12-PAM-ADMIN-Privileged-Threat-Analytics.pdf

Full Transcript

PAM Administration
Privileged Threat Analytics

© 2023 CyberArk Software Ltd. All rights reserved
 By the end of this session the participant will be able to:

1. Describe the main functionality of Privileged Threat
Analytics (PTA)

2. Describe the different data sources used
Agenda by the PTA

3. Describe the different attacks and risks detected
by the PTA

4. Describe the alert flow by the PTA

5. Configure and test PTA automatic responses

6. Describe the session analysis
and response flow

© 2023 CyberArk Software Ltd. All rights reserved
 Overview: Privileged Threat Analytics

© 2023 CyberArk Software Ltd. All rights reserved
 Privileged Threat Analytics

COLLECT
Quickly gather and analyze
the most critical data

RESPOND
Enable speedy response
and automated containment DETECT
Rapidly identify and detect
PRIVILEGED THREAT suspicious activities
ANALYTICS

ALERT
Notify security teams with
detailed event information
© 2023 CyberArk Software Ltd. All rights reserved
 Collect The CyberArk Privileged Threat Analytics
collects data from a wide variety of sources

© 2023 CyberArk Software Ltd. All rights reserved
 Collect and Analyze the Right Data
Collect and Analyze
SIEM Data From Critical
Solutions External Components

Digital Vault
Active
Directory

– CYBERARK PTA –
Real-time Analytics Powered
By Proprietary Profiling PSM
Cloud Algorithms to Detect
Anomalous Activity

© 2023 CyberArk Software Ltd. All rights reserved
 Attacks that bypass security controls

Detect Statistical anomalies

Active Directory risks

© 2023 CyberArk Software Ltd. All rights reserved
 Abuse or Bypass
of PAM Controls
PTA continuously monitors the use of
privileged accounts that are managed by
CyberArk, as well as privileged accounts
that are not yet managed, and looks for
indications of abuse or misuse of the
CyberArk platform.

Such abuse or bypasses include:

Unmanaged privileged access
Suspected credential theft
Suspicious password change
Suspicious activities detected in a
privileged session

© 2023 CyberArk Software Ltd. All rights reserved
 Statistical Anomalies
Using proprietary profiling algorithms, the
PTA distinguishes in real time between
normal and abnormal behavior and raises
alerts when abnormal activity is detected.

Such abnormal behavior includes:

Access to the Vault during irregular
hours or days
Access to the Vault from irregular IP
addresses
Excessive access to privileged
accounts in the Vault
Activity by dormant vault users

© 2023 CyberArk Software Ltd. All rights reserved
 Active Directory
Risks
PTA proactively monitors risks related to
accounts in Active Directory that can be
abused by attackers and sends alerts to
the security team to handle these risks
before attackers abuse them.

Such risks include:

Unconstrained Delegation
Dual Usage

© 2023 CyberArk Software Ltd. All rights reserved
 PTA Detections – Standard
PTA DETECTION VAULT LOGS AD EPM

Suspected credentials theft

Unmanaged privileged access OPTIONAL

Unconstrained delegation

Service account logged on interactively OPTIONAL OPTIONAL

Risky SPN

Suspicious activities detected in a privileged session

Privileged access to the Vault during irregular hours

Excessive access to privileged accounts in the Vault

Privileged access to the Vault from irregular IP

Active dormant Vault user

Machine accessed during irregular hours

© 2023 CyberArk Software Ltd. All rights reserved
 Alert Security Events

Security Monitoring Navigation

© 2023 CyberArk Software Ltd. All rights reserved
 Alerts On Suspicious Activity and Behavior

PTA enables security teams to prioritize
and respond to the most critical incidents.

Security events coming from the PTA:

Are assigned risk scores based on
severity of the detected anomaly

Contain granular details related to the
suspected attack

Can easily be reviewed in the PVWA
and/or in a SIEM dashboard

© 2023 CyberArk Software Ltd. All rights reserved
 Security Events You can review security events in the PVWA
according to the timeline and filter the events to
focus on specific groups of events based on:
⎼ Severity
⎼ Event Type
⎼ Date

Visible in the PVWA
under the Security pane

© 2023 CyberArk Software Ltd. All rights reserved
 Security Event Compact View

© 2023 CyberArk Software Ltd. All rights reserved
16

Reviewing Security Events in the PVWA
The last time the event The name of Shown when remediation
was detected. the event has been started.

