Today there are more privileged users than ever before. Providing access is not optional; it is a business necessity. But how do you avoid excessive access? Providing the right access at the right time is the formula for reducing your risk and securing a world of data. At FedEx, empowering the right people at the right time is not only good business, it is also good security.
For more information on Security, please visit: http://cainc.to/CAW17-Security
Case Study: Privileged Access in a World on Time
1. Case Study: Privileged Access in a World on Time
Session SCT17S, Security track
Trey Ray, IT Manager, FedEx
Laxmi Potana, Sr. Cyber Security Analyst, FedEx
Michael Scudiero, Cyber Security Advisor, FedEx
9. Privileged Access is Preventive & Detective
Prevent:
2 Factor Authentication
Automated Password Rotation & Vaulting
Command Filtering
Leapfrog Prevention
Detect:
DVR & Command Line Session Recording Available
Logging of All PAM User Activity
SIEM Integration & Alerting
Report:
Built-in Reports on All Integrated Accounts and Passwords
Metrics Displayed in Admin Dashboard
10. Managing the Keys to Running the World on Time
Privileged accounts in scope:
Active Directory domain admin
Windows Server admin
Unix root
Database admin (DBA) and developer break-fix
App service accounts
Web portals
VMware hypervisor admin
TACACS
Corporate social media accounts
Any shared privileged account in the environment
If privileged accounts are the "Keys to the Kingdom," then PAM is the lockbox for the keys.
12. Use Case: Active Directory Domain Admin (Before PAM Integration)
A Domain Admin launches an RDP session from their own PC/laptop, or from another Windows server in the domain, using a personal admin account.
This practice exposes the account to "Pass the Hash": the domain administrator's credential material is cached on the endpoint, where an attacker who compromises that endpoint can harvest the hash and replay it to gain privileged access to the domain.
13. Use Case: Active Directory Domain Admin (After PAM Integration)
The Domain Admin logs into the CA PAM client with 2FA and checks out a Domain Admin credential.
The RDP session to a Domain Controller is launched using CA PAM transparent login with PAM-managed credentials.
The Domain Admin credential is never exposed to the administrator's endpoint, which removes the Pass the Hash exposure there; the credential now lives only in the vault and on the domain controller, so those become the systems to harden.
The session is optionally recorded for audit purposes.
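To make the before/after contrast concrete, here is detection logic (an added example, not FedEx's or CA PAM's code) that flags Domain Admin logons which did not arrive through the PAM appliance. The field names follow Windows Security event 4624; the Domain Admin list, the PAM appliance address and the four sample events are constructed for the example.

```python
"""Flag Domain Admin logons that did not arrive through the PAM appliance.

Added example for the use case above; not FedEx's or CA PAM's code. Events
are constructed with the field names of Windows Security event 4624
(EventID, RecordNumber, TargetDomainName, TargetUserName, LogonType,
IpAddress, AuthenticationPackageName); the Domain Admin list and the PAM
appliance address are assumed values.
"""
from dataclasses import dataclass

DOMAIN_ADMINS = {"CORP\\da-alice", "CORP\\da-bob"}    # assumed inventory
PAM_PROXY_IPS = {"10.20.0.5"}                          # assumed appliance

# 4624 LogonType values used here: 2 = Interactive (console),
# 10 = RemoteInteractive (RDP), 3 = Network (SMB, WinRM, ...).
INTERACTIVE_TYPES = {2, 10}
NETWORK_TYPE = 3


@dataclass(frozen=True)
class Finding:
    record: int      # RecordNumber of the offending 4624 event
    user: str        # DOMAIN\user that logged on
    source: str      # IpAddress reported in the event
    reason: str


def evaluate(events):
    """Return a Finding for every privileged logon that bypassed the appliance."""
    findings = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        user = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'
        if user not in DOMAIN_ADMINS:
            continue
        logon_type = int(e["LogonType"])
        src = e["IpAddress"]
        if src in PAM_PROXY_IPS:
            continue                 # brokered by PAM: the expected path
        if logon_type in INTERACTIVE_TYPES:
            findings.append(Finding(e["RecordNumber"], user, src,
                f"Domain Admin logon type {logon_type} not brokered by PAM"))
        elif logon_type == NETWORK_TYPE and e["AuthenticationPackageName"] == "NTLM":
            findings.append(Finding(e["RecordNumber"], user, src,
                "NTLM network logon by a Domain Admin outside PAM; "
                "treat as pass-the-hash until shown otherwise"))
    return findings


# Constructed sample: four 4624 events as a collector might forward them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "RecordNumber": 101, "TargetDomainName": "CORP",
     "TargetUserName": "da-alice", "LogonType": 10, "IpAddress": "10.20.0.5",
     "AuthenticationPackageName": "Negotiate"},      # RDP via PAM: expected
    {"EventID": 4624, "RecordNumber": 102, "TargetDomainName": "CORP",
     "TargetUserName": "da-alice", "LogonType": 10, "IpAddress": "10.50.1.23",
     "AuthenticationPackageName": "Negotiate"},      # RDP straight from a laptop
    {"EventID": 4624, "RecordNumber": 103, "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.50.1.23",
     "AuthenticationPackageName": "Negotiate"},      # not a privileged account
    {"EventID": 4624, "RecordNumber": 104, "TargetDomainName": "CORP",
     "TargetUserName": "da-bob", "LogonType": 3, "IpAddress": "10.50.7.9",
     "AuthenticationPackageName": "NTLM"},           # NTLM network logon
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"record {f.record}: {f.user} from {f.source}: {f.reason}")
```

A rule like this is the detective counterpart of the transparent-login control: once every Domain Admin session is supposed to originate from the appliance, any 4624 on a domain controller with another source address is either a process failure or an attacker, and an NTLM network logon by a Domain Admin from a workstation deserves the pass-the-hash response until proven otherwise.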
14. Use Case: Unix Root (Before PAM Integration)
No consistent method for managing Unix root passwords across the SysAdmin teams.
Unix root passwords had to be rotated manually on a regularly scheduled interval.
No attribution for Unix root account usage: a shared root login does not record which administrator was at the keyboard.
15. Use Case: Unix Root (After PAM Integration)
The Unix SysAdmin logs into the CA PAM client with 2FA to check out the root password for a server when required.
The SSH session to the Unix server is launched using CA PAM transparent login with PAM-managed credentials.
The root password is never displayed to the SysAdmin.
Command filtering prevents accidents (rm -rf *.*).
The session is optionally recorded for audit purposes.
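Command filtering is a syntactic control, so it is worth seeing exactly what one catches. The following is an added example, not CA PAM's filter engine; the deny lists are an assumed policy written for the slide's `rm -rf *.*` case and for the bypasses a practitioner would try first.

```python
"""Illustrative command filter for a PAM-brokered root SSH session.

Added example, not CA PAM's implementation: the rules are assumed policy,
chosen to show what a syntactic filter catches and what it does not.
"""
import shlex
from dataclasses import dataclass

# Targets that turn a recursive rm into a disaster rather than housekeeping:
# the filesystem root, system trees, or a bare glob whose expansion depends
# on whatever the current directory happens to be.
DANGEROUS_RM_TARGETS = {"/", "/*", "*", "*.*", "/etc", "/boot", "/usr", "/var", "/home"}
ALWAYS_DENY = {"mkfs", "mkfs.ext4", "mkfs.xfs", "shutdown", "reboot", "halt", "init"}
# Anything that hands the operator an unfiltered interpreter defeats the
# filter, so those are denied as well.
SHELL_ESCAPES = {"sh", "bash", "zsh", "dash", "ksh", "python", "python3", "perl", "su", "sudo"}
SEPARATORS = {";", "&&", "||", "|", "&"}


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def split_commands(line):
    """Split a shell line into simple commands at ; && || | and &."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _is_recursive_flag(arg):
    if arg == "--recursive":
        return True
    # Short-option cluster such as -rf, -Rf, -fr.
    return arg.startswith("-") and not arg.startswith("--") and bool(set(arg[1:]) & {"r", "R"})


def check_command(argv):
    """Evaluate one simple command (argv list) against the policy."""
    if not argv:
        return Verdict(True, "empty command")
    cmd = argv[0].rsplit("/", 1)[-1]          # /bin/rm and rm hit the same rule
    if cmd in ALWAYS_DENY:
        return Verdict(False, f"{cmd!r} is denied outright")
    if cmd in SHELL_ESCAPES:
        return Verdict(False, f"{cmd!r} would escape the command filter")
    if cmd == "rm":
        flags = [a for a in argv[1:] if a.startswith("-")]
        targets = [a.rstrip("/") or "/" for a in argv[1:] if not a.startswith("-")]
        if any(_is_recursive_flag(f) for f in flags):
            hit = [t for t in targets if t in DANGEROUS_RM_TARGETS]
            if hit:
                return Verdict(False, f"recursive rm of {hit[0]!r} blocked")
    return Verdict(True, "no rule matched")


def filter_line(line):
    """Verdict for a whole command line; the first denied command wins."""
    for argv in split_commands(line):
        verdict = check_command(argv)
        if not verdict.allowed:
            return verdict
    return Verdict(True, "no rule matched")


if __name__ == "__main__":
    for line in ["rm -rf *.*", "rm -rf /var/log/app/*.log", "ls /tmp; rm -rf /",
                 "bash -c 'rm -rf /'", "find / -xdev -delete"]:
        v = filter_line(line)
        print(f"{'ALLOW' if v.allowed else 'DENY '} {line!r}: {v.reason}")
```

The filter blocks the slide's `rm -rf *.*` accident, a `rm -rf /` hidden after a semicolon and an attempt to wrap the command in `bash -c`, but it lets `find / -xdev -delete` through because nothing in the policy names it. That is the limit of command filtering: it stops mistakes and casual misuse, while session recording and the brokered, vaulted credential remain the controls against a determined operator.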
16. Use Case: Developer DB Break-Fix (Before PAM Integration)
A developer escalates their database privileges temporarily (24 hours) using an IDM pre-approved break/fix workflow.
Because the developer uses their own personal user account for the escalated database access, an attacker holding compromised credentials has the full 24-hour window in which to use them.
17. Use Case: Developer DB Break-Fix (After PAM Integration)
The developer logs into the CA PAM client with 2FA and checks out a privileged database account.
A secure SQL session to the database is launched using CA PAM transparent login with PAM-managed credentials.
The database password is never displayed to the developer.
The session is optionally recorded for audit purposes.
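The difference between a 24-hour grant on a personal account and a checked-out, vaulted credential comes down to who holds the secret and for how long. The model below is an added example covering the controls listed on slide 9 and this use case; it is not CA PAM's implementation, and the lease length, the rotation scheme and the audit field names are assumptions.

```python
"""Vaulted checkout model: single holder per account, short leases, rotation
on check-in or expiry, attributed audit events. Added example for slide 9
and the break-fix use case, not CA PAM's code; the lease TTL, rotation
scheme and audit field names are assumptions."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    account: str
    user: str
    expires_at: float


class Vault:
    def __init__(self, now, lease_ttl=3600):
        self._now = now            # injected clock so expiry can be exercised
        self._ttl = lease_ttl
        self._secrets = {}         # account -> current password
        self._rotated_at = {}      # account -> time of last rotation
        self._leases = {}          # account -> active Lease (single holder)
        self.audit = []            # attributed events, ready for a SIEM

    def _log(self, event, user, account, **extra):
        self.audit.append({"ts": self._now(), "event": event,
                           "user": user, "account": account, **extra})

    def _rotate(self, account, user, why):
        self._secrets[account] = secrets.token_urlsafe(24)
        self._rotated_at[account] = self._now()
        self._log("rotate", user, account, why=why)

    def onboard(self, account):
        self._rotate(account, "vault", "onboard")

    def _expire_stale(self):
        # A lease nobody checked in is closed and its secret rotated anyway.
        for account, lease in list(self._leases.items()):
            if self._now() >= lease.expires_at:
                del self._leases[account]
                self._log("lease_expired", lease.user, account)
                self._rotate(account, lease.user, "lease expired")

    def checkout(self, user, account, mfa_verified):
        self._expire_stale()
        if not mfa_verified:
            self._log("checkout_denied", user, account, why="2FA failed")
            raise PermissionError("second factor required")
        if account in self._leases:
            raise RuntimeError(f"{account} is held by {self._leases[account].user}")
        lease = Lease(account, user, self._now() + self._ttl)
        self._leases[account] = lease
        self._log("checkout", user, account, expires_at=lease.expires_at)
        return lease

    def launch(self, lease, connector):
        # Transparent login: only the connector ever receives the secret.
        if self._leases.get(lease.account) != lease:
            raise RuntimeError("lease is not active")
        self._log("session_start", lease.user, lease.account)
        return connector(lease.account, self._secrets[lease.account])

    def checkin(self, lease):
        if self._leases.get(lease.account) != lease:
            raise RuntimeError("lease is not active")
        del self._leases[lease.account]
        self._log("checkin", lease.user, lease.account)
        self._rotate(lease.account, lease.user, "check-in")

    def exposure_seconds(self, account):
        return self._now() - self._rotated_at[account]


def _attempt(fn):
    """Return the error message of a refused checkout, or None if it succeeded."""
    try:
        fn()
        return None
    except (PermissionError, RuntimeError) as err:
        return str(err)


def demo():
    """Run a constructed break-fix scenario and return what happened."""
    clock = [1_700_000_000.0]                    # constructed fake clock
    vault = Vault(now=lambda: clock[0], lease_ttl=3600)
    acct = "prod-db/app_owner"
    vault.onboard(acct)
    out = {"without_2fa": _attempt(lambda: vault.checkout("dev.alice", acct, False))}
    lease = vault.checkout("dev.alice", acct, mfa_verified=True)
    out["contended"] = _attempt(lambda: vault.checkout("dev.bob", acct, True))
    out["session"] = vault.launch(lease, lambda a, pw: f"connected as {a}")
    clock[0] += 900                              # fifteen minutes of work
    vault.checkin(lease)
    out["exposure_after_checkin"] = vault.exposure_seconds(acct)
    vault.checkout("dev.bob", acct, mfa_verified=True)
    clock[0] += 4000                             # Bob never checks in
    vault.checkout("dev.alice", acct, mfa_verified=True)
    out["events"] = [e["event"] for e in vault.audit]
    return out
```

Two things to check in the returned audit trail: every event after onboarding names the human who held the lease, which is the attribution the Unix root slide says was missing, and the secret is rotated on check-in and again when Bob's forgotten lease expires, so the exposure window is the length of one session rather than the 24 hours of the pre-approved escalation.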
18. Use Case: Microsoft LAPS Console (Before PAM Integration)
An administrator launches the LAPS console from their local machine.
LAPS read privileges are granted directly to the human admins via an AD group.
An adversary using a compromised human admin account would be able to read the local Windows administrator passwords of many devices from LAPS.
19. Use Case: Microsoft LAPS Console (After PAM Integration)
The administrator logs into the CA PAM client with 2FA and checks out a LAPS-enabled credential.
CA PAM launches the LAPS console as an RDP published application.
The LAPS-enabled credential is rotated at the end of the session and once a day, so a captured credential is useful only until the session ends.
The LAPS session is optionally recorded for audit purposes.
20. What We Learned Will Help Us Scale
Awareness
Planning
Phased approach
Empower administrators
Design for high availability