01-PAM-ADMIN-Introduction to-CyberArk-PAM.pdf
Transcript
PAM Administration Introduction to CyberArk Privileged Access Management © 2023 CyberArk Software Ltd. All rights reserved This session introduces the CyberArk Privileged Access...
PAM Administration Introduction to CyberArk Privileged Access Management © 2023 CyberArk Software Ltd. All rights reserved This session introduces the CyberArk Privileged Access Management (PAM) solution. We will look at: Agenda 1. Overview of basic PAM principles and concepts 2. A common attack method and how CyberArk PAM can minimize exposure 3. Key features of the CyberArk self-hosted PAM solution 4. The system architecture 5. System interfaces and utilities 6. Online help and customer community © 2023 CyberArk Software Ltd. All rights reserved Overview © 2023 CyberArk Software Ltd. All rights reserved What are Privileged Accounts? A privileged account is any account that has the capability to change or impact the operational service of a business process Therefore, we often refer to Privileged Accounts as the “keys to the kingdom” © 2023 CyberArk Software Ltd. All rights reserved Examples of Privileged Accounts Some classic examples include the following accounts: Administrator on a Windows server Root on a UNIX server SYS user on Oracle DBs Enable on a Cisco device © 2023 CyberArk Software Ltd. All rights reserved Privilege is Everywhere Privileged accounts exist in every connected device, database, application, industrial controller, and more! There are typically 3X more privileged accounts than employees © 2023 CyberArk Software Ltd. All rights reserved Privilege Can Be Used By Any Identity System 3rd-Party & Select Social Networking Administrators Service Providers Applications Business Users Account Managers Until recently, IT Admins were considered privileged users In today’s environment almost any identity can be privileged under certain conditions © 2023 CyberArk Software Ltd. All rights reserved The Challenges and Threats © 2023 CyberArk Software Ltd. All rights reserved Attackers NEED INSIDER Credentials …80% of security breaches involve compromised privilege credentials. APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts. The Forrester Wave : Privileged Identity Management, Q3 2018 © 2023 CyberArk Software Ltd. All rights reserved Technologies Change. Attack Paths Don’t. PRIVILEGEESCALATION LIMIT PRIVILEGE ESCALATION&&ABUSE ABUSE STOP LATERAL LATERAL&&VERTICAL VERTICALMOVEMENT MOVEMENT PREVENT CREDENTIAL CREDENTIAL THEFT THEFT Remote Vendor Internal Attacker IT Admin Business User External Attacker Developer Robot Internal Application Attacker © 2023 CyberArk Software Ltd. All rights reserved Privilege is at the Center of the Attack Lifecycle Typical Lifecycle of a Cyber Attack Penetration Credential theft Reconnaissance Lateral movement EXISTING Privilege escalation ACCESS Move Laterally Perform Repeat Internal Threats Reconnaissance Escalate Privileges External Threats Disrupt Business Network Perimeter Exfiltrate Data PERIMETER COMPROMISE © 2023 CyberArk Software Ltd. All rights reserved CyberArk Breaks the Attack Chain Penetration Credential theft Reconnaissance Lateral movement EXISTING Privilege escalation ACCESS Move Laterally Perform Repeat Internal Threats Reconnaissance Escalate Escalate Privileges Privileges External Threats Disrupt Business Network Perimeter Exfiltrate Data PERIMETER COMPROMISE © 2023 CyberArk Software Ltd. All rights reserved Protecting Privileged Access PERIMETER SECURITY SECURITY CONTROLS INSIDE THE NETWORK MONITORING PRIVILEGED ACCESS MANAGER © 2023 CyberArk Software Ltd. All rights reserved Proactive Protection, Detection, & Response Proactive protection Secured credentials Insider Only authorized users Individual accountability External Databases/ Hypervisors Applications Session isolation Limit scope of privilege External Network Targeted detection Endpoints Insider Devices Continuous monitoring Malicious behavior External High risk behavior Industrial Insider Controls Social Media Alerts External Real-time response Session suspension/termination Privileged Accounts Full forensics record of activity © 2023 CyberArk Software Ltd. All rights reserved Key Features of CyberArk PAM © 2023 CyberArk Software Ltd. All rights reserved CyberArk PAM Discover and Isolate Record and Monitor Remediate manage credentials audit sessions privileged risky credentials and sessions activity behavior © 2023 CyberArk Software Ltd. All rights reserved Discover and Manage Credentials Automated processes for accounts discovery Policies to manage: CPM ⎼ Password complexity Tojsd$5fh y7qeF$1 gviNa9% lm7yT5w X5$aq+p and length ⎼ Rotation frequency