Joseph Carson: Your Journey to Privileged Access Security Maturity and Success

So, as I mentioned, you know, my name's Joseph Carson, chief security scientist at dichotic Centrify, and I'm gonna be talking about your journey, helping you really take it to, you know, the privilege, access security, maturity, and success. So I'm really excited to kind of share with you some of my lessons and experience with you today. So the first thing is I, you know, I always get the question why, why even do privilege access security?

Why, you know, why should it be a priority? Why should be something you should do immediately? Why should you do it in the next three months?

You know, I hear the question. We don't have enough budget or it's, you know, we don't have enough resources or something that, you know, we're thinking about it, or we have deployed it in this one area, but, you know, we're planning to, to, you know, expand it further. We're at the point now where the threats are so serious, you can no longer wait, you must really prioritize this and you must take it seriously because you know, the threats are real, you know, there, I see as a ethical hacker and an instant responder, I respond to many different incidents.

And I always see that, you know, the impact, how organizations can have serious damage resulting from whether being financial fraud, whether being a cyber criminal, gaining access to an executive's email account, and then sending a email to the financial department to transfer funds, or whether being, you know, somebody who clicked on a fishing email that ultimately deployed ransomware. I see the impact. I see the individual sitting at home who, you know, who clicked, enabled their computer to access remotely. And all of a sudden became the victim of rands smart, losing 30 years of data.

Their entire photograph history is now gone of all their family pictures, history, children growing up is completely gone. I've seen businesses become victims of ransomware and loads, an entire years of value and data. Let's make sure that that's not you. This is why it's such an important priority. And ultimately, you know, why does it happen? And we look at, you know, this is coming from things like the Spen the Verizon data breach investigations report. It all comes down to poor access management, insecure applications, misconfiguration of cloud stories.

We saw even recently, another developer having their cloud stories completely open were researchers able to actually extract gigs of data, including, you know, intellectual property, hard coded passwords, the actual code itself, really exposing and putting it through all of their customers. We see continuously overprivileged users, employees ensuring credentials and passwords being the only security controls. This is something we have to stop this today. We really have to take a pause and think about how can we reduce the risk? What can we do?

And many of these all result from the attackers want to gain privileged access and every single time in the ransomware cases, almost all ransomware cases I've been involved and looked at and investigated all started with basically the attacker gaining access to basically a standard user and being able to elevate the rights up to full domain administrator. We're seeing ransomware becoming more hands on the keyboard, where they're actually not only about deploying the ransomware and actually, you know, disrupting the services, but it's also about stealing the data.

And this means that you know, that we really have to not just look at privilege access and privilege accounts as being the domain administrator. That's not what it is today. We're seeing privilege access and privilege accounts really becoming that it's all entities are not privilege.

It's not to say that they're all equal, but it means that basically anyone who has access, whether it being help, desk workers, you know, third party contractors, whether it being your internal employees or whether it being service providers, even non-human accounts, such as applications and service accounts, robotic process automation, all of the things that really need to have connectivity, whether being network resources and access to data. This is really critical.

And we have to treat all identities as privilege, but it means that we have to look at them from a different perspective, a risk-based approach to making sure that we actually apply the right security controls and reduce the risk. And for many of them they're all protected with sometimes a simple password. We can look at some of the, you know, even recently, one of the biggest supply chain breaches in history, all resulted from a per individual, choosing a poorly creative password to protect a GitHub repository. This is what we have to move away from attack.

We're making it too easy for attackers to gain access. And we have to really basically look at my job is really to make it as difficult as possible. So what things can we do to reduce the risk? What can you do to reduce the risk? And it's important that we actually do it today, and it means that we have to do it across the board. We cannot do it for one account. We can't just say that the domain administrator account we're using privilege access security, and we're protecting it because basically I've seen the ability for attackers to actually gain access to local administrative account.

And within only a few hours elevate up to full domain, even if it's only the domain account that's being protected, you must go beyond, you must get all accounts to be protected with privilege access security. And this really means that fundamentally focusing at entities, being the new perimeter, I'm based in talent Estonia, and here, the government really seen that in a digital society, entities are fundamental, but in the businesses and organizations, identities are critical. It is the new perimeter. And we have to think about, and it's not just about human identities or digital identities.

This really goes beyond into applications into cloud environments, develop repositories into even artificial intelligence into basically anything that needs. Connectivity needs to have an identity to provide identification for verification, authorization authentication. So what is, what is fundamental? What is an identity? And we look back at the Latin terms, it's the existence it's about being it's existing. And also identity is about repeating the use repeating and, and using it over and over again.

And when we look at this from a digital perspective in the it world and the cloud, or basically in organizations, it's all about an object and that object being the identity and the continuous usage of that identity. And this is really where we fundamentally need to get to protecting. And this is really organizations really need to get down to looking about how we can put this in place. How can we can make it easy? How can we make security, something that people want to use? And that's what we adhere to do.

