SlideShare a Scribd company logo
SUPER USER OR SUPER THREAT?
KNOW WHEN USERS PUT YOUR
BUSINESS AT RISK
Presented by Matt Zanderigo and Kevin Donovan




WHO IS OBSERVEIT?
 HQ Boston, MA / R&D Tel Aviv, Israel
 Founded 2006
 1,200+ Customers Worldwide
 $20M Invested by Bain Capital
The leading provider of User
Behavior Monitoring for Application
Users, Admins and External Vendors
APPLICATION ACCESS
App Admins App Users
PRIVILEGED ACCESS
(Windows Admins, root,
DBAs, System Admins,…)
(Developers, IT Contractors,
Network Admin,…)
Shared Accounts Named Accounts
Entitlement changes
Logging Utilization
PRIVILEGED ACCESS: THE ‘ROOT’
OF TODAY’S BIGGEST BREACHES
78.8M affected by
Anthem breach, DBA
account
compromised
56M affected by
Home Depot Breach,
Privilege Escalation
to Blame
76M affected by
JPMorgan Chase
breach, obtained
admin privileges
Penetrate
Establish
Foothold
Open shell and run
commands to learn
orientation:
• Who Am I?
• Host name
• Location of directory
service
Escalate
Privileges
Move Laterally
Complete
Mission
Uploads and executes
malicious software
Scan memory for active
sessions and extract
passwords
Hackers attacks:
• URL Interpretation
• Input Validation
• SQL Injection
• Impersonation
• Buffer Overflow
LETS EXAMINE AN ATTACK
Hackers Log into AD
to get a targeted list
of machines
Hackers leverage
credentials to
compromise data on
machines
Provisioning &
Governance
_____________________________________________________
User
Monitoring
_____________________________________________________
Password
Vaults
_____________________________________________________
PRIVILEGED ACCESS MANAGEMENT
 Visual Audit Trail of all
privileged user sessions
 App & Access usage
Reporting
 Detailed session analysis:
sudo, privileged escalation,
backdoors…
Escalated
privileges
_____________________________________________________
WHAT SHOULD BE CLOSELY
MONITORED AND ALERTED UPON
Configuration
changes
_____________________________________________________
“The enterprise needs deep and real-time
insight within privileged sessions”
Lateral MovementUnauthorized activity
CONFIGURATION CHANGES
 Changes via Embedded Scripts
 Changes to Active Directory
 Changes within Registry Editor
EMBEDDED SCRIPTS
Super User or Super Threat?
ACTIVE DIRECTORY
Password Resets, Adding Users, Changing Groups, Modifying Access, etc.
REGISTRY EDITOR
Edit and Modify Specific Values
• Firewalls
• User Access Control
• Applications / Software
• Windows Components
UNSECURE ‘SHELL’
TELNET suffers from security
problems.
TELNET requires a login name
and password (when
exchanging text).
Hackers can easily eavesdrop
using snooper software to
capture a login name and the
corresponding password
even if it is encrypted.
TELNET has been largely
replaced by the more secure
SSH protocol.
ESCALATED PRIVILEGES
 ‘rm’ ‘cp’ with ‘sudo’
 Creating “backdoors”
 ‘leapfrog’ logins
‘RM’ ‘CP’ WITH ‘SUDO’
SU
RM
CP
SUDO Into Root Shell
Modifying the Ping Command
CREATING “BACKDOORS”
Super User or Super Threat?
Super User or Super Threat?
‘LEAPFROG’ LOGINS
Challenge:
 The Board of Directors of Ally Bank established a Privileged User Access (PUA)
project for all sessions that are accessing data on 160 servers in-scope for PCI and
SOX compliance.
 Their 5,000 privileged users represented a significant risk in their organization, so
they are rolling out Password vaulting (Lieberman) and needed to implement a
monitoring program in parallel
Solution:
 Needed a monitoring system to collect, alert, and report on the specific use of
applications, functions, or access to specific information
Challenge:
 Needed to comply with SOX, HIPAA, PCI mandates surrounding the audit and
logging of privileged access to 1,130 servers.
 SOX, HIPAA, PCI mandates must include a date/time stamp as well as proof of
what happened in all privileged sessions on regulated servers.
Solution:
 Holistic view of configuration changes across environment
 Real-time alerts and data exported to SIEM (IBM Qradar)
 Reports centered around privileged access as a whole
Super User or Super Threat?

