
PAM Administration

Privileged Threat Analytics

© 2023 CyberArk Software Ltd. All rights reserved


Agenda

By the end of this session the participant will be able to:

1. Describe the main functionality of Privileged Threat Analytics (PTA)
2. Describe the different data sources used by the PTA
3. Describe the different attacks and risks detected by the PTA
4. Describe the alert flow by the PTA
5. Configure and test PTA automatic responses
6. Describe the session analysis and response flow


Overview: Privileged Threat Analytics


Privileged Threat Analytics

COLLECT: Quickly gather and analyze the most critical data
DETECT: Rapidly identify and detect suspicious activities
ALERT: Notify security teams with detailed event information
RESPOND: Enable speedy response and automated containment

Collect

The CyberArk Privileged Threat Analytics collects data from a wide variety of sources.


Collect and Analyze the Right Data

Collect and analyze data from critical sources:
• SIEM solutions
• External components
• Digital Vault
• Active Directory
• PSM
• Cloud

CyberArk PTA: real-time analytics powered by proprietary profiling algorithms to detect anomalous activity.


Detect

• Attacks that bypass security controls
• Statistical anomalies
• Active Directory risks


Abuse or Bypass of PAM Controls

PTA continuously monitors the use of privileged accounts that are managed by CyberArk, as well as privileged accounts that are not yet managed, and looks for indications of abuse or misuse of the CyberArk platform.

Such abuse or bypasses include:

• Unmanaged privileged access
• Suspected credential theft
• Suspicious password change
• Suspicious activities detected in a privileged session


Statistical Anomalies
Using proprietary profiling algorithms, the
PTA distinguishes in real time between
normal and abnormal behavior and raises
alerts when abnormal activity is detected.

Such abnormal behavior includes:

• Access to the Vault during irregular hours or days
• Access to the Vault from irregular IP
addresses
• Excessive access to privileged
accounts in the Vault
• Activity by dormant vault users
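The four anomaly classes above can be illustrated with a small profiling script. This is an added example, not CyberArk's proprietary profiling algorithm and not PTA code: it builds a per-user baseline (hours of day, source IPs, retrievals per day, last activity) from constructed Vault audit records and then scores new records against that baseline. The record format, the DORMANT_DAYS and EXCESSIVE_FACTOR thresholds and the per-finding scores are all assumptions made for the example.

```python
"""Toy behavioural profiling of Vault audit records (added example; not PTA code).

Builds a per-user baseline from "known good" records and scores new records
against it for the four anomaly classes listed on this slide.  The record
format, thresholds and scores are assumptions made for the illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

DORMANT_DAYS = 30       # assumption: no activity for this long => user is "dormant"
EXCESSIVE_FACTOR = 3    # assumption: more than 3x the busiest baseline day => "excessive"
SCORES = {"irregular hours": 40, "irregular IP": 50,       # assumption: per-finding scores
          "dormant user": 60, "excessive access": 70}


def parse(line):
    """Parse one constructed record: '<ISO timestamp> user=.. ip=.. action=.. account=..'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def build_profile(lines):
    """Per-user baseline: hours of day seen, source IPs seen, retrievals per day, last activity."""
    prof = defaultdict(lambda: {"hours": set(), "ips": set(), "per_day": Counter(), "last": None})
    for r in map(parse, lines):
        p = prof[r["user"]]
        p["hours"].add(r["ts"].hour)
        p["ips"].add(r["ip"])
        p["per_day"][r["ts"].date()] += 1
        if p["last"] is None or r["ts"] > p["last"]:
            p["last"] = r["ts"]
    return prof


def severity(score):
    return "high" if score >= 60 else "medium" if score >= 40 else "low"


def analyze(baseline_lines, new_lines):
    """Score each new record against the baseline; one result dict per record, in order."""
    prof = build_profile(baseline_lines)
    per_day = Counter()                      # (user, date) -> retrievals seen among new records
    results = []
    for r in map(parse, new_lines):
        p = prof[r["user"]]                  # an unknown user gets an empty profile: everything is new
        findings = []
        if r["ts"].hour not in p["hours"]:
            findings.append("irregular hours")
        if r["ip"] not in p["ips"]:
            findings.append("irregular IP")
        if p["last"] is not None and (r["ts"] - p["last"]).days >= DORMANT_DAYS:
            findings.append("dormant user")
        key = (r["user"], r["ts"].date())
        per_day[key] += 1
        busiest = max(p["per_day"].values(), default=0)
        if per_day[key] > EXCESSIVE_FACTOR * busiest:
            findings.append("excessive access")
        p["last"] = r["ts"]                  # the baseline's last-seen time moves with each record
        score = max((SCORES[f] for f in findings), default=0)
        results.append({"user": r["user"], "ts": r["ts"].isoformat(), "account": r["account"],
                        "findings": findings, "score": score, "severity": severity(score)})
    return results


# Constructed baseline: alice retrieves up to 2 accounts/day in office hours from 10.0.1.x;
# bob was last seen in March.
BASELINE_LOG = [
    "2023-05-01T09:14:00 user=alice ip=10.0.1.20 action=Retrieve account=root@db01",
    "2023-05-01T11:30:00 user=alice ip=10.0.1.20 action=Retrieve account=admin@web01",
    "2023-05-02T10:02:00 user=alice ip=10.0.1.20 action=Retrieve account=root@db01",
    "2023-05-02T15:45:00 user=alice ip=10.0.1.21 action=Retrieve account=root@db02",
    "2023-05-03T09:50:00 user=alice ip=10.0.1.20 action=Retrieve account=admin@web01",
    "2023-03-01T14:00:00 user=bob ip=10.0.2.5 action=Retrieve account=root@db01",
]

# Constructed new records: a 02:10 retrieval from an outside address, the return of the
# dormant user bob, and a burst of seven retrievals by alice in one morning.
NEW_LOG = [
    "2023-05-04T02:10:00 user=alice ip=198.51.100.7 action=Retrieve account=root@db01",
    "2023-05-10T14:05:00 user=bob ip=10.0.2.5 action=Retrieve account=root@db01",
] + [f"2023-05-05T10:{m:02d}:00 user=alice ip=10.0.1.20 action=Retrieve account=root@db01"
     for m in range(7)]

if __name__ == "__main__":
    for res in analyze(BASELINE_LOG, NEW_LOG):
        if res["findings"]:
            print(res)
```

A real deployment would seed the baseline from weeks of audit history and keep updating it; the point the script shows is that every one of the four detections is a comparison of a single event against a per-user profile, so the quality of the alerts depends entirely on how representative the learning period was.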



Active Directory Risks
PTA proactively monitors risks related to
accounts in Active Directory that can be
abused by attackers and sends alerts to
the security team to handle these risks
before attackers abuse them.

Such risks include:

• Unconstrained Delegation
• Dual Usage



PTA Detections – Standard

PTA DETECTION (data sources: VAULT LOGS, AD, EPM; OPTIONAL marks a source that is optional for that detection)

• Suspected credentials theft
• Unmanaged privileged access (OPTIONAL)
• Unconstrained delegation
• Service account logged on interactively (OPTIONAL, OPTIONAL)
• Risky SPN
• Suspicious activities detected in a privileged session
• Privileged access to the Vault during irregular hours
• Excessive access to privileged accounts in the Vault
• Privileged access to the Vault from irregular IP
• Active dormant Vault user
• Machine accessed during irregular hours


Alert

• Security Events
• Security Monitoring Navigation


Alerts On Suspicious Activity and Behavior

PTA enables security teams to prioritize and respond to the most critical incidents.

Security events coming from the PTA:

• Are assigned risk scores based on the severity of the detected anomaly
• Contain granular details related to the suspected attack
• Can easily be reviewed in the PVWA and/or in a SIEM dashboard


Security Events

You can review security events in the PVWA according to the timeline and filter the events to focus on specific groups of events based on:
⎼ Severity
⎼ Event Type
⎼ Date

Visible in the PVWA under the Security pane.


Security Event Compact View


Reviewing Security Events in the PVWA

Each event in the list shows:
• The last time the event was detected.
• The name of the event.
• The score and severity of the event (high, medium, low).
• The recommended action to take / the automatic remediation action that was taken.
• An indicator shown when remediation has been started.


Easy Navigation: Security-Monitoring



Respond

• Automatic Remediation
• PSM – PTA Integration
• Session Analysis and Response
• Risk-based Prioritization
• Configuring Session Analysis and Response Rules
• The Session Analysis and Response Life Cycle


Respond with Automatic Remediations

Automatic response improves your organization's security posture and mitigates risk.

PTA can contain in-progress attacks by automatically:
• Onboarding unmanaged accounts
• Rotating credentials
• Reconciling credentials


PSM – PTA Integration



Session Analysis and Response
• Connecting the PTA and PSM leverages the analytic capabilities of the PTA, which receives
details of PSM privileged sessions and user activities, analyzes them, and assigns a risk score to
each session.
• Audit teams can now prioritize their workloads based on those risk scores.


Session Analysis and Response
Once the PTA and PSM are integrated, we can configure Privileged Session Analysis and
Response rules to execute automatic session suspension or termination during high-risk user
activity, thereby reducing response times and the risk of damage to the organization.



Risk-based Prioritization

[Diagram: session events (Session #1, #2, #3, ... #5364) enter the Privileged Threat Analytics engine and come out as risk-based priorities, ordered by risk score rather than by arrival (Session #323, #83, #2, #421, #95, #34, #297, ...).]


Configuring Rules

• You can add new rules or customize existing rules for session analysis and response.
• The scope of a rule can be granularly applied to different Vault users, accounts, and machines.
• In the event of high-risk activity, the PTA can also be configured to terminate or suspend the session.

CyberArk recommends that each organization study the predefined set of rules for suspicious session activities and then modify and add rules according to their needs.
Configuring Rules
Rules are defined by:
• Category
⎼ SSH
⎼ Universal Keystrokes
⎼ SCP
⎼ SQL
⎼ Windows title
• Pattern: a regular expression to be
monitored
• Session response
⎼ Suspend
⎼ Terminate
⎼ None
• The Threat Score (1-100)
• Scope: To whom or what the rule will
apply
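How the five rule attributes (category, pattern, response, threat score, scope) combine into a per-session risk score and response, and how those scores then order the review queue shown under Risk-based Prioritization, can be illustrated with a toy evaluator. This is an added example, not PTA's rule engine and not CyberArk code: the Rule class, the RESPONSE_RANK ordering, the sample rules and the constructed session events are all assumptions for the illustration. Real PTA rules are configured in the PTA administration interface, not in code.

```python
"""Toy session-rule evaluator (added example; not PTA's engine).

Each rule carries the five attributes a PTA session rule is defined by:
category, regex pattern, response, threat score and scope.  A session's
score is the highest score of any rule it triggered and its response is
the strongest response of any rule it triggered (terminate > suspend > none).
"""
import re
from dataclasses import dataclass
from typing import Optional

RESPONSE_RANK = {"none": 0, "suspend": 1, "terminate": 2}   # assumption: ordering of responses


@dataclass
class Rule:
    name: str
    category: str                   # SSH, Universal Keystrokes, SCP, SQL or Windows title
    pattern: str                    # regular expression searched in the event payload
    score: int                      # threat score, 1-100
    response: str                   # none | suspend | terminate
    users: Optional[frozenset] = None     # scope: None means any Vault user
    machines: Optional[frozenset] = None  # scope: None means any target machine

    def applies(self, event):
        """True when the event is in the rule's category and scope and matches the pattern."""
        return (self.category == event["category"]
                and (self.users is None or event["user"] in self.users)
                and (self.machines is None or event["machine"] in self.machines)
                and re.search(self.pattern, event["payload"]) is not None)


# Constructed sample rules (hypothetical; not CyberArk's predefined rule set).
RULES = [
    Rule("history wipe", "SSH", r"\bhistory\s+-c\b|\bunset\s+HISTFILE\b", 80, "suspend"),
    Rule("new uid-0 user", "SSH", r"\buseradd\s.*-u\s*0\b", 90, "terminate"),
    Rule("sensitive file copy", "SCP", r"/etc/shadow\b|\.pem\b", 70, "suspend"),
    Rule("drop table on db01", "SQL", r"(?i)\bdrop\s+table\b", 60, "suspend",
         machines=frozenset({"db01"})),
    Rule("mimikatz window", "Windows title", r"(?i)mimikatz", 100, "terminate"),
    Rule("whoami", "SSH", r"^\s*whoami\s*$", 10, "none"),
]

# Constructed sample session events, one per keystroke line / window title PSM would forward.
EVENTS = [
    {"session": "S-101", "user": "alice", "machine": "web01", "category": "SSH",
     "payload": "whoami"},
    {"session": "S-101", "user": "alice", "machine": "web01", "category": "SSH",
     "payload": "sudo useradd -o -u 0 -g 0 svc_backup"},
    {"session": "S-102", "user": "bob", "machine": "db01", "category": "SQL",
     "payload": "DROP TABLE audit_log;"},
    {"session": "S-103", "user": "carol", "machine": "db02", "category": "SQL",
     "payload": "drop table tmp;"},            # same command, but db02 is outside the rule's scope
    {"session": "S-104", "user": "dave", "machine": "win01", "category": "Windows title",
     "payload": "mimikatz 2.2.0 x64"},
    {"session": "S-105", "user": "erin", "machine": "web02", "category": "SSH",
     "payload": "history -c"},
]


def evaluate(rules, events):
    """Return {session_id: {"user", "score", "response", "matched"}} over all events."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["session"],
                                {"user": ev["user"], "score": 0, "response": "none", "matched": []})
        for rule in rules:
            if rule.applies(ev):
                s["matched"].append(rule.name)
                s["score"] = max(s["score"], rule.score)
                if RESPONSE_RANK[rule.response] > RESPONSE_RANK[s["response"]]:
                    s["response"] = rule.response
    return sessions


def prioritize(sessions):
    """Session IDs ordered by risk score, highest first (the risk-based review queue)."""
    return sorted(sessions, key=lambda sid: sessions[sid]["score"], reverse=True)


if __name__ == "__main__":
    result = evaluate(RULES, EVENTS)
    for sid in prioritize(result):
        print(sid, result[sid])
```

Two points worth checking when writing real rules: anchor or word-bound the pattern so that a low-score rule such as "whoami" does not also fire on every command that merely contains the string, and keep the scope tight, since the "drop table" rule above is silent on db02 only because its scope says so, not because the command is any safer there.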



Session Analysis and Response Life Cycle

DEFINE RISKS → ANALYTICS → ALERTS → AUTOMATIC RESPONSE
Security Team → MANUAL RESPONSE & RISK REVIEW


Demos

In this section we will review recorded demos of threat detection and automatic response in:

• Windows
• AWS
Privileged Threat Detection and Automatic Response Demo: Windows

Privileged Threat Detection and Automatic Response Demo: AWS


Detect and Respond to Privileged Risks in the Cloud

To help address the challenge of monitoring Privileged Cloud users and detecting, alerting on, and responding to high-risk privileged access, the PTA can now be used to improve the efficiency of cloud security teams and to detect and respond to threats within Amazon Web Services (AWS) and Microsoft Azure.

• The following capabilities are supported for AWS:
  – Detect unmanaged Access Keys and Passwords for IAM accounts
  – Detect compromised privileged IAM accounts
  – Detect compromised EC2 accounts

• The following capabilities are supported for Azure:
  – Detect unmanaged privileged access
  – Detect suspected credential theft


PTA’s Threat Detection and Response Capabilities within AWS

Summary


In this session we:
• Looked at an overview of the main functionality of the PTA
• Viewed the different data sources used by the PTA
• Described the different attacks and risks detected by the PTA
• Discussed the alert flow by the PTA
• Looked at the PTA’s automatic responses
• Described the session analysis and response flow
• Viewed some videos demonstrating PTA functionality
Exercises

You may now complete the following exercises:

Privileged Threat Analytics

Detections and Automatic Remediation for UNIX/Linux
• Unmanaged Privileged Access
• Suspected Credential Theft and Automatic Password Rotation
• Suspicious Password Change and Automatic Reconciliation
• Suspicious Activities in a Unix Session and Automatic Suspension
• Security Rules Exceptions

Detections and Automatic Remediation for Windows
• Unmanaged Privileged Access
• Suspicious Activities in a Windows Session and Automatic Suspension

Connect to the PTA Administration Interface