
PAS ADMINISTRATION
Core PAS Review
CyberArk Training
LESSON OBJECTIVES

This lesson provides an introduction to the CyberArk Privileged Account Security (PAS) solution.
Upon completion of this lesson the participant will be able to:
• Describe the system architecture and flows
• Describe a common attack method and how the PAS solution can be used to minimize exposure to that attack
• Describe the EPV
• Describe the PSM and how it can be used to minimize exposure to attacks
• Describe the PTA and how it can be used to detect and contain attacks
PRIVILEGED ACCOUNT SECURITY

• Privileged accounts are the accounts that hold the “keys to the kingdom”:
  • Administrator on a Windows server
  • Root on a UNIX server
  • Cisco Enable on a Cisco device
• CyberArk’s Privileged Account Security (PAS) solution enables organizations to secure, manage, control and monitor all activities associated with privileged accounts.
PRIVILEGED ACCOUNTS CREATE A HUGE ATTACK SURFACE

[Figure: holders of privileged accounts: System Administrators, 3rd Party & Service Providers, Select Applications, Business Users, Social Networking Account Managers]

Privileged accounts exist in every connected device, database, application, industrial controller and more!

Typically a ~3X ratio of privileged accounts to employees
AN OUTSIDE ATTACKER MUST OBTAIN CREDENTIALS OF AN INSIDER

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Mandiant, M-Trends and APT1 Report
PASS-THE-HASH VULNERABILITY

• One common type of attack is the Pass-the-Hash attack
• For Windows SSO, password hashes are loaded into the Local Security Authority Subsystem Service (LSASS).
  • Hash: a cryptographic (one-way) representation of the password
• Widely available tools such as mimikatz can be used to expose the hashes and move laterally through the network
PRIVILEGE IS AT THE CENTER OF THE ATTACK LIFECYCLE
CYBERARK BREAKS THE ATTACK CHAIN

• Remove insecure storage of Privileged Credentials, making Reconnaissance and Lateral Movement more difficult.
• Workflows allow credentials to be changed immediately after use, reducing exposure to Pass-the-Hash attacks
• Detect potentially malicious access and seal off potential breaches.
CYBERARK: PROACTIVE PROTECTION, DETECTION & RESPONSE

Proactive protection
• Only authorized users
• Individual accountability
• Limit scope of privilege

Targeted detection
• Continuous monitoring
• Malicious behavior
• High risk behavior
• Alerting

Real-time response
• Session termination
• Full forensics record of activity

[Figure: Insider and External actors reaching Privileged Accounts on Hypervisors, Databases/Applications, Endpoints, Network Devices, Industrial Controls and Social Media]
CYBERARK DELIVERS A NEW CRITICAL SECURITY LAYER

[Figure: security layers, outermost to innermost: PERIMETER SECURITY, SECURITY CONTROLS INSIDE THE NETWORK, MONITORING, PRIVILEGED ACCOUNT SECURITY]
COMPREHENSIVE CONTROLS ON PRIVILEGED ACTIVITY

• Lock Down Credentials: Protect privileged passwords and SSH keys
• Isolate & Control Sessions: Prevent malware attacks and control privileged access
• Continuously Monitor: Implement continuous monitoring across all privileged accounts
PRIVILEGED ACCOUNT SECURITY

• Enterprise Password Vault®: Credential Protection & Management
• Privileged Session Manager®: Isolate, Monitor & Record Sessions
• Privileged Threat Analytics: Privileged Attack Detection
• Application Identity Manager/Conjur: DevOps & Apps Secrets Management
• On-Demand Privileges Manager™: *NIX Least Privilege
• Endpoint Privilege Manager: Endpoint Least Privilege, App Control & Credential Theft Protection

Shared Technology Platform: Discovery Engine, Hardened Digital Vault, Secure Audit

Deployment: On-Premises, Hybrid, Cloud
CORE PAS SOLUTION

• Standard Core includes:
  • EPV
    • Vault
    • CPM
    • PVWA
    • PrivateArk Client
  • PSM
  • PTA
• Advanced Core includes:
  • OPM/EPM for NIX/Windows and Domain Controller protection
ADDITIONAL PAS SOLUTIONS

• DevOps and Apps Secrets Management includes:
  • AIM and Conjur
• Endpoint Least Privilege, App Control and Credential Theft Protection includes:
  • EPM for Workstations
CORE PAS SOLUTION

Secure Digital Vault
• A hardened and secured digital vault used to store privileged account information
• Based on a hardened Windows server platform

Central Policy Manager (CPM)
• Performs the password changes on devices

Password Vault Web Access (PVWA)
• The web interface utilized by users to gain access to privileged account information
• Used to configure the Master Policy on the CPM

Privileged Session Manager (PSM)
• Isolates and monitors privileged account activity.

PrivateArk Client
• A thick client used by administrators to perform some configuration tasks of the EPV solution

Privileged Threat Analytics (PTA)
• Monitors and detects malicious privileged account behavior.
SECURE DIGITAL VAULT

• Hardened and secured digital vault used to securely store data for the entire PAS solution, including:
  • Privileged Credentials
  • Audit Data
  • Configuration data for most components
CPM - AUTOMATIC, POLICY-BASED PASSWORD MANAGEMENT

• The Central Policy Manager changes passwords based on organizational requirements
• For many non-AD platforms, a manual process was previously needed to change passwords. In many instances, they were not changed routinely and thus commonly fell out of compliance.
• Managing previously unmanaged accounts automatically with the CPM brings them into compliance and reduces vulnerabilities.
PVWA - PASSWORD VAULT WEB ACCESS

• Main web interface for the PAS solution
• Used by:
  • Administrators to perform management tasks
  • End users to gain access to privileged account information.
ENTERPRISE PASSWORD VAULT SOLUTION OVERVIEW

1. Master/exception policy definition (Security/Risk Management defines the policy; the CPM enforces it)
2. Initial load & reset: Automatic Detection, Bulk upload, Manual
3. Request workflow: Dual control, Integration with ticketing systems, One-time passwords, exclusivity and more.
4. Direct connection to device
5. Auditor access

[Figure: IT users request access through the PVWA (for example "Request access to Windows Administrator on prod.dom.us") and connect to the Enterprise IT Environment; Auditors request to view reports. The EPV holds the managed accounts (Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN, Cisco enable) with vault-generated random passwords in place of the shared password shown in the example table.]
PRIVILEGED SESSION MANAGER (PSM)
VALUE OF PRIVILEGED SESSION MANAGEMENT

• ISOLATE: Prevent cyber attacks by isolating desktops from sensitive target machines
• CONTROL: Create accountability and control over privileged session access with policies, workflows and privileged single sign-on
• MONITOR: Deliver continuous monitoring and compliance with session recording, with zero footprint on target machines
PSM – SESSION ISOLATION / JUMP SERVER

• The PSM acts as a jump server, stopping malware contamination of target servers
• Restrict access to Target Servers to the IP address of the PSM Server to stop users connecting manually.

[Figure: a Malware-Infected Desktop Computer reaches the Target Server only via PVWA and an RDP session through the PSM Server; a Direct RDP Connection from the desktop to the Target Server is blocked]
CYBERARK PRIVILEGED SESSION MANAGER

1. Logon through PVWA (HTTPS)
2. Connect (RDP over HTTPS to the PSM)
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog

[Figure: PSM connecting with native protocols to Databases, Windows/UNIX Servers, Web Sites, Routers and Switches and ESX\vCenters; credentials and recordings exchanged with the Vault; logs sent to SIEM/Syslog]
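An added defender-side example (not CyberArk code) of the control the jump-server slides imply: if all privileged RDP must pass through the PSM, any successful RDP logon on a target server whose source address is not the PSM is a bypass worth alerting on. The PSM address, host names and the simplified Windows 4624 events are constructed.

```python
"""Flag RDP logons to target servers that did not come through the PSM.

Added example, not CyberArk code. Assumes Windows Security events are
available as dicts in a simplified 4624 shape (LogonType 10 is
RemoteInteractive, i.e. RDP) and that the PSM server's address is known.
"""

# Constructed assumption: a single PSM server at 10.0.5.20.
PSM_IPS = {"10.0.5.20"}

# Constructed sample events: one logon via the PSM, two direct RDP logons
# from a workstation, and one console logon that is not RDP at all.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "Computer": "prod-db01",
     "IpAddress": "10.0.5.20", "TargetUserName": "Administrator"},
    {"EventID": 4624, "LogonType": 10, "Computer": "prod-db01",
     "IpAddress": "10.0.7.44", "TargetUserName": "Administrator"},
    {"EventID": 4624, "LogonType": 2, "Computer": "prod-db01",
     "IpAddress": "-", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "LogonType": 10, "Computer": "prod-web02",
     "IpAddress": "10.0.7.44", "TargetUserName": "jdoe"},
]


def rdp_bypass_findings(events, psm_ips=PSM_IPS):
    """Return (computer, source_ip, user) for each RDP logon not sourced from a PSM.

    Only successful RemoteInteractive logons are considered; anything whose
    source address is a PSM is the expected path and is ignored.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue  # not a successful RDP logon
        src = ev.get("IpAddress", "-")
        if src in psm_ips:
            continue  # came through the jump server as intended
        findings.append((ev["Computer"], src, ev["TargetUserName"]))
    return findings


if __name__ == "__main__":
    for host, src, user in rdp_bypass_findings(SAMPLE_EVENTS):
        print(f"ALERT: direct RDP to {host} from {src} as {user} (bypassed PSM)")
```

In production the same check is cheaper as a host firewall rule on each target that only allows TCP 3389 from the PSM address; the log-based version catches targets where that rule is missing.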
SESSIONS SEARCH PAGE
TEXT RECORDING WITH POINT-IN-TIME VIDEO PLAYBACK

Selecting a command takes you to the specific point in the video
PRIVILEGED THREAT ANALYTICS

• CyberArk’s Privileged Threat Analytics detects malicious privileged account behavior.
• By comparing current privileged activity in real time to historical activity, CyberArk can detect and identify anomalies as they happen, allowing the incident response team to respond and disrupt the attack before serious damage is done.
• By continuously monitoring privileged accounts for reset and change password activities, the PTA can detect when a user changes the password of a managed privileged account without using the CPM, and can automatically respond to contain the risk by reconciling the password of this account.
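An added example (not PTA code) of the detection described in the last bullet: password changes of vault-managed accounts that were not performed by the CPM are flagged, with a reconcile response attached so an automation hook can hand the account back to the CPM. The managed account list, the CPM service account name and the simplified Windows 4723/4724 events are constructed.

```python
"""Flag password changes of vault-managed accounts made outside the CPM.

Added example, not CyberArk/PTA code. Assumes Windows Security events
4723 (a user changed their own password) and 4724 (a password reset by
another account) delivered as dicts, a list of vault-managed account
names, and the account the CPM authenticates with when it rotates passwords.
"""

MANAGED_ACCOUNTS = {"Administrator", "svc_sql", "DB2ADMIN"}  # constructed
CPM_ACCOUNTS = {"svc_cpm"}                                    # constructed

# Constructed sample events: a CPM rotation, a manual reset by an admin,
# a managed account changing its own password, a reset of an unmanaged
# account, and an unrelated logon event.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "svc_cpm", "TargetUserName": "svc_sql", "Computer": "dc01"},
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "Administrator", "Computer": "prod-db01"},
    {"EventID": 4723, "SubjectUserName": "DB2ADMIN", "TargetUserName": "DB2ADMIN", "Computer": "dc01"},
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "jdoe_test", "Computer": "prod-db01"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "Administrator", "Computer": "prod-db01"},
]


def out_of_band_password_changes(events, managed=MANAGED_ACCOUNTS, cpm=CPM_ACCOUNTS):
    """Return one finding per managed-account password change not done by the CPM.

    A change made by the CPM account is the expected rotation and is skipped.
    Every other change (by another user, or by the account itself) means the
    vault copy is now stale, so the finding carries a "reconcile" response.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") not in (4723, 4724):
            continue  # not a password change/reset event
        target = ev.get("TargetUserName")
        actor = ev.get("SubjectUserName")
        if target not in managed or actor in cpm:
            continue
        findings.append({
            "account": target,
            "changed_by": actor,
            "host": ev.get("Computer"),
            "event_id": ev["EventID"],
            "response": "reconcile",
        })
    return findings


if __name__ == "__main__":
    for f in out_of_band_password_changes(SAMPLE_EVENTS):
        print(f"{f['account']} changed by {f['changed_by']} on {f['host']} -> {f['response']}")
```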
PTA DATA SOURCES

• CyberArk Vault: Collect fine-grained information on individual privileged users for User and Entity Behavior Analysis
• Network Tap or Agent on DC: Collect network traffic for analysis and detection of damaging Kerberos Active Directory attacks
• SIEM: Collect endpoint access logs for behavior analysis on devices and correlation with privileged user information
• EPM: Detect credential theft attempts
• Active Directory: Query Active Directory for understanding the configuration and state of the domain
• PSM: Detect and configure an automatic response to high-risk activities during recorded user sessions

Output of Privileged Threat Analytics: Actionable Privileged Threat Intelligence
IMMEDIATELY RESPOND TO DETECTED INCIDENTS

Privileged Threat Analytics Improves Incident Response

Automatically contain in-progress attacks:
• Automatically invalidate stolen credentials and stop an attacker from continuing their attack
• Automatically reconcile managed privileged accounts when they are changed without using the CPM
• Automatically detect and onboard any new privileged accounts that are discovered
• Minimize damage and limit an attacker’s window of opportunity
• Streamline incident response with automatic containment

[Figure: PROTECT / DETECT / RESPOND cycle around a Compromised Privileged Credential]
HOW DOES IT WORK? – PROFILING USERS AND ACCOUNTS

• Collect: Collecting privileged accounts activity
• Ongoing Profiling: Profiling normal behavior
• Detect: Detecting abnormal privileged accounts activity
HOW PRIVILEGED THREAT ANALYTICS WORKS

Behavioral Analysis: Self-learning statistical model based on a combination of patented algorithms, Vault access data, and target system data gathered from CyberArk inbound SIEM integrations.

[Figure: Privileged Account Activity (a Privileged User accessing the Vault and Critical Systems, plus SIEM Solution data) feeds Behavioral Analysis, which classifies activity as Normal or Abnormal; abnormal activity raises an ALERT to the SIEM and CyberArk]
SUMMARY

In this session we discussed:
• the system architecture and flows
• a common attack method and how the PAS solution can be used to minimize exposure to that attack
• the EPV
• the PSM and how it can be used to minimize exposure to attacks

THANK YOU