Gaining Privileged Access Management Insights with the CyberArk Telemetry Tool

-

Operationalizing security tools into security programs requires proper insight into what’s going on. You need to understand what’s happening within the service in order to compare it to your plan, simply be informed, or help tell your program’s story. A critical piece of telling that story is done through the collection of metrics and data to support it.

IT Security Teams are constantly under pressure to deliver and show progress, often with a lack of resources to do so. Which means engaging with business intelligence and

analytics teams can be challenging for some, you may not even have a team to support this function, or you lack the proper tools to do it yourself. In all of those scenarios, it’s hard to gain the proper insight into your service that you need.

Introduction

The CyberArk Telemetry Tool provides customers with the much-needed insight into the usage of their CyberArk Privileged Access Manager (Privileged Cloud or Self-Hosted)    services. The Telemetry Tool collects data about the usage of PAM components such as   the Enterprise Privilege Vault (EPV) and Session Manager, as well as details about accounts, platforms, active users, and sessions.

The CyberArk Telemetry Tool is an automated process used to collect and present key customer telemetry and metrics in an easy to consume way. There is minimal customer   effort required for setup, and it’s designed to help customers track adoption, compliance, and license utilization for their PAM deployments – all displayed in a user-friendly dash-board. This information is presented in reports and visualizations within the CyberArk Technical Community. The Telemetry Tool is available in the CyberArk Marketplace and is 100% supported by Product Management and R&D.

Simplifying the Extract, Transform and Load (ETL) Process

The CyberArk Telemetry Tool takes the complexity out of designing your own export, transform and load process. A scheduled task batch job runs on a Windows machine with connectivity to both the Digital Vault and two public internet-facing services, and extracts, transforms and loads the telemetry data into the CyberArk Technical Community using predefined visualizations. The Telemetry Tool interface in the Technical Community supports PAM architectures that leverage multiple Vault deployments or instances.

The visualizations created by the telemetry service enable organizations to track program progress and growth, understand the state of risk and compliance, gain operational insight, and ultimately drive the decision-making process surrounding privileged access management.

Figure 1: Telemetry Tool Setup Process

Some of the main elements include:

  • Visualizations & Metrics
  • Active Users (Current) and Users Activities (Historical)
  • Users Allocation (Current) and User Allocation (Historical)
  • Credential Compliance (Current) and Credential Compliance (Historical)
  • License Consumption and Usage
  • Total Credentials by Platform Type (Current) and Compliant Credentials by Platform Type (Current)
  • Credential Compliance by Platform (Current)
  • Credentials With or Without Automatic Rotation
  • Credentials With or Without Automatic Verification
  • User Activity by Platform (Current)
  • Secret Activity Connect vs. Retrieval (Historical)
  • Application ID Allocation (Current) and Application ID Allocation (Historical)
  • Credential Provider Allocation (Current) and Credential Provider Allocation (Historical)
  • Platforms with PSM Enabled (Current)

Operationalizing the Visualizations

Track Program Progress and Growth

When we think about what a PAM program’s purpose is, it’s to secure privileged users and the systems they access, which in turn will help mitigate risk and enable compliance. The visualizations you should focus on for program progress and growth include those related to active users, user allocation and credential compliance. These visualizations help you better understand whether you’re rolling out your PAM controls to the appropriate number of users, to the appropriate number of systems and credentials, and whether the credentials are being managed appropriately.

Understand the State of Risk and Compliance

The goal of most PAM programs is to ultimately reduce risk and increase compliance. The visualizations you should focus on for this are Total Credentials by Platform Type (Current), Compliant Credentials by Platform Type (Current), Credential Compliance by Platform (Current) and Credentials With/Without Automatic Rotation or Verification. The first two charts depict the breakdown of technology types and their total and compliant credential counts, which helps you understand the state of risk across your organization’s technology base (e.g., technologies under PAM controls vs those without). They also help you understand the state of compliance across those technologies on the whole. The third chart goes one level deeper, and looks at the individual platforms, which can provide a more granular level of understanding for risk and compliance. The last two charts provide you with the insight into whether the onboarded credentials have the correct settings configured in order to be properly and securely managed.

