Leverage User Behavior Analytics to Minimize Your Risk Exposure
Today’s threatscape requires security controls to be adaptive to the risk context, using machine learning to carefully analyze a privileged user’s behavior. Adaptive control means not only being notified of risky activity in real time, but also being able to actively respond to incidents by cutting off sessions, adding additional monitoring, or flagging for forensic follow-up. Leveraging Centrify Privilege Threat Analytics Service can make the difference between falling victim to a breach and stopping it in its tracks.
Gain Insights and Stop Breaches in Near Real-Time
Gain insight into privileged user access activity with information related to unusual recent privilege changes, commands run, targets accessed and privilege elevation.
Understand the risk nature of any specific event: risk is computed in real time for every event and expressed as high, medium or low for any anomalous activity.
Quickly identify security factors that triggered an anomaly alert.
Play and easily re-play video sessions within the dashboard to minimize the overhead of switching views.
Customizable alerts for context-relevant visibility and session recording anomaly notifications to facilitate quick investigative action.
Immediate Visibility with Flexible, Holistic View of Access Activity Across the Ecosystem
Leverage a series of dashboards and interactive widgets to better understand IT risk and access patterns across your infrastructure. By tailoring security policy to each user’s behavior and automatically flagging risky behavior, gain immediate visibility into account risk, eliminating the overhead of sifting through millions of log files and massive amounts of historical data.
Rich Tools for Deeper Analysis
Better comprehend access and events by drilling into details around events, across systems, location, time, privileged commands and more. IT users can drill into individual events to understand the risk nature of any specific event. Risk is computed in real time for every event and expressed as high, medium or low for any anomalous activity.
Streamlined Threat Monitoring and Investigation
Gain streamlined insight into anomalous activity with a detailed timeline view. Identify the specific factors contributing to an anomaly for a comprehensive understanding of a potential threat, all from a single console. Security teams can view system access and anomaly detection in high resolution with analytics tools such as dashboards, explorer views, and investigation tools.
Easy Integration with SIEM Tools
Privileged access data is captured and stored to enable robust querying by log management tools and integration with external reporting tools. Streamlined integration with SIEM and alerting tools such as Micro Focus® ArcSight™, IBM® QRadar™ and Splunk® identifies risks or suspicious activity quickly.
Easy Alert Notification by Integration with Webhook-Enabled Endpoints
Leverage Slack or existing on-board incident response systems such as PagerDuty to enable real-time alert delivery, eliminating the need for multiple alert touch points and improving time to response. When an alert event occurs, Centrify Privilege Threat Analytics Service allows the user to easily fire off alerts into third-party applications via Webhook. This capability enables the user to respond to a threat alert and contain the impact.
View Suspicious Activity
Gain specific and detailed information about suspicious privileged activity. IT admins can take immediate remediation actions to protect against potential risk or a threat in progress directly from the alert screen and manually or automatically terminate a session based on risk.
Provide Context-Aware Access Decisions in Real-Time
Events analyzed from the Centrify Privilege Threat Analytics Service are used to profile the normal behavior pattern for a user on any login or privileged activity including commands, so anomalies can be identified in real-time to enable risk-based access control. High-risk events are immediately flagged, alerted, notified and elevated to IT’s attention, speeding analysis and greatly minimizing the effort required to assess risk across today’s hybrid IT environments.
Centrify Privilege Threat Analytics
Centrify Privilege Analytics Service
Watch this video to learn how Centrify Privilege Threat Analytics allows IT and security practitioners not only to be notified of risky activity in real time, but also to actively respond to incidents by cutting off sessions, adding additional monitoring, or flagging for forensic follow-up.
Tony Goulding: Hello. Welcome to this demo of Centrify’s Privileged Analytics service.
Tony Goulding: I’m going to recreate a typical IT administrator scenario to demonstrate where Privileged Analytics can provide significant value in helping reduce the risk of a security breach.
Tony Goulding: Let’s talk about a best practice for superuser account management. Accounts such as root on Linux and local administrator on Windows should be vaulted and only used in emergency break-glass situations. The rest of the time - typically over 90% of the time - administrators should log in as themselves - with their own unique user account that has minimum rights and that’s fully accountable. Privilege elevation on the server allows them to perform admin tasks if they’ve been granted the right roles.
