Introduction
© 2014 by Lieberman Software Corporation. Rev 20110321a
December 2014
© 2001-2014 Lieberman Software Corp.
Brasil 2014
Thanks!
What Are Privileged Accounts?
• Root and Admin
• Service and Process
• Application-to-Application
Risks Throughout Your Network
Columns on the original slide: What Roles? / What Assets? / What Accounts? / What Anonymous Actions?

Server and Desktop Computers
• Roles: System Administrators, Contractors, Integrators, Security Administrators, IT Managers
• Accounts: Administrator, Root, Super User, Service
• Anonymous actions: read, copy and alter data; change security settings; create and delete accounts; enable and remove file shares; run programs

Directories and Application Tiers
• Roles: Security Administrators, IT Managers, App Administrators, App Developers, Webmasters, Contract Developers
• Accounts: Admin, Root, Administrator, Service, Config Files, ASP.Net Run As, DB Connection
• Anonymous actions: read, copy and alter user data; add and delete users; change user privileges; enable remote access; modify back-end applications; alter public-facing websites; read and change DB records; access transaction data

Databases
• Roles: DB Administrators, App Developers, App Administrators, Contract Developers, Integrators
• Accounts: SA, Root, SYS, SYSDBA
• Anonymous actions: read and change DB records; access transaction data; alter configuration and DB schema; add and modify stored procedures

Network, Backup, and Security Appliances
• Roles: Network Administrators, Security Administrators, System Administrators, Backup Operators, Contractors
• Accounts: Administrator, Root, Enable, Admin, Super User, Service
• Anonymous actions: alter configuration settings; alter security and QoS policies; grant and deny network access; access data feeds; enable and disable monitoring; browse and save archives; access transaction data; delete saved data; change configuration settings
Challenges / Pain
• Has your organization experienced an audit finding on privileged access?
• Having trouble managing privileged identities at scale and without causing outages?
• Do you have difficulty limiting contractor access to systems?
• Are you able to prove termination of access for previous employees who have had access to your systems?
What Are the Vulnerabilities?
• Cryptographically Weak Logins
• Stale, Common Passwords
• Unchanged Default Logins on Hardware, Applications, Appliances, Images, LOM, …
• Hard-Wired Credentials in Business Applications
• Developer Backdoors
• Vulnerable Service Account Passwords, and others…
These make the network vulnerable to insider attacks, and to external attackers who leapfrog from system to system…
Failure Will be Exposed
Privileged Accounts Drive Compliance
• Auditors focus on privileged accounts because these logins are often neglected
• Privileged accounts are the targets of many Red Team / Blue Team attacks
• Auditors for HIPAA, PCI-DSS, NERC/FERC, FISMA, NRC and others demand a solution
What PIM is Not… Identity & Access Management (IAM)
• Controls user access to computers, applications and networks
• Provisions and de-provisions users
• IAM products include Microsoft Active Directory, Tivoli Identity Manager, Oracle Access Manager, etc.
What PIM is Not… Single Sign-On (SSO)
• Allows end users to log in once and gain access to several systems or applications without being prompted to log in again repeatedly.
• SSO vendors include Microsoft, WRQ (Novell), IBM (Tivoli), Dell (NetIQ), Facebook, Google, and many more...
What PIM is Not… Privileged User Management (PUM)
• Temporarily changes a user’s privileges so that he can perform tasks that require elevated permissions.
• Generally provides controlled shell access to Linux and UNIX
• PUM vendors include Dell (NetIQ / BeyondTrust), FoxT, and others...
What PIM Is… Privileged Identity Management
• Secures admin and root accounts throughout your network
• Includes discovery, randomization, and audited retrieval of super-user and admin accounts
• PIM vendors include Lieberman Software, Cyber-Ark, Thycotic and others
How ERPM Solves PIM Issues: Comprehensive Privileged Credential Management
ERPM Automates:
• Discovery of machines, process accounts, local & fire call accounts, services and tasks – and everywhere those accounts are referenced
• Password Change Process for randomizing privileged accounts and propagating those changes everywhere the accounts are used, to avoid lockouts
• Storage of complex, random passwords in an encrypted repository
• Role Based Provisioning of password access and delegation
• Auditing of every password request, use and change
ERPM Product Overview
• Secures Windows, Linux / UNIX, mainframes, network appliances, databases, business applications, hypervisors, LOM cards, ...
• 3/n-tier architecture scales to the largest networks
• Available as a software installation or VM
(Diagram: ERPM Architecture)
Product Demo (15 Minutes)
1. Create a Management Set
• Management Sets let you organize auto-discovery, password recovery, and other settings in any way that corresponds to the physical infrastructure and personnel roles of your organization.
• Dynamic Management Sets update automatically with changes in your Directories, database queries, scanned IP address ranges, and other criteria you choose.
• Management Set Examples:
– Denver Exchange Servers
– UNIX Systems Worldwide
– Systems Managed by Ed’s Team
2. Change Passwords
• You can schedule a password change job by clicking the Change Passwords button
• You can set password complexity rules in the Password Settings tab
• You can also change passwords instantly by right-clicking systems in a list
3. Job Results
• See live results in the Active Threads Status window
• When the job is finished, view the job status summary in the Operation window
Section 2: Product Overview
What Does ERPM Manage?
• Servers
• Workstations
• Network Devices
• Storage Appliances
• Lights Out Devices
• Databases
• Directories
• Configured Applications
How Discovery Works
• Native API Discovery
– No reliance on WMI or cached information
– Custom Propagation for reliable changes
– Eliminates password change failures and disruptions caused by stale data
• Automated Dependency Analysis
– Real-time discovery before updating interdependent service accounts (including clustered services)
– Stops, changes and restarts all dependencies in the proper order to assure reliable account changes
What Account Details Can ERPM Discover?
• Password age
• Where used
• Ownership
• Account flags
• Last login
• Profile info
ERPM Management Console
Windows application for configuring:
• Data store and authentication
• Management Sets
• Auto-discovery
• Password change jobs
• Workflows and delegation
• Web application
• Compliance reporting
… and lets you explore systems and accounts
Management Sets: Logical Groups of Systems/Devices
• Organize any way that corresponds to the physical infrastructure and personnel roles of your organization
• Dynamic Management Sets update automatically with changes in Directories, database queries, scanned IP address ranges, etc.
• Management Set Examples:
– Denver Exchange Servers
– UNIX Systems Worldwide
– Systems Managed by Ed’s Team
– Systems on specific domain(s)
– Systems in AD Container(s)
Password Settings
• Password length (6-127 characters) and other constraints
• Windows Account settings
• Change Schedule and Run settings
• Propagation Settings and Scope
Password Constraints
• Characters, Numbers, Symbols
• Constrain Symbols
• Position Constraints
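The settings on the last two slides (a length between 6 and 127, required character classes, a restricted symbol set, and position rules) are easiest to reason about as a policy object that can both validate a candidate and drive generation. The Python below is an added example, not ERPM code: the option names, the allowed-symbol set and the two position rules are this example's own, chosen to illustrate the kinds of constraints listed. Generation draws from the OS CSPRNG (`secrets`) and rejects candidates until one satisfies the policy, which keeps the distribution uniform over compliant passwords.

```python
import secrets
import string


class PasswordPolicy:
    """Password constraints of the kinds the slides list: length (6-127),
    minimum count per character class, a restricted symbol set, and
    position rules. Option names are this example's own, not ERPM's."""

    def __init__(self, length=20, min_lower=1, min_upper=1, min_digits=1,
                 min_symbols=1, allowed_symbols="!#%+-_",
                 first_must_be_letter=True, last_must_not_be_symbol=True):
        if not 6 <= length <= 127:
            raise ValueError("length must be between 6 and 127 characters")
        self.length = length
        self.min_lower = min_lower
        self.min_upper = min_upper
        self.min_digits = min_digits
        self.min_symbols = min_symbols
        self.allowed_symbols = allowed_symbols          # "constrain symbols"
        self.first_must_be_letter = first_must_be_letter  # position constraints
        self.last_must_not_be_symbol = last_must_not_be_symbol

    @property
    def alphabet(self):
        """Every character a compliant password may contain."""
        return string.ascii_letters + string.digits + self.allowed_symbols

    def violations(self, password):
        """Return human-readable rule violations; an empty list means compliant."""
        problems = []
        if len(password) != self.length:
            problems.append(f"length {len(password)} != {self.length}")
        classes = {
            "lowercase": (sum(c.islower() for c in password), self.min_lower),
            "uppercase": (sum(c.isupper() for c in password), self.min_upper),
            "digits": (sum(c.isdigit() for c in password), self.min_digits),
            "symbols": (sum(c in self.allowed_symbols for c in password), self.min_symbols),
        }
        for name, (have, need) in classes.items():
            if have < need:
                problems.append(f"needs at least {need} {name}, has {have}")
        disallowed = sorted({c for c in password if c not in self.alphabet})
        if disallowed:
            problems.append("disallowed characters: " + "".join(disallowed))
        if self.first_must_be_letter and password and not password[0].isalpha():
            problems.append("first character must be a letter")
        if self.last_must_not_be_symbol and password and password[-1] in self.allowed_symbols:
            problems.append("last character must not be a symbol")
        return problems


def generate(policy, max_attempts=10_000):
    """Rejection-sample from the OS CSPRNG until a candidate satisfies the policy.
    Rejection keeps the result uniform over compliant passwords; a policy that
    can almost never be satisfied surfaces as an error instead of a hang."""
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(policy.alphabet) for _ in range(policy.length))
        if not policy.violations(candidate):
            return candidate
    raise RuntimeError("policy is too restrictive for rejection sampling")


if __name__ == "__main__":
    policy = PasswordPolicy(length=16)
    print(generate(policy))
    print(policy.violations("3Ab$" + "x" * 12))
```

A rotation job would call `generate` once per account and store the result in the encrypted repository; `violations` is also useful for auditing existing passwords against the configured policy before a change job runs.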
Password Change Jobs
• Multi-threaded for speed and resilience
• Options for multi-threading can be user configured
• Automatic retries of unsuccessful changes (network congestion, etc.)
• Changes up to 400 machines per minute
• Minimal performance impact on managed machines
Web Delegation Rules
Configures how different users and groups can interact with the web application, including:
• Password check out / check in / extension
• RDP/SSH access (no passwords disclosed)
• Approvals and workflows
• Require multi-factor
• View reports, dashboards
ERPM Data Store
• Microsoft SQL Server (provided by customer)
• Supports clustering and other High Availability options
• Options for software encryption (AES-256 or FIPS 140-2 level 1), or third-party hardware encryption modules (FIPS 140-2 levels 2 or 3)
Reference Architecture
• Data Store: MS SQL Server Cluster on Windows Server (2008 / 2012)
• Web Console: IIS 7.5 on Windows Server (2008 / 2012)
• Remote DB Cluster for Disaster Recovery
• Zone Processors (Remote and DMZ): Windows Server
Section 3: Product Details
Platform Support: Servers and Workstations
• Windows
• Linux and UNIX
• AS/400
• OS/390
• z/OS, and other mainframes that support telnet and SSH 2.0 connectivity
Platform Support: Network Devices
• CheckPoint
• Cisco IOS
• EMC
• HP ProCurve
• Foundry
• Juniper
• NetApp
• RiverBed
… others that support telnet and SSH 2.0
Platform Support: Directories
• Apache
• Apple Open Directory
• IBM Tivoli Directory
• Microsoft Active Directory
• Novell eDirectory
• Open LDAP
• Oracle Internet Directory
• Sun Java System Directory Server
• ViewDS Directory
… other LDAP compliant directories
Platform Support: Lights Out Management Cards
• Dell DRAC 3, 4, 5, 6, 6i
• Dell CMC
• HP iLO, 2, 3
… plus any IPMI compatible card
Platform Support: Databases Managed
• MSDE 2000
• MS SQL 2000-2012 Express, Standard and Enterprise (x86 and x64)
• Oracle 9i-11g Express, Personal, Standard, and Enterprise
• MySQL 4.x-6.x
• DB2 7.x-9.x Express, Workgroup Server, Enterprise
• Sybase ASE 12.x, 15.x
Platform Support: Service / Process Accounts
• Service accounts are the building blocks of a service oriented architecture platform
• Allow different software to work together to provide value-added services to end users
• Example: an email client connects to an email server, which in turn connects to SAN storage
Service and Process Accounts Challenges
• Hard-wired and misconfigured service accounts make the network vulnerable to attack
• These passwords must be regularly changed to comply with regulatory mandates
• Most organizations ignore the risks because these passwords are too difficult to change
Service and Process Accounts Challenges
• Each account can do different things in different places, so an incomplete password change can lock out the account and bring down the application, shutting off business access for end users
• Almost impossible to change manually:
– Identify everywhere the service is in use
– Stop all dependent services, in proper order
– Change the password everywhere it is referenced (“propagation”)
– Re-start all dependent services
Technology Integrations
McAfee ePO Integration
• Whenever ePO reports problems, view privileged account details and check passwords from the ePO interface
• Save IT staff hours gaining approvals and documenting access at the most critical times
Help Desk Integrations
• Allow only authorized personnel, with a need for access as determined by each trouble ticket, to log in using privileged credentials
• Update trouble ticket status based on privileged account activity
• Create new trouble tickets should ERPM report unexpected events
(Screenshot: SCSM Integration)
Help Desk Integrations (Cont’d)
• Microsoft System Center Service Manager
• HP Service Manager
• BMC Remedy
• ServiceNow
• Event Sink to integrate with most others
SIEM Integrations: Security Information and Event Management (SIEM)
• Enables SIEM to correlate security events with privileged account activity
• Eliminates a key SIEM blind spot, making privileged user actions no longer anonymous
• ERPM forwards comprehensive event data: console and password operations, Web application, file vault, scheduler activity
SIEM Integrations
• HP ArcSight
• Q1 Labs QRadar
• RSA enVision
• Splunk
• … ERPM syslog integrates virtually all others
ERPM – SAP Integration
• ERPM is the first product certified to discover and manage privileged identities in SAP
• Enables IT compliance by securing, auditing and reporting SAP access
• Automatically checks in, randomizes, and eliminates sharing of powerful SAP logins
(Screenshot: ERPM Service Catalog in NetWeaver)
ERPM – Qualys Integration
• Qualys security scanners store super-user passwords to access systems
• Integration allows QualysGuard to access credentials stored securely in ERPM to scan Windows, UNIX, Oracle, MS SQL, IBM DB2 and other resources
• Eliminates double retention of privileged passwords to save IT staff time and remove an attack surface
ERPM – Middleware Integration
• ERPM auto-discovers, randomizes, and grants secure audited check-out of highly privileged middleware accounts
• Supports Oracle WebLogic, IBM WebSphere, MS SQL Reporting Services and others
Multi-Factor Authentication
• Configurable for access to passwords, and access to the Management Console
• Out-of-the-box support for RSA SecurID, YubiKey, and other proprietary tokens
• OATH authentication using third-party tokens
• Out-of-band, Time-based One-Time Password (TOTP) authentication by email and SMS using OATH (at no additional cost)
Section 4: The ERPM Product Offering
Core Product Option
• Auto-Discovery
• Root/Admin Password Management
• Service Account Management
• Repository
• Account Elevation
• Auditing/Reports/Dashboards
• IBM Protocol Support
• DB Account Support
• MSFT Support
• Ticketing System Integration
• Multi-Factor Authentication
Disaster Recovery and High Availability
• Cluster License for High Availability and Disaster Recovery
• Zone Processors for 24/7 remote availability regardless of network issues
Session Recording
• Captures full textual metadata with each session
• Quickly search and access by metadata
• Jump Server and Agent options
Multi-Language Support
• Web Application works in 20+ languages
• Fully localized (not machine-translated) user interfaces and dashboards
• Browser auto-select or user selectable
Application Integration: Event Sinks
• Event triggering, notification and integration
• Wizard easily integrates third-party software SDK and Web Services
• Custom propagations update files and applications directly
• Can replace embedded passwords with ERPM calls
PowerShell Integration
• Full automation and programmatic orchestration of privileged identity management operations
• Allows machine control of discovery, password changes, delegation, auditing and more…
• Can be used from within MS System Center Orchestrator
Web Services Interface
• Platform-agnostic SOAP interface
• Full automation and programmatic orchestration of privileged identity management operations
• Deploy, manage and de-provision privileged accounts and file-based secrets (including X.509 and other certificates and large binary files) regardless of the physical or virtual machine where they reside
(Diagram: Web Services API)
SAP NetWeaver Integration (Optional Feature)
• First SAP Certified PIM solution
• Continuously discovers SAP accounts
• Integrates directly with the SAP NetWeaver Gateway
• Manages accounts in SAP v7.01 and newer through direct API calls
Encryption Options
Hardware Security Module (HSM)
• Supports use of external FIPS 140-2 certified encryption modules, including Thales nShield
Software-based Encryption
• Supports up to AES-256
Competitive Landscape
What Differentiates ERPM?
• Rapid, complete deployments (in days, not months)
– User installable and configurable, with no need for scripting, customization, or professional services
– Easy to upgrade and manage over time
• Superior technology
– Auto-Discovery and Correlation, Propagation
– Unsurpassed service account management
– N-tier deployment architecture
• Open standards: no proprietary technology
• Enterprise-ready for scale, scope, and complex, dynamic infrastructures
– Resilient solution: without constant IT intervention
• Comprehensive and open documentation
Our Competitive Advantages, In Order of Priority
• We win on ease and speed of deployment and ongoing low TCO. (What is the real cost?)
• In a POC we can prove that we do what we say we can do – always at the customer site, on their network
• Propagation/Service Account Management
• Auto-Discovery and Correlation
• We are the only company to have point solutions in our “toolkit” which we use to clean up customer networks prior to ERPM installation and deployment.
Features / Benefits slide (still to be developed)
• Check boxes: who has what
How to Price the Solution [Sales to provide]
Competitive Landscape vs. “Company A”
ERPM uses 100% native API calls and doesn’t rely on WMI and cached data
• Fewer password change failures
• Fewer service disruptions
Competitive Landscape vs. “Company A”
ERPM performs dynamic dependency analysis with real-time discovery before updating interdependent service accounts
• Competing solution never fully eliminates the need for a time-consuming manual change process
Competitive Landscape vs. “Company A”
ERPM is installed on industry-standard Windows Server and your choice of MS SQL or Oracle databases
• Competing solution is an appliance that’s built on a mix of open-source and proprietary software.
Competitive Landscape vs. “Company A”
ERPM security is built on trusted standards including FIPS 140-2 and AES-256
• Competitor’s security architecture uses multiple proprietary layers
• Competitor’s known software vulnerabilities are published in the NIST.gov database
Competitive Landscape vs. “Company A”
ERPM is designed for self-service and is typically deployed in large enterprises in under 3 days
• Competitor relies on professional installation and configuration services to uphold its product warranty
• With so many paid services required to maintain its products, the Competitor’s “license fee represents just one-fifth* of the typical project” costs
*Stated by competitor’s Sales VP, per “CRN UK” 11/2011
Client Case Studies
Client Case Study
Client Profile
• Credit union founded in the 1930s, with branches located throughout the U.S. and Puerto Rico and approximately 218,000 members.
Situation
• Time-consuming manual changes: 10+ hours per change, not comprehensive
• Ignored complicated service account changes
• Failing frequent financial and regulatory compliance audits
Solution
• ERPM was deployed to the client’s cross-platform enterprise.
Results
Improved Operations >> Time and Cost Savings
• Accounts secured regularly without manual intervention
• Eliminated burden of manually producing reports
Reduced Risk Profile
• Automated the discovery and securing of service accounts
Achieved Regulatory Compliance
• Demonstrated control; passed internal and external NCUA audit
Client Case Study
Client Profile
• North American subsidiary of a global consumer/commercial financial institution with a presence in key business and financial centers throughout the world.
Situation
• Urgent need to secure privileged accounts before a looming audit
• Zero impact to ongoing IT Operations
Solution
• ERPM was quickly deployed (<2 weeks) across 1100+ servers at three North American data centers
Results
Improved Operations >> Time and Cost Savings
• Deployed with minimal manual effort
• Automated account discovery keeps up with their dynamic environment
Reduced Risk Profile
• All privileged access is delegated, tracked and audited
Achieved Regulatory Compliance
• Demonstrated control; passed immediate internal audit, now “in good shape”
Questions