chapter 12 Flashcards
these are all parts of (blank)
collect - quickly gather and analyze the most critical data
detect - rapidly identify and detect suspicious activities
alert - notify security teams with detailed event information
respond - enable speedy response and automated containment
privileged threat analytics
the (blank) collects data from a wide variety of sources
cyberark privileged threat analytics
the (blank) collects and analyzes data from critical external components like
- SIEM solutions
- active directory
- cloud
these are analyzed by the (blank) components:
digital vault which contains risk and analyzes privileged user activities
psm - which alerts and remediates suspicious activities
cyberark privileged threat analytics
cyberark privileged threat analytics which provides real time analytics powered by proprietary profiling algorithms to detect anomalous activity
pta continuously monitors the use of privileged accounts that are managed by cyberark, as well as privileged accounts that are not yet managed, and looks for indications of abuse or misuse of the cyberark platform
such abuse or bypasses include
unmanaged privileged access
suspected credential theft
suspicious password change
suspicious activities detected in a privileged session
blank
(blank) uses proprietary profiling algorithms, with which the pta distinguishes in real time between normal and abnormal behaviour and raises alerts when abnormal activity is detected
such abnormal behaviour includes:
- access to the vault during irregular hours or days
- access to the vault from irregular ip addresses
- excessive access to privileged accounts in the vault
- activity by dormant vault users
statistical anomalies
what kind of situations would trigger the pta
attacks that bypass security controls
statistical anomalies
active directory risks
the pta proactively monitors risks related to accounts in active directory that can be abused by attackers and sends alerts to the security team to handle these risks before attackers abuse them.
such risks include
1
2
unconstrained delegation
dual usage
the (blank) provides the following pta detections as a standard
- suspected credential theft
- unmanaged privileged access
- service account logged on interactively (optional)
- suspicious activities detected in a privileged session
- privileged access to the vault during irregular hours
- excessive access to privileged accounts in the vault
- privileged access to the vault from irregular ip
- active dormant vault user
vault
the (blank) provides the following pta detections as a standard
- suspected credential theft
- unmanaged privileged access
- service account logged on interactively
- machine access during irregular hours
logs
the (blank) provides the following pta detections as a standard
- unmanaged privileged access (optional)
- unconstrained delegation
- service account logged on interactively (optional)
- risky spn
AD
pta enables security teams to prioritize and respond to the most critical incidents
security events coming from the pta
- are assigned risk scores based on severity of the detected anomaly
- contain granular details related to the suspected attack
- can easily be reviewed in the (blank) or the (blank)
PVWA
SIEM dashboard
security events are visible in the (blank) pane in the PVWA
you can review security events in the PVWA according to the timeline and filter events to focus on specific groups of events based on:
- severity
- event type
- date
security
what are the items shown in the pvwa security events?
1
2
3
4
5
last time the event was detected
the name of the event
shows when remediation started
the score and severity of the event, high, medium, low
recommended action to take/automatic remediation action that was taken
Automatic response improves your organization’s security posture and mitigates risk
Respond with Automatic Remediations
PTA can contain in-progress attacks by automatically:
1
2
3
- Onboarding unmanaged accounts
- Rotating credentials
- Reconciling credentials
Session Analysis and Response
- Connecting the PTA and PSM leverages the analytic capabilities of the PTA, which receives details of PSM privileged sessions and user activities, analyzes them, and assigns a risk score to each session.
- Audit teams now can prioritize workloads based on risk scores.
blank
Once the PTA and PSM are integrated, we can configure (blank) rules to execute automatic session suspension or termination during high-risk user activity, thereby reducing response times and the risk of damage to the organization.
Privileged Session Analysis and Response
- You can add new rules or customize existing rules for session analysis and response
- The scope of a rule can be granularly applied to different Vault users, accounts, and machines.
- In the event of high-risk activity, the (blank) can also be configured to terminate or suspend the session.
CyberArk recommends that each organization study the predefined set of rules for suspicious session activities and then modify and add rules according to their needs
pta
configuring rules
Rules are defined by:
* Category
⎼ SSH
⎼ Universal Keystrokes
⎼ SCP
⎼ SQL
⎼ Windows title
* Pattern: a regular expression to be monitored
* Session response
⎼ Suspend
⎼ Terminate
⎼ None
* The Threat Score (1-100)
* Scope: To whom or what the rule will apply
blank
Detect and Respond to Privileged Risks in the Cloud
To help address the challenge of monitoring Privileged Cloud users and detecting, alerting, and responding to high-risk privileged access, the PTA can now be used to improve the efficiency of Cloud security teams and to secure threats within Amazon Web Services (AWS) and Microsoft Azure.
* The following capabilities are supported for AWS:
– Detect unmanaged Access Keys and Passwords for IAM accounts
– Detect compromised privileged IAM accounts
– Detect compromised EC2 accounts
* The following capabilities are supported for Azure:
– Detect unmanaged privileged access
– Detect suspected credential theft