Integrate CyberArk with a SIEM Solution, Gain Valuable Insights About Advanced Threats

May 24, 2016 Sigalit Kaidar


Reviewing recent breaches, we consistently see the same attack patterns. Simply put, attackers crash through the perimeter, compromise a credential and then use the acquired access to move laterally throughout the network. They escalate privileges until they complete their goal. Whether the mission is to steal data, disrupt operations or destroy infrastructure, attackers tenaciously pursue their goals, using a wide variety of tools and tactics.

Ideally, organizations will break the attack lifecycle early in the cycle. In April 2016, CyberArk launched the C3 Alliance – CyberArk’s global technology partner program, to help organizations better address security challenges and to stop the most advanced cyber threats – those involving privileged accounts. By incorporating CyberArk’s privileged account security best practices, as well as leveraging CyberArk privileged account data within a rich partner ecosystem, mutual customers can maximize their existing security and IT investments to enhance their overall security posture.

For example, CyberArk integrates with leading SIEM solutions to leverage CyberArk privileged account activity data and to deliver more valuable insights about advanced threats to customers. Privileged activity alerts from CyberArk Privileged Threat Analytics are sent to the SIEM solutions, and the alerts can then be correlated with other real-time data collected from the organization, so that the most critical security threats can be identified. With these integrated solutions in place, organizations can leverage enhanced detection capabilities to break the attack lifecycle as early as possible.

Here are two scenarios to demonstrate the advantages of the integrated solutions:

  • An Unmanaged Privileged Account – CyberArk Privileged Threat Analytics integrated with a SIEM solution can detect a privileged account (user or application) that is used in the environment, and flag it if it is not managed in the vault.

By correlating login activity made by privileged accounts received from the SIEM solution with CyberArk Digital Vault data, CyberArk Privileged Threat Analytics verifies if the account is managed by the CyberArk Solution and if not, sends the alert to the SIEM solution. These unmanaged accounts may pose a risk to the customer, as they can be accessed in an uncontrolled way. As a best practice, all privileged accounts should be managed in the CyberArk Solution, especially active accounts in use.

  • Suspected Credential Theft – An attacker compromises a machine and steals privileged credentials using hash harvesting to execute a Pass-the-Hash attack. Once obtaining privileged access, s/he tries to access a different sensitive machine. The SIEM solution, in this case, sends all login activities to CyberArk Privileged Threat Analytics. CyberArk Privileged Threat Analytics correlates the logs from both resources, trying to find a match between a login to an endpoint and a prior password retrieval from the CyberArk Solution. When CyberArk Privileged Threat Analytics detects that a user is connected to a machine with a privileged account without first retrieving the credential from the CyberArk Digital Vault, the solution can prompt an immediate credential rotation and send an alert to the SIEM that there is a suspected credential theft.

Keep in mind, attackers will act inside a network undetected for an average of 146 days. If an organization is able to detect privileged misuse quickly, the time exposed can be significantly reduced, resulting in a corresponding reduction in damage to the business.

To learn more about how CyberArk works with leading SIEM vendors, click here or watch a short video of one of our C3 Alliance members talking about market trends and the advantages of technology integration with Cyberark.

Join us on Tuesday, May 24, 2016 for a webinar with FireEye. The webinar will focus on how attackers find their way into the heart of enterprises, the role privileged credentials (passwords and SSH keys) play in an active cyber attack, and how the integration of the CyberArk Privileged Account Security Solution and the FireEye Threat Analytics Platform (TAP)  can help organizations detect, alert and rapidly respond to cyber attacks.

C³ Alliance: AccelOps & CyberArk

C³ Alliance: FireEye & CyberArk

C³ Alliance: LogRhythm & CyberArk

C³ Alliance: RSA, The Security Division of EMC & CyberArk


Previous Article
Service Accounts – Weakest Link in the Chain?
Service Accounts – Weakest Link in the Chain?

At DerbyCon 2014, Tim Medin introduced a novel technique to elevate privileges by exploiting service accoun...

Next Article
CyberArk Labs: Can Incident Response and Audit Teams Always Trust Windows Security Event Logs?
CyberArk Labs: Can Incident Response and Audit Teams Always Trust Windows Security Event Logs?

Introduction CyberArk Labs recently identified what it believes to be a significant risk in the Microsoft W...