Defending the World's Most Secure Enterprises
Roy Duckles, EMEA Channel Director
rduckles@liebsoft.com
+447900576036
© 2014 by Lieberman Software Corporation.

Breach Fatigue

Post Breach Facts
- 100% of victims had up-to-date AV
- 67% of breaches were reported by third parties
- 100% of breaches involved compromised credentials
- 229: the median number of days an attacker was on the network
Source: Mandiant M-Trends 2014 report

How Attackers Gain Access
"The misuse of administrator privileges is a primary method for attackers to spread inside a target enterprise..." (SANS Institute)

Snowden persuaded NSA workers to give up Admin passwords
Edward Snowden used login credentials and passwords provided unwittingly by colleagues to access some 1 million documents relating to classified material. Snowden persuaded between 20 and 25 fellow workers at an NSA regional operations center to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.

Planning and Executing Cyber Attacks
Stages: Reconnaissance, Scanning, Access & Escalation, Exfiltration, Sustainment, Assault, Obfuscation
Tools and resources shown on the slide: Maltego, Metagoofil, exiftool, NMAP, Nessus, Shodan, THC Hydra, Immunity, John the Ripper, Metasploit, Corkscrew, OpenPuff, Sabznameh, Linux identities, Windows identities, Michaeldaw.org, Flashro, Bitblinder, Tor
Each of These Stages Requires Privileged Credentials

Problem with Privileged Accounts
- Unidentified: most organizations don't have a comprehensive inventory of their privileged accounts
- Shared: many are considered Service Accounts with multiple people having access to the password
- Unmanaged: admin IDs do not follow 60-90 day expiration policies, based on their impact when changed
- Targeted: Spear Phishing and other attacks seek admin credentials
- Powerful: have full rights to install malware, delete data, etc.
- Difficult to remediate if compromised

Privileged Accounts Are Everywhere: Your Built-In Vulnerability
Privileged accounts exist in:
- Network Devices
- Systems
- Databases
- Applications
- Component Services

Can You Control and Audit Access?
- Local Admins
- Domain Admins
- Windows Service Accounts
- Windows Scheduler Task RunAs Identities
- Windows Scheduler At Service Accounts
- COM+ Application Identities
- DCOM Object RunAs Identities
- IIS6 Metabase Account Info
- IIS7 Account Info
- SCOM RunAs Accounts
- Accounts in .NET Config
- Credentials in SQL Server
- String Replacements
- SharePoint
- Logon Cache
- Auto Logon Account
- Local Cache
- JAVA Client
- SQL Reporting Services
- IBM, Oracle, SAP, others
...and this is only Windows

You Don't Know What You Don't Know
Even in the best managed data centers, our privileged account audits typically find at least 30% more accounts than were previously known.

Privileged Accounts: Root/Admin Accounts Rarely Change
- It is too difficult to keep changing the privileged accounts and the applications that use them
- We don't have a budget to deal with this
- We don't make any more money to keep systems secure
- The auditors never checked this... we are okay for another year

Are You At Risk?
- Do you know where all your privileged accounts are?
- Who is sharing credentials? Are they accountable?
- Does lack of automation make it impractical to comply with policies?
- Do passwords and keys change?
- Are vendor supplied default passwords in use?
- Will your passwords withstand dictionary attacks?

Privileged Identity Management: Comprehensive Credential Management Process
Automated:
- Discovery of machines, process accounts, local & fire call accounts, services and tasks and everywhere those accounts are referenced
- Password Change Process for randomizing privileged accounts and propagating those changes everywhere the accounts are used to avoid lock outs
- Storage of complex, random passwords in an encrypted repository
- Role Based Provisioning of password access and delegation
- Auditing of every password request, use and change
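
The discovery and change-propagation steps above, sketched as an added example (not Lieberman Software code and not part of the original slides). The account names, hosts, dates and the 90-day limit are constructed assumptions; the limit is the upper end of the 60-90 day policy mentioned earlier.

```python
from collections import defaultdict
from datetime import date

# Constructed discovery output: (account, host, place the credential is stored).
REFERENCES = [
    ("CORP\\svc_backup", "FS01", "Windows service"),
    ("CORP\\svc_backup", "FS02", "Scheduler task RunAs"),
    ("CORP\\svc_backup", "WEB01", "IIS7 application pool"),
    ("CORP\\svc_sql", "DB01", "Windows service"),
    ("DB01\\Administrator", "DB01", "Local admin"),
    ("CORP\\svc_legacy", "APP03", "COM+ application identity"),
]

# Constructed record of the accounts the organization already tracks.
KNOWN = {
    "CORP\\svc_backup": {"changed": date(2012, 3, 1), "holders": ["alice", "bob", "vendor"]},
    "CORP\\svc_sql": {"changed": date(2014, 5, 20), "holders": ["dba-team-vault"]},
    "DB01\\Administrator": {"changed": date(2013, 1, 15), "holders": ["carol"]},
}

def reference_map(references):
    """Group every discovered use of an account so a change can be propagated."""
    usage = defaultdict(list)
    for account, host, location in references:
        usage[account].append((host, location))
    return dict(usage)

def audit(references, known, as_of, max_age_days=90):
    """Return {account: [findings]} for untracked, stale and shared credentials."""
    findings = {}
    for account, uses in reference_map(references).items():
        issues = []
        record = known.get(account)
        if record is None:
            issues.append("untracked")  # discovered in use, absent from the inventory
        else:
            if (as_of - record["changed"]).days > max_age_days:
                issues.append("stale")
            if len(record["holders"]) > 1:
                issues.append("shared")
        if len(uses) > 1:
            # Changing the password without updating each reference causes lockouts.
            issues.append(f"change must reach {len(uses)} references")
        if issues:
            findings[account] = issues
    return findings

if __name__ == "__main__":
    for account, issues in audit(REFERENCES, KNOWN, date(2014, 6, 1)).items():
        print(account, "->", ", ".join(issues))
```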

Privileged Identity Management Controls the Entire Life Cycle of Privileged Accounts
- Always keeps up-to-date, accurate systems & account lists
- Immediately removes knowledge of shared credentials
- Provides access to credentials on a need to know basis for the shortest time possible
- Automatically changes disclosed passwords
- Allows organizations to change sensitive passwords without fear of outages
- Automates as much as possible for low TCO and fast deployment

Benefits
- Eliminate shared credentials
- Ensure every managed credential is unique
- Enable minimal disclosure of access credentials
- Discover new credentials and usage automatically
- Change privileged passwords regularly without fear of outages
- Control privileged access to applications and SSH Keys

Privileged Identity Management

Privileged Access Management

About Lieberman Software
- Founded in 1978, 1994 as an ISV
- Technology Partnerships include:
- Pioneers of Privilege Management
- 1200+ Enterprise Customers in all verticals
- Followed by Gartner, Forrester, 451 Group, Kuppinger-Cole
- US-based, management-owned and profitable

1200+ Enterprise Customers
- Finance
- Manufacturing
- Federal Government
- Technology
- Healthcare
- Insurance

Microsoft
- Lieberman Software provides ERPM based on MS Windows Server, SQL Server Enterprise, RDS and IIS, deployed either on-premises or in Azure IaaS.
- Both Microsoft GFS OSSC and XBOX have deployed our products widely on more than 550,000 systems.
- OSSC uses ERPM to protect over 22 Microsoft global data centres.
- Lieberman Software is a Global ISV Partner, and a member of the System Center Alliance.

Questions?
Roy Duckles, EMEA Channel Director, Lieberman Software
rduckles@liebsoft.com
+44 7900 576036