Privileged Account Management - Lieberman

© 2014 by Lieberman Software Corporation. Rev 20110321a

Introduction

© 2001-2014 Lieberman Software Corp.

December 2014

Brasil 2014

Thanks!

What Are Privileged Accounts?

• Root and Admin

• Service and Process

• Application-to-Application


Risks Throughout Your Network

What Roles? What Assets? What Accounts? What Anonymous Actions?

Server and Desktop Computers

  Roles: System Administrators, Contractors, Integrators, Security Administrators, IT Managers

  Accounts: Administrator, Root, Super User, Service

  Anonymous actions: read, copy and alter data; change security settings; create and delete accounts; enable and remove file shares; run programs

Directories and Application Tiers

  Roles: Security Administrators, IT Managers, App Administrators, App Developers, Webmasters, Contract Developers

  Accounts: Admin, Root, Administrator, Service, Config Files, ASP.Net Run As, DB Connection

  Anonymous actions: read, copy, and alter user data; add and delete users; change user privileges; enable remote access; modify back-end applications; alter public-facing websites; read and change DB records; access transaction data

Databases

  Roles: DB Administrators, App Developers, App Administrators, Contract Developers, Integrators

  Accounts: SA, Root, SYS, SYSDBA

  Anonymous actions: read and change DB records; access transaction data; alter configuration and DB schema; add and modify stored procedures

Network, Backup, and Security Appliances

  Roles: Network Administrators, Security Administrators, System Administrators, Backup Operators, Contractors

  Accounts: Administrator, Root, Enable, Admin, Super User, Service

  Anonymous actions: alter configuration settings; alter security and QoS policies; grant and deny network access; access data feeds; enable and disable monitoring; browse and save archives; access transaction data; delete saved data; change configuration settings

Challenges / Pain

• Has your organization experienced an audit finding on privileged access?

• Having trouble managing privileged identities at scale and without causing outages?

• Do you have difficulty limiting contractor access to systems?

• Are you able to prove termination of access to previous employees who have had access to your systems?

What Are the Vulnerabilities?

• Cryptographically Weak Logins

• Stale, Common Passwords

• Unchanged Default Logins on Hardware, Applications, Appliances, Images, LOM, …

• Hard-Wired Credentials in Business Applications

• Developer Backdoors

• Vulnerable Service Account Passwords, and others…

These make the network vulnerable to insider attacks, and to external attackers who leapfrog from system to system…

Failure Will be Exposed


Privileged Accounts Drive Compliance

• Auditors focus on privileged accounts because these logins are often neglected

• Privileged accounts are the targets of many Red Team / Blue Team attacks

• Auditors for HIPAA, PCI-DSS, NERC/FERC, FISMA, NRC and the others demand a solution

What PIM is Not…

Identity & Access Management (IAM)

• Controls user access to computers, applications and networks

• Provisions and de-provisions users

• IAM products include Microsoft Active Directory, Tivoli Identity Manager, Oracle Access Manager, etc.

What PIM is Not…

Single Sign-On (SSO)

• Allows end-users to log in once and gain access to several systems or applications without being prompted to log in again repeatedly.

• SSO vendors include Microsoft, WRQ (Novell), IBM (Tivoli), Dell (NetIQ), Facebook, Google, and many more...

What PIM is Not…

Privileged User Management (PUM)

• Temporarily changes a user’s privileges so that he can perform tasks that require elevated permissions.

• Generally provides controlled shell access to Linux and UNIX

• PUM vendors include Dell (NetIQ / BeyondTrust), FoxT, and others...

What PIM Is…

Privileged Identity Management

• Secures admin and root accounts throughout your network

• Includes discovery, randomization, and audited retrieval of super-user and admin accounts

• PIM vendors include Lieberman Software, Cyber-Ark, Thycotic and others

How ERPM Solves PIM Issues

Comprehensive Privileged Credential Management

ERPM automates:

• Discovery of machines, process accounts, local and firecall accounts, services and tasks, and everywhere those accounts are referenced

• Password change process for randomizing privileged accounts and propagating those changes everywhere the accounts are used, to avoid lockouts

• Storage of complex, random passwords in an encrypted repository

• Role-based provisioning of password access and delegation

• Auditing of every password request, use and change

ERPM Product Overview

• Secures Windows, Linux / UNIX, mainframes, network appliances, databases, business applications, hypervisors, LOM cards, ...

• 3/n-tier architecture scales to the largest networks

• Available as a software installation or VM

[Diagram: ERPM Architecture]

Product Demo (15 Minutes)


1. Create a Management Set

• Management Sets let you organize auto-discovery, password recovery, and other settings in any way that corresponds to the physical infrastructure and personnel roles of your organization.

• Dynamic Management Sets update automatically with changes in your Directories, database queries, scanned IP address ranges, and other criteria you choose.

• Management Set examples:

– Denver Exchange Servers

– UNIX Systems Worldwide

– Systems Managed by Ed’s Team

2. Change Passwords

• You can schedule a password change job by clicking the Change Passwords button

• You can set password complexity rules in the Password Settings tab

• You can also change passwords instantly by right-clicking systems in a list

3. Job Results

• See live results in the Active Threads Status window

• When the job is finished, view the job status summary in the Operation window

Product Overview

Section 2


What Does ERPM Manage?

• Servers

• Workstations

• Network Devices

• Storage Appliances

• Lights Out Devices

• Databases

• Directories

• Configured Applications


How Discovery Works

• Native API discovery, with no reliance on WMI or cached information

– Custom propagation for reliable changes

– Eliminates password change failures and disruptions caused by stale data

• Automated dependency analysis: real-time discovery before updating interdependent service accounts (including clustered services)

– Stops, changes and restarts all dependencies in the proper order to assure reliable account changes

What Account Details Can ERPM Discover?

• Password age

• Ownership

• Last login

• Where used

• Account flags

• Profile info
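The account details listed above (password age, last login, where used, account flags) are exactly what a defender needs in order to find the stale, shared and over-referenced credentials the deck names among its vulnerabilities. The following Python script is an added example written for this page, not Lieberman code and not the ERPM inventory format: it runs a few audit rules over a constructed inventory whose field names, thresholds and password fingerprints are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrivilegedAccount:
    """One row of a discovery inventory. Field names are assumptions; the
    fingerprint stands in for whatever a tool records to compare passwords
    across hosts without storing them (for example a salted hash prefix)."""
    host: str
    name: str
    password_age_days: int
    last_login_days: Optional[int]      # None = never logged in
    enabled: bool
    password_never_expires: bool
    password_fingerprint: str
    where_used: List[str] = field(default_factory=list)


# Constructed sample inventory (hostnames, ages and fingerprints are made up).
INVENTORY = [
    PrivilegedAccount("srv-fs01", "Administrator", 412, 3, True, True, "fp-a1"),
    PrivilegedAccount("srv-fs02", "Administrator", 412, 90, True, False, "fp-a1"),
    PrivilegedAccount("srv-db01", "sa", 30, 2, True, False, "fp-c3"),
    PrivilegedAccount("srv-web01", "svc_backup", 900, None, True, True, "fp-d4",
                      ["Service:BackupAgent", "Task:NightlyExport", "IIS:AppPool/Reports"]),
    PrivilegedAccount("wks-017", "Administrator", 5, None, False, False, "fp-e5"),
    PrivilegedAccount("srv-app02", "svc_app", 20, 1, True, False, "fp-f6", ["Service:AppSvc"]),
]

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy thresholds
DORMANT_AFTER_DAYS = 180
MANY_REFERENCES = 3


def audit(inventory):
    """Return (rule, host, account, detail) findings for the inventory."""
    findings = []
    by_fingerprint = defaultdict(list)
    for a in inventory:
        by_fingerprint[a.password_fingerprint].append(a)
        if a.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(("STALE_PASSWORD", a.host, a.name, f"{a.password_age_days} days old"))
        if a.enabled and (a.last_login_days is None or a.last_login_days > DORMANT_AFTER_DAYS):
            detail = "never used" if a.last_login_days is None else f"idle {a.last_login_days} days"
            findings.append(("DORMANT_ENABLED", a.host, a.name, detail))
        if a.password_never_expires:
            findings.append(("NEVER_EXPIRES", a.host, a.name, "password-never-expires flag set"))
        if len(a.where_used) >= MANY_REFERENCES:
            # Many references means an incomplete change will lock something out.
            findings.append(("PROPAGATION_RISK", a.host, a.name,
                             f"referenced in {len(a.where_used)} places: " + ", ".join(a.where_used)))
    # The same password on several hosts: one compromise reaches all of them.
    for fp, accounts in by_fingerprint.items():
        hosts = sorted({a.host for a in accounts})
        if len(hosts) > 1:
            findings.append(("SHARED_PASSWORD", ",".join(hosts), accounts[0].name,
                             f"fingerprint {fp} reused on {len(hosts)} hosts"))
    return findings


def summary(findings):
    """Count findings per rule, the shape a dashboard or compliance report wants."""
    counts = defaultdict(int)
    for rule, *_ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep=" | ")
    print(summary(audit(INVENTORY)))
```

The rules are deliberately simple; what makes them useful is that the inventory behind them is complete, which is the point of discovery rather than relying on whatever accounts an administrator remembers.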

ERPM Management Console

Windows application for configuring:

• Data store and authentication

• Management Sets

• Auto-discovery

• Password change jobs

• Workflows and delegation

• Web application

• Compliance reporting

… and lets you explore systems and accounts

Management Sets

Logical Groups of Systems/Devices

• Organize any way that corresponds to the physical infrastructure and personnel roles of your organization

• Dynamic Management Sets update automatically with changes in Directories, database queries, scanned IP address ranges, etc.

• Management Set examples:

– Denver Exchange Servers

– UNIX Systems Worldwide

– Systems Managed by Ed’s Team

– Systems on specific domain(s)

– Systems in AD Container(s)

Password Settings

• Password length (6-127 characters) and other constraints

• Windows Account settings

• Change Schedule and Run settings

• Propagation Settings and Scope

Password Constraints

• Characters, Numbers, Symbols

• Constrain Symbols

• Position Constraints
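As an added illustration of the constraint categories above (length, character classes, a restricted symbol set and position rules), here is a Python generator and validator. It is example code written for this page, not ERPM's password engine; the policy defaults, the symbol set and the two positional rules are assumptions, and the OS CSPRNG (the `secrets` module) does the randomization.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Constraint categories from the slide. Field names, default values,
    the symbol set and the positional rules are assumptions for this example."""
    min_length: int = 16              # inside the product's stated 6-127 range
    max_length: int = 24
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    # "Constrain Symbols": a constructed set that survives shell, SQL and URL
    # quoting on the managed platforms (no quotes, $, backtick, backslash, ;).
    allowed_symbols: str = "!#%+-=@^_"
    # Position constraints (assumed rules): first character a letter so the
    # value never parses as a number or a CLI option; last character not a
    # symbol so trailing punctuation is not eaten by a sloppy parser.
    first_must_be_letter: bool = True
    last_must_not_be_symbol: bool = True


def violations(password, policy):
    """Return a list of policy violations for password (empty means compliant)."""
    problems = []
    n = len(password)
    if not policy.min_length <= n <= policy.max_length:
        problems.append(f"length {n} outside {policy.min_length}-{policy.max_length}")
    counts = {
        "upper": sum(c in string.ascii_uppercase for c in password),
        "lower": sum(c in string.ascii_lowercase for c in password),
        "digits": sum(c in string.digits for c in password),
        "symbols": sum(c in policy.allowed_symbols for c in password),
    }
    for name, needed in (("upper", policy.min_upper), ("lower", policy.min_lower),
                         ("digits", policy.min_digits), ("symbols", policy.min_symbols)):
        if counts[name] < needed:
            problems.append(f"needs at least {needed} {name}, has {counts[name]}")
    bad = sorted({c for c in password if not c.isalnum() and c not in policy.allowed_symbols})
    if bad:
        problems.append("disallowed symbols: " + "".join(bad))
    if policy.first_must_be_letter and not password[:1].isalpha():
        problems.append("first character must be a letter")
    if policy.last_must_not_be_symbol and password and not password[-1].isalnum():
        problems.append("last character must not be a symbol")
    return problems


def generate_password(policy):
    """Generate one compliant password using the OS CSPRNG."""
    length = policy.min_length + secrets.randbelow(policy.max_length - policy.min_length + 1)
    classes = [
        (string.ascii_uppercase, policy.min_upper),
        (string.ascii_lowercase, policy.min_lower),
        (string.digits, policy.min_digits),
        (policy.allowed_symbols, policy.min_symbols),
    ]
    # Satisfy every per-class minimum first, then fill the rest from the whole pool.
    chars = [secrets.choice(alphabet) for alphabet, need in classes for _ in range(need)]
    pool = "".join(alphabet for alphabet, _ in classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    # Repair the position rules by swapping, which leaves the class counts intact.
    if policy.first_must_be_letter and not chars[0].isalpha():
        k = next((i for i in range(1, len(chars)) if chars[i].isalpha()), None)
        if k is not None:
            chars[0], chars[k] = chars[k], chars[0]
    if policy.last_must_not_be_symbol and not chars[-1].isalnum():
        k = next((i for i in range(1, len(chars) - 1) if chars[i].isalnum()), None)
        if k is not None:
            chars[-1], chars[k] = chars[k], chars[-1]
    password = "".join(chars)
    problems = violations(password, policy)
    if problems:   # only reachable with an unsatisfiable policy (e.g. minimums exceed max_length)
        raise ValueError("policy unsatisfiable: " + "; ".join(problems))
    return password


if __name__ == "__main__":
    print(generate_password(PasswordPolicy()))
```

The validator is the part worth keeping separate: the same function that checks generated values can check a password entered by hand, so a manual exception never bypasses the policy.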

Password Change Jobs

• Multi-threaded for speed and resilience

• Options for multi-threading can be user-configured

• Automatic retries of unsuccessful changes (network congestion, etc.)

• Changes up to 400 machines per minute

• Minimal performance impact on managed machines

Web Delegation Rules

Configures how different users and groups can interact with the web application, including:

• Password check-out / check-in / extension

• RDP/SSH access (no passwords disclosed)

• Approvals and workflows

• Require multi-factor authentication

• View reports, dashboards

ERPM Data Store

• Microsoft SQL Server (provided by customer)

• Supports clustering and other High Availability options

• Options for software encryption (AES-256 or FIPS 140-2 level 1), or third-party hardware encryption modules (FIPS 140-2 levels 2 or 3)

Reference Architecture

• Data Store: MS SQL Server cluster on Windows Server (2008 / 2012)

• Web Console: IIS 7.5 on Windows Server (2008 / 2012)

• Remote DB cluster for Disaster Recovery

• Zone Processors (Remote and DMZ): Windows Server

Product Details

Section 3


Platform Support

Servers and Workstations

• Windows

• Linux and UNIX

• AS/400

• OS/390

• z/OS, and other mainframes that support telnet and SSH 2.0 connectivity

Platform Support

Network Devices

• Check Point

• Cisco IOS

• EMC

• HP ProCurve

• Foundry

• Juniper

• NetApp

• Riverbed

…others that support telnet and SSH 2.0

Platform Support

Directories

• Apache

• Apple Open Directory

• IBM Tivoli Directory

• Microsoft Active Directory

• Novell eDirectory

• OpenLDAP

• Oracle Internet Directory

• Sun Java System Directory Server

• ViewDS Directory

… other LDAP-compliant directories

Platform Support

Lights-Out Management Cards

• Dell DRAC 3, 4, 5, 6, 6i

• Dell CMC

• HP iLO, iLO 2, iLO 3

…plus any IPMI-compatible card

Platform Support

Databases Managed

• MSDE 2000

• MS SQL 2000-2012 Express, Standard and Enterprise (x86 and x64)

• Oracle 9i-11g Express, Personal, Standard, and Enterprise

• MySQL 4.x-6.x

• DB2 7.x-9.x Express, Workgroup Server, Enterprise

• Sybase ASE 12.x, 15.x

Platform Support

Service / Process Accounts

• Service accounts are the building blocks of a service-oriented architecture platform

• Allow different software to work together to provide value-added services to end users

• Example: email client connects to email server, which connects to SAN storage

Service and Process Accounts Challenges

• Hard-wired and misconfigured service accounts make the network vulnerable to attack

• These passwords must be regularly changed to comply with regulatory mandates

• Most organizations ignore the risks because these passwords are too difficult to change

Service and Process Accounts Challenges (Cont’d)

• Each account can do different things in different places, so incomplete password changes could lock out the account and bring down the application, shutting off business access to end users

• Almost impossible to change manually; the change requires you to:

– Identify everywhere the service account is in use

– Stop all dependent services, in proper order

– Change the password everywhere it is referenced (“propagation”)

– Restart all dependent services
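The four manual steps above, together with the dependency-ordered stop/change/restart that the discovery slide describes, are clearer as one procedure. The Python below is an added example written for this page, not ERPM's propagation engine: it models an account's references and service dependencies with constructed data, computes the stop and start order with a topological sort, propagates the new password to every reference, and rolls everything back if any single propagation fails, so the account is never left half-changed and locked out.

```python
from collections import defaultdict, deque


class Estate:
    """Constructed stand-in for the managed environment: a directory holding
    the account password, one credential store per place the account is
    referenced (services, scheduled tasks, config files) and the set of
    services currently running. Names and passwords are made up."""

    def __init__(self, account, password, references, depends_on):
        self.account = account
        self.directory = {account: password}
        self.references = references                      # list of (kind, name)
        self.stores = {name: password for _, name in references}
        self.depends_on = depends_on                      # service -> services it needs
        self.services = [n for k, n in references if k == "service"]
        self.running = set(self.services)
        self.failing_refs = set()                         # simulate a failed propagation

    def start_order(self):
        """Kahn's algorithm: each service appears after the services it needs.
        Stop order is the reverse, so dependents go down before their providers."""
        indegree = {s: 0 for s in self.services}
        dependents = defaultdict(list)
        for svc, needs in self.depends_on.items():
            for dep in needs:
                if svc in indegree and dep in indegree:
                    dependents[dep].append(svc)
                    indegree[svc] += 1
        ready = deque(s for s in self.services if indegree[s] == 0)
        order = []
        while ready:
            s = ready.popleft()
            order.append(s)
            for d in dependents[s]:
                indegree[d] -= 1
                if indegree[d] == 0:
                    ready.append(d)
        if len(order) != len(self.services):
            raise RuntimeError("dependency cycle among services; refusing to change anything")
        return order

    def rotate(self, new_password):
        """Change the password and propagate it everywhere. On any failure,
        restore the old password so no reference is left holding a password the
        directory no longer accepts (the lockout the slide warns about)."""
        old_password = self.directory[self.account]
        start = self.start_order()
        stop = list(reversed(start))
        for svc in stop:                                  # step 2: stop dependents first
            self.running.discard(svc)
        self.directory[self.account] = new_password       # step 3: change at the source
        updated = []
        for _, name in self.references:                   # step 3: propagate to each reference
            if name in self.failing_refs:
                self.directory[self.account] = old_password
                for done in updated:
                    self.stores[done] = old_password
                self.running.update(start)
                return {"status": "rolled_back", "failed_at": name,
                        "stop_order": stop, "start_order": start}
            self.stores[name] = new_password
            updated.append(name)
        for svc in start:                                 # step 4: restart providers first
            self.running.add(svc)
        return {"status": "ok", "stop_order": stop, "start_order": start}

    def consistent(self):
        """True when every reference holds the directory's password and all services run."""
        current = self.directory[self.account]
        return (all(v == current for v in self.stores.values())
                and self.running == set(self.services))


def build_example():
    """Constructed discovery result (step 1) for one account used in four places."""
    references = [
        ("service", "web01/AppCore"),
        ("service", "web01/AppFrontEnd"),
        ("task", "web01/NightlyExport"),
        ("config", "web01/app.conf"),
    ]
    depends_on = {"web01/AppFrontEnd": ["web01/AppCore"]}   # front end needs core running
    return Estate("svc_app", "old-password-placeholder", references, depends_on)


if __name__ == "__main__":
    estate = build_example()
    print(estate.rotate("new-password-placeholder"), estate.consistent())
```

The rollback branch is the part a manual change cannot offer: once a human has typed the new password into three of four places and the fourth fails, the account is already inconsistent, which is why the slide calls the manual route almost impossible.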

Technology Integrations

McAfee ePO Integration

• Whenever ePO reports problems, view privileged account details and check passwords from the ePO interface

• Save IT staff hours gaining approvals and documenting access at the most critical times

Help Desk Integrations

• Allow only authorized personnel, with a need for access as determined by each trouble ticket, to log in using privileged credentials

• Update trouble ticket status based on privileged account activity

• Create new trouble tickets should ERPM report unexpected events

[Screenshot: SCSM Integration]

Help Desk Integrations (Cont’d)

• Microsoft System Center Service Manager

• HP Service Manager

• BMC Remedy

• ServiceNow

• Event Sink to integrate with most others


SIEM Integrations

Security Information and Event Management (SIEM)

• Enables SIEM to correlate security events with privileged account activity

• Eliminates a key SIEM blind spot, making privileged user actions no longer anonymous

• ERPM forwards comprehensive event data: console and password operations, Web application, file vault, scheduler activity
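One concrete form of the correlation described above is attributing a shared-account logon to the person who held the checkout at that moment, and flagging logons with no checkout behind them. The Python below is an added example, not ERPM's syslog format and not any SIEM's rule language; the event lines, field names, hostnames, addresses and the 8-hour checkout window are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simple key=value format: password checkout
# and check-in records from the PIM system, and host logon records, as a SIEM
# might receive them over syslog. Hostnames, users and addresses are made up.
SAMPLE_EVENTS = """\
2014-12-03T09:02:11Z erpm01 CHECKOUT user=jdoe account=Administrator target=srv-fs01 ticket=INC0001234
2014-12-03T09:05:40Z srv-fs01 LOGON account=Administrator source=10.0.5.23 type=rdp
2014-12-03T09:40:02Z erpm01 CHECKIN user=jdoe account=Administrator target=srv-fs01
2014-12-03T11:15:09Z srv-fs01 LOGON account=Administrator source=10.0.7.88 type=rdp
2014-12-03T11:20:00Z srv-db01 LOGON account=sa source=10.0.5.23 type=sql
"""

MAX_CHECKOUT = timedelta(hours=8)   # assumed maximum checkout duration


def parse_events(text):
    """Parse 'timestamp host KIND k=v k=v ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields.update(time=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, kind=kind)
        events.append(fields)
    return events


def correlate(events):
    """Attribute each LOGON to the user holding a checkout for that account on
    that host at logon time; otherwise mark it unattributed."""
    checkouts = {}   # (account, target) -> (user, checkout_time)
    results = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["kind"] == "CHECKOUT":
            checkouts[(e["account"], e["target"])] = (e["user"], e["time"])
        elif e["kind"] == "CHECKIN":
            checkouts.pop((e["account"], e["target"]), None)
        elif e["kind"] == "LOGON":
            holder = checkouts.get((e["account"], e["host"]))
            user = holder[0] if holder and e["time"] - holder[1] <= MAX_CHECKOUT else None
            results.append({"time": e["time"].isoformat(), "host": e["host"],
                            "account": e["account"], "source": e.get("source"),
                            "attributed_to": user})
    return results


def unattributed(results):
    """Privileged logons with no matching checkout: the blind spot the slide
    describes, and the events worth an alert."""
    return [r for r in results if r["attributed_to"] is None]


if __name__ == "__main__":
    for row in correlate(parse_events(SAMPLE_EVENTS)):
        print(row)
```

In the sample data the first logon resolves to jdoe, the second uses the same account after the checkout was returned, and the third uses an account nobody checked out at all; the last two are what the correlation exists to surface.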

SIEM Integrations

• HP ArcSight

• Q1 Labs QRadar

• RSA enVision

• Splunk

• …ERPM syslog integrates with virtually all others

ERPM – SAP Integration

• ERPM is the first product certified to discover and manage privileged identities in SAP

• Enables IT compliance by securing, auditing and reporting SAP access

• Automatically checks in, randomizes, and eliminates sharing of powerful SAP logins

[Screenshot: ERPM Service Catalog in NetWeaver]

ERPM – Qualys Integration

• Qualys security scanners store super-user passwords to access systems

• Integration allows QualysGuard to access credentials stored securely in ERPM to scan Windows, UNIX, Oracle, MS SQL, IBM DB2 and other resources

• Eliminates double retention of privileged passwords to save IT staff time and remove an attack surface

ERPM – Middleware Integration

• ERPM auto-discovers, randomizes, and grants secure audited check-out of highly privileged middleware accounts

• Supports Oracle WebLogic, IBM WebSphere, MS SQL Reporting Services and others

Multi-Factor Authentication

• Configurable for access to passwords, and access to the Management Console

• Out-of-the-box support for RSA SecurID, YubiKey, and other proprietary tokens

• OATH authentication using third-party tokens

• Out-of-band, Time-based One-Time Password (TOTP) authentication by email and SMS using OATH (at no additional cost)

The ERPM Product Offering

Section 4


Core Product Option

• Auto-Discovery

• Root/Admin Password Management

• Service Account Management

• Repository

• Account Elevation

• Auditing/Reports/Dashboards

• IBM Protocol Support

• DB Account Support

• MSFT Support

• Ticketing System Integration

• Multi-Factor Authentication


Disaster Recovery and High Availability

• Cluster License for High Availability and Disaster Recovery

• Zone Processors for 24/7 remote availability regardless of network issues

Session Recording

• Captures full textual metadata with each session

• Quickly search and access by metadata

• Jump Server and Agent options

Multi-Language Support

• Web Application works in 20+ languages

• Fully localized (not machine-translated) user interfaces and dashboards

• Browser auto-select or user-selectable

Application Integration

Event Sinks

• Event triggering, notification and integration

• Wizard easily integrates third-party software

SDK and Web Services

• Custom propagations update files and applications directly

• Can replace embedded passwords with ERPM calls

PowerShell Integration

• Full automation and programmatic orchestration of privileged identity management operations

• Allows machine control of discovery, password changes, delegation, auditing and more…

• Can be used from within MS System Center Orchestrator

Web Services Interface

• Platform-agnostic SOAP interface

• Full automation and programmatic orchestration of privileged identity management operations

• Deploy, manage and de-provision privileged accounts and file-based secrets (including X.509 and other certificates and large binary files) regardless of the physical or virtual machine where they reside

[Diagram: Web Services API]

SAP NetWeaver Integration

Optional Feature

• First SAP-certified PIM solution

• Continuously discovers SAP accounts

• Integrates directly with the SAP NetWeaver Gateway

• Manages accounts in SAP v7.01 and newer through direct API calls

Encryption Options

Hardware Security Module (HSM)

• Supports use of external FIPS 140-2 certified encryption modules, including Thales nShield

Software-based Encryption

• Supports up to AES-256

Competitive Landscape


What Differentiates ERPM?

• Rapid, complete deployments (in days, not months)

– User installable and configurable, with no need for scripting, customization, or professional services

– Easy to upgrade and manage over time

• Superior technology

– Auto-Discovery and Correlation, Propagation

– Unsurpassed service account management

– N-tier deployment architecture

• Open standards: no proprietary technology

• Enterprise-ready for scale, scope, and complex, dynamic infrastructures

– Resilient solution: without constant IT intervention

• Comprehensive and open documentation

Our Competitive Advantages

In Order of Priority

• We win on ease and speed of deployment and ongoing low TCO. (What is the real cost?)

• In a POC we can prove that we do what we say we can do, always at the customer site, on their network

• Propagation/Service Account Management

• Auto-Discovery and Correlation

• We are the only company to have point solutions in our “toolkit” which we use to clean up customer networks prior to ERPM installation and deployment.

Features / Benefits slide

Need to develop

• CHECK BOXES WHO HAS WHAT


How to Price the Solution

[Sales to provide]


Competitive Landscape

vs. “Company A.”

ERPM uses 100% native API calls and doesn’t rely on WMI and cached data

• Fewer password change failures

• Fewer service disruptions

Competitive Landscape

vs. “Company A.”

ERPM performs dynamic dependency analysis with real-time discovery before updating interdependent service accounts

• Competing solution never fully eliminates the need for a time-consuming manual change process

Competitive Landscape

vs. “Company A.”

ERPM is installed on industry-standard Windows Server and your choice of MS SQL or Oracle databases

• Competing solution is an appliance that’s built on a mix of open-source and proprietary software.

Competitive Landscape

vs. “Company A.”

ERPM security is built on trusted protocols including FIPS 140-2 and AES-256

• Competitor’s security architecture uses multiple proprietary layers

• Competitor’s known software vulnerabilities are published in the NIST.gov database

Competitive Landscape

vs. “Company A.”

ERPM is designed for self-service and is typically deployed in large enterprises in under 3 days

• Competitor relies on professional installation and configuration services to uphold its product warranty

• With so many paid services required to maintain its products, the Competitor’s “license fee represents just one-fifth* of the typical project” costs

*Stated by competitor’s Sales VP, per “CRN UK” 11/2011

Client Case Studies


Client Case Study

Client Profile

• Credit union founded in the 1930s, with branches located throughout the U.S. and Puerto Rico and approximately 218,000 members.

Situation

• Time-consuming manual changes: 10+ hrs per change, not comprehensive

• Ignored complicated service account changes

• Failing frequent financial and regulatory compliance audits

Solution

• ERPM was deployed to the client’s cross-platform enterprise.

Results

Improved Operations >> Time and Cost Savings

• Accounts secured regularly without manual intervention

• Eliminated burden of manually producing reports

Reduced Risk Profile

• Automated the discovery and securing of service accounts

Achieved Regulatory Compliance

• Demonstrated control, passed internal and external NCUA audit

Client Case Study

Client Profile

• North American subsidiary of a global consumer/commercial financial institution with presence in key business and financial centers throughout the world.

Situation

• Urgent need to secure privileged accounts before a looming audit

• Zero impact to ongoing IT Operations

Solution

• ERPM was quickly deployed (under 2 weeks) across 1100+ servers at three North American data centers

Results

Improved Operations >> Time and Cost Savings

• Deployed with minimal manual effort

• Automated account discovery keeps up with their dynamic environment

Reduced Risk Profile

• All privileged access is delegated, tracked and audited

Achieved Regulatory Compliance

• Demonstrated control, passed immediate internal audit, now “in good shape”

Questions