* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Document
Survey
Document related concepts
Transcript
Maintain sensitive material securely Pēteris Kokovkins February 2010 Agenda BTG Overview Common Security Measures Internal Threats Overview Internal Threats Players Existing Security Solutions SysLog and Shell Control Box (BalaBit IT Security) NitroView and NitroGuard (NitroSecurity) Guardium (Guardium – IBM Company) Intellinx (Intellinx) – proactive Internal Fraud detection Recommendations February, 2010 2 BTG Overview U.S. corporation, BTG Systems, Inc. and Latvian company, Baltic Technology Group formed in May, 1991 Development centers in Riga and Daugavpils 17 years international IT services experience 200+ projects in the U.S., Europe, Middle East, S.E. Asia, Australia and New Zealand Successful on-site, offshore, nearshore and mixed development/support projects February, 2010 3 Common Security Measures Every Element is Secured… …Except for Authorized User Access Web Server FTP Server Mail Server DMZ WEB Application Server Database Server Mainframe LAN Firewall VPN Gateway Remote User February, 2010 Internal User Internal User Internal User 4 Internal Threats Overview Internal Threats Surfing the Web during work or after work hours USB data loss/E-mail attachment/Forum posting Laptop Theft Information Leakage IT Sabotage Insider Fraud February, 2010 5 Internal Threats Overview Top 10 Threats to Enterprise Security Source: IDC's 2007 Annual Security Survey of IT and security professionals February, 2010 6 Internal Threats Overview Internal Threats vs. External Threats Which Is More Common? 60 % of respondents 50 Internal Sources External Sources 40 About even 30 20 10 0 Small Medium Sized Large Very Large Company Size Source: IDC's Security Survey, 2006 February, 2010 7 Internal Threats Overview Information Leakage Statistics Source: InfoWatch Leak DB, beginning of 2009 February, 2010 8 Internal Threats Overview Internal Threats – A Critical Problem for Enterprises Remember - The perfect fraud is where victims are completely unaware they are victims! Average Cost of Fraud - 7% of annual revenues 60% of all fraud involves employees 60% of fraud is detected by tipping or by accident The average scheme goes on for 24 months prior to detection In 78% of the cases studied, the insiders were authorized users utilizing simple, legitimate user commands Source: The ACFE (Association of Certified Fraud Examiners) 2008 survey February, 2010 9 Internals Threat Overview Internal Threats – Elusive Nature There is not any product that can address all possible scenarios Hence organizations usually deploy different types of products for this purpose Each product tackles different aspects of the problem Network, Bypassing, End-Point content filtering Fraud Detection Log Aggregation February, 2010 10 Internal Threats Players Network Based Information Leakage Detection & Prevention Vericept, Vontu, Port Authority, Tablus, Reconnex, Zantaz, Fidelis Security, SurfControl, Websense, Tizor, NitroSecurity Desktop Based Information Leakage Detection & Prevention Verdasys, Orchestria, Oakley Networks, Control Guard, Safend, Onigma Fraud Detection solutions FairIsaac, SearchSpace, Mantas, Norkom, Actimize, Intellinx Database Security and Monitoring Solutions Lumigent, Guardium, DataMirror, Teleran, IPLocks, Tizor, Imperva Log Aggregation and Analysis Consul, Vanguard, SenSage, LogLogic, Memento, BalaBit February, 2010 11 SysLog and Shell Control Box BalaBit IT Security Syslog-ng - Central syslog server solution System logging application used by network devices like switches and routers, as well as servers, ideal for creating centralized and trusted logging solutions. Syslog - ng Open source Edition (OSE) Most popular and widespread logging application in the world, reliable message transferring using the TCP protocol, transfer messages securely using TLS, ability to send log messages directly to an SQL database, to control the flow of messages to handle minor server outages Syslog - ng Premium Edition (PE) advanced features of buffering the messages on the hard disk, storing messages in encrypted log files, reading messages from arbitrary files, support for MS Windows OS Syslog - ng Store Box (SSB) (It is built around syslog-ng PE) Complete turn- key logs management solution, Log collection, encrypted storage, automatic archiving and backups, Web interface February, 2010 12 SysLog and Shell Control Box BalaBit IT Security Shell Control Box (SCB) It is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails, All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation, The circumstances of the event are readily available in the audit trails and the incident can be easily identified, The recorded audit trails can be displayed like a movie, 4-eyes authorization and real-time monitoring of the audited connections two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys February, 2010 13 SysLog and Shell Control Box BalaBit IT Security Log aggregation limitations Do not capture user behaviour, Do not cover all applications, Typically do not include query transactions External Log analysis and log archiving February, 2010 14 NitroView and NitroGuard NitroSecurity NitroView ADM – real time application and protocol monitoring, full packet decode and inspection to layer 7 NitroView DBM - inspects data packets sent to databases, to detect rogue users and potential SQL injection attacks, generating alerts to email, SNMP, or to NitroView Enterprise Security manager for mitigation of suspicious database activity NitroView ELM - reliable and scalable log storage management and appliance, usable on its own or as a fully integrated component of the NitroView security platform NitroGuard IPS - purpose-built