Privilege Security & Next-Generation Technology Morey J. Haber - - PowerPoint PPT Presentation



SLIDE 1

Privilege Security & Next-Generation Technology

Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com

SLIDE 2

Agenda

  • The Next-Gen Threat Landscape
  • Infomatics, Breaches & the Attack Chain
  • Securing Cloud, DevOps & IoT
  • Privilege Security Threats
  • PAM & Privilege Security Maturity
  • Privileged Access Management
  • Privilege Security Maturity Model
  • How BeyondTrust Helps

SLIDE 3

The Next-Gen Threat Landscape

SLIDE 4

Innovation Leader

30+ years of firsts

  • 1st fully-integrated PAM and VM platform
  • 1st to provide vulnerability insights to inform privilege decisions
  • 1st PAM vendor on all major cloud marketplaces
  • 1st Unix/Linux, Mac and network device PAM solution

Strong roadmap

  • Active threat response
  • Context-aware PAM
  • SaaS-based PAM platform
  • DevOps secrets management

Patented technology

  • 7 patents granted
  • 10 pending

Infonomics

"Infonomics is the theory, study, and discipline of asserting economic significance to information. It provides the framework for businesses to monetize, manage, and measure information as an actual asset. … Infonomics endeavors to apply both economic and asset management principles and practices to the valuation, handling, and deployment of information assets."

  • Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage by Douglas B. Laney

SLIDE 5

Notable Breaches

  • Credentials hacked
  • Unpatched software exploited; amplified by excessive privileges
  • Credentials stolen

  • 80% of security breaches involve privileged credentials (Forrester Wave: Privileged Identity Management, Q3 2016)
  • 28% of breaches involve insiders (and growing) (2018 Verizon Data Breach Investigations Report)
  • 95% of critical vulnerabilities in Microsoft systems could be mitigated by removing admin rights (2018 Microsoft Vulnerabilities Report)

SLIDE 6

The Cyber Attack Chain

  • 1. Perimeter Exploitation
  • 2. Privilege Hijacking & Escalation
  • 3. Lateral Movement & Exfiltration

Attacker exploits asset vulnerabilities to gain entry … hijacks privileges or leverages stolen/cracked passwords … and compromises other network resources.

Vulnerable Systems | Unmanaged Credentials and Excessive Privileges | Limited Visibility

SLIDE 7

Internal Employees | Client-Server | Partners & Contractors | WWW | Mobile | Cloud & IoT | Remote Employees | DevOps / A2A / A2DB

The New Enterprise

Evolving Infrastructure | Expanding Accounts

More people, processes and technology have access to your systems and data than ever before.

Mainstream adoption DevOps

60%

Cloud

15% 56%

IoT

SLIDE 8

More Privileged Accounts

  • SaaS Admins
  • Cloud Admins
  • Application Admins
  • Privileged End Users
  • Developers
  • Machine Password & Keys

DevOps

  • DevOps Tools
  • Dynamic Virtual Environments
  • Containers
  • Microservices

Cloud & Hybrid Cloud

  • Cloud Management Platforms (AWS, Azure)
  • Virtualized Environments (VMWare, MSFT)
  • Virtualized Machines (UNIX, Linux, Windows)
  • SaaS Apps (Facebook, LinkedIn, Custom)

Attack Surface Evolution

Internet of Things

  • Roaming workstations
  • BYOD
  • Cameras
  • Sensors
  • Printers
  • More…

On-Premise

  • Shared Administrator Accounts
  • Desktops (Windows, Mac)
  • Servers (Unix, Linux, Windows)
  • Industrial Control Systems
  • Security Infrastructure
  • Network Infrastructure
  • Applications & Application Servers
  • Databases & Database Servers
  • Machine Credentials (AtoA)
  • Hypervisors & Virtual Machine

SLIDE 9

Cloud

SLIDE 10

Secure Cloud Enablement

  • DISCOVER & INVENTORY: Asset Management
  • SCAN FOR VULNERABILITIES: Vulnerability Management
  • ENSURE CONFIGURATION COMPLIANCE: Hardening and Best Practices
  • GAIN ACCOUNTABILITY OVER SHARED ACCOUNTS: Password Management
  • ELIMINATE HARD-CODED PASSWORD: A2A Security
  • ENFORCE APPROPRIATE CREDENTIAL USAGE: Least Privilege Management
  • RESTRICT PRIVILEGES: Privileged Management
  • SEGMENT NETWORKS: Network Design

Cloud Security

Secure cloud enablement requires a multidisciplinary strategy!

