In this presentation from the webinar of Security MVP and Microsoft Security Trusted Advisor, Paula Januszkiewicz,get an overview of how privileged access management can help balance DevOps’ need for agility and speed with IT security’s need for visibility, access management, and compliance.
Key use cases covered include:
• Network Segmentation: Grouping assets, including application and resource servers, into logical units that do not trust one another
• Enforcing Appropriate Use of Credentials: IT organizations can leverage these controls to limit lateral movement in the case of a compromise and to provide a secure audit trail
• Elimination of Hard-Coded Passwords: Removing hardcoded passwords in DevOps tool configurations, build scripts, code files, test builds, production builds, etc.
You can watch the full, on-demand webinar here: https://www.beyondtrust.com/resources/webinar/securing-devops-privileged-access-management/
4. What does CQURE Team do?
Consulting services
High quality penetration tests with useful reports
Applications
Websites
External services (edge)
Internal services
+ configuration reviews
Incident response emergency services
– immediate reaction!
Security architecture and design advisory
Forensics investigation
Security awareness
For management and employees
info@cqure.us
Trainings
Security Awareness trainings for executives
CQURE Academy: over 40 advanced security
trainings for IT Teams
Certificates and exams
Delivered all around the world only by a CQURE
Team: training authors
5. Overly simple passwords and security questions
Key learning points:
✓ Almost always there are passwords reused
✓ Almost always (ekhm… always) there is some variant of
company name and some number (year, month etc.)
✓ It makes sense to check for obvious passwords and
continuously deliver security awareness campaigns
Typical password locations
NTDS.dit, SAM
Configuration files
Registry
Memory dumps, Hiberfil.sys
Databases (DPAPI ?)
7. Lack of SMB Signing (or alternative)
Key learning points:
✓ Set SPNs for services to avoid NTLM:
SetSPN –L <your service account for AGPM/SQL/Exch/Custom>
SetSPN –A Servicename/FQDN of hostname/FQDN of domain
domainserviceaccount
✓ Reconsider using Kerberos authentication all over
https://technet.microsoft.com/en-us/library/jj865668.aspx
✓ Require SPN target name validation
Microsoft network server: Server SPN target name validation level
✓ Reconsider turning on SMB Signing
✓ Reconsider port filtering
✓ Reconsider code execution prevention but do not forget that
this attack leverages administrative accounts
8. Allowing unusual code execution
Key learning points:
Common file formats containing malware are:
✓ .exe (Executables, GUI, CUI, and all variants like SCR, CPL etc)
✓ .dll (Dynamic Link Libraries)
✓ .vbs (Script files like JS, JSE, VBS, VBE, PS1, PS2, CHM, BAT,
COM, CMD etc)
✓ .docm, .xlsm etc. (Office Macro files)
✓ .other (LNK, PDF, PIF, etc.)
If SafeDllSearchMode is enabled, the search order is as follows:
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current directory
6. The directories that are listed in the PATH environment
variable
11. Trusting solutions without knowing how to break them
Key learning points:
✓ The best operators won't use a component until they
know how it breaks.
✓ Almost each solution has some ‘backdoor weakness’
✓ Some antivirus solutions can be stopped by SDDL
modification for their services
✓ Configuration can be monitored by Desired State
Configuration (DSC)
✓ DSC if not configured properly will not be able to spot
internal service configuration changes
Example: how to I get to the password management
portal?
12. Misusing service accounts + privileged accounts
Key learning points:
✓ gMSA can also be used for the attack
✓ Service accounts’ passwords are in the registry, available online
and offline
✓ A privileged user is someone who has administrative access to
critical systems
✓ Privileged users have sometimes more access than we think (see:
SeBackupRead privilege or SeDebugPrivilege)
✓ Privileged users have possibility to read SYSTEM and SECURITY
hives from the registry
Warning! Enabling Credential Guard blocks:
x Kerberos DES encryption support
x Kerberos unconstrained delegation
x Extracting the Kerberos TGT
x NTLMv1
13. Falling for hipster tools
Key learning points:
✓ Worldwide spending on information security is expected to reach
$90 billion in 2017, an increase of 7.6 percent over 2016, and to top
$113 billion by 2020, according to advisory firm Gartner
✓ With increasing budget the risk of possessing hipster tools increases
too – do we know where these tools come from and what are their
security practices?
✓ Lots of solutions where not created according to the good security
practices (backup software running as Domain Admin etc.)
✓ Each app running in the user’s context has access to secrets of other
apps – Data Protection API
✓ Case of CCleaner
17. The Cyber Attack Chain – Where is the Risk?
Vulnerable Assets & Users
Unmanaged Credentials
Excessive Privileges
Limited Visibility
of compromises used definable
patterns established as early as 2014.188%
of data breaches involve the use or
abuse of privileged credentials on the
endpoint.2
80%
average days to detect a data
breach.3206
1Verizon 2017 Data Breach Investigations Report
2Forrester Wave: Privileged Identity Management, Q3 2016
3Ponemon 2017 Cost of a Data Breach Study
18. The Cyber Attack Chain – Getting More Complex
Virtual & Cloud
IoT
DevOps
Connected Systems
growth of hybrid cloud adoption in the
last year, increasing from 19% to 57% of
organizations surveyed.1
3X
billion connected things will be in use
worldwide in by 2020, according to
Gartner. 2
20.4
of organizations implementing DevOps
– it has reached “Escape Velocity.”350%
1Forbes 2017 State of Cloud Adoption & Security
2Gartner Press Release, Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31% From 2016, Feb 7, 2017