Digital Vault ⎼ Etc. System User Pass Unix root tops3cr3t Oracle SYS tops3cr3t Windows Administrator tops3cr3t z/OS DB2ADMIN tops3cr3t Cisco enable tops3cr3t Enterprise IT Environment © 2023 CyberArk Software Ltd. All rights reserved Isolate Credentials and Sessions CyberArk enables secure connections to critical systems PVWA using a proxy. Target systems are fully isolated, privileged credentials are not exposed to end users or their applications or devices. RDP Target Server Target systems are configured PSM not to accept direct connection Direct RDP Connection © 2023 CyberArk Software Ltd. All rights reserved Record and Audit Sessions Privileged sessions recorded in video and/or text format Stored and encrypted in the tamper-resistant Digital Vault Recordings have a clickable timeline to navigate to specific events © 2023 CyberArk Software Ltd. All rights reserved Monitor Privileged Activity CyberArk session monitoring enables review of recordings and live sessions, which can be sorted based on risk This enables the security operations personnel to take a risk-based approach by prioritizing the greatest threats that are detected in the environment © 2023 CyberArk Software Ltd. All rights reserved Remediate Risky Behavior Unmanaged accounts can be automatically on-boarded and managed through CyberArk’s continuous discovery capabilities CyberArk can automatically rotate credentials in the event of risky behavior such as credential theft, bypassing the Additionally, administrators can Digital Vault establish policies to either automatically suspend or terminate privileged sessions based on risk assignment © 2023 CyberArk Software Ltd. All rights reserved Key Features Discover & Manage Isolate Record/Audit Monitor Remediate Secure and manage Secure jump-server Record privileged View privileged activity Suspend and/or privileged passwords, to control credentials sessions and store in by going directly to terminate privileged SSH keys and other in an isolated centralized specified activities, sessions automatically secrets instance repository keystrokes, etc. based on risk score and activity Continually scan the Connect via secure Audit logs of video Send automatic alerts environment to detect jump server using a recording stored to SOC and IT admins Initiate automatic privileged accounts variety of native automatically based on risky credential rotation and credentials workflows activities based on risk in case Automatically start of compromise/theft Add accounts to Prevent malware viewing riskiest Reduce the number of pending to validate attacks and control sessions first, at the accounts that can be privilege or privileged access point of most used to circumvent automatically suspicious activities privileged controls onboard and rotate On Premises Cloud Hybrid Automation with Rest APIs and policies enhances Core PAS functionality © 2023 CyberArk Software Ltd. All rights reserved When ready select “Next” to continue NEXT System Architecture © 2023 CyberArk Software Ltd. All rights reserved CyberArk PAM Components A secure server used to store privileged account information Digital Vault Based on a hardened Windows server platform Password Vault Web Access The web interface for users to gain access to privileged account information (PVWA) Used by Vault administrators to configure policies Performs the password changes on devices Central Policy Manager (CPM) Scans the network for privileged accounts Privileged Session Manager Isolates and monitors privileged account activity (PSM) Records privileged account sessions Privilege Threat Analytics Monitors and detects malicious privileged account behavior. (PTA) © 2023 CyberArk Software Ltd. All rights reserved The Vault and Its Clients Unmanaged Target Account and Servers Privileged Session End Users: Manager IT Staff, Auditor, etc. Password Vault Web Access Central Policy Manager Managed Custom Applications, Target Account Reporting Tools, etc. and Servers PACli and SDKs Vault PrivateArk Client Unix/Windows Vault Application Target Databases Administrators Providers Privileged Threat Analytics Unix/Windows Users © 2023 CyberArk Software Ltd. All rights reserved The Vault: End-to-End Security Stored Vault User Credential Discretionary Mandatory Session File Firewall Authentication Access Access Auditing Encryption Encryption Control Control Proprietary Hardened Single or Two Granular Subnet Based Tamperproof Hierarchical Protocol built-in Factor Permissions Access Control Audit Trail Encryption Model Windows Authentication OpenSSL Firewall (recommended) Role Based Time Limits Event-based Every object has Encryption Access Control and Delays Alerts unique key © 2023 