
Hello and thank you for joining me today. My name is Damen Brown and I'll take you through how to demo the BeyondTrust Privileged Remote Access product. This is a good introductory demo which will cover a lot of unique selling points of the BeyondTrust Privileged Remote Access product. This is just a starting point: if you are new to pre-sales or to the BeyondTrust Privileged Remote Access product, this will seem like a huge challenge, and depending on the needs of the client it really can be. The truth is, giving a demonstration is easy; giving a good demonstration that meaningfully communicates the value of our solution to a prospect is very difficult. Many SEs get stuck talking about product features and not how the feature aligns to the prospect's needs. The aim is to go beyond just feature-based demonstrations, allowing you to put together a demonstration that uses the product to prove our key message, in order to show the BeyondTrust proposal is superior to the competitors'.

In this introductory demo I'll cover a lot of unique selling points of BeyondTrust Privileged Remote Access. The demo is broken down into three sections: a slide presentation, which includes a feature overview, a note of the USPs and an architecture slide; we'll then move on to a product demonstration, which includes the rep console options (whether that be web-based or installed on an OS), connection methods, approval workflows, discovery, injection and elevation from the Vault, and reporting. The final part: just to remember, don't forget to not only answer any questions the customer or prospect has, but to ask them too. Reaffirm throughout the demo, but also at the end, that we have understood their needs and covered off any features on the product.

So let's talk about why PRA, and the main features of it. It's about secure remote access: provide third-party vendors with secure, reliable connections to access your network externally. As we move to more people working from home, this can also be for your internal IT staff, as you also want to monitor, or maybe have the need to monitor, their activity as well. It's not just about auditing what they're doing; it's about learning and training from the sessions that they have on the remote systems.

We have the ability via our Vault system for account rotation: rotate or reset vendor accounts automatically based on your specifications. If they're Active Directory accounts, we can link to those and rotate the passwords when needed, based on a time frame that you set.

Let's elevate the access that they have, so we can grant vendors temporary elevated access, or limit that access to certain time frames. It's really powerful when you want to control what those vendors are doing.

Monitoring is one of the key points of the product: all session activity is logged for a complete audit trail. That not only means the video record of sessions that are going on, but also what is being typed into the system, with keyboard logging as well.

And finally, why not maximize the existing investment in your CRM or ITSM tools? We link with some of the great providers when it comes to these, allowing even more integrations via change management systems, or if you want to export logs into other third-party systems, say Splunk.

So let's talk about what things look like at the moment. Typically we would install a VPN client on the end user's machine. So here is our user on a potentially bring-your-own-device or non-compliant machine, and the line represents a firewall and the corporate network behind. So what we do at the moment is install a VPN client onto this machine, to which they authenticate and gain access to the corporate network. This means that they and their laptop have access across the corporate network, which is completely unmonitored and unfiltered, and you don't necessarily know when they're coming in.

How do we want it to look? So let's look at what BeyondTrust does. So we have access to the corporate network as needed. Again, the same device, which is either bring-your-own-device or non-compliant, gains access to the hardened appliance, either via the BeyondTrust web access console, so no client needs to be installed, or, if you want to, there's an OS client as well. Once they've authenticated, and there are lots of methods for authentication, they then gain access to the corporate network by controlled access. This access can also have workflows set to it that require your approval, and also have some sort of conditional access that says they can only get to certain places within your secure network. So once they're inside the secure network they can gain access to the critical infrastructure they need and be compliant with any regulations you have set.

So let's just sum that up for you: no end user device client needed; a secure pathway into the network; flexible authentication methods; approval workflows needed to gain access to specific systems; you have the visibility in auditing when it comes to logs; you have the ability to have credential management within the Vault; and flexible, granular access methods.

So let's have a look at the architecture and how this is put together. Here we have a typical customer environment: systems in your data center, or hosted in your cloud subscription, and either a third-party vendor, service provider or an employee that needs access to them. Remote access today may be provided by giving the remote vendor access to the VPN, but that is considered insecure, as you're effectively giving them direct access to the corporate network. This is point-to-point access: what if your vendor's laptop is infected with malware? That malware can spread across your network. With BeyondTrust, all remote access is secured through a Privileged Remote Access hardened appliance; there's no need for a VPN. These are available as hardware or virtual appliances and can be hosted by BeyondTrust as a SaaS solution, or on premises, either in your data center or your cloud subscription. On-premises appliances are unique to each customer, as they are hard-coded with certs, meaning the only software allowed to be used in your remote access sessions must be downloaded from your appliance.

