Interoperability and Intelligence: Two Keys to a Successful Privilege Management Deployment

Good afternoon or good morning, ladies and gentlemen, welcome to this webinar into our ability and intelligence two keys to a successful privilege management deployment. This webinar is supported by beyond trust the speakers today.

Me, my name is Matthias ARD. I'm senior Analyst at a Cole, and I will be later joined by ma J Haber vice president of technology office of the CTO at beyond trust. Before we start some information about a Cole, the webinar, how it's keeping notes and a look at our today's agenda.

First, some words about a Cole, very quick. Cooking Cola as a company has been founded in 2004 is headquartered in Germany with a team of international analysts spread across the world, including the us UK APAC and central Europe. We offer neutral advice and expertise and various areas to companies, corporate users, integrators itself, software manufacturers. And while IM was the original starting point. We are now working in the areas, information, security, GRC, and governance.

And generally speaking, we cover all the important topics in the areas concerning the digital transformation, the business areas. The quick look in research, we provide a wide range of strategic documents and reports, including our leadership compass, comparing vendors and market segments. We do events and we will have a look at that on my next slide very quickly.

And the third area is advisory where we provide vendor independent market expertise to customers again, and end users and vendors ranging from roadmap, advisory, product and technology selection, or maturity assessments, the events, and there's lots to come. We start out with the consumer identity world tour. We would go on that starting in Seattle and September followed by Paris in Singapore, focusing on consumer identity and access management. That will be the next generation marketing executive summit in, in Frankfurt in 2018 February.

And we, again, plan to have the digital finance world, which was very successful before. And it will be also in Frankfurt in February to March the guidelines for this webinar. We are all, you are all muted centrally. You don't have to mute. I'll mute yourself. That is something that we control. We will record this webinar. So the podcast recording will be available tomorrow alongside with the slides. And we will have a question and answer section at the end of this webinar, where we can answer all your questions that you have, and that may arise during the first parts of the webinar.

And if you look at the agenda, we will find that again, we have a threefold three, an agenda divided to three parts. And my part is the first part that is a big picture for a privilege management blueprint then ma will join us for a more, for a more in depth view, into designing and deploying a unified and intelligent privilege management solution for the real life. And the third part will be questions and answers where we can answer your questions in a discussion.

And every part will be around some 20 minutes so that we end up with something below 60 minutes, one hour, and you can enter your questions during the complete webinar in the questions panel. And we, I, I asked you to please do so that we have a good set of questions to start with at the end of the webinar, with the part three, the questions and answers. So that's it for the introductory part. And let's start with my first part, the big picture for privilege management blueprint, which gives a, a rough overview over the area and where we are as of now.

And if we talk about where we are, as of now, we talk about the privilege management reality in many organizations, we say PX, and because some people say privilege, access management, user management, account management. So the stands for every possible aspect of the middle initial in there. So the good thing is privilege management is nothing new for many organizations. First steps are made. So traditional access management of access governance are in place. Privileged management is understood as a key requirement, which is of importance.

And usually there are project driven approaches to protect some highly critical applications. And these systems that are identified as critical are usually already protected through privilege management solution, but this is in many organizations, still the case. So there is room for improvement regarding the maturity. So we have lots of open questions, issues, problems in that area that needs to be that need to be solved.

And here are a few of them which range from technological aspects to organizational aspects and the overall design of an, a corporate wide infrastructure for privileged management. So it all adds up to, there is no integrated overall strategy for privileged accounts, and that is something that we consider as very important. And that is something that more will show us later on that there are also products, infrastructures, architectures, which look into such a overall integrated strategy. So how can we improve from there?

One good approach is to start with a risk based approach, to identify priorities and to have a step by step approach towards an a privilege management. And if you look at that, we will have, first of all, the requirement to have reliable, stable, trustworthy identities and entitlements available. And that is something that is happening in traditional identity and access management. The next step would be local privilege management.

So the, the management of the local access of privileged users and shared accounts, the typical local admin is an important access that's that needs to be maintained on top of that. The next step that usually people try to achieve is privileged management, a privileged session monitoring. So that once there is a defined process for getting to sessions in, in a privileged system, that these systems are adequately monitored so that people can really approve if you've proven evidence of what has happened during the session, including session recording.

If we go one step up within the priorities list, then there would be something that helps in, in automating in, in getting to a more efficient approach towards session monitoring that is anomaly detection. So we identify something that is normal so that we can help identifying what is considered not being normal, which is an anomaly that we need to detect. So we are really looking at user behavior and that might also be of course, privileged user behavior. The last point that people want to achieve.

