Feels like a Cyber Security Groundhog’s Day
February 9, 2018 | Endpoint | Stephen Lowing
While nobody has a crystal ball for what’s coming this year, I think we can all agree tough security lessons were learned in 2017. From Yahoo indicating that every one of its 3 Billion email accounts (that’s a B) was exposed in a breach to some pretty serious hacking tools believed to have been developed by the NSA. Additionally, we saw the WannaCry, NotPeyta and BadRabbit ransomwares making everyone aware of how important it is to update your operating system and key applications along with a strategy that mitigates risks from a diverse, targeted and motivated set of attackers. In short, the guidance here would not be much different from the last few years on what to do to help to prevent these attacks. This should give us a sense of pause – are we in some sort of a Cyber Security Groundhog’s Day where we keep repeating the same old thing?
How much wood can a Cyber wood chuck, chuck if a….
So at the risk of sounding like a broken record, I want to restate something that you have heard from CyberArk. Privilege is an endpoint problem, and it is solvable. Privileged account security is something that should be properly handled alongside other security hardening and defense-in-depth strategies. We have been saying this for a long time, but it’s great to see other vendors make this argument too. The analyst community also notes this as a key tenant for a defensive strategy.
Along with privileged account security, and this means effortlessly implementing the principles of Least Privilege (coincidently in the top 5 Critical Cyber Controls advocated by the Center for Internet Security to reduce the attack surface), we see two other critical areas we featured in our recent release: application control and credential theft protections.
Application control is something we have discussed previously. Coupling this with Ransomware policy automation, customers that leverage Endpoint Privilege Manager are able to quickly insulate their environments from one of the biggest plagues of 2017 in very aware ransomware (say that 10 times fast). While some look at app control as passé, the reality is that there is more than a “give and take” that happens when properly implemented. I like to look at it as “help me to help you.” CyberArk has many large customers leveraging this capability across multi-national organizations with different levels of control that enable their respective businesses to operate at peak efficiencies. The result: instead of chasing down instability issues, CyberArk Endpoint Privilege Manager customers can focus more energies on the important matters of the business.
Now available to all deployments of Endpoint Privilege Manager is CyberArk Application Risk Analysis (ARA) service. This service enables IT security analysts to make timely decisions around policy for unknown applications that enter their environments. ARA combines machine learning, to identify risky applications, with several layers of malware identification to arrive at a risk score for an unknown application. The key benefit is to enable unknown applications to be properly handled by policy.
Watch this video to see CyberArk Application Risk Analysis in action:
“Do you ever have déjà vu, Mrs. Lancaster?”
As it’s been said many times by analysts and the industry as a whole, target credentials for a privileged or administrative user to achieve their objectives. At CyberArk this hits home since controlling privilege is the name of the game. Having preventative measures to keep the bad guys out (i.e. not getting on the endpoint in the first place) is really an arms race that several Cyber Security companies embark upon. Eventually, the bad guys will get on your endpoint, and most agree inevitably, thus the change in tone and posture to not simply focus on prevention but also detection.
Once inside, it’s what happens next that matters most. This usually means attacks on the environment directly as the user (if say, for example, they are operating with administrative permissions, which our application control does a great job interrupting) or in many cases now a days, stealing an admin credential or residual privilege on the endpoint from a prior login.
“Thinking like an attacker” enables CyberArk Endpoint Privilege Manager can help when the bad guys get around your NGAV or EDR solution to provide a means to contain their activities to the endpoint via credential theft protection. CyberArk credential theft protection leads the industry with the most diverse coverage of theft detections and blocking of every Windows OS credentials store, every browser-based credential store and also includes local AWS secret keys residing on the endpoint. By keeping the bad guys from stealing a privileged credential, this often means that they are unable to escalate privilege to pivot onto more sensitive systems. In many cases, this sufficiently deters or outright breaks the attack chain on this attacker allowing your incident response teams to clean up the infiltration on the endpoint.
To help ensure the outcomes are as described, Endpoint Privilege Manager ships with protections across Local Security Authority Subsystem Service (LSASS), Security Account Manager (SAM), Domain Credentials Cache (msvcachedv2), the Local Security Authority (LSA), Safe Mode turning off Microsoft’s Virtual Secure Module (VSM), Microsoft Vault as well as Internet Explorer, Chrome and Firefox browser threats that aim to steal stored credentials. Various remote access tools such as WinSCP and mRemoteNG are protected as well since they retain local cached credentials. This lateral movement protection helps to keep your organization safe from Golden Ticket and Golden SAML attacks.
Keep on trolling
With 2018 looking like we are heading toward another Cyber Security Groundhog’s day, don’t let yourself repeat last year and cause grave impact to your systems. Look to control privilege on your endpoints and take proactive steps to control applications and the threat of ransomware. Take CyberArk ARA out for a spin all while keeping the privileged credentials you do use, safe. Now that’s a happy ending I think we can all agree on.
To help get you on the right path, contact us today to get a DNA Scan of your environment and see where privilege is hiding.