One method of accessing systems securely is via a Jump Client. Jump Clients are downloaded from the appliance and installed on the remote servers or workstations, be that Windows, Linux or macOS; all are supported. All communication is outbound over port 443 with TLS 1.3 encryption, therefore highly secure and extremely simple to deploy, with no need for complicated firewalls. The end user accesses the solution through either an HTML web console or a lightweight thick console available on Windows, Mac or Linux, which is also downloaded from the appliance.

To authenticate users, the solution can be configured with several security providers: local, which can be paired with two-factor authentication using a time-based one-time passcode, LDAPS, SAML, or something like Azure AD, which also honors conditional access, single sign-on and MFA, for instance. Role-based access determines the user's privileges and memberships once authenticated: what teams are they in, what functions do they get, and what systems can they access?

There are likely to be systems where it's not possible to install an additional client, whether that's because they're not a supported OS or adding another agent is forbidden. Here we can leverage a Jumpoint, an agentless connection where the Jumpoint software is downloaded from the appliance and installed on a Windows or Linux server, allowing users to connect to remote target systems. Utilizing a Jumpoint enables an organization to provide secure access to additional targets, such as network hardware or websites via Web Jump, published applications via Secure App, and protocol tunneling with a Protocol Tunnel Jump to allow client-side applications to communicate directly with internal systems. Target endpoints that reside in secure zones can also be accessed by leveraging a Jumpoint that acts as a zone proxy, extending the benefits of Jump Clients to more of these restricted locations.

Approval workflows or notifications can be enforced when authenticated users need access to critical assets. Request forms are presented to the user and the request is emailed to a list of approvers. These requests can easily be approved or denied via the appliance web portal. Privileged credentials for these systems can be managed securely by PRA: discovering, onboarding, injecting into a session (which is hidden from the user) and rotating once used. Just to note: Windows credentials can be discovered, injected and rotated; SSH keys must be added manually and can't be rotated, but they can be injected.

Once in the session, the user can take advantage of the remote control along with file transfer functionality, command shell, registry editor and system info directly in the PRA access console. A user can collaborate with others by sending an invitation to other authorized colleagues where enabled, or invite a person external to the solution who has no identity in it, as in a chaperoning scenario. Full auditing with screen recording, keystroke logging and forensics takes place once a session is initiated.

So now we've finished going through all the features, or some of the main features, including the architecture slides, it's time for a product demonstration. Don't forget to ask the customer if they've got any questions at this time, or if there is anything they want to confirm and specifically see within the product demonstration.

The first thing I'm going to talk to a customer about is the different connection options to Privileged Remote Access. The first one of these is via an installed OS client. This can be installed on Windows, Mac or Linux. Authentication can happen via any of the methods that can be used along with the web console; this includes its own database built within the appliance, synced with Active Directory, SAML or RADIUS authentication. Just to show you this, I'm going to log in with a local user account, and the Windows client is now logged in. I am, however, going to continue down the rest of the demonstration mainly in the web console, so I'm going to close this down for the time being.

As described before, not only can I log in with one of those local accounts, I can also use SAML authentication. I'm now going to log into the appliance with SAML authentication via Okta. Once I've specified the username and password, it'll then ask me to confirm my identity by sending a notification to my mobile phone, and once I've verified that, it will then forward me on and grant me access, confirming that multi-factor authentication has happened.

The screen that I'm then presented with gives me a list of all the endpoints that I have access to. On the left-hand side we have jump groups; systems can be put in different jump groups, and users can essentially be granted access to all systems within the jump group as needed.

Once we move on to the discussion points around connection methods, if at any point the customer has any confusion, or you want to reiterate some of the connection methods, don't ever hesitate to bring up the architecture slide again, where you can just reconfirm what connection methods are being used at the point that you are connecting.

The first connection method that I'm going to show the customer is a Jump Client. If I quickly bring up the architecture slide again: the Jump Clients we're talking about are an agent-based installation that can be installed on any of these operating systems. Once this agent is installed, we are then able to leverage that Jump Client in order to connect to that endpoint. In this instance I'm going to connect to a Windows Jump Client, on this domain controller that I have set up here. I can expand the line to show further system information about this endpoint, and then what I can do is request to jump onto this. I have no workflows in place to connect to this system, but as the system is locked, I can now start to leverage some of the key components when it comes to Vault capabilities.