More Related Content

What's hot

Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust Model
Yash
 
Top 5 Reasons to Choose Adaptive SSO
Top 5 Reasons to Choose Adaptive SSOTop 5 Reasons to Choose Adaptive SSO
Top 5 Reasons to Choose Adaptive SSO
SecureAuth
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity Management
ObserveIT
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
BeyondTrust
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
BeyondTrust
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
Raleigh ISSA
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
Practical Code, LLC
 
Arbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat AnalyticsArbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat Analytics
Microsoft Österreich
 
BalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT StaffBalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT Staff
Sectricity
 
Solvit identity is the new perimeter
Solvit   identity is the new perimeterSolvit   identity is the new perimeter
Solvit identity is the new perimeter
S.E. CTS CERT-GOV-MD
 
"EL ATAQUE INTERNO"
"EL ATAQUE INTERNO""EL ATAQUE INTERNO"
"EL ATAQUE INTERNO"
Jose Luis Balbiano
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Lacoon Mobile Security
 
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
African Cyber Security Summit
 
Emma Aubert | Information Protection
Emma Aubert | Information ProtectionEmma Aubert | Information Protection
Emma Aubert | Information Protection
Microsoft Österreich
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
Marco Di Martino
 
An Overview of IT Risk and Control
An Overview of IT Risk and ControlAn Overview of IT Risk and Control
An Overview of IT Risk and Control
Ismail Oduoye CISSP,CISA, CCNP-ROUTE,CCNA, MCITP,MCTS
 
Cybersecurity - Keeping Your Business Protected
Cybersecurity - Keeping Your Business ProtectedCybersecurity - Keeping Your Business Protected
Cybersecurity - Keeping Your Business Protected
Robert E Jones
 
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EUAnatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
University of Essex
 
Two Factor Authentication: Easy Setup, Major Impact
Two Factor Authentication: Easy Setup, Major ImpactTwo Factor Authentication: Easy Setup, Major Impact
Two Factor Authentication: Easy Setup, Major Impact
Salesforce Admins
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
BeyondTrust
 

What's hot (20)

Zero Trust Model
Zero Trust ModelZero Trust Model
Zero Trust Model
 
Top 5 Reasons to Choose Adaptive SSO
Top 5 Reasons to Choose Adaptive SSOTop 5 Reasons to Choose Adaptive SSO
Top 5 Reasons to Choose Adaptive SSO
 
ObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity ManagementObserveIT Webinar: Privileged Identity Management
ObserveIT Webinar: Privileged Identity Management
 
Stop the Evil, Protect the Endpoint
Stop the Evil, Protect the EndpointStop the Evil, Protect the Endpoint
Stop the Evil, Protect the Endpoint
 
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System CredentialsThe 5 Crazy Mistakes IoT Administrators Make with System Credentials
The 5 Crazy Mistakes IoT Administrators Make with System Credentials
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
Zero Trust Networks
Zero Trust NetworksZero Trust Networks
Zero Trust Networks
 
Arbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat AnalyticsArbel Zinger | Microsoft Advanced Threat Analytics
Arbel Zinger | Microsoft Advanced Threat Analytics
 
BalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT StaffBalaBit 2015: Control Your IT Staff
BalaBit 2015: Control Your IT Staff
 
Solvit identity is the new perimeter
Solvit   identity is the new perimeterSolvit   identity is the new perimeter
Solvit identity is the new perimeter
 
"EL ATAQUE INTERNO"
"EL ATAQUE INTERNO""EL ATAQUE INTERNO"
"EL ATAQUE INTERNO"
 
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur...
 