So I've actually came up with a few years ago, called a privileged access management life cycle. We need to really put this into a systematic approach. So it becomes consistent, repeatable, efficient skillable, and enterprise capable. This is really means that you must actually go through and it means that we no longer can have approach security or even privilege access security, like a checkbox approach for too many years, organizations have basically done it from checkbox to meet things like compliance and regulatory needs.

We actually have to do this from a systematic, consistent, repeatable process. It means that that checkbox is like putting a sticker on your door saying, you know, cyber criminal stay out, that's the checkbox approach, but we need to make sure we have the effective and correct locks, the right security controls, the right authorization, access verification, and really getting to what Phillip had mentioned earlier. But really the, the principle of lease privilege, we really need to get into making sure that we start the basis of lease privilege. And it's all about getting to on demand.

Elevation of privileges. I myself years ago was a data data center administrator. And I had basically a full domain account and we had them move away from having that persistence. We had them move to actually, I'm a standard account. And I elevate on demand, whether that being gaining access to a GitHub repository into CRM in the cloud or SAS based applications or in, you know, virtual environments or hybrid cloud, whatever that might be, I should start at the least privilege and elevate up on demand. And then one, my time is basically done or expired.

I should move back down and any credentials, anything should be rotated afterwards. So this really means that organizations really need to define privileged access and the risks you need to understand the risks. What is it mean if your organization is not able to protect those accounts, what is the impact? And we must get it towards a automated, continuous discovery of privileges. This is not something that we can rely on human intervention. We must actually get it where it's consistent and systematic. And it means that we also have to look at what security controls do we want to apply.

It can no longer be just a password. And I know we've heard a lot about password lists and in my view, you know, it's MIS sexually it's incorrect assumption. It's not password list. It's about less password interaction. It's about how do we reduce the interaction between humans and passwords? So the true sense is what we're doing is really moving passwords into the background. And that's what privilege access security. That's what the life cycle enables you to do is actually ability to move those passwords into the background.

So the employees can focus at the things that they need to be doing. What makes your organiz organization successful? And it means you must monitor the usage and access. And that's, what's really about what identities, what we need to do. It's not about just identities exist and we're managing the password, but we must manage the usage and you can also integrate it into an instant response plan. This is so critical when I actually end up responding to incidents and I get called to come in and actually help clean up many cases.

I'm actually using the same accounts that the actually criminal has been, you know, compromised. This means that we really must have a definitive, a very clear separation that we must actually have privilege access, having ready to go into response accounts for me to use that actually keeps the forensics and evidence separated. That allows us to actually, you know, eradicate and disable the compromised accounts. We must integrate privilege, access into instant response plan. And as I mentioned, this is not a checkbox approach. It's something we must do continuously.

We must review, audit and update the security controls. When required, when changes happen, we actually can't let those changes actually cause security risks. So therefore we must intervene and make sure we do it correctly. So I've actually created to help you. What I refer to as the Pam coverage of the risk matrix. As I mentioned earlier, we must treat all identities as privileged. Anything that has access to these organization must be treated as privilege.

Just like people who walk into your offices, you know, many, you know, months ago at a time when we could actually leave our homes, it means that we it's not to say that they're all equal. It means that different people have access to different rooms and different departments and different data and different applications. So therefore we must treat it as a risk matrix. Therefore it means that all new accounts created, we might see systems going snapshot, restorations. We might see new applications being deployed. You're always gonna have new accounts being created.

So therefore a risk register and approval process will help you move those unmanaged accounts into a managed and secured environment. So this is really to help you get to the point that you're having this continuous process you're continually discovering, and you're finding these accounts and you have to determine what is the risk, therefore, do I need to apply multifactor authentication? Do I need to have a, basically a workflow or a peer approval process?

If this account is being accessed from outside the country or from a different IPA address or from a machine that you've never seen before, should you apply different security controls? We must move to risk based approach. And this also gets into even cloud access when you're accessing cloud applications, what security controls, what visibility do you have over the access? So this is really the fundamental is helping you really come up with a strategy and a plan to get to maturity.

And again, this is a continuous process. It's something that you must do as a system to make sure that you have that consistent because ultimately from a cyber criminal, it only takes one account, one endpoint, one vulnerable application further than get one foot in the door. And we have to make sure we eliminate that we, our job is to make cyber criminals task as difficult and as challenging as possible, the more we force them to make noise, the more likely it is, we're able to detect them and prevent them from getting access.

So, as I mentioned, you might be in different stages of the maturity you might have already been using as a password manager. You might have privilege access security and apply to your domain administrator or certain accounts in your environment or your infrastructure, or even in cloud. But you must ask yourself, how can you get as much coverage as possible to reduce the risk? So the Pam matrix are what is now called as a checklist is really to help you ask the right questions.

What is those questions that will help you fundamentally get closer and closer to actually having a true, mature, privileged access security strategy. And this means that sometimes you must start at the risks. What is the concerns? What are you trying to, what's your goals? Are you trying to reduce the risk from ransomware? Are you looking to reduce the risk from potential insider threats?

