PAM Administration Privileged Session Management Part 2 PDF

Summary

This document provides an overview of privileged session management, focusing on monitoring, recording, auditing, and managing active privileged sessions. It includes concepts on external storage, session audits, and sizing calculations. The document covers advanced topics relating to managing privileged sessions for better IT security practices.

Full Transcript

PAM Administration
Privileged Session Management Part 2

© 2023 CyberArk Software Ltd. All rights reserved

Agenda

Upon completion of this session, the participant will be able to:
1. Monitor and manage privileged session recordings
2. Monitor and manage privileged session audits
3. Monitor and manage active privileged sessions

Recordings

In this section we will discuss how to enable, monitor and manage privileged session recordings.

Recordings

The PSM and PSM for SSH create video and text recordings for privileged sessions and store them in the Vault, where they can be viewed at any time by authorized users.

You can store PSM video and text recordings in an external storage device.

Recordings

[Diagram: Administrator, PVWA, HTTP/S, RDP, PSM, Unix, 1858]

During the session, a video of all activity is recorded on the file system of the PSM server.

After the session is complete, the video recording is uploaded to a safe in the Vault (by default: “PSMRecordings”).

Enable Recordings: Master Policy

Enable session recording in the Master Policy for all platforms or for specific platforms by use of exceptions.

View Recordings in the PSM

Member of the Auditors group

Monitor Recordings (PSM for SSH)

Recordings created by PSM for SSH are currently displayed in the classic interface.

Manage Recordings
Sizing Calculations for the PSM Server

$S_{PSM} = C_{session} \times t_{session} \times R_{session\ recording} + 20\,\text{GB}$

$S_{PSM}$ = Required storage on PSM Server
$C_{session}$ = Maximum number of concurrent sessions
$t_{session}$ = Average length of recorded session
$R_{session\ recording}$ = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(25 sessions) x (180 minutes/session) x (300 KB/minute) + 20 GB = 21.35 GB

Sizing Calculations for the Vault Server

$S_{Vault} = t_{retention} \times N_{session} \times t_{session} \times R_{session\ recording} + 20\,\text{GB}$

$S_{Vault}$ = Required storage on Vault Server
$t_{retention}$ = Retention history requirement
$N_{session}$ = Average number of recorded sessions per day
$t_{session}$ = Average length of recorded session
$R_{session\ recording}$ = Average bit rate of recorded video
⎼ 100 KB/min – average SSH session
⎼ 200 KB/min – average low activity RDP session
⎼ 300 KB/min – average high activity RDP session with rich wallpaper

(90 days) x (400 sessions/day) x (180 minutes/session) x (300 KB/minute) + 20 GB = 1.96 TB

PSM Recording Safes

Recordings are stored by default in a safe called: PSMRecordings

Custom recording safes can be defined at the platform level.

The safes are created automatically by the PSM when it uploads the first recording to the Vault.

For example, a separate recordings safe for SOX-compliant Linux accounts (365 days retention period).

PSM Recording Safes

Members of the Auditors group are automatically granted permissions on all Recording Safes.

You can also manually set different auditors for each Recording Safe according to their access control policy.

Session Audits

In this section we will discuss how to monitor privileged session audits.
Session Audit

By default, the PSM records all the activities that take place during privileged sessions and provides audit data for the following events:
⎼ SQL commands
⎼ SSH keystrokes
⎼ Window titles
⎼ Universal keystrokes

PSM for SSH can create audit records for activities that are performed during SSH, SCP, and Telnet connections.

When integrated with the PTA, the suspicious activity risk score is also available in the Monitoring pane, allowing the auditing team to prioritize session auditing based on risk.

Audit

[Diagram: Administrator, PVWA, HTTP/S, RDP, PSM, Unix, 1858, Syslog, SIEM/PTA]

The session audit is sent in real time from the PSM to the Vault.

The Vault forwards real time audit information to SIEM and/or PTA for activity risk analysis.

Active Session Monitoring

In this section we will discuss how to monitor and manage active privileged sessions.

Active Session Monitoring (PSM)

The PSM enables authorized users to monitor active sessions, take part in controlling these sessions, and suspend or terminate them.

The PSM can also automatically suspend or terminate sessions when notified by PTA or a third-party threat analytics tool.

Active Session Monitoring (PSM for SSH)

While it is not possible to monitor or control live PSM for SSH sessions, it is possible to view the live session audit.

Monitor Active Sessions

[Diagram: Auditor, Administrator, PVWA, HTTP/S, RDP, PSM, SSH (using putty), Unix, IT Environment]
Enable and Configure Live Session Monitoring

Live session monitoring settings determine how users can monitor live privileged sessions and the types of activities that they can perform.

By default, all members of the Vault group PSMLiveSessionTerminators are authorized to suspend and terminate active sessions.

Monitor Active Sessions

Summary

In this session we covered:
⎼ Privileged session monitoring capabilities for PSM and PSM for SSH
⎼ How to monitor and manage privileged session recordings
⎼ How to monitor and manage privileged session audits
⎼ How to monitor and manage active privileged sessions

Additional Resources

External Storage of PSM Recordings
https://training.cyberark.com/elearning/external-storage-of-psm-recordings

You may now complete the following exercises:

Privileged Session Management – Part 2
⎼ Privileged Session Terminators
⎼ Monitor, Suspend and Terminate Active Sessions
⎼ Monitor Recordings
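The PSM Server and Vault Server sizing formulas and the per-platform recording safes from the Recordings section, as an added example (not CyberArk's code and not part of the original slides): a planner that sums each formula's variable term over several session classes, each with its own retention period, and adds the 20 GB term once. The summation over classes, the `Workload` fields and the sample mix are assumptions made for illustration; units are decimal, matching the slides' worked examples.

```python
# Added example: capacity planner built on the slides' two sizing formulas.
# Units are decimal, as in the slides' worked examples (1 GB = 1,000,000 KB).
from dataclasses import dataclass

KB_PER_GB = 1_000_000
BASE_GB = 20  # fixed "+ 20 GB" term present in both formulas

# Average recording bit rates from the slides, in KB per minute
RATE_KB_MIN = {"ssh": 100, "rdp_low": 200, "rdp_high": 300}


@dataclass
class Workload:
    """One class of recorded sessions (hypothetical planning input)."""
    kind: str            # key into RATE_KB_MIN
    concurrent: int      # C_session: peak concurrent sessions on the PSM
    per_day: int         # N_session: recorded sessions per day
    minutes: int         # t_session: average session length in minutes
    retention_days: int  # t_retention of the recording safe it lands in

    def rate(self) -> int:
        if self.kind not in RATE_KB_MIN:
            raise ValueError(f"unknown session kind: {self.kind!r}")
        return RATE_KB_MIN[self.kind]


def psm_storage_gb(workloads):
    """S_PSM: recordings held on the PSM file system while sessions run."""
    kb = sum(w.concurrent * w.minutes * w.rate() for w in workloads)
    return kb / KB_PER_GB + BASE_GB


def vault_storage_gb(workloads):
    """S_Vault: recordings kept in the Vault for each safe's retention."""
    kb = sum(w.retention_days * w.per_day * w.minutes * w.rate()
             for w in workloads)
    return kb / KB_PER_GB + BASE_GB


if __name__ == "__main__":
    # Constructed mix: the slides' RDP case plus a SOX Linux safe kept 365 days.
    mix = [
        Workload("rdp_high", concurrent=25, per_day=400, minutes=180, retention_days=90),
        Workload("ssh", concurrent=10, per_day=120, minutes=60, retention_days=365),
    ]
    print(f"PSM server:   {psm_storage_gb(mix):.2f} GB")
    print(f"Vault server: {vault_storage_gb(mix) / 1000:.2f} TB")
```

With only the first workload the functions return the slides' own results, 21.35 GB and 1.96 TB; the second workload shows how a long-retention safe moves the Vault figure while barely affecting the PSM server.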