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
Conférence - Adopter une approche de sécurité applicative avancée - #ACSS 2019
 
Emma Aubert | Information Protection
Emma Aubert | Information ProtectionEmma Aubert | Information Protection
Emma Aubert | Information Protection
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
 
An Overview of IT Risk and Control
An Overview of IT Risk and ControlAn Overview of IT Risk and Control
An Overview of IT Risk and Control
 
Cybersecurity - Keeping Your Business Protected
Cybersecurity - Keeping Your Business ProtectedCybersecurity - Keeping Your Business Protected
Cybersecurity - Keeping Your Business Protected
 
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EUAnatomy of a breach - an e-book by Microsoft in collaboration with the EU
Anatomy of a breach - an e-book by Microsoft in collaboration with the EU
 
Two Factor Authentication: Easy Setup, Major Impact
Two Factor Authentication: Easy Setup, Major ImpactTwo Factor Authentication: Easy Setup, Major Impact
Two Factor Authentication: Easy Setup, Major Impact
 
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
Sudo Mode (part 2): How Privilege Mistakes could Dismantle your Entire Enterp...
 

Similar to Super User or Super Threat?

OSB120 Beat Ransomware
OSB120 Beat RansomwareOSB120 Beat Ransomware
OSB120 Beat Ransomware
Ivanti
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Nimrod duck hunter copy
Nimrod duck hunter   copyNimrod duck hunter   copy
Nimrod duck hunter copy
Nimrod Levy
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
Nimrod Levy
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
Network Intelligence India
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
Peter Wood
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
Hitachi ID Systems, Inc.
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
CA API Management
 
Who will guard the guards
Who will guard the guardsWho will guard the guards
Who will guard the guards
Network Intelligence India
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
lior mazor
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
Security Bootcamp
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
Jim Kaplan CIA CFE
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
Jeff Green
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
Lalit Kale
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
Simplex
 

Similar to Super User or Super Threat? (20)

OSB120 Beat Ransomware
OSB120 Beat RansomwareOSB120 Beat Ransomware
OSB120 Beat Ransomware
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Nimrod duck hunter copy
Nimrod duck hunter   copyNimrod duck hunter   copy
Nimrod duck hunter copy
 
Duck Hunter - The return of autorun
Duck Hunter - The return of autorunDuck Hunter - The return of autorun
Duck Hunter - The return of autorun
 
Advanced persistent threats
Advanced persistent threatsAdvanced persistent threats
Advanced persistent threats
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Introduction to Identity Management
Introduction to Identity ManagementIntroduction to Identity Management
Introduction to Identity Management
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
Who will guard the guards
Who will guard the guardsWho will guard the guards
Who will guard the guards
 
Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021Application security meetup k8_s security with zero trust_29072021
Application security meetup k8_s security with zero trust_29072021
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 
19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)19.) security pivot (policy byod nac)
19.) security pivot (policy byod nac)
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Cisco Security Presentation
Cisco Security PresentationCisco Security Presentation
Cisco Security Presentation
 

More from ObserveIT

Insider Threat Law: Balancing Privacy and Protection
Insider Threat Law: Balancing Privacy and ProtectionInsider Threat Law: Balancing Privacy and Protection
Insider Threat Law: Balancing Privacy and Protection
ObserveIT
 
How to Implement an Insider Threat Program
How to Implement an Insider Threat ProgramHow to Implement an Insider Threat Program
How to Implement an Insider Threat Program
ObserveIT
 
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
ObserveIT
 
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
Phish, Spoof, Scam: Insider Threats, the GDPR & Other RegulationsPhish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
ObserveIT
 
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security StrategyObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
ObserveIT
 
Cloud Security Allianz Webinar
Cloud Security Allianz WebinarCloud Security Allianz Webinar
Cloud Security Allianz Webinar
ObserveIT
 
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT - Unintentional Insider Threat featuring Dr. Eric ColeObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT
 
Insider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionInsider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat Detection
ObserveIT
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
ObserveIT
 
How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes
ObserveIT
 
Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?
ObserveIT
 
Xerox: Improving Data & App Security
Xerox: Improving Data & App SecurityXerox: Improving Data & App Security
Xerox: Improving Data & App Security
ObserveIT
 
2014: The Year of the Data Breach
2014: The Year of the Data Breach2014: The Year of the Data Breach
2014: The Year of the Data Breach
ObserveIT
 