The user I've logged into the system as does not know or have any administrative credentials. The credentials they're logging on with are a standard user that is synced up with Active Directory and using Okta for MFA. What I'm able to do here is, using the key icon, grab any credentials that are available to me to use to log onto systems. These credentials can be specific per endpoint, or you may want to give them access to a range of credentials that can be used across different endpoints. In this example I'm going to choose the IT admin credential. Now, I don't know this password; really get that across to the customer. This password has been discovered and onboarded within our Vault, and then it's supposed to be rotated once the credential has been checked back in after its usage. It has a long, complex password, so it's pretty much impossible to be hacked. Once I've selected that credential I then click OK, and as you can see the credential has been injected straight into this endpoint, allowing me to log on and continue doing my work.

Before I move on to other connection methods, let's just go through the console here and see what we have access to, for either employees that are connecting to the system or your vendors to take advantage of. We have chat functionality here, so if you invite an external user or anyone else from your team into a session, you have the ability to collaborate with all of the people in the session over this chat. For any systems with a slow connection, we can change the quality and resolution to make sure that the connection streams as fast and as well as possible. We have the ability to toggle the scale and actual view. We can also bring up a virtual keyboard in case there are any specific characters that we don't have on our keyboards to use. And also, we all know that we have had some issues with RDP connections, for instance with copy and paste: having a specific toggle, not only can we utilize this copy and paste function with the clipboard, we can actually control whether users can copy things to the system, or effectively paste them off and copy them back to their own systems. That gives you that granular level of control.

Some of the other core functionality which we can make use of for the Jump Client is things like special actions and canned scripts. What we're able to do here is customize scripts or specific applications or executable files that we can gain access to. As we utilize these a lot, this really helps speed up the process for any third parties or employees coming into a server who want to gain access to these straight away. In this instance I just run Event Viewer, and that's going to run as an elevated system. As you can see, it started up straight away instead of typing it in or finding it in Control Panel. Just to show that again on something else: say I want to run a canned script and I want to flush the DNS cache within this Windows system. I can just run that, and as you can see that has now correctly run. All of that information is being logged and audited within the system as well.

The last thing I normally show within the connection dashboard is just the fact that we can also restrict, toggle and gain access to other parts of the system by using this agent. We can go straight into command shell if needed, or restrict access to that command shell if we want people just to be able to run certain types of commands. And also, with file transfer, people are able to download and upload files to the remote system if needed. This can also be restricted, say people can only maybe upload and not download, and vice versa. It really is flexible, based upon the group policies, or the policies that are set on specific groups, vendors or users themselves.

The next connection method I'm going to share with the customer is via an RDP connection via a Jumpoint. If we quickly pop back to our network diagram, we can see again that we're utilizing an agent installed on another server that's called a Jumpoint. Via this Jumpoint, or effective proxy, we can then leverage other connection methods for systems that may not allow us to install an agent on the end machine. So if I pop back to the window here, I'm just going to do a straight connection to this app server by RDP. I'm going to be asked now for any vaulted credentials I want to utilize, so again I'm just going to use the IT admin username and password (I don't know it), and as you can see it's automatically logged in and connected to that machine. I can still use some of the functionality that we did before in the Jump Client connection method, but some of the features are limited because effectively we are just using RDP here. One of the main things to specify again to the customer is that all the session forensics and screen recording is happening, so regardless of using a Jumpoint or an agent-based installation, all the analysis and logs, which is really key and important, is still happening.

The next connection method I want to show is a Shell Jump. In this instance I'm going to connect to a CentOS machine and just leverage again a Jumpoint to show that connection to a shell, a command-line system. In this instance I'm going to use a specific user to authenticate and connect to that machine. As you can see, once it's connected I then have access to the shell of that machine.

After that I'm going to move on to using the Privileged Remote Access desktop agent, or connection agent, and that in a way is very similar to Remote Desktop Services, which is a Microsoft-based system where you can present specific applications via remote desktop. In this instance I'm connecting back to a Windows server and just presenting notepad.exe as the application. So as you can see by the executable path here, they're only going to have access to that application, and this can be any application that the customer wants to use, maybe SQL Management for some of their database developers. So if I just jump on here and authenticate with my Vault credential, when it connects to the Jumpoint by RDP it then logs into the server and just presents the application, and no other application outside of the one that we specify.