Gain Operational Insight

You can’t run a successful program without operationalizing it as service, and in doing so there’s certain things to keep an eye on. The License Consumption and Usage table and the User Allocation (Historical) chart provide key insight on the current and historical state of your user licenses, which allows you to understand if you have room to expand or need to plan ahead. The two stacked bar charts for automatic rotation/verification allow you to understand if your platforms are configured to automatically manage the privileged credentials properly or if you’re likely doing actions manually. The User Activity by Platform and Secrets Activity charts provide you with interactive access insight, allowing you to see how the users are actually interacting with the credentials and whether that aligns with your expectations (e.g., too many password checkouts, not enough PSM connections).

Drive Decision-Making Process

Data is your friend, and it should drive your decision-making processes. All of these visualizations should support you and your company in that process. They should help you answer questions like, “Do we need more licenses?”, “Do we have appropriate controls implemented?”, “Is the solution being used as intended?” or “Is our coverage and use cases align with our plan?”. The answers to these questions should inform the decisions you make and influence your response.

Architecture and Security Considerations

Networking

The first major architecture and security consideration is around the networking and communication for the Telemetry Tool. The Telemetry Tool essentially requires only two networking rules, the ability to communicate to the backend CyberArk telemetry service and a certificate service (443), and the ability to connect to the Digital Vault (1858). This means you can easily install it on an internet facing PVWA or CPM (if you have one). However, it could also be installed on some other tools or job server which maintains the same type of connectivity. Alternatively, the Telemetry Tool could also be installed on a workstation running Windows 10, which would enable you to run the job without requiring any other infrastructure, as its common for the workstations of CyberArk Administrators to often be both internet-facing and vault-facing. You can read more about specific telemetry architecture designs in our online documentation.

Should you choose to manually upload telemetry JSON files for network architecture reasons, you can do so via the manual upload page on the Technical Community. Configure the Telemetry Tool in offline mode as described in the Data Privacy section and upload the sf_telemetryData_<date>.json file. Please note that uploading telemetry data in this way will not support multiple environment instances, as the filtering capabilities are no longer supported when data is uploaded this manner.

Data Privacy

The other major security consideration is around data privacy. Since the Telemetry Tool is collecting data from an on-premises installation of PAM and sending it to a cloud-hosted telemetry service, its not uncommon to hear concerns over data privacy. CyberArk does NOT collect any personally identifiable information (PII) using the Telemetry Tool. The data is sent encrypted using SSL encryption while also using Java Schema Input Validation to sanitize unwanted request in addition to WAF inspection. Should you feel the need to, you can always run the Telemetry Tool in an offline-only mode as a test and inspect the JSON file output yourself to see what information is being delivered to the telemetry service. To do this, you’ll need to modify the “URL” parameter to be an empty string within the config.json file (under Installation folder\Config files).

Refer to the Telemetry Tool EULA for more information about the information collected and safeguards for protecting it. For Privilege Cloud, refer to the SaaS Service Terms page. For Self-Hosted PAM Telemetry, ask your Account Team to review the EULA sheet.

Implementation

This section is only relevant if you are using a CyberArk Privileged Access Manager Self-Hosted implementation. These steps are completed automatically for CyberArk Privileged Cloud customers during the initial deployment of the service.

Step 1: Create Your Environment ID

The first step in the process is creating your environment ID. This is unique identifier that you’ll use to register your vault instance within the CyberArk Technical Community. In order to set this up, you must be a Technical Community user with full access to cases (ability to open support cases).

Should your organization want to grant access to these dashboards to a non-CyberArk Administrator, such as your PAM Director or CISO, you must first have them create a Technical Community account, and once registered, you can reach out to CyberArk Users Access and request that they be granted the “Customer Basic Access Cases Read Only” profile.