3 steps to 4x the risk coverage of CA ControlMinder
3 steps to 4x the risk coverage of CA ControlMinder3 steps to 4x the risk coverage of CA ControlMinder
3 steps to 4x the risk coverage of CA ControlMinder
ObserveIT
 
3 Tips for Managing Risky User Activity in 2015
3 Tips for Managing Risky User Activity in 20153 Tips for Managing Risky User Activity in 2015
3 Tips for Managing Risky User Activity in 2015
ObserveIT
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and Solaris
ObserveIT
 
ObserveIT Brochure - Like a Security Camera on your Servers
ObserveIT Brochure - Like a Security Camera on your ServersObserveIT Brochure - Like a Security Camera on your Servers
ObserveIT Brochure - Like a Security Camera on your Servers
ObserveIT
 
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
ObserveIT
 
Case Study - Auditing remote access of employees at a leading financial insti...
Case Study - Auditing remote access of employees at a leading financial insti...Case Study - Auditing remote access of employees at a leading financial insti...
Case Study - Auditing remote access of employees at a leading financial insti...
ObserveIT
 
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN TreasuryCase Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
ObserveIT
 

More from ObserveIT (20)

Insider Threat Law: Balancing Privacy and Protection
Insider Threat Law: Balancing Privacy and ProtectionInsider Threat Law: Balancing Privacy and Protection
Insider Threat Law: Balancing Privacy and Protection
 
How to Implement an Insider Threat Program
How to Implement an Insider Threat ProgramHow to Implement an Insider Threat Program
How to Implement an Insider Threat Program
 
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
You've caught an Insider Threat, now what? The Human Side of Insider Threat I...
 
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
Phish, Spoof, Scam: Insider Threats, the GDPR & Other RegulationsPhish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
Phish, Spoof, Scam: Insider Threats, the GDPR & Other Regulations
 
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security StrategyObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
ObserveIT Customer Webcast: AIG Pioneers User-Centric Security Strategy
 
Cloud Security Allianz Webinar
Cloud Security Allianz WebinarCloud Security Allianz Webinar
Cloud Security Allianz Webinar
 
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT - Unintentional Insider Threat featuring Dr. Eric ColeObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
 
Insider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat DetectionInsider Threat Summit - The Future of Insider Threat Detection
Insider Threat Summit - The Future of Insider Threat Detection
 
Why Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level PriorityWhy Insider Threat is a C-Level Priority
Why Insider Threat is a C-Level Priority
 
How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes
 
Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?Insider Threats: Out of Sight, Out of Mind?
Insider Threats: Out of Sight, Out of Mind?
 
Xerox: Improving Data & App Security
Xerox: Improving Data & App SecurityXerox: Improving Data & App Security
Xerox: Improving Data & App Security
 
2014: The Year of the Data Breach
2014: The Year of the Data Breach2014: The Year of the Data Breach
2014: The Year of the Data Breach
 
3 steps to 4x the risk coverage of CA ControlMinder
3 steps to 4x the risk coverage of CA ControlMinder3 steps to 4x the risk coverage of CA ControlMinder
3 steps to 4x the risk coverage of CA ControlMinder
 
3 Tips for Managing Risky User Activity in 2015
3 Tips for Managing Risky User Activity in 20153 Tips for Managing Risky User Activity in 2015
3 Tips for Managing Risky User Activity in 2015
 
Whitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and SolarisWhitepaper: User Audit Options for Linux and Solaris
Whitepaper: User Audit Options for Linux and Solaris
 
ObserveIT Brochure - Like a Security Camera on your Servers
ObserveIT Brochure - Like a Security Camera on your ServersObserveIT Brochure - Like a Security Camera on your Servers
ObserveIT Brochure - Like a Security Camera on your Servers
 
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
Case Study - System Access Audit Compliance at The Center to Promote HealthCa...
 
Case Study - Auditing remote access of employees at a leading financial insti...
Case Study - Auditing remote access of employees at a leading financial insti...Case Study - Auditing remote access of employees at a leading financial insti...
Case Study - Auditing remote access of employees at a leading financial insti...
 
