Tuesday, October 24, 2017

HOW DO YOU SPELL CREDENTIAL THEFT PROTECTION…EPP, NGAV, OR EPM?

 | Endpoint | 
It’s 2017 and time to realize that cyber attackers have the advantage of time, resources and motivation. They have progressed to the point where they test new tactics against the very software you likely use to detect threats in the first place. Common Anti-Virus (AV) and Endpoint Protection (EPP) suites on the market are now leveraged to refine evasion on the very desktops, laptops and servers you want to protect. While that is not new, the use of tools such as Shellter, OWASP-ZSC or Veil-evasion is changing the game. With these tools, attackers can take an exploit-capable payload and encode it so that signature-based detection by anti-virus products and other signature-based approaches fails to detect it. These shadow developers then test for detection against a few of the most prevalent AV scanners, often using the very online scanners that their targets use to protect their corporate assets.
This modernization of the attackers’ software development process has helped these miscreants deploy some of the most polymorphic software kits available. While I am not trying to draw a direct connection to newer software development approaches such as DevOps, the streamlined approaches attackers have adopted to evade detection are rather similar. As a result, traditional static signature methods for detecting viruses, malware and APTs are past their prime. Attackers are just too quick to generate a specific attack that they know you will likely not detect, because it leverages a known vulnerability you likely didn’t patch and does so with an approach that is unique to you. On top of that, it was likely validated as undetectable by the AV suite you depend upon to protect what you hold most dear.
Not going to fall for the banana in the tail pipe
I know what you are thinking, you can do better than traditional AV offered in EPP suites, right? You are saying to yourself, “We are not an organization that gets lulled into a false sense of security. (Sorry Axel Foley.) We can install advanced, next-generation AV (or NGAV) that’s powered by the cloud and provides cyber analytics and threat intelligence.”
Of course you could do this. But don’t fall for the hype. Why? There is a great quote by Chris Hoff about what to expect when you move your datacenter to the cloud: “If your security sucks now, you will be pleasantly surprised by the lack of change should you embrace the cloud.” Applying this, if you liked (or disliked) your endpoint security before, you are going to love a Next Gen platform delivered from the cloud. OK, I will admit I might have hijacked that quote to illustrate a point: just because it’s cloud-deployed doesn’t mean it’s better.
What is important to note here is that using data analytics and intelligence sourced from a community to detect the likely footprints of an attacker is indeed a great idea, as long as your analytics work 100% of the time and you have 100% of the required data to provide the context (i.e. the log data containing the digital footprints) in the first place. While your NGAV anomaly-detection system is “learning” what you do and figuring out “normal” from “abnormal,” you had best keep your fingers crossed and hope the double 100s always come up. We all know hope is not a strategy. (Better check the tailpipe.)
A defense in depth strategy is necessary when it comes to protecting endpoints on a network. Therefore, the use of EPP or the security analytics in NGAV is a complementary addition to one of the key activities that all the security frameworks identify: hardening all of your systems. In its simplest terms, system hardening is about reducing the surface of vulnerability, or the potential for vulnerability, by first understanding all software and hardware, both authorized and unauthorized, on your network.  Then secondly, taking appropriate measures to have only what is needed to operate, and third continuously monitoring for vulnerabilities, making necessary updates to OS and application software and enforcing security policies such as password changes and timeouts.  While some of these activities can be debated as other forms of security controls beyond hardening, hardening is not a one and done activity. It should be considered a continuous process of ensuring a system (and its users) has only what it needs and nothing more to do its job.
AV products on the market today and the promises of NGAV do serve a purpose in providing another layer to aid in the protection of endpoints, but they are unfortunately weakened by only detecting what they know or have data coverage and ability to see. As a point of comparison, hardening with least privilege, app control with grey listing and credential theft protection reduces the attack surface far more significantly. Many cyber frameworks (including CIS critical controls framework) and industry analysts agree that implementing hardening is the most effective action to prevent malware. According to a recent Gartner report, “Endpoint hardening, including vulnerability, patch, privilege and policy management, and application control, is currently the most effective form of malware defense; however, most organizations are unwilling or unable to invest in the upfront effort required to reduce the attack surface.” (The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization, 22 September 2016).
Why is system hardening so important?
System hardening across all of your endpoints is a necessary step (or set of steps, as previously outlined): first get an understanding of all assets, both hardware and software, and then take measures to reduce the attack surface by reducing the possible attack vectors. Hardening activities do not tie you to known attacks and, in fact, do not look for specific attackers. Hardening brings you back to the basics to protect access to what attackers aim to steal: “privilege.” In fact, SANS’ most recent security survey identified credential compromise as the ultimate goal of attackers, and the report noted that privilege escalation caused the most impact. There is a step in the process of every attack that attackers strive to achieve: escalating privileges. The reason is simple: if the attacker has administrative-level control over a resource, they stand a better chance of accomplishing their objective.
The most common approach to gaining more privileges is credential theft against an administrative or privileged user account. Malware targets the credential stores on Windows systems, harvesting credentials from the login process (LSASS), the Windows SAM, various email clients, SSH terminal sessions and browser-stored credentials. Examples that carry out this harvesting are the phishing-delivered HawkEye keylogger and the often file-less, PowerShell-assisted Mimikatz attacks. With a hardening strategy in place, the attacker’s ability to execute a targeted attack using either of these vectors, including the “living off the land” style that runs Mimikatz from memory through PowerShell, is severely diminished. Microsoft, to its credit, acknowledges this problem and has addressed part of it with Windows 10 Credential Guard, which uses virtualization-based security to isolate the secrets held by LSA (NTLM hashes and Kerberos tickets). It is a partial solution: it does not cover the other credential stores listed above, and attackers have found ways around it.
We have spoken previously about the value of least privilege and about application control. Using these tactics can prevent many malware attacks from playing out.  However, having an “assume breach” and “defense in depth” mindset, combined with credential store protection as a further hardening measure (which has the ability to detect and block selectively at the application process level), gives you a way to severely deter and contain an attack at the point of intrusion. The attacker would not have the ability to obtain the required credentials to pivot to another system. By way of introduction, CyberArk Endpoint Privilege Manager offers credential theft protection that helps you to spell relief around credential theft.
To illustrate one of the more common credential theft attack vectors, I’ve included an example below of how a “living off the land,” file-less type of attack using PowerShell to load Mimikatz remotely is subsequently thwarted once CyberArk Endpoint Privilege Manager with credential theft protection is activated.
The dialog above depicts how PowerShell is used to load Mimikatz and then successfully grab credentials from the LSASS process on Windows.
Once CyberArk Endpoint Privilege Manager activates credential theft protection on the LSASS process, the same attack simply fails.
Every attempt made to harvest credentials is captured within the CyberArk Endpoint Privilege Manager Eventlog. The dialog above showcases how both detect and block events on LSASS were logged within the CyberArk Endpoint Privilege Manager console.
Configuring credential theft protection within CyberArk Endpoint Privilege Manager is simple, providing granular control over various credential stores as depicted in the dialog below.
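The demo above shows the attempt from the attacker’s side and the block from the product’s side. Whether or not a product like this is in place, the same attack leaves a trace a detection engineer can look for: a process opening a handle to lsass.exe with memory-read rights. The following is an added example, not code from this post or from CyberArk, that triages Sysmon Event ID 10 (ProcessAccess) records for that pattern. It assumes Sysmon is deployed with a ProcessAccess rule covering lsass.exe; the allowlist of processes expected to read LSASS and the sample records are constructed for illustration and are not real telemetry.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for memory reads against LSASS.

Added example, not CyberArk code. Assumes Sysmon logs handle opens against lsass.exe
and that the records are available as 'Key: Value' text blocks (as exported from Event Viewer).
"""
import re

# Windows process access rights (winnt.h) that matter for credential dumping.
PROCESS_VM_READ = 0x0010            # required to read another process's memory
PROCESS_ALL_ACCESS_MASK = 0x1FFFFF  # full access, as Sysmon renders it

# Processes that legitimately read LSASS memory in this (assumed) environment.
# Tune per estate; an over-broad allowlist is the classic blind spot.
BENIGN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_event(block):
    """Turn one 'Key: Value' record into a dict; the first colon separates key from value."""
    fields = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def classify(ev):
    """Return a reason string if the record is an unexpected LSASS memory read, else None."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    # Without VM_READ (or full access) the handle cannot dump memory. 0x1000 alone is
    # PROCESS_QUERY_LIMITED_INFORMATION, which Task Manager and the like use harmlessly.
    if granted != PROCESS_ALL_ACCESS_MASK and not granted & PROCESS_VM_READ:
        return None
    # Sysmon prints UNKNOWN(address) for call-stack frames in memory not backed by a file
    # on disk, which is what a reflectively loaded Mimikatz inside PowerShell looks like.
    if "UNKNOWN(" in ev.get("CallTrace", ""):
        return "memory-read handle to LSASS from code not backed by a file on disk"
    if ev.get("SourceImage", "").lower() not in BENIGN_LSASS_READERS:
        return "memory-read handle to LSASS from a process not on the allowlist"
    return None


def triage(log_text):
    """Split a text dump into records; return (source, access mask, reason) per suspicious one."""
    hits = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ev = parse_event(block)
        reason = classify(ev)
        if reason:
            hits.append((ev.get("SourceImage", "?"), ev.get("GrantedAccess", "?"), reason))
    return hits


# Constructed sample records (not real telemetry): PowerShell loading Mimikatz from memory,
# Defender doing a routine scan, Task Manager querying, and a dumping tool with full access.
SAMPLE_EVENTS = r"""
Event ID: 10
UtcTime: 2017-10-24 14:02:11.114
SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1010
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+20edd|UNKNOWN(000000001B4F2A10)

Event ID: 10
UtcTime: 2017-10-24 14:03:40.002
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+20edd|C:\Program Files\Windows Defender\MpSvc.dll+4d2f1

Event ID: 10
UtcTime: 2017-10-24 14:05:02.770
SourceImage: C:\Windows\System32\Taskmgr.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+20edd|C:\Windows\System32\Taskmgr.exe+1e3a2

Event ID: 10
UtcTime: 2017-10-24 14:07:19.300
SourceImage: C:\Users\jdoe\Downloads\procdump.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1fffff
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+a5594|C:\Windows\System32\KERNELBASE.dll+20edd|C:\Users\jdoe\Downloads\procdump.exe+1a7c0
"""

if __name__ == "__main__":
    for source, access, reason in triage(SAMPLE_EVENTS):
        print(f"{access}  {source}\n    {reason}")
```

Two of the four constructed records are flagged: the PowerShell process (unbacked code in the call stack, regardless of allowlisting) and the downloaded dumping tool (full access from a process nobody approved). Defender passes because it is allowlisted and its stack is file-backed; Task Manager passes because a 0x1000 handle cannot read memory at all. The call-stack check matters because an attacker who injects into an allowlisted process would otherwise slip through.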
If you are ready to get “back to basics” and see what credential theft protection can do for you, request a demo of CyberArk Endpoint Privilege Manager, the first Privileged Account Security solution for every desktop, laptop and server with credential theft protection built-in.

Editor’s note: Click here to listen to Laura Melton, senior information technology associate at Texas A&M University College of Architecture, about the importance of removing local administrator rights to strengthen endpoint security using CyberArk Endpoint Privilege Manager.

THE WHYS AND WHEREFORES OF AUTOMATING PRIVILEGED TASKS


 | Security and Risk | 
Task can be defined as:
noun 1.  A piece of work that needs to be done regularly.
verb  2.  Assign a piece of work to.
IT operations teams are often inundated with menial, regular and repetitive tasks (e.g. trigger events, running daily monitoring activities and starting services) that can not only be damaging to the business when done incorrectly, but also hinder productivity. By limiting the number of tasks assigned to IT and enabling greater access to automation capabilities, performance and productivity can be significantly improved. In parallel, it’s important to protect your environment from risks such as the abuse or misuse of privileged access (insider threats), service outages caused by human error (typos) and third-party/remote vendor vulnerabilities (external threats).
Automation can be defined as:
noun 1.  The technique, method, or system of operating or controlling a process by highly automatic means, as by electronic devices, reducing human intervention to a minimum.
I recently addressed the importance of locking down the remote vendor attack pathway, as this is often an easy target for cyber attackers. By automating privileged tasks (any task to be performed by a privileged user), you can lessen potential vulnerabilities in process workflows both utilized by internal users and remote vendors alike. Once you fully automate a privileged task, you’re not only simplifying privileged account security processes, but also helping to ensure your remote vendors (who might have access to critical servers, endpoints and applications) will not inadvertently make an error that could lead to a serious security risk.
Additionally, in the DevOps world, orchestration tools are automating tasks across workflows, taking this role from IT operations and vendors – even for some systems that are no longer in existence. In the on-premises world, organizations still rely on vendors and support staff to perform tasks on an ad-hoc, often sporadic basis. Ideally, organizations should allow all of these tasks to be performed while a complete and correlated audit trail is generated automatically.
CyberArk solutions enable audit and operations teams to monitor and record the task management and automation of related activities as well as promote user accountability across the board. Users can automate maintenance and provisioning of tasks, (re)start and stop services, and only launch the applications or clients necessary to perform the task at hand – and nothing else. Users can also automate deployments through remote SSH command execution on target systems in both on-premises and cloud environments – all while maintaining the highest security standards. This functionality enables users to place restrictions on what privileged users are allowed to do with an organization’s most critical assets.
So How Does it Work?
Let’s walk through a simple example. A local Windows Server Administrator account has been on-boarded into the CyberArk Vault, and the usage of this privileged account has been limited to only a handful of allowed operations.
Full access to the server is not permitted, the user can only manage a list of services running on that server.
The user selects “Restart Service” and is then prompted to select the service to be managed, which can be pre-populated or added as a part of a drop-down list to further limit the control the user has over this account and the server.
 
After the user clicks ‘OK,’ the service will restart. Through the CyberArk Privileged Session Manager, a full audit trail is created capturing the completed actions by each privileged user. Any abnormal behavior, abuse of privileges or any other privileged activities associated with that privileged task will be on record and immutably stored in a tamper resistant vault. Sessions can be monitored in real time or later reviewed by a member of the audit team to improve security and support compliance regulations.
Whether your tasks ‘need to get done regularly’ or they’re something you ‘assign a piece of work to,’ it’s in your best interest to introduce automation controls. The example above shows how easily this can be done. Organizations today mostly exist in a ‘do more with less environment’ so it’s a best practice to automate simple privileged tasks to keep a high level of security and enable IT operations teams to focus on workloads that deliver more value to the organization.
Learn more about privileged task automation and management by watching our on-demand webinar, “Curse of the Typo! Automate Repeated Tasks to Improve Efficiency and Reduce Risk Around User Mistakes.”  You can review the on-demand version of the webcast at any time.

LOCKING DOWN THE REMOTE VENDOR ATTACK PATHWAY THROUGH PRIVILEGED ACCOUNT SECURITY


 | Security and Risk | 
Remote vendors are everywhere, and they’re not limited to help desk services, storage and application service providers or other IT-focused MSPs. Let’s not forget about the other vendors a company typically works with: law firms, public relations firms, HVAC, trucking companies, supply chain vendors, services companies; the list goes on. Organizations both large and small grant third-party vendors access to their network and applications as a necessary means to do business. However, in doing this, they also introduce a potential new pathway for cyber attacks. This pathway can be especially vulnerable given that the security controls for third-party vendors are typically not held to the same standards as those followed internally by an organization.
Locking down privileged credentials for remote vendors is a critically important step in minimizing the attack surface. A recent report showed that 67 percent of organizations had experienced a data breach that somehow tied back to a third-party vendor. This is a clear indication that attackers continue to look at third parties as an easy way to gain a foothold into a network, move laterally, escalate privileges and eventually gain access to their target assets. Before engaging with third-party vendors, organizations should fully vet each one and consider the potential risks the vendor might introduce to their business.
Mitigating Risks Associated with Remote Vendors
The first step in mitigating risks associated with remote vendor access is an obvious one – identify all third parties that have access into your internal systems. This can represent a complex ecosystem for some organizations. The number of vendors given access to systems and applications continues to increase year-over-year widening the threat landscape for attacks – and somehow remote vendor access management is still not considered to be of high priority for many organizations. CyberArk has a free tool that discovers privileged user accounts and credentials provisioned by your organization as well as those created by third parties (that perhaps you didn’t even know existed).
Organizations should be able to safely provide their remote vendors with access to the resources they need without exposing any user credentials, and at the same time without introducing too many hoops for them to jump through. Storing passwords, SSH keys and other credentials associated with your third-party privileged accounts in a single, secured vault is how you can provide the required level of access without burdening the end user. Keeping a close eye on all privileged activity within your environment is accomplished through session isolation, monitoring and recording. Doing this secures all internal and external users and holds them to a baseline level of accountability. More importantly, by adding this separation layer between the end user and the target systems, you enable users to complete their tasks without ever handling the credentials of critical systems. To the end user, everything appears normal, but an attacker who compromises a vendor’s workstation does not obtain reusable credentials for the target systems, which makes moving laterally across the environment or spreading malware to the organization’s systems far harder.
Putting the Right Tools in Place
What about those regular and mundane manual tasks that can be inadvertently damaging to the business? Remember that recent public cloud outage where a routine debugging exercise went haywire, leading to a six-hour meltdown caused by one simple little typo? Automated privileged task management (both in the cloud and on-premises) safeguards your remote vendors and internal users alike by automating manual, sometimes critically sensitive privileged tasks while simultaneously improving workflow productivity. How would you respond to high-risk commands and tasks that can lead to a mix-up like the example above? With the right analytics tools in place, you can pre-define high-risk commands that are unique to your organization and automatically notify the necessary security teams to take action when those commands have been executed. Furthermore, these tools can help you to detect and even disrupt in-progress attacks through both heuristic and behavioral threat detection capabilities.
The CyberArk Privileged Account Security Solution can help minimize the threat associated with third party vendor management. Controlling and auditing each vendor’s access can be resource-intensive, causing meaningful activities to get lost in the shuffle. Therefore, it’s recommended to start with the areas that have the highest risk, such as access, privileged access and critical assets. CyberArk enables organizations to securely lock down remote vendor access and put the necessary security controls in place to enable third parties to safely complete tasks.
Learn more by downloading the Securing Remote Vendor Access with Privileged Account Security white paper. See how CyberArk can help to identify vulnerabilities in your organization and how you can better secure your privileged accounts against targeted attackers.

FIVE THINGS TO KNOW ABOUT RANSOMWARE


 | Security and Risk | Videos | 
With WannaCry barely in the rear view mirror, ransomware was back in the spotlight with a new malware dubbed NotPetya. We can expect to see new ransomware strains as advanced attackers continue to evolve their tactics, and the ramifications for business will be significant if proactive measures are not taken. In previous posts, we’ve deconstructed ransomware and offered mitigation tips. To protect your organization, it’s important to be informed and have baseline knowledge.
Here are five things to know about ransomware:
  1. What is ransomware? Ransomware is a type of malicious software, or malware, that denies access to files and data until a ransom is paid. There are two distinct types of ransomware. The most common is crypto ransomware, which encrypts sensitive data and files until a ransom is paid. The other type, locker ransomware, locks a device, completely preventing the victim from using it. In most cases, ransomware encrypts personal files, blocking users from accessing them. Victims are given instructions on how to pay the requested ransom, and only after doing so, are they given a decryption tool that will unlock the files.
  2. How does ransomware encryption work? A well-designed ransomware strain uses asymmetric (public-key) cryptography, which relies on a pair of keys, one public and one private. Data encrypted with the public key can be decrypted only with the matching private key, which the attacker keeps off the victim’s machine. In practice the strain usually works as a hybrid: each file is encrypted with a fast symmetric cipher such as AES under a freshly generated key, and that key is in turn encrypted with the attacker’s public key, so nothing recoverable from the infected system is enough to decrypt the files.
  3. How do victims pay cyber ransoms? Ransoms are typically paid in the cryptocurrency Bitcoin because of its pseudonymity and the difficulty of tracing payments back to a real-world identity.
  4. How much is a typical ransom? Requested ransom amounts vary wildly. In the WannaCry attacks, victims were asked to pay between $300 and $600 in Bitcoin to have their files unlocked. This may not seem like much, but it’s important to consider the other, more severe costs of such attacks: the downtime caused by lack of access to systems. Shockingly, it was recently reported that a South Korean web hosting provider paid $1 million in Bitcoin to attackers after Linux ransomware infected its servers and encrypted the website data hosted on them. That is a big jump from the amount the Hollywood Presbyterian Medical Center reportedly paid last year (about $17,000).
  5. How do I mitigate risk? Ransomware prevention measures can seem particularly daunting, because administrator rights are not always required for some of today’s advanced strains of malware to compromise an end user’s machine and infect the endpoint. This means that while privilege management can play a role in mitigating risk, many strains of ransomware can encrypt data using standard user rights. So even if an organization has removed local administrator rights, this doesn’t necessarily mitigate the risk. However, testing at CyberArk Labs demonstrated that application control, including greylisting, coupled with the removal of local administrator rights, was 100 percent effective across the samples tested in preventing ransomware from encrypting files.
Watch this CyberArk Brief and learn how to proactively protect against ransomware.

PRIVILEGED ACCESS MANAGEMENT: A MATRIX APPROACH FOR ACCOUNT RANKING AND PRIORITIZATION

 | Guest Blogs | 
Throughout the course of my six years in helping KPMG clients with their Privileged Access Management programs, there has rarely been a simple answer to the critical questions of exactly which privileged accounts in an environment should be integrated first (e.g., application/infrastructure/personal accounts), and exactly how we should control each type of privileged account. The ways an organization can control privileged accounts using a solution like CyberArk can vary greatly (e.g. vaulting, password rotation, brokering, etc.).
A common approach to password management treats all vaulted credentials with the same level of control measures; this is typically a symptom of the lack of a risk-based approach to assigning criticality to accounts. Alternatively, we also see cases of wild inconsistency in the way passwords are managed, typically because it is left up to the individual platform owners to pick and choose the security controls that suit them. This is typically an indication of a lack of defined PAM standards that can be applied enterprise-wide. When developing strategies and roadmaps for KPMG clients, our teams apply an “Account Criticality Matrix” to help answer these questions. This matrix is designed to standardize the way we rate and weigh the criticality of a given account. It includes a set of predefined criteria that we tailor to meet the unique needs of each organization. Example criteria in the Account Criticality Matrix include:
*   Number of individuals that have access to a given privileged credential
*   Frequency of account usage
*   Potential to access sensitive data
*   Scope of privilege across single/multiple systems or platforms
*   Control level granted
Based on the numerical scoring derived from the Account Criticality Matrix, we then begin to build a profile of what an organization would consider a “high-risk” account versus a “low-risk” account.  This profile helps on numerous fronts.  First, it allows for consideration of account types that typically would not be considered as true “privileged” accounts.  For example, many application or service accounts are inadvertently excluded from management in organizations due to a lack of understanding of enterprise privileged account definitions by the application owner.  In the absence of pre-defined account prioritization criteria, those owners are left to decide what constitutes a “privileged” account or not.  Many will opt for the latter without prescribed guidance.  The matrix will allow an organization to take any account type and provide a standardized metric to determine whether it meets the criteria to be integrated into CyberArk.
The second benefit is the standardization of account controls across the organization based on the calculated account criticality.  Depending on licensing and hardware limitations, recording all privileged accounts may not be feasible.  Based on a pre-defined policy, an organization could mandate that only “high” rated accounts require dual control and PSM recording, but periodic password rotations of “medium” rated credentials are sufficient.
Thirdly, combining knowledge of “high” severity accounts and implementation effort can provide a window to prioritization of the path of integration.  When various stakeholders ask why the decision was made to start with default local accounts first and not their specialized application, you can point them not only to the fact that those accounts rated as high based on the user base, scope of privilege, and access granted, but also because the implementation effort was lowest for those accounts.
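To make the scoring concrete, here is an added example (not part of the original post and not KPMG’s or CyberArk’s methodology) that rates a handful of constructed accounts against the five criteria listed above, maps the weighted score to a control tier, and orders onboarding by criticality and then by implementation effort, which is the rationale given for starting with default local accounts. The weights, the 1-to-3 rating scale, the tier thresholds and the per-tier control lists are assumptions chosen for illustration; the post’s one concrete policy, that “high” accounts require dual control and PSM recording while “medium” accounts get periodic rotation, is reflected in TIER_CONTROLS.

```python
"""Account Criticality Matrix: weighted scoring, tiering and onboarding order for privileged accounts.

Added example, not KPMG or CyberArk code. Weights, rating scale, thresholds, tier controls and
the sample accounts are assumptions for illustration.
"""
from dataclasses import dataclass

# The five criteria named in the post. Each is rated 1 (low), 2 (medium) or 3 (high).
# Weights are an assumption: data exposure and breadth/depth of privilege count the most.
WEIGHTS = {
    "users_with_access": 2,  # number of individuals who can use the credential
    "usage_frequency": 1,    # how often the account is used
    "sensitive_data": 3,     # potential to reach sensitive data
    "privilege_scope": 3,    # single system vs. many systems or platforms
    "control_level": 3,      # read-only vs. full administrative control
}
RATING_SCALE = (1, 2, 3)
MAX_SCORE = max(RATING_SCALE) * sum(WEIGHTS.values())  # 36 with the weights above

# Assumed policy mapping tier -> mandated controls. The post's rule is kept: "high" requires
# dual control and PSM recording, "medium" requires periodic rotation.
TIER_CONTROLS = {
    "high": ("vaulting", "password rotation", "dual control", "PSM session recording"),
    "medium": ("vaulting", "periodic password rotation"),
    "low": ("vaulting",),
}


@dataclass
class Account:
    name: str
    ratings: dict
    effort: int  # onboarding effort estimate, 1 (trivial) to 3 (hard); assumed scale


def score(ratings):
    """Weighted sum over all criteria; refuses incomplete, unknown or out-of-range ratings."""
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"unrated criteria: {sorted(missing)}")
    for crit, value in ratings.items():
        if crit not in WEIGHTS:
            raise ValueError(f"unknown criterion: {crit}")
        if value not in RATING_SCALE:
            raise ValueError(f"{crit} rated {value}, expected one of {RATING_SCALE}")
    return sum(WEIGHTS[c] * ratings[c] for c in WEIGHTS)


def tier(points):
    """Map a score to a tier; the 70% / 45% thresholds are an assumption."""
    share = points / MAX_SCORE
    if share >= 0.70:
        return "high"
    if share >= 0.45:
        return "medium"
    return "low"


def prioritize(accounts):
    """Onboarding order: most critical first, ties broken by lowest implementation effort."""
    rows = []
    for acct in accounts:
        pts = score(acct.ratings)
        rows.append((acct.name, pts, tier(pts), acct.effort))
    return sorted(rows, key=lambda r: (-r[1], r[3]))


# Constructed accounts for illustration; the ratings are invented.
SAMPLE_ACCOUNTS = [
    Account("Local Administrator (default, Windows servers)",
            dict(users_with_access=3, usage_frequency=2, sensitive_data=2, privilege_scope=3, control_level=3), effort=1),
    Account("SAP application service account",
            dict(users_with_access=1, usage_frequency=3, sensitive_data=3, privilege_scope=2, control_level=2), effort=3),
    Account("Domain Admin (named personal account)",
            dict(users_with_access=1, usage_frequency=2, sensitive_data=3, privilege_scope=3, control_level=3), effort=2),
    Account("Database backup account",
            dict(users_with_access=2, usage_frequency=1, sensitive_data=3, privilege_scope=1, control_level=2), effort=2),
    Account("Build server read-only repository account",
            dict(users_with_access=1, usage_frequency=3, sensitive_data=1, privilege_scope=1, control_level=1), effort=1),
]

if __name__ == "__main__":
    for name, pts, level, effort in prioritize(SAMPLE_ACCOUNTS):
        print(f"{pts:>2}/{MAX_SCORE}  {level:<6} effort={effort}  {name}")
        print("       controls:", ", ".join(TIER_CONTROLS[level]))
```

With these assumed weights the default local administrator lands at 32/36, ahead of the named Domain Admin account (31) and the SAP service account (26), all three “high”; the backup account is “medium” (23) and the read-only build account “low” (14). The service account is scored exactly like every other account, which is the first benefit the post describes: an application owner no longer decides by instinct whether it counts as privileged. The strict validation in score() is deliberate, because a criterion left unrated would silently lower the total and demote the account.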

Art Chaisiriwatanasai is a Director within KPMG’s Chicago office and is a member of their IT Advisory – Cyber practice. Art has in-depth experience in information security focusing on privileged access management, security operation center implementations, vulnerability management, risk assessment, and incident response initiatives.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates.
© 2017 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. [Printed in the US].The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

GET YOUR ENTERPRISE READY FOR GENERAL DATA PROTECTION REGULATION (GDPR)


The General Data Protection Regulation (GDPR) is said to be one of the most important changes to data privacy regulation within the past two decades. The primary purpose of GDPR is to reinforce the personal data rights of all individuals residing within the European Union and to harmonize the way member states enforce data protection across this geography. The fact of the matter is, most people today do not trust businesses with their personal data, and honestly, who can blame them?
Significant personal data breaches continue to dominate headlines. Most organizations are not taking security seriously enough with some even admitting they are well aware of existing security gaps but deliberately look the other way to keep business costs down and maintain a higher profitability. As we’ve seen over the past few months, the media has highlighted both the financial and reputational implications with being caught in non-compliance – and for good reason.
GDPR will affect organizations globally. If an organization is found to be non-compliant, it faces fines of up to €20 million or 4 percent of total global annual turnover, whichever is greater. Moreover, there are equally serious reputational risks such as significant brand damage and loss of both consumer trust and loyalty. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.1 This begs a very important question: is your enterprise really ready?
What to Know and Understand
Understand where personal data resides within your organization. Personal data is any information relating to an identified or identifiable person: a name, an address, location data, an online identifier, health information, income, cultural profile and more. Enterprises should map their data flows in a prioritized manner, starting from the top down with whatever is considered to be of high risk and with whatever business processes involve gathering, processing and protecting sensitive personal data. CyberArk solutions will help an enterprise lock down the access both human and non-human users have to critical systems and applications, but before you can do that, you really need to first identify where exactly the data resides within your organization. Additionally, any personal data that no longer serves a legitimate business purpose needs to be deleted. Backups and duplicate copies of personal data files might land you in the hot seat if you don’t manage your data subjects’ ‘right to erasure’ correctly.
Get a handle on your supply chain. One important change in GDPR that was absent from its predecessor (the Data Protection Directive) is the new direct legal obligations for data processors. This change brings potential litigation and damage claims directly from data subjects, whereas before, data processors really only needed to concern themselves with the contractual agreements they had in place with their data controllers. Once GDPR goes into enforcement, both controllers and processors will need to demonstrate that they were not responsible in the event of a breach. You might have the most comprehensive GDPR strategy in place with all the necessary tools and components to protect your personal data, but substantial risk still resides within your third-party vendor supply chain. There needs to be a greater degree of transparency across the supply chain, with a shared responsibility for securing personal data.
Additional Considerations
Given that GDPR is a very complex and far-reaching regulation that cannot be solved overnight, it’s best to not boil the ocean. Take a pragmatic approach. One of the first and most critical steps for enterprise-level organizations is to partner with an advisory consultant. Most consultancies offer GDPR-specific workshops, detailed assessments, regular testing and actionable guidance. They’ll work with your team to put in place the necessary personnel, processes and technology that align with whatever is your most optimal strategy to maintain compliance with this regulation.
I previously discussed five ways CyberArk can help you address GDPR, highlighting some of the key articles within the regulation and how CyberArk can help mitigate the risk of non-compliance. It's well understood that GDPR compliance cannot be achieved with a single security vendor; it's a team effort. CyberArk customers also have access to our C3 Alliance Technology Program, which provides a wide range of integrations with security solution providers from around the world. These integrations enable an organization to build a much more comprehensive GDPR solution and to get more value from existing security investments.
Take the first step and download the Security Checklist for Securing Personal Data to get your enterprise ready for GDPR. Visit the CyberArk GDPR solution web page for more information on how privileged account security plays a critical part in safeguarding sensitive personal data.
Don’t get caught in the crosshairs of GDPR non-compliance. Get your enterprise ready before time runs out.
1 Gartner Press Release: “Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation,” May 3, 2017. gartner.com/newsroom/id/3701117

SECURING YOUR CLOUD ENVIRONMENT: SIX CRITICAL USE CASES TO CONSIDER


 | Security and Risk | 
Migration to the cloud continues to accelerate as organizations increasingly take advantage of its many benefits—from efficiency and flexibility to competitive advantage and strategic value. In fact, 74 percent of chief financial officers at technology companies say cloud computing will have the most measurable impact on their business this year.
Here are some industry stats and predictions around this movement:
  • Cloud computing spending has grown at 4.5 times the rate of IT spending since 2009 and is expected to grow at better than 6 times the rate of IT spending from 2015 through 2020. (Source: IDC White Paper, sponsored by Salesforce, The Salesforce Economy: Enabling 1.9 Million New Jobs and $389 Billion in New Revenue Over the Next Five Years, September 2016)
  • The worldwide public cloud services market will grow 18 percent in 2017 to $246.8B, up from $209.2B in 2016. (Source: Gartner1)
  • By the end of next year, spending on IT-as-a-Service will be $547B. (Source: Deloitte)
  • Platform-as-a-Service (PaaS) adoption is predicted to be the fastest-growing sector of cloud platforms, growing from 32 percent adoption in 2017 to 56 percent by 2020. (Source: KPMG)
  • Microsoft Azure adoption increased from 26 percent in 2016 to 43 percent in 2017, while AWS adoption increased from 56 percent to 59 percent. (Source: RightScale)
The business benefits of the cloud are very real, but so are the vulnerabilities that exist within cloud workloads such as unprotected privileged accounts, credentials and secrets. That’s why security must play an integral role in any cloud strategy and be viewed as a shared responsibility between public cloud vendors and their customers. This is particularly important as more organizations leverage cloud to save on costs, access on-demand compute and turn to DevOps processes to increase their business agility.
While each organization’s cloud journey is different, there are a number of best practices that will likely need to be addressed to help ensure cloud workloads and infrastructures are secure. Our just-released eBook, 6 Key Use Cases for Securing Your Organization’s Cloud Workloads, outlines several important approaches organizations should take to secure their cloud workloads. The use cases are based on our experience working with customers in the field. Download it for free and visit cyberark.com/cloud for more information about how CyberArk can help your organization secure its cloud environments.

1 Gartner Press Release, Gartner Says Worldwide Public Cloud Services Market to Grow 18 Percent in 2017, February 2017, http://www.gartner.com/newsroom/id/3616417

THREE KEY STEPS FOR LOCKING DOWN CRITICAL PRIVILEGED ACCOUNTS


 | Security and Risk | 
Let’s cut to the chase: most IT professionals understand that cyber attacks will happen; it’s simply a matter of when. Nearly every major breach shares a common denominator: compromised privileged accounts. They are an essential element of the attack lifecycle and must be secured.
I recently presented a webcast on three key steps organizations can take to protect their most critical privileged accounts. Here’s an overview of each of these steps:
Take Control: Locking Down Credentials and Endpoints
Locking down credentials and endpoints is a crucial first step in an environment that does not have privileged credential security in place. The hardest part is figuring out where to start. You’ll need to identify and prioritize which accounts present the greatest risk and therefore need to be locked down first.
  • Credentials. The first step is to figure out exactly where your account credentials actually “live” within your environment. Only then can you understand which ones need to be locked down immediately and which can be de-provisioned. For example, your organization may currently have 150 separate domain admin accounts that can feasibly be trimmed down to one or, at the minimum, just a handful.
  • Endpoints. They continue to be attractive entry points for attackers. Identifying users with local administrator rights and removing those rights is a critical first step in securing your organization’s endpoints. From there, you can apply policies to those endpoints, for example dictating which applications may run with administrative privileges and which may not. Least privilege and application control are best practices to follow and a strong defensive combination.
Often, the discovery process is easier said than done. The average organization has three to four times more privileged accounts than employees. Tools such as CyberArk DNA can help streamline the arduous process of discovering privileged accounts, on-premises or in the cloud, assessing privileged account security risks so you can prioritize actions, and identifying accounts with local admin rights. Using such a tool, you can also pinpoint embedded and hard-coded credentials stored within applications and uncover which machines are exposed to credential theft attacks such as credential harvesting, Pass-the-Hash, Overpass-the-Hash and Golden Ticket. Discovery tools are particularly helpful in cloud environments. For example, in AWS or Azure, organizations can quickly find and identify cloud identities and credentials, such as AWS IAM roles, users, access keys and EC2 key pairs.
Once you identify where these credentials are, you can take ownership and action by placing them in a secure space or vault.
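As an added example (not CyberArk DNA and not code from the page), here is the pattern-based part of the hard-coded credential discovery described above, run over constructed sample files held in memory. The regular expressions, the placeholder list and the sample file contents are assumptions for illustration; the AWS key strings are Amazon's published example values, not live credentials. Findings are redacted before they are reported, because a discovery report is itself a map of where secrets live.

```python
"""Added example: the pattern-based part of a hard-coded credential discovery
pass, run over constructed sample files. This is not CyberArk DNA; it only
shows the kind of check such a pass performs."""
import re
from collections import namedtuple

# Patterns are illustrative assumptions: AWS access key IDs have a fixed prefix
# and length, AWS secret keys are 40 characters, PEM private keys carry a
# well-known header, and "password = ..." assignments cover the common case.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"#;]{4,})"),
}

# Values that are placeholders rather than secrets; skipping them cuts noise.
PLACEHOLDERS = {"changeme", "<password>", "${password}", "xxxx", "none", "null"}

Finding = namedtuple("Finding", "path line_no kind snippet")


def redact(value):
    """Keep just enough of a value to locate it; the report is itself sensitive."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(path, text):
    """Scan one file's contents and return a list of redacted findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "password_assignment" and value.lower() in PLACEHOLDERS:
                continue
            findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files):
    """files maps path -> contents; a real pass would walk shares and repos."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files. The AWS values are Amazon's published example
# strings, not live credentials.
SAMPLE_FILES = {
    "app/config.ini": "[db]\nhost=db01\nuser=svc_app\npassword=Sup3rS3cret!\n",
    "deploy/aws.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                       "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "ops/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "(key material omitted from this constructed sample)\n"
                   "-----END RSA PRIVATE KEY-----\n"),
    "docs/README.md": "Set password=changeme in the sample config before first run.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.snippet}")
```

Pattern matching is only the cheap first pass: it misses secrets that do not look like secrets (an obfuscated string, a credential in a binary) and needs an allow-list of placeholders to stay usable, so treat the output as a worklist for the vaulting step rather than a complete inventory.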
Isolate and Control Sessions
Once all of these critical accounts are located within a vault, it’s time to turn your attention to usage control. In today’s collaborative environment, many people need access to privileged accounts, from third-party contractors to temporary employees and more. Solutions such as CyberArk Privileged Session Manager can help manage and monitor privileged account sessions without impacting the end-user experience or disrupting system administrators’ workflow. It allows users to connect to target systems within their environment via an agentless jump server. This isolates the user from the target systems’ passwords (ensuring credentials never reach endpoints) while enabling authorized access so s/he can perform necessary duties. Meanwhile, the secure vault keeps the passwords hidden and protected and rotates them (either each time they are used or on a set schedule). Monitoring and recording capabilities enable security teams to track user activity, pinpoint suspicious privileged sessions and immediately terminate them, as needed.
A key added bonus is that organizations can continue to use native tools such as PuTTY, Remote Desktop Connection Manager and the like. These tools can be configured to go through the CyberArk proxy channels to reach the target systems without introducing much latency between the user and the job they are there to do.
Keep a Watchful Eye
The last step is keeping a watchful eye and making sure that you understand where anomalies are actually taking place in the day-to-day routine. For example, does John typically work from 8:00 to 5:00, but suddenly starts to check out passwords at 2:00 a.m.?  Was that really even John, or was it someone else?  Or, what if John normally checks out 10 to 15 passwords per day, then all of a sudden he starts checking significantly more?
But it’s not just user behavioral analytics—it’s also environmental. What happens if we can detect the very first time that someone is able to compromise the system by brute-forcing their way in as an administrator or another admin account?  Or creating a backdoor account and then logging into it at strange hours?
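The detections described in the two paragraphs above, as an added example rather than CyberArk Privileged Threat Analytics' own logic: a baseline of each user's checkout hours and daily checkout volume is learned from history, then the evaluation period is checked for off-hours checkouts, checkout spikes, a burst of failed logons against an admin account, and a logon to an account that was created during the period and has no history. The record format, the thresholds and every audit record are constructed for illustration.

```python
"""Added example: detection logic for the anomalies described above, run over
constructed audit records. Record format and thresholds are assumptions, not a
CyberArk Privileged Threat Analytics format."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def rec(ts, user, event, target=None):
    """One audit record: who did what, when, and against which account."""
    return {"ts": ts, "user": user, "event": event, "target": target or user}


def build_baseline(records):
    """Per user: the set of hours in which checkouts were seen and the average
    number of checkouts per active day."""
    hours = defaultdict(set)
    per_day = defaultdict(Counter)
    for r in records:
        if r["event"] == "checkout":
            hours[r["user"]].add(r["ts"].hour)
            per_day[r["user"]][r["ts"].date()] += 1
    return {u: {"hours": hours[u],
                "avg_per_day": sum(per_day[u].values()) / len(per_day[u])}
            for u in hours}


def detect(records, baseline, spike_factor=3.0,
           brute_threshold=10, brute_window=timedelta(minutes=5)):
    """Return (alert_type, subject, when) tuples for the anomalies found."""
    alerts = []
    counts = defaultdict(Counter)   # user -> day -> checkouts
    failures = defaultdict(list)    # target account -> recent failure times
    created = {}                    # account -> creation time

    for r in sorted(records, key=lambda r: r["ts"]):
        u, ev, ts = r["user"], r["event"], r["ts"]
        if ev == "checkout":
            counts[u][ts.date()] += 1
            base = baseline.get(u)
            # "Does John usually work 8 to 5 but check out passwords at 2 a.m.?"
            if base and ts.hour not in base["hours"]:
                alerts.append(("off_hours_checkout", u, ts))
        elif ev == "logon_failure":
            # Sliding window of failures per target account; brute_threshold
            # failures inside brute_window is treated as a brute-force attempt.
            recent = [t for t in failures[r["target"]] if ts - t <= brute_window]
            recent.append(ts)
            failures[r["target"]] = recent
            if len(recent) == brute_threshold:
                alerts.append(("brute_force", r["target"], ts))
        elif ev == "account_created":
            created[r["target"]] = ts
        elif ev == "logon_success" and u in created and u not in baseline:
            # A logon to an account created during the period, with no history,
            # is the "backdoor account" pattern.
            alerts.append(("new_account_logon", u, ts))

    # "John normally checks out 10 to 15 passwords a day, then far more."
    for u, days in counts.items():
        base = baseline.get(u)
        for day, n in days.items():
            if base and n > spike_factor * base["avg_per_day"]:
                alerts.append(("checkout_spike", u, day))
    return alerts


# Constructed history: john checks out 12 passwords a day, 09:00-16:59, for ten days.
BASE_DAY = datetime(2017, 10, 2)
HISTORY = [rec(BASE_DAY + timedelta(days=d, hours=9 + i % 8, minutes=5 * i), "john", "checkout")
           for d in range(10) for i in range(12)]

# Constructed evaluation period containing one instance of each anomaly.
TODAY = BASE_DAY + timedelta(days=14)
EVAL = (
    [rec(TODAY + timedelta(hours=10, minutes=i), "john", "checkout") for i in range(10)]
    + [rec(TODAY + timedelta(hours=2), "john", "checkout")]                      # 2 a.m. checkout
    + [rec(TODAY + timedelta(hours=11, seconds=15 * i), "host-42", "logon_failure",
           target="administrator") for i in range(12)]                           # 12 failures in 3 min
    + [rec(TODAY + timedelta(hours=17), "john", "account_created", target="svc_backup2"),
       rec(TODAY + timedelta(days=1, hours=3), "svc_backup2", "logon_success")]  # backdoor use at 03:00
    + [rec(TODAY + timedelta(days=2, hours=11, minutes=i), "john", "checkout")
       for i in range(40)]                                                       # 40 checkouts vs. usual 12
)

if __name__ == "__main__":
    for kind, subject, when in detect(EVAL, build_baseline(HISTORY)):
        print(f"{kind:20} {subject:14} {when}")
```

The baseline is deliberately simple (a set of hours and a per-day mean); in practice you would also key it on source host and day of week, and the brute-force rule should fire once per burst rather than on every further failure, which is why it tests for equality with the threshold instead of exceeding it.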
CyberArk Privileged Threat Analytics is a security intelligence system that allows organizations to detect, alert on and respond to attacks targeting privileged accounts. It is designed to identify an attack in real time and respond automatically to stop an attacker from moving laterally to advance the attack. Lateral movement depends on credentials: to reach the next system the attacker needs a credential that is valid there, and to escalate privileges, a privileged one. Because CyberArk gives every account its own unique, managed password rather than one shared across machines, a credential stolen from one host does not open the next, which cuts off that pathway. With CyberArk, organizations can set baselines and create thresholds for anomalies and get immediate notification of true security events, which helps lower alert volume. Additionally, taking advantage of integrations, tools that speak fluently with each other, helps minimize alert fatigue.
For additional details on the attack lifecycle and how privileged accounts come into play, along with common hurdles to establishing the most effective protection, I invite you to view the on-demand presentation.

THINK LIKE AN ATTACKER AND IMPROVE YOUR DEFENSIVE STRATEGY


 | Security and Risk | Uncategorized | 
The CyberArk Red Team is a highly qualified group of industry veterans who are trained to use “any means necessary” – just as an attacker would – to help security operations teams identify and measure which threats they can detect – and which ones they cannot.
In a recent post, we asked Shay Nahari, our Head of Red Team Services, about the process and goals of simulated attacks. In this exchange, we ask additional questions about an attack simulation and his team’s approach. Here are some highlights of our conversation:
Q: How do organizations test internal and external systems, so that the exercise successfully mimics real attacks?
A: If you examine real-world breaches, you can see that adversaries are always thinking – and operating – in terms of goals, such as stealing intellectual property or financial records. With traditional penetration testing, you would have someone scan to pinpoint specific vulnerabilities, such as an unpatched Windows system, on the network. While this is certainly an important vulnerability to know about, advanced attackers simply don’t think like this. They are goal-driven and will try multiple times until they get into the network and on to the path that will lead them to the crown jewels. This is done by hunting for privileges that will allow them to move around on the network. Make no mistake – attackers will get in. Operating under the assumption that you’ve already been breached is the first step in improving your organization’s security posture.
Q: During Red Team adversarial simulation testing, are you asked to breach the perimeter or do you begin the exercise on the inside?
A: While we’ve done both forms of testing, we preach to “assume breach,” so we most often start from within the network, on a VM or an internal user’s laptop, for example. There is always a way to get into the network either through exploiting an external facing device or through social engineering.
Q: In your attack simulation, you created a connection back to a C2 server to carry out the initial breach. What are some of the ways to gain network access?
A: We work to gain access in a variety of ways, such as deploying malicious code in enterprise applications or abusing inherent trust both externally and internally to gain a foothold. Examples include phishing with an HTA file, link or macro-embedded document sent to multiple people within the organization. All of these methods will lead to in-memory execution of our payloads. Once we’ve infiltrated the network, we’ll abuse trust, like credentials, misconfiguration or software vulnerability, to escalate privileges locally. Attackers are lazy – they will usually choose the path of least resistance. Humans are always the easiest option to exploit.
Q: So, attackers will try to steal credentials from a compromised machine?
A: There are multiple credential locations within Windows – some of them are within Windows credential managers, user history, applications and even Outlook. Microsoft has done a lot of work to harden these locations (particularly from v8.1 on), but attackers continue to innovate, and they have found ways to circumvent these protections. If there is a privileged credential on a machine, it’s almost impossible to stop an attacker from stealing it and using it to help achieve his/her goal. That’s why it’s so important to ensure workstations don’t contain privileged accounts within the network.
(Editor’s note: CyberArk Endpoint Privilege Manager helps organizations to block and contain attacks at the endpoint, reducing the risk of information being stolen or encrypted and held for ransom. A combination of privileged security and application control reduces the risk of malware infection. Unknown applications run in a restricted mode to contain threats and behavioral analysis blocks credential theft attempts. These critical protection technologies are deployed as a single agent to strengthen existing endpoint security. It also enables security teams to enforce granular least privilege policies for IT administrators, helping organizations to effectively segregate duties on Windows servers.)
Q: Is there a difference between an external or internal attack?
A: The concept of inside vs. outside is obsolete. We view internal resources as hostile territory. Organizations need to treat their internal network in the same way they treat their external network. Just like you would not put an RDP connection outside, connected to the internet with a weak password, you should not do it internally. At the end of the day, a compromised workstation or malicious insider will lead to the same result.
Q:  What is the biggest deterrent to you being able to move laterally throughout a network?
A: This is relevant to almost every threat actor out there – from script kiddies to nation states and everything in between: Lateral movement occurs after an attacker finds a user’s privileged accounts and begins impersonating that user by using those privileged accounts. In almost all of our engagements, we end up searching and querying Active Directory to figure out who is logging in and from where, in our hunt for privileges. As an attacker, if I cannot access your privileged accounts (passwords, SSH keys, tokens, etc.), my job becomes infinitely harder to do.
Interested in learning more about our Red Team’s research? Check out our Threat Research blog, which features in-depth technical research from CyberArk Labs and Red Team security experts to help you think like an attacker by keeping you ahead of the latest threats.