Transcript Document
Maintain sensitive material securely
Pēteris Kokovkins
February 2010
Agenda
BTG Overview
Common Security Measures
Internal Threats Overview
Internal Threats Players
Existing Security Solutions
SysLog and Shell Control Box (BalaBit IT Security)
NitroView and NitroGuard (NitroSecurity)
Guardium (Guardium – IBM Company)
Intellinx (Intellinx) – proactive Internal Fraud detection
Recommendations
February, 2010
2
BTG Overview
U.S. corporation BTG Systems, Inc. and Latvian company Baltic Technology Group, formed in May 1991
Development centers in Riga and Daugavpils
17 years of international IT services experience
200+ projects in the U.S., Europe, the Middle East, S.E. Asia, Australia and New Zealand
Successful on-site, offshore, nearshore and mixed development/support projects
Common Security Measures
Every Element is Secured…
…Except for Authorized User Access
[Network diagram: web, FTP and mail servers in the DMZ; application server, database server and mainframe on the LAN; firewall and VPN gateway in front; one remote user and several internal users, all with authorized access]
Internal Threats Overview
Internal Threats
Surfing the Web during work or after work hours
USB data loss/E-mail attachment/Forum posting
Laptop Theft
Information Leakage
IT Sabotage
Insider Fraud
Internal Threats Overview
Top 10 Threats to Enterprise Security
Source: IDC's 2007 Annual Security Survey of IT and security professionals
Internal Threats Overview
Internal Threats vs. External Threats
Which Is More Common?
[Bar chart, % of respondents by company size (small, medium sized, large, very large): whether security incidents come mainly from internal sources, external sources, or about even. Source: IDC's Security Survey, 2006]
Internal Threats Overview
Information Leakage Statistics
Source: InfoWatch Leak DB, beginning of 2009
Internal Threats Overview
Internal Threats – A Critical Problem for Enterprises
Remember: the perfect fraud is one where the victims are completely unaware that they are victims!
Average cost of fraud: 7% of annual revenues
60% of all fraud involves employees
60% of fraud is detected by tips or by accident
The average scheme runs for 24 months before detection
In 78% of the cases studied, the insiders were authorized users using simple, legitimate user commands
Source: The ACFE (Association of Certified Fraud Examiners) 2008 survey
Internal Threats Overview
Internal Threats – Elusive Nature
No single product can address all possible scenarios,
so organizations usually deploy several types of product,
each tackling a different aspect of the problem:
Network, bypass and end-point content filtering
Fraud detection
Log aggregation
Internal Threats Players
Network Based Information Leakage Detection & Prevention
Vericept, Vontu, Port Authority, Tablus, Reconnex, Zantaz, Fidelis
Security, SurfControl, Websense, Tizor, NitroSecurity
Desktop Based Information Leakage Detection & Prevention
Verdasys, Orchestria, Oakley Networks, Control Guard, Safend, Onigma
Fraud Detection solutions
FairIsaac, SearchSpace, Mantas, Norkom, Actimize, Intellinx
Database Security and Monitoring Solutions
Lumigent, Guardium, DataMirror, Teleran, IPLocks, Tizor, Imperva
Log Aggregation and Analysis
Consul, Vanguard, SenSage, LogLogic, Memento, BalaBit
SysLog and Shell Control Box
BalaBit IT Security
Syslog-ng - central syslog server solution
System logging application used by network devices such as switches and routers as well as by servers; suited to building centralized, trusted logging infrastructures.
Syslog-ng Open Source Edition (OSE)
Widely deployed logging application,
reliable message transfer over TCP,
secure message transfer over TLS,
ability to send log messages directly to an SQL database,
flow control so that minor server outages do not lose messages
Syslog-ng Premium Edition (PE)
disk-based buffering of messages,
storage of messages in encrypted log files,
reading messages from arbitrary files,
support for MS Windows
Syslog-ng Store Box (SSB)
(built around syslog-ng PE)
Complete turn-key log management appliance:
log collection, encrypted storage, automatic archiving and backups,
web interface
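The TCP, TLS and flow-control features listed above map onto a few lines of syslog-ng OSE configuration. The fragment below is an added example in syslog-ng 3.x syntax, not taken from BalaBit's documentation; the hostname, port, certificate paths and buffer size are assumptions. Client and server parts would normally live in separate syslog-ng.conf files on the respective hosts.

```conf
# ---- client side (every monitored server): ship logs over TCP with mutual TLS ----
@version: 3.1

source s_local {
    unix-stream("/dev/log");   # local syslog socket
    internal();                # syslog-ng's own messages
};

destination d_central {
    tcp("logs.example.internal" port(6514)      # assumed central log host and port
        tls(
            ca_dir("/etc/syslog-ng/ca.d")        # CA(s) trusted to sign the server cert
            key_file("/etc/syslog-ng/client.key") # client cert: the server verifies us too
            cert_file("/etc/syslog-ng/client.crt")
            peer_verify(required-trusted)        # refuse an unverified server (no downgrade)
        )
        log_fifo_size(10000)                     # in-memory buffer for a short server outage
    );
};

# flow-control: when d_central's buffer is full, stop reading the sources
# rather than silently dropping messages
log { source(s_local); destination(d_central); flags(flow-control); };

# ---- server side (central log host): accept only clients with a trusted cert ----
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            key_file("/etc/syslog-ng/server.key")
            cert_file("/etc/syslog-ng/server.crt")
            ca_dir("/etc/syslog-ng/ca.d")
            peer_verify(required-trusted)        # unauthenticated senders cannot inject logs
        )
    );
};

destination d_perhost {
    file("/var/log/remote/${HOST}/${YEAR}${MONTH}${DAY}.log"
         create_dirs(yes) dir_perm(0750) perm(0640));   # readable by the log group only
};

log { source(s_tls); destination(d_perhost); };
```

Two practical checks: `ca_dir()` expects the CA certificates stored under their OpenSSL hash names (run `c_rehash` on the directory), and `peer_verify(required-trusted)` on both ends is what turns the channel into a trusted one; with `optional-untrusted` any host on the network could feed the central server forged events.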
SysLog and Shell Control Box
BalaBit IT Security
Shell Control Box (SCB)
An appliance that controls, monitors and audits remote administrative access to servers and network devices. It oversees server administrators and administration processes by controlling the encrypted connections used for server administration. It is an external, fully transparent device, independent of both the clients and the servers.
SCB logs all administrative traffic (configuration changes, executed commands, etc.) into audit trails,
all data is stored in encrypted, timestamped and signed files, so any modification or manipulation can be detected,
the circumstances of an event are readily available in the audit trail and the incident can be identified,
recorded audit trails can be replayed like a movie,
4-eyes authorization and real-time monitoring of the audited connections,
the two directions of the traffic (client-to-server and server-to-client) can be separated and encrypted with different keys
SysLog and Shell Control Box
BalaBit IT Security
Log aggregation limitations
Does not capture user behaviour,
does not cover all applications,
typically does not include query (read) transactions,
external log analysis and log archiving only
NitroView and NitroGuard
NitroSecurity
NitroView ADM - real-time application and protocol monitoring, full packet decode and inspection up to layer 7
NitroView DBM - inspects packets sent to databases to detect rogue users and potential SQL injection attacks, generating alerts to e-mail, SNMP or the NitroView Enterprise Security Manager for mitigation of suspicious database activity
NitroView ELM - reliable and scalable log storage and management appliance, usable on its own or as a fully integrated component of the NitroView security platform
NitroGuard IPS - purpose-built appliance providing in-line protection on network connections of up to 6 Gbps
NitroView and NitroGuard
NitroSecurity
Technology & Architecture
Dedicated appliances with built-in engines
NitroEDB - a purpose-built, very high performance database:
very fast collection of information,
efficient compression and storage of information,
real-time access to the information
NitroICE - Intelligent Content Extraction - addresses "information overload":
powerful monitoring capabilities,
very high visibility
NitroGuard - engine based on Snort IPS technology:
powerful custom IPS engine,
invisible to intruders (in-line, no addressable interface),
library of custom Snort IPS signatures
NitroView and NitroGuard
NitroSecurity
Limitations
Visibility at the database session level only
Hardware-based limitations (e.g. log size is not configurable and depends on the appliance model)
No behaviour analysis
Guardium
Guardium – IBM Company
Guardium belongs to the category of database security and monitoring solutions. The company positions its product as the most widely used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.
Real-time database activity monitoring
Policy-based controls
Anomaly detection
Auditing & compliance
Creates a continuous, detailed audit trail of all DB activities, including the "who, what, when, where and how" of each transaction
Real-time security alerts and blocking
Automatically generates compliance reports
Change control
Tracks all DB changes:
DB structures (tables, triggers and stored procedures)
Critical data values
Security and access control objects (users, roles and permissions)
DB configuration files, shell scripts, OS files and executable programs
Vulnerability management
DB leak prevention - unlike other solutions, Guardium's DLP addresses leakage at the data source
Guardium
Guardium - IBM Company
Guardium limitations
Visibility
only into the results of user actions as reflected in database access,
no visibility into the data actually displayed on the user's screen or the user's actions on the screen,
no visibility into user access to non-database data
Tracks only updates (not read commands) in many cases, which is not enough for detecting information leakage
In many cases user IDs are not tracked, because the application passes a generic user ID (e.g. a shared connection-pool account) to the database, so the information collected cannot be linked to a specific user
Intellinx – Enterprise Fraud Prevention
Leading provider of end-user surveillance solutions for detecting and preventing insider fraud and other types of fraud
Data Capture
Network sniffing: transactions, screens, intra-application messages, database access
Log files and databases
Reference data
Forensic Audit Trail
"Google-like" search on captured data, e.g. who accessed a specific customer account in a specific timeframe?
Captured data is encrypted and digitally signed - potentially admissible in court when needed
Fraud Analytics
Dynamic profiling and scoring of various entities
Customizable business rules
Real-time alerts
New rules may be applied after the fact
Investigation Workbench and Case Management
Manage cases, alerts and incidents
Flexible reporting
Control parameters of rules, profiles and scoring
Intellinx – General Architecture
[Architecture diagram: the Data Collector & Consolidator captures traffic from the monitored environment through a network switch (mainframe, AS/400, client/server, web server and database server, used by external eBusiness customers and by internal business users and privileged IT users) and from existing data sources (databases, log files, reference tables). It feeds a Visual Audit Trail, a Search Engine and an Analytic Engine; the analyzed data is exposed through the Investigation Center & Case Manager as visual replay, reports, alerts, cases, profiles and "Google-like" search to auditors, compliance officers and fraud investigators]
The Intellinx Technology
Agent-less network traffic sniffing
No impact on the performance of the monitored systems
Highly scalable architecture
Very short installation process (several hours), with no risk to normal IT operations
Recordings stored in an extremely condensed format
Recording data is encrypted and digitally signed - potentially admissible in court when needed
Sample monitored platforms:
IBM Mainframe: 3270, MQ, LU0, LU6.2
IBM System i: 5250, MPTN
Unisys: T27
Web: HTTP/HTTPS
Client/Server: TCP/IP, MQSeries, MSMQ, SMB
Telnet, VT100, SSH
Oracle (SQL*Net), DB2 (DRDA), MS SQL (TDS)
SWIFT, FIX, ISO 8583 (ATM), others
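Both SCB (slide 13) and Intellinx (above) rely on audit trails that are "timestamped and signed" so that an administrator cannot quietly rewrite the record of what they did. The script below is an added example, not BalaBit or Intellinx code: a stdlib-only trail in which every record is chained to the MAC of its predecessor, plus a verifier that detects modification, deletion and reordering. HMAC-SHA256 stands in for the products' digital signatures, the session line and commands are constructed, and the key is assumed to live on the auditing appliance rather than on the administered host.

```python
"""Tamper-evident audit trail: timestamped, hash-chained, MAC-signed records."""
import hashlib
import hmac
import json

GENESIS = "0" * 64          # "previous MAC" of the first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail: list, key: bytes, ts: str, session: str, command: str) -> dict:
    """Append one captured command, chained to the previous record and MAC-signed."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"seq": len(trail), "ts": ts, "session": session,
            "command": command, "prev": prev}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    trail.append(record)
    return record


def verify_trail(trail: list, key: bytes) -> tuple:
    """Walk the chain; return (True, 'ok') or (False, reason) at the first bad record."""
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i:
            return False, f"record {i}: sequence gap (record removed or reordered)"
        if body.get("prev") != prev:
            return False, f"record {i}: chain broken (predecessor replaced)"
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, record["mac"]):
            return False, f"record {i}: MAC mismatch (content modified)"
        prev = record["mac"]
    return True, "ok"


def head(trail: list) -> str:
    """MAC of the last record. Anchor it externally (e.g. with a timestamping
    service) so that silent truncation of the tail is detectable as well."""
    return trail[-1]["mac"] if trail else GENESIS


def demo() -> dict:
    key = b"example-key-held-by-the-audit-appliance"   # assumption: never on the admin's host
    trail = []
    # Constructed sample: one SSH admin session as a relay appliance would capture it.
    for ts, cmd in [("2010-02-10T09:12:03Z", "sudo -i"),
                    ("2010-02-10T09:12:20Z", "cat /etc/shadow"),
                    ("2010-02-10T09:13:01Z", "history -c")]:
        append_record(trail, key, ts, "ssh:admin@db01", cmd)
    results = {"intact": verify_trail(trail, key)}
    # The admin later "cleans up" the trail: rewrite one command ...
    edited = [dict(r) for r in trail]
    edited[1]["command"] = "cat /etc/motd"
    results["modified"] = verify_trail(edited, key)
    # ... or drop the incriminating record altogether.
    results["deleted"] = verify_trail(trail[:1] + trail[2:], key)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} -> {'OK' if ok else 'TAMPERED: ' + reason}")
```

The chain only proves integrity relative to the key holder; SCB's separation of the two traffic directions under different keys is the same idea applied twice, so that an auditor can be handed the commands stream without the server output, which may contain the very data being protected.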
The Deterrence Factor of Real-time Alerts
A Credit Card Company Case Study
Alerts on Celebrity Accounts Snooping
[Line chart, alerts per week (0 to 100) over ten weeks, annotated at three points: the rule is implemented, security officers start calling on suspects, the first employee is laid off]
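The Fraud Analytics bullets on slide 20 (business rules, dynamic profiling and scoring, rules applied after the fact) and the case study above describe one pipeline. The script below is an added example, not Intellinx code, that runs that pipeline over a constructed access trail: a rule that flags views of watch-listed accounts with no case attached, the weekly alert series behind a chart like the one above, a per-user profile scored against the population, and replay of the rule over stored history. The event layout, the watch list and every event are constructed for this example.

```python
"""Rule-based snooping detection over a captured access trail."""
from collections import Counter, defaultdict
from datetime import datetime

WATCHLIST = {"ACC-7001", "ACC-7002"}   # assumption: accounts flagged as high-profile

# Constructed sample trail: (timestamp, user, action, account, case_id or None).
# A case id means the lookup was tied to a ticket; a bare VIEW is not.
EVENTS = [
    ("2010-01-04T09:05:00", "clerk17", "VIEW", "ACC-7001", None),
    ("2010-01-04T09:06:00", "clerk17", "VIEW", "ACC-7002", None),
    ("2010-01-04T10:00:00", "clerk03", "VIEW", "ACC-1205", "C-88"),
    ("2010-01-05T11:30:00", "clerk03", "VIEW", "ACC-7001", "C-91"),
    ("2010-01-11T08:45:00", "clerk17", "VIEW", "ACC-7001", None),
    ("2010-01-12T14:10:00", "clerk42", "VIEW", "ACC-3310", None),
    ("2010-01-19T16:20:00", "clerk17", "VIEW", "ACC-7002", None),
]


def parse(raw: tuple) -> dict:
    ts, user, action, account, case = raw
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "account": account, "case": case}


def rule_vip_snooping(e: dict) -> bool:
    """Business rule: a watch-listed account was viewed with no case attached."""
    return e["action"] == "VIEW" and e["account"] in WATCHLIST and e["case"] is None


def run_rule(events: list, rule, since: str = None) -> list:
    """Apply a rule to the stored trail. With `since` unset it replays all history,
    which is how a rule written today is applied to last quarter's captures."""
    floor = datetime.fromisoformat(since) if since else None
    return [e for e in map(parse, events)
            if rule(e) and (floor is None or e["ts"] >= floor)]


def alerts_per_week(alerts: list, start: str) -> dict:
    """Bucket alerts into 1-based weeks from `start` (the series behind a per-week chart)."""
    origin = datetime.fromisoformat(start)
    weeks = Counter((a["ts"] - origin).days // 7 + 1 for a in alerts)
    return dict(sorted(weeks.items()))


def user_profiles(events: list) -> dict:
    """Dynamic profile: share of each user's views that hit the watch list,
    scored relative to the population mean (1.0 = average, 2.0 = twice average)."""
    views, hits = defaultdict(int), defaultdict(int)
    for e in map(parse, events):
        if e["action"] != "VIEW":
            continue
        views[e["user"]] += 1
        hits[e["user"]] += e["account"] in WATCHLIST
    ratio = {u: hits[u] / views[u] for u in views}
    mean = sum(ratio.values()) / len(ratio) if ratio else 0.0
    return {u: round(r / mean, 2) if mean else 0.0 for u, r in ratio.items()}


if __name__ == "__main__":
    alerts = run_rule(EVENTS, rule_vip_snooping)
    for a in alerts:
        print(f"ALERT {a['ts']:%Y-%m-%d %H:%M} {a['user']} viewed {a['account']} with no case")
    print("alerts per week:", alerts_per_week(alerts, "2010-01-04"))
    print("profile scores:", user_profiles(EVENTS))
```

The rule fires only on the clerk who browses high-profile accounts without a ticket; the clerk who opens the same account under a case is not alerted, which is the "legitimate command, illegitimate purpose" distinction that a plain database log cannot make. Because the trail is stored, `run_rule` with a `since` date applies the same rule retroactively to the captures from before it existed.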
Intellinx – Enterprise Fraud Prevention
Intellinx limitations
If the layout of the data on the wire is proprietary, Intellinx cannot parse it (unless given access to the proprietary protocol)
If the traffic is encrypted in a non-standard way, it cannot be decoded (unless given access to the encryption method)
VPN traffic cannot be decrypted unless the tap is placed beyond the VPN gateway, on the clear-text side
Does not record activity that runs only on the employee's workstation, only access to the business applications (some consider this a privacy positive!)
Recommendations
Get proactive about internal threats
Detecting internal threats and information leakage requires full visibility into user activity
How?
Move out of the "silo" approach!
Deploy:
User behaviour and link analysis
Real-time alerting
After-the-event forensics
Visual replay of user activity
Non-invasive solution, mitigated risk, fast implementation
Spend money to save costs! Why?
Identify and resolve "issues" before they become costly
Reduce exposure by shortening data breach investigations
[email protected]
www.btgsystems.com