CyberArk Privileged Threat Analytics


KuppingerCole Report
EXECUTIVE VIEW
by Martin Kuppinger, August 2014

CyberArk Privileged Threat Analytics
by Martin Kuppinger, mk@kuppingercole.com
August 2014

KuppingerCole Executive View: CyberArk Privileged Threat Analytics (PTA)
Report No.: 70859

Content
1 Introduction
2 Product Description
3 Strengths and Challenges
4 Copyright

Related Research
Leadership Compass: Privilege Management - 70960
Advisory Note: Information Security Predictions and Recommendations 2014 - 71299
Advisory Note: Privilege Management - 70736
Product Report: CyberArk Privileged Identity Management Suite (PIM) - 70257

1 Introduction

In some form, Privilege Management (PxM) already existed in early mainframe environments: those early multi-user systems included some means to audit and control administrative and shared accounts. Still, until relatively recently, those technologies were mostly unknown outside of IT departments.

However, the ongoing trends in the IT industry have gradually shifted the focus of information security from perimeter protection towards defense against insider threats. Just as company networks become more open, incorporating multiple interconnected locations, the very notion of a network perimeter is gradually disappearing. Traditional perimeter security systems such as firewalls are no longer effective against targeted attacks, and privileged accounts are the primary targets for attackers. Stolen administrator credentials have been the cause of many recent high-profile security breaches (including the famed Edward Snowden case). Compromised technical accounts for network devices enable attackers to conduct cyber espionage undetected for months. A compromised Programmable Logic Controller (PLC) device could lead to sabotage of an industrial process or even to an industrial disaster.

It is therefore not surprising that PxM solutions have grown from a niche market into a mandatory component of any enterprise security infrastructure. Many vendors now offer integrated solutions for automated discovery of privileged accounts, storing and managing privileged account credentials in a secured vault, and monitoring of privileged access to servers, databases and network devices. Some vendors go further and implement real-time analytics to detect and/or prevent malicious activities. For a detailed overview of the leading PxM vendors, you can refer to the KuppingerCole Leadership Compass on Privilege Management [1].

CyberArk, a leading vendor in the PxM market, has released a major update to their behavioral analytics solution that specifically focuses on analyzing abnormal and potentially malicious use of privileged accounts. CyberArk Privileged Threat Analytics provides a complete view of privileged credential and account use, with forensic capabilities, covering devices within as well as outside of the company's Privileged Account Security Solution management. Immediately actionable threat alerts enable incident response teams to respond directly to an attack. The product integrates with leading Security Information and Event Management (SIEM) solutions and can operate independently as a standalone offering, or as part of the larger CyberArk solution. This integration allows customers to extend their SIEM investment by feeding actionable insights back into the SIEM solution.

CyberArk Privileged Threat Analytics delivers advanced behavioral analytics capabilities, based on patented algorithms, which detect anomalies when they occur. This is done by comparing the historical patterns of privileged access with the current behavior and use of privileged accounts.

While there are other, broad security analytics solutions on the market, such as SIEM and the upcoming, more advanced Real-time Security Intelligence [2] solutions, having a specialized offering for behavioral analytics that returns targeted data on privileged account usage provides visibility these other approaches do not.

[1] Leadership Compass: Privilege Management (#70,960)
[2] Advisory Note: Real-Time Security Intelligence (#71,033)

2 Product Description

CyberArk Privileged Threat Analytics is a streamlined product that provides a dashboard interface to deliver insight into potential risks related to privileged account use. There is little to configure when it comes to the analytical algorithms.

One strength of the product is that CyberArk Privileged Threat Analytics is a targeted offering that is ready to use. Instead of spending significant time and money on configuring a SIEM solution, the product is optimized for the specific use case of analyzing the behavior of privileged account usage.

Out-of-the-box integration of data feeds from major SIEM products enables CyberArk Privileged Threat Analytics customers to discover, analyze and monitor behavior beyond what is detectable using data feeds directly from CyberArk technology. For example, if an administrator tries to access a server, firewall or other endpoint directly without going through the privileged access workflow, the vault itself has no record of that session; CyberArk Privileged Threat Analytics can still identify the access and raise an alert from the data feeds provided by the SIEM solution.

By understanding privileged account behavior on systems such as servers, databases, etc., CyberArk Privileged Threat Analytics is able to identify malicious activity directly on the device itself. For example, a server may be bombarded with attempts to take over the privileged account during an advanced attack. CyberArk Privileged Threat Analytics will detect abnormal privileged account behavior on that server and will immediately alert IT security personnel of the anomaly.

The product also has the ability to understand the relationship between shared accounts and individual users. A significant portion of privileged accounts are shared accounts, so analyzing the account's behavior alone is not sufficient; it requires understanding the behavior of each individual user who is accessing the shared account. CyberArk's core competency is managing and controlling privileged account usage, which provides the individual accountability required to achieve true user behavior analytics, including the ability to protect, detect and respond to advanced threats that target these critical accounts.

Another important feature of the product is the real-time analytics capability that provides targeted data, rather than trying to 'boil the ocean' the way general security analytics tools work. Privileged account usage is continuously analyzed. Once there is a mismatch between the historical usage patterns and the current behavior, events and alarms are generated. In contrast to purely forensic analysis, this helps customers to reduce the window of opportunity for attackers. Given the potentially severe impact of abuse of privileged accounts and the role these accounts play in insider attacks and advanced threats, early detection of privilege anomalies or suspicious activity related to privileged accounts and immediate reaction is mandatory.

The product includes forensics capabilities, which deliver visibility and insight into privileged account behaviors. Customers can query on anomalies, view baseline behavior models, and benchmark risk levels across the entire privileged account ecosystem within their organization. Administrators can also drill down into individual privileged account profiles for insight into normal behavior and activities. Insight into normal conditions helps expedite event resolution when there are abnormal conditions (i.e. anomalous privileged account activities).
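The two detection scenarios described in this section (a login that reaches a target without passing through the privileged access workflow, and a server bombarded with takeover attempts on a privileged account), together with the history-versus-current-behavior comparison at the heart of the product, can be sketched as a small correlation script. The block below is an added example written for this page; it is not CyberArk code and does not reproduce PTA's patented algorithms. The sshd log format, the vault session export layout (user, account, target, start, end), the learned baseline set and all sample lines are constructed assumptions.

```python
"""Privileged-access checks over constructed sample data. Added illustration for
this report, not CyberArk code; it does not reproduce PTA's algorithms. The sshd
log format, the vault session layout and the baseline set are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vault session records: (user, shared account, target, start, end).
VAULT_SESSIONS = [
    ("alice", "root", "db01", "2014-08-04T09:00:00", "2014-08-04T09:30:00"),
    ("bob", "root", "web01", "2014-08-04T10:00:00", "2014-08-04T10:15:00"),
]
# Constructed (host, account, source) tuples observed during a learning period;
# the product learns this itself, here fixed data stands in for history.
KNOWN_SOURCES = {("db01", "root", "10.0.5.20"), ("web01", "root", "10.0.5.21")}
# Constructed sshd-style lines as a SIEM might forward them. Not real logs.
AUTH_LOG = """\
2014-08-04T09:05:12 db01 sshd[1203]: Accepted publickey for root from 10.0.5.20 port 51022 ssh2
2014-08-04T10:03:40 web01 sshd[2210]: Accepted publickey for root from 10.0.5.21 port 40311 ssh2
2014-08-04T11:42:07 web01 sshd[2290]: Accepted password for root from 10.0.9.77 port 40320 ssh2
2014-08-04T13:00:01 db01 sshd[3001]: Failed password for root from 203.0.113.9 port 50001 ssh2
2014-08-04T13:00:02 db01 sshd[3002]: Failed password for root from 203.0.113.9 port 50002 ssh2
2014-08-04T13:00:03 db01 sshd[3003]: Failed password for root from 203.0.113.9 port 50003 ssh2
2014-08-04T13:00:04 db01 sshd[3004]: Failed password for root from 203.0.113.9 port 50004 ssh2
2014-08-04T13:00:05 db01 sshd[3005]: Failed password for root from 203.0.113.9 port 50005 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<account>\S+) from (?P<src>\S+) port \d+"
)

def parse_auth_log(lines):
    """Turn sshd lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_bypass_logins(events, sessions=VAULT_SESSIONS):
    """Successful privileged logins not covered by a brokered vault session for
    the same account and target: access that skipped the privileged workflow,
    which vault-side data alone cannot show."""
    windows = defaultdict(list)
    for _user, account, target, start, end in sessions:
        windows[(account, target)].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end)))
    bypass = []
    for ev in events:
        if ev["result"] != "Accepted":
            continue
        if not any(s <= ev["ts"] <= e
                   for s, e in windows.get((ev["account"], ev["host"]), [])):
            bypass.append((ev["host"], ev["account"], ev["src"]))
    return bypass

def find_failed_bursts(events, window=timedelta(seconds=60), threshold=5):
    """(host, account, source) triples with >= threshold failed logins inside a
    sliding time window: the 'server bombarded with takeover attempts' case."""
    stamps_by_key = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failed":
            stamps_by_key[(ev["host"], ev["account"], ev["src"])].append(ev["ts"])
    bursts = []
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(key)
                break
    return bursts

def find_new_sources(events, known=KNOWN_SOURCES):
    """Successful logins from a (host, account, source) combination absent from
    the learned baseline: the simplest history-versus-current-behavior check."""
    new = []
    for ev in events:
        key = (ev["host"], ev["account"], ev["src"])
        if ev["result"] == "Accepted" and key not in known and key not in new:
            new.append(key)
    return new

def report(lines=AUTH_LOG):
    """Run all three checks and return the findings keyed by check name."""
    events = parse_auth_log(lines)
    return {"bypass": find_bypass_logins(events),
            "bursts": find_failed_bursts(events),
            "new_sources": find_new_sources(events)}

if __name__ == "__main__":
    for check, hits in report().items():
        print(check, hits)
```

On the sample data the password login to web01 from 10.0.9.77 is reported twice, once as a bypass of the vault workflow and once as a never-seen source, while the five failed root logins against db01 within five seconds trip the burst check. The last check also shows the false-positive mode discussed later in this section: the first maintenance window run from a jump host that is not in the baseline lands in new_sources, and the only remedy is for an analyst to confirm it and add the triple to the known set, which is the manual handling this report describes in place of pre-configuration.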

Because the solution is built on learned behavioral patterns rather than pre-defined rules, customers don't have much insight into the algorithms used, nor access to detailed configuration. This is primarily due to the fact that the approach differs from common SIEM solutions with their rule-based approach to analytics. CyberArk Privileged Threat Analytics, in contrast, relies on pattern-based analysis of anomalies and a self-learning approach. Self-learning in fact means that the results will become better over time, with a risk of more false positives at the beginning. This is particularly true for use patterns of privileged accounts that occur only over long time intervals. Common scenarios are maintenance windows, year-end activities, or infrequent updates of systems. These frequently are related to increased use of privileged accounts and might be considered an anomaly on the first few occurrences. Unfortunately, CyberArk Privileged Threat Analytics lacks the ability to "pre-configure" such activities. On the other hand, when these situations are known (which they would need to be for pre-configuration anyway), customers can also easily identify the related results as false positives.

Another challenge might be imposed by the fact that CyberArk Privileged Threat Analytics is a very specific tool for one use case within the broader area of threat analytics. There needs to be skilled personnel for analyzing the events and responding appropriately. Where there already is a Security Operations Center (SOC) in place, CyberArk Privileged Threat Analytics becomes yet one more tool to use, which might cause resistance. CyberArk addresses this by providing integrations to SIEM solutions.

In addition to the dashboards provided by CyberArk Privileged Threat Analytics, data and alerts can be integrated with an organization's existing SIEM solution. In that scenario, CyberArk Privileged Threat Analytics acts as a sort of pre-processor to the SIEM tool.

3 Strengths and Challenges

Overall, CyberArk Privileged Threat Analytics appears to be a well thought-out solution focused on solving a major deficiency in most security strategies: understanding anomalies in the use of privileged accounts and thus increasing the ability to identify and respond quickly to attacks. There is good value in using such a solution, either stand-alone or in combination with existing SIEM tools or more advanced Real-time Security Intelligence solutions.

CyberArk Privileged Threat Analytics provides a simple, intuitive user interface and well thought-out dashboards for that analysis. It is easy to use and results are easy to understand. The required skill level is far below that required for SIEM tools. Additionally, there is integration to existing SIEM tools, allowing CyberArk Privileged Threat Analytics to run as a value add to such tools, increasing insight and quality of results and thus helping mitigate security risks.

One challenge is the lack of managed services for supporting customers in analyzing the events and setting up remediation for these. However, there might be Managed Security Services Providers (MSSPs) in the future that provide such a service.

The second challenge is by design. The algorithms in use and the self-learning, minimal-configuration approach also mean that the tool can't be informed upfront about planned anomalies.

As mentioned above, customers should be able to understand the events caused by such planned anomalies anyway, so this is easy to handle.

Overall, we strongly recommend evaluating CyberArk Privileged Threat Analytics both in the context of existing CyberArk deployments and in the context of SOC infrastructures. The tool furthermore might be an entry point into more advanced Privilege Management solutions, by starting with analysis of events first.

Strengths
- Focused solution for identification of privileged account related threats
- Efficient dashboards
- Low configuration due to analytical approach and self-learning
- Interfaces to existing SIEM solutions

Challenges
- No managed services for analysis and remediation
- No pre-configuration of planned anomalies

4 Copyright

© 2014 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice.

The Future of Information Security – Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eID cards, Cloud Security and Management, and Virtualization.

For further information, please contact clients@kuppingercole.com

Kuppinger Cole Ltd.
Am Schloßpark 129
65203 Wiesbaden
Germany
Phone +49 (211) 23 70 77 – 0
Fax +49 (211) 23 70 77 – 11
www.kuppingercole.com