3Forrester Q1 2017 Global DevOps Benchmark Online Survey
19. Our Mission: Stop Privilege Abuse. Prevent Breaches.
• Reduce attack surfaces by eliminating
credential sharing, enforcing least privilege,
and prioritizing and patching system
vulnerabilities
• Monitor and audit sessions for unauthorized
access, changes to files and directories, and
compliance
• Analyze behavior to detect suspicious user,
account and asset activity
21. Cloud
Hybrid Cloud
IoT
DevOps
On-Premise
Privilege Management – The New Perimeter
Reduce Insider Threats
• Discover, manage
& monitor all
privileged
accounts & keys
• Enforce least
privilege across
all Windows, Mac,
Unix, Linux and
network endpoints
• Gain control and
visibility over
privileged
activities
Stop External Hacking
• Discover network,
web, mobile, cloud
and virtual
infrastructure
• Remediate
vulnerabilities
through
prescriptive
reporting
• Protect endpoints
against client-side
attacks
Reveal Hidden Threats
• Aggregate users &
asset data to
baseline and track
behavior
• Correlate diverse
asset, user &
threat activity to
reveal critical risks
• Dynamically adjust
access policies
based on user and
asset risk
22. Into the Cloud
Connector Framework: Industry unique connector technology to
enumerate instances in the cloud and virtually instantiated for
management.
• Amazon AWS
• Microsoft Azure
• Vmware
• Hyper-V
• IBM SmartCloud
• Go Grid
• Rackspace
• Google Cloud
23. In the Cloud
• Cloud Ready Agents: UnixLinuxWindowsMac Agents
• Cloud Ready Communications: Agents to Console
• Cloud Ready API: Public Password Safe API
• Dynamic Licensing: High watermark based licensing
• MSP & Multi-tenant Platform: Managed Service Provider Ready
24. From the Cloud
• Market Place Apps: Amazon AWS
AMI, Microsoft Azure, & Google and
Oracle (Later this year)
• Cloud Offerings (SaaS)
• BeyondSaaS – Vulnerability Assessment,
Web Application Scanning, Privilege
Cloud Management
• PowerBroker Cloud Privilege Manager
(Coming soon)
25. DevOps & PAM: Challenges
1. Inventory of DevOps Assets & Activity
2. Asset vulnerabilities across dev, test, production
3. Hard Coded Passwords in scripts & orchestration
4. Shared Accounts with limited accountability
5. Excessive Privileges on test and production systems
6. Attackers targeting developer workstations
7. Lack of boundary controls between dev, test & production
8. Scale and dynamic nature of the environment
27. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
28. DevOps & PAM: Best Practices
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
DISCOVER & INVENTORY
Continuous discovery of assets across
physical, virtual and cloud
environments.
29. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
SCAN FOR VULNERABILITIES
Continuous vulnerability assessment and
remediation guidance of the infrastructure and
code/builds across physical, virtual and cloud
environments.
30. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
ENSURE CONFIGURATION
COMPLIANCE
Continuous configuration and hardening
baseline scanning across servers and
code/builds across physical, virtual and cloud
deployed assets.
Ensure configurations are consistent and
properly hardened across the entire devops
lifecycle.
31. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
Control and audit access to shared
accounts and ensure that all audited
activity is associated with a unique identity.
Include developer access to source control,
devops tools, test servers, production builds
Ensure that all passwords are properly
managed and rotated across the devops
environment.
32. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
ELIMINATE HARD-CODED
PASSWORDS
Control scripts, files, code, embedded
application credentials and hard-coded
passwords.
Remove hardcoded passwords in devops
tool configurations, build scripts, code files,
test builds, production builds, and more.
33. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
SEGMENT
NETWORKS
ENFORCE APPROPRIATE
CREDENTIAL USAGE
Eliminate administrator privileges on end-
user machines
Securely store privileged credentials
Require a simple workflow process for
check-out, and monitor privileged sessions.
34. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT NETWORKS
Group assets into logical units Reduce
“line of sight” access
Utilize a secured jump server with MFA,
adaptive access and session monitoring
Segment access based on context of the
user, role, app and data being requested.
35. DevOps & PAM: Best Practices
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
RESTRICT PRIVILEGES
Target environments
Development workstations
Containers
36. BeyondTrust Secures DevOps
DISCOVER &
INVENTORY
GAIN ACCOUNTABILITY
OVER SHARED ACCOUTS
ELIMINATE HARD-
CODED PASSWORDS
RESTRICT
PRIVILEGES
SCAN FOR
VULNERABILITIES
ENSURE CONFIG-
URATION COMPLIANCE
ENFORCE APPROPRIATE
CREDENTIAL USAGE
SEGMENT
NETWORKS
POWERBROKER
Single Platform that Unites
DevOps Security
Retina Vulnerability
Management
PowerBroker
Password Safe
PowerBroker Desktop &
Server Privilege Management
Retina Vulnerability
Management
Retina Vulnerability
Management
PowerBroker
Password Safe
PowerBroker
Password Safe
PowerBroker
Password Safe
POWERBROKER
Single Platform that Unites
DevOps Security
37. Why BeyondTrust? The PAM Industry Leader
Leader: Forrester PIM Wave, 2016 Leader: Gartner Market Guide for PAM, 2017