Tony Goulding: However, we see lots of administrators bypassing this. These superuser accounts - root on Linux is what we’ll use in this demo example - even though they’re vaulted, are still freely available to admins. So, as is human nature, they try and reestablish life as it was before the vault came along. They create back door SSH keys so going forward, they can log in directly to the servers as root instead of having to go through the vault.
Tony Goulding: Why is this bad?
Tony Goulding: They’re violating a security best practice and circumventing security controls put in place for a reason. By going directly to servers, they’re bypassing the vault which is where your typical vault vendor does its session recording and in many cases, governs what commands can be executed during the session. They also increase the attack surface by opening up privileged back-door mechanisms that could be exploited. And their resulting privileged activities using a shared root account is anonymous, i.e., not easily tied back to a specific individual.
Tony Goulding: With Centrify, we’ll show you that in this scenario, our Privileged Analytics can monitor for such abnormal user behavior and provide real-time alerting when an SSH Key is installed so IT Security can take immediate action. We also show that even when bypassing the vault, we capture all SSH session activities in full forensic detail.
Tony Goulding: I’m logged into the Centrify Vault as an administrator.
Tony Goulding: Now I’ll navigate to my list of system resources and pick the Finance Server I’ll use for this demo. You can see the vaulted root account here. I’ll select it and in the Actions menu, choose to open a secure remote session without the password being revealed.
Tony Goulding: As you can see, I’m logged in as root. Let’s navigate to where SSH Keys are managed on this server. There’s a folder for root and in there is the standard SSH authorized_keys file that contains root’s SSH keys. Our goal is to create a personal SSH key and append it to this file.
Tony Goulding: Let’s create that key using ssh-keygen. I’ll call it TONYTEST. There you see both the public and private key on the disk. Next step, then, is to install that public key by appending it to the authorized_keys file.
Tony Goulding: Let me just re-arrange my desktop so we can see my Slack session as well. For this demo, I’m wearing multiple hats - playing the role of an IT Security admin as well.
Tony Goulding: I’ll now complete the append and in a few seconds… there we see a new notification in Slack.
Tony Goulding: Let's view that.
Tony Goulding: Centrify Privileged Analytics has detected anomalous behavior that’s outside the norm for this user. It’s generated an alert and, using standard Webhooks, is feeding event data into a dedicated Slack channel. You can see relevant context here - file modification attempted on root’s authorized_keys file and a risk score of high. There’s also a couple of buttons we can use to investigate this anomaly.
Tony Goulding: A second message has arrived providing us with an extra button for even more context.
Tony Goulding: So as an IT Security admin or someone handling incident response, I can go straight to the event in the Analytics portal Explorer view.
Tony Goulding: Here, I can explore the original event in every detail should I wish.
Tony Goulding: There’s the Security Alert event in the event log confirming activity on the root authorized_keys file. One thing I might want to explore is the session timeline to get better overall context. Privileged Analytics provides many tools to get to the root cause and help verify whether the activity is benign or something to be concerned about.
Tony Goulding: Going back to Slack, let’s investigate the activity by pulling up the session recording. Even though in our demo, we circumvented the vault and its session recording, Centrify was able to record the session on the host itself and make a subset available in context.
Tony Goulding: I won’t play all of this but using session recording we’re able to view the entire session and understand what’s going on. We need to put a stop to this.
Tony Goulding: In this demo, we’ve configured another Slack button that allows us to kill that session as you see on the screen. Behind the scenes, it’s calling an AWS Lambda script. Your internal policies may dictate another course of action. For example, you might elect to disable an account or revoke some roles and rights, all of which can be performed automatically or, like this example, triggered off a button press.
Tony Goulding: Point being with Centrify Privileged Analytics, you’re now empowered to rapidly respond to these kinds of events in real time.
Tony Goulding: This was just one example of the many ways Centrify Privileged Analytics can be used to help maintain the security of your infrastructure, on-premises or in the private or public cloud.