appliance, providing in-line protection on network connections up to 6 Gbps February, 2010 15 NitroView and NitroGuard NitroSecurity Technology & Architecture Special appliances with build in engines NitroEDB - a purpose-built database with very high performance Very fast collection of information Efficient compression and storage of information A real time access to the information NitroICE – Intelligent Content Extraction – solution of “information overload” Powerful monitoring capabilities Very high visibility NitroGuard – engine based on SNORT IPS technology Powerful custom IPS engine Invisible to Intruders Powerful library of custom SNORT IPS signatures February, 2010 16 NitroView and NitroGuard NitroSecurity Limitations Visibility on database session level only Hardware based limitations (e.g. Log size is not configurable and depends on appliance model) Lack of behaviour analysis February, 2010 17 Guardium Guardium – IBM Company Guardium, category of database security and monitoring solutions. Company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center Real-time database activity monitoring Policy based controls Anomaly detection Auditing & Compliance Creates a continuous, detailed audit trail of all DB activities, including the “who, what, when, where, and how” of each transaction Real time security alerts and blocking Automatically generates compliance reports Change control Tracks all DB changes DB structures (tables, triggers and stored procedures) Critical data values Security and access control objects (Users, roles and permissions) DB configuration files, shell scripts, OS files and executable programs Vulnerability management DB leak prevention – unlike other solutions, Guardian DLP solution addresses leakage at the data source February, 2010 18 Guardium Guardium - IBM Company Guardium limitations Visibility only to the results of the user actions as reflected in database access Have no visibility to the data that was actually displayed on the user screen or the user actions on the screen Have no visibility to user access to non-database data Track only updates (not read commands) in many cases – not enough for detecting information leakage In many cases user-ids are not tracked since generic user-ids are passed from the application to the database, so the information collected cannot be linked to a specific user February, 2010 19 Intellinx – Enterprise Fraud Prevention Leading provider of end-user surveillance solutions for detecting & preventing insider fraud and other types of fraud Data Capture Network sniffing: transactions, screens, intra-application messages, database access Log files and databases Reference Data Forensic Audit Trail “Google like” search on captured data, e.g. Who accessed a specific customer account in a specific timeframe? Captured data is encrypted and digitally signed - potentially admissible in court when needed Fraud Analytics Dynamic Profiling and scoring of various entities Customizable business rules Real-time alerts New rules may be applied after-the-fact Investigation Workbench and Case Management Manage Cases, Alerts and Incidents Flexible Reporting Control parameters of rules, profiles and scoring February, 2010 20 Intellinx – General Architecture Intellinx Users Auditors Compliance Officers •Visual replay •Reports •Alerts •Cases •Profiles •Google like search •Google like search Intellinx Functions Fraud Investigators Investigation Center & Case Manager Analytic Engine Search Engine Analyzed Data Visual Audit Trail Data Collector & Consolidator Monitored Environment Network Switch Existing Data Sources Mainframe External Users eBusiness customers • Databases Web Server Internal Users •Business User •Privileged IT User February, 2010 • Log Files AS 400 • Reference tables Client/ Server Database Server 21 The Intellinx Technology Agent-less network traffic sniffing No Impact on performance Highly scalable architecture Very short installation process (several hours), with no risk to normal IT operations Recordings stored in extremely condensed format Recording data is encrypted and digitally signed – potentially admissible in court when needed Sample Monitored Platforms: IBM Mainframe: 3270, MQ, LU0, LU6.2 IBM System i: 5250, MPTN Unisys: T27 Web: HTTP/ HTTPS Client/Server: TCP/IP, MQ Series, MSMQ, SMB Telnet, VT100, SSH Oracle (SQLNET), DB/2 (DRDA), MS SQL(TDS) SWIFT, FIX, ISO8583 (ATM), others February, 2010 22 The Deterrence Factor of Real-time Alerts A Credit Card Company Case Study Alerts on Celebrity Accounts Snooping 100 Alert# per Week 80 60 40 20 0 1 2 3 4 5 6 7 8 9 10 Weeks Rule implemented Security officers start calling on suspects February, 2010 First employee is laid off 23 Intellinx – Enterprise Fraud Prevention Intellinx limitations If layout of the data over the wire is proprietary, Intellinx cannot parse it (unless given access to the proprietary protocol) encrypted in a non standard way (unless given access to the encryption method) VPN (“non decryptic” – unless we tap beyond the VPN) Does not record any activity that runs on the employee's workstation but only access to the business applications (Some consider this is a privacy positive!) February, 2010 24 Recommendations Get proactive about internal threats Detecting internal threats and information leakage requires full visibility into user activity How? Move out of the “Silo” approach! Deploy User behaviour & link analysis Real time alerting After the event forensic Visual replay on user activity Non-invasive solution, mitigated risk, fast implementation Spend money to save costs! Why? Identify and resolve “issues” before they become costly Reduce exposure by shortening data breach investigations February, 2010 25 [email protected] www.btgsystems.com February, 2010 26