1 / 26

Maintain sensitive material securely

Internal Threats: Enterprise Information Protection. Maintain sensitive material securely Pēteris Kokovkins February 20 1 0. Agenda. BTG Overview Common Security Measures Internal Threats Overview Internal Threats Players

kalea
Download Presentation

Maintain sensitive material securely

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internal Threats: Enterprise Information Protection Maintain sensitive material securely Pēteris Kokovkins February 2010

  2. Agenda • BTG Overview • Common Security Measures • Internal Threats Overview • Internal Threats Players • Existing Security Solutions • SysLog and Shell Control Box (BalaBit IT Security) • NitroView and NitroGuard (NitroSecurity) • Guardium (Guardium – IBM Company) • Intellinx (Intellinx) – proactive Internal Fraud detection • Recommendations

  3. BTG Overview • U.S. corporation, BTG Systems, Inc. and Latvian company, Baltic Technology Group formed in May, 1991 • Development centers in Riga and Daugavpils • 17 years international IT services experience • 200+ projects in the U.S., Europe, Middle East,S.E. Asia, Australia andNew Zealand • Successful on-site, offshore, nearshore and mixed development/support projects

  4. Web Server FTP Server Mail Server DMZ WEB Application Server Database Server Mainframe LAN Firewall VPN Gateway Remote User Internal User Internal User Internal User Common Security Measures Every Element is Secured… …Except for Authorized User Access

  5. Internal Threats Overview • Internal Threats • Surfing the Web during work or after work hours • USB data loss/E-mail attachment/Forum posting • Laptop Theft • Information Leakage • IT Sabotage • Insider Fraud

  6. Top 10 Threats to Enterprise SecuritySource: IDC's 2007 Annual Security Survey of IT and security professionals Internal Threats Overview

  7. Internal Threats vs. External Threats Which Is More Common? 60 50 Internal Sources External Sources About even 40 30 % of respondents 20 10 0 Small Medium Sized Large Very Large Company Size Source: IDC's Security Survey, 2006 Internal Threats Overview

  8. Information Leakage Statistics Internal Threats Overview Source: InfoWatch Leak DB, beginning of 2009

  9. Remember - The perfect fraud is where victims are completely unaware they are victims! Average Cost of Fraud - 7% of annual revenues 60% of all fraud involves employees 60% of fraud is detected by tipping or by accident The average scheme goes on for 24 months prior to detection In 78% of the cases studied, the insiders were authorized users utilizing simple, legitimate user commands Internal Threats–A Critical Problem for Enterprises Internal Threats Overview Source: The ACFE (Association of Certified Fraud Examiners) 2008 survey

  10. There is notany product that can address all possible scenarios Hence organizations usually deploy different types of products for this purpose Each product tackles different aspects of the problem Network, Bypassing, End-Point content filtering Fraud Detection Log Aggregation Internal Threats–Elusive Nature Internals Threat Overview

  11. Network Based Information Leakage Detection & Prevention Vericept, Vontu, Port Authority, Tablus, Reconnex, Zantaz, Fidelis Security, SurfControl, Websense, Tizor, NitroSecurity Desktop Based Information Leakage Detection & Prevention Verdasys, Orchestria, Oakley Networks, Control Guard, Safend, Onigma Fraud Detection solutions FairIsaac, SearchSpace, Mantas, Norkom, Actimize, Intellinx Database Security and Monitoring Solutions Lumigent, Guardium, DataMirror, Teleran, IPLocks, Tizor, Imperva Log Aggregation and Analysis Consul, Vanguard, SenSage, LogLogic, Memento, BalaBit Internal Threats Players

  12. SysLog and Shell Control Box BalaBit IT Security • Syslog-ng - Central syslog server solution System logging application used by network devices like switches and routers, as well as servers, ideal for creating centralized and trusted logging solutions. • Syslog - ng Open source Edition (OSE) • Most popular and widespread logging application in the world, • reliable message transferring using the TCP protocol, • transfer messages securely using TLS, • ability to send log messages directly to an SQL database, • to control the flow of messages to handle minor server outages • Syslog - ng Premium Edition (PE) • advanced features of buffering the messages on the hard disk, • storing messages in encrypted log files, • reading messages from arbitrary files, • support for MS Windows OS • Syslog - ng Store Box (SSB) (It is built around syslog-ng PE) • Complete turn-key logs management solution, • Log collection, encrypted storage, automatic archiving and backups, • Web interface

