
The New Cyber Battleground:

Inside Your Network

Chad Froomkin
Major Account Executive
Southeast

1
Why are we here?

90%
of organizations breached

59%
of organizations breached more than once

$3,500,000
Average cost per incident to investigate and remediate

Ponemon Institute - Cost of Data Breach: Global Analysis, 2014

Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK -
CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
2
The new cyber battleground: Inside your network

Over 90% of organizations have been breached

• In the past: “I can stop everything at the perimeter”
• Today: “I can’t stop anything at the perimeter”

Information security focus shifts to inside the network

• Over 35% of breaches are internal – driven by malicious and unintentional insiders
• Compromised credentials empower any attacker to act as an insider

Compliance and audit requirements focus on privileged accounts

• Privileged accounts provide access to the most sensitive and valuable assets
• Information exposure damages brand reputation and customer confidence

3
What do we know?

54% of compromised systems contained malware
94% of breaches are reported by third parties
243: median number of days advanced attackers are on the network before being detected
100% of breaches involved stolen credentials

“We have to assume we have already been breached”
Brian Krebs (Krebs on Security)

Mandiant, M-Trends and APT1 Report, 2014
4
Privileged accounts are targeted in all
advanced attacks

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Mandiant, M-Trends and APT1 Report, 2014

5
Privileged accounts are targeted in all
advanced attacks

“Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”

Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014

6
Privileged accounts are targeted in all
advanced attacks

“…that’s how I know I’m dealing with a sophisticated adversary… if they are targeting privileged accounts, I’ve got a serious APT problem…”

CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013

7
Perimeter defenses are consistently breached

Over 28 Billion spent on IT security in 2014!!!

Over 90% of organizations breached

Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK -
CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014
8
Privileged Account Security:
Now a critical security layer

9
Privilege is at the center of the attack lifecycle
Typical Lifecycle of a Cyber Attack

10
Scope of Privileged Account “attack surface” underestimated

[Chart: In Your Estimation, How Many Privileged Accounts Are There In Your Organization? Response buckets: 1-250, 251-500, 501-1,000, 1,001-5,000, 5,001+, Don't know; share of respondents plotted on a 0% to 35% axis]

Cyber - Privileged Account Security & Compliance Survey, 2014 (Enterprises > 5000 Employees)

11
Many organizations only use partial measures

[Chart: Do you monitor and record privileged activity? Pie chart split 28% / 72%]

[Chart: How Do You Monitor Or Record Privileged Account Activity? Options: Paper-based, Homegrown SW, IAM Solutions, PIM Software, SIEMs, DAM, Other; share of respondents plotted on a 0% to 25% axis]

Cyber - Privileged Account Security & Compliance Survey, 2014

12
Privileged Accounts create a HUGE attack surface

Privileged accounts exist in every connected device, database, application, industrial controller and more!

Typically a ~3X ratio of privileged accounts to employees

13
What, Where & Why of Privileged Accounts

Elevated Personal accounts
Scope: • Personal accounts w/ elevated permissions • Cloud providers • Web sites
Used by: • IT staff • Any employee
Used for: • Privileged operations • Access to sensitive information

All Powerful / Shared accounts
Scope: • Administrator • UNIX root • Cisco Enable • Oracle SYS • Local Administrators • ERP admin • Legacy applications
Used by: • IT staff • Sys admins/Net admins • DBAs • Help desk • Developers • Social media mgrs
Used for: • Emergency • Fire-call • Disaster recovery • Privileged operations • Access to sensitive information
(Difficult to Control, Manage & Monitor – Privileged Accounts Pose Devastating Risk if Misused)

Application Accounts / App IDs (App2App)
Scope: • Applications/scripts • Hard coded/embedded • Service Accounts
Used by: • Windows Services • Scheduled Tasks • Batch jobs, etc • Developers
Used for: • Online database access • Batch processing • App-2-App communication

14
Telecom breaches draw attention to insider access
issues

▪ August 2014: A global top 5 telecommunications company reported that, for the 2nd time in
2014, a privileged insider gained unauthorized access to customer information.
“We’ve recently determined that one of our employees violated our strict privacy and security
guidelines by accessing your account without authorization and while doing so, would have
been able to view and may have obtained your account information, including your social
security number and driver's license number”
▪ Yet another reminder that true technical controls need to be put in place to better manage
the privileges and access that employees have to data and systems.

15
Chinese hack U.S. weather systems & satellite
network

▪ October 2014: A federal agency recently had four of its websites attacked by
hackers from China. To block the attackers, government officials were forced to
shut down a handful of its services.
▪ Post breach, security testing discovered multiple weaknesses:
■ “Weak or default passwords and operating system vulnerabilities with well
documented exploits”
■ Significant problems with remote access
■ Assessment results lacked supporting evidence – lack of audit logs

16
The framework of a retail breach

• Access via compromised 3rd party account
• Escalation of privileges (for example via Pass the Hash)
• Once necessary privileges are obtained, install malware on POS
• Install Remote Administration Tools, exfiltrate data
→ Goal

17
The Privileged Account Security maturity model

Baseline maturity: Discover and control
Medium maturity: Manage and monitor
High maturity: Expand scope and automate

18
1) Baseline Maturity

Discover and control
• Inventory the privileged accounts
• Limit standard user accounts
• Establish on- and off-boarding processes
• Remove non-expiring passwords
• Securely store passwords
• Ensure attribution

Baseline maturity

19
2) Medium Maturity

Manage and monitor
• Schedule password changes
• Utilize one-time passwords
• Implement session recording
• Prevent human usage of service accounts
• Control application accounts
• Detect anomalies

Medium maturity

20
3) High Maturity

Expand scope and automate
• Use multi-factor authentication
• Replace all hard-coded passwords in applications
• Employ next-generation jump-servers
• Implement approval and monitoring workflows
• Proactively detect malicious behavior

High maturity

21
Critical steps to stopping advanced threats

Discover all of your privileged accounts

Protect and manage privileged account credentials

Control, isolate and monitor privileged access to servers and databases

Use real-time privileged account intelligence to detect and respond to in-progress attacks
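The maturity-model slides and the four critical steps above are a checklist, not a procedure, so here is an added example (my own code, not CyberArk's and not any product's output) of what the baseline and medium-maturity checks look like when run over data: it walks a constructed account inventory for non-expiring passwords and unattributed shared accounts, then scans constructed authentication log lines for human use of service accounts and for a shared account logging on from a source outside its known baseline. The inventory fields, the key=value log format, every account name, host and address, and the known-source baseline are all assumptions made up for the example.

```python
"""Added example: baseline and medium-maturity privileged-account checks.
All inventory data, log lines and the log format are constructed for the
example; none of it comes from a real product or environment."""
import re

# Constructed inventory. 'kind' follows the deck's three scopes:
# personal (elevated personal), shared (all-powerful), application (app/service).
ACCOUNTS = [
    {"name": "root", "kind": "shared", "owner": None, "password_never_expires": True},
    {"name": "jsmith-adm", "kind": "personal", "owner": "jsmith", "password_never_expires": False},
    {"name": "svc_backup", "kind": "application", "owner": "backup-team", "password_never_expires": True},
    {"name": "dba_shared", "kind": "shared", "owner": "dba-team", "password_never_expires": False},
]

# Constructed log lines in an assumed key=value format (not any vendor's format).
LOG_LINES = [
    "2014-10-02T02:00:01 host=db01 user=svc_backup logon=service src=10.0.0.5 result=success",
    "2014-10-02T09:14:22 host=db01 user=svc_backup logon=interactive src=10.0.9.77 result=success",
    "2014-10-02T09:20:05 host=web01 user=root logon=remote src=10.0.0.12 result=success",
    "2014-10-02T10:02:44 host=fs01 user=jsmith-adm logon=interactive src=10.0.9.40 result=success",
    "2014-10-02T23:41:19 host=web01 user=root logon=remote src=203.0.113.9 result=success",
]

# Constructed baseline: hosts from which each shared account is expected to be used.
KNOWN_SOURCES = {"root": {"10.0.0.12"}, "dba_shared": {"10.0.0.12"}}

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"logon=(?P<logon>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def non_expiring_passwords(accounts):
    """Baseline step 'remove non-expiring passwords': list the offenders."""
    return sorted(a["name"] for a in accounts if a["password_never_expires"])


def unattributed_shared(accounts):
    """Baseline step 'ensure attribution': shared accounts with no named owner."""
    return sorted(a["name"] for a in accounts if a["kind"] == "shared" and not a["owner"])


def human_use_of_service_accounts(log_lines, accounts):
    """Medium step 'prevent human usage of service accounts': flag application
    accounts seen with an interactive or remote logon instead of a service logon."""
    app_accounts = {a["name"] for a in accounts if a["kind"] == "application"}
    hits = []
    for ev in filter(None, map(parse, log_lines)):
        if ev["user"] in app_accounts and ev["logon"] in ("interactive", "remote"):
            hits.append((ev["ts"], ev["user"], ev["host"], ev["src"]))
    return hits


def shared_account_from_new_source(log_lines, accounts, known_sources):
    """Medium step 'detect anomalies': a shared account used from a source
    address that is not in its known baseline."""
    shared = {a["name"] for a in accounts if a["kind"] == "shared"}
    hits = []
    for ev in filter(None, map(parse, log_lines)):
        if ev["user"] in shared and ev["src"] not in known_sources.get(ev["user"], set()):
            hits.append((ev["ts"], ev["user"], ev["src"]))
    return hits


if __name__ == "__main__":
    print("non-expiring passwords:", non_expiring_passwords(ACCOUNTS))
    print("unattributed shared accounts:", unattributed_shared(ACCOUNTS))
    print("service accounts used by humans:", human_use_of_service_accounts(LOG_LINES, ACCOUNTS))
    print("shared accounts from new sources:",
          shared_account_from_new_source(LOG_LINES, ACCOUNTS, KNOWN_SOURCES))
```

Each function returns the findings rather than printing them so the checks can feed a ticketing or SIEM pipeline; the "new source" check is deliberately crude (an exact allow-list per account) because an attribution gap on a shared account is exactly what the baseline step exists to close.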

22
Enterprise account usage today

Who: Windows Admins, DBAs, Unix Admins, External Vendors, VM Admins, Business Applications, Auditor/Security & Risk

Typical requests:
• “I need the password to map a drive”
• “I need my service provider to connect remotely with root”
• “I just need root to patch a database”
• “I have this script that needs to run as root every night”
• “What are your root entitlements, who used it, when did they use it and why?”

Where: Virtual Servers, Unix/Linux Servers, Windows Servers, iSeries Mainframes, zSeries Mainframe, Network Devices, Security Appliances, Websites & Web Apps, Databases, Applications

23
Requirements for an effective Privileged Account
Security Solution

• Granular Privileged Access Controls
• Privileged User Access Controls
• Protecting & Isolating Sensitive Assets
• Application Identity Controls
• Privileged Activity Monitoring

24
Break the attack chain!!!

25
DNA - Discovery & Audit

Discover where your privileged accounts exist

Clearly assess privileged account security risks

Identify all privileged passwords, SSH keys, and password hashes

Collect reliable and comprehensive audit information

26
The CyberArk Team:

Chad Froomkin – Major Account Executive
Southeast: NC/SC/TN
(770) 322-4201
Chad.Froomkin@cyberark.com

Doug Brecher – Internal Account Executive
Southeast
(617) 796-3264
Doug.Brecher@cyberark.com

27
