Presentation on theme: "BalaBit Shell Control Box"— Presentation transcript:
1BalaBit Shell Control Box New Concept for Privileged User Monitoring
2AgendaMarket challengesUser Monitoring by BalaBitConclusion
3BalaBit IT Security „The syslog-ng company” 2011 revenue: $10.3 M (35% annual growth)Number of employees: 120Number of customers - global:commercial customers: 800open source users:12 years experience in IT SecurityGlobal partner network, 80+ partners in 30+ countriesAwarded to Deloitte Technology Fast 500 and Fast 50 Lists (2010)
4External Challenges: Security Breaches The market challenge can be seen in the news almost every day.There are too many security blindspots that allow users – especially privileged users – to access your sensitive data or negatively impact your network.It happens event at many of the largest and most tightly managed organizations, such as Fannie Mae and Bank of New York… and this is because….THERE ARE SIMPLY TOO MANY BLINDSPOTS OF USER ACTIONS THAT ARE NOT AUDITED
5External Challenges: Compliance Pressure to Monitor Users SOX→ COBITDS5.5 Security monitoringDS9.2 Config.changesDS11.6 Securing DataPCI-DSS Chapter 7, 8 Implement Strong Access Control Chapter 10 Audit Access to Cardholder Data Chapter 12 Maintain sec.policy for personnelISO27002A Third-party service mngmntA Monitoring user activitiesA Mgmt of Security IncidentsHIPAA, Basel II, GPG13…Similar requirements!The ability to monitor user activity and resource access has become part of the standard of due care for a wide variety of regulations across many industry segments. A few examples:• COBIT is the underlying control framework for Sarbanes Oxley. The COBIT controls for security monitoring, change management and securing data require the ability to monitor user activity and resource access.• The payment card industry (PCI) data security standard (DSS) references a need to audit access to cardholder data and the need to implement an access control system.• ISO27001 references a controls for monitoring system use, controls for system administration and operations, and the management of security incidents.The U.K. Government Code of Connection references security requirements that are adapted from ISO27001 and monitoring requirements from Good Practice Guide 13 (GPG13).
6Internal Challenges: Uncontrolled „Superuser” Access IT StaffUNLIMITED AND UNCONTROLLED ACCESS!!!SSHOutsourcing partnersHTTP, TelnetControl limitations of FWsRDP, VNCManagersCitrixSystem administrators and other “superusers” are the most privileged users in a company’s IT environment. They have very high or even unrestricted access rights on operating systems, databases and application layers, as well. Having superuser privileges on servers, administrators have the possibility to directly access and manipulate the company’s sensitive information, such as financial or CRM data, personnel records or credit card numbers. Furthermore, several administrators typically access the same privileged account, sharing the account password, which could not be treated as secure from this point. Consequently, it is very hard to answer the question of “who accessed what?” and even more difficult to provide proof of any misuse.In addition, there are access control gaps in the firewalls: FW can only allow or block a connection, no possibility for granular control of user access + there are certain traffic types, which the FW already can’t control: e.g. outbound traffic or in house traffic.In large enterprise environments there can be huge number of servers which are administered by hundreds or thousends of system administrators. Their activity are simply can’t be traceable or controlled.Firewall,Network devices,Databases,Web/file servers,Citrix server…VDI usersToo complex environments
7Internal Challenges: „Superuser” Fraud BalaBit IT Security surveyed more than 200 IT professionals which concluded the below key findings:Top 6 list of prohibited activities in the workplace among IT staff:1. 54% of those interviewed said that have already downloaded illegal content in their workplace2. 48% of them answered that they have made exception rules in the firewall or in other IT systems for personal purposes, to get around the IT policy3. 29% of them “have taken home” company details4. 25% have looked into confidential files, stored on the company’s server (e.g. list of salaries)5. 16% have read their colleagues (without the colleague’s permission)6. 15% have already deleted or modified log files (in order to hide or destroy evidence)Source: BalaBit IT professionals survey, 2011
8Logging is not enough…1. Several security events are not logged! 2. Logs typically do not show what was done. 3. Logs often show only obscure techn. details.So, where do these blindspots come from??Well, most activity logging acts like Fingerprint forensics at a crime scene.DB logs and system logs show the results of what the user did, but then you need to backtrack from this arcane evidence and figure out what it means and how it got there.What’s worse…. There are many, many apps (especially cloud apps and legacy software) that don’t produce any logs at all!In addition, administrators can easily erase the traces of their actions from these logs!!!User Activity Monitoring is different. It acts like a Security Camera, showing the actual user actions. And it captures every activities in apps that don’t produce their own logs.