And that is proposed probably a later step is meaningful audits to get really, to the information that you need to provide meaningful audit information to regulators, to internal audit or external audits. So really understand what is audited and why some, some people want to have access to that and then give them what they want to have access to. Another dimension of that is what we consider the evolution of privilege management. These products are around for quite a while, and they have evolved from traditional product offerings, which are displayed as of now.

So it's the typical functionality that we consider as related to privilege management. And it starts with identity provisioning into, into systems, but it also includes application privilege management and password balls to make sure that passwords and SSH keys are stored adequately privileged, single sign on enterprising sign on, and a general access governance.

There are all aspects that are typically covered here, but if we look into recent developments of privilege management, other aspects have been added also to privilege management products that includes adaptive authentication so that there might be the requirement to, to step up the quality of an authentication process in case some more critical operations are trying to be executed session monitoring and recording has been mentioned before, but this is something that has been added recently and also session monitoring and recording is something that ends up in privileged user behavior analytics so that we can really apply the access governance access analytics methodology also to, to privileged access on top of session, mandatory and recording.

And the last point that is to the, to the below privileged elevation management is also the, the inclusion of the, the possibility to increase or reduce access rates dynamically. So these are trending topics that are added to privilege management quite recently. So the product scope of privilege management has changed as well, as well as the requirements have changed. And as well as hopefully the maturity changes of organizations deploying privilege management. If you look at that from an, from an architecture point of view.

So from an architectural landscape point of view, we have core features which are included in many of these products. And they include as mentioned before, shared account password management and session management for ranging, from monitoring to recording to forensics. And these are more, more complemented by additional features that include some of the features that I mentioned before.

I don't read them out again, but that means means really that applications providing functionality for privilege management, constantly evolve and add additional functionality, for example, application white listing on endpoints, because what happens on the end point might also be interesting for, for the overall privilege management and the analytics on top of that. And the second part is those landscapes also include the, the topic of integration privilege management is not only a standalone solution that works on its own and has a, a limited scope, but this is not true privilege.

Management needs to be well integrated into an overall enterprise architecture that goes beyond the pure privilege management or pure IAM. It also goes for example, to the aspect of lock management scene and RTS, I realtime security intelligence taking part in the security operations center and lots of more possibilities to provide information from the privilege management into further connected systems. One aspect that we consider very important is that we apply the key security by design principles.

A concept that has been has been presented for for many years, which is also underlying principle of the upcoming GDPR, it's called security by design. And there are a few main principles implemented or, or included in the security by design that we consider as relevant also for, for privilege management and deployment within organizations in general. So security by design says, reduce your attack surface.

So make sure that there is only a little entry point, and that is something that we of course find also in the concept of privilege management, where privilege management and the system itself, a jump post or another application providing access to critical systems is the only way to get to privileged access to systems security by default, make security simple that are all aspects that can be directly mapped to concepts and functionalities that are implemented within privilege management systems.

And the idea to have secur segregation of duties also implemented within a privileged management system is something that is very inherit, very inherent to these systems to make sure that privileged access is as good governed or as well governed as privileged access or access in general is, is maintained in, in business applications or other technical applications. So the, the last point that is on the left list is constant improvement. And I think that is very important for privilege management as well.

So to understand what happened during a former security issue or a, a former data breach can only help in improving the information as it is used for privilege management as well. So to really understand what is required to prevent something like that, that happened last time from happening again. So learning from earlier phases feeding back to constantly improved detection is something that is very important also for privilege management in general.

So I I'm already coming to my final slide and that actually sums up also the, the, the title of this, this webinar, because we think the, the next generation of a privileged management architecture or design is something that includes two major aspects, not the only important aspects, but to real important major aspects. And this is interoperability as mentioned before and intelligence. So if you look at interoperability, that is something that I touched upon before, but this is really of importance.

Privilege management plays a key role in, in, in modern system administration and system security. So that needs to be well integrated within an existing infrastructure and systems that people might not have considered in context of a privilege management before. But this is very important to get this connection made. So the integration to cyber security is something that I mentioned before, the integration to sea and R TSI is of course of importance. There's valuable information available within privilege management. And of course that is something that can be used there as well.

Detection detection of attack, vectors of actual breaches that can be considered in cybersecurity approaches in general, the cloud is something that needs to be well integrated into privilege management as well, because more and more infrastructures are deployed in the cloud.

And so privileged accounts in the cloud need to be managed, ideally just the same way as they are managed within the traditional on premises, privileged management, the, the management of managed service providers, people who are managing your systems or their systems on your behalf, maybe even on your premises as well is something that needs to be integrated into privilege management. And it's a strong factor for many organizations looking at privilege management because they have MSPs in their own data centers.

