12-PAM-ADMIN-Privileged-Threat-Analytics.pdf
CyberArk University
2023
PAM Administration: Privileged Threat Analytics
© 2023 CyberArk Software Ltd. All rights reserved

Agenda
By the end of this session the participant will be able to:
1. Describe the main functionality of Privileged Threat Analytics (PTA)
2. Describe the different data sources used by the PTA
3. Describe the different attacks and risks detected by the PTA
4. Describe the alert flow by the PTA
5. Configure and test PTA automatic responses
6. Describe the session analysis and response flow

Overview: Privileged Threat Analytics

Privileged Threat Analytics (diagram: the four PTA capabilities)
– COLLECT: Quickly gather and analyze the most critical data
– DETECT: Rapidly identify and detect suspicious activities
– ALERT: Notify security teams with detailed event information
– RESPOND: Enable speedy response and automated containment

Collect
The CyberArk Privileged Threat Analytics collects data from a wide variety of sources.

Collect and Analyze the Right Data (diagram)
Collect and analyze data from critical solutions: SIEM, External Components, Digital Vault, Active Directory, PSM and Cloud feed the CyberArk PTA, which provides real-time analytics powered by proprietary profiling algorithms to detect anomalous activity.

Detect
– Attacks that bypass security controls
– Statistical anomalies
– Active Directory risks

Abuse or Bypass of PAM Controls
PTA continuously monitors the use of privileged accounts that are managed by CyberArk, as well as privileged accounts that are not yet managed, and looks for indications of abuse or misuse of the CyberArk platform.
Such abuse or bypasses include:
– Unmanaged privileged access
– Suspected credential theft
– Suspicious password change
– Suspicious activities detected in a privileged session

Statistical Anomalies
Using proprietary profiling algorithms, the PTA distinguishes in real time between normal and abnormal behavior and raises alerts when abnormal activity is detected. Such abnormal behavior includes:
– Access to the Vault during irregular hours or days
– Access to the Vault from irregular IP addresses
– Excessive access to privileged accounts in the Vault
– Activity by dormant Vault users

Active Directory Risks
PTA proactively monitors risks related to accounts in Active Directory that can be abused by attackers and sends alerts to the security team to handle these risks before attackers abuse them. Such risks include:
– Unconstrained Delegation
– Dual Usage

PTA Detections – Standard (table; columns: PTA Detection, Vault Logs, AD, EPM)
– Suspected credentials theft
– Unmanaged privileged access (optional)
– Unconstrained delegation
– Service account logged on interactively (optional, optional)
– Risky SPN
– Suspicious activities detected in a privileged session
– Privileged access to the Vault during irregular hours
– Excessive access to privileged accounts in the Vault
– Privileged access to the Vault from irregular IP
– Active dormant Vault user
– Machine accessed during irregular hours

Alert
– Security Events
– Security Monitoring Navigation

Alerts on Suspicious Activity and Behavior
PTA enables security teams to prioritize and respond to the most critical incidents.
Security events coming from the PTA:
– Are assigned risk scores based on the severity of the detected anomaly
– Contain granular details related to the suspected attack
– Can easily be reviewed in the PVWA and/or in a SIEM dashboard

Security Events
You can review security events in the PVWA according to the timeline and filter the events to focus on specific groups of events based on:
⎼ Severity
⎼ Event Type
⎼ Date
Visible in the PVWA under the Security pane.

Security Event Compact View (screenshot)

Reviewing Security Events in the PVWA (screenshot callouts)
– The last time the event was detected
– The name of the event
– Shown when remediation has been started
– The score and severity of the event (high, medium, low)
– Recommended action to take / automatic remediation action that was taken

Easy Navigation: Security-Monitoring (screenshot)

Respond
– Automatic Remediation
– PSM – PTA Integration
– Session Analysis and Response
– Risk-based Prioritization
– Configuring Session Analysis and Response Rules
– The Session Analysis and Response Life Cycle

Respond with Automatic Remediations
Automatic response improves your organization's security posture and mitigates risk. PTA can contain in-progress attacks by automatically:
– Onboarding unmanaged accounts
– Rotating credentials
– Reconciling credentials

PSM – PTA Integration

Session Analysis and Response
Connecting the PTA and PSM leverages the analytic capabilities of the PTA, which receives details of PSM privileged sessions and user activities, analyzes them, and assigns a risk score to each session. Audit teams can now prioritize workloads based on risk scores.

Session Analysis and Response
Once the PTA and PSM are integrated, we can configure Privileged Session Analysis and Response rules to execute automatic session suspension or termination during high-risk user activity, thereby reducing response times and the risk of damage to the organization.

Risk-based Prioritization (diagram)
Events (Session #1, #2, #3, #4, #5, #6, #7, ..., #5364) flow into the Privileged Threat Analytics Engine, which reorders them into risk-based priorities (Session #323, #83, #2, #421, #95, #34, #297, ..., #5364).

Configuring Rules
You can add new rules or customize existing rules for session analysis and response. The scope of a rule can be granularly applied to different Vault users, accounts, and machines. In the event of high-risk activity, the PTA can also be configured to terminate or suspend the session. CyberArk recommends that each organization study the predefined set of rules for suspicious session activities and then modify and add rules according to their needs.

Configuring Rules
Rules are defined by:
– Category
⎼ SSH
⎼ Universal Keystrokes
⎼ SCP
⎼ SQL
⎼ Windows title
– Pattern: a regular expression to be monitored
– Session response
⎼ Suspend
⎼ Terminate
⎼ None
– The Threat Score (1-100)
– Scope: to whom or what the rule will apply

Session Analysis and Response Life Cycle (diagram)
ANALYTICS → DEFINE RISKS → ALERTS → AUTOMATIC RESPONSE; the Security Team performs MANUAL RESPONSE & RISK REVIEW.

Demos
In this section we will review recorded demos of threat detection and automatic response in:
– Windows
– AWS

Privileged Threat Detection and Automatic Response Demo: Windows
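The rule fields listed above (category, regex pattern, session response, threat score and scope) and the risk-based ordering of sessions, as an added Python illustration that is not CyberArk's code: constructed sample rules are matched against constructed PSM session activities, and sessions are ranked by the resulting score. The rule names, session contents and the score aggregation (highest matched rule wins, strongest response wins) are assumptions, not PTA's documented behaviour.

```python
import re
from dataclasses import dataclass

# Rule fields mirror the slide: category, regex pattern, session response,
# threat score (1-100) and scope. Sample rules are constructed, not CyberArk's.
@dataclass
class Rule:
    name: str
    category: str        # SSH, Universal Keystrokes, SCP, SQL or Windows title
    pattern: str         # regular expression to be monitored
    response: str        # Suspend, Terminate or None
    score: int           # threat score, 1-100
    scope_users: frozenset = frozenset()  # empty = applies to every Vault user

RESPONSE_RANK = {"None": 0, "Suspend": 1, "Terminate": 2}

RULES = [
    Rule("SSH root password change", "SSH", r"\bpasswd\s+root\b", "Terminate", 90),
    Rule("SQL drop object", "SQL", r"(?i)\bdrop\s+(table|database)\b", "Suspend", 70),
    Rule("SCP of shadow file", "SCP", r"/etc/shadow\b", "Suspend", 60, frozenset({"contractor1"})),
    Rule("Shell history cleared", "Universal Keystrokes", r"\bhistory\s+-c\b", "None", 30),
]

def evaluate_session(session, rules=RULES):
    """Match a PSM session's recorded activities against the rules in scope.
    Returns (risk score, response to apply, names of matched rules). Assumption:
    session score = highest matched rule score, strongest matched response wins."""
    score, response, hits = 0, "None", []
    for rule in rules:
        if rule.scope_users and session["user"] not in rule.scope_users:
            continue  # rule is out of scope for this Vault user
        regex = re.compile(rule.pattern)
        if any(a["category"] == rule.category and regex.search(a["text"])
               for a in session["activities"]):
            hits.append(rule.name)
            score = max(score, rule.score)
            if RESPONSE_RANK[rule.response] > RESPONSE_RANK[response]:
                response = rule.response
    return score, response, hits

def prioritize(sessions, rules=RULES):
    """Risk-based prioritization: session ids ordered highest risk first."""
    ranked = sorted(sessions, key=lambda s: -evaluate_session(s, rules)[0])
    return [s["id"] for s in ranked]

# Constructed sample sessions; ids echo the slide's session list
SESSIONS = [
    {"id": 1, "user": "dba", "activities": [{"category": "SQL", "text": "select count(*) from users"}]},
    {"id": 323, "user": "contractor1", "activities": [{"category": "SCP", "text": "scp db1:/etc/shadow ."}]},
    {"id": 83, "user": "ops", "activities": [{"category": "SSH", "text": "sudo passwd root"},
                                             {"category": "Universal Keystrokes", "text": "history -c"}]},
    {"id": 2, "user": "ops", "activities": [{"category": "SCP", "text": "scp db1:/etc/shadow ."}]},  # out of scope
]
```

Session 2 shows the scope field doing its job: the same SCP command that scores 60 for contractor1 produces no hit for an out-of-scope user.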
Privileged Threat Detection and Automatic Response Demo: AWS

Detect and Respond to Privileged Risks in the Cloud
To help address the challenge of monitoring Privileged Cloud users and detecting, alerting, and responding to high-risk privileged access, the PTA can now be used to improve the efficiency of Cloud security teams and to respond to threats within Amazon Web Services (AWS) and Microsoft Azure.
The following capabilities are supported for AWS:
– Detect unmanaged Access Keys and Passwords for IAM accounts
– Detect compromised privileged IAM accounts
– Detect compromised EC2 accounts
The following capabilities are supported for Azure:
– Detect unmanaged privileged access
– Detect suspected credential theft

PTA's Threat Detection and Response Capabilities within AWS (diagram)

Summary
In this session we:
– Looked at an overview of the main functionality of the PTA
– Viewed the different data sources used by the PTA
– Described the different attacks and risks detected by the PTA
– Discussed the alert flow by the PTA
– Looked at the PTA's automatic responses
– Described the session analysis and response flow
– Viewed some videos demonstrating PTA functionality

Exercises
You may now complete the following exercises:
Privileged Threat Analytics
– Detections and Automatic Remediation for UNIX/Linux
⎼ Unmanaged Privileged Access
⎼ Suspected Credential Theft and Automatic Password Rotation
⎼ Suspicious Password Change and Automatic Reconciliation
⎼ Suspicious Activities in a Unix Session and Automatic Suspension
⎼ Security Rules Exceptions
– Detections and Automatic Remediation for Windows
⎼ Unmanaged Privileged Access
⎼ Suspicious Activities in a Windows Session and Automatic Suspension
– Connect to the PTA Administration Interface