
PAS ADMINISTRATION

Introduction to Core PAS

CyberArk Training
LESSON OBJECTIVES

This lesson provides an introduction to the CyberArk Privileged Access Security (PAS) solution.

During this lesson, we will look at:

• Basic system principles

• A common attack method and how CyberArk PAS can minimize exposure

• Key features of the Core PAS solution

• Core PAS architecture

• System interfaces and utilities

• Online help and customer community

BASIC SYSTEM PRINCIPLES

PRIVILEGED ACCESS SECURITY

Privileged accounts are the “keys to the kingdom”

• Administrator on a Windows server

• Root on a UNIX server

• Oracle DBA

• Cisco Enable on a Cisco device

CyberArk’s Privileged Access Security (PAS) solution


enables organizations to secure, manage, control,
and monitor all activities associated with
privileged accounts.

PRIVILEGED ACCOUNTS CREATE A HUGE ATTACK SURFACE

[Figure: who holds privileged accounts: System Administrators; 3rd-Party & Service Providers; Select Applications; Business Users; Social Networking Account Managers]

Privileged accounts exist in every connected device,


database, application, industrial controller, and more!

Typically a ~3X ratio of privileged accounts to employees

ATTACKERS NEED INSIDER CREDENTIALS

“…100% of breaches involved stolen credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

Mandiant, M-Trends and APT1 Report

PRIVILEGE IS AT THE CENTER OF THE ATTACK LIFECYCLE
Typical Lifecycle of a Cyber Attack

• Penetration
• Credential theft
• Reconnaissance
• Lateral movement
• Privilege escalation
• Repeat

CYBERARK BREAKS THE ATTACK CHAIN

• Penetration
• Credential theft
• Reconnaissance
• Lateral movement
• Privilege escalation
• Repeat

PROACTIVE PROTECTION, DETECTION, & RESPONSE

[Figure: privileged accounts across the estate (databases/hypervisors, applications, endpoints, network devices, industrial controls, social media), each exposed to insider and external threats, and the three layers CyberArk applies to them:]

Proactive protection
• Secured credentials
• Only authorized users
• Individual accountability
• Session isolation
• Limit scope of privilege

Targeted detection
• Continuous monitoring
• Malicious behavior
• High risk behavior
• Alerts

Real-time response
• Session suspension/termination
• Full forensics record of activity

CYBERARK DELIVERS A NEW CRITICAL SECURITY LAYER

PERIMETER SECURITY

SECURITY CONTROLS INSIDE THE NETWORK


MONITORING

PRIVILEGED ACCESS SECURITY

A COMMON ATTACK METHOD

PASS-THE-HASH

• A common type of attack.

• For Windows single sign-on, the Local Security Authority Subsystem Service (LSASS, lsass.exe) keeps the NT password hashes of logged-on accounts in memory so it can authenticate on the user's behalf without prompting again.

• Note: a hash is not an encrypted password; it is the output of a one-way function. The NT hash is MD4 over the UTF-16LE password with no salt, so for NTLM authentication the hash itself is a password-equivalent: whoever holds it can authenticate as that account without cracking it, and the same password produces the same hash on every machine.

• Widely available tools such as mimikatz can read those hashes from LSASS memory (this needs administrator or SYSTEM rights on that host) and replay them to move laterally through the network. A local Administrator password shared across many hosts, or a Domain Admin logon on an ordinary workstation, turns one compromised machine into many.
CYBERARK PRIVILEGED ACCESS SECURITY

KEY FEATURES

Standard Core PAS:

• Discover and manage credentials

• Isolate credentials and sessions

• Record and audit sessions

• Monitor privileged activity

• Remediate risky behavior

DISCOVER AND MANAGE CREDENTIALS

• Automated processes for account discovery

• Policies, enforced by the Central Policy Manager (CPM), to manage:

  • Password complexity and length

  • Rotation frequency

  • Etc.

[Figure: before management, the enterprise IT environment shares one password across systems; after onboarding, the Digital Vault holds a unique, random, policy-conformant value for each account and the CPM rotates it.]

  System    User           Pass (before)
  Unix      root           tops3cr3t
  Oracle    SYS            tops3cr3t
  Windows   Administrator  tops3cr3t
  z/OS      DB2ADMIN       tops3cr3t
  Cisco     enable         tops3cr3t

  After: Tojsd$5fh, y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p (one distinct value per account)
ISOLATE CREDENTIALS AND SESSIONS

• CyberArk enables secure connections to critical systems through the use of a proxy: the user logs on to the PVWA and launches the session, and the Privileged Session Manager (PSM) server opens the RDP (or other protocol) connection to the target on the user's behalf.

• Target systems are fully isolated: privileged credentials are not exposed to end users or to their applications or devices. Only the PSM retrieves the credential from the Vault and injects it into the session, so there is nothing on the user's workstation for a pass-the-hash tool to harvest.

• Target systems are configured not to accept direct connections: a direct RDP connection from the user's workstation is blocked, and only the PSM servers are allowed to reach the target's management ports.

[Figure: User -> PVWA -> PSM Server -> RDP -> Target; direct RDP connection from the workstation to the target is blocked]
RECORD AND AUDIT SESSIONS

• Privileged sessions are recorded in video and/or text format.

• Recordings are stored encrypted in the tamper-resistant Digital Vault.

• Recordings have a clickable timeline for navigating to specific events (for example a particular command or window title) without replaying the whole session.
MONITOR PRIVILEGED ACTIVITY

• CyberArk session monitoring enables review of recordings and of live sessions.

• This enables security operations center personnel to take a risk-based approach by prioritizing the riskiest activities occurring within the environment.
REMEDIATE RISKY BEHAVIOR

• CyberArk can automatically rotate credentials in the event of risky behavior, such as suspected credential theft or a privileged credential being used without having been retrieved through the Digital Vault (i.e. use that bypasses the Vault).

• Unmanaged accounts can be automatically on-boarded and managed through CyberArk's continuous discovery capabilities.

• Additionally, administrators can establish policies to either automatically suspend or terminate privileged sessions based on the risk score assigned to them.
KEY FEATURES: STANDARD CORE PAS

Discover & Manage
• Secure and manage privileged passwords, SSH keys and other secrets
• Continually scan the environment to detect privileged accounts and credentials
• Add accounts to pending to validate privilege, or automatically onboard and rotate

Isolate
• Secure jump server to control credentials in an isolated instance
• Connect via secure jump server using a variety of native workflows
• Prevent malware attacks and control privileged access

Record/Audit
• Record privileged sessions and store them in a centralized repository
• Audit logs of video recordings stored automatically

Monitor
• View privileged activity by going directly to specified activities, keystrokes, etc.
• Send automatic alerts to SOC and IT admins based on risky activities
• Automatically start viewing the riskiest sessions first, at the point of the most suspicious activities

Remediate
• Suspend and/or terminate privileged sessions automatically based on risk score and activity
• Initiate automatic credential rotation based on risk in case of compromise/theft
• Reduce the number of accounts that can be used to circumvent privileged access controls

Deployment: On-Premises, Cloud, Hybrid

Automation with REST APIs and policies enhances Core PAS functionality
STANDARD CORE PAS ARCHITECTURE

STANDARD CORE PAS COMPONENTS

Secure Digital Vault
• A hardened and secured server used to store privileged account information
• Based on a hardened Windows server platform

Password Vault Web Access (PVWA)
• The web interface for users to gain access to privileged account information
• Used by Vault administrators to configure policies

Central Policy Manager (CPM)
• Performs the password changes on devices
• Scans the network for privileged accounts

Privileged Session Manager (PSM)
• Isolates and monitors privileged account activity
• Records privileged account sessions

Privileged Threat Analytics (PTA)
• Monitors and detects malicious privileged account behavior
THE VAULT AND ITS COMPONENTS

• The Vault is at the center of the CyberArk PAS solution.

• CyberArk components (Password Vault Web Access, Central Policy Manager, Privileged Session Manager, Privileged Threat Analytics, Application Providers, PACli and SDKs, the PrivateArk Client and Unix/Windows clients) communicate with the Vault using the CyberArk proprietary protocol on TCP port 1858. That is the port to allow between each component and the Vault; the Vault does not expose HTTP, RDP or file shares to them.

• Components must authenticate each time they connect to the Vault.

• Each component has its own Vault User ID and password.

[Figure: the Vault in the center, with PSM, PVWA, CPM, PACli and SDKs, PrivateArk Client, Unix/Windows Application Providers and PTA connected to it]
THE VAULT AND ITS CLIENTS

[Figure: who reaches the Vault through which component]

• End users (IT staff, auditors, etc.) -> Password Vault Web Access and Privileged Session Manager -> managed target accounts and servers
• Central Policy Manager -> managed and unmanaged target accounts and servers
• Custom applications and reporting tools -> PACli and SDKs
• Vault administrators -> PrivateArk Client
• Unix/Windows application users -> Unix/Windows Application Providers -> target databases
• Privileged Threat Analytics
THE VAULT: END-TO-END SECURITY

Firewall
• Proprietary protocol
• Hardened built-in Windows firewall

Authentication (Vault user credential)
• Single- or two-factor authentication (two-factor recommended)

Discretionary Access Control
• Granular permissions
• Role-based access control

Mandatory Access Control
• Subnet-based access control
• Time limits and delays

Auditing
• Tamperproof audit trail
• Event-based alerts

Session Encryption
• OpenSSL encryption

Stored File Encryption
• Hierarchical encryption model
• Every object has a unique key
CYBERARK’S SCALABLE ARCHITECTURE

[Figure: a Vault HA cluster in the main data center (US) serving PVWA, PTA, CPM and PSM for auditors and IT; remote IT environments in London and Hong Kong, each with their own auditors/IT, connect back to it; a DR site holds a replica Vault]
SYSTEM INTERFACES AND UTILITIES

• PVWA
• PrivateArk Client
• PACLI
• PAS Web Services (REST API)
• Vault Central Administration Station
• Remote Control Client

PASSWORD VAULT WEB ACCESS

• PVWA version 10 introduced the new user interface, which focuses on seamless workflows and easy access.

• End users use this interface to retrieve passwords or launch privileged sessions.

• Auditors use this interface to monitor privileged sessions.

• Some features still require the classic (version 9) interface, which can be accessed through a dedicated link.
PVWA – CLASSIC INTERFACE

• The classic interface is mostly used by Vault Administrators to manage policies and permissions, and to configure the PVWA and the other components.
PRIVATEARK CLIENT

• The PrivateArk Client is the legacy interface to Vault data.

• It is mostly used by administrators for certain tasks that are not implemented in PVWA, and for any tasks involving file movements, which are more convenient in PrivateArk than in PVWA.

• The PrivateArk Client can be installed on any station with network access to the Vault (port 1858).
LEGACY – PACLI

The PrivateArk Command Line Interface (PACLI) enables CyberArk Vault users to access the Vault server from any location using an intuitive command-line environment. Typical uses:

• Bulk adding users
• Adding safes
• Modifying properties
• Any other scripting usages

Example session (the Vault definition is read from a parameter file; PACLI LOGON prompts for the password when none is supplied):

    PACLI INIT
    PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
    PACLI DEFAULT VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root
    PACLI LOGON
    PACLI SAFESLIST output(ALL,ENCLOSE)
    PACLI OPENSAFE
    PACLI FILESLIST output(NAME,CREATIONDATE,RAW)
    PACLI OPENSAFE SAFE=finance
    PACLI FOLDERSLIST SAFE=finance output(NAME)
    PACLI FOLDERSLIST output(ALL,ENCLOSE)
    PACLI LOGOFF
    PACLI TERM

For unattended scripts, do not pass PASSWORD= on the command line (it is visible in process listings and script history); create an encrypted logon file with PACLI CREATELOGONFILE, restrict its file permissions to the account running the script, and reference it with LOGONFILE= at logon.
PAS WEB SERVICES

• The PAS Web Services is a RESTful API that enables users to create, list, modify, and delete entities in PAS using programs and scripts.

• The main purpose of the PAS Web Services is to automate tasks that are usually performed manually using the UI and to incorporate them into system- and account-provisioning scripts.

• Every call goes through the PVWA, which authenticates the caller against the Vault and then acts on its behalf. The exchange shown on the slide:

    Client -> PVWA:  HTTP LOGON (user name and password in the request body)
    PVWA -> Vault:   authenticate user
    PVWA -> Client:  HTTP response code 200 Success
                     CyberArkLogonResult=AAEAAAD/////AQAAAAAAAAAMAgAAAFhDeWJlckFyay5TZXJ2aWNlcy5XZWIsIFZlcnNpb249OC4w
    Client -> PVWA:  ADD USER (the token above is sent in the Authorization header)
    PVWA -> Vault:   create the user
    PVWA -> Client:  HTTP response code 201 Success

The CyberArkLogonResult value is the session token; it is as sensitive as the password that obtained it, so scripts should keep it out of logs and log off when done rather than leaving the session to expire.

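The exchange above as an added example in Python (not CyberArk's code and not part of the deck). It separates the session handling from the HTTP transport so the same client runs against a real PVWA over HTTPS (urllib) or against a constructed stand-in that replays the slide's responses offline. The endpoint paths and JSON field names follow the legacy (v9-style) web services whose logon reply carries CyberArkLogonResult; treat them as assumptions and confirm them against the REST reference for your PVWA version. The service account, its password and the new user are constructed test values.

```python
"""PAS Web Services walk-through: logon -> authenticated call -> logoff."""
import json
from urllib import error, request

# Assumed legacy endpoint paths; verify against your version's REST reference.
LOGON_PATH = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logon"
LOGOFF_PATH = "/PasswordVault/WebServices/auth/Cyberark/CyberArkAuthenticationService.svc/Logoff"
USERS_PATH = "/PasswordVault/WebServices/PIMServices.svc/Users"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport. urllib verifies the PVWA certificate by default;
    do not disable that to work around a certificate error."""
    data = json.dumps(body).encode() if body is not None else None
    req = request.Request(url, data=data, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except error.HTTPError as exc:
        raw = exc.read()
        try:
            return exc.code, (json.loads(raw) if raw else {})
        except ValueError:
            return exc.code, {"raw": raw.decode(errors="replace")}


class PasClient:
    """Holds the session token and sends it in the Authorization header."""

    def __init__(self, base_url, transport=urllib_transport):
        if not base_url.lower().startswith("https://"):
            raise ValueError("the logon body carries a password: use HTTPS to the PVWA")
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def _call(self, method, path, body=None):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = self.token  # raw token, no "Bearer " prefix
        return self.transport(method, self.base_url + path, headers, body)

    def logon(self, username, password):
        status, payload = self._call("POST", LOGON_PATH, {"username": username, "password": password})
        if status != 200:
            raise PermissionError(f"logon failed: HTTP {status} {payload.get('ErrorMessage', '')}")
        self.token = payload["CyberArkLogonResult"]
        return self.token

    def add_user(self, username, initial_password, location="\\"):
        body = {"UserName": username, "InitialPassword": initial_password,
                "ChangePasswordOnTheNextLogon": True, "Location": location}
        return self._call("POST", USERS_PATH, body)

    def logoff(self):
        """Invalidate the token server-side instead of leaving it valid until timeout."""
        if self.token:
            try:
                self._call("POST", LOGOFF_PATH)
            finally:
                self.token = None

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.logoff()


class FakePvwa:
    """Constructed stand-in for a PVWA that replays the exchange on the slide."""
    TOKEN = "AAEAAAD/////AQAAAAAAAAAMAgAAAFhDeWJlckFyay5TZXJ2aWNlcy5XZWIsIFZlcnNpb249OC4w"
    CREDS = {"svc_prov": "Example!1"}  # constructed test credential

    def __init__(self):
        self.calls = []  # (method, url, headers, body), kept for inspection

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, dict(headers), body))
        if url.endswith(LOGON_PATH):
            if self.CREDS.get(body.get("username")) == body.get("password"):
                return 200, {"CyberArkLogonResult": self.TOKEN}
            return 403, {"ErrorMessage": "Authentication failure"}
        if headers.get("Authorization") != self.TOKEN:
            return 401, {"ErrorMessage": "Authorization token is missing or invalid"}
        if method == "POST" and url.endswith(USERS_PATH):
            return 201, {"UserName": body["UserName"], "Location": body["Location"]}
        if url.endswith(LOGOFF_PATH):
            return 200, {}
        return 404, {"ErrorMessage": "not implemented in the fake"}


def provision_user(transport, base_url, svc_user, svc_pass, new_user, new_pass):
    """End-to-end flow: logon -> ADD USER (expects 201) -> logoff, always."""
    with PasClient(base_url, transport) as pas:
        pas.logon(svc_user, svc_pass)
        status, payload = pas.add_user(new_user, new_pass)
    return status, payload


if __name__ == "__main__":
    fake = FakePvwa()
    print(provision_user(fake, "https://pvwa.example.corp", "svc_prov", "Example!1", "judy", "Tmp#Pass1"))
    # Against a real PVWA: PasClient("https://<pvwa>") with the default transport, and the
    # service account's password fetched from a credential provider, not hard-coded.
```

The `with` block guarantees the logoff even when the user creation fails, and the HTTPS check refuses to send the logon body in clear. The fake rejects any call that lacks the token, which is the behaviour a script author most often trips over when the token is dropped between calls.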
VAULT CENTRAL ADMINISTRATION STATION

Only available on the Vault server itself. Used for:

• Starting and stopping the PrivateArk Server Windows service
• Displaying the Vault Server log (ITALOG.LOG)
• Changing the Vault debug level dynamically
REMOTE CONTROL CLIENT

• Runs from a command line interface.
• Executes tasks on the Vault server via the Remote Control Agent.
• Client and agent communicate via the CyberArk Remote Control protocol on port 9022.
• RCC reduces the need to open an RDP port to the Vault.

Monitoring the Vault status using the Remote Control Client:

    PARCLIENT> status vault
    Password: *********
    Vault is running.
    PARCLIENT> stop vault
    Are you sure you want to stop the remote Vault (Y/N)? y
    Vault was stopped successfully
    PARCLIENT> start vault
    Vault was started, pending service running. use status command for further details.
    PARCLIENT> status vault
    Vault is running.
    PARCLIENT> status ene
    ENE is stopped.
    PARCLIENT> start ene
    ENE was started, pending service running. use status command for further details.
    PARCLIENT> status ene
    ENE is running.
    PARCLIENT>
ONLINE HELP AND CUSTOMER COMMUNITY

CYBERARK CUSTOMER COMMUNITY

• Online documentation

• Knowledge base

• Training

• Enhancement Requests

• Marketplace

ON-LINE DOCUMENTATION

• From version 10.10

• Available in the CyberArk community as well as in the PVWA

• Published online

• Easily searchable information
CYBERARK ACRONYMS

The CyberArk Glossary can be found easily here:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/CyberArk-Acronyms.htm

SUMMARY

SUMMARY

In this session we discussed:


• Basic system principles
• A common attack method and how CyberArk PAS can minimize exposure
• Key features of the Core PAS solution
• Core PAS architecture
• System interfaces and utilities
• Online help and customer community

EXERCISES

• You may now proceed to completing the following exercise:

INTRODUCTION TO CORE PAS

• PVWA
  • Log in as Administrator
  • Activate the PSM
  • Deactivate “Reason for Access”
  • Connect using a stored account in the New UI
  • Connect using a stored account in the Classic UI
• PrivateArk Client
• Remote Control Client
• PrivateArk Server
ADDITIONAL RESOURCES

eLearning

• Introduction to Privileged Access Security


(login required)

Risk Assessment Tools

• DNA

• zBang

Videos

• DNA

• CyberArk PAS Overview

THANK YOU