And that is of importance, the support for IOT, the devices and the access to devices and from devices is something that is highly important when it comes to interoperability with privilege management. And as mentioned before, of course, the integration with IAM and beyond also the customer identity and access management is something that many organizations are currently looking into because the overall architectures are changing with the cloud, with customers coming into the processes and being active identities in these systems. So integration with IAM and beyond is of course of importance.

And the final thing is more and more with more regulatory requirements being imposed on many organizations, strong audit features, and the integration with general GRC tools, auditing tools, lock collection tools is something that is of high importance. So this is the first of the two aspects that we think is are of high importance that is interoperability. So privilege management. It's really something like a spider in the middle of many connected systems and playing nicely with all these systems providing information to these. And the second part is intelligence.

I've mentioned that in my former slides as well, but just to sum it up here again. So we start out with traditional access intelligence. This is something that we have in, in commercial off the shelf business intelligence, tech intelligence technology that is already there, but this is typically very rule based, very, very, very static. And this is something that helps you in, in, in creating good reports.

It's go, it goes beyond reporting. And one important point is of course, to identify critical entitlements and to understand what is actually going on in standard systems. This is something that you get from, from, from various vendors and various systems. Next step would be then really some user behavior analytics to go one step further to really understand what is going on and what that means and what that, what the reasons for, for that could be.

For example, identifying anomalies, as I've mentioned before, in the usage patterns, if somebody changes the, their, their behavior just dramatically, that might mean that the usage patterns might give a hint that actually not that person is using that account, but that it's being impersonated by somebody else. So hijacked accounts, and also inside the attack might be still the right person, but the person is doing something it did not expect them to do so. Privilege management can really help also in user behavior analytics and the final step would then be privileged threat analytics.

So really understand when it comes to the, to the privileged accounts, combined with network threats and security threats in general, that you can really understand which privileged accounts are behaving in a way that they impose potential danger to the organization, to the data, to, to many aspects of the secure systems in, in general. And of course that again, hints at hijacked accounts and insider attacks, but these are in that case, then actually highly critical accounts and highly elevated access rights.

And that is something where privileged threat analytics also based on, on the so-called big data analytics mechanisms that help in identifying also yet unknown usage patterns that might hint at anomalous behavior. That is something that is of big importance.

So again, we, this is the second part of what we think is of importance and intelligence really helps administrators and systems in general to improve the overall quality of security by applying intelligent algorithms also to, to threat analytics and to privilege management in general. And with that having said, and, and pointed out that interoperability and intelligence are two important aspects of the overall privilege management of a next generation.

I would like to, to hand over to more J but just as a reminder, in case you have any questions regarding my talk and the talk that that ma will now present, please enter your questions into the questions panel of the go to webinar software so that we really have a good basis to jump into the Q and a session right after MA's presentation right now. So I would like to hand over to ma Thank you Matthias very much. Appreciate it. Good morning. Good afternoon, everyone.

I'd like to talk to you a little bit about beyond trust and how we can help solve the problems that Matthias has outlined in his presentation. He actually covered it really well in terms of core intelligence, interoperability, but I wanna step take a first to step back as to who is beyond trust, what we believe in, and really the problems that we're trying to solve in everyday business that we need to think about first. It's one thing to understand. We need identity and access. We need privileges.

We need session, but why after all of these years, is this becoming so important because the space has been around since practically the early eighties, beyond trust as a company delivers cybersecurity software, focusing on privilege, access management, vulnerability management, and threatened behavioral analytics. Well, Matthias talked about core. We'll mention how core is so important to privilege. It shouldn't just be about passwords. It shouldn't, shouldn't be just about least privilege or active directory bridging or change auditing it.

Shouldn't be about just running a vulnerability report and then giving it to another team to patch, because we already know based on the latest ransomware breaches that's not working, how do we make core these two fundamental technologies so that you can make decisions on privileges based on the risks of assets and applications and other nuances in your environment that would tie into governance or SIM solutions.

And then looking at that needle in a haystack, threaten behavioral and analytics to help you understand intelligence, whether it's explicit time-based behavior, something that's trending over a vast period of time, or even helping you to conduct threat hunting, finding that adversary within your environment. Who's been there for a long period of time, and you just don't know about it. So let's talk a little bit further about first insider threats to date, the worst insider threat most companies have ever experienced.

