11-PAM-ADMIN-Privileged-Session-Management-pt2.pdf

Full Transcript

PAM Administration
Privileged Session Management
Part 2

© 2023 CyberArk Software Ltd. All rights reserved
 Upon completion of this session, the participant will be able to:
1. Monitor and manage privileged session recordings

Agenda 2. Monitor and manage privileged session audits
3. Monitor and manage active privileged sessions

© 2023 CyberArk Software Ltd. All rights reserved
 Recordings

In this section we will discuss how to
enable, monitor and manage privileged
session recordings

© 2023 CyberArk Software Ltd. All rights reserved
 Recordings
The PSM and PSM for SSH create video and text recordings for privileged sessions and store
them in the Vault where they can be viewed at any time by authorized users
You can store PSM video and text recordings in an external storage device

© 2023 CyberArk Software Ltd. All rights reserved
 Recordings
PVWA
HTTP/S 1858

Unix
Administrator

After the session is complete,
the video recording is uploaded to a
safe in the Vault
RDP

(by default: “PSMRecordings”).

1858

PSM

During the session, a video of all
activity is recorded on the file
system of the PSM server.

© 2023 CyberArk Software Ltd. All rights reserved
 Enable Recordings: Master Policy

Enable session recording in the
Master Policy for all platforms or for
specific platforms by use of
exceptions

© 2023 CyberArk Software Ltd. All rights reserved
 View Recordings in the PSM

Member of the Auditors group

© 2023 CyberArk Software Ltd. All rights reserved
 Monitor Recordings (PSM for SSH)
Recordings created by PSM for SSH are currently displayed in the classic interface

© 2023 CyberArk Software Ltd. All rights reserved
 Manage Recordings

© 2023 CyberArk Software Ltd. All rights reserved
 Sizing Calculations for the PSM Server
𝑆𝑃𝑆𝑀 = 𝐶𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑡𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑅𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑟𝑒𝑐𝑜𝑟𝑑𝑖𝑛𝑔 + 20𝐺𝐵

SPSM = Required storage on PSM Server
Csession = Maximum Number of Concurrent Sessions
tsession = Average length of recorded session
Rsession recording = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(25 sessions) x (180 minutes/session) x (300 KB/minute) + 20GB = 21.35GB

© 2023 CyberArk Software Ltd. All rights reserved
 Sizing Calculations for the Vault Server
𝑆𝑉𝑎𝑢𝑙𝑡 = 𝑡𝑟𝑒𝑡𝑒𝑛𝑡𝑖𝑜𝑛 𝑁𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑡𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑅𝑠𝑒𝑠𝑠𝑖𝑜𝑛 𝑟𝑒𝑐𝑜𝑟𝑑𝑖𝑛𝑔 + 20𝐺𝐵

SVault = Required storage on Vault Server
tretention = Retention history requirement
Nsession = Average number of recorded sessions per day
tsession = Average length of recorded session
Rsession recording = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(90 days) x (400 sessions/day) x (180 minutes/session) x (300 KB/minute) + 20GB = 1.96 TB

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Recording
Safes
Recordings are stored by default
in a safe called: PSMRecordings
Custom recording safes can be
defined at the platform level
The safes are created
automatically by the PSM when
it uploads the first recording to
the Vault
For example, a separate
recordings safe for SOX-
compliant Linux accounts
(365 days retention period)

© 2023 CyberArk Software Ltd. All rights reserved
 PSM Recording
Safes

Members of the Auditors
group are automatically granted
permissions on all Recording
Safes
You can also manually set
different auditors for each
Recording Safe according to
their access control policy

© 2023 CyberArk Software Ltd. All rights reserved
 Session Audits

In this section we will discuss how
to monitor privileged session audits

© 2023 CyberArk Software Ltd. All rights reserved
 Session Audit

By default, the PSM records
all the activities that take
place during privileged
sessions and provides audit
data for the following events:
⎼ SQL commands
⎼ SSH keystrokes
⎼ Window titles
⎼ Universal keystrokes
When integrated with the PTA,
PSM for SSH can create the suspicious activity risk
audit records for activities score is also available in the
that are performed during Monitoring pane, allowing the
SSH, SCP, and Telnet auditing team to prioritize
session auditing based on risk
connections

© 2023 CyberArk Software Ltd. All rights reserved
 Audit
PVWA
HTTP/S 1858 Syslog

Unix SIEM/PTA
Administrator
RDP

The Vault forwards
real time audit information to
SIEM and/or PTA for activity
1858 risk analysis

PSM

The session audit is sent in real time
from the PSM to the Vault

© 2023 CyberArk Software Ltd. All rights reserved
 Active Session Monitoring

In this section we will discuss how to
monitor and manage active privileged
sessions

© 2023 CyberArk Software Ltd. All rights reserved
 Active Session Monitoring (PSM)
The PSM enables authorized users to monitor active sessions, take part in controlling these sessions,
and suspend or terminate them

The PSM can also automatically
suspend or terminate sessions
when notified by PTA or a third-
party threat analytics tool

© 2023 CyberArk Software Ltd. All rights reserved
 Active Session Monitoring (PSM for SSH)
While it is not possible to monitor or control live PSM for SSH sessions, it is possible to view the live
session audit

© 2023 CyberArk Software Ltd. All rights reserved
 Monitor Active Sessions
PVWA
HTTP/S HTTP/S

Unix Auditor
Administrator

RDP

RDP

PSM

SSH (using putty)

IT Environment
© 2023 CyberArk Software Ltd. All rights reserved
 Enable and
Configure Live Session
Monitoring
Live session monitoring settings
determine how users can monitor live
privileged sessions and the types of
activities that they can perform

By default, all members of the Vault
group PSMLiveSessionTerminators
are authorized to suspend and
terminate active sessions

© 2023 CyberArk Software Ltd. All rights reserved
 Monitor Active Sessions

© 2023 CyberArk Software Ltd. All rights reserved
 Summary

© 2023 CyberArk Software Ltd. All rights reserved
 Summary In this session we covered:

Privileged session monitoring
capabilities for PSM and PSM for SSH

How to monitor and manage privileged
session recordings

How to monitor and manage privileged
session audits

How to monitor and manage active
privileged sessions

© 2023 CyberArk Software Ltd. All rights reserved
 External Storage of PSM Recordings

https://training.cyberark.com/elearning/external-storage-of-psm-recordings

Additional You may now complete the following exercises:
Resources Privileged Session Management – Part 2
Privileged Session Terminators
Monitor, Suspend and Terminate Active Sessions
Monitor Recordings