Event Recording

Roy Adar - Mitigate Targeted Attacks with Privileged Account Analytics

Keynote at the European Identity & Cloud Conference 2014

May 13-16, 2014 at Munich, Germany

So I may not survive through to the end of the day, but here we go; you are doing very well. So I'd like to invite up Roy Adar from CyberArk. Why are you here? I haven't actually seen... oh, he's on his way. And he's mic'd up and looks like he's ready to go and leap in there. And Roy, you don't quite look as though you're as elderly as some of the rest of us here.
Take that as a compliment. Thank you. Thank you very much. Okay. Good evening everyone. I know it's been a long day, so we'll work through this together. The topic of the session for now is looking at privileged account analytics to help mitigate targeted attacks. And this is just a disclaimer to say that we're talking about a theoretical concept and not things that are specific features of any specific product, but we'll get that out of the way. So the main question, and the main thing that we will talk about in this session, is really: who controls your systems? As blunt as that: who controls your systems? Is it you, or is it an attacker?
Now, you know, these are attacks that I'm sure most of you know; there are a million other examples out there. The point is not to show you attacks, but to talk about a very common thread that research shows appears in almost all those advanced attacks. And the thing is that almost a hundred percent of them involve using stolen credentials, and in most cases going after privileged accounts. So attackers going after privileged accounts as part of those advanced attacks is something that, again, happens in almost a hundred percent of the cases. Now, just to oversimplify the process of a breach and to show where we want to focus the conversation today, we'll talk about the steps that most attacks take. Again, it's not that a hundred percent of the cases are exactly like this, but it's a very recurring blueprint. The first stage, of course, is just getting through the perimeter, getting in somehow into your organization. And once the attacker is in, there is really a recurring cycle of trying to advance to more and more machines in the environment. As the attacker moves to different machines, he tries to escalate his privileges, collects the data he finds, and sends it out. There are many tools for the different stages of attacks. Our focus today is really to talk about the privilege escalation part, which, as we said, appears in almost a hundred percent of those attacks.
So how hard is it for attackers to find, hijack and steal privileged accounts? Apparently, again, looking at the past, not too difficult. The attack surface, the number of privileged accounts that average organizations have, is really huge. People are often surprised by the true number of privileged accounts that they have in their organization. Just as a rule of thumb, in many cases it's about three times the number of employees. Again, rule of thumb; it varies, but it's a very big number. Now, some of these are very trivial, very obvious. For example, the system administrator accounts: the root accounts of your Unixes, the Administrator of your Windows systems, the system accounts on your Oracle databases. You would know that these are the privileged accounts out there, and sometimes you would look at them, but there are many other types of privileged accounts out there that attackers would go after.
There were a lot of conversations about cloud providers and managed service providers. These companies, these outsourcers, also use a lot of privileged accounts to manage your systems. So this is also something attackers would go after. Now, it's a long list; I'm not going to review all of it, but privileged accounts really enable you as an attacker to do almost everything you want in a system. That's why the session started with "who owns your system". Simple example: domain controllers. Once I get a domain administrator account, as an attacker, I can pretty much establish my backdoor user so I can come back into the organization undetected whenever I want. I can have all that flexibility. I can access any desktop of any employee, manager or executive in the company without being noticed, and so forth. If I have a privileged database account, I just go directly to the database and get any data that I want.
I do not need to go through application logic and application access control; I can of course bypass all of that as an attacker. So each type of those privileged accounts can really get me to wherever I want as an attacker. But the other challenge is that it's not just your external attacker, the criminal attacker, the nation-state sponsored attacker; it can also be insiders. And again, there are many examples of insiders who are already in. They don't need the clever zero-day to penetrate the walls of your organization to get in. They are in, okay, they are in, and now they have access, perhaps as part of their job, to get to anything.
So Edward Snowden was mentioned many times today in many different contexts. The one context that I would refer to today is that he was an insider. He was a trusted insider. He didn't hack into the NSA to find all the secrets and publish them; he was already an insider. And part of the conversation that resulted is a lot of organizations asking themselves: what if I also have an insider who is on a mission, who wants to do something with the inside information? Now, the even worse thing is that many cyber attackers basically impersonate the insider. So if I can find, as an attacker, the names of employees of your IT team, and I can repeatedly try to social engineer them until I can trick one of them to click on my link or go to the bad website that I've set up for them, I can get into that employee's personal laptop. And now, when I'm brought into the organization, I can act on his behalf. I can do everything; again, as an attacker, I can do everything that that IT person can do. So again, it's not that this individual is necessarily bad, but this individual is privileged. As an attacker, I can impersonate his identity and really do things on his behalf, again leveraging the full access that he may have.
So what do you do? Generally speaking, when we talk about securing and protecting privileged accounts, we talk about four steps. I'm not going to go deep down into all of them; I'll mainly go into the fourth one. But it starts with, step one, discover: what do you have out there? Which privileged accounts are out there? Many organizations really underestimate the numbers and the types of accounts that they have out there, and we help organizations find that every day. The second thing is to protect the privileged accounts: make sure that they are protected, secure, automatically changing all the time. Third, make sure that you have monitoring and controls: whenever usage of a privileged account takes place, you can do full monitoring, full recording of the usage. And finally, and this is the main takeaway for today, look at privileged account intelligence to help define what is the normal usage of those privileged accounts, and then help you understand when something abnormal, something unusual, is happening; detect that early and respond to it. Because that is a very powerful indicator that all the other steps along the way may have missed an attacker and someone is working in your organization. Again, it could be an external attacker that passed many layers; it could be an insider.
So what does it mean to do privileged account monitoring analytics? So this is kind of a blueprint. It basically involves having a lot of information, and I like Martin's analogy from the morning about logging systems being a pre-processing step, if you will. So if you're using a solution for managing and controlling privileged accounts, there's a lot of logging that that solution collects. If you combine that with other system-wide logging that you have in your organization, then there's quite a lot of information that you can use in order to understand how privileged accounts are used in your organization. So our approach at CyberArk is to have that engine offer two ways to share findings. One is through an application that we have that helps you review anomalies of privileged account usage. But of course, we also feed that into your security operations consoles.
So if you have a higher-level instrument for looking at all incidents across the entire company, we would feed those alerts into those solutions for you to start reviewing. So just to kind of visualize the types of things that you may want to look at: it's all about modeling what is the normal behavior in your organization. So we'll use the term "entities" to define things that you want to, I'll call it, build a profile for. Okay, so you have individual users, and you want to profile how they work. You have groups of users, and sometimes one group of users would distinctly behave differently than another group of users. You have certain commands, and you can see when they are being used, and by whom, and where, and so forth. And you have different assets in your organization, and you can also monitor how these assets are being managed, administered, in a privileged way.
The flip side of those are what we call the dimensions. So you could look at different attributes. For example, the time of day, the date and time that certain activities take place. You could look at the location, the IP address that is being used in order to perform certain things. You can look at the rate: it's perhaps normal for something to happen once or twice; if it happens 5,000 times, that's abnormal. Okay. From what has been reported about the Edward Snowden breach, just to give an example, it was him pulling hundreds of thousands of documents. It's normal for someone to pull five documents, 10 documents, 20 documents a day, but tens of thousands of documents being pulled in a short period of time, okay, someone needs to look at that, right?
That's what we mean by rate. And of course, geolocation: we mean the countries, the regions all around the world. Is it reasonable for someone in one country to access sensitive resources that are in another country? Again, sometimes it is, sometimes it isn't. When you combine that together, then you get multi-dimensional structures. Now, for the PowerPoint's sake, it's just three dimensions in this PowerPoint, but of course, software-wise, you can look at much more. And how do you use that? So let's take an example. Each cross of the different dimensions that you map can answer a question. For example, is it normal for this user to access this sensitive asset at this time of day? Okay, is it normal or not normal?
Is it normal for a certain command to be executed at this rate, a hundred times, a thousand times, from that location? Now, there are combinations that don't really have a security value in them. I mean, you can look at some of those crosses in the cube and say, you know what, that doesn't mean anything. And that is true. And one of the challenges here is really to help understand which combinations of attributes are informative, which combination is the one where you say, you know what, these are the metrics that are really important for me. These are the ones where, if I see something unusual, then someone should look at them. Maybe it's a breach; maybe it's just a one-off IT operation that kind of raises the alarm but is legitimate.
But these are the things that we want to look at. And these are things that, of course, you can figure out, build and calculate on your own. These are things that vendors such as us help build knowledge on, accumulated knowledge across the industry of what interesting things you could be looking at. And of course, integrators, consultants and managed service providers out there can also help with that accumulated knowledge, because eventually, for this type of solution, there's enabling technology there, but there is a learning curve of what you should monitor in your organization, what is a good indicator in your environment that you would like to profile and monitor.
So this is an example of the CyberArk dashboard, but again, just for example; you can have that in different ways. These are incidents where the system found, okay, here's something which is unusual. So there are a lot of things that are normal, but over a period of time, here are things that we found which are unusual. And when you want to drill down and say, okay, why is this unusual? And this is actually from a customer environment, so the blacked-out sections are just for privacy and secrecy. But this is a very simple example of a user accessing an asset at an unusual time for that user. So it's very easy to visually understand why this is something which stands out. You can really see plotted all the activity of that user over time, and you could see these are the normal working hours of this user, and suddenly here's a privileged operation happening outside those hours. Is this a cyber attack?
Maybe no, maybe yes, but it is unusual. But now you have one indicator. Let's say at the same time that user also crosses another threshold of doing something too many times, or that user also does something from a location that has not been done before. So of course, a system that looks at anomalous privileged activity needs to have that taken into account. Multiple abnormal activities combine to a much stronger indication that something needs to be looked at, something here needs to be reviewed. So with that, I finish. This is just for those of you who are not familiar with CyberArk: this is who we are. We are working on securing and protecting privileged accounts and helping you secure against breaches that happen using privileged accounts. We're a global company with our 1,500 customers across the world. We're also here outside, if you want to speak to us later. And with that, I thank you for your time.
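Editor's note: the following is an added, stand-alone illustration of the entity/dimension profiling the talk describes (per-user baselines over time of day, source country, asset and command rate, with several weak indicators combined into one stronger alert). It is not code from the talk or from any CyberArk product. The event fields, indicator weights, the 3x rate multiplier, the severity cut-offs and all sample sessions are constructed assumptions for the example.

```python
"""Privileged-account usage profiling: learn per-user baselines from past
sessions, score new events on several dimensions (time of day, source
country, asset, command rate) and combine the indicators into a severity."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    asset: str
    command: str
    src_ip: str
    country: str


@dataclass
class Profile:
    """Baseline for one entity (a user), built from historical events."""
    hours: set = field(default_factory=set)      # hours of day seen
    countries: set = field(default_factory=set)  # source countries seen
    assets: set = field(default_factory=set)     # assets administered
    max_daily: int = 0                           # busiest day in baseline


@dataclass(frozen=True)
class Finding:
    user: str
    ts: datetime
    indicators: tuple
    score: int
    severity: str


# Weights and multiplier are assumptions for illustration, not product defaults.
WEIGHTS = {"unusual_hour": 1, "new_asset": 1, "new_country": 2,
           "high_rate": 2, "unknown_user": 3}
RATE_MULTIPLIER = 3  # flag a day with more than 3x the baseline maximum


def _mk(ts, user, asset, command, src_ip, country):
    return Event(datetime.fromisoformat(ts), user, asset, command, src_ip, country)


# Constructed sample data (not real logs): alice is a DBA working office
# hours from Germany, bob runs sudo on one app server from the US.
HISTORY = [
    _mk("2014-05-05T08:10", "alice", "db-prod-01", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-05T10:30", "alice", "db-prod-02", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-05T13:05", "alice", "db-prod-01", "rman", "10.1.1.5", "DE"),
    _mk("2014-05-05T17:45", "alice", "db-prod-01", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-06T08:20", "alice", "db-prod-02", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-06T17:50", "alice", "db-prod-01", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-07T14:00", "bob", "app-srv-01", "sudo", "10.2.2.9", "US"),
    _mk("2014-05-07T15:00", "bob", "app-srv-01", "sudo", "10.2.2.9", "US"),
    _mk("2014-05-08T14:30", "bob", "app-srv-01", "sudo", "10.2.2.9", "US"),
]

# New activity to score: one normal session, one new asset, one night-time
# session from an unseen country, an unknown user, and a burst from bob.
NEW_EVENTS = [
    _mk("2014-05-12T10:15", "alice", "db-prod-02", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-12T11:00", "alice", "db-prod-03", "sqlplus", "10.1.1.5", "DE"),
    _mk("2014-05-13T03:12", "alice", "db-prod-01", "sqlplus", "198.51.100.7", "RU"),
    _mk("2014-05-13T09:00", "mallory", "dc-01", "net user", "10.9.9.9", "DE"),
] + [_mk(f"2014-05-12T14:{m:02d}", "bob", "app-srv-01", "sudo", "10.2.2.9", "US")
     for m in range(0, 35, 5)]


def build_profiles(events):
    """Entity profiles: hours, countries, assets and busiest day per user."""
    profiles = defaultdict(Profile)
    daily = Counter()
    for e in events:
        p = profiles[e.user]
        p.hours.add(e.ts.hour)
        p.countries.add(e.country)
        p.assets.add(e.asset)
        daily[(e.user, e.ts.date())] += 1
    for (user, _), n in daily.items():
        profiles[user].max_daily = max(profiles[user].max_daily, n)
    return dict(profiles)


def score_event(e, profile, todays_count):
    """Names of the indicators that fire for one event against a baseline."""
    if profile is None:
        return ("unknown_user",)
    fired = []
    # An hour is unusual if neither it nor an adjacent hour is in the baseline.
    if not {e.ts.hour - 1, e.ts.hour, e.ts.hour + 1} & profile.hours:
        fired.append("unusual_hour")
    if e.country not in profile.countries:
        fired.append("new_country")
    if e.asset not in profile.assets:
        fired.append("new_asset")
    if todays_count > RATE_MULTIPLIER * max(profile.max_daily, 1):
        fired.append("high_rate")
    return tuple(fired)


def severity(score):
    return "high" if score >= 3 else "medium" if score >= 2 else "low"


def analyze(history, new_events):
    """Score new events against the baselines; return findings with score > 0."""
    profiles = build_profiles(history)
    daily = Counter()
    findings = []
    for e in sorted(new_events, key=lambda x: x.ts):
        daily[(e.user, e.ts.date())] += 1
        fired = score_event(e, profiles.get(e.user), daily[(e.user, e.ts.date())])
        score = sum(WEIGHTS[i] for i in fired)
        if score:
            findings.append(Finding(e.user, e.ts, fired, score, severity(score)))
    return findings


def alerts(findings):
    """Only findings stronger than a single weak indicator go to the SOC queue."""
    return [f for f in findings if f.severity != "low"]


if __name__ == "__main__":
    for f in analyze(HISTORY, NEW_EVENTS):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:8} {f.severity:6} {', '.join(f.indicators)}")
```

Run as-is, the single new asset for alice stays a low-severity record, bob's seventh sudo session on one day trips the rate indicator on its own, and alice's 03:12 session from an unseen country fires two indicators at once and is the one an analyst would look at first. In a real deployment the baselines would come from the privileged-session logs the talk mentions, the per-entity windows would be refreshed continuously, and the weights would be tuned against the false positives of one-off maintenance work.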
