1. Privileged Identity – The Core of the Kill Chain
Shawn Croswell, CISSP
Senior Security Engineer
scroswell@xceedium.com
@shawncroswell on Twitter
2. Introducing Xceedium
© Copyright 2015, Xceedium, Inc. February 2015
Awards: Best Overall IT Company; Best Privileged Access Management Solution (two awards); Gold: Innovations in Cloud Security; Silver: Innovations in Privileged Identity Management
• Leading Privileged Identity Management solution for hybrid enterprises
• Global Fortune 1000 and US government customer base
• Headquartered in Herndon, VA
• Flagship Product: Xsuite®
3–5. 2013 – Year of the Mega Breach
High profile breaches spanned the globe
• Target, Adobe, Facebook, LinkedIn, Groupon Taiwan, LivingSocial, Evernote, Supervalu, …
Target was the poster child
• 40 million credit cards stolen
• $4 billion loss in market cap
• 46% loss in 4Q profits
• CEO, 7 board directors removed
Headline figures (Symantec Internet Security Threat Report 2014; SANS/Symantec):
• 62% increase in breaches (year over year)
• 552 million identities compromised
• 40% of the population of South Korea had personal data exposed
• 150 million records compromised in a single breach (Adobe)
• 95% of all attacks on enterprise networks are a result of spearphishing attempts
• 77% of scanned public websites contained vulnerabilities that could be exploited
6. 2014 – High Profile Breaches Accelerate
3 of top 10 breaches of all time
Home Depot - 56 million credit cards stolen ($4.3 billion loss in market cap)
• Compromised privileged credentials used to deploy custom malware on self-checkout systems
CodeSpaces - forced out of business
• Privileged credential breach of AWS account
Sony Pictures - pulled movie release
• Unprecedented waterfall effect
7. The Common Thread?
“Stealing and exploiting privileged accounts is a critical success factor for attackers in 100% of all advanced attacks, regardless of attack origin.”
8. 10+ Years of Global Breach
[Chart: breaches plotted by year, 2004 to 2014, sized by records lost. Labelled incidents: Court Ventures 200,000,000; Massive American Business Hack 160,000,000; Adobe 152,000,000; Ebay 145,000,000; Heartland 130,000,000; TJ Maxx 94,000,000; AOL 92,000,000; Anthem 80,000,000; Sony PSN 77,000,000; JP Morgan Chase 76,000,000; US Military 76,000,000; Target 70,000,000; Home Depot 56,000,000; Evernote 50,000,000; Living Social 50,000,000; RockYou! 32,000,000; VA 26,500,000; Zappos 24,000,000; AOL 20,000,000; AOL 2,400,000. Incidents shown without a size: Community Health Services, Gmail, Sony, Mozilla, Japan Airlines, Staples, UPS, NASDAQ, Neiman Marcus, Korea Credit Bureau, European Central Bank, UbiSoft, Ubuntu, Compass Bank, Citigroup, Monster.com, KDDI, Fidelity Bank, CardSystems Solutions, AT&T, Jefferson County, Apple, NHS, VA Dept Health, US National Guard, CheckFree, US Military, JP Morgan, and numerous telecom operators.]
* Source-
9. What is Privileged Access?
[Diagram: hackers and malware/APT reaching privileged accounts over the Internet, on premise and in the public cloud]
On Premise (Employees/Partners)
• Systems Admins
• Network Admins
• DB Admins
• Application Admins
Public Cloud (Apps)
• VMware Administrator
• AWS Administrator
• Microsoft Office 365 Administrator
10. Who are Privileged Users?
Ponemon Institute, June 2014
11. Existing Security Layers Have Been Breached
• Melissa, Code Red, etc.
• Mydoom, Bagle, DM5, etc.
• Zeus, Aurora, Conficker, etc.
• Stuxnet, GitHub, NSA, etc.
“Over 90% of enterprises today have already been breached with active malware networks running” -- Ponemon Institute 2013
Annual Worldwide IT Security Spend: $28 Billion (Gartner 2014)
12. Privilege: Core of the Breach Kill Chain
[Diagram: a network perimeter separates external threats (threat actor) from internal threats (trusted insider); both follow the same kill chain stages: Gain/Expand Access; Elevate Privilege; Lateral Movement, Reconnaissance; C&C, Data/IP Exfiltration; Wreak Havoc]
• Weak Authentication/Default Passwords
• Stolen/Compromised Credentials
• Poor Password/Key Management
• Shared Accounts/Lack of Attribution
• Authentication = Access Control
• No Limits on Lateral Movement
• No Limits on Commands
• Lack of Monitoring/Analysis
13. KPMG Corroborates Breach Stats
14. As Does FireEye
Over 1,200 trial deployments and 6 months of data show:
Component            Customers that reported using this security measure   Breach rate
Firewall             212                                                    100%
IDS/IPS              119                                                    100%
Web proxy            138                                                    100%
Network anti-virus    75                                                    100%
Endpoint AV          169                                                    100%
Other anti-malware    33                                                    100%
Mandiant/FireEye, 2014
15. PIM – A New Security Imperative
If breach is the rule, not the exception, and privileged identity is at the core of the breach kill chain, then privileged identity needs to be an enterprise’s most protected asset.
We need a new security layer!
16. Break The Kill Chain: Strong Authentication
[Diagram: the breach kill chain from slide 12]
• Strong Authentication
  • AD/LDAP Integration
  • Multifactor Hardware/Software
  • PIV/CAC Card Support
  • SAML
• Login Restriction
  • Origin IP
  • Time of Day
17. Break The Kill Chain: Prevent Unauthorized Access
[Diagram: the breach kill chain from slide 12]
• Zero Trust – Deny All, Permit by Exception
• Role-Based Privileged User Access Limits
• Privileged User Single Sign on
• Command Filtering
• Leapfrog Prevention
• Proactive Policy Violation Prevention
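The controls on slides 16 and 17 combine into a single deny-by-default decision. The following is an added example, not code from Xceedium or Xsuite: a minimal policy check for a privileged-access gateway that enforces origin-IP and time-of-day login restriction, role-based target limits, command filtering and leapfrog prevention. The role, hosts, network ranges and command patterns are constructed for illustration.

```python
# Added example, not code from Xceedium or Xsuite: a minimal deny-by-default
# policy check for a privileged-access gateway, combining the controls named
# on slides 16 and 17 (origin-IP and time-of-day login restriction, role-based
# target limits, command filtering, leapfrog prevention). Roles, hosts,
# networks and patterns below are constructed for illustration.
import ipaddress
import re
from datetime import time

# Constructed policy. Zero trust: anything not listed here is denied.
POLICY = {
    "dba": {
        "allowed_hosts": {"db01.corp.example", "db02.corp.example"},
        "allowed_from": [ipaddress.ip_network("10.1.0.0/16")],
        "login_window": ("07:00", "19:00"),   # same-day window, local time
        "denied_commands": [r"^\s*rm\s+-rf\s+/", r"^\s*mysqldump\b"],
    },
}
# Commands that would open a further session from inside an allowed one,
# i.e. leapfrog past the gateway to a host the policy never granted.
LEAPFROG = re.compile(r"^\s*(ssh|telnet|rsh|scp|sftp)\b")

def authorize_login(role, target, origin_ip, login_hhmm):
    """Return (allowed, reason); every check must pass or the login is denied."""
    rule = POLICY.get(role)
    if rule is None:
        return False, "unknown role: denied by default"
    if target not in rule["allowed_hosts"]:
        return False, f"{target} is not an authorized system for role {role}"
    ip = ipaddress.ip_address(origin_ip)
    if not any(ip in net for net in rule["allowed_from"]):
        return False, f"origin {origin_ip} is outside the permitted networks"
    start, end = (time.fromisoformat(t) for t in rule["login_window"])
    if not start <= time.fromisoformat(login_hhmm) <= end:
        return False, "outside the permitted login window"
    return True, "ok"

def filter_command(role, command):
    """Return (allowed, reason) for a command entered inside a brokered session."""
    if LEAPFROG.match(command):
        return False, "leapfrog attempt blocked"
    for pattern in POLICY.get(role, {}).get("denied_commands", []):
        if re.match(pattern, command):
            return False, f"command matches denied pattern {pattern!r}"
    return True, "ok"
```

Every reason string is meant to be logged with the decision, so a denied login or filtered command is also an audit event for the monitoring layer on slide 18.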
18. Break The Kill Chain: Improve Forensics, Deter Violations
[Diagram: the breach kill chain from slide 12]
• Continuous monitoring and logging
• Warnings, Session Termination, Alerts
• DVR-like recording and playback of sessions
• Activity Log Reporting
• Privileged Account Use Attribution
• SIEM/SYSLOG Analytics
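Attribution of shared accounts is the analytics step that makes the recorded sessions usable. The following is an added example, not code from Xceedium or Xsuite: it joins constructed gateway session records with constructed sshd lines from a target host, attributes each root login to the individual who held the gateway session, and raises an alert for any root login that no gateway session explains.

```python
# Added example, not code from Xceedium or Xsuite: attribute shared-account
# logins seen in target host logs to the individual who held the gateway
# session at that time, and flag any root login that no session explains.
# Hostnames, addresses, users and log lines are constructed for illustration.
import re
from datetime import datetime

# Constructed gateway session records: who used which shared account, where, when.
GATEWAY_SESSIONS = [
    {"user": "alice", "target": "db01", "account": "root",
     "start": "2015-02-10T09:00:00", "end": "2015-02-10T09:45:00"},
    {"user": "bob", "target": "db01", "account": "root",
     "start": "2015-02-10T13:00:00", "end": "2015-02-10T13:20:00"},
]
GATEWAY_IP = "10.1.0.5"   # all brokered sessions originate from the gateway

# Constructed syslog-style sshd lines collected from the target host.
TARGET_LOG = """\
2015-02-10T09:01:12 db01 sshd[4101]: Accepted publickey for root from 10.1.0.5 port 50112 ssh2
2015-02-10T11:30:02 db01 sshd[4390]: Accepted password for root from 10.1.7.99 port 40022 ssh2
2015-02-10T13:02:40 db01 sshd[4522]: Accepted publickey for root from 10.1.0.5 port 50340 ssh2
"""
LINE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

def attribute_logins(log_text, sessions, gateway_ip):
    """Return (timestamp, host, account, attributed_user, verdict) per login."""
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, account, src = m.groups()
        when = datetime.fromisoformat(ts)
        if src != gateway_ip:
            # Direct login to a shared account: the gateway was bypassed.
            results.append((ts, host, account, None, "ALERT: login bypassed gateway"))
            continue
        holders = [s["user"] for s in sessions
                   if s["target"] == host and s["account"] == account
                   and datetime.fromisoformat(s["start"]) <= when
                   <= datetime.fromisoformat(s["end"])]
        if len(holders) == 1:
            results.append((ts, host, account, holders[0], "attributed"))
        elif not holders:
            results.append((ts, host, account, None, "ALERT: no gateway session covers login"))
        else:
            results.append((ts, host, account, None, "ALERT: ambiguous " + ",".join(holders)))
    return results
```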
19. Xsuite In Action
• Vault & Manage Credentials
• Attribute Identity for Shared Accounts (e.g., Root/Admin)
• Always Record Sessions and Metadata
• Continuously Monitor and Enforce Policy
• Federate Identity and Attribute Activity (SSO)
• Restrict Access to Authorized Systems
• Positively Authenticate Users
20. Don’t Mistake Compliance for Security
The Target Timeline
21. Mandiant Recommends PIM for PCI DSS 3.0
Mandiant 2014 Threat Report
22. US FedGov Requires PIM
Continuous Diagnostics and Mitigation (CDM)
• $6 Billion BPA for IT security
• Phase 2 requires PIM
NIST 800-53r4
FedRAMP v2
23. Forrester – PIM Requirements for Cloud
24. Gartner – PIM Requirements for Cloud
25. Gartner – PIM Requirements for Virtualization
26. Privileged Identity Management – A Necessary New Security Layer
The New Hybrid Enterprise:
• Software Defined Data Center: SDDC Console & APIs
• SaaS Applications: SaaS Consoles & APIs
• Public Cloud - IaaS: Cloud Console & APIs
• Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking
• Enterprise Admin Tools
27. Privileged Identity Management – A Necessary New Security Layer (continued)
Enterprise Management Plane, sitting between the Privileged Accounts and Credentials and the hybrid enterprise of slide 26:
• Vault Credentials
• Centralized Authentication
• Federated Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Monitor & Enforce Policy
• Record Sessions and Metadata
• Full Attribution
A New Security Layer - Control and Audit All Privileged Access
28. Next Generation Privileged Identity Management: Introducing Xsuite®
(Same security layer and hybrid-enterprise coverage as on slides 26 and 27)
Identity Integration; Enterprise-Class Core; Unified Policy Management
Deployment options: Hardware Appliance, AWS AMI, OVF Virtual Appliance
29. Best Practices for PIM
• Privileged identity must be a highly protected core asset (process & technology)
• A Zero-Trust model should be adopted for all privileged access (including applications); some process re-engineering is a reasonable trade-off for the additional security and risk mitigation
• Next generation PIM platforms will make this more manageable, but defense in depth is still required
• Organizations need to employ Protection, Detection, and Response Frameworks specifically focused on Privileged Identities (and associated keys) that span the new Hybrid Enterprise
30. Contact Us
2214 Rock Hill Road, Suite 100
Herndon, VA 20170
Phone: 866-636-5803
linkedin.com/company/xceedium
@Xceedium
info@xceedium.com
facebook.com/xceedium