Just hit the news again yesterday with Petya, you might be asking, how is that an insider threat step back as to how Petya and wanna cry have become so successful. It was the breaches themselves at the NSA that revealed zero day vulnerabilities, eternal, eternal blue, and double pulsar leaked via vault seven and shadow brokers that now have been weaponized by threat.

Actors turned into ransomware and now used on the outside the insider threat of someone in the, the organization, within the NSA, stealing that information and leaking it out is why we have so much trouble today with ransomware of those two classes. Now insider threats can be intentional unintentional. They can be completely malicious. Most of the time, it's someone that doesn't even know they're doing something until it's too late, but it could also be the person that's leaving the organization that wants to steal information for their next job.

But privilege abuse was behind 81% of insider misuse incidents, according to Verizon, 2017. And that can be anything from excessive privileges to passwords that are reused to attacks and accounts that were hijacked by users. We have to understand that insider threats represent the biggest problem because something as simple as one person stealing sense of information from a government, I know that sounds crazy could turn into the ransomware that we're dealing with today. It leads us to the external hacking problems.

Well, ransomware is a great problem, but we still see this every day, whether it's the swift network compromises, whether it's compromises of ATM machines, doesn't really matter. This is an outside adversary, an outside threat actor, attacking our resources with web applications, fishing, ransomware, and other techniques for nation states, for activism as a part of crime rings. Their end goal normally is disruption and money here in the us. We're talking about it every single day with potentially a nation state that tried to hack our last election.

It's not something we're all fond of, but we also know it's occurring in other nations as well. The point is, is external. Adversaries are after our systems and almost every attack vector needs privileges in order to be successful. There are very few that don't maybe a sequel injection, but then you could argue, you know, the tables weren't properly secured, almost always need privileges.

You need privileges in order to move, you need privilege privileges for lateral movement to run programs that you shouldn't to access a database or even scrape memory privileges are always a part of it, even external. And it's one of those things that external actors need in order to be successful. Then finally, the hidden threats, this is where threat hunting comes in, where a threat actor may have a persistent presence in your organization. It could also be due to an insider slowly stealing information and leaking it out.

It's what's going on in my organization that I just don't know about many times it's behavioral. It goes back to Matthias conversation about intelligence. We need to know what we don't know. We need to find that in a haystack, we need to look at patterns and unusual behavioral patterns to find those hidden threats. Because even back to 2015, average breach time was 256 days. Hasn't changed much in modern time. That means those threat actors are within our organization doing something malicious. We just don't know anything about it.

Now, if you take those three scenarios, they boil down to three use cases, employees and other insiders have unnecessary access straight up, too much privileges. You gave admin privileges. You shouldn't, ah, just give them access to that. They can do whatever they need, but what else do they have access to? And that doesn't matter if it's an employee, a vendor or contractor, did you even revoke those privileges after they did their tasks? Are you performing any type of, at reporting to see what they did or see what access they do have?

Part of that is identity and access government governance. Part of that is privileged access management, because many applications don't have fine grain controls. So you have to layer privilege on top of identity and have them work really close together to be able to solve this type of problem.

Now, if you think about your own privileges, your own rights, or even your boss, should your boss be an admin to the mail server? Probably not. That's for special team. Should they be an admin to office 365 or box or anything else? Probably not. We generally give more privileges than we should. And we have to start thinking the other way, only giving it when it's needed and making it, making it accountable for what they have and when they have it. The second is credentials are shared and unmanaged simple example. We deployed a ton of routers, ton of switches.

We made the same route and admin password on all of them. It was easy, right?

Should it, everyone should be different. They should not be shared. They should be not written on a post-it note. You have to communicate it to somebody else. They should be rotated. Passwords are your passcodes. They're not meant to be shared. They're meant for your usage. They're tied to potentially something you or a threat actor impersonating you could do malicious. So we have too many cases of credentials being shared, especially password misuse and reuse, whether they're using the same password in a public account, personal account government account work account.

Look at what just happened to parliament early in the week, up to 90 parliament members attacked with week passwords. I'm willing to bet those were not dictionaries. I'm willing to bet they were password reuse. Think about that. Think about in your organization where you have those individual problems. Finally it assets communicating unchecked. I have to go back to ran somewhere on this one. Petya and WannaCry are perfect examples of this.

Now Petya, according to some of the analysis that I've seen overnight used eternal blue to propagate also had malware and PS exec to scrape memory and look in the disc for passwords and propagate the systems that were even patched by running PS exec with those admin credentials. Why should a user be able to talk to a server directly without a firewall, right? Why should a end user's mail station be able to talk to an OT, ICS or I OT environment, or even I, I OT environment. We have to learn that our networks should not be as flat as they used to be.