The final jump method I'm going to talk about before I move on to workflows is a Web Jump. A Web Jump is a paid-for service when it comes to PRA and can be added on by the customer at any point, but some of the specific use cases around here are any admin interfaces when it comes to things like Office 365, or maybe they have some networking equipment that has a GUI web interface to it. It leverages a Jumpoint to make that connection via browser. So as you can see here, I have a connection back to Okta and the website and the login page of that, and once I'm connected everything will be audited. So I'm going to jump on there with some specific credentials, my Okta credentials that I've been given access to by the Vault, and once the connection is made it will log on with those and then present the Okta MFA authentication to me. As you can see, the connection has now been made. I'm going to send the push to my phone and confirm that sign-in, and once done I'll then be presented with my Okta apps. And again, everything is being recorded; everything I then do within this web browser or interface is then audited.

One of the great features of Privileged Remote Access and the ability to jump on machines is we can add in workflows that allow either notifications when certain vendors or employees are connecting to certain endpoints, or we can also put in approvals. When we get to talk about workflows with the customer, we really want to dig down and highlight that we can link in with their current workflows if they have any, or they can add these workflows for added security. One of the things we spoke about in one of the early slides was integrations with ITSM systems. BeyondTrust can leverage these integrations to further add to the workflows that they have when it comes to change management.

The way that we demo this is to first show us connecting to a Jumpoint with an approval notification only. In this instance I'm connecting to a server here that is set to notify the administrator of any connection that is made, and as you can see it is alerting the person who's connecting to the Jumpoint that an administrator would be notified of this session, and would you like to start that session? As I click yes to that, I'm then presented with my vaulted credentials to log onto the Jumpoint, and the jump takes place. As you can see, from the end user's perspective there's no difference, but what has happened in the background is a notification has been sent to the administrator, as it promised, alerting them that that person is connected. This has been sent over email; it's advised that this is the endpoint they've connected to, this is the username of the person and this is the date and time. So as you can see, it really does allow that full granularity about who's connecting to what.

The second workflow jump that I'm going to show is with approval. When the third-party vendor or employee wants to connect to an endpoint, it asks them for a reason to connect, why they're connecting to the endpoint, and then, before they can actually connect, it requires someone to approve that. So what I'm going to show here is me as a vendor jumping onto this endpoint. It pops up with any notifications that you want to put on the policy, and then asks the end user for the reason they want to connect. Once they send that message, you can also add in there, if required, a date that may be in the future and a duration. In this instance I'm just going to leave these as default. Once I press send, I then don't actually get the ability to jump onto the item, but what has happened is an email has been sent to the administrators asking for one of them to approve that jump.

From the administrator's side, they get an email. It advises them of a pending approval request: what server they want to be connecting to, the date and for the duration they want to connect, the reason that the third-party employee filled in, and who requested it. From their perspective, they just respond to this request and they're presented with the web page to add any comments. Once they've approved or denied, the third party who's connected to the appliance and logged in is advised that their approval has happened. Once they press OK, they're then free to jump onto this machine with the vaulted credentials, and once the jump has been successful they're presented with the message that the administrator has put on the approval request form as well; as you can see there, "please go ahead". They're then free to do the work they need to do for the time period that's allowed.

Going back to one of the slides we showed before, and what we've discussed throughout this presentation, we talk about knowing who's doing what on our systems and when. These workflows really do help with that. There are so many times in maybe current setups we have with VPNs when we don't know a third-party vendor or an employee is on what servers and systems. If we add these workflows into there, not only are we protecting ourselves from anything that may go wrong from an attack perspective, but also, with the audit and logging that I'll come to in a moment, we're adding the ability for any training to happen with internal staff. If a third-party vendor does something specific on a server we're unaware of or we'd like to learn more about, we can use the video logging to show staff how to fix a certain problem or what happens with an application.

The BeyondTrust Privileged Remote Access solution captures an audit trail of everything that occurs inside of a BeyondTrust session. This data can be viewed on the appliance and archived off the appliance for long-term retention. Within the admin console you have a reporting section that allows you to generate and filter detailed reports on all session activity. If I drill down on a specific session that took place on a Jump Client, I not only get the detail of all the information about the system towards the bottom, but I also get detailed logs of all the activity that took place. To take this to the next level, I also can view the screen recording too. This can be valuable information if an incident has happened where we need to see what the rep has done, or to help train our teams on specific tasks. This audit data can be sent to an external ITSM system like ServiceNow so the audit trail can be viewed in the context of a ticket.
