Case Study: Privileged Access in a World on Time
Session SCT17S, Security track
Speakers: Trey Ray, Laxmi Potana and Michael Scudiero (FedEx)
COPYRIGHT © 2017 CA. ALL RIGHTS RESERVED. #CAWORLD #NOBARRIERS
For Informational Purposes Only: Terms of This Presentation
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time with CA Privileged Access Manager is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it's also good security.
Trey Ray, FedEx, IT Manager
Laxmi Potana, FedEx, Cyber Security Advisor
Michael Scudiero, FedEx, Sr. Cyber Security Analyst
HOW TO BUILD A GLOBAL SHIPPING NETWORK TO TAKE ON THE FUTURE
Video: "FedEx" (TRT 1:31)
Privileged Access in a World on Time
Trey Ray, Laxmi Potana, and Michael Scudiero
Privileged Access in a World of Cyber Risk
PCI DSS 3.2 Created The Urgency
PREVENT
2 Factor Authentication
Automated Password Rotation & Vaulting
Command Filtering
Leapfrog Prevention
DETECT
DVR & Command Line Session Recording Available
Logging of All PAM User Activity
SIEM Integration & Alerting
REPORT
Built-in Reports on All Integrated Accounts and Passwords
Metrics Displayed in Admin Dashboard
Privileged Access is Preventive & Detective
Active Directory domain admin
Windows Server Admin
Unix root
Database admin (DBA) and developer break-fix
App service accounts
Web Portals
VMware Hypervisor admin
TACACS
Corporate social media accounts
Any shared privileged account in the environment
If privileged accounts are the "Keys to the Kingdom," then PAM is the lockbox for the keys.
Managing the Keys to Running the World on Time
USE CASES TO CONTROL PRIVILEGED ACCESS
Unix Root Admin
Active Directory Domain Admin
Windows Local Admin Accounts
Developer Access To Privileged Data
Use Case: Active Directory Domain Admin (Before PAM Integration)
Domain Admin launches an RDP session from their own PC/Laptop or from another Windows server in the domain using a personal admin account.
This practice is subject to the "Pass the Hash" vulnerability whereby the domain administrator's credentials can be harvested by an attacker and used to gain privileged access to the domain.
Use Case: Active Directory Domain Admin (After PAM Integration)
Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential.
An RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials.
The Domain Admin credentials are never exposed to the administrator endpoint, which eliminates the "Pass the Hash" vulnerability.
Session is optionally recorded for audit purposes.
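The "after" state removes the credential from the admin endpoint, but the detective side listed earlier (logging of PAM activity, SIEM integration and alerting) still needs a rule that notices Domain Admin RDP logons to a Domain Controller that did not go through PAM at all. The Python below is an added example, not code from this presentation or from CA PAM; the log format, account names, hostnames, the PAM appliance address and the Domain Admins membership are all constructed assumptions.

```python
# Added example: flag interactive Domain Admin logons to a Domain Controller that
# did not originate from the PAM appliance. Everything below is constructed; it is
# not a real log format, a real environment, or code from the presentation.
import re

# Assumptions: the PAM appliance is the only approved source of Domain Admin RDP
# sessions, and these two (hypothetical) accounts are members of Domain Admins.
DOMAIN_ADMINS = {"da-trey", "da-laxmi"}
PAM_SOURCES = {"10.0.5.20"}          # hypothetical PAM appliance address
RDP_LOGON_TYPE = "10"                 # Windows RemoteInteractive (RDP) logon type

# Constructed sample of Windows Security events (4624 = successful logon),
# flattened to key=value pairs the way a SIEM forwarder might emit them.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=da-trey IpAddress=10.0.5.20 WorkstationName=PAMGW01 Computer=DC01
EventID=4624 LogonType=10 TargetUserName=da-laxmi IpAddress=10.20.33.7 WorkstationName=LT-LAXMI Computer=DC01
EventID=4624 LogonType=3 TargetUserName=da-laxmi IpAddress=10.0.5.20 WorkstationName=PAMGW01 Computer=DC02
EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=10.20.33.9 WorkstationName=BK01 Computer=DC02
EventID=4625 LogonType=10 TargetUserName=da-trey IpAddress=10.20.33.7 WorkstationName=LT-LAXMI Computer=DC01
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))

def is_pam_bypass(ev: dict) -> bool:
    """True when a Domain Admin RDP'd into a DC from anywhere but the PAM appliance."""
    return (
        ev.get("EventID") == "4624"
        and ev.get("LogonType") == RDP_LOGON_TYPE
        and ev.get("TargetUserName", "").lower() in DOMAIN_ADMINS
        and ev.get("IpAddress") not in PAM_SOURCES
    )

def find_pam_bypasses(log_text: str) -> list:
    """Return (account, source IP, workstation, target host) for each bypass found."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_pam_bypass(ev):
            hits.append((ev["TargetUserName"], ev["IpAddress"],
                         ev["WorkstationName"], ev["Computer"]))
    return hits

if __name__ == "__main__":
    for acct, ip, ws, host in find_pam_bypasses(SAMPLE_EVENTS):
        print(f"ALERT: {acct} RDP to {host} from {ws} ({ip}) outside PAM")
```

Only the second sample line fires: a successful RDP logon by a Domain Admin from a laptop rather than the PAM appliance; the network logon (type 3), the non-admin account and the failed logon (4625) are ignored.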
Use Case: Unix Root (Before PAM Integration)
No consistent method for managing Unix root passwords by the SysAdmin teams.
The Unix root passwords had to be rotated manually on a regularly scheduled interval.
No attribution for Unix root account usage.
Use Case: Unix Root (After PAM Integration)
Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required.
An SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials.
The root password is never displayed to the SysAdmin.
Command filtering prevents accidents (rm -rf *.*).
Session is optionally recorded for audit purposes.
Use Case: Developer DB Break-Fix (Before PAM Integration)
Developer escalates his database privileges temporarily (24 hours) using an IDM pre-approved break/fix workflow.
Since the developer uses his own personal user account for the escalated database access, the window of opportunity for an attacker to gain access using compromised credentials is lengthy.
Use Case: Developer DB Break-Fix (After PAM Integration)
Developer logs into the CA PAM client with 2FA and checks out a privileged database account.
A secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials.
The database password is never displayed to the developer.
Session is optionally recorded for audit purposes.
Use Case: Microsoft LAPS Console (Before PAM Integration)
Administrator launches the LAPS console from their local machine.
LAPS privileges are granted directly to the human admins via an AD group.
An adversary utilizing a compromised human admin account would be able to view local Windows admin credentials for many devices in LAPS.
Use Case: Microsoft LAPS Console (After PAM Integration)
Administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential.
CA PAM launches the LAPS console via an RDP published application.
The LAPS-enabled credential is rotated at the end of the session and once a day.
LAPS session is optionally recorded for audit purposes.
WHAT WE LEARNED WILL HELP US SCALE
DESIGN FOR HIGH AVAILABILITY
EMPOWER ADMINISTRATORS
PHASED APPROACH
AWARENESS PLANNING
Questions?
Stay connected at communities.ca.com
Thank you.
Security
For more information on Security, please visit: http://cainc.to/CAW17-Security