Is it, you know, from basically service or downtime? Is it from compliance failure? What is it we're trying to achieve? What are we trying to reduce that risk? And then ultimately figuring out doing that reality check is what is the stage you're in? How are you preventing that today is your actually domain accounts only secured with a password. Then what can you do more?

You know, is it being used for configuration changes who has access to it? Who's using it?

Is it, you know, it, administrators, is it your security team? Does your help desk have access? Do you have any third party contractors? Is it your developers and really understand about what is that access? And this is really where that convergence between identity and access management and privilege access management, is that relationship between who has access, whether it being a human or non-human to what type of privilege they have access to, how they use it, is it for doing remote access for, you know, is it for basically, you know, running reports for scheduled tasks?

Is it for, you know, basically logging into an application? How did they get used? And this is really the critical, this is why privilege account management has evolved.

You know, this used to be called a privilege account management, but it's now all about the usage of the access, not just about managing static objects and attributes and accounts. It's really about managing the usage. And this is really where privilege access management vendors has evolved, really looking at the continuous active, you know, consistent us usage of those privileged accounts to really making sure that the security controls can actually be dynamic and adaptive. And this is really the world we're moving to.

So really this pan matrix is really to help you, you know, fundamentally look at what stage you're in, what things you want to prioritize, and you can make this interactive. It's not something that you, you know, have to, to, to look at once. So you can actually integrate this into your process and maturity model. So this is really kinda where I recommend, you know, using this as a, a framework to help you get there. And the way I look at privilege, access security, it's really about, it's like a continuous digital product golf test for access.

This is ultimately, you know, this means that anytime somebody's looking of authentication or identity's looking for, you know, authorization is we have to look at it and fundamentally look at what is the risk of that access being granted and ultimately determining what security controls, what we satisfy to reduce that risk. What should we apply?

How can we make it, make sure that we can verify the identity that we don't expose ourselves to more risk that we can actually potentially maybe turn on session recording, that we can have it as you know, on demands, elevated of privileges so that they can't actually, you know, have it persistent, or maybe we actually don't give them full privileges. We give them limited privileges, but it's the actions that gets elevated.

Moving to that principle least privilege are even getting into endpoint privilege management, where we're talking about elevating the actually actions in the libraries, but not the user context itself. This is really where it really gets down to fundamentally meaning that all access requests that you can make sure that you're doing as much risk reduction as possible. It's fundamentally to get to the point privilege access is so much more than just the password bolt. It's so much more than just rotating passwords and, and delegating and sharing passwords between users.

It's about fundamentally reducing the risk. It's about looking at the usage. It's about looking at the disclosure rate. It's about looking at your exposure. It's about looking at what type of data and what type of access to being granted. How long do they have access to what types of security controls we applying to it?

Are we basically making sure that they're only launching into the, the target, the application, the system, the infrastructure, the cloud environment, do they not know their credential needs, know the credential, rotating it after the usage, maintaining a recording of the activity and the changes it was done, this is really why it's all about managing and securing the usage and helping organizations really move to this on demand real time elevation where identity is the core, but privilege access is basically the fundamental perimeter.

We're moving to a world where basically, you know, organizations will no longer just managing accounts and managing infrastructure that will be managing usage. And this is where privilege access is so fundamental. And that's why it's so much more than just a password fault. It's so much more than just managing privileges. It's about managing the usage and continuous usage of accounts, giving you visibility, auditability, and transparency.

I realized a few years ago when I actually did a penetration test on a par station, they, that was a fundamental change in my look at how I look at security and how we all should look at security. Security should be dynamic. It should be like a living organism. When the threats are high out there, we should be able to increase the security fence as much as possible when the threats are low, we should turn it. So dial down a little bit so that the security that's usable, that we're not actually causing friction between the employees.

Our job in this industry is to help employees be successful to help the business be successful. So what I look at is that fundamentally our goal in security is to reduce the risk to the business, to make it resilient as possible. And this is why every time I've worked on a, in response or doing ethical hacking or penetration testing or security research, this is why every single time I see privilege access has been the fundamental cause of many data breaches, many security incidents. And this is why you must take it as a serious priority.

IM telling you today, I, I don't want you to become the next victim. I want you to get to maturity to become more resilient and take privilege, access security, seriously, to help you get there. I've created some assets. I've created the privilege access management checklist, and this is a template. That's a self-assessment tool to really help you ask those right questions about, to look at your organization and to really customize privilege access for you. So you might be at different stages. You might be looking at password management.

You might be looking at privilege account, but we want to help you get to the success we want to help you treat all privileges, all identities as privileges as basically fundamentally to make sure you apply the right security controls and get to a place where your organization is as resilient and reduce the risk as possible. So hopefully this has been interesting. I'm happy to take any questions that might be from the audience at this stage. And I hope, you know, if you do want to connect, you do have questions. I'll be in the networking lounge for the rest of the evening. Ask me questions.

I'm happy to share my experience and knowledge with you and help you get the right start to getting to maturity.