
Page 1

"Welcome to the world PROactive Cybersecurity"

© 2018 Avecto Inc. avecto.com

Peter Schaudeck, Senior Manager, Partner Sales Central & Eastern Europe

March 14th 2018, RISK Conference Lasko

Page 2

© 2017 Avecto avecto.com

This PDF version is slightly different from the version shown during the RISK conference.

• Slide animations have been cleaned up and adjusted for better visibility.

• Some extra slides have been added for a better understanding of the context.

Page 3

Similarities?

Page 4

The "TV5 affair"!

Page 5

The "Facebook" dilemma!

Page 6

“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”

Kevin Mitnick, former FBI Most Wanted hacker

Page 7

The Avecto paradigm

PROactively stopping cyberattacks without stopping user productivity

Page 8

PROactive versus detection-based endpoint security

PROactive (multilayered approach):
• Mitigating attack vectors
• "Time to attack" doesn't matter
• Malware patterns don't matter

Detection-based:
• It's always a race against time
• Patterns constantly change
• Even "next-gen" solutions often fail

Page 9

“The common misconception is that a user with local admin rights can do little harm and that administrative actions taken at the endpoint are isolated to the endpoint itself. Neither assertion is true.”

Gartner, Inc., “Reduce Access to Windows Local Administrator with Endpoint Privilege Management,” Lori Robinson, October 20, 2017

Page 10

Magic Question #1

"What can you do with local admin rights, and how can you do harm?"

Page 11

A local admin user has the keys to the kingdom... and beyond!

Page 12

What can they do with the keys to the kingdom? Top 10 secrets of an admin user

1. Change registry keys: navigate around GPO and central management and its policies
2. Take control of system services: disable and interfere with other security products such as anti-virus and firewall
3. Take ownership of files and folders: you can own any file on the system, period: privileges always beat permissions
4. Manage certificates for the local machine: a rogue root certificate enables phishing and man-in-the-middle attacks
5. Use port scanning and traffic capture tools: capturing network traffic opens the possibility of finding a vulnerability
6. Go from Admin to System: create scheduled tasks that run as System; applications can be set to run bypassing UAC, and processes can be run as System
7. Install and uninstall any application or patch: leave the environment open to vulnerabilities
8. Cover tracks: delete application, system and security event logs
9. Manage and create your own users: create as many admins as needed
10. Access any part of the OS: set 'traps' for users with higher privilege, such as Domain Admins, for privilege escalation attacks
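Most of the actions in this list leave a Windows Security-log event behind, which is what a detection engineer has to work from on endpoints where admin rights have not been removed yet. The following Python is an added example, not Avecto or Defendpoint code: it maps the well-known Security event IDs (4657 registry value modified, 4697 service installed, 4670 object permissions changed, 4698 scheduled task created, 1102 audit log cleared, 4720 user created, 4732 member added to a local group) onto the list items above and raises the severity for the two cases the slide singles out, a new member of BUILTIN\Administrators and a task registered to run as SYSTEM. The event records are constructed test data; their field names follow the Security log's EventData element names.

```python
"""Detection for the admin abuses in the "Top 10" list, over Windows Security-log
events. Added example, not Avecto/Defendpoint code. The records in SAMPLE_EVENTS
are constructed; field names follow the Security log's EventData element names."""
from collections import Counter

# Security-log event IDs mapped to the list item they are evidence of.
ADMIN_ABUSE_EVENTS = {
    4657: ("1. Change registry keys", "registry value modified"),
    4697: ("2. Take control of system services", "service installed"),
    4670: ("3. Take ownership of files and folders", "object permissions changed"),
    4698: ("6. Go from Admin to System", "scheduled task created"),
    1102: ("8. Cover tracks", "security audit log cleared"),
    4720: ("9. Manage and create your own users", "user account created"),
    4732: ("9. Manage and create your own users", "member added to a local group"),
}
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
LOCAL_SYSTEM_SID = "S-1-5-18"                 # well-known SID of NT AUTHORITY\SYSTEM


def classify(event):
    """Return an alert for an event that matches the list, or None otherwise.

    Two edge cases are promoted to high severity: a 4732 whose target group is
    BUILTIN\\Administrators (a new admin, item 9) and a 4698 whose task XML
    names LocalSystem as principal (admin -> SYSTEM, item 6). Clearing the
    Security log (1102) is always high: it is the cover-your-tracks step."""
    event_id = event.get("EventID")
    if event_id not in ADMIN_ABUSE_EVENTS:
        return None
    item, detail = ADMIN_ABUSE_EVENTS[event_id]
    severity = "medium"
    if event_id == 4732 and event.get("TargetSid") == BUILTIN_ADMINISTRATORS_SID:
        severity = "high"
        detail = f"{event.get('MemberName', '?')} added to BUILTIN\\Administrators"
    elif event_id == 4698 and LOCAL_SYSTEM_SID in event.get("TaskContent", ""):
        severity = "high"
        detail = f"scheduled task {event.get('TaskName', '?')} runs as SYSTEM"
    elif event_id == 1102:
        severity = "high"
    return {
        "item": item,
        "severity": severity,
        "detail": detail,
        "actor": event.get("SubjectUserName", "?"),
        "host": event.get("Computer", "?"),
    }


def scan(events):
    """Run classify() over an event stream and keep the hits."""
    return [alert for alert in map(classify, events) if alert is not None]


def alerts_per_actor(alerts):
    """Count alerts by the account that performed the action."""
    return Counter(alert["actor"] for alert in alerts)


# Constructed sample: one interactive admin session on WS-042 walks through
# several list items; the 4624 logon at the top is noise the scan ignores.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-042", "TargetUserName": "jdoe"},
    {"EventID": 4720, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup2"},
    {"EventID": 4732, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "MemberName": "WS-042\\svc_backup2", "TargetUserName": "Administrators",
     "TargetSid": BUILTIN_ADMINISTRATORS_SID},
    {"EventID": 4698, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Updater",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId>"
                    "<RunLevel>HighestAvailable</RunLevel></Principal></Principals>"
                    "<Actions><Exec><Command>C:\\Users\\Public\\u.exe</Command>"
                    "</Exec></Actions></Task>"},
    {"EventID": 4657, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender",
     "ObjectValueName": "DisableAntiSpyware"},
    {"EventID": 4697, "Computer": "WS-042", "SubjectUserName": "jdoe",
     "ServiceName": "svchelper", "ServiceFileName": "C:\\Users\\Public\\svchelper.exe"},
    {"EventID": 1102, "Computer": "WS-042", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_EVENTS)
    for alert in alerts:
        print(f"[{alert['severity']:6}] {alert['host']} {alert['actor']}: "
              f"{alert['item']} ({alert['detail']})")
    print(alerts_per_actor(alerts))
```

The point of the per-actor count is the one the slide makes: a single admin session produces a burst of these events, so the account, not the individual event, is the unit a responder should triage. Item 4 (certificate store changes) has no dedicated Security event and is deliberately absent from the mapping.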

Page 13

"Local admin rights" are one of the key attack vectors abused by a large variety of cyberattacks.

Page 14

"Remove local admin rights, remove threats, achieve least privilege"

Return the keys to the kingdom...

Page 15

Magic Question #2

"What will happen when you remove local admin rights and switch to a standard user context?"

Page 16

What can't they do, and what can they still do, without the keys to the kingdom? Examples. Key challenge: working in standard user mode.

Users CAN'T:
• do even basic things any longer, like changing the date and time or changing network settings
• simply install a program; even a simple printer driver installation becomes cumbersome
• ignore User Account Control (UAC) for any small system change or installation; it will constantly prompt them

Users still CAN:
• install certain programs such as Firefox or Chrome in the local user directory, despite a fully hardened, company-wide established Internet browser
• install cloud storage tools or portable apps in their local directory, such as Dropbox, OneDrive or BitTorrent, also from a USB stick
• trigger "unwanted" execution of document-based attacks inside trusted or whitelisted applications

Page 17

"Remove local admin rights, remove threats, achieve least privilege"

Return the keys to the kingdom...

AND

"Control your applications and system processes"

Page 18

Industry and analyst advice

Implementing these 4 strategies mitigates at least 85% of cyber threats:

1 Application whitelisting
2 Reducing admin users
3 OS patching
4 Application patching

Page 19

Industry advice: NSA (US National Security Agency)

Page 20

Magic Question #3

"Why are attackers still winning?"

Page 21

Why are the attackers winning? [Chart: security compromises versus how "locked & well managed" the endpoints are; axis ticks 20%, 60%, 100%]


Page 27

Why are the attackers winning? [Chart: security compromises versus how "locked & well managed" the endpoints are; axis ticks 20%, 60%, 100%]

What users and the business need:
• Users require freedom & a consumer-like experience
• System stability and uptime are the most important factors
• User productivity and efficiency must be maintained
• Users need the flexibility to run new & undefined applications
• Users need to configure their endpoints & install software

What security needs:
• Enforce strong security configuration & controls
• Ensure applications & operating systems are fully patched
• Protect vulnerable applications and high-risk activities
• Stop unknown & unapproved applications from running
• Remove local administrative rights to achieve least privilege

Page 28

Magic Question #4

"How can Avecto help you manage this dilemma...?"

Page 29

The impossible compromise: the endpoint security paradox

Security versus user experience. Objective = balance both.

"Underlocked": all users are given admin rights
• Giving admin rights is professional negligence: security is weakened and the threat is always escalating
• Support costs for local admin users increase

"Overlocked": all users are locked down to a standard user account
• Without admin rights users can't do their job and desktops are difficult to manage
• Poor user experience leads to privilege creep
• Support costs for standard users increase


Page 34

The PROactive Defendpoint approach (DATA at the centre)

• Zero admins: eliminate admin rights, achieve least privilege
• Pragmatic whitelisting: whitelist trusted apps and block malware
• Enhanced security: protect trusted apps (e.g. protect MS Office or Adobe Reader from embedded malware)
• Actionable intelligence: insight and analysis to make informed decisions

ASSIGN PRIVILEGE TO APPS, TASKS & SCRIPTS, but never to users

Quickstart Policy

Page 35

User interaction / exception handling: without Avecto Defendpoint

Page 36

User interaction / exception handling: with Avecto Defendpoint


Page 41

"QuickStart Policy" and exception handling / user interaction. Out of the box: how it works

1 Business apps: auto approval, seamless elevation
2 Operating system: auto approval, confirm execution
3 Third-party signed apps: reason + re-authentication
4 Unsigned / untrusted apps: helpdesk request, challenge / response

Every prompt carries corporate branding and a tailored message.

• Admin rights can be removed immediately
• Policies can be targeted at different user groups, with powerful filtering options
• User experience can be customised
• Policies can be refined over time
• User behaviour is captured

Quickstart Policy
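The four tiers on this slide, together with the standard-user case from Page 16 (portable apps and installers launched from the user's own profile), amount to one decision rule, which the Python below models so the ordering of the checks can be read off. It is an added example, not Avecto or Defendpoint code: the publisher names, the directories treated as user-writable, the rule order and the HMAC-based challenge/response scheme are assumptions made for illustration; Defendpoint's own rule model and its challenge/response algorithm are not described on these slides.

```python
"""Model of the four-tier elevation workflow on the QuickStart slide, plus the
standard-user case from the "what users still CAN do" slide. Added example, not
Avecto/Defendpoint code: the rule set, the path classes, the publisher names and
the HMAC-based challenge/response are this example's own assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class App:
    path: str
    publisher: Optional[str]       # Authenticode signer subject, None if unsigned
    signature_valid: bool = True   # False models a signature that no longer verifies
    wants_elevation: bool = False  # True when the app asks for admin rights (UAC)


# Assumed policy inputs. "Contoso Ltd" is a placeholder business-app signer.
BUSINESS_PUBLISHERS = {"Contoso Ltd"}
OS_PUBLISHER = "Microsoft Windows"
WINDOWS_DIR = "c:\\windows\\"
ADMIN_ONLY_DIRS = (WINDOWS_DIR, "c:\\program files\\", "c:\\program files (x86)\\")


def is_user_writable(path: str) -> bool:
    """Anything outside the admin-only install locations counts as user-writable
    (profile, %TEMP%, removable media): where portable apps and droppers land."""
    return not path.lower().startswith(ADMIN_ONLY_DIRS)


def decide(app: App) -> Tuple[int, str]:
    """Return (tier, action). Tiers follow the slide: 1 auto-approve business
    apps, 2 confirm OS components, 3 reason + re-authentication for third-party
    signed apps, 4 helpdesk challenge/response for unsigned or untrusted code."""
    # A signature that does not verify is treated as no signature at all.
    signer = app.publisher if app.signature_valid else None

    if not app.wants_elevation:
        # Standard-user execution: privileges never attach to the user, so only
        # unsigned code launched from a user-writable path needs gating.
        if signer is None and is_user_writable(app.path):
            return 4, "challenge_response"
        return 0, "run_as_standard_user"

    if signer in BUSINESS_PUBLISHERS:
        return 1, "auto_elevate"
    if signer == OS_PUBLISHER and app.path.lower().startswith(WINDOWS_DIR):
        return 2, "confirm_execution"
    if signer is not None:
        return 3, "reason_and_reauthenticate"
    return 4, "challenge_response"


# Tier 4 challenge/response, as one possible design: the endpoint shows a short
# challenge, the helpdesk derives the response with a key it shares with the
# endpoint (HMAC-SHA256, bound to the host name), and the endpoint verifies it.
def issue_challenge() -> str:
    return secrets.token_hex(4).upper()


def helpdesk_response(shared_key: bytes, host: str, challenge: str) -> str:
    mac = hmac.new(shared_key, f"{host}:{challenge}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8].upper()


def verify_response(shared_key: bytes, host: str, challenge: str, response: str) -> bool:
    expected = helpdesk_response(shared_key, host, challenge)
    return hmac.compare_digest(expected, response.strip().upper())


# Constructed sample requests from one workstation.
SAMPLE_APPS = [
    App("C:\\Program Files\\Contoso\\erp.exe", "Contoso Ltd", wants_elevation=True),
    App("C:\\Windows\\System32\\mmc.exe", "Microsoft Windows", wants_elevation=True),
    App("C:\\Program Files\\Vendor\\tool.exe", "Vendor Inc", wants_elevation=True),
    App("C:\\Users\\jdoe\\Downloads\\setup.exe", None, wants_elevation=True),
    App("C:\\Users\\jdoe\\Downloads\\setup.exe", "Vendor Inc",
        signature_valid=False, wants_elevation=True),
    App("C:\\Users\\jdoe\\AppData\\Local\\PortableApps\\client.exe", None),
    App("C:\\Program Files\\Office\\word.exe", "Microsoft Corporation"),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(decide(app), app.path)
    key = secrets.token_bytes(32)
    challenge = issue_challenge()
    print(challenge, verify_response(key, "WS-042", challenge,
                                     helpdesk_response(key, "WS-042", challenge)))
```

Two details carry the security point. A signed file whose signature fails to verify drops to tier 4 rather than tier 3, so tampering with a third-party installer does not buy a softer prompt; and the response is bound to the host name, so a code the helpdesk issued for one machine cannot be replayed on another.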

Page 42

Architecture: Management & Deployment, Part 1 (the agent)

• Windows & Mac agent

Most Valuable Partner

Page 43

Architecture: Management & Deployment, Part 2 (the Policy Management Platform)

• Windows & Mac agent
• Defendpoint ePO Edition: client deployment, policy management, built-in auditing & reporting
• Azure-hosted edition (Windows Azure): policy management, built-in auditing & reporting
• Defendpoint Group Policy Edition: policy management

Most Valuable Partner

Page 44

Architecture: Management & Deployment, Part 3 (the Enterprise Reporting Platform)

• Windows & Mac agent
• Defendpoint ePO Edition: client deployment, policy management, built-in auditing & reporting
• Azure-hosted edition (Windows Azure): policy management, built-in auditing & reporting
• Defendpoint Group Policy Edition: policy management
• Enterprise Reporting: centralized auditing | reporting dashboards | actionable intelligence

Most Valuable Partner

Page 45

McAfee Security Innovation Alliance Partner of the Year 2017

• End-to-end management via McAfee ePolicy Orchestrator®
• Technology integration with McAfee Threat Intelligence Exchange (TIE/DXL)
• 4 million licenses deployed globally with ePO
• Fully integrated security solution

Page 46

About Avecto, and why we win

• UK/Manchester based, founded 2008, still privately owned and fast growing
• 100% channel focussed
• PROactive (not detection-based) cybersecurity engine with a multilayered approach (PM, AC, TAP, Insights)
• Great customer names and use cases

Success factors:
• Our approach, our story: once understood and tested by our customers, they go for it!
• Customer Journey: a structured methodology that leads to greater success
• Quick Start implementation program: "Starts simple, stays simple"
• Highly scalable (no limit in terms of company size)

Page 47

Proven track record: successful global deployments

• Over 1,000 successful implementations
• 8 million licences deployed globally
• Project rollouts of up to 454,000 users

Page 48

Interested to hear more?

Please join Andrej Kreuth from ADD Slovenia tomorrow at 12.25 (Gala Hall) for the ADD/Avecto customer success story: a technical point of view.

Page 49

Magic Question #5

"How does Avecto PROactively mitigate attack vectors, and how is it different from many other detection-based solutions?"


Page 52

Attack vector mitigation

Known malware: anti-malware. Known exploits: patching.

Least Privilege mitigates:
• Replacing OS files (starting/stopping services)
• Exposing networks to malware (DDoS)
• System-wide config changes
• Installing unauthorized / unlicensed software
• Manipulating user accounts & passwords (PtH attacks)
• Disabling/uninstalling security software/policies
• Data leakage
• Installing malware (e.g. rootkits)

Application Whitelisting mitigates:
• Social engineering email/installs
• Infected content on external media
• APTs/exploit kits dropping files to disk (payloads)
• Unknown user-installed apps (portable)

Trusted Application Protection mitigates:
• Document-based attacks (macros, active script)
• Theft of corporate data (IPR)
• Zero-day browser/app exploits

Page 53

Magic Question #6

"How does all of that fit into the world?"

Page 54

Privileged Access Management... and why buy it? A redefined market space

• “Buyers continue to show strong appetite for PAM solutions, driven by fear of breaches and the significant role privileged user accounts and credentials play in such incidents.

• Another significant market driver is the need to address a wide variety of regulatory and industry mandates, as well as expanding audit requirements, which prescribe controls over privileged users, accounts and credentials.”

Page 55

Privileged Access Management: what is it now?

• Vaulting of privileged credentials
• Session management and access control
• Session recording
• Removal of privileged accounts
• Granular management and elevation of individual tasks

Removal of privileged accounts + granular elevation of individual tasks = PEDM

Page 56

Managing privileged passwords: PASM (Privileged Account and Session Management)

• PASM tools monitor and record privileged activity on the systems
• Grant access to privileged user accounts via a password vault
• Control access to individual accounts with always-on privileges
• Allow the sysadmin to request access to a specific server
• The password vault grants access to the user using a temporary admin account and attempts to record the sysadmin's activities
• The admin account is then revoked and the session recording is logged

Page 57

Managing privileged passwords: PASM (Privileged Account and Session Management)

• Basic level of control
• Limited security benefits
• Focused on data centre projects, not the desktop
• Control is all or nothing: full admin privileges or nothing at all
• Issuing even temporary admin privileges poses the same level of risk as a full admin account

Regulation now calls for even greater control: the security bar has been raised!

Page 58

Delegating privileged actions: PEDM (Privilege Elevation and Delegation Management)

• A more robust and granular approach to user privileges
• Remove admin rights completely and allow all users to operate under the security of a standard user account
• PEDM elevates individual commands but does not grant access to an unrestricted privileged session
• Admin rights are assigned only to commands, tasks, applications or scripts
• Ensures the number of admin accounts is dramatically reduced or eliminated
• 94% of critical Microsoft vulnerabilities mitigated
• 90% of critical vulnerabilities in the Windows Server OS mitigated
• Superuser privilege management is now classed as PEDM by Gartner

Page 59

Where to start? Back to Gartner...

“Start with PEDM if predominantly Windows based, already have high trust 2FA authentication and allow admins to use accounts with domain admin privileges. These organizations should eliminate usage of accounts with domain admin privileges except for very specific and extreme situations – elevate privileges from regular user accounts.”

Page 60

Benefits of a PEDM-first approach

• Immediate realization of benefits
• Remove admin rights completely
• Proactive approach to security, not 'react after the fact'
• Remove the greatest risk first, across all desktops
• Create solid foundations
• Mitigate 94% of critical vulnerabilities

Page 61

Complementing an existing PASM solution

• Reduce the onboarding process and operational workflow (80/20)
• Reduce the attack surface by removing admin rights
• Reduce noise by auditing and vaulting only high-risk events
• Proactive approach to security: block and alert on red-flag activity
• Greater visibility to audit what goes on beneath the surface
• Compliance requirements for least privilege and third-party access control

Page 62

PASM and PEDM can be complementary: key differentiators

                                                  PASM   PEDM
Reduces admin rights?                              No     Yes
On-demand elevation?                               No     Yes
Proactive approach?                                No     Yes
Elevation of individual commands?                  No     Yes
Vaulting technology?                               Yes    No
Control of router passwords / shared passwords?    Yes    No
Secure single sign-on?                             Yes    No
Session recording?                                 Yes    No

Page 63

Magic Question #7

"How does Prince William fit in this story?"

Page 64

Let's go back to the beginning...

Cassian Ewert, Senior Technology Consultant, Avecto Ltd.

Just in front of this Main Hall

Page 65

Management Summary

1. Why Avecto?
2. What are we doing?
3. How are we doing it?

Page 66

Management Summary

Smart & fundamental security | Mitigate attack vectors | Proactively stop cyberattacks | Increase user productivity

Why Avecto?
• Operational efficiency: significantly reduces IT cost (e.g. reduces the number of helpdesk tickets)
• Pragmatic and simple-to-manage "whitelisting", even for the largest organisation (e.g. ½ man-day for Bank of America)
• Patching + whitelisting + removing admin rights mitigates >85% of all security risks (94% of Microsoft vulnerabilities)
• Helps customers meet compliance regulations, as recommended by NSA, GDPR, SANS, Gartner...
• PROactively prevents many cyberattacks, e.g. ransomware, espionage, insider threats, social engineering, etc.
• Efficient implementation with Quickstart Policies: "works in hours, not months", "starts simple, stays simple"

What does Avecto do?
• Removes admin rights completely across the entire business, for ALL endpoints and even servers
• Privileges are granted to individual applications, tasks and scripts, never to users
• "Remove privileges, prevent breaches and attacks" without hindering productivity or impacting system resources
• Ensures a positive user experience with customized messaging, seamless elevation and flexible prompts
• Analysis and informed decisions with Defendpoint "Insights"; integrates e.g. with SIEM, Service Desk, etc.

How is Avecto doing it?
• Superior policy and agent architecture
• Multi-policy distribution framework (AD/GPE, ePO, iC3)
• Never outdated, always protected, even offline (no exceptions, e.g. temporary admin rights)
• Extremely safe and patented anti-tamper protection: protects the solution and its settings
• Widest feature set, granular policy settings, highly adaptive to many customer use cases
• Highly secure and efficient due to the integrated multilayered architecture (PM, AC, TAP, Insights)

Page 67

Thank you... multumesc (Romanian), hvala (Slovenian)