
Threat Analytics
The key to protecting privileged access and preventing breaches

Mark McGovern
VP Product Management
CA Technologies

13 December 2016

What We’ll Cover Today

- The Root Cause for today’s problems
- Powerful Strategy to enable enterprises
- Core Elements for Analytics Solution

Why Analytics Are Critical Today
A Spectrum of Real World Threats and Needs

- External Hackers
- High Risk Insider Activity & Threat
- Insight & Incident Response Support
- Breach Prevention
- Improved Compliance
- User Experience

Enterprise Defenses are Static

- Compromised accounts
- Privileged access and insiders
- Untrusted end points

- Provisioning: Provide new users with access to resources
- Authentication: Validate identity when access requested
- Bad guys exploit this gap to their advantage
- Privileged Access Management: Limit admin and system control access
- Identity & Access: Manage and report on access provided

Enterprise security solutions don’t adapt based on behavior: how data is accessed, used or misused

Diagram labels: SIEM, IDS, AWS

A Proven Approach to Security
Market Leader Providing Data Science Based Fraud Analytics To Banks

Protect your data the way the banks protect your money, using the same approach used in online credit card security

Payment Security | Enterprise Security

The Key Functions of Credit Card Security

- Activity Information
- Detection
- Integrated Remediation
- Insight & Learning

Applying the Credit Card Model to PAM

Raw data
- Focus on domain specific contextual data – for PAM, initially authentication & connection events
- Future integration with other CA products (and their contextual data) enable effortless and accurate access to data

Entity relationships & risk mapping
- System extracts critical information about activities and environment
  - Locations
  - System access
  - Devices
  - Sensitivity

Advanced analytics
- Behavior captured and modeled for fast evaluation
- Changes in model are evaluated to detect risk and malicious activity

Automated mitigation
- Trigger automated controls to mitigate risk
- Start a session recording
- Force a re-authentication
- Generate actionable alerts
- Enable context rich event reporting

Step 1: Stay Focused

The goal is not to “boil the ocean”

Start with the critical system – your PAM system

PAM: Ingest, Parse, Normalize, Synchronize

As SIEM and log aggregation has shown, this is more difficult than it appears.

Look for an integrated solution

Enabling Insight into Users and Behavior

Discrete event data is analyzed, refined and used to update longitudinal view of entities

Entity & Relationship Graph
- who, what, where, when, how
- average, most, 1st, only, frequent, new, …

The true difference between behavior analytics and other existing capabilities (SIEMs, log aggregators, …)

* Track * Test * Inspect * Measure *

The Entity & Relationship Graph

Actionable insight and context that can be used by both automated processes and administrators

Making Risk Decisions Using True Context

Context enables detection of true risk & avoids reliance on brittle rules

Evaluating changes & new behavior
- Significant change?
- Consistent with their own past behavior?
- Current trends across user population?

Change detected

Remember – the goal of using analytics is to avoid requiring administrators to be constantly watching and managing static complex rules.

Mitigations: Automated and Appropriate

Different threats – demand different responses

Detect

Compromised identity
Identities compromised by attacks that include:
- Phishing
- Weak passwords
- Malware
- Compromised devices
- Man-in-the-middle

High-risk insider activity & threat
Authorized user actions that pose serious risks:
- Contractors
- Partners
- Policy violators
- Disgruntled and departing employees

Insight and incident response support
Blind spots in how systems are used.
Need quick responses to incidents and SOC inquiries:
- Identify users and risky activity associated with IP, devices, data assets

Mitigate

Automatically trigger the right mitigations
- Alerting
- Automated session recording
- Reporting and insight into system use and risk
- Re-authentication

Mitigations: Automated and Appropriate

Look for mitigations that enable real power

- Low Friction & Ideally invisible
- Complement Existing PAM, SIEM & SOC Workflows
- Provide context needed to investigate & resolve

- Trigger session recording based on risk
- Session re-authentication on high risk
- Context rich alerts to SIEM and SOC
- Detailed incident reporting
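
The risk decision and mitigation slides above, as an added Python sketch (not code from the presentation or from CA's product): a PAM connection event is compared with the user's own history and with the user population, and the resulting risk selects a mitigation. The events, sensitivity labels, weights and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed PAM connection events: (user, location, device, target system).
HISTORY = [
    ("alice", "Boston", "laptop-a1", "db-prod"),
    ("alice", "Boston", "laptop-a1", "web-01"),
    ("bob",   "Austin", "laptop-b7", "web-01"),
    ("bob",   "Austin", "laptop-b7", "db-prod"),
    ("carol", "Austin", "laptop-c3", "web-01"),
]
SENSITIVE = {"db-prod", "vault-01"}      # assumed sensitivity labels
DIMS = ("location", "device", "system")

def build_graph(events):
    """Entity & relationship view: per user, every value seen on each dimension."""
    graph = defaultdict(lambda: {d: set() for d in DIMS})
    for user, *values in events:
        for dim, value in zip(DIMS, values):
            graph[user][dim].add(value)
    return graph

def score(graph, event):
    """Score one event against the user's own past and the population trend."""
    user, *values = event
    own = graph.get(user)                # None for a user never seen before
    risk, context = 0, []
    for dim, value in zip(DIMS, values):
        if own and value in own[dim]:
            continue                     # consistent with their own past behavior
        peers = sum(value in g[dim] for u, g in graph.items() if u != user)
        risk += 1 if peers else 2        # new to the whole population weighs more
        context.append(f"new {dim} {value} (seen for {peers} peers)")
    if risk and values[2] in SENSITIVE:
        risk += 1                        # the change touches a sensitive system
        context.append(f"sensitive target {values[2]}")
    return risk, context                 # context feeds the alert sent to the SOC

def mitigate(risk):
    """Map risk to the mitigations the slides name (thresholds are assumptions)."""
    if risk >= 4:
        return ["re-authenticate", "record session", "alert SOC"]
    if risk >= 2:
        return ["record session"]
    return []
```

Routine activity passes with no friction, a first-time connection to a sensitive system that peers also use only starts a recording, and a login from a location and device nobody has used triggers re-authentication with a context-rich alert.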

Putting it all together

- Stay Focused – Don’t try to boil the ocean
- Analytics that provide insight for both human and machine
- Risk decisions based on full context
- Automated mitigations that enable true power

CA Threat Analytics for PAM
www.ca.com/us/products/ca-threat-analytics-for-privileged-access-manager.html

Questions or further
information:
mark.mcgovern@ca.com
THIS TRAINING CONTENT (“CONTENT”) IS PROVIDED TO YOU WITHOUT WARRANTY, “AS IS” AND “WITH ALL
FAULTS.” ISACA MAKES NO REPRESENTATIONS OR WARRANTIES EXPRESS OR IMPLIED, INCLUDING
THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR PERFORMANCE, AND NON-
INFRINGEMENT, ALL OF WHICH ARE HEREBY EXPRESSLY DISCLAIMED.
YOU ASSUME THE ENTIRE RISK FOR USE OF THE CONTENT AND ACKNOWLEDGE THAT: ISACA HAS
DESIGNED THE CONTENT PRIMARILY AS AN EDUCATIONAL RESOURCE FOR IT PROFESSIONALS AND
THEREFORE THE CONTENT SHOULD NOT BE DEEMED EITHER TO SET FORTH ALL APPROPRIATE
PROCEDURES, TESTS, OR CONTROLS OR TO SUGGEST THAT OTHER PROCEDURES, TESTS, OR
CONTROLS THAT ARE NOT INCLUDED MAY NOT BE APPROPRIATE; ISACA DOES NOT CLAIM THAT USE OF
THE CONTENT WILL ASSURE A SUCCESSFUL OUTCOME AND YOU ARE RESPONSIBLE FOR APPLYING
PROFESSIONAL JUDGMENT TO THE SPECIFIC CIRCUMSTANCES PRESENTED TO DETERMINING THE
APPROPRIATE PROCEDURES, TESTS, OR CONTROLS.

Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING
THIS WEBINAR

For more information, visit www.ISACA.org
