Case Study: Privileged Access in a World on Time
Trey Ray, IT Manager, FedEx
Laxmi Potana, Cyber Security Advisor, FedEx
Michael Scudiero, Sr. Cyber Security Analyst, FedEx
SCT17S
SECURITY
2 COPYRIGHT  ©  2017  CA.  ALL  RIGHTS  RESERVED#CAWORLD #NOBARRIERS
Terms of This Presentation
For Informational Purposes Only
© 2017 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2017 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time with CA Privileged Access Manager is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it's also good security.
Trey Ray, FedEx, IT Manager
Laxmi Potana, FedEx, Cyber Security Advisor
Michael Scudiero, FedEx, Sr. Cyber Security Analyst
HOW TO BUILD A GLOBAL SHIPPING NETWORK TO TAKE ON THE FUTURE
VIDEO: “FEDEX” (TRT: 1:31)
Privileged Access in a World on Time
Trey Ray, Laxmi Potana, and Michael Scudiero
Privileged Access in a World of Cyber Risk
PCI DSS 3.2 Created The Urgency
Privileged Access is Preventive & Detective
PREVENT
2 Factor Authentication
Automated Password Rotation & Vaulting
Command Filtering
Leapfrog Prevention
DETECT
DVR & Command Line Session Recording Available
Logging of All PAM User Activity
SIEM Integration & Alerting
REPORT
Built-in Reports on All Integrated Accounts and Passwords
Metrics Displayed in Admin Dashboard
Managing the Keys to Running the World on Time
Active Directory domain admin
Windows Server Admin
Unix root
Database admin (DBA) and developer break-fix
App service accounts
Web Portals
VMware Hypervisor admin
TACACS
Corporate social media accounts
Any shared privileged account in the environment
If privileged accounts are the “Keys to the Kingdom,” then PAM is the lockbox for the keys.
USE CASES TO CONTROL PRIVILEGED ACCESS
Unix Root Admin
Active Directory Domain Admin
Windows Local Admin Accounts
Developer Access To Privileged Data
Use Case: Active Directory Domain Admin (Before PAM Integration)
Domain Admin launches an RDP session from their own PC/laptop or from another Windows server in the domain using a personal admin account.
This practice is subject to the “Pass the Hash” vulnerability, whereby the domain administrator’s credentials can be harvested by an attacker and used to gain privileged access to the domain.
Use Case: Active Directory Domain Admin (After PAM Integration)
Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential.
RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials.
The Domain Admin credentials are never exposed to the administrator endpoint, which eliminates the "Pass the Hash" vulnerability.
Session is optionally recorded for audit purposes.
Use Case: Unix Root (Before PAM Integration)
The SysAdmin teams had no consistent method for managing Unix root passwords.
The Unix root passwords had to be rotated manually on a regularly scheduled interval.
There was no attribution for Unix root account usage.
Use Case: Unix Root (After PAM Integration)
Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required.
SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials.
The root password is never displayed to the SysAdmin.
Command filtering prevents accidents (rm -rf *.*).
Session is optionally recorded for audit purposes.
Use Case: Developer DB Break-Fix (Before PAM Integration)
Developer escalates his database privileges temporarily (24 hours) using an IDM pre-approved break/fix workflow.
Since the developer uses his own personal user account for the escalated database access, the window of opportunity for an attacker to gain access using compromised credentials is lengthy.
Use Case: Developer DB Break-Fix (After PAM Integration)
Developer logs into the CA PAM client with 2FA and checks out a privileged database account.
Secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials.
The database password is never displayed to the developer.
Session is optionally recorded for audit purposes.
Use Case: Microsoft LAPS Console (Before PAM Integration)
Administrator launches the LAPS console from their local machine.
LAPS privileges are granted directly to the human admins via an AD group.
An adversary using a compromised human admin account would be able to view local Windows admin credentials for many devices in LAPS.
Use Case: Microsoft LAPS Console (After PAM Integration)
Administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential.
CA PAM launches the LAPS console via an RDP published application.
The LAPS-enabled credential is rotated at the end of the session and once a day.
LAPS session is optionally recorded for audit purposes.
WHAT WE LEARNED WILL HELP US SCALE
DESIGN FOR HIGH AVAILABILITY
EMPOWER ADMINISTRATORS
PHASED APPROACH
AWARENESS
PLANNING
Questions?
Stay connected at communities.ca.com
Thank you.
Security
For more information on Security, please visit: http://cainc.to/CAW17-Security
