
PAM Administration

Introduction to CyberArk Privileged Access Management

© 2023 CyberArk Software Ltd. All rights reserved


Agenda

This session introduces the CyberArk Privileged Access Management (PAM) solution.

We will look at:

1. Overview of basic PAM principles and concepts
2. A common attack method and how CyberArk PAM can minimize exposure
3. Key features of the CyberArk self-hosted PAM solution
4. The system architecture
5. System interfaces and utilities
6. Online help and customer community


Overview



What are Privileged Accounts?

A privileged account is any account that has the capability to change or impact the operational service of a business process. Therefore, we often refer to privileged accounts as the “keys to the kingdom”.


Examples of Privileged Accounts

Some classic examples include the following accounts:
• Administrator on a Windows server
• Root on a UNIX server
• SYS user on Oracle DBs
• Enable on a Cisco device


Privilege is Everywhere

Privileged accounts exist in every connected device, database, application, industrial controller, and more!

There are typically 3X more privileged accounts than employees.


Privilege Can Be Used By Any Identity

Diagram of identities that can hold privilege:
• System Administrators
• 3rd-Party & Service Providers
• Select Applications
• Business Users
• Social Networking Account Managers

Until recently, IT Admins were considered privileged users. In today’s environment almost any identity can be privileged under certain conditions.


The Challenges and Threats



Attackers NEED INSIDER Credentials

“…80% of security breaches involve compromised privileged credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

The Forrester Wave: Privileged Identity Management, Q3 2018

Technologies Change. Attack Paths Don’t.

• Limit privilege escalation & abuse
• Stop lateral & vertical movement
• Prevent credential theft

Diagram: the identities shown on the attack paths are a Remote Vendor, an Internal Attacker, an IT Admin, a Business User, an External Attacker, a Developer, a Robot and an Application.


Privilege is at the Center of the Attack Lifecycle

Typical Lifecycle of a Cyber Attack
• Penetration
• Credential theft
• Reconnaissance
• Lateral movement
• Privilege escalation
• Repeat

Diagram: External Threats cross the Network Perimeter (Perimeter Compromise), while Internal Threats start from Existing Access. From either starting point the attacker performs reconnaissance, moves laterally and escalates privileges until it can Disrupt Business or Exfiltrate Data.


CyberArk Breaks the Attack Chain

The same lifecycle (Penetration, Credential theft, Reconnaissance, Lateral movement, Privilege escalation, Repeat) and the same diagram as the previous slide, this time marked where CyberArk PAM interrupts it: at the credential-theft, lateral-movement and privilege-escalation steps, before the attacker reaches Disrupt Business or Exfiltrate Data.


Protecting Privileged Access

Diagram of the defensive layers, from the outside in:
• Perimeter security
• Security controls inside the network
• Monitoring
• Privileged Access Manager


Proactive Protection, Detection, & Response

Proactive protection
• Secured credentials
• Only authorized users
• Individual accountability
• Session isolation
• Limit scope of privilege

Targeted detection
• Continuous monitoring
• Malicious behavior
• High risk behavior
• Alerts

Real-time response
• Session suspension/termination
• Full forensics record of activity

Diagram: insider and external identities reaching privileged accounts on databases/hypervisors, applications, the network, endpoints, devices, industrial controls and social media.


Key Features of
CyberArk PAM



CyberArk PAM

Five capabilities, each covered on the following slides:
• Discover and manage credentials
• Isolate credentials and sessions
• Record and audit sessions
• Monitor privileged activity
• Remediate risky behavior


Discover and Manage Credentials

• Automated processes for accounts discovery
• Policies to manage:
  ⎼ Password complexity and length
  ⎼ Rotation frequency
  ⎼ Etc.

Diagram: the CPM rotates the credentials held in the Digital Vault for accounts across the Enterprise IT Environment. Before rotation every account shares the same value:

System    User           Pass
Unix      root           tops3cr3t
Oracle    SYS            tops3cr3t
Windows   Administrator  tops3cr3t
z/OS      DB2ADMIN       tops3cr3t
Cisco     enable         tops3cr3t

After rotation each account gets its own generated value (the diagram shows Tojsd$5fh, y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p).
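The slide names the three things a credential policy governs (complexity, length, rotation frequency). The following is an added illustration written for this page, not CPM's implementation: the `PasswordPolicy` class, the `ACCOUNTS` inventory, its dates and the extra `svc_backup` account are all constructed. It audits the slide's table against a policy, flags the shared `tops3cr3t` value (one stolen secret would open five systems), and generates fresh, unique per-account credentials from a CSPRNG.

```python
from __future__ import annotations

import secrets
import string
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical policy: length, character-class minimums and rotation age."""
    min_length: int = 12
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    special_chars: str = "$%+!#"
    rotation_days: int = 30


def check_complexity(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy rules the password violates; an empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    requirements = {
        "uppercase": (policy.min_upper, str.isupper),
        "lowercase": (policy.min_lower, str.islower),
        "digit": (policy.min_digits, str.isdigit),
        "special": (policy.min_special, lambda c: c in policy.special_chars),
    }
    for name, (needed, predicate) in requirements.items():
        if sum(1 for c in password if predicate(c)) < needed:
            problems.append(f"needs at least {needed} {name} character(s)")
    return problems


def generate_password(policy: PasswordPolicy) -> str:
    """Draw a password from a CSPRNG and retry until it satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + policy.special_chars
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.min_length))
        if not check_complexity(candidate, policy):
            return candidate


def rotation_due(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """True when the credential is older than the policy's rotation frequency."""
    return today - last_changed >= timedelta(days=policy.rotation_days)


# Constructed inventory mirroring the slide's table; the last entry is a
# made-up account that already complies, so it should produce no findings.
TODAY = date(2023, 6, 1)
ACCOUNTS = [
    {"system": "Unix", "user": "root", "password": "tops3cr3t", "last_changed": date(2023, 1, 15)},
    {"system": "Oracle", "user": "SYS", "password": "tops3cr3t", "last_changed": date(2023, 1, 15)},
    {"system": "Windows", "user": "Administrator", "password": "tops3cr3t", "last_changed": date(2023, 1, 15)},
    {"system": "z/OS", "user": "DB2ADMIN", "password": "tops3cr3t", "last_changed": date(2023, 1, 15)},
    {"system": "Cisco", "user": "enable", "password": "tops3cr3t", "last_changed": date(2023, 1, 15)},
    {"system": "Windows", "user": "svc_backup", "password": "X5$aq+pLm7yT5w", "last_changed": date(2023, 5, 20)},
]


def audit_accounts(accounts, policy: PasswordPolicy, today: date) -> dict[str, list[str]]:
    """Map 'system/user' to the reasons its credential must be rotated."""
    reuse = Counter(a["password"] for a in accounts)
    findings = {}
    for a in accounts:
        reasons = check_complexity(a["password"], policy)
        if reuse[a["password"]] > 1:
            # the same secret on several systems turns one theft into several
            reasons.append(f"shared with {reuse[a['password']] - 1} other account(s)")
        if rotation_due(a["last_changed"], policy, today):
            reasons.append(f"last rotated {(today - a['last_changed']).days} days ago")
        findings[f"{a['system']}/{a['user']}"] = reasons
    return findings


def rotate_noncompliant(accounts, policy: PasswordPolicy, today: date) -> dict[str, str]:
    """Generate a fresh, unique password for every account with findings."""
    new_passwords = {}
    for key, reasons in audit_accounts(accounts, policy, today).items():
        if reasons:
            candidate = generate_password(policy)
            while candidate in new_passwords.values():  # never reuse across systems
                candidate = generate_password(policy)
            new_passwords[key] = candidate
    return new_passwords


if __name__ == "__main__":
    for key, reasons in audit_accounts(ACCOUNTS, PasswordPolicy(), TODAY).items():
        print(key, "->", "; ".join(reasons) or "compliant")
```

Running it lists three findings for each of the five slide accounts (too short, no uppercase, no special character), plus the reuse and age findings, and none for the constructed compliant account; `rotate_noncompliant` then returns one distinct replacement per flagged account.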


Isolate Credentials and Sessions

• CyberArk enables secure connections to critical systems using a proxy.
• Target systems are fully isolated: privileged credentials are not exposed to end users or to their applications or devices.
• Target systems are configured not to accept direct connections.

Diagram: the user’s session goes through the PVWA to the PSM, which opens the RDP connection to the Target Server; a Direct RDP Connection from the user to the Target Server is blocked.


Record and Audit Sessions

• Privileged sessions recorded in video and/or text format
• Stored and encrypted in the tamper-resistant Digital Vault
• Recordings have a clickable timeline to navigate to specific events


Monitor Privileged Activity

CyberArk session monitoring enables review of recordings and live sessions, which can be sorted based on risk.

This enables the security operations personnel to take a risk-based approach by prioritizing the greatest threats that are detected in the environment.


Remediate Risky Behavior

Unmanaged accounts can be automatically on-boarded and managed through CyberArk’s continuous discovery capabilities.

CyberArk can automatically rotate credentials in the event of risky behavior such as credential theft, bypassing the Digital Vault.

Additionally, administrators can establish policies to either automatically suspend or terminate privileged sessions based on risk assignment.


Key Features

Discover & Manage
• Secure and manage privileged passwords, SSH keys and other secrets
• Continually scan the environment to detect privileged accounts and credentials
• Add accounts to pending to validate privilege or automatically onboard and rotate

Isolate
• Secure jump-server to control credentials in an isolated instance
• Connect via secure jump server using a variety of native workflows
• Prevent malware attacks and control privileged access

Record/Audit
• Record privileged sessions and store in centralized repository
• Audit logs of video recording stored automatically

Monitor
• View privileged activity by going directly to specified activities, keystrokes, etc.
• Send automatic alerts to SOC and IT admins based on risky activities
• Automatically start viewing riskiest sessions first, at the point of most suspicious activities

Remediate
• Suspend and/or terminate privileged sessions automatically based on risk score and activity
• Initiate automatic credential rotation based on risk in case of compromise/theft
• Reduce the number of accounts that can be used to circumvent privileged controls

Deployment options: On Premises, Cloud, Hybrid

Automation with REST APIs and policies enhances Core PAS functionality.


System Architecture


CyberArk PAM Components

Digital Vault
• A secure server used to store privileged account information
• Based on a hardened Windows server platform

Password Vault Web Access (PVWA)
• The web interface for users to gain access to privileged account information
• Used by Vault administrators to configure policies

Central Policy Manager (CPM)
• Performs the password changes on devices
• Scans the network for privileged accounts

Privileged Session Manager (PSM)
• Isolates and monitors privileged account activity
• Records privileged account sessions

Privileged Threat Analytics (PTA)
• Monitors and detects malicious privileged account behavior


The Vault and Its Clients

Diagram: the Vault at the center, with its clients around it:
• End Users (IT Staff, Auditor, etc.), connecting through Password Vault Web Access and the Privileged Session Manager
• Central Policy Manager, working against Managed Target Accounts and Servers (Unmanaged Target Accounts and Servers are shown alongside)
• Custom Applications, Reporting Tools, etc., connecting through PACli and SDKs
• Vault Administrators, using the PrivateArk Client
• Application Providers (for Unix/Windows target databases)
• Privileged Threat Analytics
• Unix/Windows Users


The Vault: End-to-End Security

Seven layers protect the Vault and its contents:
• Firewall: proprietary protocol; hardened built-in Windows Firewall
• Vault User Authentication: single or two factor authentication (recommended)
• Session Encryption: OpenSSL encryption
• Discretionary Access Control: granular permissions; role based access control
• Mandatory Access Control: subnet based access control; time limits and delays
• Auditing: tamperproof audit trail; event-based alerts
• Stored Credential File Encryption: hierarchical encryption model; every object has a unique key
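To make the authentication, discretionary, mandatory and auditing layers concrete, here is an added example written for this page (not CyberArk code; the `SAFES` definition, the user names, the subnet and the hours are all constructed). It evaluates a request in the same order the slide lists the layers and writes every decision, allow or deny, to a hash-chained audit trail: each entry commits to the hash of the one before it, which is what makes an audit trail tamper-evident, and `verify()` fails if any earlier entry is altered.

```python
from __future__ import annotations

import hashlib
import ipaddress
import json
from datetime import datetime, time

# Constructed safe definitions (hypothetical names, not a real Vault configuration).
SAFES = {
    "Unix-Root": {
        # discretionary: granular, per-user permissions granted by the safe owner
        "permissions": {"alice": {"List", "Retrieve"}, "bob": {"List"}},
        # mandatory: restrictions that apply even when a permission was granted
        "allowed_subnets": [ipaddress.ip_network("10.0.5.0/24")],
        "allowed_hours": (time(8, 0), time(18, 0)),
    },
}


class AuditTrail:
    """Append-only log where each entry commits to the hash of the previous one,
    so editing or deleting an earlier entry is detectable."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev_hash: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev_hash + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"event": event, "prev": prev_hash, "hash": self._digest(prev_hash, event)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any mismatch."""
        prev_hash = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev_hash or entry["hash"] != self._digest(prev_hash, entry["event"]):
                return False
            prev_hash = entry["hash"]
        return True


def authorize(audit: AuditTrail, user: str, authenticated: bool, safe_name: str,
              action: str, source_ip: str, when: datetime) -> tuple[bool, str]:
    """Evaluate the layers in order; every outcome is recorded before it is returned."""

    def decide(decision: str, reason: str) -> tuple[bool, str]:
        audit.append({"user": user, "safe": safe_name, "action": action, "source": source_ip,
                      "time": when.isoformat(), "decision": decision, "reason": reason})
        return decision == "ALLOW", reason

    if not authenticated:                                        # authentication layer
        return decide("DENY", "user not authenticated")
    safe = SAFES.get(safe_name)
    if safe is None:
        return decide("DENY", "unknown safe")
    if action not in safe["permissions"].get(user, set()):      # discretionary access control
        return decide("DENY", f"no {action} permission on {safe_name}")
    if not any(ipaddress.ip_address(source_ip) in net for net in safe["allowed_subnets"]):
        return decide("DENY", f"source {source_ip} outside allowed subnets")  # mandatory: subnet
    start, end = safe["allowed_hours"]
    if not start <= when.time() < end:                           # mandatory: time limits
        return decide("DENY", "request outside allowed hours")
    return decide("ALLOW", "all layers passed")


if __name__ == "__main__":
    trail = AuditTrail()
    print(authorize(trail, "alice", True, "Unix-Root", "Retrieve", "10.0.5.20", datetime(2023, 6, 1, 10, 0)))
    print(authorize(trail, "alice", True, "Unix-Root", "Retrieve", "192.168.1.5", datetime(2023, 6, 1, 10, 0)))
    print("audit trail intact:", trail.verify())
```

Note that a granted permission alone is never sufficient: the subnet and time checks run after the discretionary check and deny independently of it, which is the distinction between the discretionary and mandatory layers on the slide.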


CyberArk’s Scalable Architecture

Diagram: the Main Data Center (US) hosts the Vault as an HA cluster together with the PVWA, PTA, CPM and PSM, serving auditors, IT and the local IT environment. Remote IT environments in London and Hong Kong, each with their own auditors/IT, connect back to it, and a DR Site is shown alongside the main data center.

System Interfaces and Utilities

• PVWA
• PrivateArk Client
• PAM Web Services (REST API)
• Vault Central Administration Station
• Remote Control Client


Password Vault Web Access – a New Interface

PVWA version 10 introduced the new user interface, which focuses on seamless workflows and easy access. End users will use this interface to retrieve passwords or launch privileged sessions. Auditors will use this interface to monitor privileged sessions.

Some features still require the classic interface, which can be accessed by a dedicated link.


PVWA – Classic Interface
• The classic interface is mostly used by Vault Administrators to manage policies and permissions,
and to configure the PVWA and the other components.



PrivateArk Client

• The PrivateArk Client is the legacy interface to Vault data
• Mostly used by administrators for certain tasks that are not implemented in PVWA
• The PrivateArk Client can be installed on any station with access to the Vault


PAM Web Services

• The PAM Web Services is a RESTful API that enables users to create, list, modify, and delete entities in PAM using programs and scripts.
• The main purpose of the PAM Web Services is to automate tasks that are usually performed manually using the UI and to incorporate them into system- and account-provisioning scripts.

Sequence diagram (Client, PVWA, Vault):
  Client → PVWA: CyberArk LOGON (HTTP)
  PVWA → Vault: Authenticate user
  PVWA → Client: HTTP Response code: 200 Success
                 CyberArkLogonResult=AAEAAAD/////AQAAAAAAAAAMAgAAAFhDeWJlckFyay5TZXJ2aWNlcy5XZWIsIFZlcnNpb249OC4w
  Client → PVWA: ADD USER
  PVWA → Vault: Create the User
  PVWA → Client: HTTP Response code: 201 Success
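The exchange in the diagram, as an added example that is not part of the original deck and not CyberArk's code: a small client performs LOGON, takes the `CyberArkLogonResult` token from the 200 response and sends it in the `Authorization` header of the ADD USER call, which returns 201. So that it runs offline, the client talks to a constructed in-process mock of the PVWA that imitates only the status codes and the token check; the endpoint paths and the `UserName` body field are assumptions based on the classic PAM Web Services layout, and the credentials are made up. The point a practitioner should take from it is on the mock's side: a user-creation request without a token issued by LOGON is refused with 401, and the admin password is compared in constant time.

```python
from __future__ import annotations

import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

# Paths assumed from the classic PAM Web Services layout (illustration only).
LOGON_PATH = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon"
USERS_PATH = "/PasswordVault/WebServices/PIMServices.svc/Users"

# Constructed directory for the mock server; a real deployment authenticates against the Vault.
VAULT_USERS = {"Administrator": "Tojsd$5fh-constructed"}
SESSIONS: dict[str, str] = {}       # CyberArkLogonResult token -> vault user
CREATED_USERS: list[str] = []       # users the mock has "created"


class MockPVWA(BaseHTTPRequestHandler):
    """Stands in for the PVWA: issues a session token on LOGON, requires it on ADD USER."""

    def log_message(self, fmt, *args):  # keep the example quiet
        pass

    def _json_body(self) -> dict:
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length) or b"{}")

    def _reply(self, status: int, payload: dict) -> None:
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self) -> None:
        if self.path == LOGON_PATH:
            body = self._json_body()
            expected = VAULT_USERS.get(body.get("username", ""), "")
            # constant-time comparison; an unknown user fails the same way as a bad password
            if expected and hmac.compare_digest(expected.encode(), body.get("password", "").encode()):
                token = secrets.token_urlsafe(32)
                SESSIONS[token] = body["username"]
                self._reply(200, {"CyberArkLogonResult": token})
            else:
                self._reply(403, {"ErrorMessage": "Authentication failure"})
        elif self.path == USERS_PATH:
            # every later call must present the token returned by LOGON
            if self.headers.get("Authorization", "") not in SESSIONS:
                self._reply(401, {"ErrorMessage": "Missing or invalid session token"})
                return
            body = self._json_body()
            CREATED_USERS.append(body["UserName"])
            self._reply(201, {"UserName": body["UserName"]})
        else:
            self._reply(404, {"ErrorMessage": "Not found"})


def post_json(base_url: str, path: str, payload: dict, token: str | None = None) -> tuple[int, dict]:
    """POST a JSON body; return (status code, decoded JSON) for success and error responses alike."""
    req = request.Request(base_url + path, data=json.dumps(payload).encode(), method="POST",
                          headers={"Content-Type": "application/json"})
    if token:
        req.add_header("Authorization", token)
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as exc:
        return exc.code, json.loads(exc.read() or b"{}")


def provision_user(base_url: str, admin: str, password: str, new_user: str) -> dict:
    """Run the slide's exchange: LOGON, then ADD USER carrying the returned token."""
    logon_status, logon_body = post_json(base_url, LOGON_PATH, {"username": admin, "password": password})
    if logon_status != 200:
        return {"logon": logon_status, "add_user": None}
    token = logon_body["CyberArkLogonResult"]
    add_status, _ = post_json(base_url, USERS_PATH, {"UserName": new_user}, token=token)
    return {"logon": logon_status, "add_user": add_status}


def start_mock_pvwa() -> tuple[HTTPServer, str]:
    """Serve the mock on a free loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockPVWA)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base = start_mock_pvwa()
    print(provision_user(base, "Administrator", VAULT_USERS["Administrator"], "jdoe"))  # {'logon': 200, 'add_user': 201}
    server.shutdown()
```

In a provisioning script the password would come from a secrets store or a prompt, never from a literal as in this constructed directory, and the token would be discarded with a Logoff call once the script finishes.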


Vault Central Administration Station

Only available on the Vault server.

• Starting and stopping the PrivateArk Server Windows service (stop/start)
• Displaying the Vault Server log (ITALOG.LOG)
• Changing the Vault debug level dynamically


Remote Control Client

• Runs from a command line interface
• Executes tasks on the Vault server via the Remote Control Agent
• Client and agent communicate via the CyberArk Remote Control Protocol on port 9022
• RCC reduces the need to open an RDP port for the Vault

Monitoring the Vault status using the Remote Control Client:

PARCLIENT> status vault
Password: *********
Vault is running.

PARCLIENT> stop vault
Are you sure you want to stop the remote Vault (Y/N)? y
Vault was stopped successfully

PARCLIENT> start vault
Vault was started, pending service running. use status command for further details.

PARCLIENT> status vault
Vault is running.

PARCLIENT> status ene
ENE is stopped.

PARCLIENT> start ene
ENE was started, pending service running. use status command for further details.

PARCLIENT> status ene
ENE is running.

PARCLIENT>


Online Help and
Customer Community



CyberArk Customer Community

• Online documentation
• Knowledge base
• Training
• Enhancement Requests
• Marketplace


On-line Documentation

• Available in the CyberArk Customer Community
• Published online
• Easily searchable information


CyberArk Acronyms

The CyberArk Glossary can be found easily here:



Summary

In this session we discussed:
• Basic principles and concepts
• Key features of the CyberArk PAM solution
• The PAM system architecture
• System interfaces and utilities
• Online help and customer community


Additional Resources

• Online Training: Introduction to Privileged Access Management
• Risk Assessment Tools: DNA, zBang
• Video: DNA

You may now complete the following exercise:

Introduction to CyberArk Privileged Access Management

• Getting to Know the Acme Corp Environment
  ̶ Acme Servers
• Getting to Know CyberArk PAM
• Log Into the Components Server
• PVWA
  ̶ Log in as Mike
  ̶ Deactivate “Reason for Access”
  ̶ Connect to an Account in the New UI
  ̶ Retrieve a Password in the Classic UI
• PrivateArk Client
  ̶ Connecting
  ̶ Accessing a File in a Safe
  ̶ Modifying the View
• Remote Control Client
• The Vault Server
  ̶ Activate the PSM