
Welcome back. I hope everyone had a good lunch, or at least a good break. I am pleased to present Eric Woodruff. He's going to talk about the management plane, presumably having to do with identity management. Here's Eric.

All right, so let me get this going. I appreciate everyone showing up, especially after lunch; I know how I can go. So before we jump into "Mind the Management Plane", and this is all related to cloud and identity security, just a quick background on myself. I'm Eric Woodruff, in case I forget I can look up here. I currently work for Semperis; it's an identity threat detection and response company, and I focus on Active Directory. I'm a Microsoft security MVP. In prior roles I've worked as an identity architect in the whole Microsoft partner ecosystem, I worked for Microsoft for a few years as a premier field engineer, and for about 15 years I worked for the State of New York, where I managed the Windows Server infrastructure group for the judicial branch in our great state here. So there it was Windows Server, Active Directory, and eventually, when we went to cloud, Azure, Office 365, all that good stuff. I love speaking, love community. I might be a little nervous here, being so used to virtual. My socials are here, QR codes
right at identity conferences; it just goes to my Linktree, so if you want to reach out, I always appreciate connecting with folks in the community.

All right, so let's get this going. Now, before we talk about the management plane, just some history here. So when we talk about securing on-prem, and this is a simplified, sort of washed-out map here, we'd have our internal network with our Active Directory, our VMs, some other things, or a DMZ that we may put some compute workloads in, and primarily the firewall is the thing that sort of kept all the bad folks out. And security, or I shouldn't say security, trust is implicit: if you're on the network you're essentially trusted. And it hasn't always worked out so well for us. While these are not necessarily faults of our own, that management stuff has lots of bugs. We try to put something out on the internet; recently ESXiArgs, I think it really hit a bunch of folks over in France. You talk about Exchange Server on premises, there's probably two or three times a year some sort of huge flaw in Exchange Server again that causes headaches for everyone, and hopefully we're not putting Active Directory out on the internet. Identity is hard to secure.
So we have all these red teams and pentesters coming in here talking about owning domain admin, owning domains, all that sort of stuff. And a lot of times, so Mandiant reports that a couple of their principal consultants indicate that, roughly, in the cases they work, Active Directory is involved in 90% of ransomware cases. So there's some shock factor, trying to scare folks here, but I think it's not to scare folks, it's just to say that this stuff obviously is very hard.

So now we go to the cloud, and if we look at this it looks very much like what we have on-prem. We've got some workloads: we've got Azure AD, Active Directory, Exchange, SharePoint, virtual machines, Kubernetes; it doesn't really matter what this stuff is. And we have our inbound and outbound internet access for those workloads to do whatever it is they're doing. But then we also have this thing here, the management plane. The management plane is that URL, or portals, that you go to to manage the cloud. It's like if you went and took vSphere and put it out on the internet. And it's not just your admins; it may be your end users that are accessing these, and it's also those threat actors that can also hit the same thing. We can't wrap a firewall around it, and ultimately it doesn't matter whether you're going to a GUI via the web, using APIs, the AWS command line, the Azure CLI; you're all going through the management plane one way or another.

Now, a lot of times we have to plumb our data centers up to this stuff as well. So we see here we have some direct connection to our data centers, and usually some compute workloads like Active Directory, as represented here, also extend from the cloud on-prem. And we have lots of SaaS applications. We could be multi-cloud with our GCP and AWS; we have Salesforce, Workday, Google Workspace, all this sort of stuff,
and they all also come with their own management planes. So you have not just one, but now we've got six different management planes that we have to deal with. Marketing loves to say that identity is the new security perimeter, but when we go look at this again, because we have no way of really firewalling these things, it is also true: identity is the thing that keeps the bad actors out and lets the good folks that work for us or work with us in.

How this ties into the management plane is that the privileged accounts are the things that the threat actors want. It's not news; they want domain admin on-prem, but now it's just like we're kind of throwing it out there for them. And how these two tie together is we have the management plane here that effectively is the thing that allows access to the control plane, so that's your cloud identity provider: Azure AD, Google, AWS, whichever you use; it could be Okta, PingFederate. They're all still going to have a management plane, and then in turn the control plane is what allows you to have access, or it's what's saying who has access to do things in the management plane. So there's this sort of symbiotic relationship between the two; you can't have one without the other.

Going back to our diagram here, when we talk about securing the cloud and identity security, we have our users up in all these different places, and usually from an identity security perspective we do identity federation. It's either going to be SAML or OpenID Connect these days, but effectively what we're doing is, instead of having to worry about the user accounts in all these different places, we're tying identity back to some central identity provider. Again, take Azure AD as the example: when you go to Salesforce, you go to sign in, you're redirected to Azure AD. It doesn't have to be that; you go to Workday, you get redirected to Google, what have you. But that way we're only really worried about securing just one account, effectively, with MFA and all that good stuff.

But we also have our highly privileged users. This is your AWS account owner; it's your Global Administrator. And this user has access to basically get to all these other management planes, and also access to all your compute workloads, whatever it is you may have in the cloud. Now, when we talk about well-architected security we usually try to put boundaries on these things so that we're not using a global admin to get to all this stuff.
And I kind of got sick of drawing arrows here, but it extends to everything. I think one of the talks prior mentioned that if you have this, this is keys to the kingdom, tier zero, sort of "if this account is owned, it's game over" stuff. And I just want to also point out that many times you also have access to on-prem stuff through some means. So when we look at bringing Active Directory out to the cloud, while we can firewall our connection from our data centers to the cloud, usually that firewall is very porous because we need things like Active Directory to operate, which needs like a thousand ports open.

So again, looking at our control and management plane diagram here, and kind of simplifying things, we have that highly privileged user, and again this is the game-over scenario. This is nuanced, so it's not necessarily that all these things can happen, but if this account is compromised, potentially everything could be compromised as well. Let's just look at this a little bit. So when you talk about IaaS and PaaS and all that sort of stuff in the cloud, it's not just Windows workloads; it could be Kubernetes, Linux servers, it doesn't matter. For IaaS, most of these systems need an extension to operate in the cloud, similar to if you're running VMware or Hyper-V, there are extensions on that stuff. So in Azure, for example, that extension in Windows will give you system context, which effectively means you're the operating system. So if you have Global Admin and maybe you don't have access to those virtual machines, you just go give yourself access back, and then you run a command, a couple of commands, from the cloud on that VM, and now you also have domain admin and you're on your way to on-prem. I mean, that's just one example;
there are several different ways that you can move laterally from the cloud back to on-prem. Same thing with PaaS; all this stuff is effectively that you can just go and manage it, do whatever you essentially feel like with it. And on the left, when we look at, or your right, SaaS applications and multi-cloud, again these all federate either with SAML or OpenID Connect. So with SAML, for example, if you have something like Global Admin you can easily perform transforms on claims, and essentially claims are the things that tell the other system who you are. It's very easy to spoof those sorts of things if you have Global Admin. So you may not have access into Salesforce or Workday, but if you want to pretend you're the HR person you can actually, rather undetected, say that you're someone in HR and get into those systems. And again with multi-cloud, it's very likely in a multi-cloud scenario, the way identity's architected, that if you have Global Admin here you can easily give yourself account owner over in AWS.

So I will say that that's sort of defining our problem. How do we solve it? You go look at the docs, and this is from Microsoft, and it's all this scary stuff where we have all these lines of attack paths. These graphs are okay, but a lot of times they can overwhelm people, and I think the thing is that at the end of the day it's an education problem. It's not to shame people; cloud, well, it may be old, it's still new. And many times it's like, we get the cloud, everyone's going to the cloud, and you could almost think of it as like a car: your parents buy you a car and you don't have your driver's license yet, so you go drive it because they tell you to go drive around, you get in an accident; it's not your fault,
you don't know how to drive. And with a lot of identity security in the cloud it's very similar at a lot of organizations, but when they see stuff like this it doesn't really help, because it's all confusing, a lot of new nomenclature and stuff, and folks just don't really understand where to start, what they're supposed to do.

So instead of looking at this, we'll look at our Global Admin here. For securing the cloud, just kind of a walkthrough of some things we would want to expect organizations to implement, from a sort of blue team identity security perspective. So you have a highly privileged user, and they've got their laptop here. This is something that I would say, the hardened dedicated workstation, is the one thing that organizations love to push back on; management loves to push back on it. I worked at a company where they didn't want to give us extra laptops because we were "special" if we got that. But when you look at the trade-off: spending a few grand on a few extra laptops for your Global Admins, or do we want to lose literally millions of dollars a week, a month, what have you, if our credentials are popped? So that hardened dedicated workstation is a thing you don't go shop Amazon on, you don't watch Netflix on; it's just for using those privileges. That also ties into the clean keyboard principle, which is sort of part of what's called the clean source principle. We want to make sure that when this laptop is issued it's free from malware and all that sort of stuff, but ultimately it goes back to being a dedicated device. And the dedicated-device piece is critical because if we have a laptop that we run, like, an admin VM on, well, if you own a hypervisor that has lower privileges, you own all the VMs on it. And organizations will look at things like jump boxes or bastion hosts, or whatever you want to call them, but ultimately if you are initially entering those credentials over the wire and someone is on that wire along with you, they have the potential to intercept things. So clean keyboard: you have this dedicated device that you're using to manage Azure, AWS. And again, just to clarify, this isn't everyone that's using it; these are those keys-to-the-kingdom people that, if you get their creds, essentially it's time to shut down shop. Endpoint detection, or endpoint protection I should say, is a pretty common thing we want to make sure is on there as well, and also that these folks are using strong credentials.

So with strong credentials we're talking about phishing-resistant, which is another new buzzwordy thing, but essentially that's FIDO2, Windows Hello for Business, certificate-based auth. Not that we have time to dive into this stuff today, but if you look at attacker-in-the-middle scenarios with something like Evilginx2, which is essentially a proxy, someone gets phished into going to some URL that looks like a portal or something, and in most MFA scenarios you can capture their OTP. It doesn't matter if it's an authenticator app, it doesn't matter if it's SMS; they can relay that and they essentially have a refresh token or access token that represents you. Without getting into asymmetric key pairs, which is essentially what certificates are: in intercepting that traffic you're going to break the chain of trust between whatever is signed by their credentials on this device and that endpoint. So there are some good examples out there showing how things like FIDO2 will prevent attacker-in-the-middle scenarios, and again those are things we want to strive for with these privileged credentials. And using PIM and PAM for just-in-time access, and also making sure that if we're managing other secrets, those things are being vaulted.
These days your endpoint protection usually goes out to an MDM system and your EDR or XDR, and you want all those things to happen too, but it's not just so that we know if there's malware. It's also that, when we look at our identity providers these days that are cloud-based, one advantage we do have is that most of them have something that's like a policy engine. And with the policy engine we have essentially what we would call contextual authentication. So we can look at things like user risk: have we seen, for example, these users' credentials somewhere out in public? Some cloud IdPs can actually do things where, if folks are aware of Have I Been Pwned, some of these have similar services that go out on the dark web and look for any credentials for end users existing out there, and it might say we found these things. The application scope: what is it that we're trying to get to? Again, the endpoint protection is going to roll up and tell us whether a device is MDM compliant. We already talked about user risk. Network risk as well: a lot of the cloud identity providers have the benefit of being able to take their collective, aggregated network signals. So I might be fine at home, but say I go to Starbucks with this laptop and we've seen malicious activity coming out of Starbucks; that can feed into network risk signals that may or may not influence whether or not we're actually going to get to things. And again we can look at the authentication strength; we can say you're not using strong credentials. So ultimately, when our admin goes to get to the management plane, if all these things are strong and satisfied, we'll say we're going to let them in. But say there is something we don't like; again, back to the Starbucks scenario, if we are trying to access from Starbucks and there's malicious traffic, our access may ultimately get blocked. So just trying to add some context here.

Now, I'm not big into the sort of name-and-shame thing, but I think a lot of times in the news we only see the gloom, we only see organizations that have been compromised, they've been ransomwared, etc., and on the vendor side it's always like, yay, look at how great everyone's doing, and we saved this customer and all this, and we never really talk about the middle. There's something between these two spots, which unfortunately, when it comes to cloud, a lot of organizations tend to be in. So this software company: they have about 100 million a year in revenue, they had all their critical workloads in AWS, a bunch of Kubernetes stuff they were running out there. They had no privilege separation on their devices, so they had their daily driver laptop that they use for whatever it is that they're doing, and that same laptop they could actually also use to get out there with account owner. These are their cloud architects. But it didn't really matter, because their critical workloads they could also get to from their home personal laptops. They had no controls in place limiting what devices they could get into this stuff from.
So it doesn't even matter what they're doing on the work laptop; they could go use their kid's iPad to get to it if they wanted to. And again, they were allowing weak MFA, which, sometimes from an identity perspective we come down harsh on people because it's like, phishing-resistant again, and you get into that "any MFA is better than no MFA", but when we're talking about those keys-to-the-kingdom accounts, Global Admin, game-over things, those are the limited ones that we want to make sure we're using the strongest authentication possible for. And they had no just-in-time privileges, so their standing privileges were account owner; they sign in, they're account owner, they don't have to do anything else to obtain those privileges. So this is potentially an incident waiting to happen at this organization.

So just to kind of reiterate here what it is that we really want to see organizations do with those tier zero, those account owner, Global Admin accounts. For all these orgs, for those highly privileged accounts, you have least standing privilege: I'm a global admin, but when I sign into Azure I actually don't have Global Admin; I have to go and elevate my privileges to obtain Global Admin. So just-in-time goes along with sort of just-enough privileges, and this stuff is usually time-bound, so if I only need to do Global Admin stuff for an hour, I say I only do Global Admin stuff for an hour and then I lose those privileges. If I need them longer I go back and can extend them again.

Privilege separation. With phishing, for example, one of the big issues with phishing in the cloud is, if my daily driver is also a global admin and I get phished and I am not using strong auth, then when I am phished and there's some scenario there, they essentially also can get in with global admin privileges. So you want to make sure that that account that you're using, just like most folks would probably say your domain admin should just be domain admin, same thing out in the cloud: your Global Admin should just be Global Admin.

That hardened, cloud-managed, dedicated device. From the hybrid perspective, where most organizations that are in the cloud are, you want to really make sure that when you're managing the cloud, that is not tied to on-prem things. So if you're using an on-prem based, say it's an SCCM, platform for device management, you don't want that managing these privileged access workstations, because then all of a sudden if your domain admin is owned, well, you can move the other way. Here we're talking about how if the cloud's owned we can own on-prem, but you also can flip it, and if you own on-prem you can potentially own the cloud.

And again, that contextual authentication. Something we will tend to see a lot is organizations will only have, they may have something like Conditional Access with Azure AD, but they're not really using it. So we want to make sure that these organizations are actually implementing this stuff for those global admins. And it gets back into that this stuff is hard; it's not easy to roll all this stuff out to all the organization, but we're just talking about focusing on that limited number of accounts. Already said phishing-resistant credentials. And minimizing the number of highly privileged accounts: one other thing that we will tend to see is you go into an organization and the CTO will be a global admin, and you're like, why? And they're like, well, because I'm the CTO. It's like, well, that stuff doesn't really fly these days, unfortunately. But we'll go into organizations; I actually had a state customer who had 60 Global Admins, and ultimately it came down to an education thing where they did not understand cloud RBAC, the delegation models that are potentially available. And, as I think I mentioned already, cloud-sourcing those privileged users: we don't want to tie them to Active Directory, because ultimately if we do and Active Directory is popped, so is the cloud. And I think that's the last one.

But this is very high-level stuff, and there's more depth to it, but I will also say on the flip side that protecting those highly privileged users doesn't need to take a lot of effort if you can get the time dedicated. And a lot of times in organizations it is prioritizing that stuff, which is where you have to sort of be a little scary, the "you're going to go out of business" sort of things, if you don't do this. And I think I pretty much ran up to the end of my time here, so again if you have any questions or want to chat further after this, more than happy to, and I appreciate everyone taking their time. So thank you.
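As an added illustration of the two controls the talk keeps returning to for tier-zero accounts (contextual authentication through a policy engine, and least standing privilege with time-bound just-in-time elevation), here is a small Python model. It is example code written for this page, not anything from the talk, from Semperis, or from Azure AD Conditional Access or PIM; the signal names (`user_risk`, `network_risk`, `device_compliant`), the rule set in `evaluate_tier0_access`, the 8-hour activation cap and the three sample sign-ins are all constructed assumptions.

```python
"""Toy model of contextual authentication plus just-in-time elevation for
tier-zero cloud admins.  Everything here is constructed for illustration:
signal names, rules, the activation cap and the sample sign-ins are
assumptions, not the API of any real identity provider."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Methods the policy treats as phishing-resistant: FIDO2, Windows Hello for
# Business, certificate-based auth (the three named in the talk).
PHISHING_RESISTANT = {"fido2", "whfb", "certificate"}
# Assumed set of "management plane" applications that get the strict policy.
TIER0_APPS = {"azure-portal", "aws-console", "entra-admin"}


@dataclass
class SignIn:
    user: str
    app: str
    auth_method: str          # "fido2", "whfb", "certificate", "totp", "sms", ...
    device_compliant: bool    # MDM/EDR compliance rolled up from the endpoint
    user_risk: str            # "none" | "low" | "medium" | "high" (e.g. leaked creds)
    network_risk: str         # "none" | "low" | "medium" | "high" (IdP network signal)


def evaluate_tier0_access(s: SignIn) -> tuple[str, list[str]]:
    """Return ("allow" | "block", reasons) for a sign-in to a management plane.

    Every control must hold at once; all failures are reported, not just the
    first, so the admin (and the SOC) can see which signal blocked access.
    """
    if s.app not in TIER0_APPS:
        return "allow", ["not a tier-0 management plane; strict policy out of scope"]
    reasons = []
    if s.auth_method not in PHISHING_RESISTANT:
        reasons.append(f"auth method '{s.auth_method}' is not phishing-resistant")
    if not s.device_compliant:
        reasons.append("device is not a compliant, managed workstation")
    if s.user_risk in {"medium", "high"}:
        reasons.append(f"user risk is {s.user_risk} (e.g. credentials seen in a leak)")
    if s.network_risk in {"medium", "high"}:
        reasons.append(f"network risk is {s.network_risk}")
    return ("block", reasons) if reasons else ("allow", ["all tier-0 controls satisfied"])


@dataclass
class Elevation:
    role: str
    expires_at: datetime


@dataclass
class PrivilegedAccount:
    """Least standing privilege: the account holds no role until it elevates."""
    user: str
    eligible_roles: set[str]
    active: dict[str, Elevation] = field(default_factory=dict)

    def elevate(self, role: str, hours: float, now: datetime) -> Elevation:
        if role not in self.eligible_roles:
            raise PermissionError(f"{self.user} is not eligible for {role}")
        hours = min(hours, 8.0)   # assumed cap per activation; longer work re-activates
        elev = Elevation(role, now + timedelta(hours=hours))
        self.active[role] = elev
        return elev

    def has_role(self, role: str, now: datetime) -> bool:
        elev = self.active.get(role)
        if elev is None:
            return False
        if now >= elev.expires_at:   # time-bound: the privilege lapses on its own
            del self.active[role]
            return False
        return True


def demo() -> dict:
    """Run constructed scenarios modelled on the talk through the policy."""
    now = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    # Hardened workstation, FIDO2, clean signals -> allowed.
    good = SignIn("admin@example.test", "azure-portal", "fido2", True, "none", "none")
    # The "software company" case: home laptop, SMS MFA -> blocked for two reasons.
    weak = SignIn("architect@example.test", "aws-console", "sms", False, "none", "none")
    # Same hardened workstation, but from a network the IdP has flagged -> blocked.
    coffee = SignIn("admin@example.test", "azure-portal", "fido2", True, "none", "high")

    acct = PrivilegedAccount("admin@example.test", {"Global Administrator"})
    before = acct.has_role("Global Administrator", now)                           # False
    acct.elevate("Global Administrator", hours=1, now=now)
    during = acct.has_role("Global Administrator", now + timedelta(minutes=30))    # True
    after = acct.has_role("Global Administrator", now + timedelta(hours=2))        # False
    return {
        "good": evaluate_tier0_access(good)[0],
        "weak": evaluate_tier0_access(weak),
        "coffee": evaluate_tier0_access(coffee)[0],
        "jit": (before, during, after),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of returning every failed control rather than the first one is that the blocked sign-in becomes a useful detection event: a tier-zero account arriving with a non-compliant device and SMS MFA is exactly the pattern the speaker's "incident waiting to happen" organization would have seen had such a policy been enforced.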