Les Assises 2015 - Why people are the most important aspect of IT security?

Balázs Scheidler, Founder & CTO

Uploaded by balabit, posted 18-Feb-2017

Agenda

Concept of CSI Platform

A case study of CSI Platform

About BalaBit

Product demo

About BalaBit

• 15 years in network security
• Global leader in privileged user monitoring and log management
• +30% annual growth in the last 5 years
• 1 million installations worldwide
• 23 of the „Fortune 100 List” members among clients
• Headcount: 200+, of which 60% developers and system engineers
• Global partner network: 100+ partners in 40+ countries

References (customer logos by industry: Telco / IT, Finance, Other industries)

Concept of CSI Platform

Security Lifecycle

• Based on static, known threats
• Build layers of access controls, policies and walls
• Use predefined patterns and rules to prevent access
• Respond to breaches with bigger walls and more controls

Cycle: Define → Prevent → Detect → Respond (access controls & policies)

Breaches continue…

„Retail giant Target confirmed that credit and debit card information for 40 million of its customers had been compromised.” – New York Times
The CEO and CIO left the company

„Sony Pictures Entertainment has been targeted by computer hackers in an attack which reports say forced it to shut down its systems…” – BBC
Costs estimated at $15-35m and growing

„Office of Personnel Management government data breach impacted 21.5 million people” – CNN
Director resigned

Advanced Persistent Threats and malware depend on privileged account hijacking

Cost and time to detect and resolve

• 90% of breaches went undetected for over 3 months
• 80% of breaches were unresolved after 3 months

Costs of a breach (total > $18 M), in $ millions:
  Technical support        2.5
  Lost productivity        3.14
  Revenue and disruption   3.02
  Brand and reputation     9.43

Source: IBM/Ponemon Institute

„The cost of data breaches has increased by 96 percent; the number of successful attacks has increased by 144 percent in the last four years.”

Source: HP State of Security Operations, 2015 report of capabilities and maturity of cyber defense organizations

Add security in context

• Baseline business as usual
• Gather intelligence on unusual user activities in real time
• Prioritize investigations based on deviation from the norm, and risk
• Get forensic-level visibility into activities
• Respond immediately

Cycle: Monitor users → Understand the norm → Identify risks → Investigate and prevent

A case study of CSI Platform

Background

• Large European enterprise
• Global operations
• Strict compliance regulations
  – Under financial regulations
  – US, Germany & Hong Kong
• No technology they didn't have
  – Mainframes, AS400, UNIX, Windows, Linux, …

IT operations

• External suppliers help in IT operations
  – Chunks of the infrastructure are outsourced completely
  – Other service providers have a more specific scope
• Control:
  – Traditional security gear (firewall, IPS, DLP, VPN, SIEM)
  – SLA
  – ITIL-style change management

Remote access

• Suppliers access the infrastructure remotely
  – Jumphost
    • Basically unrestricted access to data centers
  – VPN & VDI
    • Desktops are constrained by default
    • Broad access privileges also exist

Credentials

• Remote access credentials are assigned to suppliers, not individuals
• Credentials to internal systems are the responsibility of the suppliers
• No insight into supplier credential management
• No vetting of supplier personnel

Internal separation

• Internal separation of systems is weak
• Workstations are restricted, but there are no firewalls between servers/applications
• Unrestricted IP-level access is just a hop away

The project

Goals
• Establish direct controls over suppliers
• Visibility into daily operations
• Restrict access privileges, „need-to-know”
• Enforce change management

Project scope
• ~30-35k remote sessions per day
  – 85% SSH
  – 9% RDP
  – 6% telnet (tn3270, tn5250)

The zero line

• Traditional security gear does not give enough context
  – Firewall, IPS, VPN, DLP, SIEM
• Reasons
  1. They already have the privilege to pass
  2. Logs are not providing the necessary level of detail
  3. Complex sequences of actions cannot be reconstructed

First step

• Session recording was introduced

SCB: Immediate benefits

• Transparent setup:
  – All supplier sessions forced through
  – Without changing workflows, clients/servers (no agent)
• Forensic investigations
• Centralizing vendor authentication, credential management

4-eyes control (Authorizer, Auditor): real-time follow, enterprise integration

Real-time prevention

• Command detection, e.g. >scp financial.db or >cat cred
• Screen-content detection, e.g. a card number >1234 5678 9123 4567 appearing on screen
• Window-title detection

On a match, the content never reaches the other side.
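As an added illustration (not BalaBit's SCB code, which the deck does not show), the Python below models the inspect-and-block step of a session proxy: each client-to-server line is matched against command rules, each server-to-client line against a card-number pattern, and from the first hit onward nothing is forwarded. The rule names, the regular expressions, the Luhn check used to cut false positives on arbitrary digit runs, and both sample sessions are assumptions constructed for this example. A real proxy works on raw terminal bytes and has to handle line editing and screen redraws, which this line-oriented model skips.

```python
# Added example (not BalaBit SCB code): real-time content inspection of a
# proxied terminal session. Rule names, patterns and the sample sessions are
# assumptions made for this illustration.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Command rules, applied to lines the client sends to the server.
COMMAND_RULES = [
    ("exfil-db", re.compile(r"^\s*scp\b.*\.db\b")),      # e.g. "scp financial.db ..."
    ("cred-read", re.compile(r"^\s*cat\s+\S*cred\S*")),  # e.g. "cat cred", "cat ~/.credentials"
]

# Screen-content rule, applied to lines the server sends back: 13-19 digits,
# optionally separated by spaces or dashes, as a payment card number would be.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out build numbers, ticket IDs and similar
    digit runs so that not every 16-digit string kills a session."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def match_rule(direction: str, line: str) -> Optional[str]:
    """Return the name of the first rule that fires on this line, else None."""
    if direction == "c2s":
        for name, pattern in COMMAND_RULES:
            if pattern.search(line):
                return name
    elif direction == "s2c":
        for m in CARD_RE.finditer(line):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                return "card-number-on-screen"
    return None


@dataclass
class Verdict:
    action: str                       # "forward" or "terminate"
    rule: Optional[str] = None        # rule that fired, if any
    line_no: Optional[int] = None     # 1-based index of the offending line
    forwarded: List[str] = field(default_factory=list)  # what the peer actually saw


def inspect_session(events: List[Tuple[str, str]]) -> Verdict:
    """Inline inspection: lines are forwarded one by one until a rule fires;
    the offending line and everything after it never reach the other side."""
    verdict = Verdict(action="forward")
    for n, (direction, line) in enumerate(events, start=1):
        rule = match_rule(direction, line)
        if rule is not None:
            verdict.action, verdict.rule, verdict.line_no = "terminate", rule, n
            return verdict
        verdict.forwarded.append(line)
    return verdict


# Constructed sample sessions (not captured traffic).
EXFIL_SESSION = [
    ("c2s", "ls -la /var/lib/app"),
    ("s2c", "total 12  drwxr-xr-x 2 app app 4096 Oct  5 09:12 ."),
    ("s2c", "build 1234-5678-9123-4567 finished"),            # digit run, fails Luhn: forwarded
    ("c2s", "scp financial.db supplier-host.example:/tmp/"),  # command rule fires here
    ("s2c", "financial.db   100%  2048KB"),                   # never forwarded
]
SCREEN_SESSION = [
    ("c2s", "cat /opt/app/config.ini"),
    ("s2c", "card=4111 1111 1111 1111"),  # Luhn-valid test number: screen rule fires
]

if __name__ == "__main__":
    for name, session in (("exfil", EXFIL_SESSION), ("screen", SCREEN_SESSION)):
        v = inspect_session(session)
        print(f"{name}: {v.action} rule={v.rule} at line {v.line_no}, "
              f"{len(v.forwarded)} line(s) forwarded")
```

The Luhn gate is a deliberate trade-off: the constructed `1234-5678-9123-4567` in the sample output is not Luhn-valid and is forwarded, while `4111 1111 1111 1111` stops the session. A proxy that cuts every session on any 16-digit build number is unusable, so precision matters more here than in an offline alert.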

Review of the audit trails

• Due to the internal and external regulations, audit trails need to be reviewed
  – Some in real time using 4-eyes
  – Others later

How to review?

• Which parts of the audit trails are the most interesting?
• How to choose which vendors should be reviewed?
• Which solution is significantly better than random sampling?

Second step: adding Behavior Analytics

What is behavior?

„Behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli” – Daniel A. Levitis, PhD in Integrative Biology

What could be the elements of digital behavior?
• Typical time of logging in
• Typing speed
• Screen resolution
• Range of accessed servers and applications
• Activities performed: commands, screen content

User behavior in practice

The solution: Blindspotter

User Behavior Analytics shows:
• Who are the most risky users?
• What are the biggest anomalies?
• Which activities are the most critical?
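As an added example (not Blindspotter's code, which the deck does not show), the Python below turns the behaviour elements listed above into a per-user baseline and ranks a day's sessions by deviation from it; this ordering is what replaces random sampling when picking audit trails to review. The field names, the weights, the ±2-hour login window, the four-standard-deviation typing cap and every session record are assumptions constructed for this example.

```python
# Added example (not Blindspotter code): a per-user behaviour baseline and an
# anomaly score built from the behaviour elements listed on the slides.
# Field names, weights, thresholds and all session records are assumptions.
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history of past sessions for two supplier accounts
# (hour = login hour, cpm = typing speed in characters per minute).
HISTORY = [
    {"user": "vendor-a", "hour": 9,  "cpm": 210, "res": "1920x1080", "servers": {"db01", "app01"},  "cmds": {"ls", "tail", "systemctl"}},
    {"user": "vendor-a", "hour": 10, "cpm": 195, "res": "1920x1080", "servers": {"app01"},          "cmds": {"ls", "tail"}},
    {"user": "vendor-a", "hour": 9,  "cpm": 220, "res": "1920x1080", "servers": {"db01"},           "cmds": {"ls", "psql"}},
    {"user": "vendor-a", "hour": 11, "cpm": 205, "res": "1920x1080", "servers": {"app01", "app02"}, "cmds": {"tail", "systemctl"}},
    {"user": "vendor-b", "hour": 14, "cpm": 330, "res": "1280x1024", "servers": {"mf01"},           "cmds": {"dir"}},
    {"user": "vendor-b", "hour": 15, "cpm": 340, "res": "1280x1024", "servers": {"mf01"},           "cmds": {"dir"}},
    {"user": "vendor-b", "hour": 13, "cpm": 325, "res": "1280x1024", "servers": {"mf01", "mf02"},   "cmds": {"dir"}},
]

# Constructed sessions from "today" that the reviewer has to choose from.
TODAY = [
    {"user": "vendor-a", "hour": 10, "cpm": 200, "res": "1920x1080", "servers": {"app01"},         "cmds": {"ls", "tail"}},
    {"user": "vendor-a", "hour": 3,  "cpm": 90,  "res": "1024x768",  "servers": {"db01", "hr-db"}, "cmds": {"scp", "ls"}},
    {"user": "vendor-b", "hour": 14, "cpm": 335, "res": "1280x1024", "servers": {"mf01"},          "cmds": {"dir"}},
]

# Assumed weights; they must sum to 1 so the risk stays in [0, 1].
WEIGHTS = {"time": 0.15, "typing": 0.25, "servers": 0.30, "commands": 0.20, "resolution": 0.10}


def build_baselines(history: List[dict]) -> Dict[str, dict]:
    """Summarise each user's past sessions: login hours, typing-speed mean and
    spread, and the resolutions, servers and commands seen so far."""
    by_user = defaultdict(list)
    for s in history:
        by_user[s["user"]].append(s)
    baselines = {}
    for user, sessions in by_user.items():
        cpms = [s["cpm"] for s in sessions]
        baselines[user] = {
            "hours": [s["hour"] for s in sessions],
            "cpm_mean": mean(cpms),
            "cpm_sd": max(pstdev(cpms), 1.0),   # floor avoids division by zero
            "res": {s["res"] for s in sessions},
            "servers": set().union(*(s["servers"] for s in sessions)),
            "cmds": set().union(*(s["cmds"] for s in sessions)),
        }
    return baselines


def hour_distance(a: int, b: int) -> int:
    """Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def novelty(seen_now: set, seen_before: set) -> float:
    """Share of this session's items the user has never touched before."""
    return len(seen_now - seen_before) / len(seen_now) if seen_now else 0.0


def score_session(session: dict, baseline: dict) -> Tuple[float, Dict[str, float]]:
    """Return (risk, components); every component is in [0, 1]."""
    hist = baseline["hours"]
    comps = {
        # share of past logins more than 2 hours away from this one
        "time": sum(1 for h in hist if hour_distance(h, session["hour"]) > 2) / len(hist),
        # typing-speed z-score, saturating at 4 standard deviations
        "typing": min(abs(session["cpm"] - baseline["cpm_mean"]) / baseline["cpm_sd"] / 4.0, 1.0),
        "servers": novelty(session["servers"], baseline["servers"]),
        "commands": novelty(session["cmds"], baseline["cmds"]),
        "resolution": 0.0 if session["res"] in baseline["res"] else 1.0,
    }
    risk = round(sum(WEIGHTS[k] * comps[k] for k in WEIGHTS), 3)
    return risk, comps


def rank_for_review(sessions: List[dict], baselines: Dict[str, dict]) -> List[tuple]:
    """Order sessions so the reviewer sees the largest deviations first instead
    of sampling at random; an account with no baseline gets the maximum score."""
    ranked = []
    for s in sessions:
        if s["user"] not in baselines:
            ranked.append((1.0, s["user"], {"note": "no baseline"}))
            continue
        risk, comps = score_session(s, baselines[s["user"]])
        ranked.append((risk, s["user"], comps))
    return sorted(ranked, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for risk, user, comps in rank_for_review(TODAY, build_baselines(HISTORY)):
        print(f"{risk:5.3f}  {user}  {comps}")
```

On the constructed data the 03:00 session of vendor-a, with a new screen resolution, a typing speed far below the account's norm, a server and a command never seen before, comes out on top with a risk of 0.75, while both routine sessions score below 0.06. Two sessions of the same shared supplier account are scored independently, which is exactly the case the case study cares about: credentials assigned to a supplier rather than a person still yield a per-account behavioural fingerprint.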

Product demo

Demo screen elements: System Logs, Application Logs, Activity Monitoring, User Directory, Threat Management Cockpit, API, Video Replay, Risk Landscape, Search, Report, User Behavior Analytics

Thank you!