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN TreasuryCase Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
Case Study - Customer Auditing and ISO 27001 Certification at BELLIN Treasury
 

Recently uploaded

Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAIApplying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
ssuserd4e0d2
 
DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
Yevgen Sysoyev
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
ChristopherTHyatt
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
LINUS PROJECTS (INDIA)
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
chetankumar9855
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
aakash malhotra
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Mydbops
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
ArgaBisma
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
Kief Morris
 
Comparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdfComparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdf
Andrey Yasko
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
huseindihon
 

Recently uploaded (20)

Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAIApplying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
Applying Retrieval-Augmented Generation (RAG) to Combat Hallucinations in GenAI
 
DealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 editionDealBook of Ukraine: 2024 edition
DealBook of Ukraine: 2024 edition
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
 
Pigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending PlantPigging Unit Lubricant Oil Blending Plant
Pigging Unit Lubricant Oil Blending Plant
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024Three New Criminal Laws in India 1 July 2024
Three New Criminal Laws in India 1 July 2024
 
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsScaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops
 
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdfWhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
WhatsApp Image 2024-03-27 at 08.19.52_bfd93109.pdf
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
[Talk] Moving Beyond Spaghetti Infrastructure [AOTB] 2024-07-04.pdf
 
Comparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdfComparison Table of DiskWarrior Alternatives.pdf
Comparison Table of DiskWarrior Alternatives.pdf
 
find out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challengesfind out more about the role of autonomous vehicles in facing global challenges
find out more about the role of autonomous vehicles in facing global challenges
 

Super User or Super Threat?

  • 1. SUPER USER OR SUPER THREAT? KNOW WHEN USERS PUT YOUR BUSINESS AT RISK Presented by Matt Zanderigo and Kevin Donovan
  • 3. WHO IS OBSERVEIT?  HQ Boston, MA / R&D Tel Aviv, Israel  Founded 2006  1,200+ Customers Worldwide  $20M Invested by Bain Capital The leading provider of User Behavior Monitoring for Application Users, Admins and External Vendors
  • 4. APPLICATION ACCESS App Admins App Users PRIVILEGED ACCESS (Windows Admins, root, DBAs, System Admins,…) (Developers, IT Contractors, Network Admin,…) Shared Accounts Named Accounts Entitlement changes Logging Utilization
  • 5. PRIVILEGED ACCESS: THE ‘ROOT’ OF TODAY’S BIGGEST BREACHES 78.8M affected by Anthem breach, DBA account compromised 56M affected by Home Depot Breach, Privilege Escalation to Blame 76M affected by JPMorgan Chase breach, obtained admin privileges
  • 6. Penetrate Establish Foothold Open shell and run commands to learn orientation: • Who Am I? • Host name • Location of directory service Escalate Privileges Move Laterally Complete Mission Uploads and executes malicious software Scan memory for active sessions and extract passwords Hackers attacks: • URL Interpretation • Input Validation • SQL Injection • Impersonation • Buffer Overflow LETS EXAMINE AN ATTACK Hackers Log into AD to get a targeted list of machines Hackers leverage credentials to compromise data on machines
  • 7. Provisioning & Governance _____________________________________________________ User Monitoring _____________________________________________________ Password Vaults _____________________________________________________ PRIVILEGED ACCESS MANAGEMENT  Visual Audit Trail of all privileged user sessions  App & Access usage Reporting  Detailed session analysis: sudo, privileged escalation, backdoors…
  • 8. Escalated privileges _____________________________________________________ WHAT SHOULD BE CLOSELY MONITORED AND ALERTED UPON Configuration changes _____________________________________________________ “The enterprise needs deep and real-time insight within privileged sessions” Lateral MovementUnauthorized activity
  • 9. CONFIGURATION CHANGES  Changes via Embedded Scripts  Changes to Active Directory  Changes within Registry Editor
  • 12. ACTIVE DIRECTORY Password Resets, Adding Users, Changing Groups, Modifying Access, etc.
  • 13. REGISTRY EDITOR Edit and Modify Specific Values • Firewalls • User Access Control • Applications / Software • Windows Components
  • 14. UNSECURE ‘SHELL’ TELNET suffers from security problems. TELNET requires a login name and password (when exchanging text). Hackers can easily eavesdrop using snooper software to capture a login name and the corresponding password even if it is encrypted. TELNET has been largely replaced by the more secure SSH protocol.
  • 15. ESCALATED PRIVILEGES  ‘rm’ ‘cp’ with ‘sudo’  Creating “backdoors”  ‘leapfrog’ logins
  • 16. ‘RM’ ‘CP’ WITH ‘SUDO’ SU RM CP
  • 17. SUDO Into Root Shell
  • 18. Modifying the Ping Command CREATING “BACKDOORS”
  • 22. Challenge:  The Board of Directors of Ally Bank established a Privileged User Access (PUA) project for all sessions that are accessing data on 160 servers in-scope for PCI and SOX compliance.  Their 5,000 privileged users represented a significant risk in their organization, so they are rolling out Password vaulting (Lieberman) and needed to implement a monitoring program in parallel Solution:  Needed a monitoring system to collect, alert, and report on the specific use of applications, functions, or access to specific information
  • 23. Challenge:  Needed to comply with SOX, HIPAA, PCI mandates surrounding the audit and logging of privileged access to 1,130 servers.  SOX, HIPAA, PCI mandates must include a date/time stamp as well as proof of what happened in all privileged sessions on regulated servers. Solution:  Holistic view of configuration changes across environment  Real-time alerts and data exported to SIEM (IBM Qradar)  Reports centered around privileged access as a whole

