
Maintain sensitive material securely
Peteris Kokovkins

February, 2010

2. Agenda
    - BTG Overview
    - Common Security Measures
    - Internal Threats Overview
    - Internal Threats Players
    - Existing Security Solutions
    - SysLog and Shell Control Box (BalaBit IT Security)
    - NitroView and NitroGuard (NitroSecurity)
    - Guardium (Guardium





Presentation Transcript



    3. BTG Overview
    - U.S. corporation BTG Systems, Inc. and Latvian company Baltic Technology Group, formed in May 1991
    - Development centers in Riga and Daugavpils
    - 17 years of international IT services experience
    - 200+ projects in the U.S., Europe, Middle East, S.E. Asia, Australia and New Zealand
    - Successful on-site, offshore, nearshore and mixed development/support projects


    5. Internal Threats
    - Surfing the Web during work or after work hours
    - USB data loss / e-mail attachment / forum posting
    - Laptop theft
    - Information leakage
    - IT sabotage
    - Insider fraud

    6. Top 10 Threats to Enterprise Security
    Source: IDC's 2007 Annual Security Survey of IT and security professionals

    7. Internal Threats vs. External Threats: Which Is More Common?
    Most businesses understand that threats can come from both outside (e.g., hackers, crackers, and criminals) and inside (individuals with legitimate access such as employees, customers, partners, consultants, contractors, etc.). While small businesses still perceive that the most serious threats come from external sources, medium-sized companies view internal and external threats as equally important. Large and very large firms clearly realize that the most serious security threats are coming from internal sources.

    Threats from External Professionals
    - Organized Crime: extortion and protection payments; stock manipulation; massive fraud
    - Hostile and Non-Government: physical destruction by IT manipulation; disruption of critical economic processes
    - Foreign Intelligence Agencies: steal technology secrets; feed confidential data to "friendly firms"
    - Hired Guns & Renegade Consultants: blackmail-based consulting; extract critical business information; steal pricing, bid data, and proposals; feeding the counterfeiters

    8. Information Leakage Statistics

    9. Internal Threats – A Critical Problem for Enterprises
    Remember: the perfect fraud is where victims are completely unaware they are victims!
    - Average cost of fraud: 7% of annual revenues
    - 60% of all fraud involves employees
    - 60% of fraud is detected by tipping or by accident
    - The average scheme goes on for 24 months prior to detection
    - In 78% of the cases studied, the insiders were authorized users utilizing simple, legitimate user commands
    The US Association of Certified Fraud Examiners' estimate of the average cost of fraud has been rising and is now at 7%.

    10. Internal Threats – Elusive Nature
    There is no product that can address all possible scenarios; hence organizations usually deploy different types of products for this purpose, each tackling a different aspect of the problem:
    - Network, bypassing, end-point content filtering
    - Fraud detection
    - Log aggregation

    11. Existing Security Solutions
    - Network-based information leakage detection & prevention: Vericept, Vontu, Port Authority, Tablus, Reconnex, Zantaz, Fidelis Security, SurfControl, Websense, Tizor, NitroSecurity
    - Desktop-based information leakage detection & prevention: Verdasys, Orchestria, Oakley Networks, Control Guard, Safend, Onigma
    - Fraud detection solutions: FairIsaac, SearchSpace, Mantas, Norkom, Actimize, Intellinx
    - Database security and monitoring solutions: Lumigent, Guardium, DataMirror, Teleran, IPLocks, Tizor, Imperva
    - Log aggregation and analysis: Consul, Vanguard, SenSage, LogLogic, Memento, BalaBit

    12. Syslog-ng – Central syslog server solution
    System logging application used by network devices like switches and routers, as well as servers; ideal for creating centralized and trusted logging solutions.
    - Syslog-ng Open Source Edition (OSE): the most popular and widespread logging application in the world; reliable message transfer using the TCP protocol; secure message transfer using TLS; ability to send log messages directly to an SQL database; flow control of messages to handle minor server outages
    - Syslog-ng Premium Edition (PE): advanced features such as buffering messages on the hard disk, storing messages in encrypted log files, reading messages from arbitrary files, and support for MS Windows OS
    - Syslog-ng Store Box (SSB), built around syslog-ng PE: complete turn-key log management solution; log collection, encrypted storage, automatic archiving and backups, web interface
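An added example, not taken from the presentation or from BalaBit: a syslog-ng OSE 3.x server configuration that exercises the OSE features listed above (TCP transport protected by TLS with sender certificates verified, a direct SQL destination, and flow control to ride out a short database outage). Paths, credentials, port and table layout are assumptions; the sql() driver requires a syslog-ng build with SQL support.

```conf
@version: 3.2

# Accept messages from switches, routers and servers over TCP with TLS.
# peer-verify(required-trusted) makes every sender present a certificate
# issued by a CA in ca-dir, so an unknown host cannot inject fake log lines.
source s_remote_tls {
    tcp(
        ip("0.0.0.0") port(6514)
        tls(
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# Flat-file copy, one directory per sending host (assumed path).
destination d_archive {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) perm(0600));
};

# Direct SQL destination, one table per host and day (assumed credentials).
destination d_sql {
    sql(
        type(mysql)
        host("localhost") username("syslog") password("CHANGEME")
        database("logs")
        table("messages_${HOST}_${R_YEAR}${R_MONTH}${R_DAY}")
        columns("datetime varchar(16)", "host varchar(32)", "program varchar(20)",
                "pid varchar(8)", "message varchar(800)")
        values("${R_DATE}", "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}")
        indexes("datetime", "host", "program", "pid")
        log-fifo-size(10000)
    );
};

# flow-control: when the SQL server is briefly unavailable and the fifo fills,
# syslog-ng stops reading from the TCP source instead of dropping messages,
# so the senders' own buffers absorb the outage.
log {
    source(s_remote_tls);
    destination(d_archive);
    destination(d_sql);
    flags(flow-control);
};
```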

    13. Shell Control Box (SCB)
    A device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers.
    - SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails
    - All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation
    - The circumstances of an event are readily available in the audit trails and the incident can be easily identified
    - The recorded audit trails can be replayed like a movie
    - 4-eyes authorization and real-time monitoring of the audited connections
    - The two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys

    14. Log aggregation limitations
    - Does not capture user behaviour
    - Does not cover all applications
    - Typically does not include query transactions
    - External log analysis and log archiving

    15. NitroSecurity products
    - NitroView ADM – real-time application and protocol monitoring; full packet decode and inspection up to layer 7
    - NitroView DBM – inspects data packets sent to databases to detect rogue users and potential SQL injection attacks, generating alerts to e-mail, SNMP, or to the NitroView Enterprise Security Manager for mitigation of suspicious database activity
    - NitroView ELM – reliable and scalable log storage management appliance, usable on its own or as a fully integrated component of the NitroView security platform
    - NitroGuard IPS – purpose-built appliance providing in-line protection on network connections up to 6 Gbps

    16. Technology & Architecture
    Special appliances with built-in engines:
    - NitroEDB – a purpose-built database with very high performance: very fast collection of information; efficient compression and storage of information; real-time access to the information
    - NitroICE – Intelligent Content Extraction – a solution to "information overload": powerful monitoring capabilities; very high visibility
    - NitroGuard – engine based on SNORT IPS technology: powerful custom IPS engine; invisible to intruders; powerful library of custom SNORT IPS signatures

    17. Limitations
    - Visibility on the database session level only
    - Hardware-based limitations (e.g. log size is not configurable and depends on the appliance model)
    - Lack of behaviour analysis

    18. Guardium – Database security and monitoring
    Guardium, in the category of database security and monitoring solutions, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center.
    - Real-time database activity monitoring: policy-based controls; anomaly detection
    - Auditing & compliance: creates a continuous, detailed audit trail of all DB activities, including the "who, what, when, where, and how" of each transaction; real-time security alerts and blocking; automatically generates compliance reports
    - Change control: tracks all DB changes – DB structures (tables, triggers and stored procedures); critical data values; security and access control objects (users, roles and permissions); DB configuration files, shell scripts, OS files and executable programs
    - Vulnerability management
    - DB leak prevention – unlike other solutions, the Guardium DLP solution addresses leakage at the data source

    19. Guardium limitations
    - Visibility only into the results of user actions as reflected in database access
    - No visibility into the data that was actually displayed on the user's screen or the user's actions on the screen
    - No visibility into user access to non-database data
    - In many cases tracks only updates (not read commands), which is not enough for detecting information leakage
    - In many cases user-ids are not tracked, since generic user-ids are passed from the application to the database, so the information collected cannot be linked to a specific user

    20. Intellinx – Enterprise Fraud Prevention
    Leading provider of end-user surveillance solutions for detecting & preventing insider fraud and other types of fraud.
    - Data capture: network sniffing of transactions, screens, intra-application messages and database access; log files and databases; reference data
    - Forensic audit trail: "Google like" search on captured data, e.g. who accessed a specific customer account in a specific timeframe?; captured data is encrypted and digitally signed – potentially admissible in court when needed
    - Fraud analytics: dynamic profiling and scoring of various entities; customizable business rules; real-time alerts; new rules may be applied after-the-fact
    - Investigation workbench and case management: manage cases, alerts and incidents; flexible reporting; control parameters of rules, profiles and scoring

    The concept of how Intellinx works is very simple: record data by network sniffing the transactional data interactions conducted by authorized users (employees and/or customers) and applications. Provide the ability both to alert in real time on scenarios one is proactively looking for and to conduct 'after-the-event' forensics. Replay exactly what users saw and did on their laptops and desktops. Through the Investigation Center, conduct multiple case investigations in an orderly, controlled fashion. Print off screen pictures to make evidence clearly understandable, especially useful when legal cases are likely. The strength of this evidence in this format, rather than in boxes containing many, many sheets of 'code', can be such that it will prevent situations going to court, save time and enormous amounts of money, and thus pay for itself in a very short period.

    21. Intellinx – General Architecture
    This environment is very much simplified, as there are usually a multitude of network switches. We only have to 'sniff' on one, or at most a few, in front of the applications to pick up interactions. And remember, Intellinx is application agnostic: we are deciphering the protocols. Where customers' networks use encrypted protocols, Intellinx will need to decipher them, with the cooperation of the client, in order to operate. This permission is normally forthcoming, as it's in the best interest of the customer.

    22. The Intellinx Technology
    - Agent-less network traffic sniffing
    - No impact on performance
    - Highly scalable architecture
    - Very short installation process (several hours), with no risk to normal IT operations
    - Recordings stored in an extremely condensed format
    - Recording data is encrypted and digitally signed – potentially admissible in court when needed
    This is a representation of the platforms and protocols monitored.
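Both SCB (slide 13) and Intellinx (slides 20 and 22) rest on the same property: a recording is only evidence if it is timestamped and signed so that a later edit, deletion or reordering is detectable. The following added example, not code from either vendor, shows the minimal mechanism behind that claim: a hash-chained, HMAC-signed audit trail with a verifier that reports the first entry that fails. The signing key, the session entries and the field names are constructed for the example; the encryption-at-rest layer the slides also mention is omitted, and real appliances use asymmetric signatures rather than a shared HMAC key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: one symmetric signing key held by the audit appliance. Real
# products use asymmetric signatures; HMAC keeps the example self-contained.
SIGNING_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_entry(trail: List[dict], user: str, source: str,
                 command: str, ts: Optional[str] = None) -> dict:
    """Append one administrative action, chained to the previous entry's signature."""
    prev_sig = trail[-1]["sig"] if trail else GENESIS
    body = {"seq": len(trail),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user, "source": source, "command": command, "prev": prev_sig}
    entry = dict(body, sig=hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest())
    trail.append(entry)
    return entry

def verify_trail(trail: List[dict]) -> Tuple[bool, int]:
    """Return (ok, index of first bad entry); the index is -1 when the chain verifies."""
    prev_sig = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "sig"}
        # Sequence number and chain link catch deletion and reordering; the HMAC catches edits.
        if body.get("seq") != i or body.get("prev") != prev_sig:
            return False, i
        expected = hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return False, i
        prev_sig = entry["sig"]
    return True, -1

def demo() -> dict:
    """Constructed admin session: the clean trail verifies; an edit and a deletion are caught."""
    trail: List[dict] = []
    append_entry(trail, "dba01", "10.0.0.5", "SELECT COUNT(*) FROM customers", "2010-02-01T09:00:00+00:00")
    append_entry(trail, "dba01", "10.0.0.5", "SELECT * FROM customers WHERE id=42", "2010-02-01T09:00:30+00:00")
    append_entry(trail, "dba01", "10.0.0.5", "exit", "2010-02-01T09:01:00+00:00")
    edited = [dict(e) for e in trail]
    edited[1]["command"] = "SELECT COUNT(*) FROM customers"  # someone rewrites what was run
    return {"clean": verify_trail(trail),          # (True, -1)
            "edited": verify_trail(edited),        # (False, 1): signature no longer matches
            "deleted": verify_trail(trail[:1] + trail[2:])}  # (False, 1): seq/chain gap
```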

    23. The Deterrence Factor of Real-time Alerts

    24. Intellinx limitations
    - If the layout of the data over the wire is proprietary, Intellinx cannot parse it (unless given access to the proprietary protocol)
    - Data encrypted in a non-standard way (unless given access to the encryption method)
    - VPN ("non decryptic" – unless we tap beyond the VPN)
    - Does not record any activity that runs on the employee's workstation, only access to the business applications (some consider this a privacy positive!)

    25. Recommendations
    Get proactive about internal threats. Detecting internal threats and information leakage requires full visibility into user activity.
    How?
    - Move out of the "silo" approach!
    - Deploy user behaviour & link analysis
    - Real-time alerting
    - After-the-event forensics
    - Visual replay of user activity
    - Non-invasive solution, mitigated risk, fast implementation
    - Spend money to save costs!
    Why?
    - Identify and resolve "issues" before they become costly
    - Reduce exposure by shortening data breach investigations

