Lieberman


Introduction

© 2014 by Lieberman Software Corporation. Rev 20110321a


December 2014

© 2001-2014 Lieberman Software Corp.


Brasil 2014

Thanks!



What Are Privileged Accounts?
• Root and Admin
• Service and Process
• Application-to-Application



Risks Throughout Your Network

For each class of asset: what roles hold access, what accounts exist, and what anonymous (unattributable) actions those accounts permit.

Server and Desktop Computers
  Roles: System Administrators, Contractors, Integrators, Security Administrators, IT Managers
  Accounts: Administrator, Root, Super User, Service
  Anonymous actions: Read, copy and alter data; Change security settings; Create and delete accounts; Enable and remove file shares; Run programs

Directories and Application Tiers
  Roles: Security Administrators, IT Managers, App Administrators, App Developers, Webmasters, Contract Developers
  Accounts: Admin, Root, Administrator, Service, Config Files, ASP.Net, Run As, DB Connection
  Anonymous actions: Read, copy, and alter user data; Add and delete users; Change user privileges; Enable remote access; Modify back-end applications; Alter public-facing websites; Read and change DB records; Access transaction data

Databases
  Roles: DB Administrators, App Developers, App Administrators, Contract Developers, Integrators
  Accounts: SA, Root, SYS, SYSDBA
  Anonymous actions: Read and change DB records; Access transaction data; Alter configuration and DB schema; Add and modify stored procedures

Network, Backup, and Security Appliances
  Roles: Network Administrators, Security Administrators, System Administrators, Backup Operators, Contractors
  Accounts: Administrator, Root, Enable, Admin, Super User, Service
  Anonymous actions: Alter configuration settings; Alter security and QoS policies; Grant and deny network access; Access data feeds; Enable and disable monitoring; Browse and save archives; Access transaction data; Delete saved data; Change configuration settings



Challenges / Pain
• Has your organization experienced an audit finding on privileged access?
• Having trouble managing privileged identities at scale and without causing outages?
• Do you have difficulty limiting contractor access to systems?
• Are you able to prove termination of access for previous employees who have had access to your systems?


What Are the Vulnerabilities?
• Cryptographically weak logins
• Stale, common passwords
• Unchanged default logins on hardware, applications, appliances, images, LOM, …
• Hard-wired credentials in business applications
• Developer backdoors
• Vulnerable service account passwords, and others…

These make the network vulnerable to insider attacks, and to external attackers who leapfrog from system to system…


Failure Will be Exposed



Privileged Accounts Drive Compliance
• Auditors focus on privileged accounts because these logins are often neglected
• Privileged accounts are the targets of many Red Team / Blue Team attacks
• Auditors for HIPAA, PCI-DSS, NERC/FERC, FISMA, NRC and others demand a solution


What PIM is Not… Identity & Access Management (IAM)
• Controls user access to computers, applications and networks
• Provisions and de-provisions users
• IAM products include Microsoft Active Directory, Tivoli Identity Manager, Oracle Access Manager, etc.



What PIM is Not… Single Sign-On (SSO)
• Allows end users to log in once and gain access to several systems or applications without being prompted to log in again repeatedly
• SSO vendors include Microsoft, WRQ (Novell), IBM (Tivoli), Dell (NetIQ), Facebook, Google, and many more...



What PIM is Not… Privileged User Management (PUM)
• Temporarily changes a user’s privileges so that he can perform tasks that require elevated permissions
• Generally provides controlled shell access to Linux and UNIX
• PUM vendors include Dell (NetIQ / BeyondTrust), FoxT, and others...


What PIM Is… Privileged Identity Management
• Secures admin and root accounts throughout your network
• Includes discovery, randomization, and audited retrieval of super-user and admin accounts
• PIM vendors include Lieberman Software, Cyber-Ark, Thycotic and others



How ERPM Solves PIM Issues: Comprehensive Privileged Credential Management

ERPM automates:
• Discovery of machines, process accounts, local and firecall accounts, services and tasks, and everywhere those accounts are referenced
• The password change process: randomizing privileged accounts and propagating those changes everywhere the accounts are used, to avoid lockouts
• Storage of complex, random passwords in an encrypted repository
• Role-based provisioning of password access and delegation
• Auditing of every password request, use and change


ERPM Product Overview
• Secures Windows, Linux / UNIX, mainframes, network appliances, databases, business applications, hypervisors, LOM cards, ...
• 3/n-tier architecture scales to the largest networks
• Available as a software installation or VM

(Figure: ERPM Architecture)


Product Demo (15 Minutes)



1. Create a Management Set
• Management Sets let you organize auto-discovery, password recovery, and other settings in any way that corresponds to the physical infrastructure and personnel roles of your organization.
• Dynamic Management Sets update automatically with changes in your directories, database queries, scanned IP address ranges, and other criteria you choose.
• Management Set examples:
  – Denver Exchange Servers
  – UNIX Systems Worldwide
  – Systems Managed by Ed’s Team



2. Change Passwords
• You can schedule a password change job by clicking the Change Passwords button
• You can set password complexity rules in the Password Settings tab
• You can also change passwords instantly by right-clicking systems in a list



3. Job Results
• See live results in the Active Threads Status window
• When the job is finished, view the job status summary in the Operation window



Section 2: Product Overview



What Does ERPM Manage?
• Servers
• Workstations
• Network Devices
• Storage Appliances
• Lights Out Devices
• Databases
• Directories
• Configured Applications


How Discovery Works
• Native API discovery
  – No reliance on WMI or cached information
  – Custom propagation for reliable changes
  – Eliminates password change failures and disruptions caused by stale data
• Automated dependency analysis
  – Real-time discovery before updating interdependent service accounts (including clustered services)
  – Stops, changes and restarts all dependencies in the proper order to assure reliable account changes


What Account Details Can ERPM Discover?
• Password age
• Where used
• Ownership
• Account flags
• Last login
• Profile info



ERPM Management Console
Windows application for configuring:
• Data store and authentication
• Management Sets
• Auto-discovery
• Password change jobs
• Workflows and delegation
• Web application
• Compliance reporting
… and lets you explore systems and accounts


Management Sets: Logical Groups of Systems/Devices
• Organize any way that corresponds to the physical infrastructure and personnel roles of your organization
• Dynamic Management Sets update automatically with changes in directories, database queries, scanned IP address ranges, etc.
• Management Set examples:
  – Denver Exchange Servers
  – UNIX Systems Worldwide
  – Systems Managed by Ed’s Team
  – Systems on specific domain(s)
  – Systems in AD Container(s)



Password Settings
• Password length (6 to 127 characters) and other constraints
• Windows account settings
• Change schedule and run settings
• Propagation settings and scope



Password Constraints
• Characters, numbers, symbols
• Constrain symbols
• Position constraints

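As an added illustration of the constraint types on the two preceding slides (this is not ERPM's own generator; the policy keys and rule names are invented for the example), a generator and validator that enforce the 6 to 127 length bound, required character classes, a restricted symbol list and first/last position rules, drawing randomness from the OS CSPRNG:

```python
# Constructed example of password generation under a constraint set; the
# policy keys and rule names are invented for illustration, not ERPM's.
import secrets
import string

CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digit": string.digits}

# Policy mirroring the slides: length 6-127, required classes, a restricted
# symbol list, and no symbol in the first or last position.
POLICY = {"min_len": 6, "max_len": 127, "symbols": "!#%+-=_",
          "require": {"upper": 2, "lower": 2, "digit": 2, "symbol": 1},
          "no_symbol_first": True, "no_symbol_last": True}


def validate(pw, policy):
    """Return the list of violated rules; an empty list means it passes."""
    problems = []
    symbols = policy["symbols"]
    allowed = set("".join(CLASSES.values()) + symbols)
    if not policy["min_len"] <= len(pw) <= policy["max_len"]:
        problems.append("length")
    if set(pw) - allowed:
        problems.append("disallowed character")
    pools = dict(CLASSES, symbol=symbols)
    for cls, chars in pools.items():
        if policy["require"].get(cls, 0) > sum(c in chars for c in pw):
            problems.append(f"too few {cls}")
    if policy.get("no_symbol_first") and pw and pw[0] in symbols:
        problems.append("symbol in first position")
    if policy.get("no_symbol_last") and pw and pw[-1] in symbols:
        problems.append("symbol in last position")
    return problems


def generate(policy, length, attempts=1000):
    """Place the required characters, fill the rest from the full allowed
    set, shuffle with the OS CSPRNG, and keep the result only if it also
    satisfies the position rules (rejection sampling)."""
    if not policy["min_len"] <= length <= policy["max_len"]:
        raise ValueError("length outside policy bounds")
    pools = dict(CLASSES, symbol=policy["symbols"])
    need = sum(policy["require"].values())
    if need > length:
        raise ValueError("more required characters than length")
    full = "".join(pools.values())
    rng = secrets.SystemRandom()
    for _ in range(attempts):
        chars = [secrets.choice(pools[cls])
                 for cls, n in policy["require"].items() for _ in range(n)]
        chars += [secrets.choice(full) for _ in range(length - need)]
        rng.shuffle(chars)
        pw = "".join(chars)
        if not validate(pw, policy):
            return pw
    raise ValueError("policy too restrictive to satisfy")
```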


Password Change Jobs
• Multi-threaded for speed and resilience
• Options for multi-threading can be user configured
• Automatic retries of unsuccessful changes (network congestion, etc.)
• Changes up to 400 machines per minute
• Minimal performance impact on managed machines


Web Delegation Rules
Configures how different users and groups can interact with the web application, including:
• Password check out / check in / extension
• RDP/SSH access (no passwords disclosed)
• Approvals and workflows
• Require multi-factor authentication
• View reports, dashboards



ERPM Data Store
• Microsoft SQL Server (provided by customer)
• Supports clustering and other High Availability options
• Options for software encryption (AES-256 or FIPS 140-2 level 1), or third-party hardware encryption modules (FIPS 140-2 levels 2 or 3)



Reference Architecture
• Data Store: MS SQL Server cluster on Windows Server (2008 / 2012)
• Web Console: IIS 7.5 on Windows Server (2008 / 2012)
• Remote DB cluster for Disaster Recovery
• Zone Processors (remote and DMZ): Windows Server


Section 3: Product Details



Platform Support: Servers and Workstations
• Windows
• Linux and UNIX
• AS/400
• OS/390
• z/OS, and other mainframes that support telnet and SSH 2.0 connectivity



Platform Support: Network Devices
• CheckPoint
• Cisco IOS
• EMC
• HP ProCurve
• Foundry
• Juniper
• NetApp
• RiverBed
… and others that support telnet and SSH 2.0


Platform Support: Directories
• Apache
• Apple Open Directory
• IBM Tivoli Directory
• Microsoft Active Directory
• Novell eDirectory
• OpenLDAP
• Oracle Internet Directory
• Sun Java System Directory Server
• ViewDS Directory
… and other LDAP-compliant directories


Platform Support: Lights Out Management Cards
• Dell DRAC 3, 4, 5, 6, 6i
• Dell CMC
• HP iLO, iLO 2, iLO 3
… plus any IPMI-compatible card



Platform Support: Databases Managed
• MSDE 2000
• MS SQL 2000-2012 Express, Standard and Enterprise (x86 and x64)
• Oracle 9i-11g Express, Personal, Standard, and Enterprise
• MySQL 4.x-6.x
• DB2 7.x-9.x Express, Workgroup Server, Enterprise
• Sybase ASE 12.x, 15.x



Platform Support: Service / Process Accounts
• Service accounts are the building blocks of a service-oriented architecture platform
• They allow different software to work together to provide value-added services to end users
• Example: Email client -> connects to email server -> connects to SAN storage



Service and Process Accounts Challenges
• Hard-wired and misconfigured service accounts make the network vulnerable to attack
• These passwords must be regularly changed to comply with regulatory mandates
• Most organizations ignore the risks because these passwords are too difficult to change



Service and Process Accounts Challenges (Cont’d)
• Each account can do different things in different places, so an incomplete password change could lock out the account and bring down the application, shutting off business access for end users
• Almost impossible to change manually:
  – Identify everywhere the service is in use
  – Stop all dependent services, in proper order
  – Change the password everywhere it is referenced (“propagation”)
  – Restart all dependent services
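An added model of the four manual steps above, written for this deck and not taken from ERPM: it orders stops and restarts from a service dependency graph, propagates a new random password to every recorded reference, and rolls everything back when one reference cannot be updated, which is the lockout case the slide warns about. The hosts, services and reference names are constructed.

```python
# Constructed model of the "identify, stop, change, propagate, restart"
# procedure; not ERPM code. Dicts stand in for real hosts and services.
import secrets
import string
from collections import defaultdict, deque

ALPHABET = string.ascii_letters + string.digits + "!#%+-=_"


def stop_order(deps):
    """deps: service -> set of services it depends on. Returns the stop
    sequence: a service stops only after all its dependents have stopped.
    Reversed, it is the start sequence."""
    nodes = set(deps) | {d for ds in deps.values() for d in ds}
    pending = defaultdict(int)  # service -> dependents not yet stopped
    for ds in deps.values():
        for d in ds:
            pending[d] += 1
    ready = deque(sorted(n for n in nodes if pending[n] == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for d in sorted(deps.get(svc, ())):
            pending[d] -= 1
            if pending[d] == 0:
                ready.append(d)
    if len(order) != len(nodes):
        raise ValueError("dependency cycle: cannot order service restarts")
    return order


def rotate(account, references, deps, length=20):
    """account is the authority record (e.g. the directory entry); references
    are every other place the password is stored. If any reference cannot be
    updated, everything is restored to the old password: a half-propagated
    change is exactly what locks the account out."""
    old = account["password"]
    new = "".join(secrets.choice(ALPHABET) for _ in range(length))
    stops = stop_order(deps)
    log = [f"stop {s}" for s in stops]
    account["password"] = new
    changed, failed = [], None
    for ref in references:
        if not ref["reachable"]:
            failed = ref["name"]
            break
        ref["password"] = new
        changed.append(ref)
    if failed:
        account["password"] = old
        for ref in changed:
            ref["password"] = old
        log.append(f"rollback: could not update {failed}")
    log += [f"start {s}" for s in reversed(stops)]
    return {"ok": failed is None, "stops": stops, "starts": stops[::-1],
            "log": log, "password": account["password"]}


# Constructed inventory: the web tier depends on a mail service on a SAN mount.
DEPS = {"WebFrontEnd": {"MailSvc"}, "MailSvc": {"SanMount"}}


def demo(reachable=True):
    """Rotate svc_mail; reachable=False simulates one reference being offline."""
    acct = {"name": "svc_mail", "password": "OldP@ss1"}
    refs = [{"name": "MailSvc logon", "password": "OldP@ss1", "reachable": True},
            {"name": "mail.cfg on web1", "password": "OldP@ss1", "reachable": reachable}]
    result = rotate(acct, refs, DEPS)
    result["consistent"] = all(r["password"] == acct["password"] for r in refs)
    return result
```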


Technology Integrations



McAfee ePO Integration
• Whenever ePO reports problems, view privileged account details and check passwords from the ePO interface
• Save IT staff hours gaining approvals and documenting access at the most critical times


Help Desk Integrations
• Allow only authorized personnel, with a need for access as determined by each trouble ticket, to log in using privileged credentials
• Update trouble ticket status based on privileged account activity
• Create new trouble tickets should ERPM report unexpected events

(Figure: SCSM Integration)


Help Desk Integrations (Cont’d)
• Microsoft System Center Service Manager
• HP Service Manager
• BMC Remedy
• ServiceNow
• Event Sink to integrate with most others



SIEM Integrations: Security Information and Event Management (SIEM)
• Enables SIEM to correlate security events with privileged account activity
• Eliminates a key SIEM blind spot, making privileged user actions no longer anonymous
• ERPM forwards comprehensive event data: console and password operations, Web application, file vault, scheduler activity


SIEM Integrations
• HP ArcSight
• Q1 Labs QRadar
• RSA enVision
• Splunk
• … ERPM syslog integrates with virtually all others



ERPM – SAP Integration
• ERPM is the first product certified to discover and manage privileged identities in SAP
• Enables IT compliance by securing, auditing and reporting SAP access
• Automatically checks in, randomizes, and eliminates sharing of powerful SAP logins

(Figure: ERPM Service Catalog in NetWeaver)


ERPM – Qualys Integration
• Qualys security scanners store super-user passwords to access systems
• Integration allows QualysGuard to access credentials stored securely in ERPM to scan Windows, UNIX, Oracle, MS SQL, IBM DB2 and other resources
• Eliminates double retention of privileged passwords to save IT staff time and remove an attack surface



ERPM – Middleware Integration
• ERPM auto-discovers, randomizes, and grants secure audited check-out of highly privileged middleware accounts
• Supports Oracle WebLogic, IBM WebSphere, MS SQL Reporting Services and others



Multi-Factor Authentication
• Configurable for access to passwords, and access to the Management Console
• Out-of-the-box support for RSA SecurID, YubiKey, and other proprietary tokens
• OATH authentication using third-party tokens
• Out-of-band, Time-based One-Time Password (TOTP) authentication by email and SMS using OATH (at no additional cost)



Section 4: The ERPM Product Offering



Core Product Option
• Auto-Discovery
• Root/Admin Password Management
• Service Account Management
• Repository
• Account Elevation
• Auditing/Reports/Dashboards
• IBM Protocol Support
• DB Account Support
• MSFT Support
• Ticketing System Integration
• Multi-Factor Authentication


Disaster Recovery and High Availability
• Cluster license for High Availability and Disaster Recovery
• Zone Processors for 24/7 remote availability regardless of network issues



Session Recording
• Captures full textual metadata with each session
• Quickly search and access by metadata
• Jump Server and Agent options



Multi-Language Support
• Web Application works in 20+ languages
• Fully localized (not machine-translated) user interfaces and dashboards
• Browser auto-select or user selectable



Application Integration: Event Sinks
• Event triggering, notification and integration
• Wizard easily integrates third-party software SDK and Web Services
• Custom propagations update files and applications directly
• Can replace embedded passwords with ERPM calls


PowerShell Integration
• Full automation and programmatic orchestration of privileged identity management operations
• Allows machine control of discovery, password changes, delegation, auditing and more…
• Can be used from within MS System Center Orchestrator


Web Services Interface
• Platform-agnostic SOAP interface
• Full automation and programmatic orchestration of privileged identity management operations
• Deploy, manage and de-provision privileged accounts and file-based secrets (including X.509 and other certificates and large binary files) regardless of the physical or virtual machine where they reside

(Figure: Web Services API)


SAP NetWeaver Integration (Optional Feature)
• First SAP Certified PIM solution
• Continuously discovers SAP accounts
• Integrates directly with the SAP NetWeaver Gateway
• Manages accounts in SAP v7.01 and newer through direct API calls



Encryption Options
Hardware Security Module (HSM)
• Supports use of external FIPS 140-2 certified encryption modules, including Thales nShield
Software-based Encryption
• Supports up to AES-256



Competitive Landscape



What Differentiates ERPM?
• Rapid, complete deployments (in days, not months)
  – User installable and configurable, with no need for scripting, customization, or professional services
  – Easy to upgrade and manage over time
• Superior technology
  – Auto-discovery and correlation, propagation
  – Unsurpassed service account management
  – N-tier deployment architecture
• Open standards: no proprietary technology
• Enterprise-ready for scale, scope, and complex, dynamic infrastructures
  – Resilient solution: without constant IT intervention
• Comprehensive and open documentation


Our Competitive Advantages, In Order of Priority
• We win on ease and speed of deployment and ongoing low TCO. (What is the real cost?)
• In a POC we can prove that we do what we say we can do, always at the customer site, on their network
• Propagation / Service Account Management
• Auto-Discovery and Correlation
• We are the only company to have point solutions in our “toolkit” which we use to clean up customer networks prior to ERPM installation and deployment.



Features / Benefits slide (still to be developed)
• Check boxes: who has what



How to Price the Solution [Sales to provide]



Competitive Landscape vs. “Company A”
ERPM uses 100% native API calls and doesn’t rely on WMI and cached data
• Fewer password change failures
• Fewer service disruptions



Competitive Landscape vs. “Company A”
ERPM performs dynamic dependency analysis with real-time discovery before updating interdependent service accounts
• Competing solution never fully eliminates the need for a time-consuming manual change process



Competitive Landscape vs. “Company A”
ERPM is installed on industry-standard Windows Server and your choice of MS SQL or Oracle databases
• Competing solution is an appliance that’s built on a mix of open-source and proprietary software.



Competitive Landscape vs. “Company A”
ERPM security is built on trusted standards including FIPS 140-2 and AES-256
• Competitor’s security architecture uses multiple proprietary layers
• Competitor’s known software vulnerabilities are published in the NIST.gov database



Competitive Landscape vs. “Company A”
ERPM is designed for self-service and is typically deployed in large enterprises in under 3 days
• Competitor relies on professional installation and configuration services to uphold its product warranty
• With so many paid services required to maintain its products, the Competitor’s “license fee represents just one-fifth* of the typical project” costs

*Stated by competitor’s Sales VP, per “CRN UK” 11/2011


Client Case Studies



Client Case Study

Client profile
• Credit union founded in the 1930s, with branches located throughout the U.S. and Puerto Rico and approximately 218,000 members.

Situation
• Time-consuming manual changes: 10+ hours per change, not comprehensive
• Ignored complicated service account changes
• Failing frequent financial and regulatory compliance audits

Solution
• ERPM was deployed to the client’s cross-platform enterprise.

Results
Improved Operations >> Time and Cost Savings
• Accounts secured regularly without manual intervention
• Eliminated burden of manually producing reports
Reduced Risk Profile
• Automated the discovery and securing of service accounts
Achieved Regulatory Compliance
• Demonstrated control, passed internal and external NCUA audit


Client Case Study

Client profile
• North American subsidiary of a global consumer/commercial financial institution with a presence in key business and financial centers throughout the world.

Situation
• Urgent need to secure privileged accounts before a looming audit
• Zero impact to ongoing IT operations

Solution
• ERPM was quickly deployed (<2 weeks) across 1100+ servers at three North American data centers

Results
Improved Operations >> Time and Cost Savings
• Deployed with minimal manual effort
• Automated account discovery keeps up with their dynamic environment
Reduced Risk Profile
• All privileged access is delegated, tracked and audited
Achieved Regulatory Compliance
• Demonstrated control, passed immediate internal audit, now “in good shape”


Questions