9Key questions to answer… Can you ensure the accountability of your IT staff?Can you monitor the actions of your „superusers”?Can you reliably control your outsourcing partners?Do you really know „who access what” on servers?Can you conduct quick and cheap audits at your company?Can you present bullet-proof evidence in legal proceedings?Are you sure you’d pass audits concerning user monitoring?If you have doubts to give comforting answers to these questions, than you have probably need to think about a possible solution to these challenges….
10Privileged Activity Monitoring by Shell Control Box IT StaffPrivileged Activity Monitoring by Shell Control BoxOutsourcing partnersSSHSSHHTTP, TelnetHTTP, TelnetManagersRDP, VNCRDP, VNCCitrixControls, monitors, records, audits, reports and analyzes all widely used remote connections to your critical IT assets.CitrixFirewall,Network devices,Databases,Web/file servers,Citrix server…VDI users
11Privileged Activity Monitoring by BalaBit Shell Control Box Shell Control Box (SCB) is an appliance that controls privileged access to remote systems and records the activities into searchable and re-playable movie-like audit trails.SCB is a network security tool that is able to audit and control remote server administration at the protocol level. It is an independent network device which sits between the administrator and the servers and inspects network traffic. SCB is able to authenticate and control the users when they access to servers. All the traffic details are stored in audit-trail files which can be replayed back like watching a movie. It helps you answer the question of who did what and when on your crititcal servers.Authentication - ADDITIONAL AUTHENTICATION LAYER to your IT environment! (key features: - password mngmnt, strong auth, integration with user directories (AD/LDAP, etc.))Access control – actually, it’s an access control device which can restrict privileged users’ access to servers. It’s GRANULAR ACCESS POLICY ENFORCEMENT POINT in your IT systems! (key features: Central access control gateway, Multi-protocol support - SSH, RDP, VNC, Telnet, Citrix, etc., Access by time policy, 4-eyes authorization, Real-time access monitoring)Real-t alerting and blocking – IMMIDIATE REACTION ON CRITICAL EVENTS! (key features: logging (syslog, SIEM/DLP/IDS,-integration,) snmp & alerts, Alerts for monitoring toolsAlerts for supervisors, Terminates session if risky actionForensics&audit: By auditing all the accesses it is possible to conduct ad-hoc forensics analysis and gather information on user activities. It can be a login, file access, file transfer, launch a program, stop a service and so on. Even more you can search in the audit trails. You can search for a command or for any text appearing on the screen. (key features: Real-time activity monitoring, Tamper-proof, HQ audit trails, Movie-like playback & search, File transfer audit, Independent, transparent audit device)Reporting: customizeable reports, compliance reports (PCI), activity reports
12Authentication Key Benefit: ADDITIONAL AUTHENTICATION LAYER! Security & compliance benefits:Integration with user directories (AD, LDAP, etc.)Shared account personalizationStrong, central authenticationPassword mngmtIndependent auth. of SCB admins and auditorsKey Benefit: ADDITIONAL AUTHENTICATION LAYER!
13Access Control Key Benefit: GRANULAR ACCESS POLICY ENFORCEMENT! Security & compliance benefits:Central access control gatewayMulti-protocol support - SSH, RDP, VNC, Telnet, Citrix, etc.Sub-channel control (e.g. file transfer)Access by time policy4-eyes authorizationReal-time access monitoringKey Benefit: GRANULAR ACCESS POLICY ENFORCEMENT!
14Real-time alerting (& blocking) Security & compliance benefits:Alerts for monitoring toolsAlerts for supervisorsComing in Q4 2012:Terminates session if risky actionRisky actions are customizable (e.g. failed login, program execution, credit card number…)Alerting feature will be ready in summer for SSH and later for the graphical implementation as well in 2012.Terminates session if risky action: emphasize that now we're working on this feature and will be implemented in 2012.Key Benefit: IMMIDIATE REACTION ON CRITICAL EVENTS!
16Key Benefit: GRANULAR ACCESS REPORTS TO HELP COMPLIANCE! ReportingSecurity & compliance benefits:Activity reports (e.g. failed logins, admin commands, etc.)Customizable reportsAdvanced statisticsCompliance reports (PCI) (coming in Q4 2012!)<<<PCI compliance reports: emphasize that now we're working on this feature and will be implemented in summer 2012>>>Key Benefit: GRANULAR ACCESS REPORTS TO HELP COMPLIANCE!
