The New Cyber Battleground: Inside Your Network
Chad Froomkin, Major Account Executive Southeast
Why are we here?
• 90% of organizations breached
• 59% of organizations breached more than once
• $3,500,000 average cost per incident to investigate and remediate
Sources: Ponemon Institute, Cost of Data Breach: Global Analysis, 2014; Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
The new cyber battleground: Inside your network
• Over 90% of organizations have been breached
• In the past: “I can stop everything at the perimeter”
• Today: “I can’t stop anything at the perimeter”
• Information security focus shifts to inside the network
• Over 35% of breaches are internal – driven by malicious and unintentional insiders
• Compromised credentials empower any attacker to act as an insider
• Compliance and audit requirements focus on privileged accounts
• Privileged accounts provide access to the most sensitive and valuable assets
• Information exposure damages brand reputation and customer confidence
What do we know?
“We have to assume we have already been breached”
Brian Krebs (Krebs on Security)
Mandiant, M-Trends and APT1 Report, 2014
Privileged accounts are targeted in all advanced attacks
“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”
“…100% of breaches involved stolen credentials.”
Mandiant, M-Trends and APT1 Report, 2014
Privileged accounts are targeted in all advanced attacks
“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”
Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014
Privileged accounts are targeted in all advanced attacks
“…that’s how I know I’m dealing with a sophisticated adversary…if they are targeting privileged accounts, I’ve got a serious APT problem…”
CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013
Perimeter defenses are consistently breached
• Over 28 billion spent on IT security in 2014!!!
• Over 90% of organizations breached
Sources: Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
Privilege is at the center of the attack lifecycle
Diagram: Typical Lifecycle of a Cyber Attack
Scope of Privileged Account “attack surface” underestimated Cyber - Privileged Account Security & Compliance Survey, 2014 (Enterprises > 5000 Employees)
Many organizations only use partial measures
Do you monitor and record privileged activity?
CyberArk Privileged Account Security & Compliance Survey, 2014
Privileged Accounts create a HUGE attack surface
• Privileged accounts exist in every connected device, database, application, industrial controller and more!
• Typically a ~3X ratio of privileged accounts to employees
What, Where & Why of Privileged Accounts
• All Powerful
• Difficult to Control, Manage & Monitor
• Pose Devastating Risk if Misused
Telecom breaches draw attention to insider access issues
• August 2014: A global top 5 Telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information.
“We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number”
• Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.
Chinese hack U.S. weather systems & satellite network
• October 2014: A federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services.
• Post breach, security testing discovered multiple weaknesses:
  • “Weak or default passwords and operating system vulnerabilities with well documented exploits”
  • Significant problems with remote access
  • Assessment results lacked supporting evidence – lack of audit logs
The framework of a retail breach
• Access via compromised 3rd party account
• Escalation of privileges (*for example* via Pass the Hash)
• Once necessary privileges are obtained:
  • Install malware on POS
  • Install Remote Administration Tools
• Goal: ex-filtrate data
The Privileged Account Security maturity model
• Baseline maturity: Discover and control
• Medium maturity: Manage and monitor
• High maturity: Expand scope and automate
1) Baseline Maturity: Discover and control
• Inventory the privileged accounts
• Limit standard user accounts
• Establish on- and off-boarding processes
• Remove non-expiring passwords
• Securely store passwords
• Ensure attribution
2) Medium Maturity: Manage and monitor
• Schedule password changes
• Utilize one-time passwords
• Implement session recording
• Prevent human usage of service accounts
• Control application accounts
• Detect anomalies
3) High Maturity: Expand scope and automate
• Use multi-factor authentication
• Replace all hard-coded passwords in applications
• Employ next-generation jump-servers
• Implement approval and monitoring workflows
• Proactively detect malicious behavior
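The baseline and medium maturity steps above (inventory the privileged accounts, remove non-expiring passwords, schedule password changes, ensure attribution, prevent human usage of service accounts) can be turned into a repeatable audit. The script below is an added example, not code from the slides or from CyberArk; it runs the checks over a constructed account inventory with hypothetical field names (a real Active Directory, LDAP or PAM export would need a small adapter to produce the same records).

```python
"""Baseline/medium maturity audit over a constructed privileged-account inventory.

Added example (not from the original slides). Field names are hypothetical;
the records imitate a flattened directory export.
"""
from datetime import datetime, timedelta, timezone

# Fixed "today" so the findings below are reproducible.
NOW = datetime(2014, 11, 1, tzinfo=timezone.utc)

# Constructed sample inventory (not real data).
INVENTORY = [
    {"name": "administrator", "type": "user", "groups": ["Domain Admins"],
     "pwd_never_expires": True, "last_pwd_set": NOW - timedelta(days=900),
     "owner": None, "interactive_logon": True},
    {"name": "svc_backup", "type": "service", "groups": ["Domain Admins"],
     "pwd_never_expires": True, "last_pwd_set": NOW - timedelta(days=400),
     "owner": "ops-team", "interactive_logon": True},
    {"name": "jdoe", "type": "user", "groups": ["Domain Users"],
     "pwd_never_expires": False, "last_pwd_set": NOW - timedelta(days=20),
     "owner": "jdoe", "interactive_logon": True},
    {"name": "dba_shared", "type": "user", "groups": ["DBA Admins"],
     "pwd_never_expires": False, "last_pwd_set": NOW - timedelta(days=120),
     "owner": None, "interactive_logon": True},
    {"name": "svc_web", "type": "service", "groups": ["Domain Users"],
     "pwd_never_expires": False, "last_pwd_set": NOW - timedelta(days=30),
     "owner": "web-team", "interactive_logon": False},
]

# Group names that confer privilege in this (hypothetical) environment.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "DBA Admins", "root"}
# Rotation policy used by the "schedule password changes" check.
MAX_PASSWORD_AGE = timedelta(days=90)


def is_privileged(acct):
    """Step 1 of the baseline: decide which accounts belong in the inventory."""
    return bool(PRIVILEGED_GROUPS & set(acct["groups"]))


def audit(inventory, now=NOW):
    """Return {account name: [findings]} for every privileged account.

    An empty list means the account passed all checks.
    """
    findings = {}
    for acct in inventory:
        if not is_privileged(acct):
            continue
        issues = []
        if acct["pwd_never_expires"]:                       # remove non-expiring passwords
            issues.append("non-expiring password")
        if now - acct["last_pwd_set"] > MAX_PASSWORD_AGE:   # schedule password changes
            issues.append("password older than %d days" % MAX_PASSWORD_AGE.days)
        if acct["owner"] is None:                           # ensure attribution
            issues.append("no named owner (attribution gap)")
        if acct["type"] == "service" and acct["interactive_logon"]:
            issues.append("service account allows interactive logon")  # prevent human usage
        findings[acct["name"]] = issues
    return findings


def summary(inventory, now=NOW):
    """Counts for the inventory slide: privileged accounts and how many need work."""
    results = audit(inventory, now)
    return {"privileged": len(results),
            "with_findings": sum(1 for v in results.values() if v)}


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, "->", "; ".join(issues) or "OK")
    print(summary(INVENTORY))
```

Because the checks are pure functions over plain records, the same code can be re-run after each remediation cycle to show the "with_findings" count falling, which is the kind of evidence an auditor asks for under the attribution requirement.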
Critical steps to stopping advanced threats
• Discover all of your privileged accounts
• Protect and manage privileged account credentials
• Control, isolate and monitor privileged access to servers and databases
• Use real-time privileged account intelligence to detect and respond to in-progress attacks
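The last step, using privileged account intelligence to detect in-progress attacks, comes down to rules run over logon telemetry. The following is an added example, not part of the slides or of any CyberArk product: it parses a constructed, simplified logon log (not a real Windows or syslog format) and raises three kinds of alert that map to the earlier slides, a service account being used interactively by a human, a privileged interactive logon that bypasses the designated jump host, and one privileged credential fanning out to many hosts within a few minutes, the pattern the retail-breach slide describes after privilege escalation. Host names, account names and thresholds are all assumptions.

```python
"""Detection rules over constructed logon records (added example, not from the slides)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the format is simplified and hypothetical.
SAMPLE_LOG = """\
2014-11-01T08:01:10Z logon user=jdoe src=WS-204 dst=WS-204 type=interactive
2014-11-01T08:02:30Z logon user=svc_backup src=BKP01 dst=FS01 type=service
2014-11-01T09:15:02Z logon user=svc_backup src=WS-117 dst=DC01 type=interactive
2014-11-01T09:16:40Z logon user=administrator src=WS-117 dst=FS01 type=network
2014-11-01T09:17:05Z logon user=administrator src=WS-117 dst=FS02 type=network
2014-11-01T09:17:50Z logon user=administrator src=WS-117 dst=DB01 type=network
2014-11-01T09:18:22Z logon user=administrator src=WS-117 dst=DC01 type=network
2014-11-01T10:30:00Z logon user=administrator src=ADMIN-JUMP01 dst=DC01 type=interactive
2014-11-01T11:05:00Z logon user=administrator src=WS-204 dst=DB01 type=interactive
"""

# Assumed environment facts (in practice fed from the privileged-account inventory).
PRIVILEGED = {"administrator", "svc_backup"}
SERVICE_ACCOUNTS = {"svc_backup"}
ADMIN_JUMP_HOSTS = {"ADMIN-JUMP01"}
FANOUT_WINDOW = timedelta(minutes=5)
FANOUT_THRESHOLD = 3   # distinct destination hosts inside the window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\S+)$"
)


def parse(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect(events):
    """Return a list of (rule, user, detail) tuples."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        user = e["user"]
        if user not in PRIVILEGED:
            continue                      # only privileged accounts are in scope here
        by_user[user].append(e)
        is_service = user in SERVICE_ACCOUNTS
        # Rule 1: a service account should never be used for an interactive logon.
        if is_service and e["type"] == "interactive":
            alerts.append(("service-account-interactive-logon", user, e["src"]))
        # Rule 2: human admins must come through the jump host.
        if (not is_service and e["type"] == "interactive"
                and e["src"] not in ADMIN_JUMP_HOSTS):
            alerts.append(("privileged-interactive-logon-off-jump-host", user, e["src"]))
    # Rule 3: one privileged credential reaching many hosts in a short window.
    for user, evs in by_user.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, start in enumerate(evs):
            window = [ev for ev in evs[i:] if ev["ts"] - start["ts"] <= FANOUT_WINDOW]
            dsts = {ev["dst"] for ev in window}
            if len(dsts) >= FANOUT_THRESHOLD:
                alerts.append(("privileged-logon-fanout", user, ",".join(sorted(dsts))))
                break                     # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse(SAMPLE_LOG)):
        print(rule, user, detail)
```

Rule 3 is deliberately keyed on distinct destination hosts rather than raw event volume, so a busy admin repeatedly working on one server does not trip it while a credential sweeping across file servers, a database and a domain controller does.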
Enterprise account usage today?
Who uses privileged accounts: Auditor / Security & Risk, External Vendors, Business Applications, DBAs, VM Admins, Windows Admins, Unix Admins
• External vendor: “I need my service provider to connect remotely with root”
• Business user: “I need the password to map a drive”
• DBA: “I just need root to patch a database”
• Application owner: “I have this script that needs to run as root every night”
• Auditor / Security & Risk: “What are your root entitlements, who used it, when did they use it and why?”
Where the accounts live: Websites & Web Apps, Security Appliances, iSeries Mainframes, zSeries Mainframe, Unix/Linux Servers, Network Devices, Windows Servers, Virtual Servers, Applications, Databases
Requirements for an effective Privileged Account Security Solution
• Granular Privileged Access Controls
• Privileged User Access Controls
• Protecting & Isolating Sensitive Assets
• Application Identity Controls
• Privileged Activity Monitoring
DNA - Discovery & Audit
• Discover where your privileged accounts exist
• Clearly assess privileged account security risks
• Identify all privileged passwords, SSH keys, and password hashes
• Collect reliable and comprehensive audit information
The CyberArk Team:
Chad Froomkin – Major Account Executive Southeast: NC/SC/TN, (770) 322-4201, Chad.Froomkin@cyberark.com
Doug Brecher – Internal Account Executive Southeast, (617) 796-3264, Doug.Brecher@cyberark.com