The score and severity of the Recommended action to take / Automatic
event (high, medium, low). remediation action that was taken

© 2023 CyberArk Software Ltd. All rights reserved
 Easy Navigation: Security-Monitoring

© 2023 CyberArk Software Ltd. All rights reserved
 Automatic Remediation

PSM – PTA Integration

Respond Session Analysis and Response

Risk-based Prioritization

Configuring Session Analysis and Response Rules

The Session Analysis and Response Life Cycle

© 2023 CyberArk Software Ltd. All rights reserved
 Respond with
Automatic
Remediations
Automatic response improves
your organization’s security
posture and mitigates risk

PTA can contain in-progress
attacks by automatically:
Onboarding unmanaged
accounts
Rotating credentials
Reconciling credentials

© 2023 CyberArk Software Ltd. All rights reserved
 PSM – PTA Integration

© 2023 CyberArk Software Ltd. All rights reserved
 Session Analysis and Response
Connecting the PTA and PSM leverages the analytic capabilities of the PTA, which receives
details of PSM privileged sessions and user activities, analyzes them, and assigns a risk score to
each session.
Audit teams now can prioritize workloads based on risk scores.

© 2023 CyberArk Software Ltd. All rights reserved
 Session Analysis and Response
Once the PTA and PSM are integrated, we can configure Privileged Session Analysis and
Response rules to execute automatic session suspension or termination during high-risk user
activity, thereby reducing response times and the risk of damage to the organization.

© 2023 CyberArk Software Ltd. All rights reserved
 Risk-based Prioritization
Events Privileged Threat Risk-Based Priorities
Analytics Engine
Session #1 Session #323

Session #2 Session #83

Session #3 Session #2

Session #4 Session #421

Session #5 Session #95

Session #6 Session #34

Session #7 Session #297

Session #5364 Session #5364

© 2023 CyberArk Software Ltd. All rights reserved
 Configuring Rules
You can add new rules or customize
existing rules for session analysis and
response
The scope of a rule can be granularly
applied to different Vault users,
accounts, and machines.
In the event of high-risk activity, the
PTA can also be configured to
terminate or suspend the session.

CyberArk recommends that each
organization study the predefined set
of rules for suspicious session
activities and then modify and add
rules according to their needs.
© 2023 CyberArk Software Ltd. All rights reserved
 Configuring Rules
Rules are defined by:
Category
⎼ SSH
⎼ Universal Keystrokes
⎼ SCP
⎼ SQL
⎼ Windows title
Pattern: a regular expression to be
monitored
Session response
⎼ Suspend
⎼ Terminate
⎼ None
The Threat Score (1-100)
Scope: To whom or what the rule will
apply

© 2023 CyberArk Software Ltd. All rights reserved
 Session Analysis and Response Life Cycle

ANALYTICS
DEFINE RISKS ALERTS
AUTOMATIC RESPONSE

Security
Team

MANUAL RESPONSE & RISK REVIEW

© 2023 CyberArk Software Ltd. All rights reserved
 Demos

In this section we will review recorded
demos of threat detection and
automatic response demos in:

Windows

AWS

2
7
© 2023 CyberArk Software Ltd. All rights reserved
 Privileged Threat Detection
and Automatic Response Demo:

Windows

© 2023 CyberArk Software Ltd. All rights reserved
© 2023 CyberArk Software Ltd. All rights reserved
 Privileged Threat Detection
and Automatic Response Demo:

AWS

© 2023 CyberArk Software Ltd. All rights reserved
 Detect and Respond to Privileged Risks in the Cloud
To help address the challenge of monitoring Privileged Cloud users and detecting, alerting, and responding to
high-risk privileged access, the PTA can be now used to improve the efficiency of Cloud security teams and
to secure threats within Amazon Web Services (AWS) and Microsoft Azure.

The following capabilities are supported for AWS:
– Detect unmanaged Access Keys and Passwords for IAM
accounts
– Detect compromised privileged IAM accounts
– Detect compromised EC2 accounts

The following capabilities are supported for Azure:
– Detect unmanaged privileged access
– Detect suspected credential theft

© 2023 CyberArk Software Ltd. All rights reserved
 PTA’s Threat
Detection and
Response Capabilities
within AWS

© 2023 CyberArk Software Ltd. All rights reserved
© 2023 CyberArk Software Ltd. All rights reserved
 Summary

© 2023 CyberArk Software Ltd. All rights reserved
 In this session we:
Looked at overview of the main functionality
Summary of the PTA
Viewed the different data sources used by
the PTA
Described the different attacks and risks
detected by the PTA
Discussed the alert flow by the PTA
Looked at the PTA’s automatic responses
Described the session analysis and response
flow
Viewed some videos demonstrating PTA
functionality
© 2023 CyberArk Software Ltd. All rights reserved
 You may now complete the following exercises:

Privileged Threat Analytics
Detections and Automatic remediation for UNIX/Linux
Unmanaged Privileged Access
Suspected Credential Theft and Automatic Password Rotation
Suspicious Password Change and Automatic Reconciliation

Exercises Suspicious activities in a Unix session and automatic suspension
Security Rules Exceptions

Detections and Automatic Remediation for Windows
Unmanaged Privileged Access
Suspicious Activities in a Windows Session and Automatic Suspension

Connect to the PTA Administration Interface