"Welcome to the world of PROactive Cybersecurity"
© 2018 Avecto Inc. avecto.com
Peter Schaudeck, Senior Manager, Partner Sales, Central & Eastern Europe
March 14th 2018, RISK Conference Lasko
© 2017 Avecto avecto.com

This PDF version differs slightly from the version shown during the RISK conference:
• Slide animations were cleaned up and adjusted for better visibility.
• Some extra slides have been added for a better understanding of the context.
Similarities?

The "TV5 affair"!

The "Facebook" dilemma!
“Companies spend millions of dollars on firewalls, encryption, and secure access devices and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.”
Kevin Mitnick, former FBI Most Wanted hacker
The Avecto paradigm
PROactively stopping cyberattacks without stopping user productivity
PROactive versus Detection-based Endpoint Security

PROactive (multilayered approach):
• Mitigating attack vectors
• "Time to attack" doesn't matter
• Malware pattern doesn't matter

Detection-based:
• It's always a race against time
• Patterns constantly change
• Even "next-gen" solutions often fail
"The common misconception is that a user with local admin rights can do little harm and that administrative actions taken at the endpoint are isolated to the endpoint itself. Neither assertion is true."
Gartner, Inc., "Reduce Access to Windows Local Administrator with Endpoint Privilege Management," Lori Robinson, October 20, 2017
Magic Question #1
"What can you do with local admin rights, and how can you do harm?"

A local admin user has the keys to the kingdom... and beyond!
What can they do with the keys to the kingdom? Top 10 secrets of an admin user

1. Change registry keys: navigate around GPO and central management policies.
2. Take control of system services: disable and interfere with other security products such as anti-virus and firewall.
3. Take ownership of files and folders: you can own any file on the system, period; privileges always beat permissions (the take-ownership privilege held by administrators overrides the file's ACL).
4. Manage certificates for the local machine: a trusted root certificate planted here enables phishing and man-in-the-middle attacks against TLS.
5. Use port-scanning tools: capturing network traffic opens up the possibility of finding a vulnerability.
6. Go from Admin to SYSTEM: create scheduled tasks that run as SYSTEM; applications can be set to run bypassing UAC; processes can be run as SYSTEM.
7. Install and uninstall any application or patch: leaves the environment open to vulnerabilities.
8. Cover tracks: delete the application, system and security event logs.
9. Manage and create your own users: create multiple admins as needed.
10. Access any part of the OS: set "traps" for users with higher privilege, such as Domain Admins, for privilege escalation attacks.
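Several items on the list above leave a trace in the Windows Security log: creating a user (event 4720), adding it to a local group (4732), creating a scheduled task (4698), installing a service (4697), changing audit policy (4719) and clearing the log itself (1102). The following detection logic is an added example for this page, not code from the Avecto slides or from Defendpoint; it assumes events arrive as dicts already parsed from the Security log (as a SIEM forwarder would deliver them), that the field names follow the log's XML (EventID, SubjectUserName, TargetSid), that a simplified TaskPrincipal field stands in for the task XML carried by the real 4698 event, and the sample events at the bottom are constructed.

```python
"""Added example (not Avecto code): flag Security-log events that evidence the
local-admin abuses listed on the slide, and raise severity when they show a move
towards the kingdom's keys (Administrators membership, SYSTEM, audit tampering)."""

from collections import defaultdict

# Windows Security-log event IDs and the list item each one evidences.
RULES = {
    4720: "item 9: local user account created",
    4732: "item 9: member added to a security-enabled local group",
    4698: "item 6: scheduled task created",
    4697: "item 2/6: service installed on the system",
    4719: "item 8: system audit policy changed",
    1102: "item 8: the audit log was cleared",
}

BUILTIN_ADMINS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}


def classify(event):
    """Return (severity, reason) for one parsed event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid not in RULES:
        return None
    reason = RULES[eid]
    severity = "medium"
    if eid == 4732 and event.get("TargetSid") == BUILTIN_ADMINS_SID:
        severity, reason = "high", reason + " (Administrators group)"
    elif eid == 4698 and event.get("TaskPrincipal", "").upper() in SYSTEM_PRINCIPALS:
        severity, reason = "high", reason + ", running as SYSTEM (admin to SYSTEM)"
    elif eid in (1102, 4719):
        severity = "high"   # covering tracks: always worth an analyst's attention
    return severity, reason


def detect(events):
    """Classify every event; return the findings and a per-subject hit count.

    Several hits by one subject on one host in a short window (account created,
    added to Administrators, SYSTEM task, log cleared) is the chain to look for.
    """
    findings = []
    per_subject = defaultdict(int)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        severity, reason = hit
        subject = ev.get("SubjectUserName", "?")
        per_subject[subject] += 1
        findings.append({
            "host": ev.get("Computer"), "EventID": ev["EventID"],
            "subject": subject, "severity": severity, "reason": reason,
        })
    return findings, dict(per_subject)


# Constructed sample: one interactive logon followed by the classic abuse chain.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "SubjectUserName": "jdoe"},
    {"EventID": 4720, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetUserName": "svc_backup"},
    {"EventID": 4732, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TargetSid": BUILTIN_ADMINS_SID, "MemberName": "WS01\\svc_backup"},
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TaskName": "\\Updater", "TaskPrincipal": "SYSTEM"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    found, counts = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']} {f['EventID']} {f['subject']} [{f['severity']}] {f['reason']}")
    print("hits per subject:", counts)
```

The logon event is ignored and the four remaining events are reported, three of them at high severity; the per-subject count is what a correlation rule would threshold on. Note the caveat built into item 8: once the log is cleared, only a copy already forwarded off the host still shows the earlier events, which is why the forwarder, not the endpoint, has to be the source for this check.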
"Local admin rights" is one of the key attack vectors abused by a large variety of cyberattacks.

"Remove local admin rights, remove threats, achieve least privilege"
Return the keys to the kingdom...
Magic Question #2
"What will happen when you remove local admin rights and switch to a standard user context?"
What can't they do, and what can they still do, without the keys to the kingdom? Examples
Key challenge: working in standard user mode

Users CAN'T:
• do even basic things any longer, like changing the date and time or changing network settings
• simply install a program; even a simple printer driver installation becomes cumbersome
• ignore User Account Control (UAC) for any small system change or installation; it will constantly prompt them

Users still CAN:
• install certain programs such as Firefox or Chrome in the local user directory, despite a fully hardened, company-wide standard Internet browser
• install cloud storage tools or portable apps in their local directory, such as Dropbox, OneDrive or BitTorrent, also from a USB stick
• trigger "unwanted" execution of document-based attacks inside trusted or whitelisted applications
"Remove local admin rights, remove threats, achieve least privilege"
Return the keys to the kingdom...

AND

"Control your applications and system processes"
Industry and analyst advice

Implementing these 4 strategies mitigates a minimum of 85% of cyber threats:
1. Application whitelisting
2. Reducing admin users
3. OS patching
4. Application patching

NSA (US National Security Agency) industry advice
Magic Question #3
"Why are attackers still winning?"
Why are the attackers winning? Security compromises
[Chart: number of security compromises plotted against how "locked & well managed" endpoints are; axis ticks 20%, 60%, 100%]

What security needs:
• Enforce strong security configuration & controls
• Ensure applications & operating systems are fully patched
• Protect vulnerable applications and high-risk activities
• Stop unknown & unapproved applications from running
• Remove local administrative rights to achieve least privilege

What users need:
• Users require freedom & a consumer-like experience
• System stability and uptime are the most important factors
• User productivity and efficiency must be maintained
• Users need the flexibility to run new & undefined applications
• Users need to configure their endpoints & install software
Magic Question #4
"How can Avecto help you manage this dilemma...?"
The impossible compromise: the endpoint security paradox
Objective = balance security and user experience

"Underlocked": all users given admin rights
• Giving admin rights is professional negligence; security is weakened and the threat is always escalating
• Support costs for local admin users increase

"Overlocked": all users locked down to a standard user account
• Without admin rights users can't do their job and desktops are difficult to manage
• Poor user experience leads to privilege creep
• Support costs for standard users increase
The PROactive Defendpoint approach (with DATA at the centre)
• Zero admins: eliminate admin rights, achieve least privilege
• Pragmatic whitelisting: whitelist trusted apps and block malware; ASSIGN PRIVILEGE TO APPS, TASKS & SCRIPTS, but never to users
• Enhanced security: protect trusted apps (e.g. protect MS Office or Adobe Reader from embedded malware)
• Actionable intelligence: insight and analysis to make informed decisions
• Quickstart Policy
User interaction / exception handling: without Avecto Defendpoint

User interaction / exception handling: with Avecto Defendpoint
"QuickStart Policy" and exception handling / user interaction
Out of the box: how it works

1. Business apps: auto-approval, allowing seamless elevation
2. Operating system: auto-approval, user confirms execution (corporate branding, tailored message)
3. 3rd-party signed apps: user gives a reason and re-authenticates (corporate branding, tailored message)
4. Unsigned / untrusted apps: helpdesk request via challenge/response (corporate branding, tailored message)

Quickstart Policy:
• Admin rights can be removed immediately
• Policies can be targeted at different user groups, with powerful filtering options
• User experience can be customised
• Policies can be refined over time
• User behaviour is captured
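The four tiers above are an ordered trust decision on the application, not on the user, and the fourth tier needs a way for a helpdesk that never touches the endpoint to approve one specific run. The model below is an added example for this page; it is not Avecto code and does not reproduce Defendpoint's real policy format or its challenge/response algorithm. Everything in it is this example's own assumption: an App record carrying the publisher name, a flag for a verified Authenticode signature and the file's SHA-256; the two publisher allow-lists; a challenge/response built from an HMAC over a shared secret, bound to the file hash and the requesting user so a code cannot be replayed for another binary; and the constructed secret and sample apps.

```python
"""Added example (not Avecto code): an ordered four-tier elevation policy of the
QuickStart kind plus an offline helpdesk challenge/response for the untrusted tier."""

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    path: str
    publisher: str       # subject name from the signing certificate, "" if unsigned
    signature_ok: bool   # True only if the OS verified the Authenticode chain
    sha256: str          # hex digest of the file on disk


BUSINESS_PUBLISHERS = {"Contoso Ltd"}          # tier 1: business apps (assumed list)
OS_PUBLISHERS = {"Microsoft Windows"}          # tier 2: operating-system components


def decide(app):
    """Return (tier, action). Rules run from most to least trusted; an unverified
    signature never counts, so a spoofed publisher on an unsigned file lands in tier 4."""
    if app.signature_ok and app.publisher in BUSINESS_PUBLISHERS:
        return 1, "auto-approve, seamless elevation"
    if app.signature_ok and app.publisher in OS_PUBLISHERS:
        return 2, "auto-approve, confirm execution"
    if app.signature_ok:
        return 3, "3rd-party signed: reason required, re-authenticate"
    return 4, "unsigned/untrusted: helpdesk request, challenge/response"


# ---- tier 4: offline challenge/response (this example's own scheme) ----

def make_challenge(app):
    """Endpoint side: short code the user reads to the helpdesk. The random nonce
    stops reuse; the hash prefix ties the challenge to this exact binary."""
    return f"{secrets.token_hex(3)}-{app.sha256[:8]}"


def make_response(shared_secret, challenge, user):
    """Helpdesk side: 6-digit response from the shared secret, the challenge and
    the user; the helpdesk never needs access to the endpoint."""
    mac = hmac.new(shared_secret, f"{challenge}|{user}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big") % 1_000_000


def verify_response(shared_secret, challenge, user, code):
    """Endpoint side: recompute and compare in constant time."""
    expected = f"{make_response(shared_secret, challenge, user):06d}"
    return hmac.compare_digest(expected, f"{int(code):06d}")


def elevate(app, user, shared_secret, helpdesk_code=None, challenge=None):
    """Full flow: tiers 1-3 are decided locally; tier 4 needs a valid helpdesk code."""
    tier, action = decide(app)
    if tier < 4:
        return True, action
    if helpdesk_code is None or challenge is None:
        return False, action
    ok = verify_response(shared_secret, challenge, user, helpdesk_code)
    return ok, action + (" (code accepted)" if ok else " (code rejected)")


# Constructed sample data; a real secret would live in the policy, not in code.
SHARED_SECRET = b"example-helpdesk-secret"
CRM = App(r"C:\Program Files\Contoso\crm.exe", "Contoso Ltd", True, "a1" * 32)
SPOOFED = App(r"C:\Users\jdoe\Downloads\crm.exe", "Contoso Ltd", False, "b2" * 32)
TOOL = App(r"C:\Users\jdoe\Downloads\tool.exe", "", False, "c3" * 32)

if __name__ == "__main__":
    print(decide(CRM), decide(SPOOFED))
    ch = make_challenge(TOOL)
    code = make_response(SHARED_SECRET, ch, "jdoe")        # helpdesk reads this back
    print(elevate(TOOL, "jdoe", SHARED_SECRET, code, ch))
    print(elevate(TOOL, "jdoe", SHARED_SECRET, (code + 1) % 1_000_000, ch))
```

The SPOOFED app carries the business publisher's name but no verified signature, so it falls through to tier 4 rather than being elevated seamlessly; the rule order is what makes the policy safe, and every decision and helpdesk code outcome is the kind of record the "user behaviour captured" bullet refers to.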
Architecture: management & deployment

Part 1 (the agent): Windows & Mac agent

Part 2 (the policy management platform):
• Defendpoint ePO Edition: client deployment, policy management, built-in auditing & reporting
• Windows Azure hosted: policy management, built-in auditing & reporting
• Defendpoint Group Policy Edition: policy management

Part 3 (the Enterprise Reporting platform): Enterprise Reporting: centralized auditing | reporting dashboards | actionable intelligence

Most Valuable Partner: McAfee Security Innovation Alliance Partner of the Year 2017
• End-to-end management via McAfee ePolicy Orchestrator®
• Technology integration with McAfee Threat Intelligence Exchange (TIE/DXL)
• 4 million licenses deployed globally with ePO
• Fully integrated security solution
About Avecto and why we win
• UK/Manchester based, founded 2008, still privately owned and fast growing
• 100% channel focused
• PROactive (not detection-based) cybersecurity engine with a multilayered approach (PM, AC, TAP, insights)
• Great customer names and use cases

Success factors:
• Our approach, our story: once understood and tested by our customers, they go for it!
• Customer journey: a structured methodology that leads to greater success
• Quick Start implementation program: "starts simple, stays simple"
• Highly scalable (no limit in terms of company size)

Proven track record: successful global deployments
• Over 1000 successful implementations
• 8 million licences deployed globally
• Project rollouts of up to 454,000 users
Interested to hear more?
Please join Andrej Kreuth from ADD Slovenia tomorrow at 12:25 (Gala Hall) for the ADD/Avecto customer success story: a technical point of view.
Magic Question #5
"How does Avecto PROactively mitigate attack vectors, and how is it different from many other detection-based solutions?"
Attack vector mitigation
[Figure: a matrix of attack vectors against the controls that mitigate them. Columns: Patching and Anti-malware (covering known malware and known exploits), Application Whitelisting, Least Privilege, Trusted Application Protection.]

Attack vectors in the Least Privilege block:
• Replace OS files (start/stop services)
• Expose networks to malware (DDoS)
• System-wide config changes
• Install unauthorized / unlicensed software
• Manipulate user accounts & passwords (pass-the-hash attacks)
• Disable/uninstall security software/policies
• Data leakage
• Install malware (e.g. rootkits)

Attack vectors in the Application Whitelisting block:
• Social engineering email/installs
• Infected content on external media
• APTs / exploit kits dropping files to disk (payloads)
• Unknown user-installed apps (portable)

Attack vectors in the Trusted Application Protection block:
• Document-based attacks (macros, active script)
• Theft of corporate data (IPR)
• Zero-day browser/app exploits
Magic Question #6
"How does all of that fit into the world?"
Privileged Access Management... and why buy it? A redefined market space
• "Buyers continue to show strong appetite for PAM solutions, driven by fear of breaches and the significant role privileged user accounts and credentials play in such incidents.
• Another significant market driver is the need to address a wide variety of regulatory and industry mandates, as well as expanding audit requirements, which prescribe controls over privileged users, accounts and credentials."
What is it now? Privileged Access Management
• Vaulting of privileged credentials
• Session management and access control
• Session recording
= PASM
• Removal of privileged accounts
• Granular management and elevation of individual tasks
= PEDM
PASM - Privileged Account and Session Management
Managing privileged passwords
• PASM tools monitor and record privileged activity on the systems
• Grant access to privileged user accounts via a password vault
• Controls access to individual accounts with always-on privileges
• Allows the sysadmin to request access to a specific server
• The password vault grants access to the user using a temporary admin account and attempts to record the sysadmin's activities
• The admin account is then revoked and the session recording is logged
PASM - Privileged Account and Session Management
Managing privileged passwords
• Basic level of control
• Limited security benefits
• Focused on data centre projects, not desktops
• Control is all or nothing: full admin privileges or nothing at all
• Issuing even temporary admin privileges poses the same level of risk as a full admin account
Regulation now calls for even greater control: the security bar has been raised!
PEDM - Privilege Elevation and Delegation Management
Delegating privileged actions
• A more robust and granular approach to user privileges
• Remove admin rights completely and allow all users to operate under the security of a standard user account
• PEDM will elevate individual commands but not grant access to an unrestricted privileged session
• Admin rights assigned only to commands, tasks, applications or scripts
• Ensures the number of admin accounts is dramatically reduced or eliminated
• 94% of critical Microsoft vulnerabilities mitigated
• 90% of critical vulnerabilities in the Windows Server OS mitigated
• Superuser privilege management now classed as PEDM by Gartner
Where to start? Back to Gartner...
"Start with PEDM if predominantly Windows based, already have high trust 2FA authentication and allow admins to use accounts with domain admin privileges. These organizations should eliminate usage of accounts with domain admin privileges except for very specific and extreme situations: elevate privileges from regular user accounts."
Benefits of a PEDM-first approach
• Immediate realization of benefits
• Remove admin rights completely
• Proactive approach to security, not "react after the fact"
• Remove the greatest risk first across all desktops; create solid foundations
• Mitigate 94% of critical vulnerabilities
Complementing an existing PASM solution
• Reduce the onboarding process and operational workflow (80/20)
• Reduce the attack surface by removing admin rights
• Reduce noise by auditing and vaulting only high-risk events
• Proactive approach to security: block and alert on red-flag activity
• Greater visibility to audit what goes on beneath the surface
• Compliance requirements for least privilege and third-party access control
PASM and PEDM can be complementary: key differentiators

Capability                                          PASM   PEDM
Reduces admin rights?                               No     Yes
On-demand elevation?                                No     Yes
Proactive approach?                                 No     Yes
Elevation of individual commands?                   No     Yes
Vaulting technology?                                Yes    No
Control of router passwords / shared passwords?     Yes    No
Secure single sign-on?                              Yes    No
Session recording?                                  Yes    No
Magic Question #7
"How does Prince William fit in this story?"

Let's go back to the beginning...

Cassian Ewert, Senior Technology Consultant, Avecto Ltd.
Just in front of this Main Hall
Management Summary
1. Why Avecto?
2. What are we doing?
3. How are we doing it?
Management Summary
Smart & fundamental security | Mitigate attack vectors | Proactively stop cyberattacks | Increase user productivity

Why Avecto?
• Operational efficiency: significantly reduces IT cost (e.g. reduces the number of helpdesk tickets)
• Patching + whitelisting + removing admin rights mitigates >85% of all security risks (94% of Microsoft vulnerabilities)
• Helps customers meet compliance regulations, as recommended by NSA, GDPR, SANS, Gartner...
• PROactively prevents many cyberattacks, e.g. ransomware, e-espionage, insider threats, social engineering, etc.
• Efficient implementation with Quickstart Policies: "works in hours, not months", "starts simple, stays simple"

What does Avecto do?
• Removes admin rights completely across the entire business, for ALL endpoints and even servers
• Privileges are granted to individual applications, tasks and scripts, never to users
• "Remove privileges, prevent breaches and attacks" without hindering productivity or impacting system resources
• Pragmatic and simple-to-manage "whitelisting", even for the largest organisation (e.g. 1/2 man-day for Bank of America)
• Never outdated, always protected, even offline (no exceptions, e.g. temporary admin rights)
• Analyse and make informed decisions with Defendpoint "Insights"; integrate e.g. with SIEM, service desk, etc.

How is Avecto doing it?
• Superior policy and agent architecture
• Multi-policy distribution framework (AD/GPE, ePO, iC3)
• Extremely safe and patented anti-tamper protection; protects the solution and its settings
• Widest feature set, granular policy settings, highly adaptive to many customer use cases
• Highly secure and efficient due to the integrated multilayered architecture (PM, AC, TAP, insights)
• Ensures a positive user experience with customized messaging, seamless elevation and flexible prompts
Thank you... (mulțumesc, hvala)