Step 2: Validate System and Application Prerequisites

The second step is validating that the system you plan on installing and running the Telemetry Tool on is supported and that you have the appropriate network connectivity enabled. The tool needs to be able to connect to telemetry and SSL services that are internet facing, in addition to the vault. The complete list of requirements can be found in our online documentation.

Step 3: Install and Configure the Telemetry Tool

The third step is to actually install and configure the Telemetry Tool on your server or workstation of choice per the security considerations. You’ll need admin rights to install and configure the scheduled task. It’s here where you’ll enter the environment ID that you created in step 1 and follow the on-screen prompts to finish the setup process.

Step 4: Run On-Demand

The fourth step is to run the Telemetry Tool on-demand to test that the tool was configured properly and can run successfully. You can do this by right clicking on the scheduled task and selecting run. You should know when the tool is done by the job status indicator in the Task Scheduler. In the event it fails, you can review the log files for more details.

Step 5: Validate the Data

Our last step is validating that the data was collected successfully and is presented in the Technical Community. Sign into the Technical Community and using the navigation bar at the top of the screen, select Telemetry > Dashboard. It’s here you can click on your Tenant Name and confirm that the data has been uploaded.

Next Steps to Building Your Reporting Plan

If you haven’t already downloaded and installed the Telemetry Tool, we highly encourage you to head over to the CyberArk Marketplace to get it. Don’t forget to check out the online documentation for the Telemetry Tool either, and if you have any questions, don’t hesitate to start a discussion with the Telemetry topic in the Technical Community.

A.L 

Reference :  https://cyberark-customers.force.com/s/article/Gaining-Privileged-Access-Management-Insights-with-the-CyberArk-Telemetry-Tool

Comments

Post a Comment

Popular posts from this blog

CISA and ENISA enhance their Cooperation

-
Image
  The European Union Agency for Cybersecurity (ENISA) has signed a Working Arrangement with the Cybersecurity and Infrastructure Security Agency (CISA) of the US, in the areas of capacity-building, best practices exchange and boosting situational awareness. Geopolitics have shaped the cyber threat landscape, bringing like-minded partners closer together in the wake of common cyber challenges and advances in digital technologies. Today at the EU-US Cyber Dialogue, ENISA and CISA announced the signing of their Working Arrangement as an important milestone in the overall cooperation between the United States and the European Union in the field of cybersecurity, also following the Joint Statement of European Commissioner Thierry Breton and U.S. Secretary for Homeland Security Alejandro Mayorkas of January 2023. ENISA’s International Strategy directs the Agency to be selective in engaging with international partners and to limit its overall approach in international cooperation to those are
Read more

The Imperva Content Delivery Network (CDN) to Improve website experience globally

-
Image
Today’s website visitors expect a fast and efficient user experience with no delays or site performance issues. However, high traffic volumes and global reaching websites mean website managers are faced with the challenge of added latency and slow page load times, which can result in lost business. According to WebSiteBuilderExpert.com, 1 in 4 site visitors would abandon a website that takes more than 4 seconds to load. And 46% of site visitors do not revisit poorly performing websites, according to Unbounce.com. A strong Content Delivery Network   (CDN) is critical for website managers and businesses that rely on their websites for success, and here are ten reasons why. Improve your engagement Faster site speed times and more responsive websites bring results in more conversions. As little as a  one-second delay  in page load time can reduce customer satisfaction by 16%. Slow page load times According to  Unbounce , ‘Nearly 70% of consumers admit that page speed influences their likel
Read more

SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes

-
Image
On Feb. 13, 2024, Microsoft issued a  patch  for CVE-2024-21412, a  Microsoft Defender SmartScreen  vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access trojan (RAT). Threat actors are constantly finding new ways of identifying and exploiting gaps to bypass security measures. We found that the bypass of CVE-2023-36025 (a previously patched SmartScreen vulnerability) led to the discovery and exploitation of CVE-2024-21412. This highlights how threat actors can circumvent patches by identifying new vectors of attack around a patched software component. It is important that organizations are able to identify and mitigate vulnerabilities, especially zero-days, in a timely mann
Read more