Linux hosts
Privilege Delegation: once the user is logged on, manage what they can do
Session Management: managed list of resources the user is authorized to access; gateway proxy capability; audit of all session activity
Password & SSH Key Management: automate the management of functional account passwords and SSH keys
Comprehensive Security Management
► Secure and automate the process for managing privileged account passwords and keys
► Control how people, services, applications and scripts access managed credentials
► Auto-logon users onto RDP, SSH sessions and apps, without revealing the password
► Record all user and administrator activity (with keystrokes) in a comprehensive audit trail
► Alert in real-time as passwords, and keys are released, and session activity is started
► Monitor session activity in real-time, and immediately lock/terminate suspicious activity
Privileged Password Management (People, Services, A2A) | Privileged Session Management | SSH Key Management
Session flow (diagram):
• User authenticates to Password Safe over HTTPS and requests a session to a protected resource
• Native desktop tool (MSTSC/PuTTY etc.) connects to Password Safe, which proxies the connection through to the requested resource
• The RDP/SSH session is proxied through the Password Safe appliance to the protected resource
Privileged Session Management – Automatic Login to ESXi example (diagram): the user selects the vSphere application and credentials in the browser (HTTPS); the credential is checked out from Credential Management (UserStore); the RDP client reaches the vSphere RemoteApp via ESXRDP (4489) and RDP (3389); session recording / logging.
Automatic Login to Unix/Linux Applications (diagram): the user selects an SSH application and credentials in the browser (HTTPS); the credential is checked out; the RDP client connects to the SSH application over SSH (22); session recording / logging.
Typical Use Cases
• Jump host in DMZ
• Menu-driven Apps
• Backup Scripts
• Role-based Apps
What makes Password Safe different?
• Adaptive workflow control to evaluate and intelligently route based on
the who, what, where, and when of the request
• Full network scanning capabilities with built-in auto-onboard capabilities
• Integrated data warehouse and analytics capability
• Smart Rules for building permission sets dynamically according to data
pulled back from scans
• Session management / live monitoring at NO ADDITIONAL COST
• Clean, uncluttered, and intuitive HTML5 interface for end users
Less complexity & cost
Password and Session Management together in the same solution
Rotate SSH keys according to a defined schedule and enforce granular
access control and workflow
Native tools for session management (MSTSC/PuTTY etc), with no Java
required
Faster time to value
Deploy as a hardened physical or virtual appliance with a sealed
operating system, or as software
Clean, uncluttered, and intuitive HTML5 interface for end users
Full network scanning, discovery and profiling with auto-onboarding, and
Smart Rules
Better insights
Integrated data warehouse and threat analytics capability through
BeyondInsight
Live session monitoring, true dual control for locking, terminating or
canceling sessions
Improve workflow by considering the day, date, time and location when a
user accesses resources
Key differentiators and business value
Reduce risk | Achieve compliance | Improve efficiency
PowerBroker Privileged Account Management:
Validated by the industry
BeyondTrust is a “representative vendor” for all five key feature solution categories.1
“Deploying the BeyondTrust PAM platform … provides an integrated, one-stop approach to PAM… one
of only a small band of PAM providers offering end-to-end coverage.”2
“BeyondTrust is a pure-player in the Global Privileged Identity Management market and holds a
significant position in the market.”3
“Frost & Sullivan endorses PowerBroker Password Safe.”4
“Leverage a solution like BeyondTrust’s PowerBroker for Windows to transparently remove administrator privileges.”5
BeyondTrust is a “Major Player” in Privileged Access Management.6
“BeyondTrust is a vendor you can rely on… BeyondTrust PowerBroker Auditor suite is an
impressive set of flexible and tightly integrated auditing tools for Windows environments.”7
1. Gartner, Market Guide for Privileged Account Management, June 17, 2014.
2. Ovum, SWOT Assessment: BeyondTrust – The BeyondInsight and PowerBroker Platform, November 5, 2014.
3. TechNavio, Global Privileged Identity Management Market 2015-2019, 2014.
4. Frost & Sullivan, PowerBroker Password Safe – a Frost & Sullivan Product Review, 2014.
5. Forrester, Introducing Forrester’s Targeted Hierarchy of Needs, May 15, 2014.
6. IDC, IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment, March 2015.
7. Kuppinger Cole, Executive View: BeyondTrust PowerBroker Auditor Suite, March 2015.