CyberArk Company Introduction

Captions
Hello everyone, thanks for joining. If I could, just for a moment, while I speak for CyberArk, I want to say how much of a privilege it is to be here in the room, and also to be present at the inaugural Security Field Day. Both CyberArk and this humble engineer can't thank you enough for the invite, as well as all the questions that no doubt will pour in over the number of sessions today. By way of introduction, my name is Brandon. I'm an engineer at CyberArk; I've been with the company for around five years. My main areas of focus are emergent technology, secrets management, application secrets management, as well as just, well, general secrets management too. In this session we'll talk a little bit about CyberArk as a solution, as well as the company: why we exist, when we began to exist, and what this whole hubbub is about, privileged access security.

Now, we'll start with a quote, and the quote is a little bit old, but I like it. It's an oldie but a goodie. Back in 2012, Robert Mueller, back when he was the director of the FBI, and regardless of how you feel about him today, uttered a quote that we all use all the time, but I'll submit to you that we only use half of that quote. I'll paraphrase, because I'm not going to be all weird and turn around and look at it: there are two types of companies, those who have been hacked and those that will be. And then we cut it off, because that feels really good; that feels like a good, complete thought. But the other half I think is even more powerful: the ones that have been compromised, and those that will be compromised again. And every single security vendor is going to tell you, well, here's the reason why that is. So I admit that I'm a little bit biased, but myself as well as CyberArk believe that these breaches are caused primarily by those delicious, creamy, nougaty, crispity, crunchity privileged accounts that are in every single environment: domain admin, local admin, UID zero accounts, those built-in accounts on mainframes and industrial control systems, and even on things like Coca-Cola Freestyle machines, those little things you put in, you mix your beverage at the movie theater. They have privileged accounts too. They all do, and attackers look for them, because let's face it, breaches aren't happening because of least privilege.

This was the reason that CyberArk came into being: to provide some sort of vault for you to store these privileged accounts. It actually started as just a vault, right, put stuff in this secure location. It wasn't until a couple of years later that we realized everybody was just storing passwords. Then it clicked, eureka, let's move forward with this. Now, if you've not heard of CyberArk before, we've been in business since 1999. Since then we've amassed over 4,200 customers all over the globe. This includes 50 percent of the Fortune 100 and 50 percent of the Fortune 500 too, that are gracious enough to trust us with the keys to their proverbial kingdom. By the way, there are only so many metaphors you can use for privileged accounts, so you're gonna hear a couple of them; please don't get mad at me for using them again and again. But in any case, they trust us with these. Now, in terms of the verticals we support, it's all over the place: of course your highly regulated industries like banking, power (I'll tell some stories about utilities in a little bit that kind of harken back to Superman 3), but also retailers, large credit card companies, airlines, transportation. They've all got privileged accounts.

Now, today is about you, so I will be very brief on the next two slides, but I can't not say it. Naturally there exist great minds outside of this room and outside of the folks watching on the web that serve in an independent analyst function, and I'm glad to say they agree with our assessment that privilege is important. We've been ranked by folks like Forrester as kind of top right, in both the ability to execute as well as vision, and this year was the inaugural Gartner PAM Magic Quadrant, where we were also ranked as a leader. But enough about Gartner, because today is your day.

