Balázs Scheidler, co-founder and CTO of BalaBit, holds a presentation about the importance of privileged users in IT security. He introduces BalaBit's approach to people-centric security: a strategic approach to information security that emphasizes individual accountability and trust. It de-emphasizes restrictive, preventive security controls, while making the monitoring of user activities a fundamental element.
Mr. Scheidler showcases how Blindspotter, BalaBit's UBA (User Behavior Analytics) solution, cooperates with its Privileged Activity Monitoring tool, Shell Control Box, and how together they provide an effective defense against Advanced Persistent Threats. A live demo of how an APT attack would be prevented is also part of the presentation.
2. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo
4. About BalaBit
15 years in network security
Global leader in privileged user monitoring and log management
+30% annual growth in the last 5 years
1 million installations worldwide
23 of the "Fortune 100 List" members among clients
Headcount: 200+, of which 60% developers and system engineers
Global partner network: 100+ partners in 40+ countries
6. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo
7. Security Lifecycle
• Based on static, known threats
• Build layers of access controls, policies and walls
• Use predefined patterns and rules to prevent access
• Respond to breaches with bigger walls and more controls
Diagram: a cycle of Define, Prevent, Detect, Respond, built around access controls & policies.
8. Breaches continue…
"Retail giant Target confirmed that credit and debit card information for 40 million of its customers had been compromised." – New York Times
The CEO and CIO left the company
"Sony Pictures Entertainment has been targeted by computer hackers in an attack which reports say forced it to shut down its systems…" – BBC
Costs estimated at $15-35m and growing
"Office of Personnel Management government data breach impacted 21.5 million people" – CNN
Director resigned
Advanced Persistent Threats and malware depend on privileged account hijacking
9. Cost and time to detect, resolve
90% of breaches went undetected for over 3 months
80% of breaches were unresolved after 3 months
Costs (> $18 mm), breakdown from the chart (values in $ mm, labels and values paired in slide order):
Technical support: 2.5
Lost productivity: 3.14
Revenue and disruption: 3.02
Brand and reputation: 9.43
Source: IBM/Ponemon Institute
"The cost of data breaches has increased by 96 percent; the number of successful attacks has increased by 144 percent in the last four years."
Source: HP State of security operations, 2015 report of capabilities and maturity of cyber defense organizations
10. Add security in context
• Baseline business as usual
• Gather intelligence on unusual user activities in real-time
• Prioritize investigations based on deviation from the norm, and risk
• Get forensic-level visibility into activities
• Respond immediately
Diagram: a cycle of Monitor users, Understand the norm, Identify risks, Investigate and prevent.
11. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo
12. Background
• Large European enterprise
• Global operations
• Strict compliance regulations
  – Under financial regulations
  – US, Germany & Hong Kong
• No technology they didn't have
  – Mainframes, AS400, UNIX, Windows, Linux, …
13. IT operations
• External suppliers help in IT operations
  – Chunks of the infrastructure are outsourced completely
  – Other service providers have a more specific scope
• Control:
  – Traditional security gear (firewall, IPS, DLP, VPN, SIEM)
  – SLA
  – ITIL-style change management
14. Remote access
• Suppliers access the infrastructure remotely
  – Jumphost: basically unrestricted access to data centers
  – VPN & VDI: desktops are constrained by default, but broad access privileges also exist
15. Credentials
• Remote access credentials are assigned to suppliers, not individuals
• Credentials to internal systems are the responsibility of the suppliers
• No insight into supplier credential management
• No vetting of supplier personnel
16. Internal separation
• Internal separation of systems is weak
• Workstations are restricted, but there are no firewalls between servers/applications
• Unrestricted IP-level access is just a hop away
17. The project
Goals
• Establish direct controls over suppliers
• Visibility into daily operations
• Restrict access privileges, "need-to-know"
• Enforce change management
18. Project scope
• ~30-35k remote sessions per day
  – 85% SSH
  – 9% RDP
  – 6% telnet (tn3270, tn5250)
19. The zero line
• Traditional security gear does not give enough context
  – Firewall, IPS, VPN, DLP, SIEM
• Reasons
  1. They already have the privilege to pass
  2. Logs do not provide the necessary level of detail
  3. Complex sequences of actions cannot be reconstructed
24. Real-time prevention (demo slide)
Detection types shown: command detection, screen-content detection, window-title detection.
Example strings on the slide: `1234 5678 9123 4567`, `scp financial.db`, `cat cred`.
Matching content never reaches the other side.
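The slide shows the behaviour, not the mechanism. The following is an added example, not BalaBit's or Shell Control Box's code or policy format: a minimal model of a session proxy that inspects each event (typed command, rendered screen text, window title) before forwarding it and terminates the session on the first policy hit, so the offending content never reaches the server side. Channel names, rule names, the regular expressions and the sample session are all constructed for this example. It goes one step beyond the slide by adding a Luhn check to the card-number rule, which is why the slide's placeholder number is only caught in non-strict mode.

```python
"""Content-based real-time prevention in a session proxy.

Added example, not BalaBit's or Shell Control Box's code or policy format.
It models a proxy between a remote user and a server that inspects each
session event (typed command, rendered screen text, window title) before
forwarding it, and terminates the session on the first policy hit, so the
offending content never reaches the other side. Channel names, rule names
and the sample session are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    channel: str  # assumed channel names: "command", "screen", "title"
    text: str


# Candidate payment card number: 13 to 19 digits, single spaces or dashes
# allowed between digits, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Bulk copy of database-like files, e.g. "scp financial.db ..."
EXFIL_CMD_RE = re.compile(r"^\s*(scp|sftp|rsync)\b.*\.(db|sql|dump|bak)\b")
# Reading credential-looking files, e.g. "cat cred"
CRED_CMD_RE = re.compile(
    r"^\s*(cat|less|more|head|tail)\s+\S*(cred|passw|secret|shadow)")


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(event: Event, strict_cards: bool = True) -> list:
    """Return the names of the rules `event` violates (empty = clean).

    With strict_cards=True a digit run only counts as a card number if it
    passes Luhn; this drops most false positives (order numbers, IDs) but
    also lets through placeholder numbers that are not valid PANs.
    """
    hits = []
    if event.channel == "command":
        if EXFIL_CMD_RE.search(event.text):
            hits.append("command:db-exfil")
        if CRED_CMD_RE.search(event.text):
            hits.append("command:credential-read")
    if event.channel in ("screen", "title"):
        for m in CARD_RE.finditer(event.text):
            if not strict_cards or luhn_ok(m.group()):
                hits.append(event.channel + ":card-number")
                break
    return hits


def inspect_session(events, strict_cards: bool = True):
    """Forward events one by one until the first policy hit.

    Returns (forwarded_events, verdict). Everything from the offending
    event onward is never forwarded, which is the real-time prevention
    behaviour the slide describes, as opposed to logging and reviewing
    the session afterwards.
    """
    forwarded = []
    for ev in events:
        hits = classify(ev, strict_cards)
        if hits:
            return forwarded, {"action": "terminate", "rules": hits, "event": ev}
        forwarded.append(ev)
    return forwarded, {"action": "allow"}


# Constructed session, not a real recording.
SAMPLE_SESSION = [
    Event("command", "cd /opt/app"),
    Event("command", "ls -la logs/"),
    Event("screen", "Customer 4711  card 4111 1111 1111 1111  status OK"),
    Event("command", "scp financial.db /tmp/out"),
    Event("command", "cat cred"),
]

if __name__ == "__main__":
    forwarded, verdict = inspect_session(SAMPLE_SESSION)
    print("forwarded:", [e.text for e in forwarded])
    print("verdict:", verdict)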
25. Review of the audit trails
• Due to the internal and external regulations, audit trails need to be reviewed
  – Some in real-time using 4-eyes authorization
  – Others later
26. How to review?
• Which parts of the audit trails are the most interesting?
• How to choose which vendors should be reviewed?
• Which solution is significantly better than random sampling?
28. What is behavior?
"Behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli"
Daniel A. Levitis, PhD in Integrative Biology
29. User behavior in practice
What could be the elements of digital behavior?
• Typical time of logging in
• Typing speed
• Screen resolution
• Range of accessed servers and applications
• Activities performed: commands, screen content
30. The solution: Blindspotter
User Behavior Analytics shows:
• Who are the most risky users?
• What are the biggest anomalies?
• Which activities are the most critical?
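The slides list the behavioural features and the three questions the UBA product answers, but not how a deviation becomes a number. The following added example (not Blindspotter's algorithm or code) builds a per-user baseline from a few of the listed features (typical login hour, typing speed, accessed servers, commands issued) and scores new sessions by deviation from it, which is also the answer to the earlier "which solution is significantly better than random sampling?" question: reviewers start from the highest-scoring sessions. The feature weights, z-score cap, novelty measure and every session record are constructed for this example.

```python
"""Per-user behaviour baseline and deviation scoring.

Added example, not Blindspotter's algorithm or code. It takes a few of the
behavioural features listed on the slide (typical login hour, typing
speed, range of accessed servers, commands issued), builds a baseline per
user from past sessions and scores new sessions by their deviation from
that baseline, so that review effort goes to the largest anomalies
instead of a random sample. Weights, caps and all session records are
constructed for this example.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed history per user: (login_hour, typing_chars_per_sec, server, commands)
HISTORY = {
    "alice": [
        (9, 5.1, "db01", ["ls", "tail", "grep"]),
        (10, 4.9, "db01", ["ls", "vim", "grep"]),
        (9, 5.3, "db02", ["ls", "tail"]),
        (11, 5.0, "db01", ["grep", "tail"]),
        (10, 5.2, "db02", ["ls", "vim"]),
    ],
    "bob": [
        (14, 3.0, "web01", ["ls", "systemctl"]),
        (15, 3.2, "web01", ["ls", "journalctl"]),
        (13, 2.9, "web02", ["systemctl"]),
        (14, 3.1, "web01", ["ls", "journalctl"]),
    ],
}

# Constructed new sessions to be scored: (user, hour, cps, server, commands)
NEW_SESSIONS = [
    ("alice", 10, 5.0, "db01", ["ls", "tail"]),
    ("alice", 3, 9.5, "db07", ["scp", "cat"]),
    ("bob", 15, 3.1, "web01", ["ls", "journalctl"]),
    ("bob", 14, 3.0, "db01", ["ls", "mysqldump"]),
]

WEIGHTS = {"hour": 0.3, "typing": 0.1, "server": 0.3, "commands": 0.3}
Z_CAP = 5.0  # z-scores above this are treated as maximal deviation


def build_baseline(sessions):
    """Summarise a user's past sessions into a baseline."""
    hours = [s[0] for s in sessions]
    speeds = [s[1] for s in sessions]
    return {
        "n": len(sessions),
        # Floors keep a very regular user from producing huge z-scores on
        # a tiny change; the hour z-score ignores midnight wrap-around,
        # a production version would use circular statistics.
        "hour_mean": mean(hours), "hour_sd": max(pstdev(hours), 1.0),
        "speed_mean": mean(speeds), "speed_sd": max(pstdev(speeds), 0.2),
        # Number of past sessions that touched each server / used each command.
        "servers": Counter(s[2] for s in sessions),
        "commands": Counter(c for s in sessions for c in set(s[3])),
    }


def novelty(counter, n, item):
    """Share of past sessions in which `item` did not occur (1.0 = never seen)."""
    return 1.0 - counter.get(item, 0) / n


def score_session(baseline, hour, speed, server, commands):
    """Return (risk score in [0, 1], per-feature components)."""
    z_hour = abs(hour - baseline["hour_mean"]) / baseline["hour_sd"]
    z_speed = abs(speed - baseline["speed_mean"]) / baseline["speed_sd"]
    comp = {
        "hour": min(z_hour, Z_CAP) / Z_CAP,
        "typing": min(z_speed, Z_CAP) / Z_CAP,
        "server": novelty(baseline["servers"], baseline["n"], server),
        "commands": mean(novelty(baseline["commands"], baseline["n"], c)
                         for c in commands) if commands else 0.0,
    }
    return sum(WEIGHTS[k] * v for k, v in comp.items()), comp


def rank_sessions(history, new_sessions):
    """Score every new session against its user's baseline, highest risk first."""
    baselines = {u: build_baseline(s) for u, s in history.items()}
    scored = []
    for user, hour, speed, server, commands in new_sessions:
        score, comp = score_session(baselines[user], hour, speed, server, commands)
        scored.append((score, user, server, comp))
    return sorted(scored, key=lambda r: r[0], reverse=True)


def rank_users(history, new_sessions):
    """Most risky users: each user's highest session score, descending."""
    best = {}
    for score, user, _, _ in rank_sessions(history, new_sessions):
        best[user] = max(best.get(user, 0.0), score)
    return sorted(best.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for score, user, server, comp in rank_sessions(HISTORY, NEW_SESSIONS):
        print(f"{score:.3f} {user:6} {server:6} {comp}")
    print(rank_users(HISTORY, NEW_SESSIONS))
```

The per-feature components are returned alongside the score so that a reviewer can see why a session ranked high (unseen server, unseen commands, odd hour), which is the "biggest anomalies" and "most critical activities" view rather than a bare number.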
31. Agenda
Concept of the CSI Platform
CSI Platform in real life
About BalaBit
Product demo