Tequila Sunrise. Or, How to Help Protect Your Servers in the Middle of the Desert

“Bill — you’ve known about this road trip for months now. You signed the paperwork back in January. I’m all packed and planned and hitting the road bright and early tomorrow.”

Bill had forgotten all about Theresa’s California to New Mexico road trip and was far from crazy about her driving over 1,000 miles through places where even the telegraph hadn’t made it yet. When any type of security issue happens in IT, she’s the one person he depends on to save the day and arm him to survive the inevitable C-level grilling.

After much grumbling and juvenile whiny noises, Bill concedes defeat.

“OK, well you’d better pray nothing goes wrong while you’re out. Google a path through internet cafes so you have WiFi in case of any issues.”

Fast forward a bit. Early Sunday morning, a pristine landscape along Historic Route-66. The sun is coming up golden. “Serenity now….”

Route-66 Sunrise

When…yes, you guessed it. A shrill barking noise pierces her zen-like back-to-nature moment. It’s the Bat Signal from her phone. The one that should rarely sound. The one that Bill fears the most.

Theresa lets out a sigh, pulls over and reads the alert. Their Centrify solution has been doing its routine job of governing and recording privileged session activities. However, this fine Sunday morning it has recorded something suspicious on one of their most sensitive PCI Linux servers, triggering a SIEM alert.

The PCI servers are protected by Centrify Server Suite. But it’s not the security per se that’s triggered an alert. Brad is a legitimate sys admin with roles that allow him privileged access to these servers based on his job function. Ordinarily, his activities might be considered innocuous, but at 4am-ish on a Sunday morning? That doesn’t align with his typical behavior pattern. Centrify’s Session Recording has been video capturing and transcribing every privileged activity on those boxes, including his attempt to make copies of very sensitive data files.

Mountain. No WiFi

Of course, the timing sucks. Middle of nowhere, no WiFi, one bar on the phone. What can you do? Quite a bit as it happens.

Theresa pulls out her iPad and even with a weak cell signal, is able to browse to the Centrify Privilege Service portal. No VPN required. Thank <your favorite deity> for SaaS! Once logged in, the Privilege Service dashboard shows an open session by Brad to one of the aforementioned PCI servers.

With a couple of clicks, Theresa is watching Brad’s activities on that PCI server in real time. Although he’s using the Privilege Service to remotely log into the PCI server using his AD account (“brad1”), he’s using the Centrify Server Suite to elevate his privileges and access some very sensitive folders and files. She also sees him run a remote PuTTY session to another PCI server and is able to watch him perform equally questionable stuff there as well, since the CPS “Watch and Terminate” feature sees all.

CPS-Watch

After a few minutes observing, she decides to take action. So with a couple of clicks, she’s able to remotely terminate Brad’s login session.

With another couple of clicks, the Privilege Service has logged her into a domain controller over another secure remote VPN-less session. From there, it’s an incredibly simple matter to launch the Centrify Server Suite Access Manager, scroll down to the “PCI Zone,” select Brad, and remove him from that container. The net effect of that is to immediately disable his access to every PCI server in that zone.

Although further investigation would be necessary, Theresa is content knowing that her Centrify solutions have given her the tools and visibility necessary to mitigate a potential risk. All in the space of about 10 minutes from an iPad, with no WiFi or VPN, on Route-66, in the desert.

Time for a Tequila Sunrise, methinks!

A few hours later, Michelle on her team had already concluded the investigation: Brad’s credentials had clearly been compromised. The remote “Fake Brad” session was initiated from a server in Asia. Michelle was able to use the Privilege Service recordings to view all recent Fake Brad remote login sessions. She discovered attempts to log in to network devices as well as servers. At a more granular level, she was able to leverage Centrify Server Suite on each host to view per-server recorded session activities. Fake Brad had used that initial compromised server to “hop” over to other servers and network devices and install tools and malware.

CPS + CSS

She cleaned it all up and tightened the Server Suite PCI Zone policies to disable resource hopping. She updated their alerting rules to consume Server Suite events that would alert on future attempts to resource hop. Finally, she added new Centrify policies requiring a 2nd factor to log in to Privilege Service when not on the corporate net; to check out a password; and to initiate a remote login session. Similarly, on each PCI server, she added a new Server Suite policy requiring a 2nd factor when requesting privilege elevation.
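The two signals this story turns on are an elevation at a time that doesn’t fit the admin’s usual pattern (4am on a Sunday) and a server-to-server “hop” inside the PCI zone. The script below is an added example of what the alerting rules Michelle wrote might check; it is not Centrify code and does not use Centrify’s event format. The line format, the zone membership and the sample events (baseline weekday activity for “brad1”, then the Sunday-morning session) are all constructed here for illustration.

```python
from datetime import datetime

# Constructed sample events (not a real Centrify or Server Suite log format):
# "<ISO timestamp> user=<id> host=<name> action=<verb> [target=<name>]"
BASELINE_EVENTS = """\
2016-05-02T09:15:00 user=brad1 host=pci-db-01 action=elevate
2016-05-03T10:40:00 user=brad1 host=pci-db-01 action=elevate
2016-05-04T14:05:00 user=brad1 host=pci-app-01 action=elevate
2016-05-05T11:30:00 user=brad1 host=pci-db-01 action=elevate
"""

NEW_EVENTS = """\
2016-05-08T04:12:00 user=brad1 host=pci-db-01 action=elevate
2016-05-08T04:14:00 user=brad1 host=pci-db-01 action=copy target=/var/pci/cardholder.csv
2016-05-08T04:20:00 user=brad1 host=pci-db-01 action=remote_login target=pci-app-02
"""

# Hypothetical zone membership; in the story this would come from the AD "PCI Zone".
PCI_ZONE = {"pci-db-01", "pci-app-01", "pci-app-02"}


def parse_events(text):
    """Turn the constructed line format into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = {"ts": datetime.fromisoformat(stamp)}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def build_baseline(events, action="elevate"):
    """Per user: the weekdays on which they elevated and the hours they used."""
    baseline = {}
    for ev in events:
        if ev["action"] != action:
            continue
        entry = baseline.setdefault(ev["user"], {"weekdays": set(), "hours": []})
        entry["weekdays"].add(ev["ts"].weekday())
        entry["hours"].append(ev["ts"].hour)
    return baseline


def detect_off_hours(events, baseline, slack_hours=1, action="elevate"):
    """Flag elevation on a weekday the user never used, or outside their usual hour span."""
    alerts = []
    for ev in events:
        if ev["action"] != action:
            continue
        profile = baseline.get(ev["user"])
        if profile is None:
            alerts.append({"kind": "no_baseline", "user": ev["user"], "ts": ev["ts"]})
            continue
        lo = min(profile["hours"]) - slack_hours
        hi = max(profile["hours"]) + slack_hours
        odd_day = ev["ts"].weekday() not in profile["weekdays"]
        odd_hour = not (lo <= ev["ts"].hour <= hi)
        if odd_day or odd_hour:
            alerts.append({"kind": "off_hours_elevation", "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"]})
    return alerts


def detect_zone_hops(events, zone):
    """Flag remote logins that start on one zone host and land on another zone host."""
    alerts = []
    for ev in events:
        if ev["action"] != "remote_login":
            continue
        src, dst = ev["host"], ev.get("target")
        if src in zone and dst in zone and src != dst:
            alerts.append({"kind": "zone_hop", "user": ev["user"],
                           "src": src, "dst": dst, "ts": ev["ts"]})
    return alerts


def run_detection(baseline_text=BASELINE_EVENTS, new_text=NEW_EVENTS, zone=PCI_ZONE):
    """Build the per-user baseline from history, then run both detectors on new events."""
    baseline = build_baseline(parse_events(baseline_text))
    new_events = parse_events(new_text)
    return detect_off_hours(new_events, baseline) + detect_zone_hops(new_events, zone)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The baseline here is deliberately crude (weekdays seen plus an hour span with one hour of slack); a real rule would build it from weeks of session-recording events and would also want the source address of the Privilege Service login, which is what gave the “Fake Brad” session away in the investigation.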

So what we’ve observed here is two solutions organically developed by Centrify, superbly blended, that each played unique but critical roles.

Centrify Server Suite and its patented Zone technology protects those PCI machines. It extends AD’s reach to non-Windows servers, bringing them into the AD fold. Server access, user roles and privileges, segregation of duties, multi-factor authentication, true least-privilege elevation, even AD Group Policy (extended to Linux, Unix, and Mac) — all centrally governed from within AD. Rock solid.

Centrify Privilege Service — the industry’s first cloud-based secure remote access and password management service. Leverage the convenience of the cloud for secure remote VPN-less access to servers and network devices. Layer on multi-factor authentication for added identity assurance.

A week later…back in the office, Bill is chirpy. “It was a quiet time. You could have stayed away longer. I had everything under control.”

Smile and walk back to your desk. You can tell him all about it later.

Check out a short and sweet demonstration of Watch and Terminate in action:

Also, find out more about Centrify Server Suite and Centrify Privilege Service. Why not take them for a test drive and experience the modern approach to privileged identity management for yourself with a free trial here and here.