SLIDE 11

Into the cloud | In the cloud | From the cloud

Secure Cloud Transformation

  • Cloud Management Platforms
  • Shared Administrator Accounts
  • Servers (Unix, Linux, Windows)
  • Applications & Application Servers
  • Databases & Database Servers
  • Machine Credentials (A to A)
  • Security & Network Infrastructure
  • Hypervisors & Virtual Machines
  • SaaS Applications
  • DevOps Environments
  • Containers & Micro Services
  • IoT Devices

Virtual Machines, Dedicated Hardware | Marketplace Applications | IaaS, PaaS, & SaaS

The New Cloud Perimeter

SLIDE 12

Privilege Management for the Cloud

Cloud-Agnostic Private, Public and Hybrid Environments

  • License flexibility
  • Asset inventory integration
  • Docker and container aware
  • Discover online & offline instances
  • Leverage Hypervisor APIs
  • Agent technologies
  • Respects OS and application hardening
  • Fully automated for passwords & API
  • Auditing, reporting and change-aware
  • Proxy access
  • Session management
  • Regulatory compliance

SLIDE 13

DevOps

SLIDE 14

DevOps Security Strategy

  • DISCOVER & INVENTORY
  • GAIN ACCOUNTABILITY OVER SHARED ACCOUNTS
  • ELIMINATE HARD-CODED PASSWORDS
  • RESTRICT PRIVILEGES
  • SCAN FOR VULNERABILITIES
  • ENSURE CONFIGURATION COMPLIANCE
  • ENFORCE APPROPRIATE CREDENTIAL USAGE
  • SEGMENT NETWORKS

Secure DevOps

  • Asset Management
  • Password Management
  • Privilege Management
  • Hardening and Security Best Practices
  • Vulnerability Management
  • A2A Security
  • Least Privilege Management
  • Network Design

SLIDE 15

Privilege Automation for DevOps

  • Only allow approved assets; identify unacceptable variations
  • Identify security risks and automatically remediate them
  • Ensure configuration hardening
  • Eliminate all locations for hard-coded credentials
  • Platform-agnostic, from cloud to on premise
  • Limit all users, including privileged access, in the DevOps automated workflow
  • Provide security and performance visibility to ensure security and automation success

SLIDE 16

IoT / IIoT

SLIDE 17

Privilege Management for IoT, IIoT, ICS, SCADA

Zones: Internet | Public | Private | Air-Gapped

Segmentation: Users | Servers | DMZ | Guest | Dumb Devices

Device Type & Risk: IoT | IIoT | ICS | SCADA

Communications and Restricted Lateral Movement Privileged Access

SLIDE 18

The Privileged IoT Perspective

  • IoT asset and inventory management
  • Risk assessment with vulnerability management
  • Password management and privileged session access
  • Command line least privilege management
  • Policy and script repository

SLIDE 19

Privilege Security Threats

SLIDE 20

Privilege Security Threats

  • Guessing
  • Dictionary attacks
  • Brute Force
  • Pass the Hash
  • Security questions
  • Password resets
  • Vulnerabilities
  • Misconfigurations
  • Exploits
  • Malware
  • Social engineering
  • MFA flaws
  • Default credentials
  • Anonymous
  • Predictable
  • Shared credentials
  • Temporary
  • Reused

Insider Threats | External Threats | Hidden Threats

SLIDE 21

Accountability for Privileges

  • Privileged account discovery
  • Develop permissions model
  • Rotate passwords and keys
  • Workflow process and auditing
  • Define session monitoring
  • Segmentation
  • User behavior analysis