So let's start at the basics. Now, I know a lot of you in the room and a lot of you watching have security backgrounds; some of this is gonna sound like, "I know this, Brandon, I know," but let's establish a baseline. Let's look at your traditional breach; we're gonna use this as a way to expand how the threat surface looks today. Let's start with a pretty straightforward breach, and with my favorite source of public user information, good ol' LinkedIn. So we've got a bad guy hanging out on LinkedIn, learning everything there is to know about their target: what they support, oh my gosh, they like animal welfare and puppies (because who doesn't like puppies), they've worked for these companies, they went to these schools, here are their connections. So many breaches start with that initial infiltration through phishing. If you send me a link to a funny cat video, even being in security, and some would say a security professional, I'll still click it. I can't not click it; it could be the best cute, funny cat video ever. So the user is phished. Now, I'll talk a little bit about local administrative rights in further sessions, but man, if that user has local admin rights on their laptop, life has now become so much easier from a threat actor's perspective. By using those local administrative rights, or finding someone else who has them, we're able to start the process of escalation. In this case, by the way, this was actually a live breach that we looked at. In this case an executive user was compromised; they had local admin rights. We were able to then dump hashes, and happened to find the hash of the help desk user who had assisted that executive user before, right? Kerberos-based authentication leaves behind hashes. I'll talk about mitigation for that later, but now the attacker can start the process of lateral movement. By leveraging that help desk user's hash, they're able to connect to, say, a server in the environment. Dumping the hashes on that server means we can continue to rinse and repeat until we've got something really delicious: a domain administrative account. Once domain admin pops, we're like a kid in a candy store: full access, irreversible network takeover is possible here, and of course the exfiltration event occurs. Now, Golden Ticket of course is an incredibly popular Kerberos-based attack method, but we used pass-the-hash to get there. There are also other types of attacks as well that I'll talk about more when I talk about CyberArk Labs in a little bit. But at this point our attacker, having compromised the environment, is now able to profit, just like happy Scrooge McDuck swimming around in his coins, which, by the way, his neck would like to be broken. It doesn't work; you can't swim around in coins. OK, that's how it operates.

Now, if you put that into a fancy marketing-looking graphic, it looks like this, right? Once we breach the perimeter, whether we're dealing with an external compromise or an internal compromise, the goal is to rinse and repeat, kind of like a privileged washing machine. Now, CyberArk understands the importance of having a strong network perimeter. I know a lot of folks in the room have networking backgrounds; that doesn't change. But once you get in, we've got to assume that compromise is possible. The other thing that in my kind of breach flow we assumed was that this was primarily an Active Directory-driven environment, that we were running Windows. It's not always the case. Attackers are more connected than ever; we as people are more connected than ever, which means the threat surface is increasing. I'll talk a little bit about the cloud threat surface too, but also things you wouldn't necessarily think about, like publicly facing programmable logic controllers in industrial control systems. Things that can control the amount of water sanitizer that goes into municipal water supplies are externally facing; you can hit them over the public internet. Yes, it takes work to get there, potentially, but many of them use built-in administrative accounts. I'll talk a little bit more about this later, but there was a POC at Georgia Tech (I'm from Atlanta) where they were actually able to install ransomware on a specific type of PLC to slowly increase the amount of sanitizer in the water until the ransom was paid. It's right out of Superman 3. So privilege is all over the place. Our goal with CyberArk... yes?

Question from the room: Are you suggesting that you're seeing more and more SCADA systems directly accessible from the internet, and not air-gapped or indirect?

OK, so it's not that there are more; it's simply that more are being uncovered. So using tools like, for instance, Shodan (that's a quick one), we're seeing more and more cases where areas we thought were air-gapped aren't. And it's not because engineers are malicious or the security team didn't have enough information; it's simply because the systems have been around so long that the access simply kind of crept up. But now we've got this project and this thing to clean up that was inherited maybe from four or five teams back. So our goal is to break that chain. Now, everyone will tell you we get as close to 100% as possible, but no security vendor is infallible. My goal, CyberArk's goal, is to make the process of lateral movement as caustic as possible for an attacker. It has to be acidic. The goal is for folks to turn around, to give up, potentially target something else, and to do that without making our users just hate the level of security we put into play. I'll talk more about that approach in a little bit.