Editor's Notes

  1. What privileged user activities should be closely monitored and alerted upon What’s happening in all admins sessions and even for actions that do not generate logs How to see if users are accessing information they shouldn’t be in critical systems or deleting files How to identify which users are remotely accessing your systems or changing permissions
  2. ObserveIT can alert on Terminal creation Tool upload via FTP Shell command execution ObserveIT will alert on Surrogate to root Commands running as root Data Exfiltration Hackers Exploit Your AWS WebServer via SQL Injection Hackers open shell & run commands for orientation & to discover host name & location of AD / directory service Hackers upload & execute malicious software to scan memory for active sessions and extract passwords Hackers Log into AD to get a targeted list of machines Hackers leverage credentials to compromise data on machines Malware Distribution Hackers Exploit Your AWS WebServer via SQL Injection Hackers open shell & run commands for orientation & to discover host name & location of AD / directory service Hackers uploads malware to the server Hacker modifies JSP pages to distribute the malicious software Hacker cleans the audit files to cover their tracks
  3. Monitoring Privileged Users is a key part of a Privileged Identity Management initiative. Let’s explore the three major components of Privileged Identity Management: Provisioning & Governance Controlling the complete lifecycle of who has access to your critical systems is critical and that is where provisioning comes in. The ability to report on who has access to these systems is where governance solutions come in. Password Vaults We all know how important protecting privileged account passwords is and this is where Password Vaults come in. We all know how dangerous it is when privileged users are using sticky notes to remember admin passwords for shared accounts. User Monitoring Controlling who has access is absolutely a critical need. And protecting the passwords is also critically important, but they both lack the ability to monitor and auditing what users actually do this access and passwords they have. Further, password vaults introduce increased complexity and single points of failure and because of this are often only deployed to protect a select number of servers. ObserveIT fills a critical missing component required to meet compliance regulations, detecting and stopping data breaches, and deterring careless and malicious activity and monitoring all Privildeged users with the ability to extend this visibility easily to your entire user population. Integrations ObserveIT integrates with provisioning and Passwords Vaults to provide monitoring of all user activity and behavior across the entire lifecyle of your privileged users. --click to next slide---
  4. Create new system users, access files, authorize network activity, and change system settings. cron jobs Config. Change: Embedded Scripts (innocent script story) Unsecure ‘shell’ (telnet on legacy appliances – SSH is much more secure and passwords are encrypted over the wire) Unauthorized access (to configuration files) & run commands that they are not supposed to be Unapproved ‘setuid’ Escalating Privileges Pass-the Hash ‘rm’ ‘cp’ with ‘sudo’ Installing “backdoors” “leapfrog” logins
  5. Legacy systems like routers and phone systems and other applications – like IP address in router Systems still have a place in the business and if your privileged users still need to access telnet sessions we can monitor
  6. 1) Sudo into root shell - A sudo allows an admin to delegate authority to give selected users the ability to run commands as a root or another user. ObserveIT alerts if someone is running a sudo command to interactively open a root shell that does not require a root password. Traditionally, it is difficult to track user actions because in shell you are not limited to a specific command but with ObserveIT it’s simple. 