The worms that we used to experience 10 plus years ago, unfortunately are back. And they're gonna come back with a vengeance, going back to our insider threats. If shadow brokers does release more zero days every month, and now they've doubled the ransom up to $200,000 to, you know, basically see what's coming, I'm willing to bet we're gonna get more worms. Whether they're RDP based or others, we have to segment our networks to stop these things. We have to make sure our perimeter are solid.

The concept of saying the perimeter is gone is true with mobile devices, but what still remains inside the perimeter or what side we deploy in the cloud truly, and really needs to be segmented off with proxy access. CASBS when needed verification of API calls.

I, I think the list just goes on, but what I'm stating here is flat open networks really need to keep, keep under control. Now speaking from the beyond trust portfolio perspective, we could look at this sample attack, kill chain. Typically there's some form of reconnaissance or weaponization of that reconnaissance. You're going to deliver a dropper payload, phishing, an exploit for a web application, and you're gonna install something. Now that installation doesn't always have to be a program. It can also be native commands in an operating system to do reconnaissance.

We've seen file list ransomware and file list reconnaissance using native tools. But basically whatever someone gets into or threat actor gets in an organization, they need to be able to instruct what to do, automate what they need to do, or send something back to get. Let's say the key for encrypting the files and ransomware or command and control where to continue lateral movement and then proceed their malicious activities. This translates into the external hacking insider threats and hidden threats. We just spoke about pretty straightforward, external hacking.

What's the easiest way to protect against it. One of the best security, basic hygiene practices, vulnerability management, and patch find where you have holes, patch them. It's a wonder that Microsoft released those patches in March and they were still systems today or yesterday that we're not patched. Even going back to XP, we could identify 'em with vulnerability management. We could assess them. We could automatically patch them. Why aren't we doing best practices? This is part of Pam in a crazy way, even though it's old school, because many vulnerabilities just run as user.

When exploited, if they're even exploitable, very few vulnerabilities can exploit and raise privileges to root. So controlling privileges and vulnerabilities go hand in hand. It's the rare occurrence where an exploit can gain privileges that we have to worry about.

Now, those insider threats, we covered. Most of that in those use cases, too much credentials, shared credentials, too much privileges. This is where we go under the privileged access management and an identity access management umbrella. We wanna see what people are doing. We want a session record. We want them to come in as the lowest form of privileges needed, but if they have to run MMC or big fix or TW can or QuickBooks or portions of SAP or modified Oracle tables, we'll give them the privileges that are needed, but document everything they did.

That's not only for the security of the system, but when an auditor comes in and says, Hey, someone was running privileges against these tables. What did they do? You have proof that they didn't link the information. It wasn't copied out considering the ramifications of GDPR and new governance that's coming across from Australia, that sensitivity of an information and privileged commands that it can extract it, that session recording and that privileged monitoring allows you to keep an eye that it wasn't misused.

And then finally, under the hidden threats, we're talking about analytics, we're talking about that low level risk of user behavior, that needle in a haystack again, what did they do? When did they do it? What trends did they follow? Did they do something out of the ordinary? How do I find it were their local accounts used versus active directory bridging where there changes in the software profile or ports open finding those hidden threats again is not only user behavior based, but it's the characteristics of a system.

The gold disk perspective that we used to use or talk about for vulnerability applied to user behavior. For example, user X ran privilege commands X, Y, and Z. The system now has a different profile with software reports or even processes. What was the risk that was introduced correlating that helps us identify the hidden threats. Now beyond trust does this in a beyond insight, it risk management platform, a single platform for all the privilege, access management, vulnerability management, and threat analytics. This ties very closely to the core recommendations.

Matthias talked about having a single component, a single framework platform that does the fundamental work from reporting to asset discovery, to grouping, to user management, whether it's local or integrated with ad or LDAP to third party integrations of IAM and SIM and next generation firewalls, or even threat intelligence.

Being able to bring all of that data together with patented integrations between password safe, lease privilege, active directory, bridging and auditing, and then managing that with vulnerabilities as well beyond trust does all of this in a single platform, the beyond insight, it risk management platform. This is very important to our message because all of these solutions can be deployed as a single vertical or integrated in the platform to solve those core problems for privilege and pretty much give or take a little bit fall under the best practices, outline that Matthias indicated earlier.

So when we start about a privilege to access management overview, we wanna do something when we implement that is gonna solve the problem for privileges. It's the goal, right? Fundamentally we know we need to do something for passwords. That's gonna be less cost. It's not going to introduce a more difficult workflow. It's not going to place a burden on administrators or end users to work with. We need something that's completely integrated, such that I can use native tools or even custom tools for RDP, SSH scripts, so that my entire portfolio or your entire implementation of Pam is covered.