SLIDE 22

Privileged Access Management & Privilege Security Maturity

SLIDE 23

Privileged Access Management

  • Provides an integrated approach to enterprise password management
  • Enforces least privilege on all endpoints without compromising productivity or security
  • Ensures administrator and root compliance on Unix, Linux, Windows and Mac
  • Identifies high-risk users and assets by teaming behavioral analytics and risk data with security intelligence from best-of-breed security solutions
  • Achieves unified visibility over accounts, applications, and assets that they protect

ENTERPRISE PASSWORD MANAGEMENT | PRIVILEGE MANAGEMENT | SESSION MANAGEMENT | ADVANCED REPORTING & ANALYTICS | USER BEHAVIOR MONITORING | ACTIVE DIRECTORY BRIDGING

Privileged Access Management

SLIDE 24

IT ECOSYSTEM INTEGRATION | NEW ENTERPRISE DEPLOYMENT: CLOUD, DEVOPS, NETWORK/IOT/ICS/SCADA | UNIFIED MANAGEMENT, REPORTING & THREAT ANALYTICS | Asset discovery & vulnerability scanning | FIM, system-level control | A2A & A2DB

FIM, VBAM, event log monitoring

Session recording & monitoring

The Journey to Privilege-Centric Security

Account discovery | Server least privilege / command elevation & delegation | Password/key storage & rotation | Endpoint least privilege / command elevation & delegation

IDENTIFY & INVENTORY | ELIMINATE EXCESSIVE PRIVILEGES & GAIN GRANULAR COMMAND AND TASK-LEVEL CONTROL

Time | Maturity | Session management

IMPROVE ACCOUNTABILITY & CONTROL OVER SHARED CREDENTIALS

SLIDE 25

About BeyondTrust

SLIDE 26

Privilege-Centric Security for the New Enterprise

  • Identity-Focused: Not network focused
  • Centralized & Modular: Integrates w/ best-of-breed solutions
  • Future-Ready: Built for next-gen IT environments
  • Dynamic: Locations, teams, contexts
  • Risk-Based: Accounts for user & asset risk

Privilege security solutions control, monitor and audit privileged access to systems and data across the expanding enterprise.

SLIDE 27

Infrastructure | Endpoints | Secure Remote Access

  • Secure credentials with Privileged Identity and manage sessions with Privileged Access
  • Empower and protect your service desk with the most secure Remote Support software

Password & Session Management

  • Gain accountability over shared accounts
  • Eliminate hard-coded passwords
  • Monitor privileged sessions and user behavior
  • Enforce appropriate credential usage
  • Eliminate Admin\root rights
  • Enforce Application & command control
  • Efficiently delegate Windows, Mac, Unix & Linux privileges and elevate
  • Enforce appropriate use
  • Risk-based privilege decisions

Privilege Management

On-Premise

PowerBroker Privileged Access Management Platform

Cloud | Hybrid

SLIDE 28

Innovation Leader

30+ years of firsts

  • 1st fully-integrated PAM and VM platform
  • 1st to provide vulnerability insights to inform privilege decisions
  • 1st PAM vendor on all major cloud marketplaces
  • 1st Unix/Linux, Mac and network device PAM solution

Strong roadmap

  • Active threat response
  • Context-aware PAM
  • SaaS-based PAM platform
  • DevOps secrets management

Patented technology

  • 7 patents granted
  • 10 pending

SLIDE 29
Table 1. PASM Vendors and Their Key Capabilities

PAM Industry Leader

  • Leader: Forrester PIM Wave, 2016
  • Leader: Gartner Market Guide for PAM, 2017

SLIDE 30

Morey J. Haber

  • 20+ years security experience
  • Articles on Secure World, Dark Reading, CSO Online, etc.
  • Author of “Privileged Attack Vectors: Building Effective Cyber-Defense Strategies to Protect Organizations” & “Asset Attack Vectors” (covering Vulnerability Management) – both available from Apress Media

SLIDE 31

Questions?

Morey J. Haber Chief Technology Officer mhaber@beyondtrust.com