Balázs Scheidler, co-founder and CTO of BalaBit holds a presentation about the importance of privileged users in IT security. He introduces BalaBit's approach to people-centric security - people centric security is a strategic approach to information security that emphasizes individual accountability and trust. It de-emphasizes restrictive, preventive security controls, while the monitoring of user activities is a fundamental element of people centric security. Mr. Scheidler showcases how cooperates Blindspotter, BalaBit's UBA solution with its Privileged Activity Monitoring tool, Shell Control Box, and how does they provide an effective defense against Advanced Persistent Threats. A live demo of how an APT attack would be prevented will be also part of the presentation.

1. Balázs Scheidler, Founder & CTO

2. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo

3. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo

4.  15 years in network security
 Global leader in
 privileged user monitoring and
 log management
 +30% annual growth in the last 5 years
 1 million installations worldwide
 23 of the „Fortune100 List” members
among clients
 Headcount: 200+
 60% developers and system engineers
 Global partner network
 100+ partners in 40+ countries
About BalaBit

5. TELCO / IT FINANCE
OTHER
INDUSTRIES
References

6. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo

7. Security Lifecycle
• Based on static, known
threats
• Build layers of access
controls, policies and walls
• Use predefined patterns
and rules to prevent access
• Respond to breaches with
bigger walls and more
controls
Define
Prevent
Detect
Respond
Access
Controls
& policies

8. Breaches continue…
Retail giant Target confirmed that credit and debit
card information for 40 million of its customers had
been compromised. ” – New York Times
The CEO and CIO left the company
Sony Pictures Entertainment has been targeted by
computer hackers in an attack which reports say
forced it shut down its systems… – BBC
Costs estimated at $15-35m and growing
Office on Personnel Management government data
breach impacted 21.5 million people – CNN
Director resigned
Advanced Persistent
Threats and malware
depend on privileged
account hijacking

9. Cost and time to detect, resolve
90% Of breaches went
undetected for over
3 months
80% Of breaches were
Unresolved after
3 months
2,5
3,14
3,02
9,43
Costs (> $18 mm)
Technical
support
Lost
productivity
Revenue and
disruption
Brand and
reputation
Source: IBM/Ponemon Institute
‟The cost of data breaches has increased by 96 percent; the number of
successful attacks has increased by 144 percent in the last four years.”
Source: HP State of security operations, 2015 report of capabilities and maturity of cyber defense organizations

10. Add security in Context
• Baseline business as usual
• Gather intelligence on
unusual user activities in
real-time
• Prioritize investigations
based on deviation from the
norm, and risk
• Get forensic-level visibility
into activities
• Respond immediately
Monitor
Users
Understand
the norm
Identify
risks
Investigate
and prevent

11. Agenda
Concept of CSI Platform
A case study of CSI Platform
About BalaBit
Product demo

12. Background
• Large European Enterprise
• Global operations
• Strict compliance regulations
– Under financial regulations
– US, Germany & Hong Kong
• No technology they didn’t have
– Mainframes, AS400, UNIX,
Windows, Linux, …

13. IT operations
• External suppliers help in IT
operations
– Chunks of the infrastructure is
outsourced completely
– Other service providers have
more specific scope
• Control:
– Traditional security gear
(firewall, IPS, DLP, VPN, SIEM)
– SLA
– ITIL style change management

14. Remote access
• Suppliers access the
infrastructure remotely
– Jumphost
• Basically unrestricted
access to data centers
– VPN & VDI
• Desktops are constrained
by default
• Broad access privileges
also exist

15. Credentials
• Remote access credentials are
assigned to suppliers, not
individuals
• Credentials to internal systems are
the responsibility of the suppliers
• No insight into supplier credential
management
• No vetting of supplier personnel

16. Internal separation
• Internal separation of
systems is weak
• Workstations are
restricted, but there are no
firewalls between
servers/applications
• Unrestricted IP-level
access is just a hop away

17. The project
Goals
• Establish direct controls
over suppliers
• Visibility into daily
operations
• Restrict access
privileges, „need-to-
know”
• Enforce change
management

18. Project scope
• ~30-35k remote
sessions per day
– 85% SSH
– 9% RDP
– 6% telnet (tn3270,
tn5250)

19. The zero line
• Traditional security gear does not
give enough context
– Firewall, IPS, VPN, DLP, SIEM
• Reasons
1. They already have the privilege to
pass
2. Logs are not providing the
necessary level of detail
3. Complex sequence of actions
cannot be reconstructed

20. First step
• Session recording was introduced

21. SCB: Immediate Benefits
• Transparent setup:
– All supplier sessions forced
through
– Without changing workflows,
clients/servers (no agent)
• Forensic investigations
• Centralizing vendor
authentication, credential
management

22. 4-eyes control
15
Authorizer Auditor
Real-Time follow

23. Enterprise integration

24. >1234 5678 9123 4567
>scp financial.db
Command detection
Screen-content detection
>cat cred
Window-title detection
17
Never
reaches
other side
Real-time
prevention

25. Review of the audit trails
• Due to the internal and external
regulations, audit trails need to
be reviewed
– Some in real-time using 4eyes
– Others later

26. How to review?
• Which part of the audit
trails are the most
interesting?
• How to choose which
vendors should be
reviewed?
• Which solution is
significantly better than
random sampling?

27. Second step: adding Behavior
Analytics

28. ”Behavior is the internally coordinated responses
of whole living organisms to internal and/or
external stimuli”
Daniel A. Levitis, PhD in Integrative Biology
What is behavior?

29. What could be the elements of digital behavior?
• Typical time of logging in
• Typing speed
• Screen resolution
• Range of accessed servers and applications
• Activities performed: commands, screen content
User Behavior in practice

30. The solution: Blindspotter
User Behavior Analytics
shows:
• Who are the most
risky users?
• What are the biggest
anomalies?
• Which activities are
the most critical?

31. Agenda
Concept of the CSI Platform
CSI Platform in real life
About BalaBit
Product demo

32. System
Logs
Application
Logs
Activity
Monitoring
Threat Management
Cockpit
API
User
Directory
Video
Replay
Risk
Land-
scape
Search
Report
User Behavior Analytics

33. Thank you!