© 2014 by Lieberman Software Corporation. Rev 20110321a Introduction
Apr 06, 2016
© 2001-2014 Lieberman Software Corp.
What Are Privileged Accounts?
• Root and Admin
• Service and Process
• Application-to-Application
Risks Throughout Your Network
What Roles? What Assets? What Accounts? What Anonymous Actions?

Assets: Server and Desktop Computers
• Roles: System Administrators, Contractors, Integrators, Security Administrators, IT Managers
• Accounts: Administrator, Root, Super User, Service
• Anonymous Actions: Read, copy and alter data; Change security settings; Create and delete accounts; Enable and remove file shares; Run programs

Assets: Directories and Application Tiers
• Roles: Security Administrators, IT Managers, App Administrators, App Developers, Webmasters, Contract Developers
• Accounts: Admin, Root, Administrator, Service, Config Files, ASP.Net Run As, DB Connection
• Anonymous Actions: Read, copy, and alter user data; Add and delete users; Change user privileges; Enable remote access; Modify back-end applications; Alter public-facing websites; Read and change DB records; Access transaction data

Assets: Databases
• Roles: DB Administrators, App Developers, App Administrators, Contract Developers, Integrators
• Accounts: SA, Root, SYS, SYSDBA
• Anonymous Actions: Read and change DB records; Access transaction data; Alter configuration and DB schema; Add and modify stored procedures

Assets: Network, Backup, and Security Appliances
• Roles: Network Administrators, Security Administrators, System Administrators, Backup Operators, Contractors
• Accounts: Administrator, Root, Enable, Admin, Super User, Service
• Anonymous Actions: Alter configuration settings; Alter security and QoS policies; Grant and deny network access; Access data feeds; Enable and disable monitoring; Browse and save archives; Access transaction data; Delete saved data; Change configuration settings
Challenges / Pain
• Has your organization experienced an audit finding on privileged access?
• Having trouble managing privileged identities at scale and without causing outages?
• Do you have difficulty limiting contractor access to systems?
• Are you able to prove termination of access to previous employees who have had access to your systems?
What Are the Vulnerabilities?
• Cryptographically Weak Logins
• Stale, Common Passwords
• Unchanged Default Logins on Hardware, Applications, Appliances, Images, LOM,…
• Hard-Wired Credentials in Business Applications
• Developer Backdoors
• Vulnerable Service Account Passwords, and others…
These make the network vulnerable to insider attacks, and to external attackers who leapfrog from system to system…
Privileged Accounts Drive Compliance
• Auditors focus on privileged accounts because these logins are often neglected
• Privileged accounts are the targets of many Red Team / Blue Team attacks
• Auditors for HIPAA, PCI-DSS, NERC/FERC, FISMA, NRC and the others demand a solution
What PIM is Not…
Identity & Access Management (IAM)
• Controls user access to computers, applications and networks
• Provisions and de-provisions users
• IAM products include Microsoft Active Directory, Tivoli Identity Manager, Oracle Access Manager, etc.
What PIM is Not…
Single Sign-On (SSO)
• Allows end-users to log in once and gain access to several systems or applications without being prompted to log in again repeatedly.
• SSO vendors include Microsoft, WRQ (Novell), IBM (Tivoli), Dell (NetIQ), Facebook, Google, and many more...
What PIM is Not…
Privileged User Management (PUM)
• Temporarily changes a user’s privileges so that they can perform tasks that require elevated permissions.
• Generally provides controlled shell access to Linux and UNIX
• PUM vendors include Dell (NetIQ / BeyondTrust), FoxT, and others...
What PIM Is…
Privileged Identity Management
• Secures admin and root accounts throughout your network
• Includes discovery, randomization, and audited retrieval of super-user and admin accounts
• PIM vendors include Lieberman Software, Cyber-Ark, Thycotic and others
How ERPM Solves PIM Issues: Comprehensive Privileged Credential Management
ERPM Automates:
• Discovery of machines, process accounts, local & fire call accounts, services and tasks – and everywhere those accounts are referenced
• Password Change Process for randomizing privileged accounts and propagating those changes everywhere the accounts are used to avoid lock outs
• Storage of complex, random passwords in an encrypted repository
• Role Based Provisioning of password access and delegation
• Auditing of every password request, use and change
ERPM Product Overview
• Secures Windows, Linux / UNIX, mainframes, network appliances, databases, business applications, hypervisors, LOM cards, ...
• 3/n-tier architecture scales to the largest networks
• Available as a software installation or VM
ERPM Architecture (diagram)
1. Create a Management Set
• Management Sets let you organize auto-discovery, password recovery, and other settings in any way that corresponds to the physical infrastructure and personnel roles of your organization.
• Dynamic Management Sets update automatically with changes in your Directories, database queries, scanned IP address ranges, and other criteria you choose.
• Management Set Examples:
– Denver Exchange Servers
– UNIX Systems Worldwide
– Systems Managed by Ed’s Team
2. Change Passwords
• You can schedule a password change job by clicking the Change Passwords button
• You can set password complexity rules in the Password Settings tab
• You can also change passwords instantly by right-clicking systems in a list
3. Job Results
• See live results in the Active Threads Status window
• When the job is finished, view the job status summary in the Operation window
What Does ERPM Manage?
• Servers
• Workstations
• Network Devices
• Storage Appliances
• Lights Out Devices
• Databases
• Directories
• Configured Applications
How Discovery Works
• Native API Discovery – No reliance on WMI or cached information
– Custom Propagation for reliable changes
– Eliminates password change failures and disruptions caused by stale data
• Automated Dependency Analysis – Real-time discovery before updating interdependent service accounts (including clustered services)
– Stops, changes and restarts all dependencies in the proper order to assure reliable account changes
What Account Details Can ERPM Discover?
• Password age
• Ownership
• Last login
• Where used
• Account flags
• Profile info
ERPM Management Console
Windows application for configuring:
• Data store and authentication
• Management Sets
• Auto-discovery
• Password change jobs
• Workflows and delegation
• Web application
• Compliance reporting
… and lets you explore systems and accounts
Management Sets: Logical Groups of Systems/Devices
• Organize any way that corresponds to the physical infrastructure and personnel roles of your organization
• Dynamic Management Sets update automatically with changes in Directories, database queries, scanned IP address ranges, etc.
• Management Set Examples:
– Denver Exchange Servers
– UNIX Systems Worldwide
– Systems Managed by Ed’s Team
– Systems on specific domain(s)
– Systems in AD Container(s)
Password Settings
• Password length (6-127 digits) and other constraints
• Windows Account settings
• Change Schedule and Run settings
• Propagation Settings and Scope
Password Constraints
• Characters, Numbers, Symbols
• Constrain Symbols
• Position Constraints
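One way to implement the kinds of rules the Password Settings and Password Constraints slides list (length range, required character classes, a restricted symbol set, position rules), as an added example that is not ERPM code: the Policy fields, the default symbol set and the two position rules (first character a letter, last character not a symbol) are assumptions chosen to illustrate the slide, and the generator checks its own output against the validator before returning it.

```python
import secrets
import string

# Added example, not ERPM code. Policy fields, the symbol set and the two
# position rules are assumptions that illustrate the Password Constraints slide.
LETTERS = string.ascii_letters
DIGITS = string.digits


class Policy:
    def __init__(self, length=16, symbols="!@#$%^&*", min_digits=2,
                 min_symbols=2, first_is_letter=True, last_not_symbol=True):
        if not 6 <= length <= 127:           # length range from the slide
            raise ValueError("length must be 6..127")
        self.length = length
        self.symbols = symbols               # "Constrain Symbols": only these
        self.min_digits = min_digits
        self.min_symbols = min_symbols
        self.first_is_letter = first_is_letter   # position constraints
        self.last_not_symbol = last_not_symbol


def complies(pw, p):
    """Validator: True only if pw satisfies every rule in the policy."""
    allowed = LETTERS + DIGITS + p.symbols
    return (len(pw) == p.length
            and all(c in allowed for c in pw)
            and sum(c in DIGITS for c in pw) >= p.min_digits
            and sum(c in p.symbols for c in pw) >= p.min_symbols
            and (not p.first_is_letter or pw[0] in LETTERS)
            and (not p.last_not_symbol or pw[-1] not in p.symbols))


def generate(p):
    """Place the required classes first, fill the remaining interior
    positions from the whole alphabet, shuffle the interior, then pick the
    first and last characters from the sets their position rules allow.
    Uses the secrets module (CSPRNG), never random.random."""
    if p.min_digits + p.min_symbols + 2 > p.length:
        raise ValueError("policy cannot be satisfied at this length")
    rng = secrets.SystemRandom()
    alphabet = LETTERS + DIGITS + p.symbols
    interior = ([rng.choice(DIGITS) for _ in range(p.min_digits)]
                + [rng.choice(p.symbols) for _ in range(p.min_symbols)])
    interior += [rng.choice(alphabet)
                 for _ in range(p.length - 2 - len(interior))]
    rng.shuffle(interior)                    # required chars land anywhere inside
    first = rng.choice(LETTERS if p.first_is_letter else alphabet)
    last = rng.choice(LETTERS + DIGITS if p.last_not_symbol else alphabet)
    pw = first + "".join(interior) + last
    if not complies(pw, p):                  # never hand out a non-compliant value
        raise RuntimeError("generated password violates policy")
    return pw
```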
Password Change Jobs
• Multi-threaded for speed and resilience
• Options for multi-threading can be user configured
• Automatic retries of unsuccessful changes (network congestion, etc.)
• Changes up to 400 machines per minute
• Minimal performance impact on managed machines
Web Delegation Rules
Configures how different users and groups can interact with the web application, including:
• Password check out / check in / extension
• RDP/SSH access (no passwords disclosed)
• Approvals and workflows
• Require multi-factor
• View reports, dashboards
ERPM Data Store
• Microsoft SQL Server (provided by customer)
• Supports clustering and other High Availability options
• Options for software encryption (AES-256 or FIPS 140-2 level 1), or third-party hardware encryption modules (FIPS 140-2 levels 2 or 3)
Reference Architecture
• Data Store: MS SQL Server Cluster on Windows Server (2008 / 2012)
• Web Console: IIS 7.5 on Windows Server (2008 / 2012)
• Remote DB Cluster for Disaster Recovery
• Zone Processors (Remote and DMZ): Windows Server
Platform Support: Servers and Workstations
• Windows
• Linux and UNIX
• AS/400
• OS/390
• z/OS, and other mainframes that support telnet and SSH 2.0 connectivity
Platform Support: Network Devices
• CheckPoint
• Cisco IOS
• EMC
• HP ProCurve
• Foundry
• Juniper
• NetApp
• RiverBed
…others that support telnet and SSH 2.0
Platform Support: Directories
• Apache
• Apple Open Directory
• IBM Tivoli Directory
• Microsoft Active Directory
• Novell eDirectory
• Open LDAP
• Oracle Internet Directory
• Sun Java System Directory Server
• ViewDS Directory
… other LDAP compliant directories
Platform Support: Lights Out Management Cards
• Dell DRAC 3, 4, 5, 6, 6i
• Dell CMC
• HP iLO, 2, 3
…plus any IPMI compatible card
Platform Support: Databases Managed
• MSDE 2000
• MS SQL 2000-2012 Express, Standard and Enterprise (x86 and x64)
• Oracle 9i-11g Express, Personal, Standard, and Enterprise
• MySQL 4.x-6.x
• DB2 7x-9x Express, Workgroup Server, Enterprise
• Sybase ASE 12x, 15x
Platform Support: Service / Process Accounts
• Service accounts are the building blocks of a service oriented architecture platform
• Allow different software to work together to provide value-added services to end users
• Example: Email client connects to email server, which connects to SAN storage
Service and Process Accounts Challenges
• Hard-wired and misconfigured service accounts make the network vulnerable to attack
• These passwords must be regularly changed to comply with regulatory mandates
• Most organizations ignore the risks because these passwords are too difficult to change
Service and Process Accounts Challenges
• Each account can do different things in different places, so incomplete password changes could lock out the account and bring down the application, shutting off business access to end users
• Almost impossible to change manually:
– Identify everywhere the service is in use
– Stop all dependent services, in proper order
– Change the password everywhere it is referenced (“propagation”)
– Re-start all dependent services
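The four manual steps above, and the dependency-ordered stop/change/restart that the How Discovery Works slide describes, as an added simulation that is not ERPM code: the email-style services, their dependency chain, the retry count and the three-strike lockout threshold are all constructed. Running `rotate` with one reference left out of `skip` reproduces the failure mode the slide warns about: the stale reference burns the lockout budget, and services that were updated correctly then fail to start as well.

```python
# Added example, not ERPM code: simulates the manual rotation steps the slide
# lists (identify, stop in order, propagate, restart) and the lockout failure
# mode it warns about. Names, dependencies and the threshold are constructed.
LOCKOUT_THRESHOLD = 3   # failed logons before the directory locks the account


class Account:
    """The shared service account as the directory sees it."""
    def __init__(self, password):
        self.password, self.failures, self.locked = password, 0, False

    def authenticate(self, password):
        if self.locked or password != self.password:
            self.failures += 1
            self.locked = self.locked or self.failures >= LOCKOUT_THRESHOLD
            return False
        self.failures = 0
        return True


class Service:
    """A service holding its own stored copy of the credential (a reference)."""
    def __init__(self, name, password, depends_on=()):
        self.name, self.stored_password = name, password
        self.depends_on = tuple(depends_on)


def demo_services(account):
    """Constructed email stack; every tier logs on as the same account."""
    p = account.password
    return [Service("mail-store", p), Service("mail-transport", p, ["mail-store"]),
            Service("mail-web", p, ["mail-transport"]), Service("san-backup", p)]


def start_order(services):
    """Topological order (each service after its dependencies); reversed = stop order."""
    by_name, order, seen = {s.name: s for s in services}, [], set()

    def visit(s):
        if s.name not in seen:
            seen.add(s.name)
            for dep in s.depends_on:
                visit(by_name[dep])
            order.append(s)
    for s in services:
        visit(s)
    return order


def rotate(account, services, new_password, skip=(), retries=3):
    """Stop dependents first, change the password, propagate it to every
    reference except those in `skip` (a reference the manual process missed),
    then restart in dependency order. Returns (started, failed)."""
    order = start_order(services)          # stop happens in reversed(order)
    account.password = new_password        # change on the directory
    for s in services:
        if s.name not in skip:
            s.stored_password = new_password   # propagation to each reference
    started, failed = [], []
    for s in order:                        # restart, dependencies first
        ok = all(d in started for d in s.depends_on) and any(
            account.authenticate(s.stored_password) for _ in range(retries))
        (started if ok else failed).append(s.name)
    return started, failed
```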
McAfee ePO Integration
• Whenever ePO reports problems, view privileged account details and check passwords from the ePO interface
• Save IT staff hours gaining approvals and documenting access at the most critical times
Help Desk Integrations
• Allow only authorized personnel, with a need for access as determined by each trouble ticket, to log in using privileged credentials
• Update trouble ticket status based on privileged account activity
• Create new trouble tickets should ERPM report unexpected events
SCSM Integration
Help Desk Integrations (Cont’d)
• Microsoft System Center Service Manager
• HP Service Manager
• BMC Remedy
• ServiceNow
• Event Sink to integrate with most others
SIEM Integrations: Security Information and Event Management (SIEM)
• Enables SIEM to correlate security events with privileged account activity
• Eliminates a key SIEM blind spot, making privileged user actions no longer anonymous
• ERPM forwards comprehensive event data: console and password operations, Web application, file vault, scheduler activity
SIEM Integrations
• HP ArcSight
• Q1 Labs Qradar
• RSA enVision
• Splunk
• …ERPM syslog integrates with virtually all others
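The correlation the previous slide describes (turning an anonymous "Administrator logged on" event into "alice, who had that password checked out, logged on"), as an added example that is not ERPM code and does not use ERPM's real event format: the checkout records and logon events are constructed key=value lines standing in for what a PIM tool forwards by syslog and what the SIEM already collects. A privileged logon with no covering checkout is the blind spot the slide refers to, and `unattributed` returns exactly those.

```python
from datetime import datetime

# Added example, not ERPM code and not ERPM's real event format: the checkout
# records and logon events below are constructed key=value lines standing in
# for what a PIM tool forwards by syslog and what the SIEM already collects.
CHECKOUTS = """\
2016-04-06T09:00:12Z checkout user=alice account=Administrator target=srv-db01 expires=2016-04-06T10:00:12Z
2016-04-06T11:30:00Z checkout user=bob account=root target=srv-web02 expires=2016-04-06T12:00:00Z
""".splitlines()

LOGONS = """\
2016-04-06T09:05:41Z host=srv-db01 account=Administrator src=10.0.0.5 result=success
2016-04-06T11:45:09Z host=srv-web02 account=root src=10.0.0.7 result=success
2016-04-06T13:02:27Z host=srv-db01 account=Administrator src=10.0.0.9 result=success
""".splitlines()

TS = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    """Split 'timestamp [event] k=v k=v ...' into a dict with a datetime ts."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, TS)}
    for f in fields:
        key, sep, val = f.partition("=")
        if sep:
            rec[key] = val
        else:
            rec["event"] = key        # bare token such as "checkout"
    return rec


def correlate(checkout_lines, logon_lines):
    """Attribute each privileged logon to the person who held that account's
    password for that target at that moment. user=None means nobody had it
    checked out: the logon used a credential outside the PIM workflow."""
    checkouts = [parse(line) for line in checkout_lines]
    for c in checkouts:
        c["expires"] = datetime.strptime(c["expires"], TS)
    results = []
    for ev in map(parse, logon_lines):
        user = next((c["user"] for c in checkouts
                     if c["account"] == ev["account"] and c["target"] == ev["host"]
                     and c["ts"] <= ev["ts"] <= c["expires"]), None)
        results.append({"ts": ev["ts"], "host": ev["host"],
                        "account": ev["account"], "src": ev["src"], "user": user})
    return results


def unattributed(results):
    """The SIEM alert set: privileged logons that no checkout explains."""
    return [(r["host"], r["account"], r["src"]) for r in results
            if r["user"] is None]
```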
ERPM Service Catalog in NetWeaver
• ERPM is the first product certified to discover and manage privileged identities in SAP
• Enables IT compliance by securing, auditing and reporting SAP access
• Automatically checks in, randomizes, and eliminates sharing of powerful SAP logins
ERPM – SAP Integration
ERPM – Qualys Integration
• Qualys security scanners store super-user passwords to access systems
• Integration allows QualysGuard to access credentials stored securely in ERPM to scan Windows, UNIX, Oracle, MS SQL, IBM DB2 and other resources
• Eliminates double retention of privileged passwords to save IT staff time and remove an attack surface
ERPM – Middleware Integration
• ERPM auto-discovers, randomizes, and grants secure audited check-out of highly privileged middleware accounts
• Supports Oracle WebLogic, IBM WebSphere, MS SQL Reporting Services and others
Multi-Factor Authentication
• Configurable for access to passwords, and access to the Management Console
• Out-of-the-box support for RSA SecurID, YubiKey, and other proprietary tokens
• OATH authentication using third-party tokens
• Out-of-band, Time-based One-Time Password (TOTP) authentication by email and SMS using OATH (at no additional cost)
Core Product Option
• Auto-Discovery
• Root/Admin Password Management
• Service Account Management
• Repository
• Account Elevation
• Auditing/Reports/Dashboards
• IBM Protocol Support
• DB Account Support
• MSFT Support
• Ticketing System Integration
• Multi-Factor Authentication
Disaster Recovery and High Availability
• Cluster License for High Availability and Disaster Recovery
• Zone Processors for 24/7 remote availability regardless of network issues
Session Recording
• Captures full textual Metadata with each session
• Quickly search and access by Metadata
• Jump Server and Agent options
Multi-Language Support
• Web Application works in 20+ languages
• Fully localized (not machine-translated) user interfaces and dashboards
• Browser auto-select or user selectable
Application Integration
Event Sinks
• Event triggering, notification and integration
• Wizard easily integrates third-party software
SDK and Web Services
• Custom propagations update files and applications directly
• Can replace embedded passwords with ERPM calls
PowerShell Integration
• Full automation and programmatic orchestration of privileged identity management operations
• Allows machine control of discovery, password changes, delegation, auditing and more…
• Can be used from within MS System Center Orchestrator
Web Services Interface
• Platform-Agnostic SOAP interface
• Full automation and programmatic orchestration of privileged identity management operations
• Deploy, manage and de-provision privileged accounts and file-based secrets (including x.509 and other certificates and large binary files) regardless of the physical or virtual machine where they reside
Web Services API
SAP NetWeaver Integration (Optional Feature)
• First SAP Certified PIM solution
• Continuously discovers SAP accounts
• Integrates directly with the SAP NetWeaver Gateway
• Manages accounts in SAP v7.01 and newer through direct API calls
Encryption Options
Hardware Security Module (HSM)
• Supports use of external FIPS 140-2 certified encryption modules, including Thales nShield
Software-based Encryption
• Supports up to AES 256
What Differentiates ERPM?
• Rapid, complete deployments (in days, not months)
– User installable and configurable, with no need for scripting, customization, or professional services
– Easy to upgrade and manage over time
• Superior technology
– Auto-Discovery and Correlation, Propagation
– Unsurpassed service account management
– N-tier deployment architecture
• Open standards: no proprietary technology
• Enterprise-ready for scale, scope, and complex, dynamic infrastructures
– Resilient solution: without constant IT intervention
• Comprehensive and open documentation
Our Competitive Advantages In Order of Priority
• We win on ease and speed of deployment and ongoing low TCO. (What is the real cost?)
• In a POC we can prove that we do what we say we can do – always at the customer site, on their network
• Propagation/Service Account Management
• Auto-Discovery and Correlation
• We are the only company to have point solutions in our “toolkit” which we use to clean up customer networks prior to ERPM installation and deployment.
Features / Benefits slide
Need to develop
• CHECK BOXES WHO HAS WHAT
Competitive Landscape
vs. “Company A.”
ERPM uses 100% native API calls and doesn’t rely on WMI and cached data
• Fewer password change failures
• Fewer service disruptions
Competitive Landscape
vs. “Company A.”
ERPM performs dynamic dependency analysis with real-time discovery before updating interdependent service accounts
• Competing solution never fully eliminates the need for a time-consuming manual change process
Competitive Landscape
vs. “Company A.”
ERPM is installed on industry-standard Windows Server and your choice of MS SQL or Oracle databases
• Competing solution is an appliance that’s built on a mix of open-source and proprietary software.
Competitive Landscape
vs. “Company A.”
ERPM security is built on trusted standards including FIPS 140-2 and AES-256
• Competitor’s security architecture uses multiple proprietary layers
• Competitor’s known software vulnerabilities are published in the NIST.gov database
Competitive Landscape
vs. “Company A.”
ERPM is designed for self-service and is typically deployed in large enterprises in under 3 days
• Competitor relies on professional installation and configuration services to uphold its product warranty
• With so many paid services required to maintain its products, the Competitor’s “license fee represents just one-fifth* of the typical project” costs
*Stated by competitor’s Sales VP, per “CRN UK” 11/2011
Client Case Study: Client Profile
• Credit union founded in the 1930’s, with branches located throughout the U.S. and Puerto Rico and approximately 218,000 members.
Situation
• Time consuming manual changes: 10hrs+ per change, not comprehensive
• Ignored complicated service account changes
• Failing frequent financial and regulatory compliance audits
Solution
• ERPM was deployed to the client’s cross-platform enterprise.
Results: Improved Operations >> Time and Cost Savings
• Accounts secured regularly without manual intervention
• Eliminated burden of manually producing reports
Reduced Risk Profile
• Automated the discovery and securing of service accounts
Achieved Regulatory Compliance
• Demonstrated control, passed internal, external NCUA audit
Client Case Study: Client Profile
• North American subsidiary of a global consumer/commercial financial institution with presence in key business and financial centers throughout the world.
Situation
• Urgent need to secure privileged accounts before a looming audit
• Zero impact to ongoing IT Operations
Solution
• ERPM was quickly deployed (<2 weeks) across 1100+ servers at three North American data centers
Results: Improved Operations >> Time and Cost Savings
• Deployed with minimal manual effort
• Automated account discovery keeps up with their dynamic environment
Reduced Risk Profile
• All privileged access is delegated, tracked and audited
Achieved Regulatory Compliance
• Demonstrated control, passed immediate internal audit, now “in good shape”