CyberArk
SECURING PRIVILEGED ACCOUNTS AND BEST PRACTICES
By: Jimmy Sze
Information obtained through www.cyberark.com
About CyberArk
CyberArk is an information security company focused on privileged account security
Used to protect companies' highest-value information assets, infrastructure and applications
Today, CyberArk is delivering a new category of targeted security to help leaders react to cyber threats and get ahead of the game to prevent attacks before they escalate to irreparable business damage
Auditors and regulators recognize that privileged accounts are the targets of cyber attacks and need stronger protection
About CyberArk (Continued)
Deployed Worldwide in:
◦ Financial Services
◦ Energy Retail
◦ Health Care
As of the year 2015:
◦ 1800 global businesses (includes over 40% of the Fortune 100)
◦ 17 of the world’s top 20 banks
◦ 8 of the world’s top 16 pharmaceutical companies
◦ 75 of the leading energy companies
Offices:
◦ U.S / Israel / U.K / France / Germany / Netherlands / Singapore
◦ Serves Customers in more than 65 countries
Privileged Accounts (P.A)
Are valid credentials used to gain access to systems
◦ Difference – they provide elevated, unrestricted access to platforms that a non-privileged account does not have access to
◦ Used by sysadmins to deploy & manage IT technology such as:
◦ Operating Systems
◦ Network Devices
◦ Applications & more
Privileged accounts provide access to everything
◦ The reason why attackers or malicious insiders seek to steal them
Types of Privileged Accounts
Local Admin Accounts
◦ Provide admin access to the local host; used by IT staff to perform maintenance on workstations, servers, network devices, databases, mainframes, etc.
Privileged User Accounts
◦ Give admin privileges on one or more systems. Usually have unique and complex passwords. Yield much power and need to be monitored
Domain Admin Accounts
◦ Give privileged admin access to all workstations and servers within a Windows domain. Few in number but provide the most extensive and robust access across the network
Emergency Accounts
◦ Provide unprivileged users with admin access in case of emergency. *Manager Approval*
Service Accounts
◦ Privileged local or domain accounts used by an app or service to interact with the OS. May have domain admin privileges depending on the requirements of the app they are used for
Application Accounts
◦ Accounts used by applications to access databases, run batch jobs or scripts, or provide access to other apps
The Three Phases of Securing Privileged Accounts
Baseline Maturity
◦ Those who have just started dealing with privileged account security
Medium Effective Maturity
◦ Those who are in the middle
Highly Effective Maturity
◦ Those who are at the forefront of developing strong, proactive, preventive measures for securing privileged accounts
Best Practices – Baseline Maturity
Identify & Reduce the Number of Privileged Accounts
◦ Most organizations underestimate the number of privileged accounts they have
◦ Create an inventory of these accounts, then delete the unnecessary ones
Principle of Least Privilege – Enforce it!
◦ Give an employee only as much power as they need to do their job
◦ Standard users should be given privileged access on an as-needed basis
Revocation of Rights
◦ Onboarding and offboarding of privileged access is critical to security
◦ New employees need to understand the power & responsibility
◦ Businesses need a way to immediately remove an employee's access to privileged accounts or change shared passwords
Best Practices – Baseline Maturity (Continued)
Eliminate Shared Accounts with Non-Expiring Passwords
◦ Passwords should be changed on a regular basis to reduce vulnerability to password cracking tools and password sharing between employees
Secure Password Storage
◦ Businesses should store passwords in the most secure, encrypted vaulting system.
◦ NEVER store passwords in binders, spreadsheets or any other non-secure mechanism.
Shared Account Attribution *
◦ All shared accounts should be attributed to specific individuals
◦ Shared credentials should be completely eliminated
◦ If that is not possible, the ability to enforce and audit individual accountability is required
Best Practices – Medium Effective Maturity
Automatically Change P.A Passwords on a 30 or 60-day Cycle
◦ Passwords should be changed on a regular cycle and be complex, difficult to guess, & unique
Use One-Time Passwords
◦ Passwords that are valid for only one login session or transaction. Frequently changing passwords makes them much harder for hackers to identify and steal
Recording Privileged Sessions
◦ Important for any session involving a key asset, server, or 3rd party access. Recording allows companies to play back the session at the point of breach/malicious behavior
Best Practices – Medium Effective Maturity (Continued)
Eliminating Human Login for Service Accounts
◦ Allowing service accounts to be used interactively presents a significant vulnerability, one that can be eliminated with ease once an inventory is established
Automated Changing of Hard-Coded & Embedded Passwords
◦ Implement a process to change hard-coded & embedded passwords for scripts and service accounts. Without such a process, changing them could cause something to break within the infrastructure. An automated system can increase security without more risk
Focused Auditing of Admin Privileged Functions – Monitor Behavior
◦ Log all user activity and generate alerts for unusual behavior
◦ Provide additional information on privileged accounts
◦ Integrating with security teams can speed up reviews & investigation of potential incidents and/or violations
Best Practices – Highly Effective Maturity
Automated Disabling of Inactive Privileged Accounts
◦ Privileged accounts are prone to human error. Relying on manual solutions and institutional knowledge is better than nothing, but automation is far more effective
Multi-factor Authentication for All Admin Access
◦ Includes domain admin access
◦ Additional layer that makes privileged identities a harder target for advanced threats
◦ Many platforms, such as legacy and network devices, may not support multi-factor authentication. This is why deploying a P.A security solution that supports multi-factor authentication eliminates the need for target devices to support it natively
Best Practices – Highly Effective Maturity (Continued)
Automate Password Verification and Reconciliation
◦ Ensures all passwords of record are current on all systems
◦ Very critical when managing privileged identities because new P.A are constantly created and deleted, which is why an automated system to manage and verify passwords is beneficial
Frequently Identify, Change and Verify Hardcoded Passwords
◦ Hackers frequently target hard-coded passwords embedded in applications, which are usually an afterthought for many organizations
◦ Auditing all accounts and automating the management of app credentials allows an organization to rotate passwords without risk
Best Practices – Highly Effective Maturity (Continued)
Directly Connect to Target Systems without Displaying Passwords to Users
◦ Preventing disclosure of P.A passwords to end users adds an additional layer of security and reduces the maintenance of shared accounts
Privileged Gateway - Eliminate Direct Access to Sensitive Assets/Infrastructure
◦ Implementing a gateway between the end user and sensitive assets limits network exposure to malware & keeps privileged credentials off admin endpoints/desktops
Implement Request Workflow for Credential Access Approval (Dual-Controls)
◦ Dual control provides a check-and-balance mechanism needed to prevent malicious insiders from exploiting P.A
Best Practices – Highly Effective Maturity (Continued)
Record all Privileged Sessions
◦ Require that all P.A actions be recorded with session recording and video playback for forensic analysis and change management review
Proactively Detect Malicious Behavior
◦ A solution to monitor, detect and alert on anomalous privileged user behavior is a critical layer in a best-in-class P.A security strategy
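As an added example (not part of the original slides and not CyberArk code), the Python below audits a constructed account inventory against several of the checks listed above: the 60-day password cycle, shared accounts with non-expiring passwords or no named owner, service accounts that still allow interactive login, and inactive privileged accounts. The field names, the 90-day inactivity threshold and the sample accounts are assumptions.

```python
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=60)  # upper end of the 30 or 60-day cycle in the slides
MAX_INACTIVE = timedelta(days=90)      # assumption: the slides give no inactivity threshold

def acct(name, kind, owner, shared, expires, pw_set, last_used, interactive):
    """Build one inventory record (field names are hypothetical)."""
    return {"name": name, "type": kind, "owner": owner, "shared": shared,
            "password_expires": expires, "password_set": pw_set,
            "last_used": last_used, "interactive_logon": interactive}

# Constructed sample inventory; none of these accounts are real.
INVENTORY = [
    acct("da-jsmith", "domain_admin", "jsmith", False, True,
         date(2024, 5, 10), date(2024, 5, 31), True),
    acct("svc-backup", "service", "backup-team", False, True,
         date(2024, 5, 20), date(2024, 5, 30), True),
    acct("root-shared", "local_admin", None, True, False,
         date(2023, 1, 15), date(2024, 5, 29), True),
    acct("adm-old", "privileged_user", "former-admin", False, True,
         date(2024, 4, 15), date(2023, 11, 2), True),
]

def audit(accounts, today):
    """Return {account name: [findings]} for accounts that violate a check."""
    findings = {}
    for a in accounts:
        issues = []
        if today - a["password_set"] > MAX_PASSWORD_AGE:
            issues.append("password-overdue")           # rotation cycle missed
        if a["shared"] and not a["password_expires"]:
            issues.append("shared-non-expiring")        # shared account, static password
        if a["shared"] and a["owner"] is None:
            issues.append("shared-unattributed")        # no individual accountable
        if a["type"] == "service" and a["interactive_logon"]:
            issues.append("service-interactive-logon")  # human login still possible
        if a["last_used"] is None or today - a["last_used"] > MAX_INACTIVE:
            issues.append("inactive")                   # candidate for automated disabling
        if issues:
            findings[a["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(INVENTORY, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(issues)}")
```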
Conclusion
100% of all advanced attacks exploit privileged credentials
Locking these accounts down is critical to an enterprise
Following these guidelines, depending on your organization’s maturity level, will help prevent cyber threats against the organization
The process for securing privileged accounts should be ongoing, with continuous evaluation and adjustments to improve security as the business and threats change

Editor's Notes

  1. Domain Admin Acc: With complete control over all domain controllers and the ability to modify the membership of every admin account within the domain, a compromise of these credentials is a worst-case scenario.
  2. Best practices for the maturity model: for those who have just started to deal with privileged account security (Baseline Maturity), those who are in the middle (Medium Effective Maturity) and those who are at the forefront of developing strong, proactive, preventative measures for securing privileged accounts (Highly Effective Maturity).
  3. Revocation of Rights: Without a mechanism to immediately remove employees' access, companies are at the mercy of rogue employees.
  4. Given that privileged accounts are the most powerful accounts in any organization, passwords should be changed on a regular schedule to reduce vulnerability to password cracking tools and password sharing between employees.
  5. Here are best practices for companies at the forefront of privileged account security. These companies understand the threats that unprotected privileged accounts present and are enacting security policies that every company should aspire to emulate.