Now, when we take this idea and translate it into actual stuff that you can install, the portfolio looks a little bit like this. We organize things into what we call the core, and then the elements of a phase 2, phase 3 add-on, other things that other companies might not have. But these three elements in the core, the things we'll be seeing first, are what every single one of our customers will deploy in their phase one. That is a secure vault for storing, discovering, and rotating passwords (I'll talk more about rotation logic in future sessions); giving humans access to it, making sure those humans are strongly authenticating, so integrating with things like multi-factor. Now, when a user's there, they have access to their stuff. It also is about using the accounts that are stored with them. Yeah, you can check out passwords all day, but I prefer connecting users directly, isolating their systems from the targets they're connecting to, so all those nasty memory scrapers, keystroke loggers, and stuff that you might not have control of on the endpoint don't gain access to those very privileged accounts, while monitoring everything that's happening, so actually creating an audit trail, which is a beautiful thing. Now we've got all these secrets, we're doing all this access, but what about analytics? Well, I've got all this good information; why not apply analytics to it, to where I can notify of super weird anomalies on the most powerful accounts? We should do that, but also take action: I'm already rotating passwords, and if I detect a pass-the-hash attack, one of the best ways to mitigate that is just rotate. That's all there is to it. We should be able to do that automatically, and we do. So these are the three elements of the core: vault and rotation; session isolation and monitoring; and strong and actionable analytics on top, primarily for humans.

But the attack surface isn't human anymore, right? The robots are uprising. I'll talk more about that in a bit. So also removing hard-coded secrets from applications, from scripts, from configuration files called password.py that you'll see in a further session, and doing that for traditional applications, think J2EE, WebSphere, WebLogic, Tomcat, but also more ephemeral applications too, right? There's the concept of Jenkins, the DevOps butler; these processes exist ephemerally, and they must have secrets management that can also exist in that state. So applications are something that we touch, and something that is near and dear to my heart personally. This also extends to endpoint privilege management; the attack starts right here. You saw how local administrative rights were used maliciously; why not allow companies to remove those without completely shattering the earth beneath our IT processes? By the way, I said earth-shattering: there was an earthquake in the southeast today. I leave for like five minutes and then the world falls down, so I'm hoping that all my patio furniture is standing up. But we don't want to quake the earth out from under these processes, so we want to be very economical with endpoint controls. Then finally, ten years ago everything was on-prem, right? We had our data centers; everything was happy. But since then the focus has moved to infrastructure and platform as a service, so for CyberArk we couldn't stick with that on-prem story; you have to be able to deploy all or some of the solution inside of AWS, Azure, GCP. Now, admittedly, most of our customers are going in at a hybrid approach, but they've got some powerful stuff that exists on-prem and some stuff that exists in the cloud, so making sure that we can distribute out there is key for us, and you'll see that a little bit when we talk more about the architecture of the platform.

Security doesn't happen in a vacuum, though. CyberArk is really good, I think, at rotating passwords; it's like our thing, you know, we've been doing it for a while. But not so good at multi-factor. I don't do vulnerability scanning. Robotic process automation I can help with, but again, I can help. So one of the things that we've built over the past couple of years is something we call the C3 Alliance. That is an alliance of, at this point, almost a hundred certified partners out there. When I say certified, I mean that we do this together, so for instance CyberArk and Duo for multi-factor: if you have a problem, contact either of us. It's not "oh, go talk to them, it's probably their fault." So security solutions, multi-factor, scanning solutions, coming together to provide a cohesive way forward. Now, one of the things that I can't be adamant enough about here is that these integrations weren't built just by CyberArk and Aqua kind of hanging out and having coffee and ice cream one day (do people eat coffee and ice cream? In any case, having coffee and ice cream, whatever you choose to eat with your coffee, together). It was driven by our customers, by our prospects, by you challenging us to become better. Now, if you look into CyberArk and you don't see something we integrate with, the best thing you can do is just ask: "Hey CyberArk, hey vendor, why aren't you working together?" Chances are we just didn't think about it, or no one had asked us before. So for those of you who are watching and maybe talking with CyberArk or looking at CyberArk, please ask us, be vocal; it's very important. Same with you in the room.

