1 The New Cyber Battleground: Inside Your Network. Chad Froomkin, Major Account Executive, Southeast

2 Why are we here? 90% of organizations breached. 59% of organizations breached more than once. $3,500,000 average cost per incident to investigate and remediate. Sources: Ponemon Institute, Cost of Data Breach: Global Analysis, 2014; Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014.

3 The new cyber battleground: Inside your network
▪ Over 90% of organizations have been breached
▪ In the past: “I can stop everything at the perimeter.” Today: “I can’t stop anything at the perimeter.”
▪ Information security focus shifts to inside the network
▪ Over 35% of breaches are internal – driven by malicious and unintentional insiders
▪ Compromised credentials empower any attacker to act as an insider
▪ Compliance and audit requirements focus on privileged accounts
▪ Privileged accounts provide access to the most sensitive and valuable assets
▪ Information exposure damages brand reputation and customer confidence

4 What do we know?
▪ 54% of compromised systems contained malware
▪ 94% of breaches are reported by third parties
▪ Median number of days advanced attackers are on the network before being detected
▪ % of breaches involved stolen credentials
Source: Mandiant, M-Trends and APT1 Report, 2014. “We have to assume we have already been breached” – Brian Krebs (Krebs on Security)

5 Privileged accounts are targeted in all advanced attacks. Mandiant, M-Trends and APT1 Report, 2014: “…100% of breaches involved stolen credentials.” “APT intruders… prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

6 Privileged accounts are targeted in all advanced attacks. Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2014: “Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in.”

7 Privileged accounts are targeted in all advanced attacks. CyberSheath, APT Privileged Account Exploitation: Securing Organizations against Advanced, Targeted Attacks, 2013: “…that’s how I know I’m dealing with a sophisticated adversary… if they are targeting privileged accounts, I’ve got a serious APT problem…”

8 Perimeter defenses are consistently breached. Over 28 billion spent on IT security in 2014!!! Over 90% of organizations breached. Sources: Cisco Talos, Deloitte Financial Advisory Services, Deloitte & Touche LLP, Mandiant, RSA, Verizon RISK; CyberArk Threat Report: Privileged Account Exploits Shift the Front Lines of Cyber Security, 2014.

9 Privileged Account Security: Now a critical security layer

10 Typical Lifecycle of a Cyber Attack: privilege is at the center of the attack lifecycle.

11 Scope of Privileged Account “attack surface” underestimated. Source: Cyber - Privileged Account Security & Compliance Survey, 2014 (enterprises with more than 5,000 employees).

12 Many organizations only use partial measures. Source: Cyber - Privileged Account Security & Compliance Survey, 2014. Survey question: Do you monitor and record privileged activity?

13 Privileged accounts create a HUGE attack surface. Privileged accounts exist in every connected device, database, application, industrial controller and more! Typically a ~3X ratio of privileged accounts to employees.

14 What, Where & Why of Privileged Accounts (Scope / Used by / Used for)
Elevated Personal accounts
▪ Scope: Cloud providers; personal accounts w/ elevated permissions; web sites
▪ Used by: IT staff; any employee
▪ Used for: Privileged operations; access to sensitive information
Shared Privileged Accounts
▪ Scope: Administrator; UNIX root; Cisco Enable; Oracle SYS; Local Administrators; ERP admin
▪ Used by: IT staff (sys admins/net admins, DBAs, help desk, developers, social media mgrs); legacy applications
▪ Used for: Emergency fire-call; disaster recovery; privileged operations; access to sensitive information
Application Accounts (App2App)
▪ Scope: Hard-coded/embedded App IDs; service accounts
▪ Used by: Applications/scripts; Windows Services; Scheduled Tasks; batch jobs, etc.; developers
▪ Used for: Online database access; batch processing; App-2-App communication
All powerful. Difficult to control, manage & monitor. Pose devastating risk if misused.

15 Telecom breaches draw attention to insider access issues ▪ August 2014: A global top 5 telecommunications company reported that, for the 2nd time in 2014, a privileged insider gained unauthorized access to customer information. “We’ve recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization and while doing so, would have been able to view and may have obtained your account information, including your social security number and driver's license number.” ▪ Yet another reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems.

16 Chinese hack U.S. weather systems & satellite network ▪ October 2014: A federal agency recently had four of its websites attacked by hackers from China. To block the attackers, government officials were forced to shut down a handful of its services. ▪ Post breach, security testing discovered multiple weaknesses: ■ “Weak or default passwords and operating system vulnerabilities with well documented exploits” ■ Significant problems with remote access ■ Assessment results lacked supporting evidence – lack of audit logs

17 The framework of a retail breach: Access via compromised 3rd party account → Escalation of privileges (for example via Pass the Hash) → Once necessary privileges are obtained: install malware on POS, install Remote Administration Tools → Goal: exfiltrate data.

18 The Privileged Account Security maturity model: Baseline maturity – Discover and control; Medium maturity – Manage and monitor; High maturity – Expand scope and automate.

19 1) Baseline Maturity – Discover and control
▪ Inventory the privileged accounts
▪ Limit standard user accounts
▪ Establish on- and off-boarding processes
▪ Remove non-expiring passwords
▪ Securely store passwords
▪ Ensure attribution

20 2) Medium Maturity – Manage and monitor
▪ Schedule password changes
▪ Utilize one-time passwords
▪ Implement session recording
▪ Prevent human usage of service accounts
▪ Control application accounts
▪ Detect anomalies

21 3) High Maturity – Expand scope and automate
▪ Use multi-factor authentication
▪ Replace all hard-coded passwords in applications
▪ Employ next-generation jump-servers
▪ Implement approval and monitoring workflows
▪ Proactively detect malicious behavior

22 Critical steps to stopping advanced threats
▪ Protect and manage privileged account credentials
▪ Control, isolate and monitor privileged access to servers and databases
▪ Use real-time privileged account intelligence to detect and respond to in-progress attacks
▪ Discover all of your privileged accounts
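The maturity-model controls in slides 19 to 21 and the critical steps in slide 22 are stated as goals, not as checks. The following is an added example written for this transcript (it is not CyberArk's code and does not describe their product) that turns several of them into an auditable script: it walks a privileged-account inventory and flags accounts with no accountable owner (ensure attribution), non-expiring passwords, passwords older than a rotation schedule, and service accounts that have been used interactively, then runs a simple anomaly check over privileged logons (a logon from a host the account never used during a baseline window). The account records, logon entries, field names and the 90-day rotation policy are all constructed assumptions.

```python
"""Audit a privileged-account inventory against the maturity-model controls.

Added example for this transcript; not CyberArk's code. All records, field
names and the rotation policy below are constructed sample data/assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy ("schedule password changes")


@dataclass
class Account:
    name: str
    kind: str                         # "personal", "shared" or "service"
    owner: Optional[str]              # accountable person/team (attribution)
    password_set: Optional[datetime]  # last password change, None if unknown
    password_never_expires: bool
    interactive_logons: int           # interactive sessions seen in the audit window


@dataclass
class Logon:
    account: str
    host: str
    when: datetime


def audit_inventory(accounts, now):
    """Return {account name: [finding codes]} for accounts failing a control.

    NO_OWNER -> ensure attribution; NON_EXPIRING_PASSWORD -> remove non-expiring
    passwords; PASSWORD_OVERDUE -> schedule password changes;
    SERVICE_ACCOUNT_INTERACTIVE -> prevent human usage of service accounts.
    """
    findings = {}
    for acct in accounts:
        codes = []
        if acct.owner is None:
            codes.append("NO_OWNER")
        if acct.password_never_expires:
            codes.append("NON_EXPIRING_PASSWORD")
        # An unknown last-change date cannot be shown to be within policy, so
        # it is reported the same way an overdue password is.
        if (acct.password_set is None
                or now - acct.password_set > timedelta(days=MAX_PASSWORD_AGE_DAYS)):
            codes.append("PASSWORD_OVERDUE")
        if acct.kind == "service" and acct.interactive_logons > 0:
            codes.append("SERVICE_ACCOUNT_INTERACTIVE")
        if codes:
            findings[acct.name] = codes
    return findings


def detect_anomalies(logons, cutoff):
    """Flag logons on/after `cutoff` from a host the account never used before it.

    Logons before `cutoff` form each account's baseline of source hosts. An
    account with no baseline at all is flagged on its first logon: a privileged
    account that suddenly starts logging on interactively is itself a signal.
    """
    ordered = sorted(logons, key=lambda e: e.when)
    baseline = {}
    for entry in ordered:
        if entry.when < cutoff:
            baseline.setdefault(entry.account, set()).add(entry.host)
    return [(e.account, e.host, e.when) for e in ordered
            if e.when >= cutoff and e.host not in baseline.get(e.account, set())]


# Constructed sample inventory and logon records (not from the slides).
NOW = datetime(2014, 12, 1, 9, 0)
CUTOFF = datetime(2014, 11, 15)
SAMPLE_ACCOUNTS = [
    Account("jsmith-admin", "personal", "jsmith", NOW - timedelta(days=20), False, 14),
    Account("root-dbprod01", "shared", None, NOW - timedelta(days=400), True, 3),
    Account("svc-backup", "service", "backup-team", NOW - timedelta(days=45), False, 2),
    Account("svc-etl", "service", "data-eng", None, False, 0),
]
SAMPLE_LOGONS = [
    Logon("root-dbprod01", "jump01", datetime(2014, 11, 3, 10, 5)),
    Logon("jsmith-admin", "ws-jsmith", datetime(2014, 11, 5, 8, 50)),
    Logon("root-dbprod01", "jump01", datetime(2014, 11, 10, 16, 40)),
    Logon("root-dbprod01", "jump01", datetime(2014, 11, 20, 11, 15)),
    Logon("jsmith-admin", "ws-jsmith", datetime(2014, 11, 25, 9, 2)),
    Logon("svc-backup", "ws-jsmith", datetime(2014, 11, 27, 13, 30)),
    Logon("root-dbprod01", "ws-kiosk07", datetime(2014, 11, 28, 2, 13)),
]

if __name__ == "__main__":
    for name, codes in audit_inventory(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {', '.join(codes)}")
    for account, host, when in detect_anomalies(SAMPLE_LOGONS, CUTOFF):
        print(f"ANOMALY {when:%Y-%m-%d %H:%M} {account} from {host}")
```

On the sample data the shared root account fails three controls at once, the backup service account is flagged because a human has been logging on with it, and the anomaly pass surfaces the root logon from a kiosk at 02:13 that no earlier baseline record explains. In a real deployment the inventory would come from a discovery scan of directories, hosts and databases (slide 26) and the logons from session recording, but the checks themselves stay this simple.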

23 Enterprise account usage today. Systems: Virtual Servers, Unix/Linux Servers, iSeries Mainframes, Windows Servers, zSeries Mainframe, Databases, Applications, Network Devices, Security Appliances, Websites & Web Apps. Users: Unix Admins, Windows Admins, DBAs, VM Admins, External Vendors, Business Applications, Auditor/Security & Risk. Typical requests: “I need the password to map a drive.” “I need my service provider to connect remotely with root.” “I just need root to patch a database.” “I have this script that needs to run as root every night.” And from audit/security & risk: “What are your root entitlements, who used it, when did they use it and why?”

24 Requirements for an effective Privileged Account Security Solution: Granular Privileged Access Controls; Privileged User Access Controls; Protecting & Isolating Sensitive Assets; Privileged Activity Monitoring; Application Identity Controls.

25 Break the attack chain!!!

26 DNA - Discovery & Audit: Discover where your privileged accounts exist; clearly assess privileged account security risks; identify all privileged passwords, SSH keys, and password hashes; collect reliable and comprehensive audit information.

27 The CyberArk Team: Chad Froomkin – Major Account Executive Southeast: NC/SC/TN (770); Doug Brecher – Internal Account Executive Southeast (617)