Now, when we talk about Pam from a trust perspective, we wanna make sure we understand, or you understand that we're talking about any platform, Unix, Linux, windows, or Mac. We want to make sure that you understand this can be cloud on premise or even MSP based. And we also want you to understand that you're not looking at company a for list, little module and company B for that little module, you can license them all together as a part of the platform, or even stand them up in silos as best to breed.

That's truly your choice that encompasses password management, lease privilege ad bridging the session, monitoring the user behavioral threat analytics at intelligence and advanced reporting. Now let's start with basically the basics of password management. We can abstract ourselves from beyond trust here and just take this as the best practices for password management you can, or where you want to want to deploy a solution that is as flexible as possible. That normally means agentless. You can use agents to get a deeper dive, but you want something.

That's gonna sit in the middle, provide the proxy technology for password management, rotating check in checkout session, recording APIs to do the work without affecting other production systems or even systems that you may not even be able to modify. That includes ICS, OTT, et cetera. So think of password management as a black box and appliance with high availability, working in the cloud from a marketplace or on premise, that's going to do password rotations, check in, check out at a station session, recording application to application calls, everything that you need.

That's what password management is about. It's not the end user typing in a password and storing it somewhere for later. Retrieval. There's really no, not much difference than them writing it on posted. It's just doing it electronic, but having it rotated where the end user never knows it never sees it. And every time they do use it, it gets changed or they do need it. It requires a manager's approval. And when they're finished, it gets changed automatically. That's password management.

There are tons of solutions out there that enterprises are using for personal use on, you know, your work computer here, store your passwords here. That's not what we're talking about. We're talking about making it difficult for the threat actor to guess find and have a persistent presence because the passwords are always changing. They're never shared they're complex and they're not subject to brute force or even something humanly legible because they may be 128 characters long and have even foreign letters in it.

Something to consider server privilege management is truly about Unix, Linux and windows server. This is everything in the least privileged side to saying, I'm going to allow an administrator or help desk to come into a server. And I'm not going to give a admin rights. The question becomes, how do they do their job? You specify what they have access to for windows. It would be something like services. So help desk could cycle a service for a database admin. They might have full control of Oracle, but as soon as they start running commands, everything gets recorded in an dialogue.

All their scripts are checked for malicious commands. Everything is documented. Everything is searchable and everything drives that user behavior model that we talked about before.

Now, there's one thing about this that makes it a little bit more complicated and that's DCAP data centric, auditing and protection. When you do give admin rights to a box to a user, whether that's through password management or even server privilege management, they have access generally to the file system or can run commands that would give them control or ACL control to the file system. This is where file integrity monitoring becomes so important file integrity.

Monitoring is a part of a decaf strategy, protects the files and the file system separate from the operating system and the privileges of the applications. So if you give admin access, they can't extract the files. You keeping that permission model locked together, but operating separate, you have to make it simple. The end user should never know that this is occurring, knowing that, Hey, I'm not gonna allow them to run this command because there are vulnerabilities until it's patched, because if they do, you know, I, I might be exploited true for windows.

I'm not gonna give Adobe Acrobat admin privileges or certain other programs, admin privileges, because I know of threats in the wild. All of this should be brought back, analyzed keystroke, logged, and brought into an intelligent reporting system and threat analytics. Now the end user problem is a whole different mess. We gotta deal with windows going back a long time, and we have to deal with Mac potentially going back for a long time. If we look at our recent ransomware propagations, we just discussed that they were using eternal blue, double pulse SAR, scraping memory.

How do they get to the next machine? Not patched known vulnerabilities and admin access?

Well, end users should never be logging into the machines as an admin. That's one of the first steps we must do is remove all those rights, but we hear the complaints. I can't change my background. I can't change my system clock. If you use least privileged tools on the desktop correctly, they can still do it. They won't even notice the difference. And then when sensitive programs are run, let's say help desk remotes in to check a certificate. You do that same type of session recording and keystroke locking to look for bad user behavior.

What we wanted to do is get rid of admin rights because most malware needs admin rights to install. Most malware fails under application control. We've seen this for years as well, but why can't application control be a part of privilege as well will give privileged access or even strip out all privileges, but still let it run just to satisfy the task, making it simple accountability, understanding what risks from vulnerabilities or other threats may be present when giving privileges, getting, reporting all of that.

