Event Recording

Yaron Mazor: The Interplay between SOAR and PAM

Oh, good evening. Greetings from Israel. Everyone's saying that Israel is the cyber nation or the startup nation. I think today everyone can say that we are also the multi-elections nation. We have had four elections in a row in just a period of two years, which is really interesting. Imagine that happening in your country. And I have a question for you: who do you think is going to be the next prime minister in Israel? Actually, I have a different question for you. How many of you have purchased a PAM solution but never got to fully implement it across the organization? So in the last, I remember 10 years ago as a pre-sales engineer in one of the cybersecurity companies, I gave this huge promise to my potential customers that they will be able to manage all of their privileged accounts. Sounds amazing, but actually, years after a very exhausting project, they still haven't got into it.
And there are two types of PAM customers: the ones who are aware that they are not fully implemented and the ones who are not. Which group do you belong to? You don't have to answer me, but actually it doesn't matter, because both of you are exposed to this. Don't worry, I'm not going to analyze those attacks. You are probably already boosted with enough information coming from the social media, and also John discussed it in the beginning. But what's more important is that these are more examples of cyber attacks which involve abuse of privileged accounts along the way to reach their goal. The attackers in a hundred percent of the attacks are trying to push us towards this. I mean that they will try to first steal credentials, doesn't matter if they are privileged or not, and with that, they will try to escalate into privileged authorizations in order to abuse them to either steal information or to create huge damages.
This is the agenda for today. You can see the topics. In the last four years as a PAM consultant in the cybersecurity arena, I'm striving to push my customers to improve their PAM implementation effectiveness by measuring their effectiveness and automating as much as possible. Aiming for automating everything or managing everything will lead you to doing nothing. This is why in this session I will try to focus on the top use cases that are important for you as an organization to start with in terms of automation. But let's start with the PAM solution. So luckily you have a PAM solution in order to minimize those privileged account risks. And with the PAM solution, you are able to prevent credential theft, block unauthorized privilege escalation, and monitor those privileged activities. In just a quick background, the concept is very basic: every user is a standard user.
And if the guy needs to do some work on the sensitive server through the PAM system, he or she will be able to escalate to a privileged account which is rotated frequently or is a one-time account. Not only humans, but also scripts and applications need privileged accounts. They run with low privilege and they can access the target system with privileged accounts. All the rest are blocked, and here we go, privileged account management. So that's privileged account management in a nutshell, but the reality is that the PAM implementations or the PAM programs are one of the highest-complexity programs that you have in cybersecurity. And they have, as you can see, a lot of elements within their lifecycle, starting from provisioning those accounts, detecting them, providing the right access control (who can access which account), rotating those credentials. That's the bread and butter of privileged access management.
And then when you can enforce them, you can start working by defining workflows and how to monitor those activities. So it's far from being plug and play. It's a long-term program, not mentioning the fact that you need to integrate with your enterprise standards: authentication and reporting systems, SIEM solution, and so on. So the PAM vendors actually do a lot of work and they invest time in automating these elements that I just presented through the workflow. But most of the solutions that I have seen still have insufficient out-of-the-box automation, which leads to the fact that customers still need to do a lot of the work during the implementation itself and during the day-to-day operations. So it means that eventually implementing critical use cases and critical enforcement is avoided because it's too complex to implement. The second challenge is that if there is a lack of automation, then you'll try to do it yourself.
How many of you have heard from the vendors: hey, we have a REST API, do it yourself, you can do everything with it, and by the way, it's free? And we all know that there are some hidden costs, small costs, for finding the right developers, DevOps team, and maintaining that piece of code that you just programmed. Last but not least, the integration itself is not real automation. You integrate with the corporate standards, but usually the integration with your enterprise is one way. It means that you connect to the authentication, you connect to the SIEM solution, but it's one way, there is no interaction. And there is no interaction between the different security layers. I mean, PAM is not alone. I claim that it's the most important, but it's not alone. You have additional security layers and there's not really a collaboration. So let's see how SOAR can assist you in improving and in automating in a better way the elements within the PAM life cycle we saw.
So that's why I call it SOARing PAM, and I will start with the first scenario of provisioning those most critical accounts and the challenges there. But, you know, there are so many different types of privileged accounts. Where do you start? There are local admins on servers, laptops, and desktops. There are those personal domain admins, which are the organization's super users. And there are the service accounts and the rest. But where would you start, A or B? And I put intentionally those two, because these are the most common for customers to start with. Why? Because usually they have the list of these users. So who do you start with? When I ask my customers, usually they say, oh, obviously, a hundred percent I will begin with the personal domain admins because they are the higher risk. If they're compromised, if I compromise a domain admin, I can access all the servers.
If I compromise the local admin, I can just access one server. So they say, yeah, I will start with B. But in reality, what we see is that most of the customers start with provisioning A. And why is that? Because it's much easier, and the PAM vendors provide excellent automation for that provisioning process. So if you have good automation, you will use that first. But the result is unfortunately that you have no real impact if you just provision those local admins, and years after I'm still chasing my customer: hey, when do we start the next phase of provisioning those personal domain admins? So why is it so complicated? Let's see the challenges of provisioning specifically those personal domain admins, which are the highest risk. So this is your organization. You have John, a domain admin, he's a super user. The first thing you need to do, even before going into PAM, you need to restrict John's permissions and make him a regular user.
And at the same time, create his new domain admin account on the corporate Active Directory. Think about all the behind-the-scenes activities that you need to do: changing security policies and delegations and notifying all of these users. Imagine how many users, how many domain admins do you have in your organization? Think about it, that you need to automate this for every type and each type of user. And only then you can go to the PAM flow and say, okay, I will now embed this domain admin within the PAM life cycle: provision it, create access control so that only John can access this specific John ADM account, rotate credentials, and so on. And this is something that the PAM vendors unfortunately do not provide, and it presents a lot of complexity to do that. So what do you do? Do you go for the free REST API? Before you do that,
you need to think about the following. First, do we have the right people to program it with the right skill set? Are they experts in AD? Are they experts in PAM? And if not, maybe you need to invest a lot in training, which means that you need to have budget for the DevOps team, for developers, for training and so on. Last but not least, who is going to support you when this code breaks down along the way? Neither the PAM vendor nor IT; you will need to take responsibility for all the flaws within your code.
So with SOAR, I think you can introduce a complete story using those playbooks. And you can say, okay, I want to define this provisioning personal domain admin playbook in one place, using plugins that will connect both to the Active Directory, perform all the updates of the permissions in your domain controller, and then go into PAM and provision the account automatically, describe the access control for John, and do a special program that will be able to even notify all those users about this new change. The second scenario is about privileged access workflows that I strongly urge you to automate. Providing workflows is critical, especially if you want to apply the request-approve workflow or the request-confirm. Why do we need this dual control? In cases when we are discussing the highest-risk servers or applications, even if I have a legitimate permission and I want to access those critical servers, having a request confirmed is critical, because then I will be double-checked by the corporate or by the IT admin whether it's really necessary to do the activity that I want to do on the server.
Maybe it's not the right time. Maybe this server is in freeze mode at the end of the year. So we apply the request-approve workflow. Before PAM, those of you who've been here 20 years ago probably remember this: you had to fill in a request paper form, why you need to access this critical server with a privileged account. You needed to wait for a manager to approve it within the organization, sign the paper. And then you go with this paper to the minus two floor at the bank, present this confirmation, and from the physical safe you get a nice envelope with the password inside. That's how it was done. How is it done today? Completely differently.
And as you can see, the steps are almost the same, but using emails, notifications, and request-approve, then you get the password. But still, it still requires the same steps. By the way, the old version was called the envelope procedure, and the new way of doing it with PAM, the current way, some customers call it the electronic envelope procedure. But there are some challenges with it. Still, it's hard to implement. You can't apply this request-approve workflow on all the privileged accounts; you need to do it only on some of them, because it's really impossible. Second of all, it's still time-consuming. You probably need to still wait for this manager to approve your request. I'm using it at one of my customers to access their PAM solution, and when I click connect, I need to wait, and I can wait for two days until they approve, because they get tons of emails in their inbox.
So what do I do? I use a WhatsApp message and I call my guys there: hey guys, can you please approve my access? I've been waiting for two days. Send, and then they approve it. So again, here, unfortunately, a lot of customers that I'm familiar with avoid using this very important workflow. With SOAR, you know, looking for innovation and improving the way we work: people today are looking to do things in an instant way and with highest availability, 24/7. I don't want to wait for someone to approve it. So why not use WhatsApp? I have a better idea for you: by leveraging advanced workflows within SOAR. Some platforms allow you to build your own automatic system and put all the policies inside, so it will automatically be able to reach a decision in order to approve this privileged account request.
So I just need to type: I need access to this server with my John ADM account. The system will ask me, okay, can you identify yourself? OTP or two-factor authentication. With that OTP, validating my eligibility to retrieve the password, and that's it, approved. Looks amazing and doable. And this is not science fiction; I'm sure you can look into it later. Last but not least, the third scenario is monitoring those privileged accounts. Once you enforce them and manage those privileged accounts, you can monitor their activities, both in order to have forensics and to have threat detection. And I will concentrate on detecting threats with PAM and the example of creation of a backdoor user. In this example, a backdoor user was created on your Active Directory, a newly created account. So with PAM today, thanks to some vendors, you are able to automatically detect these kinds of newly created unmanaged accounts.
So the moment PAM finds this newly created account, it'll do two things: it'll auto-provision it and it will auto-reset its credentials. So at that stage, this account is controlled and monitored, but there are still several challenges. First, most of the vendors provide this automation through scanning in a cyclic way and not trigger-based. So you need to wait one, two minutes until this cycle of scanning will check if there are newly created accounts. And what if this attacker is so sophisticated that it creates the account and 20 seconds later deletes it? You will not even be aware that this account was created and did something on your corporate directory. Second is that the whole event of creation of that new backdoor account will be detected in the PAM scope. What about alerting the others? What about alerting the other teams and systems?
So I guess you'll figure it out and use your SIEM solution and connect PAM to it. And I really think that PAM is the most critical security layer, but it's not alone. You have other security layers that also send syslogs to your SIEM server, which means that you are constantly blasting your SIEM. How do you correlate this massive amount of events, and more important, do you really have actionable insights? I'm still chasing some of my customers to build incident response for the events they get from their PAM solution. And they say, Yaron, we are fine, don't worry, SIEM is fully integrated, we send the logs. But the question is, what do you do with them? And more important is how do you collaborate between those security layers? Maybe the one event on one layer can affect another security layer. And this is where again SOAR comes in, at the interplay with PAM.
Let's look at the same scenario with SOAR. We are talking about trigger-based. The SIEM receives an event of that newly created domain account on your DC. And then by leveraging the playbooks, you can actually do the first step exactly as the PAM solution does, which means that you can program it easily using plugins and REST API coming from the SOAR platform to onboard this account automatically and reset its credentials. But again, we have a broader view now, thanks to the advanced workflow. So if it really seems to be a sophisticated attack, we can launch other actionable insights, like for example blocking the originating station, blocking the source IP address. Or if we think that our domain controller is in danger and dirty, then we can isolate it from the network automatically. And more: we can send notifications through this playbook. We can do a lot of stuff. So this is actually the first time that you will have full collaboration between all these different security layers and teams within your organization.
So let's summarize. Where have you been until today? So yesterday you avoided critical use cases, and we all understand why, because it was really complex and seemed to be mission impossible. But this led to the fact that you only implemented PAM partially, and this means that you were left vulnerable to risks. Today you learned that automation is not just a key factor but a must, and you must include it in your PAM strategy. You want to do automation yourself? Think again, it's not free and it's not realistic. And I gave you some examples, some real examples, that you can do with orchestration, with SOAR. And some key takeaways for tomorrow, what you do tomorrow: you will be able finally to maximize your PAM effectiveness with SOAR. The first thing that you will be able to do finally is to provision the most critical accounts, like I said, those personal domain admins and such that you cannot easily automate today. Second, you will implement advanced workflows to improve productivity. If you improve productivity, you will increase your security enforcement and increase your cybersecurity defense. And last, it is the first time you will have real collaboration between the security teams and the different security layers.
That's it for today. I would like to thank you all for listening at this time. I think it's almost 3:00 AM in Japan; I saw someone from Japan has joined. And I would like also to thank KuppingerCole for inviting me to speak at this important event.
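Editor's illustration of the third scenario, not code from the talk or from any SOAR or PAM vendor: a small trigger-based playbook that consumes constructed Windows account-lifecycle events (4720 = account created, 4726 = account deleted), onboards unmanaged accounts immediately, widens the response when an account is deleted within the 20-second window the talk mentions, and is compared with the cyclic scan it replaces. The account names, IP addresses and the two-minute scan interval are assumptions made for the sample.

```python
"""Trigger-based PAM onboarding playbook vs. a cyclic directory scan (editor's example).
Sample events are constructed; Windows Security event 4720 = user created, 4726 = user deleted."""
from dataclasses import dataclass, field

SHORT_LIVED_SECONDS = 20  # "creates the account and 20 seconds later deletes it"

@dataclass
class Event:
    ts: int          # seconds since the start of the sample window
    event_id: int    # 4720 (created) or 4726 (deleted)
    account: str
    source_ip: str   # workstation the change originated from

# Constructed sample: one legitimate admin account, one short-lived backdoor.
SAMPLE_EVENTS = [
    Event(5, 4720, "john_adm", "10.0.0.15"),
    Event(130, 4720, "svc_backup2", "10.0.0.99"),
    Event(150, 4726, "svc_backup2", "10.0.0.99"),
]

@dataclass
class Playbook:
    managed: set = field(default_factory=set)     # PAM vault inventory
    created_at: dict = field(default_factory=dict)
    actions: list = field(default_factory=list)   # what the SOAR run did

    def on_event(self, ev: Event) -> None:
        """Runs on each SIEM-forwarded event, not on a timer."""
        if ev.event_id == 4720 and ev.account not in self.managed:
            # Same first step PAM's own scanner takes, but immediately.
            self.managed.add(ev.account)
            self.created_at[ev.account] = ev.ts
            self.actions += [("onboard", ev.account), ("rotate_credential", ev.account)]
        elif ev.event_id == 4726:
            born = self.created_at.get(ev.account)
            if born is not None and ev.ts - born <= SHORT_LIVED_SECONDS:
                # Create-then-delete pattern: widen the response beyond PAM.
                self.actions += [("block_source_ip", ev.source_ip), ("notify_soc", ev.account)]

def run_trigger_based(events):
    pb = Playbook()
    for ev in sorted(events, key=lambda e: e.ts):
        pb.on_event(ev)
    return pb.actions

def run_cyclic_scan(events, interval=120):
    """Snapshot the directory every `interval` seconds; return every account a scan ever saw."""
    seen, end = set(), max(e.ts for e in events)
    for t in range(0, end + interval, interval):
        live = set()
        for ev in sorted(events, key=lambda e: e.ts):
            if ev.ts > t:
                break
            if ev.event_id == 4720:
                live.add(ev.account)
            else:
                live.discard(ev.account)
        seen |= live  # the backdoor is missed when it is gone before the next cycle
    return seen
```

With the default two-minute interval the cyclic scan only ever sees `john_adm`, while the trigger-based run onboards `svc_backup2` and escalates on its deletion.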