CyberArk Software Ltd. All rights reserved CyberArk’s Scalable Architecture Auditors PVWA PTA CPM PSM IT Vault (HA Cluster) IT Environment Main Data Center - US Auditors/IT Auditors/IT IT Environment IT Environment London Hong Kong DR Site © 2023 CyberArk Software Ltd. All rights reserved System PVWA Interfaces and Utilities PrivateArk Client PAM Web Services (REST API) Vault Central Administration Station Remote Control Client © 2023 CyberArk Software Ltd. All rights reserved Password Vault Web Access – a New Interface Some features still require the classic interface, which can be accessed by a dedicated link. PVWA version 10 introduced End users will use this Auditors will use this the new user interface, which interface to retrieve passwords interface to monitor privileged focuses on seamless or launch privileged sessions. sessions. workflows and easy access. © 2023 CyberArk Software Ltd. All rights reserved PVWA – Classic Interface The classic interface is mostly used by Vault Administrators to manage policies and permissions, and to configure the PVWA and the other components. © 2023 CyberArk Software Ltd. All rights reserved PrivateArk Client The PrivateArk Client is the legacy interface to Vault data Mostly used by administrators for certain tasks that are not implemented in PVWA The PrivateArk Client can be installed on any station with access to the Vault © 2023 CyberArk Software Ltd. All rights reserved PAM Web Services Client PVWA Vault HTTP CyberArk The PAM Web Services is a LOGON Authenticate user RESTful API that enables HTTP Response code: 200 Success users to create, list, modify, CyberArkLogonResult= and delete entities in PAM AAEAAAD/////AQAAAA using programs and scripts. AAAAAMAgAAAFhDe WJlckFyay5TZXJ2aWN lcy5XZWIsIFZlcnNpb24 The main purpose of the PAM 9OC4w Web Services is to automate ADD USER Create the User tasks that are usually HTTP Response code: 201 Success performed manually using the UI and to incorporate them into system- and account- provisioning scripts © 2023 CyberArk Software Ltd. All rights reserved Vault Central Administration Station stop/start Only available on Vault server Starting and stopping the PrivateArk Server Windows service ITALOG.LOG Displaying the Vault Server log Changing the Vault debug level dynamically © 2023 CyberArk Software Ltd. All rights reserved Remote Control Monitoring the Vault status using the Remote Client: Client PARCLIENT> status vault Password: ********* Vault is running. PARCLIENT> stop vault Runs from a command line Are you sure you want to stop the remote Vault (Y/N)? y Vault was stopped successfully interface PARCLIENT> start vault Executes tasks on Vault was started, pending service running. use status command for further details. Vault server via PARCLIENT> status vault Remote Control Agent Vault is running. PARCLIENT> status ene Client and agent communicate ENE is stopped. via CyberArk Remote PARCLIENT> start ene Control Protocol on port ENE was started, pending service running. use status command for further details. 9022 PARCLIENT> status ene ENE is running. RCC reduces the need to PARCLIENT> open an RDP port for the Vault © 2023 CyberArk Software Ltd. All rights reserved Online Help and Customer Community © 2023 CyberArk Software Ltd. All rights reserved CyberArk Customer Community Online documentation Knowledge base Training Enhancement Requests Marketplace © 2023 CyberArk Software Ltd. All rights reserved On-line Documentation Available in the CyberArk Customer Community Published online Easily searchable information © 2023 CyberArk Software Ltd. All rights reserved CyberArk Acronyms The CyberArk Glossary can be found easily here: © 2023 CyberArk Software Ltd. All rights reserved Summary © 2023 CyberArk Software Ltd. All rights reserved Summary In this session we discussed: Basic principles and concepts Key features of the CyberArk PAM solution The PAM system architecture System interfaces and utilities Online help and customer community © 2023 CyberArk Software Ltd. All rights reserved Online Training Risk Assessment Tools Video Introduction to Privileged Additional DNA zBang DNA Access Management Resources You may now complete the following exercise: Introduction to CyberArk Privileged Access Management Getting to Know the Acme Corp Environment PrivateArk Client ̶ Acme Servers ̶ Connecting ̶ Accessing a File in a Safe Getting to Know CyberArk PAM ̶ Modifying the View Log Into the Components Server Remote Control Client PVWA The Vault Server ̶ Log in as Mike ̶ Activate the PSM ̶ Deactivate “Reason for Access” ̶ Connect to an Account in the New UI ̶ Retrieve a Password in the Classic UI © 2023 CyberArk Software Ltd. All rights reserved