But most importantly, it's gotta be completely transparent to the end user or with minimal changes to their workflow. Because if you make them jump through hoops, they're gonna push back and at least privileged solutions gonna fail, or even the removal of their own admin rights, the tools from, you know, beyond trust, we can help solve these problems. And finally, vulnerability management. I mentioned basic cybersecurity hygiene before how important it is, it's that important? We're not doing it well.

We've had this for years, going back to 1999, actually when first vulnerability management tools came out, retina and S we have the reports, we just don't do anything with them. We have to patch everything. The days of only patching servers not gonna work anymore. We have to patch our endpoints. We have to do it for third party applications, and we have to do it in a timely manner, but it starts with vulnerability management, understanding the assets that are out there regardless of type desktop server, IOT infrastructure, doesn't matter. What are the known vulnerabilities?

What is the recommended mitigation and using tools like vulnerability assessment scanners to prove segmentation is enforced and lateral movement cannot occur from one segment to another. Now from ATRA standpoint, we've talked a lot about endpoints, hidden threats, risks, etcetera. We partner with a lot of vendors to make this all work, everything from sale point and RSA and Oracle for identity and access management, threat intelligence, SIM solutions for taking all of this data, all of this aggregated data and extracting it out.

Our platform can also ingest data from data from McAfee QS, rapid seven, as well as we're in the marketplace for Azure and AWS. And soon to be Google with the entire solution set, this data should never remain an island. We want to know as much about user behavior, process it as best as we can, but make the data available to many other solutions, inbound and outbound in order to get the best use or best intelligence out of it. In the end.

Now, at this point, I'm gonna turn it back to Matthias and our manager for the call and ask if there are any questions, Thank you, Mari, for that great presentation was great insight into what you're doing. And it really was the perfect fit for what I presented. And it did go far beyond what we, what we talked about, what I talked about. So that was really great for our, for our participants. We are now moving into the Q and a session. So please make sure that you have provided all your questions through the questions and answers panel in on the screen.

We have already some, some great questions here. So let's, let's start with them. And funnily enough, many of them are about integration.

So, so maybe I, I start out with one question for Mai, and that is the topic of cloud. You've mentioned that slightly, but how do you, how do you integrate with cloud when it comes to privilege management? What is your approach towards, towards privilege management in the cloud? Is that an integrated approach as well? That's a really good question. Matthias. I think you highlighted the importance of cloud in your part of the deck.

And we recognize that as well at beyond trust, we have a three-pronged strategy for cloud into the cloud on the cloud and out of the cloud, we'll start with in the cloud itself, we offer our platform, the entire platform, as I mentioned in Azure, AWS, and soon to be Google, that means it uses, bring your own licensing from beyond trust. You pay for the runtime and you can run the platform in the cloud, into the cloud. We use connector based technology.

This allows us to numerate instances that are powered on powered off for IBM Rackspace, go grid, AWS, a variety of others, so that you know what to target for privileged access, you know, what to automatically put under password safe management. And then out of the cloud, we host our vulnerability assessment scanner for privileged, for scanning external addresses and web applications. And you'll see announcements very soon for our brand new offering for privileged access from the cloud.

Basically a password manager that will help you manage passwords and also provide break glass scenarios for you as well. For cloud environments. This is all complimented by dynamic licensing and other tools that we have to help facilitate privileges in the crowd cloud and securing those assets.

Okay, great. Thank you.

So, so the, the, the very modern new shiny cloud world is covered. How about the old fashioned ICS operational technology side? Is this something that you're looking at as well in the same manner We are? And this is a little, this is a little scarier in some ways we've Al we've always had on premise technology, it's been available software virtual appliance, physical appliance and ICS technology from a vulnerability standpoint has been covered for many years in terms of SCADA and the control systems have been Linux or windows.

When we talk about OT or ICS, we're just talking about embedded baked versions or more hardened versions that are managing SCADA or other dumb, I, I O T or O T devices. So the answer is yes, if it has an API or has SSH capabilities for privileges, we can definitely manage that today. We've done a lot of work with power generation companies. We've done a lot, lot of work with individual vendors like Siemens and a Bradley to make this happen.

Don't think of those as specialty devices, think of them more like embedded operating systems or slim down operating systems, as long as they have forward facing controls for password management or access APIs se SSH cetera. They can be placed under management in the same way. And beyond trust has specialty tools, basically user defined tools that they can create their own connectors to these technologies without us going back and you burning development, do dollars to custom create them.

There's basically a model within the engine for you to do it yourself, or ask us to do it as a part of parole. So the simple answer is yes, we can handle it. Okay.

