TRANSCRIPT
Security Solutions Inc.
Anthony Meyer, Regional SE, Canada, CyberArk
Luc Gagne, North America Sales Director, IAM Concepts
The Role of Privilege in Recent Breaches
Medical Center
About
• Primary Hospital & Level 1 Trauma Center
• Teaching Hospital for a University
What happened
• 6,000+ computers & connected devices hit by ransomware in 2017
• Refused to pay & decided to rebuild
Gaining Access
(Diagram: attacker, intranet, DMZ, RDP)
# Weak password gives access to DMZ machine
# Finds hash and moves into trusted zone
# Discovers IT admin creds with domain privileges
# Erases VMware backups to prevent OS roll backs
Deploy, Collect and Wait
(Diagram: attacker, intranet)
# Deploys ransomware to 6k machines; crippling vital systems for client care
# Attacker is presumed to have been inside the network for <1 week
Remediation
(Diagram: attacker, intranet, DMZ)
# CyberArk engaged for remediation
# Vault installed and total remediation completed in 6 weeks
Key takeaways
• Total cost of remediation effort is over $10M
• If an attacker owns the infrastructure, they can cripple the business in an instant
• Unmonitored admin credential usage can be devastating, especially without a behavioral analytics platform
• Password policies remain subject to human error without tool assistance
Entertainment Company
About
• American entertainment company that produces, acquires and distributes movies
What happened
• Destructive malware erases infrastructure. Sensitive data was stolen and publicized
The Attack
(Diagram: attacker, intranet)
# Attacker utilized spear phishing to get inside the network
# Attacker harvested credentials found on the client PC. Credentials were used to move laterally
# Usernames and passwords for admins were kept in Word files with names like "Computer Passwords"
The Attack: continued
(Diagram: attacker, intranet)
# 7 sets of credentials were found and the studio's entire network mapped. This information was "hard-coded" into destructive malware
Key Takeaways
• Attackers spent a long time in reconnaissance mode without causing any immediate harm.
• The attackers used the gathered information to blackmail and, in the end, do a lot of damage
• A Golden Ticket was not necessary; in fact only seven sets of credentials were enough to infiltrate the entire organisation
• This highlights the fact that it is important to have random and unique passwords for each endpoint
Insurance Company
About
• Insurance company
• Over 50,000 employees
What happened
• Disclosed a data breach in 2015. At first said 35+M records stolen and later revised to 75+M
• Paid a record $115 million to settle U.S. lawsuits over the data breach (significantly over their insurance cap)
Phishing for access
(Diagram: attacker, Golden Ticket)
# Attacker utilized a phishing campaign to get inside the network
# Bad actor harvested credentials from a management script written by a contract employee
# With admin credentials in hand, attacker generates a "Golden Ticket"
I've got the golden ticket!
(Diagram: attacker)
# Using address book, attacker searched for users with "database" or "security" in their title
# Attacker chose a DBA's credentials to access a domain server that was connected to an encrypted database
# DBA's unmonitored privileged credentials allowed attacker to decrypt and exfiltrate data for possible sale on the deep web
How long can an attack remain unnoticed?
(Diagram: attacker holding Domain Admins access to the internal domain: addresses & medical info, Social Security #s, names & birthdays; callout "Wait, those aren't my commands…"; "CyberArk?")
Months!
3 weeks to secure with CyberArk
(Diagram: CyberArk PS placed between the attacker, Domain Admins and the internal domain data: addresses & medical info, Social Security #s, names & birthdays)
Key Takeaways
▪ Golden tickets should only be found in movies
▪ People remain the weakest link in an org's security chain, especially temporary employees
▪ Encryption is a powerful tool -- unless you have credentials to decrypt and extract
▪ Unmonitored privileged account usage can prove fatal
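The "unmonitored privileged credential usage" point in the Medical Center and Insurance Company takeaways, as an added Python example that is not part of the presentation: two simple rules run over constructed Windows-style logon events, flagging a privileged account used from a host outside its approved admin workstations and a burst of logons to several hosts within five minutes, the pattern behind the lateral movement described in these cases. The account list, approved hosts, thresholds and events are all assumed sample values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): successful logons in a 4624-like shape.
# timestamp | account | source host | target host | logon type (3 = network, 10 = RDP)
SAMPLE_LOGONS = """\
2017-03-01T08:02:11 | j.doe    | WS-114   | FILESRV01 | 3
2017-03-01T08:05:40 | it-admin | ADMIN-WS | DC01      | 10
2017-03-01T22:14:03 | it-admin | DMZ-WEB2 | FILESRV01 | 3
2017-03-01T22:14:09 | it-admin | DMZ-WEB2 | VCENTER01 | 3
2017-03-01T22:14:15 | it-admin | DMZ-WEB2 | BACKUP01  | 3
2017-03-01T22:14:22 | it-admin | DMZ-WEB2 | DC01      | 3
2017-03-02T09:30:00 | dba-svc  | DB-JUMP  | DBSRV01   | 10
"""

# Assumed policy: privileged accounts and the only source hosts they may log on from.
PRIVILEGED = {"it-admin": {"ADMIN-WS"}, "dba-svc": {"DB-JUMP"}}
WINDOW = timedelta(minutes=5)  # window for counting distinct targets per account
MAX_TARGETS = 3                # distinct targets inside WINDOW that trigger an alert


def parse_logons(text):
    """Parse the pipe-separated sample into sorted (ts, account, src, dst, type) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, src, dst, ltype = [f.strip() for f in line.split("|")]
        events.append((datetime.fromisoformat(ts), acct, src, dst, int(ltype)))
    return sorted(events)


def detect(events):
    """Return (rule, account, detail) tuples for suspicious privileged logons."""
    alerts = []
    recent = defaultdict(list)  # account -> [(ts, dst), ...] within WINDOW
    for ts, acct, src, dst, _ in events:
        if acct not in PRIVILEGED:
            continue  # non-privileged accounts are out of scope for these rules
        if src not in PRIVILEGED[acct]:
            alerts.append(("unexpected_source", acct, f"{src}->{dst}"))
        recent[acct] = [(t, d) for t, d in recent[acct] if ts - t <= WINDOW]
        recent[acct].append((ts, dst))
        targets = {d for _, d in recent[acct]}
        if len(targets) >= MAX_TARGETS:
            alerts.append(("lateral_burst", acct, ",".join(sorted(targets))))
            recent[acct] = []  # reset so one burst raises a single alert
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_logons(SAMPLE_LOGONS)):
        print(*alert)
```

On the sample, the it-admin logons from the DMZ host raise four source alerts and one burst alert, while the approved admin and DBA logons stay silent.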
Services Company
About
• One of the world's largest Oil and Gas services companies
• Based in the US
What happened
• Breach occurred in early 2017; however, the firm decided against disclosing publicly
• Called CyberArk to help with the remediation
A flawed environment
(Diagram: internal domain, business partners)
# All users were local admins on their workstations
# Personal accounts were used to administrate the network
# No two-factor authentication for VPN access
The attack
(Diagram: internal domain; contractor CV on Monster.com; contractor; business partners; CyberArk PS)
Key Takeaways
• Falling revenues should not be accompanied by security short-cuts
• Reputation with business partners could falter if attacks affect their environment
• Two-factor authentication and separation of duties are no longer just security suggestions
• A dollar saved on security tools can mean millions lost in revenue
Dropping oil prices stifle industry spending (link)
7 Step Hygiene Program
Security Solutions Inc.
Luc Gagne, North America Sales Director
416-999-6360
© Copyright IAM Concepts Corporation 2018
Helping customers achieve their IAM goals and delivering value to the business
About IAM Concepts…
We offer cost effective Identity & Access Management strategies, software, consulting and services
• We are a Toronto-based company that specializes in Identity & Access Management.
• 90% of our staff is service oriented (Solutions' Architects, Developers, Specialists and Project Managers)
• We offer highly customizable Managed Services and Software as a Service (SAAS)
• Consulting: free workshops, large scale assessments, health checks, roadmaps, training
• Certifications in the top IAM vendors in the market
• Implementation services & Project Management
• Certifications with the leading vendors in the market
• CyberArk Technology Partner of the Year 2017
Identity & Access Management challenges
What are we hearing from customers?
• Lack of resources, training and expertise (loss of knowledgeable employees to attrition)
• Confusion around IAM software solutions available? Cloud or On-Premise?
• How can I get quicker time to value for my IAM initiatives/projects?
• Can I leverage IAM software that we already have?
• How can you help me address Access Governance Audit and compliance requirements?
• Can you help me build a business case to internally sell our IAM project?
• How can I manage user access with the rapid growth of our mobile workforce and all of these different end-user devices?
IAM Concepts' Managed Services Offering
IAM Concepts provides an IAM Managed Service tailored to each customer's needs:
• Whether it be implemented on the cloud or on premise
• Operational management can include:
  • Application management
  • Security Administration
(Diagram: IAM Managed Services covering Infrastructure Management and Security Administration, reached over a Secure VPN, On Premise or Cloud)
A flexible, customizable, and cost effective managed service offering
Why are our customers interested in an IAM Managed Service?
Risk Mitigation, Quality, Cost Optimization
• Stabilization of existing infrastructure
• Standard service levels of delivery
• Proactive monitoring of IAM applications
• Enhanced performance and usability through our asset library
• Key patches and updates reviewed and applied regularly

• Alignment of IAM investments with business objectives
• Cost control and containment
• Competitive pricing

• Elimination of need to train and retain highly skilled staff
• Foundation put in place to make other IAM initiatives
• Complexity of managing IAM solutions
• Adaptability of IAM solution to evolving needs
Balances risk mitigation, cost optimization, and quality service delivery
CyberArk Managed Services from IAM Concepts
3 Step Process for on-boarding a CyberArk Managed Service
Function / Coverage
Application Support: CyberArk PAS with Critical Platforms: AD, Linux, AIX (100 servers)
Coverage: 8x5 on 36 Term
Services Provided:
• Problem and Incident Management
• Maintenance, patching, and hot-fix
• Management and reporting
Environments: Non-Production & Production
Service Level Objectives: Jointly defined according to priority incident response time objectives
Functional Enhancements: On demand via Request for Service option (i.e. security administration or customizations)
CyberArk Managed Service allows clients to mitigate risks, optimize costs, and focuses the Security Admin team on True Security Administration activities
Step 1: Define the Managed Service
Step 2: One time transition service for technical and operational transition
Step 3: On-going Managed Service for the duration of the term
Our CyberArk Managed Service Offering
Designed to be a flexible, customizable, and cost effective solution tailored to fit client specific requirements such as:
• PAM Problem and Incident management
  • Ticket and incident status, corrective measures, root cause analysis
• PAM Periodic Infrastructure Maintenance
  • Preventative maintenance
  • Performance tuning
  • Patching and security hot-fix
• Regular Service reviews
• Functional Enhancements – upon request
Sample Case Study
A wealth management services provider required CyberArk application managed services to address a skills gap and manage costs, without adding complexity
Privilege Access Management and ID Governance
Organizations are looking to connect identity governance and privilege access management into a unified solution that meets audit and compliance requirements, increases operational efficiency, and addresses risk. IAM Concepts has worked with two best of breed solutions – integrating SailPoint's Identity Lifecycle and Governance capabilities with CyberArk's Privileged Account Security solution – adding identity controls to privilege access. This solution provides our clients with complete privilege access management and ID governance, a single automated policy-based process to:
• Gain visibility to privileged users and the access landscape by importing privileged entitlements managed by CyberArk into SailPoint
• Certify privilege access required and remove excess rights from SailPoint to a least privilege model, with revocation automatically reflected in CyberArk during access reviews and certification
• Identity lifecycle, processes and controls for privileged users are managed in SailPoint, supporting access requests and CRUD provisioning (Create – Read – Update – Delete), with privileged entitlements automatically added in CyberArk
• Audit and reporting of the entire process, from identity provisioning to privileged account usage
(Diagram: ID Lifecycle (Create, Read, Update, Delete); Governance (Policy Mgt, Certify, Report); Privileged Account Security)
The preferred North American Identity and Access Management Service provider with over 100+ customers, leveraging top tier strategic partners and vendors to meet the needs of our clients.
Security Solutions Inc.
Anthony Meyer, Regional SE, Canada, CyberArk
Luc Gagne, North America Sales Director, IAM Concepts
Thank you!