2) Update root cron jobs - A cron is a time-based scheduler program that enables UNIX users to automatically execute commands or scripts at a specific time and date. Cron jobs are used for scheduling tasks to run on the server. ObserveIT alerts when the –e option is used with root permissions to modify cron jobs that will later run with root permissions, enabling potential backdoor user activity at a later date. 3) Edit sudoers files - The sudoers file controls who can run specific commands as specific users on specific machines and can also control special actions like whether you need a password for particular commands. ObserveIT alerts when the sudoers file is edited, as this could enable unauthorized root permissions for the user. 4) Changing a program to a setuid programs (possible backdoor) – Setuid short for “set user ID upon execution” are UNIX access rights flags that allow users to run programs with temporarily elevated privileges in order to perform a specific task. ObserveIT alerts when a user tries to change a program to a “setuid” program (which automatically provides root permissions while the program runs), since this could enable potential backdoor user activity. 5) Opening generic root shell – root shell is one of the main targets of hackers since they can then run whatever command they want, under full authority and it is very hard to track what they do when they get it, ObserveIT can track when a regular user opens a root shell so it can be monitored to make sure is a legitimate action, and commands done under the sensitive shell can be monitored. 6) Creating local user with duplicate user ID - ObserveIT alerts when a user with privileged permissions creates a new user with the same ID as an existing user. The newly-created user could login with his/her own password and perform actions as if they were performed by a different user (especially suspicious for power users like root) 7) Su into root shell with no password - In UNIX, the “root” user has control over the machine. An attacker will want to obtain a shell prompt so that any command can be entered that will execute with root privileges. ObserveIT alerts when a regular user runs a program that opens a root shell using "sudo su". The user will not be asked for the root user password and will have root user permissions without knowing the root password.
  7. Here, a low-level user is seen running the Ping command twice, once normally and once with a special parameter, LetMeIn. The second version actually provides this low-level user with root-level permissions for this session: At this point, this user can do almost anything on the machine, from stealing sensitive data to crashing the system.
  8. It is actually rather easy to deploy this kind of backdoor; only a few short lines of C code are required, like this: This code shows how the Ping command is modified to run normally, unless the LetMeIn parameter is specified on the command line. When this parameter is invoked, the normally-harmless Ping command opens a root-level shell for the user running it. (The printf commands are included for illustrative purposes and would not be included in real-life usage of this exploit.)
  9. An alert was generated by the system in response to the user executing a sudo comment to give himself root permissions. The administrators received this alert by email and also in the console. Here, we see the details of the alert shown in an overlay shown within a video recording of the action itself: Watching a video at the moment that an alert was generated makes it explicitly clear what the user was doing, and if it warrants further attention. For the second alert – generated when the user executed the Ping backdoor exploit – we see the level of detailed “behind the scenes” information provided to administrators. While the session video does not show the system-level effects of that modified Ping command, the user activity log presents all the underlying system commands very clearly.
  10. OIT Reps: Angela Halliwell, Daniel Petri, Alex Ellis   Deal details: $298,500 for 615 multi-platform server agents   Lead source: Existing customer (already have 450 server agents deployed)   Use cases:  Primary – Audit and Compliance     Secondary – Threat Management   Customer Summary:   Publicly traded NYSE: CI, Industry: Managed Health Care, $32.4 billion in annual revenue with 35,000 employees worldwide, 80 million global customer relationships, sales in more than 30 countries, Cigna is a global health services company dedicated to helping people improve their health, well-being, and sense of security.  All products and services are provided exclusively through operating subsidiaries of Cigna Corporation.  Products and services include an integrated suite of health services, such as medical, dental, behavioral health, pharmacy and vision benefits, and other related products including group disability life, and accident coverage.    