17SCB in the Compliance & Security Environment AlertsCentral mgmtEncrypted traffic analysisIDSSystems MgmtAPI:integration with 3rd party applicationsremote search and managementPassword MgmtSCB can smoothly integrate in your heterogeneous IT environment, including your existing security environment, too. SCB fits in to your security environment by removing their blind spots.In addition to storing credentials locally, SCB integrates smoothly to Enterprise Random Password Manager (ERPM), Lieberman Software’s privileged identity management solution. That way, the passwords of the target servers can be managed centrally using the ERPM, while SCB ensures that the protected servers can be accessed only via SCB – since the users do not know the passwords required for direct access.SCB can also remove the encryption from the traffic and forward the unencrypted traffic to an Intrusion Detection System (IDS), making it possible to analyze the contents of the encrypted traffic. That way traffic that was so far unaccessible for IDS analyzes can be inspected real-time. Similarly, the list of files transferred and accessed in the encrypted protocols can be sent to aData Leakage Prevention (DLP) system.SCB can also send snmp alerts to 3rd party system monitoring tools. We’re working on to make SCB fully manageable by these third party system management solutions, such as HP OpenView or IBM Tivoli.Accountability audit reports are only as good as the logs that they collect. So if your cloud apps or legacy apps don’t generate logs, your audit reports will have gaps. SCB fills this gap by generating records for every app, even those with no internal logs! And these records add bulletproof evidence, via ties to video replay. It is possible to send these records to an external SIEM solution such as Arcsight or SPLUNK, to make more reliable forensics investigations possible.It offers a web-services based API for custom application integration or remote SCB configuration & management.SIEM / Log MgmtExact name to generic admin usersPassword mgnmtAugmented logsBetter sec. investigationsBetter Reporting
18Market drivers – Use cases ComplianceInternational standardsLocal legislationCompany policyDistrustMonitoring IT staffIT Outsource (SLA) controlVDI user controlOperational EfficiencyTroubleshooting & ForensicsCloud services monitoringBased on the previous showcase we can easily arrive to see what kind of market drivers we have related to SCB: regulations, company policies, forensics, IT partner management and sometimes general distrust in staff. These key words have in our customers’ mind and influence the buying process.Compliance: Pressure for compliance of local regulations and/or industry standards. (for example PCI specifies that every bank, merchants or government organization handling credit card data must audit admin activity, as well!)Company Policy enforcement: Enformcement of internal rules, company policies, security strategy (who, when, how, from where can access which resources?). Strict Security requirements are typical at big service providers (bank, telco, gov.) which manage sensitive data (personal files, credit card info, etc.)IT staff control: IT Admins are the most powerful users in IT systems with unrestricted acess rights. Controlling them is essential.Outsourcing partner control: Monitoring of 3rd party contractors or outsourcing partners (e.g. Hosting providers, remote admins, etc.) (e.g. Demonstration of the mistake of an external system admin) + SLA controlVDI clients control: control of average users' working sessions (for example in call centers there is a huge fluctuation – users must be carefully controlled or controlling of remote worker access is also a must in many companies)Forensics: Identifying and presenting evidences found in IT systems through a „legal” procedure (for example a quick investigation after an accidental misconfiguration)Cloud services monitoring: quick troubleshooting, handle accountability issues, SLA validation and comply with strict cloud security policies and standards.
20Licensing and Implementation Host based licensingProvided as appliance or virtual imageScalable up to 10TB for auditing „unlimimited” hostsHA optionImplementation and training: days7/24 vendor support (option)
21Conclusion Benefits for business Faster ROI Lower risk Faster and higher quality auditsLower troubleshooting and forensics costsCentralized authentication & access controlComplete solution for user monitoringLower riskImproved regulatory and industry complianceBetter employee/partner controlImproved accountability of staffBullet-proof evidence in legal proceedingsFast and quality audits: The highest quality of audit trail ensures that all the necessary information is findable through ad-hoc forensic analyses or pre-build report. Auditing your in- and out-bound traffics have never been easier and professional. Making all user activities exactly traceable by recording them in high quality, tamper-proof and confidential audit trails. Gathering all necessary information for reporting, troubleshooting or forensic situations.Lowering troublesh/Forensics costs: When something wrong happens everybody wants to know the real story. Analyzing text- based logs can be a nightmare and may call for the participation of external experts. The ability to easily reconstruct the actions taken in an exact timeframe allows companies to shorten investigation time and avoid unexpected cost.Central authentication and control: centrailized, strong authentication and access control point in your environment to improve security and reduce user administration costs.A complete solution for activity monitoring, eliminating the need for investment in 3rd party tools.Compliance audit is one of the most painful event in many companies. If the company doesn’t comply with the local or international regulations, company leaders – including top-level and financial directors – typically take the responsibility.Employee control: SCB audits, controls and records who, when and what have done e.g. in the financial or SAP system. Aware of this, the employees will do their work with greater sense of responsibility, so the number of human errors can be reduced. By having a tamper-proof activity record, accountability issues can also be eliminated.Bullet-proof evidence: If a disputed issue related to computer systems (e.g. data theft, external attack or employee sabotage) leads to legal proceedings, SCB helps in reconstructing events and providing evidence.21