Transcription
Why a Zero Trust Mindset drives an Identity Centric Security Strategy
Yuval Moss - VP Identity Security

IDENTITY IS THE NEW SECURITY BATTLEGROUND
- Digital transformation
- Changing nature of privilege
- Increased threats
ATTACKERS KEEP INNOVATING
THE FUNDAMENTAL NATURE OF RANSOMWARE (CYBER-ATTACK CHAIN)
1. DELIVERY: exploit configuration gaps, access weaknesses and people
2. PROPAGATION: execute (with elevated privileges), escalate privileges, harvest credentials, perform lateral movement, disable security defences
3. ACTION ON OBJECTIVES: maximise impact, execute read/write access to data
4. DEMAND RANSOM

SOLARWINDS ATTACK CHAIN
STAGE 1: Orion software pipeline infection
STAGE 2: Target SolarWinds customers
STAGE 3: Privilege escalation to high value assets

A BRIEF SYNOPSIS
SOLARWINDS IS CONNECTED EVERYWHERE. (Diagram: Orion sits alongside the VMware, router, switch, firewall, IT, domain and SAN admin roles.)
- SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure
- Orion Software: the Orion platform is an infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environments
- Dec. 8th 2020: FireEye disclosed that it had been breached; its investigation uncovered a supply chain attack (published Dec. 13th 2020) that trojanized SolarWinds Orion software updates in order to distribute malware
- After a thorough investigation, the attack revealed itself to be part of a global intrusion campaign utilizing a supply chain attack vector
- The attack involved highly sophisticated and extremely evasive attack techniques; speculation points to a Russian nation state attack
- This campaign impacted global organizations, both public and private; however the U.S. government and its interests were the primary target, specifically the U.S. Department of Commerce, the Department of the Treasury and the U.S. Department of Homeland Security
EXCHANGE BREACH: TRUST AND IDENTITY
Vulnerabilities allow “an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access. Successful exploitation may additionally enable the attacker to compromise trust and identity.”
TECHNOLOGY CHANGES. ATTACK PATHS DON’T.
(Diagram: every entry point shown, ransomware, a remote vendor, an internal attacker, an IT …er or robot (label truncated in the source), an application, and MS Exchange zero day vulnerabilities, feeds into the same chain.)
Credential theft, lateral movement and privilege escalation, then establish persistence and execute on objective
ADOPT AN “ASSUME BREACH” MENTALITY
DON’T ASSUME IDENTITIES CAN BE TRUSTED
- Identities: IT admins, DevOps, bots / APIs, vendors, employees, customers
- Infrastructure & platforms: hybrid, multi-cloud, on-prem apps
- Apps & endpoints: endpoints & virtual desktops, cloud apps, mobile apps
- Code & automation: on-prem APIs, RPA & workflows, cloud APIs

IDENTITY IS THE ONLY COMPREHENSIVE CONTROL PLANE
ACCESS CONTROLS BASED ON CONTEXT, RISK, AND THE LEAST AMOUNT OF PRIVILEGE NEEDED
(Same identities and targets as the previous slide: IT admins, DevOps, bots / APIs, vendors, employees and customers accessing infrastructure & platforms, apps & endpoints, and code & automation.)
RISING ADOPTION OF ZERO TRUST
88% of security leaders say transitioning to Zero Trust is “important” or “very important” (CISO View 2021 Survey)
1. Verify every identity
2. Validate every device
3. Intelligently limit privileged access
Monitor, analyze, & adapt to risk

IDENTITY SECURITY DEFINITION
- Identities: admins, DevOps, apps / robots, workforce, 3rd party, customers
- Identify the user & their devices
- Just in time, just enough privilege
- Secure & monitor all access
- Record or audit
- Targets: pipelines, SaaS, IaaS / PaaS
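As an added illustration of the access-control principles above (verify the identity, validate the device, adapt to risk, grant just-in-time and just-enough privilege, audit everything), the following Python policy evaluator is hypothetical example code, not code from the deck or from CyberArk. The target names, entitlements, risk thresholds and TTL ceilings are assumed values constructed for the example.

```python
"""Zero Trust access decision for a privileged request (hypothetical example).

Each request passes four checks in order: identity assurance (MFA), device
validation, session risk, and least privilege. A successful request gets a
just-in-time grant whose lifetime is capped by the target's policy, and every
decision, allowed or not, is written to an audit log.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Assumed per-target policy: maximum grant lifetime and tolerated risk score.
TARGET_POLICY = {
    "prod-db": {"max_ttl": timedelta(minutes=30), "max_risk": 40},
    "hr-saas": {"max_ttl": timedelta(hours=4), "max_risk": 60},
}

# Assumed entitlements: the most an identity may ever be granted on a target.
ENTITLEMENTS = {
    "alice@corp.example": {"prod-db": {"read", "write"}, "hr-saas": {"read"}},
    "svc-backup": {"prod-db": {"read"}},
}

NOW = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the example
AUDIT_LOG: List[str] = []  # every decision is recorded here


@dataclass(frozen=True)
class AccessRequest:
    identity: str
    target: str
    privileges: FrozenSet[str]
    requested_ttl: timedelta
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    risk_score: int  # 0..100, supplied by an (assumed) risk engine


@dataclass(frozen=True)
class Decision:
    outcome: str  # "allow", "step_up" or "deny"
    reason: str
    expires_at: Optional[datetime] = None


def decide(req: AccessRequest, now: datetime) -> Decision:
    """Evaluate one request; the first failing check decides the outcome."""
    policy = TARGET_POLICY.get(req.target)
    allowed = ENTITLEMENTS.get(req.identity, {}).get(req.target)
    if policy is None or allowed is None:
        d = Decision("deny", "unknown target or identity has no entitlement")
    # 1. Verify every identity: no MFA, no privileged access (step-up, not deny).
    elif not req.mfa_verified:
        d = Decision("step_up", "MFA required before privileged access")
    # 2. Validate every device: only managed, compliant devices reach the target.
    elif not (req.device_managed and req.device_compliant):
        d = Decision("deny", "device is unmanaged or non-compliant")
    # 3. Adapt to risk: valid credentials on a risky session are still refused.
    elif req.risk_score > policy["max_risk"]:
        d = Decision("deny", f"risk score {req.risk_score} exceeds {policy['max_risk']}")
    # 4. Just-enough privilege: never grant more than the entitlement allows.
    elif not req.privileges <= allowed:
        excess = ",".join(sorted(req.privileges - allowed))
        d = Decision("deny", f"requested privileges exceed entitlement: {excess}")
    else:
        # Just-in-time: the grant expires at the shorter of requested and policy TTL.
        ttl = min(req.requested_ttl, policy["max_ttl"])
        d = Decision("allow", "all checks passed", expires_at=now + ttl)
    AUDIT_LOG.append(f"{now.isoformat()} {req.identity} -> {req.target} "
                     f"{sorted(req.privileges)} {d.outcome}: {d.reason}")
    return d


def sample_request(**overrides) -> AccessRequest:
    """A healthy baseline request (constructed); overrides simulate failing checks."""
    base = AccessRequest("alice@corp.example", "prod-db", frozenset({"read"}),
                         timedelta(hours=2), True, True, True, 10)
    return replace(base, **overrides)


if __name__ == "__main__":
    print(decide(sample_request(), NOW))
    print(decide(sample_request(mfa_verified=False), NOW))
    print(decide(sample_request(privileges=frozenset({"read", "admin"})), NOW))
    print(decide(sample_request(identity="svc-backup", privileges=frozenset({"write"})), NOW))
    for line in AUDIT_LOG:
        print(line)
```

The order of the checks matters: a missing second factor produces a step-up rather than a denial, while a non-compliant device or an over-broad privilege request is refused outright, and the two-hour TTL the user asked for is silently cut to the thirty minutes the target policy allows.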
IDENTIFY YOUR ATTACK PATHS AND HIGH RISK ACCOUNTS
Search “CyberArk DNA”
Search “CyberArk Cloud Entitlements Manager”
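To show what “attack paths” and “high risk accounts” mean in practice, the following Python example is added here; it is not CyberArk DNA and not code from the deck. It models the three relationships an attacker chains during credential theft and lateral movement (local admin rights, cached credentials, group membership) on a constructed sample graph, and uses breadth-first search to find the shortest path from any account to a high-value group. Host, account and group names are invented for the example.

```python
"""Attack-path discovery over a constructed identity/asset graph (hypothetical).

Edge semantics:
  AdminTo:    an identity or group is local admin on a host (can run code there)
  HasSession: an identity's credentials are cached on a host (can be harvested)
  MemberOf:   an identity belongs to a group (inherits its rights)
Controlling a host lets the attacker harvest every identity with a session on
it, so HasSession edges are traversed backwards; the other two flow forwards.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional

# Constructed sample data: (source, relation, destination).
EDGES = [
    ("helpdesk-bob", "AdminTo", "WS-101"),
    ("alice", "HasSession", "WS-101"),
    ("alice", "AdminTo", "FS-01"),
    ("svc-backup", "HasSession", "FS-01"),
    ("svc-backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "AdminTo", "DC-01"),
    ("da-carol", "HasSession", "DC-01"),
    ("da-carol", "MemberOf", "Domain Admins"),
    ("dev-dan", "AdminTo", "BUILD-01"),
]


def build_graph(edges) -> Dict[str, List[str]]:
    """Turn relationships into 'controlling A lets you control B' edges."""
    g: Dict[str, List[str]] = defaultdict(list)
    for src, rel, dst in edges:
        if rel in ("AdminTo", "MemberOf"):
            g[src].append(dst)        # admin rights and membership flow forward
        elif rel == "HasSession":
            g[dst].append(src)        # owning the host yields the cached identity
        else:
            raise ValueError(f"unknown relation {rel}")
    return g


def shortest_path(g: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """BFS from start; returns the node sequence to target or None if unreachable."""
    prev: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in g.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def rank_exposure(edges, target: str) -> Dict[str, Optional[int]]:
    """Hops from every identity to the target; fewer hops means a higher-risk account."""
    g = build_graph(edges)
    groups = {dst for _, rel, dst in edges if rel == "MemberOf"}
    identities = {src for src, _, _ in edges} - groups
    result: Dict[str, Optional[int]] = {}
    for ident in sorted(identities):
        path = shortest_path(g, ident, target)
        result[ident] = None if path is None else len(path) - 1
    return result


if __name__ == "__main__":
    graph = build_graph(EDGES)
    print(" -> ".join(shortest_path(graph, "helpdesk-bob", "Domain Admins")))
    for ident, hops in sorted(rank_exposure(EDGES, "Domain Admins").items(),
                              key=lambda kv: (kv[1] is None, kv[1])):
        print(f"{ident:14} {'unreachable' if hops is None else f'{hops} hops'}")
```

On this sample a helpdesk account with admin rights on one workstation reaches Domain Admins in eight hops purely through cached credentials and group rights, which is exactly the kind of path the slide asks you to find; the output also makes the remediation obvious (remove svc-backup’s session from FS-01, or da-carol’s from DC-01, and the chain breaks).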
BUILD YOUR IDENTITY SECURITY ROADMAP
- When implementing new technologies and considering how these are secured, do you take an assume breach approach? What would happen if an identity is hijacked, what then?
- When looking at the flow of providing access to critical assets, do you have all the controls in place to reduce this risk and ensure accountability? (e.g. adaptive MFA, entitlement/authorization management, Privileged Access Management, secrets management, session isolation and recording)
Search “CyberArk Blueprint”

THANK YOU
Yuval Moss - VP Identity Security