01-PAM-ADMIN Introduction To CyberArk PAM

Introduction to CyberArk Privileged Access Management

Agenda

This session introduces the CyberArk Privileged Access Management (PAM) solution. We will look at:
• Overview of basic PAM principles and concepts
• A common attack method and how CyberArk PAM can minimize exposure
• Key features of the CyberArk self-hosted PAM solution
• The system architecture
• System interfaces and utilities
• Online help and customer community

Copyright © 2021 CyberArk Software Ltd. All rights reserved. cyberark.com


Overview



A privileged account is any account that has the capability to change or impact the operational service of a business process. Therefore, we often refer to Privileged Accounts as the “keys to the kingdom”.

Some classic examples include the following accounts:
• Administrator on a Windows server
• Root on a UNIX server
• SYS user on Oracle DBs
• Enable on a Cisco device


Privilege is Everywhere

Privileged accounts exist in every connected device, database, application, industrial controller, and more!

There are typically 3X more privileged accounts than employees


• System Administrators
• 3rd-Party & Service Providers
• Applications
• Select Business Users
• Social Networking Account Managers

Until recently, IT Admins were considered privileged users

In today’s environment almost any identity can be privileged under certain conditions


The Challenges and Threats



Attackers NEED INSIDER Credentials

“…80% of security breaches involve compromised privilege credentials.”

“APT intruders…prefer to leverage privileged accounts where possible, such as Domain Administrators, service accounts with Domain privileges, local Administrator accounts, and privileged user accounts.”

The Forrester Wave™: Privileged Identity Management, Q3 2018


[Figure: LIMIT PRIVILEGE ESCALATION & ABUSE; STOP LATERAL & VERTICAL MOVEMENT; PREVENT CREDENTIAL THEFT. Identities shown: Remote Vendor, IT Admin, Business User, Developer, Robot, Application, Internal Attacker, External Attacker]


Typical Lifecycle of a Cyber Attack
• Penetration
• Credential theft
• Reconnaissance
• Lateral movement
• Privilege escalation
• Repeat



Protect Privilege,
Break the Chain



PERIMETER SECURITY

SECURITY CONTROLS INSIDE THE NETWORK


MONITORING

PRIVILEGED ACCESS MANAGER



Proactive Protection, Detection, & Response

Proactive protection
• Secured credentials
• Only authorized users
• Individual accountability
• Session isolation
• Limit scope of privilege

Targeted detection
• Continuous monitoring
  – Malicious behavior
  – High risk behavior
• Alerts

Real-time response
• Session suspension/termination
• Full forensics record of activity

[Figure: Insider and External threats around Privileged Accounts in Databases/Applications, Hypervisors, Network Devices, Endpoints, Industrial Controls, and Social Media]


Key Features of
CyberArk PAM



CyberArk PAM
• Discover and manage credentials
• Isolate credentials and sessions
• Record and audit sessions
• Monitor privileged activity
• Remediate risky behavior


• Automated processes for accounts discovery
• Policies to manage:
  – Password complexity and length
  – Rotation frequency
  – Etc.

[Figure: the CPM and the Digital Vault alongside the Enterprise IT Environment. Sample generated passwords shown: Tojsd$5fh, y7qeF$1, gviNa9%, lm7yT5w, X5$aq+p. Account table shown:]

System    User            Pass
Unix      root            tops3cr3t
Oracle    SYS             tops3cr3t
Windows   Administrator   tops3cr3t
z/OS      DB2ADMIN        tops3cr3t
Cisco     enable          tops3cr3t


• CyberArk enables secure connections to critical systems using a proxy.
• Target systems are fully isolated; privileged credentials are not exposed to end users or their applications or devices.
• Target systems are configured not to accept direct connections.

[Figure labels: PVWA, PSM, RDP, Target Server, Direct RDP Connection]
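The requirement that target systems accept no direct connections can be verified against firewall policy. The following is an added example, not part of the CyberArk material: it scans a list of allow rules and reports every rule that lets a source other than the PSM reach a target's RDP port. The rule format, addresses, and function names are assumptions made for the illustration.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample data (not from the slides): PSM hosts, targets, allow rules.
PSM_HOSTS = {"10.0.5.10", "10.0.5.11"}
TARGETS = ["10.0.20.15", "10.0.20.16"]
ALLOW_RULES = [
    {"name": "psm-to-targets", "src": "10.0.5.10/31", "dst": "10.0.20.0/24", "ports": "3389"},
    {"name": "helpdesk-legacy", "src": "10.0.8.0/24", "dst": "10.0.20.15/32", "ports": "3389"},
    {"name": "web-tier", "src": "0.0.0.0/0", "dst": "10.0.20.0/24", "ports": "443"},
    {"name": "admin-range", "src": "10.0.5.0/24", "dst": "10.0.20.16/32", "ports": "3380-3400"},
]

def port_matches(spec, port):
    """True if a port spec such as '443', '3380-3400' or 'any' covers port."""
    if spec == "any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def direct_rdp_findings(rules, targets, psm_hosts, port=RDP_PORT):
    """Return (rule name, target) pairs where a non-PSM source may reach the port."""
    psm = [ipaddress.ip_address(h) for h in psm_hosts]
    findings = []
    for rule in rules:
        if not port_matches(rule["ports"], port):
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        # A source range is acceptable only if every address in it is a PSM host.
        # The size check runs first so large ranges are never enumerated.
        only_psm = src.num_addresses <= len(psm) and all(a in psm for a in src)
        if only_psm:
            continue
        for target in targets:
            if ipaddress.ip_address(target) in dst:
                findings.append((rule["name"], target))
    return findings

if __name__ == "__main__":
    for name, target in direct_rdp_findings(ALLOW_RULES, TARGETS, PSM_HOSTS):
        print(f"rule {name!r} allows direct RDP to {target}")
```

The "admin-range" rule is flagged even though it contains the PSM addresses, because the wider /24 also admits hosts that are not the PSM.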


• Privileged sessions recorded in video and/or text format
• Stored and encrypted in the tamper-resistant Digital Vault
• Recordings have a clickable timeline to navigate to specific events


• CyberArk session monitoring enables review of recordings and live sessions, which can be sorted based on risk
• This enables the security operations personnel to take a risk-based approach by prioritizing the greatest threats that are detected in the environment


• CyberArk can automatically rotate credentials in the event of risky behavior such as credential theft, bypassing the Digital Vault
• Unmanaged accounts can be automatically on-boarded and managed through CyberArk’s continuous discovery capabilities
• Additionally, administrators can establish policies to either automatically suspend or terminate privileged sessions based on risk assignment


Discover & Manage
• Secure and manage privileged passwords, SSH keys and other secrets
• Continually scan the environment to detect privileged accounts and credentials
• Add accounts to pending to validate privilege or automatically onboard and rotate

Isolate
• Secure jump-server to control credentials in an isolated instance
• Connect via secure jump server using a variety of native workflows
• Prevent malware attacks and control privileged access

Record/Audit
• Record privileged sessions and store in centralized repository
• Audit logs of video recording stored automatically
• Automatically start viewing riskiest sessions first, at the point of most suspicious activities

Monitor
• View privileged activity by going directly to specified activities, keystrokes, etc.
• Send automatic alerts to SOC and IT admins based on risky activities

Remediate
• Suspend and/or terminate privileged sessions automatically based on risk score and activity
• Initiate automatic credential rotation based on risk in case of compromise/theft
• Reduce the number of accounts that can be used to circumvent privileged controls

On Premises | Cloud | Hybrid

Automation with Rest APIs and policies enhances Core PAS functionality

System Architecture



Digital Vault
• A secure server used to store privileged account information
• Based on a hardened Windows server platform

Password Vault Web Access (PVWA)
• The web interface for users to gain access to privileged account information
• Used by Vault administrators to configure policies

Central Policy Manager (CPM)
• Performs the password changes on devices
• Scans the network for privileged accounts

Privileged Session Manager (PSM)
• Isolates and monitors privileged account activity
• Records privileged account sessions

Privileged Threat Analytics (PTA)
• Monitors and detects malicious privileged account behavior


The Vault and Its Clients

[Figure: the Vault and the following clients and systems: End Users (IT Staff, Auditor, etc.); Password Vault Web Access; Privileged Session Manager; Central Policy Manager; Privileged Threat Analytics; Custom Applications, Reporting Tools, etc.; PACLI and SDKs; PrivateArk Client; Vault Administrators; Unix/Windows Application Providers; Unix/Windows Users; Managed Target Account and Servers; Unmanaged Target Account and Servers; Target Databases]

Vault User to Stored Credential:

Session Encryption
• Proprietary Protocol
• OpenSSL Encryption

Firewall
• Hardened built-in Windows Firewall

Authentication
• Single or Two Factor Authentication (recommended)

Discretionary Access Control
• Granular Permissions
• Role Based Access Control

Mandatory Access Control
• Subnet Based Access Control
• Time Limits and Delays

Auditing
• Tamperproof Audit Trail
• Event-based Alerts

File Encryption
• Hierarchical Encryption Model
• Every object has unique key


[Figure: Main Data Center - US with the Vault (HA Cluster), PVWA, PTA, CPM, PSM, Auditors, IT, and the IT Environment; London and Hong Kong sites, each with Auditors/IT and an IT Environment; DR Site]

System Interfaces and Utilities
• PVWA
• PrivateArk Client
• PACLI
• PAM Web Services (REST API)
• Vault Central Administration Station
• Remote Control Client


• PVWA version 10 introduced the new user interface, which focuses on seamless workflows and easy access.
• End users will use this interface to retrieve passwords or launch privileged sessions.
• Auditors will use this interface to monitor privileged sessions.
• Some features still require the classic interface, which can be accessed by a dedicated link


• The classic interface is mostly used by Vault Administrators to manage policies and permissions, and to configure the PVWA and the other components.


• The PrivateArk Client is the legacy interface to Vault data
• Mostly used by administrators for certain tasks that are not implemented in PVWA
• The PrivateArk Client can be installed on any station with access to the Vault


The PrivateArk Command Line Interface (or PACLI) enables CyberArk Vault users to access the Vault server from any location using an intuitive command-line environment.
• Bulk adding users
• Adding safes
• Modifying properties
• Any other scripting usages

PACLI INIT
PACLI DEFINEFROMFILE VAULT=NewCo PARMFILE=C:\VAULT.INI
PACLI DEFAULT VAULT=NewCo USER=Judy SAFE=marketing FOLDER=Root
PACLI LOGON
PACLI SAFESLIST output(ALL,ENCLOSE)
PACLI OPENSAFE
PACLI FILESLIST output(NAME,CREATIONDATE,RAW)
PACLI OPENSAFE SAFE=finance
PACLI FOLDERSLIST SAFE=finance output(NAME)
PACLI FOLDERSLIST output(ALL,ENCLOSE)
PACLI LOGOFF
PACLI TERM


• The PAM Web Services is a RESTful API that enables users to create, list, modify, and delete entities in PAM using programs and scripts.
• The main purpose of the PAM Web Services is to automate tasks that are usually performed manually using the UI and to incorporate them into system- and account-provisioning scripts

[Figure: sequence between Client, PVWA and Vault, with the links labelled HTTP and CyberArk]
• LOGON: Authenticate user; HTTP Response code: 200 Success; CyberArkLogonResult=(token value)
• ADD USER: Create the User; HTTP Response code: 201 Success


Only available on Vault server
• Starting and stopping the PrivateArk Server Windows service
• Displaying the Vault Server log
• Changing the Vault debug level dynamically

[Figure labels: stop/start, ITALOG.LOG]


• Runs from a command line interface
• Executes tasks on Vault server via Remote Control Agent
• Client and agent communicate via CyberArk Remote Control protocol on port 9022
• RCC reduces the need to open an RDP port for the Vault

Monitoring the Vault status using the Remote Client:

PARCLIENT> status vault
Password: *********
Vault is running.
PARCLIENT> stop vault
Are you sure you want to stop the remote Vault (Y/N)? y
Vault was stopped successfully
PARCLIENT> start vault
Vault was started, pending service running. use status command for further details.
PARCLIENT> status vault
Vault is running.
PARCLIENT> status ene
ENE is stopped.
PARCLIENT> start ene
ENE was started, pending service running. use status command for further details.
PARCLIENT> status ene
ENE is running.
PARCLIENT>


Online Help and
Customer Community



CyberArk Customer Community
• Online documentation
• Knowledge base
• Training
• Enhancement Requests
• Marketplace



• Available in the CyberArk community as well as the PVWA
• Published online
• Easily searchable information


The CyberArk Glossary can be found easily here:

Summary

In this session we discussed:
• Basic principles and concepts
• Key features of the CyberArk PAM solution
• The PAM system architecture
• System interfaces and utilities
• Online help and customer community


Additional Resources

eLearning
• Introduction to Privileged Access Management (login required)

Risk Assessment Tools
• DNA
• zBang

Videos
• DNA
• CyberArk PAM Overview

You may now complete the following exercise:

Introduction to CyberArk Privileged Access Management
• Getting to Know the Acme Corp Environment
  – Acme Servers
• Getting to Know CyberArk PAS
• Log Into the Components Server
• PVWA
  – Log in as Mike
  – Activate the PSM
  – Deactivate “Reason for Access”
  – Connect to an Account in the New UI
  – Retrieve a Password in the Classic UI
• PrivateArk Client
  – Connecting
  – Accessing a File in a Safe
  – Modifying the View
• Remote Control Client
• The Vault Server