Main players: Deb Cody - CISO (executive sponsor) John Shepard – Director, Information Protection (economic buyer) – reports to Deb, Chris’s peer Linda Bird – Manager, Information Protection Security Engineering (technical buyer) – reports to John Christina Fryman – Manager, Audit & Compliance, Access Management & Governance (primary consumer of OIT data/reports) – reports to John Carmine D’Uva – IAM product support (influencer – hands on, deploys new agents) Chris Lockery – Director, Information Protection – runs Threat Management Team & Forensics – reports to Deb, John’s peer Edmond Mac – Incident Response & Forensics – reports to Chris Jim Jeffers – Incident Response & Forensics – reports to Chris Mac Edmond – Incident Response & Forensics – reports to Chris Tyse Water – Incident Response & Forensics – reports to Chris   Main Driver: Compliance/Audit and enable business securely – Trust But Verify.  OIT provides Access Mgmt & Governance with the attestation they need to comply with SOX, HIPAA, PCI mandates to include a date/time stamp as well as proof of business approval.   They are monitoring privileged users with privileged access; for example, who on the App team should have access to service accounts?  They verify, spot check, and provide reporting to Christina.  The second phase of their deployment will involve Chris Lockery and the Threat Mgmt Team now that we have alerting and can be used more proactively.   Environment:  Server environment is mostly Windows which are first priority because they hold high value assets,  then mid-range Unix and Linux.  Deployment to US first then Glasgow/EUR and APAC, all done by Carmine out of Philly site.  Workstations are mostly Windows but their small percentage of Mac users is rapidly growing.   For ticketing, they use  HP Service Manager and we’ve manually integrated with their SIEM, IBM QRadar, via a week of onsite PS delivered by Daniel Petri.  They also use CA Controlminder and SYMC DLP solution.   Issues/Challenges:  John Shepard and Linda Bird are good, strong fans of OIT and really understand the value that we bring.  I’ve been able to develop good coaching relationships with both but haven’t yet developed either one in to a true “champion” in the sense that without consensus and collaboration, neither of them could have pulled the trigger to get a Q4 deal done, which is not ideal.  They were non-committal on timeline all through Q3 and early Q4 so I expected this to be a 2015 deal and didn’t feel like I had accurate forecasting ability on this one.   There has not been a time-specific driver so it was challenging to push them faster or create a catalyst to buy.   How it was won: We provide, as a team, a ton of attention to this account and it pays off.  We worked very closely with John, Linda, Christina and Carmine starting in May to get all of their licenses upgraded and deployed to non-prod then prod via a very detailed, rigorous process (Daniel held their hands quite a bit!) with the expectation that if success criteria were met, expansion globally would be a next step to cover HVA’s first and then mid-tier second.  We had some challenges along the way but this team is extremely communicative and detailed with requests to sales, support, and product management for feature requests.   We coordinated several calls and meetings and included Avi, Gaby and Micky to ensure that their extensive input to roadmap was captured and documented and that every issue or concern was resolved.   We committed to doing their QRadar integration and had to reset a few times but because the communication had been so consistent, we weathered hiccups pretty.   This is a classic case of being in the right place to grab year end budget flush!  The day before Thanksgiving Linda and John called and asked if I wanted an early holiday gift -- $300K of use-or-lose budget for server licenses.  WooHOO!  Of note, they specifically said that they thought about parsing it out across a handful of vendors but that they ultimately decided to give it all to us.  Cigna is a large and important customer to OIT and it’s clear to me that they feel very well taken care of by a broad “One-OIT” Team including those mentioned already plus Tal, Yaniv, Dimitri, Matt Z, Gaby, Avi, Makesh, and more.   Next steps: Continue working closely with our primary contacts to get these licenses deployed.  Webinar and Case Study including joint marketing with QRadar team Partner with Chris Lockery to get Threat Management Team comfortable with integrating OIT in to the suite of tools they use for Incident Response and Forensics to ensure that this leads to a workstation opportunity next. Introduce Deb Cody, CISO, to Paul Brady next time she’s in Boston or coordinate Paul to meet her in Philadelphia or a CT site.