Q&A: Threat Analytics, Detection and Response in the Cloud

April 25, 2019 Corey O'Connor


A WIRED article detailing a nation state attack recently caught my attention. The piece introduced the concept of “breakout time,” which is essentially the time it takes for a cyber attacker to go from an initial foothold to a full-fledged breach where the attacker has access to critical systems. In this particular post-breach analysis, the breakout time was only 19 minutes. Now consider that the global median “dwell time” (or duration between the start of an intrusion and detection by an internal or external source) is 78 days. That’s a difference of 77 days and 1,421 minutes in the attacker’s favor. Pretty scary stuff. The critical need to minimize this cyber attack dwell time was the driving force behind our decision to make threat analytics a central part of the CyberArk Privileged Access Security Solution.

We believe that the ability to rapidly collect, detect, alert and respond to high-risk activity and behavior is an absolute necessity in mitigating risk from an advanced attack. With the recent introduction of v10.8 of our solution, we’ve taken these capabilities to the cloud.

We recently held a webinar to help customers get a feel for these new features and enhancements. The webinar featured a lively Q&A session as attendees got a chance to virtually “kick the tires” and delve into product specifics. Here’s an abbreviated version of this discussion. To learn more, watch the video, tune into the on-demand webinar and check out this blog post.

The webinar was hosted by Scott Ward, Principal Solutions Manager for Amazon Web Services (AWS), Corey O’Connor, Senior Product Marketing Manager for CyberArk, and Hila Oved, Product Manager for CyberArk. During the webinar, the three fielded frequently asked questions in a question and answer session.

Q: Can the CyberArk solution be configured to receive data from AWS?

Ward: Yes. It’s actually designed as a two-way integration. First, CyberArk queries the AWS environment to discover all privileged AWS users. We consider their permissions, their group memberships and assigned policies. The second integration is designed using modern event-driven architecture. Our information is fed from AWS CloudTrail using our CyberArk Lambda function, which collects this information and sends it to threat analytics. This ensures that our solution analyzes every single attempt by every single privileged user to access infrastructure using credentials such as access keys or passwords.

Q: Can these new discovery capabilities help me identify shadow admins in my cloud environments?

Oved: Absolutely. CyberArk can automatically identify all privileged accounts within AWS, such as unmanaged EC2 instances and accounts, as well as identity and access management (IAM) users. This includes shadow admins, or accounts that have privileged access but are not members of a privileged Active Directory, making them easy to overlook. Our new discovery capability enables the tracking of AWS credentials everywhere that they’re created, as they’re created, which speeds up the onboarding process for these unmanaged accounts. Additionally, the CyberArk integration with the AWS Security Hub gives AWS customers enhanced visibility around all privileged credentials tied to their AWS accounts as well as deeper, data-driven insights and enhanced detection capabilities to help them break the attack lifecycle quickly.
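As an added example (not CyberArk’s code) of the discovery step Ward describes and the shadow-admin pattern Oved defines: it assumes a sanctioned admin group named `Admins` and a short, non-exhaustive list of escalation-capable IAM actions, and it runs over a constructed IAM snapshot rather than a live account.

```python
"""Flag IAM users whose attached policies grant admin-equivalent rights
but who sit outside the designated admin group (the 'shadow admin' case).
Constructed data only; no AWS API calls are made."""
import fnmatch

# Actions that, on their own, let a principal escalate to full control.
# Assumed for this example; a real discovery job would use a fuller catalogue.
ESCALATION_ACTIONS = {
    "iam:*", "iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PassRole", "sts:AssumeRole",
}
ADMIN_GROUP = "Admins"   # assumed name of the sanctioned admin group


def _grants_any(statement, wanted):
    """True if an Allow statement's Action covers any action in `wanted`.
    IAM action names are case-insensitive and may be globbed ('*', 'iam:*').
    Deny statements are ignored here, so the check errs toward reporting."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return any(fnmatch.fnmatchcase(w.lower(), a.lower())
               for a in actions for w in wanted)


def is_privileged(policies):
    """A user is privileged if any statement in any attached policy
    grants an escalation action, directly or through a wildcard."""
    return any(_grants_any(stmt, ESCALATION_ACTIONS)
               for doc in policies for stmt in doc.get("Statement", []))


def find_shadow_admins(users):
    """Return the names of privileged users who are not in ADMIN_GROUP."""
    return sorted(u["UserName"] for u in users
                  if is_privileged(u["Policies"]) and ADMIN_GROUP not in u["Groups"])


# Constructed snapshot shaped like what list-users / list-groups-for-user /
# get-policy-version would assemble. 'dave' is the easy-to-miss case: the
# grant is hidden behind a service-level wildcard rather than a named action.
USERS = [
    {"UserName": "alice", "Groups": ["Admins"],
     "Policies": [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]},
    {"UserName": "bob", "Groups": ["Developers"],
     "Policies": [{"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}]},
    {"UserName": "carol", "Groups": ["Developers"],
     "Policies": [{"Statement": [{"Effect": "Allow", "Action": ["iam:CreateAccessKey", "ec2:*"], "Resource": "*"}]}]},
    {"UserName": "dave", "Groups": ["Ops"],
     "Policies": [{"Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}]},
]

if __name__ == "__main__":
    print(find_shadow_admins(USERS))   # ['carol', 'dave']
```

Group-attached and inline policies are not modelled here; a production discovery job would fold those in before deciding who is privileged.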

Q: Can CyberArk’s advanced threat analytics capabilities be included in an on-premises deployment?

O’Connor: Yes! It can be installed on-premises. From there, AWS becomes an additional sensor that feeds information to CyberArk. Alternatively, the solution can be deployed directly in the cloud. By streamlining deployment and using Amazon’s AMIs for all core components – from vaulting to privileged session management to threat analytics – organizations can be up and running with the CyberArk solution in about 10 minutes.

In closing, I’d like to share a story I recently read in The Register. A disgruntled, recently laid-off ex-employee of a large enterprise stole a colleague’s AWS login credentials, targeted 23 different servers and took down all of his former employer’s AWS instances. With the stolen privileged credentials, the ex-employee easily logged in, changed the passwords, terminated the servers and logged out – completely undetected. The company suffered a loss of over £500,000 of business-critical data. Additionally, it lost many large customers and contracts and even resorted to another round of layoffs to recover damages.

It’s clear from this story just how costly a poor security posture (and corresponding poor cybersecurity hygiene) can be. Cloud security needs to be a shared responsibility between a cloud vendor and customer organization. This shared responsibility model is one of the many reasons for our long-term strategic partnership with AWS. If you are interested in learning more about how CyberArk can help you secure your native AWS, hybrid, multi-cloud and DevOps environments, check out this on-demand webinar, visit our AWS integration page or get in touch with us directly.