Now, making the product and selling the product and then deploying it is one thing, but it's also massively important to research the environment, to understand some of the more emerging threats coming through. There's a division of CyberArk R&D that we've called CyberArk Labs. You'll find that our naming conventions at CyberArk are typically very functional, which is OK. But CyberArk Labs' goal is twofold: number one, to ensure that our solution is secure; number two, to make sure we're locating additional threat vectors out there. You can find all of our research on our blog as well as cyberark.com. The other element of that is that many tools we release are being open-sourced today. I'll talk more about community in a little bit, but github.com/cyberark is a spot where you can find a number of tools available, the most recent being zBang (or, for the Israelis, "zeh bang"), which looks at a number of Active Directory-level compromises and mitigations.

So you've got to be able to have research, but you've also got to have a plan. There are tons of privileged accounts at every organization, and while many folks will come to us because they have an idea of what they want to manage, once they have achieved step one, well, then what do you do? Where do we go next? Well, that's a good question. So over the years CyberArk has developed what we call a hygiene program. I know what you're thinking: hygiene kind of makes you think of brushing your teeth and flossing your teeth. I promise this is good hygiene: the seven steps that every one of our successful customers has taken, from starting with eliminating irreversible network takeover (right, preventing that state where you either have to (a) assume you've been compromised forever or (b) just burn everything and rebuild), to handling well-known infrastructure accounts, to limiting the movement of attackers internally, but also to doing things like managing SSH keys. My background is as a UNIX application owner. My company managed the root account; I kept whistling and moving forward exactly as I would have before, because I happened to have the root SSH key. You can rotate... I know it's not good to have a root SSH key; I didn't say I was a good person. I've changed, I got better. But you can rotate the root account all day; the SSH key is outside of that. It's like locking that door but leaving that door wide open. So we want to make sure, if we've got SSH keys, we're managing them; to securing SaaS-based applications; to infrastructure as a service (I'll talk more about that later); as well as making sure we're handling the non-humans as part of that process. Now, our customers might not do every one of these. They may not even have DevOps; they may not have a cloud offering or cloud infrastructure. But it's the future; it's how the growth can occur.

Finally, when it comes to development, there are three things we've been focusing on over the past couple of years. The first being simplicity. I know that sounds kind of silly, everybody's focusing on simplicity, but we're modifying users' everyday work, and we're dealing with some of the most technical users in the biz. If I change their workflow negatively by plus or minus 5%, I go from happy, productive users to people who are lying on the floor rolling around telling me that they are literally going to die because the controls are too great. I can tell you that I personally have threatened a member of a previous security team that if they continued down that path, they would have a group of people outside their office with torches and pitchforks threatening to set their desks on fire. Using security solutions should not be difficult for our good users; it should be difficult for the bad guys. So you'll see some of that simplicity today, as well as making sure that we're handling the emerging cloud as well as DevOps adoption. It has to happen. A lot of times we see shadow IT going on where our developers are building all these processes and security is over here looking in the window wondering what's going on, so we want to make sure those are coming together. And finally, analytics, because I have so much good information it would be negligent for me to not take action on the information that I have stored.

Finally, this innovation is just part of our DNA. It's us from way back in 2003, when we rotated our very first credential, to 2007, when we put out our first application secrets management. Our customers, prospects, partners, affiliates: you challenged us to become better, and it's because of this that we make sure to reinvest a large portion of our income back into research and development. We started as an incredibly technical company, and that is simply not going to change. Thank you all.
Info
Channel: Tech Field Day
Views: 12,066
Rating: 4.7777777 out of 5
Keywords: Tech Field Day, TFD, Security Field Day, XFD, XFD1, CyberArk, Priviledged Access Management, Passwords, Hashes, Reuse
Id: 7GcnLnficLM
Length: 19min 44sec (1184 seconds)
Published: Wed Dec 12 2018