
CyberArk

Security for the Heart of the Enterprise

Bogdan Tobol
Regional Sales Director North/Eastern Europe

1
Anunak Attack Summary

Breach Overview
Target: Financial institutions
Attacker: Anunak cybercrime ring
Motivation: Monetary
Goal: Steal money directly from banks
Outcome: >$25M stolen since 2H 2014

What Happened?
Anunak launched targeted attacks against
several banks
Gained privileged access to systems
Transferred money to outside accounts
Compromised ATMs to steal cash

2
Large US Retailer: March 2014 Attack Summary

COMPANY OVERVIEW
Industry Retail

Employees 27,000

Headquarters USA

WHAT HAPPENED?

Early 2014: 260,000 credit cards stolen from a large US retailer went up for sale

Early 2015: The same retailer announced a second intrusion to POS systems

3
Sony Pictures Entertainment Breach Summary

Company Overview
Industry: Media/Entertainment
Revenue: $8 billion
Employees: 6,500
Headquarters: California, US

What Happened:

What was taken: IP, IT information, employee PII, and more
Alleged threat actor: North Korea
Likely motivation: Brand damage
Impact: Complete loss of IT control, brand damage, pulled movie premiere

4
Privileged Accounts are Targeted in All
Advanced Attacks

"APT intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts."

"100% of breaches involved stolen credentials."

Mandiant, M-Trends and APT1 Report

5
Privileged Credentials are Everywhere

Privileged Accounts

Routers, Firewalls, Hypervisors, Databases, Applications
Power Plants, Factory Floors
Routers, Firewalls, Servers, Databases, Applications
WiFi Routers, Smart TVs
Laptops, Tablets, Smartphones

6
Privilege is At The Center of the Attack Lifecycle
Typical Lifecycle of a Cyber Attack

7
Hijacked Credentials Put the Attacker in Control

Compromised Privileged Accounts

Routers, Firewalls, Hypervisors, Databases, Applications
Power Plants, Factory Floors
Routers, Firewalls, Servers, Databases, Applications
WiFi Routers, Smart TVs
Laptops, Tablets, Smartphones

Enable attackers to:
Bypass security controls & monitoring
Access all of the data on the device
Disrupt normal operation of the device
Cause physical damage

8
CyberArk Breaks the Attack Chain

9
CyberArk Delivers a New Critical Security Layer

PERIMETER SECURITY

SECURITY CONTROLS INSIDE THE NETWORK

MONITORING

PRIVILEGED ACCOUNT SECURITY

10
Privilege Account Security Across the Stack

Data Security
Application Security
End Point Security
Network Security

Privileged Account Security (spanning all four layers)

11
Solving The Privileged Account Security Problem

Advanced, External Threats
Insider Threats
Audit & Compliance

Securing Application Credentials
Securing Shared Admin Accounts
Control & Accountability for Privileged Users
Compliance Reporting
Remote User Access Control
Monitor & Record Privileged Activity

Enterprise, Cloud, SCADA/ICS

12
Comprehensive Controls on Privileged Activity

Lock Down Credentials: Protect privileged passwords and SSH keys

Isolate & Control Sessions: Prevent malware attacks and control privileged access

Continuously Monitor: Implement continuous monitoring across all privileged accounts

Products: Enterprise Password Vault, SSH Key Manager, Application Identity Manager, Privileged Session Manager, On-Demand Privileges Unix, OPM Windows, Privileged Threat Analytics

13
The Problem: Users with admin rights can

Install kernel-mode root kits


Install system-level key loggers
Install Malicious ActiveX controls, including IE and Explorer extensions
Install spyware and adware
Install malware; Pass-the-Hash exploits
Install and start services
Stop existing services (such as the firewall)
Access data belonging to other users
Cause code to run whenever anybody else logs on to that system
Replace OS and other program files with Trojan horses
Disable/uninstall anti-virus
Create and modify user accounts
Reset local passwords
Render the machine unbootable
And more

14
Pain varies based on role and current state of
admin privilege management

Scenario A: Users have local admin rights
Scenario B: Local admin rights are removed

Buyer: Operations Team (Desktop Engineering, IT Planning and Engineering, Director of IT)
Scenario A pain: Spends lots of time fixing damage and remediating incidents on users' laptops.
Question: How much time and effort do you spend responding to endpoint incidents?
Scenario B pain: Handles consistent help desk calls as users need privileges to install and run approved applications.
Question: How do you handle events that generally require local admin rights?

Buyer: Security Team (Security Analyst, Security Architect, Director of IT Security)
Scenario A pain: Limited ability to protect the organization due to a giant, unmanaged attack surface.
Question: How many security incidents could you prevent each year by eliminating local admin rights?
Scenario B pain: Forced to manage privilege creep, as users regain local admin rights to run business applications.
Question: How do you revoke local admin rights once they are no longer needed by business users?
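Both scenarios above come down to knowing who actually holds local admin rights on an endpoint. The following PowerShell audit is an added example and not part of the CyberArk deck: it lists the members of the local Administrators group and reports anything outside a constructed allow-list, so stale or creeping grants can be reviewed and revoked. The group names in $ExpectedAdmins are placeholders for your own baseline; it assumes PowerShell 5.1+ with the built-in LocalAccounts module.

```powershell
# Added example, not from the deck. Audits local Administrators membership on
# this Windows endpoint against an expected baseline and reports the rest.
# Requires PowerShell 5.1+ (Get-LocalGroupMember / Remove-LocalGroupMember).

# Constructed allow-list: replace these placeholder names with your baseline.
$ExpectedAdmins = @(
    'EXAMPLE\Domain Admins',        # placeholder domain group
    'EXAMPLE\Workstation Admins'    # placeholder approved admin group
)

function Get-UnexpectedLocalAdmins {
    param(
        [string[]]$AllowedNames,
        [string]$Group = 'Administrators'
    )
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    foreach ($m in $members) {
        # RID 500 is the built-in local Administrator; it is always present and
        # is skipped here because its display name varies when renamed.
        if ($m.SID.Value -like 'S-1-5-21-*-500') { continue }
        if ($AllowedNames -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass       # User or Group
                PrincipalSource = $m.PrincipalSource   # Local, ActiveDirectory, ...
                SID             = $m.SID.Value
            }
        }
    }
}

$findings = Get-UnexpectedLocalAdmins -AllowedNames $ExpectedAdmins
if ($findings) {
    $findings | Format-Table -AutoSize
    # After confirming a grant is no longer needed, revoke it with:
    # Remove-LocalGroupMember -Group 'Administrators' -Member '<DOMAIN\user>'
} else {
    Write-Output "No unexpected members in local Administrators on $env:COMPUTERNAME"
}
```

Run it on each endpoint (for example through your existing management tooling) and collect the output centrally; the same baseline comparison then shows where privilege creep is reappearing over time.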

15
Recap: Least Privilege + App Control = Reduced Risk

Least Privilege: Limit privileges for business and administrative users.
Gap: Malicious applications that don't need privileges can still get in.

Application Control: Only allow whitelisted, trusted applications.
Gap: Applications that require privileges require users to have local admin privileges.

Combined, least privilege and application control enable organizations to reduce the attack surface and block the progression of malware-based attacks.

16
Privileged Accounts are Targeted in All
Advanced Attacks

"Anything that involves serious intellectual property will be contained in highly secure systems and privileged accounts are the only way hackers can get in."

Avivah Litan, Vice President and Distinguished Analyst at Gartner, 2012

17
Can We Really Isolate All Critical Networks?

The assumption that all critical networks could be isolated is very problematic:

Removable media
Mistakes and temporary connections
Remote access

How do we design a truly secure remote access system?
A design that will also help secure against the first two types of threat

18
Securing Access Into the ICS/OT Network

[Diagram: Corporate Network (Third party vendor, Supervisor) connecting over VPN through the DMZ firewall into the DMZ (Web Portal, PSM, Password Vault, Session Recording, Anti Virus & Content Filtering), then through the ICS firewall into the ICS Network (Databases, UNIX Servers, Windows Servers, Routers & Switches, SCADA Devices).]
19
SSH Keys: A Critical Privileged Account Problem

SSH keys are commonly used by users and machines to access Privileged Accounts. They are an attack vector commonly used to gain access to critical systems.

51%
of companies report being impacted
by SSH key related compromises*

*Source: Ponemon Institute

20
Layers of Security in the Digital Vault

Hierarchical Vault Safes
Encryption
Tamper-Proof Auditability
Comprehensive Monitoring
Segregation of Duties
Session Encryption
Firewall
Authentication

21
Sensitive Information Management
Easy, Secure and Compliant File Sharing

SHARE: Sensitive documents between users

AUTOMATE: File transfers between applications

AUDIT: File sharing and access to sensitive documents

22
CyberArk Overview

Trusted experts in privileged account security
1,900 privileged account security customers
40% of Fortune 100

Approach privileged accounts as a security challenge
Designed and built from the ground up for security

Twelve years of innovation in privileged account controls, monitoring and analytics
First with vault, first with monitoring, first with analytics
Over 100 software engineers, multiple patents

Only comprehensive privileged account security solution
One solution, focused exclusively on privileged accounts
Enterprise-proven

[Chart: annual growth 2011-2014, bars labelled 56% GROWTH, 40% GROWTH and 30% GROWTH]

23
IDC Names CyberArk the PAM Market Leader

"CyberArk is the PAM pure-play big gorilla with the most revenue and largest customer base."

SOURCE: "IDC MarketScape: Worldwide Privileged Access Management 2014 Vendor Assessment", by Pete Lindstrom, December 2014, IDC Document #253303
24
Trusted by Customers Worldwide

Over 1,900 Global Customers


40% of Fortune 100
19% of Global 2000

25
Thank you

26
