
CyberArk University

Overview
The New Cyber Battleground: Inside Your Network

Over 90% of organizations have been breached
• In the past: “I can stop everything at the perimeter”
• Today: “I can’t stop anything at the perimeter”

Information security focus shifts to inside the network
• Over 35% of breaches are internal – driven by malicious and unintentional insiders
• Compromised credentials empower any attacker to act as an insider

Compliance and audit requirements focus on privileged accounts
• Privileged accounts provide access to the most sensitive and valuable assets
• Information exposure damages brand reputation and customer confidence

An Outside Attacker Must Obtain Credentials of an Insider

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Mandiant, M-Trends and APT1 Report

Comprehensive Controls on Privileged Activity

• Lock Down Credentials – Protect privileged passwords and SSH keys
• Isolate & Control Sessions – Prevent malware attacks and control privileged access
• Continuously Monitor – Implement continuous monitoring across all privileged accounts

All accounts, wherever they exist!

Privileged Accounts Create a Huge Attack Surface

[Diagram: privileged accounts held by Applications, 3rd Party & Service Providers, Select Business Users, Social Networking Managers and System Administrators]

• Privileged accounts exist in every connected device, database, application, industrial controller and more!
• Typically a ~3X ratio of privileged accounts to employees

CyberArk: Proactive Protection, Detection & Response

[Diagram: insider and external actors reaching privileged accounts on Hypervisors, Databases/Applications, Network Devices, End Points, Social Media and Industrial Controls]

Proactive protection
• Only authorized users
• Individual accountability
• Limit scope of privilege

Targeted detection
• Continuous monitoring
• Malicious behavior
• High risk behavior
• Alerting

Real-time response
• Session termination
• Full forensics record of activity

Privilege is At The Center of the Attack Lifecycle
Typical Lifecycle of a Cyber Attack

CyberArk Breaks the Attack Chain

CyberArk Overview

Trusted experts in privileged account security
• 1,800 privileged account security customers
• 40% of Fortune 100

Approach privileged accounts as a security challenge
• Designed and built from the ground up for security

Twelve years of innovation in privileged account controls, monitoring and analytics
• First with vault, first with monitoring, first with analytics
• Over 100 software engineers, multiple patents

Only comprehensive privileged account security solution
• One solution, focused exclusively on privileged accounts
• Enterprise-proven

[Chart: growth over 2011–2014, with bars labelled 30% GROWTH, 40% GROWTH and 56% GROWTH]

Solving The Privileged Account Security Problem

Threats
▪ Advanced, External Threats
▪ Insider Threats
▪ Securing Application Credentials
▪ Securing Shared Admin Accounts

Audit & Compliance
▪ Control & Accountability for Privileged Users
▪ Remote User Access Control
▪ Monitor & Record Privileged Activity
▪ Compliance Reporting

CyberArk Delivers a New Critical Security Layer

PERIMETER SECURITY
SECURITY CONTROLS INSIDE THE NETWORK
MONITORING
PRIVILEGED ACCOUNT SECURITY

CyberArk’s Privileged Account Security Solution

Behavioral Analytics: Privileged Threat Analytics
Management Portal/Web Access
Proactive Controls, Monitoring & Management: Enterprise Password Vault®, SSH Key Manager, Privileged Session Manager®, Application Identity Manager™, On-Demand Privileges Manager™, Viewfinity
Shared Technology Platform: Master Policy, Secure Digital Vault™

Protect – Detect – Respond

Enterprise Password Vault
Enterprise Password Vault - Standard Components

▪ The Enterprise Password Vault Solution includes the following standard components:
  • EPV – Enterprise Password Vault
    • A hardened and secured digital vault used to store privileged account information.
    • Based on a hardened Windows server platform.
  • CPM – Central Policy Manager
    • Holds the Master Policy which controls the default password change policies and other workflow definitions.
    • Performs the password changes on devices.
  • PVWA – Password Vault Web Access
    • The web interface utilized by users to gain access to privileged account information.
    • Used to configure the Master Policy on the CPM.
  • PrivateArk Client
    • A thick client used by administrators to perform some configuration tasks of the EPV solution.

Enterprise Password Vault Solution Overview

1. Master/exception policy definition
2. Initial load & reset – Automatic Detection, Bulk upload, Manual
3. Request workflow – Dual control, Integration with ticketing systems, One-time passwords, exclusivity and more.
4. Direct connection to device
5. Auditor access

[Diagram: Security/Risk Management defines the Master Policy; the CPM manages the accounts in the Enterprise IT Environment (illustrative table: Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN and Cisco enable, each listed with the shared password tops3cr3t, alongside generated values such as gviNa9%, X5$aq+p, lm7yT5w, Oiue^$fgW, Tojsd$5fh and y7qeF$1); IT requests access to Windows Administrator on prod.dom.us through the PVWA; Auditors request to view reports]

CyberArk’s Secure Digital Vault

Master Policy

Users and Accounts

Throughout this course we will be using the terms Users and Accounts.
It is very important to understand the difference between the two.
▪ Users – People who have been granted access to the system.
  ■ Access passwords
  ■ Manage policies
  ■ Typically defined by their Domain credentials
▪ Accounts – The actual privileged account ids and passwords.
  ■ Stored in Safes
  ■ Examples include domain administrators, local administrators, root accounts, service accounts and more.

Account Storage – Granular User Access Control

Password Storage – Account Creation
• Manual Entry
• Automatic Detection/Provisioning
• Password Upload Utility

Password Retrieval – Show Password

Password Retrieval – Transparent Connection

Password Retrieval – Work Flow
1. User attempts to access a password
2. E-mail is automatically sent for approval
3. Approver confirms the request
4. User is notified that password is now available
5. User follows e-mailed link to access the password

Password Retrieval – Audit Trail

Automatic, Policy-Based Password Management

The Central Policy Manager can automatically change passwords based on organizational requirements. This:
• Reduces the burden on IT.
• Eliminates configuration errors.

SSH Key Manager
What are SSH Keys?

John wants to connect using an SSH Key…
• John will have the private key
• The public key associated to root is stored in root’s home directory

[Diagram: John → SSH → Linux Server 192.168.41.37, logging in as root]

Application Connectivity and Jump Servers

[Diagram: the Billing Application (192.168.40.4) connects as root to the FTP primary Server (192.168.41.37), the FTP backup Server (192.168.41.38) and the Billing backend Server (192.168.40.5)]

SSH Key Manager

[Diagram: End Users → SSH Key Manager (Secure Storage of public and private keys, Key Rotation and Distribution, PVWA) → Unix/Linux Resources: Servers, Mainframes, Databases, Applications, Cloud Infrastructure]
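The slide above locates John's public key in root's home directory on the Linux server. Before keys like that can be rotated or distributed centrally, an administrator has to know which keys an account currently trusts, what their fingerprints are, and whether the entries are restricted to a source host. The following is an added example, not CyberArk's SSH Key Manager code: it parses an authorized_keys file into an inventory and reports keys that carry no `from=` restriction. The authorized_keys content, the key material (generated from seeds so the script runs offline) and the comments are constructed for the example.

```python
"""Inventory the public keys that an account trusts (added example, not
CyberArk code). The sample ~root/.ssh/authorized_keys below is constructed."""
import base64
import hashlib
import shlex
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}


def _demo_ed25519_blob(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 wire blob from a seed.
    Demo key material only; a real key comes from ssh-keygen."""
    pub = hashlib.sha256(seed).digest()  # 32 bytes standing in for the public point
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


# Constructed sample of the file that grants access to root on 192.168.41.37.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys trusted by root on 192.168.41.37 (constructed sample)",
    "ssh-ed25519 " + _demo_ed25519_blob(b"john") + " john@workstation",
    'from="192.168.40.4",no-pty ssh-ed25519 ' + _demo_ed25519_blob(b"billing") + " billing-app",
    "",
])


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _blob_type(key_b64: str) -> str:
    """Read the key type string that opens the wire blob."""
    blob = base64.b64decode(key_b64)
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def parse_authorized_keys(text: str) -> list:
    """Parse authorized_keys lines into dicts: options, type, fingerprint, comment."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values together
        type_index = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if type_index is None or type_index + 1 >= len(tokens):
            raise ValueError("unrecognised authorized_keys line: " + line[:40])
        key_b64 = tokens[type_index + 1]
        if _blob_type(key_b64) != tokens[type_index]:
            raise ValueError("key type token does not match the key blob")
        options = ",".join(tokens[:type_index]).split(",") if type_index else []
        entries.append({
            "options": options,
            "type": tokens[type_index],
            "fingerprint": fingerprint(key_b64),
            "comment": " ".join(tokens[type_index + 2:]),
        })
    return entries


def unrestricted_entries(entries: list) -> list:
    """Comments of keys with no from= option: usable from any source host."""
    return [e["comment"] for e in entries
            if not any(opt.startswith("from=") for opt in e["options"])]


if __name__ == "__main__":
    for entry in parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry["fingerprint"], entry["type"], entry["comment"], entry["options"])
    print("unrestricted:", unrestricted_entries(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)))
```

The option list is split on commas after shell-style unquoting, which is enough for `from=` and flag options but would mis-split a `command="..."` value that itself contains a comma; a production inventory tool should parse options with a small state machine. Comparing the type token against the type encoded inside the blob catches entries that were edited by hand.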
Privileged Session Manager
CyberArk Privileged Session Manager

1. Logon through PVWA (HTTPS)
2. Connect (RDP over HTTPS to the PSM)
3. Fetch credential from Vault
4. Connect using native protocols
5. Store session recording
6. Logs forwarded to SIEM/Syslog

[Diagram: targets include Databases, Windows/UNIX Servers, Web Sites, Routers and Switches, and ESX\vCenters]

PSM – RDP Connection Using RemoteApp

User accesses account from PVWA and presses ‘Connect’; user is redirected to PSM server, which initiates the RDP connection

PSM – Windows Video Recording

PSM – Text Recording with Point-in-time Playback

PSM – Built-in Clients
• SQL Plus
• Management Studio
• VMware vCenter Client
• WinSCP

Application Identity Manager
Application Identity Manager (AIM)

[Diagram: Applications (Accounts Receivable on WebSphere, CRM on WebLogic, Human Resources on IIS / .NET, Online Booking System on Legacy / Homegrown, Websites / Web Apps) → Application Identity Manager (Secure Storage, Password and SSH Key Rotation) → Enterprise Resources: Servers, Mainframes, Databases, Applications, Network Devices, Security Appliances, Cloud Infrastructure]

Before – credentials embedded in the application:
    UserName = “app”
    Password = “y7qeF$1”
    Host = “10.10.3.56”
    ConnectDatabase(Host, UserName, Password)

After – credentials retrieved from AIM at run time:
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)
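The two pseudocode fragments above show the problem and the fix side by side: a password literal in source ends up in repositories, backups and every copy of the binary, whereas a provider call leaves nothing sensitive to find. The following is an added example and not the AIM SDK: a scanner that flags quoted secret literals in source text (so the "before" shape can be found across a code base), and a stand-in provider that resolves an application's credential from a mapping supplied by the caller. The `APP_<ID>_USER/PASSWORD/HOST` key names, the `get_credential` and `connect_database` functions and the two snippets are constructed for the example.

```python
"""Embedded credentials versus run-time retrieval (added example, not
CyberArk AIM code). Snippets and provider key names are constructed."""
import os
import re

# Before: secret and host baked into the code (the shape the slide warns about).
EMBEDDED_SNIPPET = '''
UserName = "app"
Password = "y7qeF$1"
Host = "10.10.3.56"
ConnectDatabase(Host, UserName, Password)
'''

# After: nothing sensitive in the source; values arrive from the provider.
PROVIDER_SNIPPET = '''
UserName = GetUserName()
Password = GetPassword()
Host = GetHost()
ConnectDatabase(Host, UserName, Password)
'''

# A quoted literal assigned to a name that looks like it holds a secret.
SECRET_ASSIGNMENT = re.compile(
    r'(?im)^[ \t]*(?P<name>[A-Za-z_]*(?:pass(?:word)?|pwd|secret|token|api[_-]?key)[A-Za-z_]*)'
    r'[ \t]*=[ \t]*["\'](?P<value>[^"\']+)["\']'
)


def find_embedded_secrets(source: str) -> list:
    """Return (variable name, line number) for each quoted secret literal found."""
    hits = []
    for match in SECRET_ASSIGNMENT.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        hits.append((match.group("name"), line_no))
    return hits


def get_credential(app_id: str, provider=None) -> dict:
    """Stand-in for GetUserName()/GetPassword()/GetHost(): look the application's
    credential up in `provider`, a mapping (defaults to the process environment).
    Key names APP_<ID>_USER, APP_<ID>_PASSWORD, APP_<ID>_HOST are an assumption."""
    provider = os.environ if provider is None else provider
    prefix = "APP_" + app_id.upper() + "_"
    try:
        return {f.lower(): provider[prefix + f] for f in ("USER", "PASSWORD", "HOST")}
    except KeyError as missing:
        raise RuntimeError("provider has no %s for application %s" % (missing.args[0], app_id)) from None


def connect_database(app_id: str, provider=None) -> str:
    """Mirror of ConnectDatabase(Host, UserName, Password): the password is fetched
    when needed and not kept around; returns a log-safe connection descriptor."""
    cred = get_credential(app_id, provider)
    # A real driver call would consume cred["password"] here, once.
    return "%s@%s (password supplied by provider)" % (cred["user"], cred["host"])


if __name__ == "__main__":
    print("embedded:", find_embedded_secrets(EMBEDDED_SNIPPET))
    print("provider:", find_embedded_secrets(PROVIDER_SNIPPET))
    demo_vault = {"APP_CRM_USER": "app", "APP_CRM_PASSWORD": "y7qeF$1", "APP_CRM_HOST": "10.10.3.56"}
    print(connect_database("crm", demo_vault))
```

The scanner is deliberately narrow (assignment of a quoted literal to a secret-like name) so it produces few false positives on a first pass; connection strings with inline passwords need a second pattern. A real provider would also authenticate the calling application (by path, hash, OS user or host) before returning anything, which the mapping stand-in does not model.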
On-Demand Privilege Manager
CyberArk On-Demand Privileges Manager for Unix

[Diagram: UNIX Servers with OPM Agent installed, PAS Admin, PVWA, IT personnel, Auditor, Vault]

1. Unix Admin defines policy in PVWA
2. IT requests on-demand elevation through native interface (OPM).
   • Uses PIMSU command instead of SUDO
3. OPM reads policies (cached), executes command and stores recording
4. Auditor reviews commands recordings / audit reports
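The four steps above reduce to one gate on the server: evaluate the requested command against a locally cached copy of the admin-defined policy, record the decision, and only then execute. The following added example (not the OPM agent or the PIMSU command) models that gate, including the case the diagram leaves implicit: what happens when the cached policy is older than its allowed age. It fails closed and still writes the audit entry. The roles, user names, command patterns, timestamps and the `PolicyCache`/`Elevator` names are constructed for the example.

```python
"""Policy-checked command elevation with an audit record (added example, not
CyberArk OPM code). Policy, users and commands are constructed."""
import fnmatch
import time
from dataclasses import dataclass, field


@dataclass
class PolicyCache:
    """Local copy of the elevation policy pulled from the Vault."""
    rules: dict                     # role -> list of allowed command patterns (fnmatch syntax)
    fetched_at: float               # epoch seconds when the copy was taken
    max_age_seconds: float = 3600.0

    def is_stale(self, now: float) -> bool:
        return now - self.fetched_at > self.max_age_seconds


@dataclass
class Elevator:
    """Agent-side gate: decide, record, then (in a real agent) execute and record output."""
    cache: PolicyCache
    user_roles: dict                # user -> set of role names
    audit: list = field(default_factory=list)

    def _matching_rule(self, user: str, command: str):
        for role in self.user_roles.get(user, ()):
            for pattern in self.cache.rules.get(role, ()):
                if fnmatch.fnmatchcase(command, pattern):
                    return role, pattern
        return None

    def request(self, user: str, command: str, now: float = None) -> bool:
        """Return True if the command may run elevated; always append an audit entry."""
        now = time.time() if now is None else now
        if self.cache.is_stale(now):
            # A stale policy could be missing a revocation: refuse rather than guess.
            allowed, reason = False, "policy cache older than max age; failing closed"
        else:
            match = self._matching_rule(user, command)
            allowed = match is not None
            reason = ("matched %r via role %s" % (match[1], match[0])) if allowed else "no matching rule"
        self.audit.append({"time": now, "user": user, "command": command,
                           "allowed": allowed, "reason": reason})
        return allowed


def build_demo_elevator(fetched_at: float = 1000.0) -> Elevator:
    """Constructed policy: web admins may restart httpd and read its logs, nothing else."""
    cache = PolicyCache(
        rules={"web-admin": ["/usr/bin/systemctl restart httpd",
                             "/usr/bin/tail -n [0-9]* /var/log/httpd/*"]},
        fetched_at=fetched_at,
    )
    return Elevator(cache=cache, user_roles={"jsmith": {"web-admin"}})


if __name__ == "__main__":
    gate = build_demo_elevator()
    gate.request("jsmith", "/usr/bin/systemctl restart httpd", now=1500.0)
    gate.request("jsmith", "/bin/bash", now=1500.0)
    gate.request("jsmith", "/usr/bin/systemctl restart httpd", now=1000.0 + 7200)
    for entry in gate.audit:
        print(entry)
```

Matching the whole command line as one string is a simplification that keeps the example short; a production gate resolves the executable to an absolute path first and evaluates arguments separately, so that a shell or an interpreter cannot be smuggled in as an argument to an allowed program.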
CyberArk Viewfinity
Control administrative privileges based on role

Control Windows administrator privileges based on role (Windows Server roles: Server admin, Application admin, Application developer)
• Use privilege management to segregate administrative duties
• Control the use of applications, scripts, commands and activities
• Enable privilege elevation when needed, based on policy

Flexible Delivery Methods – GPO ARCHITECTURE
[Diagram: the CyberArk Viewfinity GPO Editor publishes Group Policy to an AD Domain of Servers, Desktops, Laptops and VMs, with SCCM as an alternative delivery channel; endpoints Report Events back]

Flexible Delivery Methods – PUBLIC CLOUD
[Diagram: the CyberArk Viewfinity Administrator manages a Management Engine, Web Server, and Database & Reporting hosted in the public cloud, serving Corporate Desktop Users and Remote Laptop Users]

Flexible Delivery Methods – SERVER-BASED
[Diagram: the CyberArk Viewfinity Administrator manages an on-premises Management Engine, Web Server, and Database & Reporting, which deliver Group Policy to the AD Domain (Servers, Desktops, Laptops, VMs) and to Remote Laptop Users]

Privileged Threat Analytics
Privileged Threat Analytics

Behavioral Analysis: Self-learning statistical model based on a combination of patented algorithms, login data, and target system data gathered from inbound SIEM integrations.

[Diagram: Login Data and Target System Data feed Behavioral Analysis, which classifies activity as Normal or Abnormal; abnormal activity raises an ALERT to SIEM & CyberArk SIEM Solutions]

GOALS:
• Find the signal in the noise.
• Enable the SOC to instantly locate the most serious alerts.

Privileged Threat Analytics
• Collect – Collecting privileged accounts activity
• Ongoing Profiling – Profiling normal behavior
• Detect – Detecting abnormal privileged accounts activity

Privileged Threat Analytics Dashboard
Architecture
Vault and Components

• Vault
• Central Policy Manager
• Privileged Session Manager
• Password Vault Web Access
• Unix/Windows Application Provider
• Unix/Windows Privilege Provider
• PrivateArk Client
• PACli and SDKs

Component Communication – CPM and PVWA

The CPM and the PVWA exchange information. However, all the communication is done through the Vault.

[Diagram: the Central Policy Manager (which reaches the Managed Target Accounts and Servers) and the Password Vault Web Access (reached over HTTPS by End Users: IT Staff, Auditor, etc.) each connect to the Vault on port 1858; Vault Administrators using EPV Clients, Unix/Windows Users, and Custom Applications, Reporting Tools, etc. also connect to the Vault; Managed Target Databases and Unmanaged Target Accounts and Servers are shown on the target side]

Architecture – Basic Deployment, One Site

The Central Policy Manager communicates with the Target Servers via the native protocols.

[Diagram: Central Policy Manager 10.0.1.30 and Password Vault Web Access 10.0.1.60 connect to the Vault 10.0.1.31 on port 1858; End Users (IT Staff, Auditor, etc.) reach the PVWA over HTTPS; the CPM reaches the Target Systems]

Architecture – Basic Deployment, Multiple Sites

[Diagram: first site with Central Policy Manager 10.0.1.30, Vault 10.0.1.31 and Password Vault Web Access 10.0.1.60; second site with Central Policy Manager 192.168.23.19, Password Vault Web Access 192.168.23.31 and a component at 192.168.23.20 (label lost); each site has its own Target Systems and End Users (IT Staff, Auditor, etc.); connections to the Vault use port 1858, or 1858 or 443 from the remote site]

Possible reasons for multiple CPMs:
• Various network segments
• Scalability

CyberArk’s Distributed Architecture

[Diagram: Main Data Center – US with a Vault (HA Cluster), an IT Environment, IT and Auditors; a DR Site; London and Hong Kong sites each with Auditors/IT and an IT Environment]