  13. SysLog and Shell Control Box BalaBit IT Security • Shell Control Box (SCB) It is a device that controls, monitors, and audits remote administrative access to servers and networking devices. It is a tool to oversee server administrators and server administration processes by controlling the encrypted connections used in server administration. It is an external, fully transparent device, completely independent from the clients and the servers. • SCB logs all administrative traffic (including configuration changes, executed commands, etc.) into audit trails, • All data is stored in encrypted, timestamped and signed files, preventing any modification or manipulation, • The circumstances of the event are readily available in the audit trails and the incident can be easily identified, • The recorded audit trails can be displayed like a movie, • 4-eyes authorization and real-time monitoring of the audited connections two directions of the traffic (client-server and server-client) can be separated and encrypted with different keys

  14. SysLog and Shell Control Box BalaBit IT Security • Log aggregation limitations • Do not capture user behaviour, • Do not cover all applications, • Typically do not include query transactions • External Log analysis and log archiving

  15. NitroView and NitroGuard NitroSecurity • NitroView ADM – real time application and protocol monitoring, full packet decode and inspection to layer 7 • NitroView DBM - inspects data packets sent to databases, to detect rogue users and potential SQL injection attacks, generating alerts to email, SNMP, or to NitroView Enterprise Security manager for mitigation of suspicious database activity • NitroView ELM- reliable and scalable log storage management and appliance, usable on its own or as a fully integrated component of the NitroView security platform • NitroGuard IPS - purpose-built appliance, providing in-line protection on network connections up to 6 Gbps

  16. NitroView and NitroGuard NitroSecurity • Technology & Architecture • Special appliances with build in engines • NitroEDB - a purpose-built database with very high performance • Very fast collection of information • Efficient compression and storage of information • A real time access to the information • NitroICE – Intelligent Content Extraction – solution of “information overload” • Powerful monitoring capabilities • Very high visibility • NitroGuard – engine based on SNORT IPS technology • Powerful custom IPS engine • Invisible to Intruders • Powerful library of custom SNORT IPS signatures

  17. NitroView and NitroGuard NitroSecurity • Limitations • Visibility on database session level only • Hardware based limitations (e.g. Log size is not configurable and depends on appliance model) • Lack of behaviour analysis

  18. Real-time database activity monitoring Policy based controls Anomaly detection Auditing & Compliance Creates a continuous, detailed audit trail of all DB activities, including the “who, what, when, where, and how” of each transaction Real time security alerts and blocking Automatically generates compliance reports Change control Tracks all DB changes DB structures (tables, triggers and stored procedures) Critical data values Security and access control objects (Users, roles and permissions) DB configuration files, shell scripts, OS files and executable programs Vulnerability management DB leak prevention – unlike other solutions, Guardian DLP solution addresses leakage at the data source Guardium, category of database security and monitoring solutions. Company, delivers the most widely-used solution for ensuring the integrity of enterprise data and preventing information leaks from the data center Guardium Guardium – IBM Company

  19. Guardium limitations Visibility only to the results of the user actions as reflected in database access Have no visibility to the data that was actually displayed on the user screen or the user actions on the screen Have no visibility to user access to non-database data Track only updates (not read commands) in many cases – not enough for detecting information leakage In many cases user-ids are not tracked since generic user-ids are passed from the application to the database, so the information collected cannot be linked to a specific user Guardium Guardium - IBM Company

  20. Data Capture Network sniffing: transactions, screens, intra-application messages, database access Log files and databases Reference Data Forensic Audit Trail “Google like” search on captured data, e.g. Who accessed a specific customer account in a specific timeframe? Captured data is encrypted and digitally signed - potentially admissible in court when needed Fraud Analytics Dynamic Profiling and scoring of various entities Customizable business rules Real-time alerts New rules may be applied after-the-fact Investigation Workbench and Case Management Manage Cases, Alerts and Incidents Flexible Reporting Control parameters of rules, profiles and scoring Intellinx – Enterprise Fraud PreventionLeading provider of end-user surveillance solutions for detecting & preventing insider fraud and other types of fraud

  21. