Event Recording

Lessons learned from a PAM rollout

Name: Lessons learned from a PAM rollout
Uploaded: 2022-09-14T12:00:00+02:00
Duration: 15 min 24 s

Martin Sandren

IAM Product Lead

IKEA

Posted on Sep 14, 2022

In the last couple of years the ransomeware attacks and other cybersecurity threats has not only brought cybersecurity topics to the board rooms but also widened the attack surface outside of the multi nationals and the financial institutions.

The cyberssecurity approaches and strategies that works well for a multinational with a large and well funded cybersecurity department may not be as applicable for a mid sized company where the security department may be a single person.

Still if the partner company that delivers the cheese to a retailer falls to a cybersecurity attack there is simply no cheese to sell to the customers so the retailer not only loses money but also fails at their most basic task. So how do we as multinationals help our partners with implementing basic controls such as PAM in a way that works in their business reality?

In this session we will be looking at how you as a relatively cybersecurity mature company can do to help your less mature partners. It is also suitable for persons who has been asked to launch a cybersecurity or PAM program without been given the full resource to execute a full program.

Video Description

Show Transcript

So I've been really interesting to listen to the other speakers. We got a good view in Paul with the, the seam and the new technologies coming in. And then we got a look, look at how kind of the best practice for doing Pam. If you go to a very mature environment, you look at financial services, probably the most mature environment when it comes to Pam. Now we're gonna look at it from a little bit of a different viewpoint, which is okay, but if I'm not of financial services, if I don't have hundreds of thousands in yearly, but yet, well, what can I do with Pam?

So the first part, see if I can get my slides to work. They worked fine before, not now, just a quick disclaimer, obviously this information provided is with best of intent, but in any case, there might be things that are different for you, and you should take in many data points and understand your reality, your business context, before you leverage any of this information. So my previous employer was a multinational retailer and as a multinational retailer, all multinationals, we've spent a lot of, of time and money over the years through from cyber security.

And we not only protect our own systems. Of course, we also protect the big parts we're working with. So if you're a supplier to a multinational, and if you're a big supplier, and if you're a mature supplier, you are going to go through all kinds of processes that ensures that your cybersecurity is strong as well. But what we were seeing is that, well, that is of course very important, and we need to continue doing that, but also we need to figure out how to help our smaller partners.

And the reason for this is that if our smaller partners, which many cases do not have a large cybersecurity department, or are not very in this area, if they get attacked this attack, you get through. For example, when you have an attack against a reservoir attack, there is simply no solid in the stores. So an example is enable 20 51, 1 of the partners backlogs was a shipping partner.

They, they slice and ship shes to stores. They got ransomware and the result was there was no shes in the stores. And if you're a Dutch person, you will really feel that this is a huge issue. There's no shoes. And this is also something we see across the industry. And when I talk to, to other people that also work in retail, they have the same problem. How can we ensure that the cybersecurity, the maturity and the resilience becomes better?

Not just across our organization, not just amongst our big mature partner, but also through normal companies that, you know, they may have a couple of thousand employees, but they please, they grow salad or they raise chicken, they slice sheets, Delta cybersecurity. They might have half an FDA or even less to do cybersecurity. So we launched a program that we went out and helped our suppliers with this. And one of these things that we wanted to emphasis on was on Pam. So how does Pam and ransom connect?

Well, when we talk about ransomware, there's lots of different models. We tend to use a quite simple model. We call the in, through and out. So basically that gets in, how do we get in?

Well, there might be available system that's on the internet that hasn't been patched might be Fisher emails might be remote access with the same password as being reused, or is the guessable password or no MFA There is through which means lateral movement. Most of the time when you get into some, the interesting information or systems are not on that system cannot be accessed that account. So you need the lateral movement. You needed to recognize. You need to try to find where the user stuff is. And then you usually to the privilege escalation.

So you get in and accounted as very basic privileges. Then you manage to get more privileges. Then you get the domain admin, then you start doing the, the fine stuff. You encrypt files.

The, you can extract data and demand ran some unless they try to publishing information. So if you now look at, okay, I need Pam. What are the par material model?

Well, both basic part is analog. So basically paper based or Excel file based, use the full password all over the place. Don't rotate in the password. And there are, there's no minimal password complexity and no MFA. There are a little bit more advanced with the basic where we have, we have hopefully automated, but at least the manual privileged account discoveries, you know, what are the most important payroll accounts? You have password waling and you stopped using default password. At least not everywhere.

You start putting MFA on the important stuff and you hopefully can do some automated pass rotation and randomization. In next part, you will go into advanced here. We starting things like password hiding so that the admin person don't necessarily have the password, even if, even if they need to use it. Previous section proxy, previous session proxy, where you have some form of an ability record. When you do privileged work, you are control. And for ice control where you actually has to approve someone has to approve you get access to the systems.

So you monitoring in mutable privileged activity audit so that even the admin cannot change the fact that he has the, the recording of the privilege activity. And perhaps also main point to this privilege control, and finally have the adaptive intelligence where you use artificial intelligence, machine learning or analytics to discover anomal. And when you have anomal, you can then react to them, perhaps require an extra MYFA or perhaps have at least notified the sock that something strange is going on. So if I want to, one, should I is the only thing I can do is to start a Pam program.

Well, it's mostly in many cases might be a good idea to start a Pam program, but there are quite a lot of things you can do, even if you don't have the money for a Pam program available in this year's budget. The first part is to know what are you found jewels? So what are the systems are critical? It's gonna be some security systems. It's gonna be probably active directory in many cases, Azure active directory, or perhaps your Okta, or how else you give access to people to access systems.

It's gonna be the, the main routers and the main firewalls, but it's also gonna be like your E R P systems SAP systems or HR systems. The things that your business basically really, really needs. And it contains the sensitive information. Financial systems are always the most important part, do not three use passwords and against across yours applications, your separate accounts for admin work for day to day activities consider a password manager. The black book is better than reusing a password and a key accounts for crown jewel systems.

So another question we discussed partly cloud on premise, well, obviously not, not one size fits all, but the, the main thing about Pam systems is that if you look at the on premise system, they are often require a lot of servers. They can be complex to configure that's often because they contain a lot of flexibility. And if you don't have the right team to both build and maintain it, the cloud brands has the advantage that you can spend more time on doing actually onboarding applications and configuring the, the process you need and less time on installing servers.

One other important factors. Of course, if you are a hundred percent on premise and have nothing else, perhaps Pam is not the first thing you should put in the cloud, but if you, most of your stuff is in the cloud anyway, then is really a good idea to have the Pam system on premise. And one thing that is, is important to realize is that when you do a Pam implementation on premise, it tends to take quite a lot of time and effort.

And often you burn through all of your time and resources on the action implementation, where, where you really should put your resources is to go out and market and sell your Pam system out to the organization, actually get usage on it. So how do I roll out? If you say that rollout is the hardest and most important thing, how do I roll out?

Well, there's a couple of different options here. There is the traditionally we talked about verticals horizontals. So one approach to say, well, I have a set of, of crown jewels and I need to put in everything I done. So for those, I do application level, I do the, the databases I do the hosts that way is the, the horizontal part.

I say, I do all the active director servers. I do all windows servers, do all my Oracle databases. The horizontal approach has advantage that you get a lot of, of area covered, but disadvantage is that you, you don't give any, any priority on the importance of the actual data or the process that you protect today. I think that for most, especially if you are a, a, on a budget pressure doing the, the crown jewel approach is the best way to do it.

That is usually the way to get some form of return on investment quickly for the business, especially in a, in a smaller, less complex business Integration with IM well, when you have a Pam system, you, you usually, unless you're a very small business, whereas, you know, a handful of admins or something like that in then integration with IM you can get the joiner. We believe in places quite important.

Firstly, because for the joiner part, you want your people, you hire as staff. They need to be able to access the system quickly. And also believer that when a person leaves, they should no longer have access. And in a prime installation, this is very important to have a strong process for be able to shut down access. When you have a situation where an admin found to no longer be trustable or has performed actions that are questionable on the, the, on the authentication side, of course, MFA is highly recommended.

And if you do, especially if external users, some form of certification that ensures that these users still should have access is critical. This is a very important point as well. So this was a little bit of a, a look into the, to the past about the last five to 10 years, and we're done time implantation. So let's talk a little bit about what has happened lately. That's come become important for payment implementations.

Well, one area is the same area, the multi-cloud security target station, and what basically is happening in the business that the business is requiring cloud implementations. And unless you're in a very specific regulatory or, or business area where they can stay on premise, you're going to have cloud.

Now, if you have one cloud, then your life is a lot easier because in most cases, all of the cloud have good support for Pam. Problem comes in when you have multi-cloud and how you handle assets that are in other clouds. And in most cases, then you need some form of a dedicated tool to handle this.

The, for example, I believe that the, if you look in Azure, Azure has good support for handling assets inside of Azure. The, the support for handling things that are in, in AWS is significantly weaker. So there you do need to look at what kind of tools you need to have placed to handle that. Another part is the rest, our Harding, which is changing the game slightly.

So it's also why we look at the, the rollout of power that in many cases could be that it makes sense to have a ransomware pardoning part of your rollout program, where you give priority to make sure that the path for the ransomware protection is secured all the way from the on-premise to the cloud and the dev of support, the doing more things than just kind of granting access databases and to servers is important. How do you handle CICD pipelines and all of those things.

And again, there need to be in contact with what your business really wants, what the business needs and what the business requires. So thank you a lot for, for listening to me. And if you have any further questions, do, please reach out to my team account here. And if you have questions, one, happy to have a cup of coffee with you, or have some Swedish meatballs, one of the Ikea stores. Thank you.

Like this?

Don't like this?

Why don't you like this?

Lessons learned from a PAM rollout