When we, when we think about endpoints, we are usually thinking of the real hardware machine that people are carrying around either tablets or notebooks, or even stem real desktops. But how do you handle these virtualized versions of desktop, some Citrix solution or VMware workspace, one, something like that. Is this something that you see in reality as of now, and is this something that you integrate with as well?

Yeah, so think of it as two ways. When people first started talking about the cloud, they said, we just treat it as an asset. And then when they forgot all the unique characteristics with virtual desktops, VMware or Citrix, think of it as, yes, it is an operating system, but it has unique characteristics. Like every time you reboot it, it's gonna be refreshed or it may have privileged access. It may not, or it's being used as a jump server to go to the server room. So you have to consider things like two factor, user behavior context aware before you grant access.

And before you grant privileges, there's a lot of very defined use cases as to how to secure those properly beyond Trust's agent technology and password safe technology can work and does work very well in those environments to help understand the context, the location, the two factor, the workflow, making sure a ticket through service now has been published and make sure that that workflow is secure versus going, oh, I have a key and I have two factor. I can hit my Citrix box from anywhere.

That's not a good idea, so we can help secure that, that that's that access, or even the supply chain for vendors to make sure that that does not become a privilege problem for you. Okay. Thank you.

One, one thing that I mentioned in my slides, as well as they first, the first priority, or the first prioritization step was IAM identity and access management. And, and you mentioned that as well as you integrate with these solutions as well. If we step one, take one step back dividing line between classical, traditional IAM identity and access management and privilege management and the interation between both.

How, how would you describe this in, in general when it comes to, to the solutions that people create with your products or any other privilege management products by understanding what is IAM? What is privilege management? What makes privilege management necessary or is there not dividing line? There is a very firm dividing line, but think of it as a very thick gray bar privilege, access management or P XM, as you defined is a subset of IAM. When you have a human carbon human based life form identity, you are assigning them accounts. Those accounts have access to do things.

However, those things may not have fine grained privileges. So if you grant administrative access to again, go back to a window server, you're an admin. You can do anything, but what if I wanna deny certain things or let's say, I even give you guest access, but want to elevate certain things, native operating systems from Unix, Linux, and windows do not have that fine grain control, nor do they have the capabilities simply to record everything. This is where that big fuzzy line is. I need granularity to get to privileged access management.

Now, Microsoft is introduced to tools like gap blocker and device guard. They still don't go far enough. They don't do anything for file integrity monitoring. They have nothing like keystroke logging it. They just don't. But they do have things like lapse, which justifies Pam in the first place. So think of it as, yes, I need to take an identity, translate it to an account, and then I need fine grain controls. That's Pam identity and access is the translation of the identity to the account. And that's where the workflow with any integrated IAM vendor and Pam vendor is so important.

It's not only the access, but it's the fine gain controls. And then ultimately what that user did with those controls. Okay. Where would you draw the line between a highly privileged business user and a highly privileged admin user? Is there a dividing line?

So, so when somebody in SAP has, has highly elevated access rights, is this something that you would consider to be an I issue or a, I would consider that to be both. So the reason there's a differentiator here is taking SAP or Oracle or any other tool set that's at to the application level. Think of it this way, break it down by the OSI model, you know, learned it in school. Part of our CI S S P tests break it down that way. When I talked about data-centric audit and protection, I was talking the lowest levels of operating system file system file.

When we're talking about IAM, we're talking about an operating system and application, but what that is inside of that application, if the insides of that application don't have permissions or no easy way to access it from another identity and access, we then rely on Pam. So that administrator is not the same as the power business user. Okay. Okay. Thank you. Thank you for sharing that insight. There are some questions left, but I think we are getting close to the end of our webinar today. So if there are any other questions left, please feel free to contact ma or me by mail.

And, and to, to share our, your questions with us, I would like to thank ma for these, for this great insight into what they're doing. I on one hand on beyond trust, but also taking the step back and sharing their best practices and their experience, and really their knowledge for organizations currently working on privilege management. That's great. Yeah. We would be happy to welcome you in any, in another webinar soon. And I'm of course, looking forward to meeting people, you in person at our events. And that was really a great session.

Ma do you want to, to say some famous last words before we close down the call, something that you want to share with the audience as well? Not really Matthias. Just wanna thank everyone for attending today. And if you're looking for more information, please visit us@beyondtrust.com or just send us an email at sales@beyondtrust.com. And we'd be happy to get back to you, which everyone a great summer. Thank you. Yeah. Great. Summer is a good idea. Thank you very much for your time.

Thank all the participants for taking their time and for sharing their questions with us and for your participation. Have a great day and bye-bye.