BalaBit Shell Control Box

Presentation transcript:

BalaBit Shell Control Box New Concept for Privileged User Monitoring

Agenda Market challenges User Monitoring by BalaBit Conclusion

BalaBit IT Security, „The syslog-ng company”. 2011 revenue: $10.3 M (35% annual growth). Number of employees: 120. Number of customers, global: commercial customers: 800; open source users: 850.000. 12 years of experience in IT security. Global partner network, 80+ partners in 30+ countries. Listed on the Deloitte Technology Fast 500 and Fast 50 (2010).

External Challenges: Security Breaches. The market challenge can be seen in the news almost every day. There are too many security blind spots that allow users, especially privileged users, to access your sensitive data or negatively impact your network. It happens even at many of the largest and most tightly managed organizations, such as Fannie Mae and Bank of New York… and this is because… THERE ARE SIMPLY TOO MANY BLIND SPOTS OF USER ACTIONS THAT ARE NOT AUDITED.

External Challenges: Compliance Pressure to Monitor Users. SOX → COBIT DS5.5 Security monitoring, DS9.2 Configuration changes, DS11.6 Securing data. PCI-DSS Chapters 7 and 8 Implement strong access control, Chapter 10 Audit access to cardholder data, Chapter 12 Maintain a security policy for personnel. ISO27002 A.10.2 Third-party service management, A.10.10 Monitoring user activities, A.13.2 Management of security incidents. HIPAA, Basel II, GPG13… Similar requirements! The ability to monitor user activity and resource access has become part of the standard of due care for a wide variety of regulations across many industry segments. A few examples:
• COBIT is the underlying control framework for Sarbanes-Oxley. The COBIT controls for security monitoring, change management and securing data require the ability to monitor user activity and resource access.
• The payment card industry (PCI) data security standard (DSS) references a need to audit access to cardholder data and the need to implement an access control system.
• ISO27001 references controls for monitoring system use, controls for system administration and operations, and the management of security incidents. The U.K. Government Code of Connection references security requirements that are adapted from ISO27001 and monitoring requirements from Good Practice Guide 13 (GPG13).

Internal Challenges: Uncontrolled „Superuser” Access. (Slide diagram: IT staff, outsourcing partners, managers and VDI users reach the firewall, network devices, databases, web/file servers and Citrix server over SSH, HTTP, Telnet, RDP, VNC and Citrix. UNLIMITED AND UNCONTROLLED ACCESS!!! Control limitations of FWs. Too complex environments.) System administrators and other “superusers” are the most privileged users in a company’s IT environment. They have very high or even unrestricted access rights on operating systems, databases and application layers as well. Having superuser privileges on servers, administrators can directly access and manipulate the company’s sensitive information, such as financial or CRM data, personnel records or credit card numbers. Furthermore, several administrators typically access the same privileged account, sharing the account password, which from that point on can no longer be treated as secure. Consequently, it is very hard to answer the question “who accessed what?” and even more difficult to provide proof of any misuse. In addition, there are access control gaps in the firewalls: a firewall can only allow or block a connection, with no possibility for granular control of user access, and there are certain traffic types that the firewall cannot control at all, e.g. outbound traffic or in-house traffic. In large enterprise environments there can be a huge number of servers administered by hundreds or thousands of system administrators. Their activity simply cannot be traced or controlled.

Internal Challenges: „Superuser” Fraud. BalaBit IT Security surveyed more than 200 IT professionals; the key findings are below. Top 6 list of prohibited activities in the workplace among IT staff:
1. 54% of those interviewed said that they had already downloaded illegal content in their workplace
2. 48% of them answered that they had made exception rules in the firewall or in other IT systems for personal purposes, to get around the IT policy
3. 29% of them “have taken home” company details
4. 25% have looked into confidential files stored on the company’s server (e.g. list of salaries)
5. 16% have read their colleagues’ email (without the colleague’s permission)
6. 15% have already deleted or modified log files (in order to hide or destroy evidence)
Source: BalaBit IT professionals survey, 2011

Logging is not enough… 1. Several security events are not logged! 2. Logs typically do not show what was done. 3. Logs often show only obscure technical details. So, where do these blind spots come from? Well, most activity logging acts like fingerprint forensics at a crime scene. DB logs and system logs show the results of what the user did, but then you need to backtrack from this arcane evidence and figure out what it means and how it got there. What’s worse… there are many, many apps (especially cloud apps and legacy software) that don’t produce any logs at all! In addition, administrators can easily erase the traces of their actions from these logs!!! User Activity Monitoring is different. It acts like a security camera, showing the actual user actions. And it captures every activity in apps that don’t produce their own logs.

Key questions to answer… Can you ensure the accountability of your IT staff? Can you monitor the actions of your „superusers”? Can you reliably control your outsourcing partners? Do you really know „who accesses what” on servers? Can you conduct quick and cheap audits at your company? Can you present bullet-proof evidence in legal proceedings? Are you sure you’d pass audits concerning user monitoring? If you cannot give comforting answers to these questions, then you probably need to think about a possible solution to these challenges…

Privileged Activity Monitoring by Shell Control Box. (Slide diagram: IT staff, outsourcing partners, managers and VDI users connect over SSH, HTTP, Telnet, RDP, VNC and Citrix; Shell Control Box sits between them and the firewall, network devices, databases, web/file servers, Citrix server…) Controls, monitors, records, audits, reports and analyzes all widely used remote connections to your critical IT assets.

Privileged Activity Monitoring by BalaBit Shell Control Box. Shell Control Box (SCB) is an appliance that controls privileged access to remote systems and records the activities into searchable and replayable movie-like audit trails. SCB is a network security tool that is able to audit and control remote server administration at the protocol level. It is an independent network device which sits between the administrator and the servers and inspects network traffic. SCB is able to authenticate and control the users when they access servers. All the traffic details are stored in audit-trail files which can be replayed like watching a movie. It helps you answer the question of who did what and when on your critical servers.
Authentication: an ADDITIONAL AUTHENTICATION LAYER for your IT environment! (key features: password management, strong authentication, integration with user directories (AD/LDAP, etc.))
Access control: it is actually an access control device which can restrict privileged users’ access to servers. It is a GRANULAR ACCESS POLICY ENFORCEMENT POINT in your IT systems! (key features: central access control gateway, multi-protocol support (SSH, RDP, VNC, Telnet, Citrix, etc.), access by time policy, 4-eyes authorization, real-time access monitoring)
Real-time alerting and blocking: IMMEDIATE REACTION ON CRITICAL EVENTS! (key features: logging (syslog, SIEM/DLP/IDS integration), SNMP & email alerts, alerts for monitoring tools, alerts for supervisors, terminates the session on a risky action)
Forensics & audit: by auditing all the accesses it is possible to conduct ad-hoc forensic analysis and gather information on user activities. It can be a login, file access, file transfer, launching a program, stopping a service and so on. Even more, you can search in the audit trails: for a command or for any text appearing on the screen. (key features: real-time activity monitoring, tamper-proof, HQ audit trails, movie-like playback & search, file transfer audit, independent, transparent audit device)
Reporting: customizable reports, compliance reports (PCI), activity reports

Authentication. Key Benefit: ADDITIONAL AUTHENTICATION LAYER! Security & compliance benefits: Integration with user directories (AD, LDAP, etc.); Shared account personalization; Strong, central authentication; Password management; Independent authentication of SCB admins and auditors.

Access Control. Key Benefit: GRANULAR ACCESS POLICY ENFORCEMENT! Security & compliance benefits: Central access control gateway; Multi-protocol support (SSH, RDP, VNC, Telnet, Citrix, etc.); Sub-channel control (e.g. file transfer); Access by time policy; 4-eyes authorization; Real-time access monitoring.

Real-time alerting (& blocking). Key Benefit: IMMEDIATE REACTION ON CRITICAL EVENTS! Security & compliance benefits: Alerts for monitoring tools; Alerts for supervisors. Coming in Q4 2012: Terminates the session on a risky action; Risky actions are customizable (e.g. failed login, program execution, credit card number…). The alerting feature will be ready in summer 2012 for SSH and later in 2012 for the graphical implementation as well. Session termination on a risky action: emphasize that we are working on this feature now and it will be implemented in 2012.
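The slide lists failed login, program execution and a credit card number on screen as customizable risky actions, with alerting or session termination as the reaction. As an added example (not BalaBit or SCB code, and not a description of how SCB implements its rules), the Python below models that inspection over a constructed session transcript: a failed login only raises an alert, a program from a hypothetical blocked list or a Luhn-valid card number terminates the session, and inspection stops at the first terminating event because the connection would be cut there. The rule set, the blocked-program list and the sample lines are all invented for the example; the Luhn filter is there so that an arbitrary 16-digit run (an order number, a session id) does not cut an admin off.

```python
"""Constructed example of real-time risky-action inspection on a recorded
admin session. Not BalaBit/SCB code; rules, blocked programs and the
sample session lines are invented for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    line_no: int   # 1-based position in the session stream
    rule: str      # which policy rule fired
    action: str    # "alert" (notify, keep going) or "terminate" (cut session)
    evidence: str  # what matched, redacted where it is sensitive


# Hypothetical policy: running any of these ends the session. Wiping the
# auth log is the "hide the evidence" case from the survey slide above.
BLOCKED_PROGRAMS = ("shred ", "history -c", "rm -rf /var/log")

# Typical server/client strings for a failed SSH authentication.
FAILED_LOGIN_RE = re.compile(r"Failed password for|Permission denied, please try again")

# 13-19 digits, optionally separated by single spaces or dashes; the Luhn
# check below filters out random digit runs that merely look like a PAN.
PAN_CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for the 4111111111111111 test number,
    false for 1234567890123456."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit strings in `text` that pass both the shape and the Luhn test."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_pan(digits: str) -> str:
    """Keep BIN and last four only, so the alert itself does not leak the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def inspect_session(lines: list[str]) -> tuple[str, list[Event]]:
    """Walk the stream in order. The first 'terminate' event ends inspection,
    mirroring a gateway that cuts the connection at that point, so later
    lines never reach the server."""
    events: list[Event] = []
    for no, line in enumerate(lines, start=1):
        if FAILED_LOGIN_RE.search(line):
            events.append(Event(no, "failed_login", "alert", line.strip()))
        for prog in BLOCKED_PROGRAMS:
            if prog in line:
                events.append(Event(no, "blocked_program", "terminate", prog.strip()))
        for pan in find_pans(line):
            events.append(Event(no, "pan_on_screen", "terminate", redact_pan(pan)))
        if any(e.action == "terminate" for e in events):
            return "terminated", events
    return "completed", events


# Constructed transcript: one failed login, then a card number scrolls past,
# then (never reached, the session is already cut) a log wipe.
SAMPLE_SESSION = [
    "$ ssh dbadmin@db01.example.internal",
    "Permission denied, please try again.",
    "dbadmin@db01:~$ mysql -e 'select card_no from payments limit 1'",
    "4111 1111 1111 1111",
    "dbadmin@db01:~$ shred -u /var/log/auth.log",
]

if __name__ == "__main__":
    verdict, evs = inspect_session(SAMPLE_SESSION)
    print(verdict)
    for e in evs:
        print(f"line {e.line_no}: {e.rule} -> {e.action} ({e.evidence})")
```

Running it reports the session as terminated at line 4 with two events (the alert from line 2 and the PAN from line 4); line 5 is never inspected. A real gateway would also emit each event to syslog or SNMP, as the slides describe, which is where the redaction matters.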

Audit & Forensics. Key Benefit: INDEPENDENT TOOL FOR QUICK AUDITS & FORENSICS! Security & compliance benefits: Real-time activity monitoring; Tamper-proof, HQ audit trails; Movie-like playback & search; File transfer audit; Independent, transparent audit device.
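The value of this slide, and of the earlier point that administrators can erase their traces from ordinary logs, depends on the audit trail being tamper-evident and searchable. As an added illustration (not BalaBit or SCB code, and not SCB's on-disk format), the Python below chains records with an HMAC whose key stays on the audit device rather than on the audited server, so an admin who can edit the stored file cannot recompute valid tags; `verify()` then names the first bad record. It also shows the caveat a practitioner should know: a chain alone does not detect truncation at the tail, which is why the latest tag should be anchored off-box, for instance in the SIEM the integration slide mentions. The record layout, key and sample records are constructed for the example.

```python
"""Constructed example of a tamper-evident, searchable audit trail.
Not BalaBit/SCB code: layout, HMAC chaining and sample records are invented."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Record:
    seq: int      # position in the trail; a gap means a deleted record
    ts: str       # when (constructed ISO 8601 timestamps below)
    user: str     # who (the real person, not the shared account)
    target: str   # where (server the gateway proxied the session to)
    text: str     # what (command or screen text the gateway captured)
    prev: str     # tag of the previous record: the chain link
    tag: str      # HMAC over all fields above


GENESIS = "0" * 64  # "previous tag" of the very first record


def _tag(key: bytes, seq: int, ts: str, user: str, target: str, text: str, prev: str) -> str:
    payload = json.dumps([seq, ts, user, target, text, prev], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only trail keyed with a secret that lives on the audit device."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[Record] = []

    def append(self, ts: str, user: str, target: str, text: str) -> Record:
        seq = len(self.records)
        prev = self.records[-1].tag if self.records else GENESIS
        rec = Record(seq, ts, user, target, text, prev,
                     _tag(self._key, seq, ts, user, target, text, prev))
        self.records.append(rec)
        return rec

    def verify(self, expected_head: Optional[str] = None) -> tuple[bool, int]:
        """(True, n) if all n records chain correctly and, when given, the
        last tag equals the off-box anchored head; otherwise (False, index
        of the first record that fails)."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            expected = _tag(self._key, r.seq, r.ts, r.user, r.target, r.text, r.prev)
            if r.seq != i or r.prev != prev or not hmac.compare_digest(r.tag, expected):
                return False, i
            prev = r.tag
        if expected_head is not None and prev != expected_head:
            return False, len(self.records)  # tail was cut off
        return True, len(self.records)

    def search(self, needle: str) -> list[Record]:
        """Search for a command or any text that appeared on the screen."""
        return [r for r in self.records if needle in r.text]


def build_sample_trail() -> AuditTrail:
    """Constructed records: three commands by one admin on one server."""
    trail = AuditTrail(key=b"constructed-demo-key-keep-off-the-server")
    trail.append("2012-06-01T09:00:00Z", "alice", "db01", "sudo -i")
    trail.append("2012-06-01T09:00:12Z", "alice", "db01", "cat /etc/shadow")
    trail.append("2012-06-01T09:00:30Z", "alice", "db01", "rm /var/log/auth.log")
    return trail


def tamper_demo() -> dict:
    """Show which manipulations the chain catches, and where it points."""
    results = {}
    original = build_sample_trail()
    head = original.records[-1].tag  # anchored off-box, e.g. forwarded to the SIEM
    results["intact"] = original.verify(head)

    edited = build_sample_trail()    # admin rewrites what they ran
    edited.records[1] = replace(edited.records[1], text="cat /etc/hostname")
    results["edited"] = edited.verify()

    gapped = build_sample_trail()    # admin removes a record from the middle
    del gapped.records[1]
    results["deleted_middle"] = gapped.verify()

    truncated = build_sample_trail()  # admin drops the last record
    del truncated.records[-1]
    results["truncated_unanchored"] = truncated.verify()      # chain alone: passes
    results["truncated_anchored"] = truncated.verify(head)    # anchored head: caught
    return results


if __name__ == "__main__":
    for name, (ok, idx) in tamper_demo().items():
        print(f"{name}: {'ok' if ok else 'TAMPERED at record ' + str(idx)}")
    print([r.text for r in build_sample_trail().search("/var/log")])
```

The two truncation results are the point: `verify()` with no anchor accepts the shortened trail, while `verify(head)` rejects it. Any real deployment therefore needs the current head (or a record count) stored somewhere the audited administrators cannot reach.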

Reporting. Key Benefit: GRANULAR ACCESS REPORTS TO HELP COMPLIANCE! Security & compliance benefits: Activity reports (e.g. failed logins, admin commands, etc.); Customizable reports; Advanced statistics; Compliance reports (PCI) (coming in Q4 2012!) <<<PCI compliance reports: emphasize that we are working on this feature now and it will be implemented in summer 2012>>>

SCB in the Compliance & Security Environment. (Slide diagram: alerts; central management; encrypted traffic analysis; IDS; systems management; API: integration with 3rd party applications, remote search and management; password management; SIEM / log management: exact name for generic admin users, augmented logs, better security investigations, better reporting.) SCB can smoothly integrate into your heterogeneous IT environment, including your existing security environment. SCB fits into your security environment by removing its blind spots. In addition to storing credentials locally, SCB integrates smoothly with Enterprise Random Password Manager (ERPM), Lieberman Software’s privileged identity management solution. That way, the passwords of the target servers can be managed centrally using ERPM, while SCB ensures that the protected servers can be accessed only via SCB, since the users do not know the passwords required for direct access. SCB can also remove the encryption from the traffic and forward the unencrypted traffic to an Intrusion Detection System (IDS), making it possible to analyze the contents of the encrypted traffic. That way, traffic that was so far inaccessible to IDS analysis can be inspected in real time. Similarly, the list of files transferred and accessed in the encrypted protocols can be sent to a Data Leakage Prevention (DLP) system. SCB can also send SNMP alerts to 3rd party system monitoring tools. We are working on making SCB fully manageable by these third-party system management solutions, such as HP OpenView or IBM Tivoli. Accountability audit reports are only as good as the logs that they collect. So if your cloud apps or legacy apps don’t generate logs, your audit reports will have gaps. SCB fills this gap by generating records for every app, even those with no internal logs! And these records add bulletproof evidence, via ties to video replay. It is possible to send these records to an external SIEM solution such as ArcSight or Splunk, to make more reliable forensic investigations possible. It offers a web-services based API for custom application integration or remote SCB configuration & management.

Market drivers – Use cases. Compliance: international standards, local legislation, company policy. Distrust: monitoring IT staff, IT outsource (SLA) control, VDI user control. Operational efficiency: troubleshooting & forensics, cloud services monitoring. Based on the previous showcase we can easily see what kind of market drivers we have related to SCB: regulations, company policies, forensics, IT partner management and sometimes general distrust in staff. These keywords are in our customers’ minds and influence the buying process.
Compliance: pressure for compliance with local regulations and/or industry standards (for example, PCI specifies that every bank, merchant or government organization handling credit card data must audit admin activity as well!)
Company policy enforcement: enforcement of internal rules, company policies and security strategy (who, when, how and from where can access which resources?). Strict security requirements are typical at big service providers (bank, telco, government) which manage sensitive data (personal files, credit card info, etc.)
IT staff control: IT admins are the most powerful users in IT systems, with unrestricted access rights. Controlling them is essential.
Outsourcing partner control: monitoring of 3rd party contractors or outsourcing partners (e.g. hosting providers, remote admins, etc.) (e.g. demonstrating the mistake of an external system admin) + SLA control
VDI client control: control of average users’ working sessions (for example, in call centers there is huge fluctuation, so users must be carefully controlled; controlling remote worker access is also a must in many companies)
Forensics: identifying and presenting evidence found in IT systems through a „legal” procedure (for example, a quick investigation after an accidental misconfiguration)
Cloud services monitoring: quick troubleshooting, handling accountability issues, SLA validation and complying with strict cloud security policies and standards.

References

Licensing and Implementation. Host-based licensing. Provided as an appliance or virtual image. Scalable up to 10TB for auditing „unlimited” hosts. HA option. Implementation and training: 2-4 days. 24/7 vendor support (option).

Conclusion. Benefits for business. Faster ROI: faster and higher quality audits; lower troubleshooting and forensics costs; centralized authentication & access control; complete solution for user monitoring. Lower risk: improved regulatory and industry compliance; better employee/partner control; improved accountability of staff; bullet-proof evidence in legal proceedings.
Fast and quality audits: the highest quality of audit trail ensures that all the necessary information can be found through ad-hoc forensic analysis or pre-built reports. Auditing your inbound and outbound traffic has never been easier or more professional. Making all user activities exactly traceable by recording them in high-quality, tamper-proof and confidential audit trails. Gathering all necessary information for reporting, troubleshooting or forensic situations.
Lowering troubleshooting/forensics costs: when something goes wrong, everybody wants to know the real story. Analyzing text-based logs can be a nightmare and may call for the participation of external experts. The ability to easily reconstruct the actions taken in an exact timeframe allows companies to shorten investigation time and avoid unexpected cost.
Central authentication and control: a centralized, strong authentication and access control point in your environment to improve security and reduce user administration costs. A complete solution for activity monitoring, eliminating the need for investment in 3rd party tools.
Compliance audit is one of the most painful events in many companies. If the company doesn’t comply with the local or international regulations, company leaders, including top-level and financial directors, typically take the responsibility.
Employee control: SCB audits, controls and records who did what and when, e.g. in the financial or SAP system. Aware of this, employees will do their work with a greater sense of responsibility, so the number of human errors can be reduced. By having a tamper-proof activity record, accountability issues can also be eliminated.
Bullet-proof evidence: if a disputed issue related to computer systems (e.g. data theft, external attack or employee sabotage) leads to legal proceedings, SCB helps in reconstructing events and providing evidence.

Thank You!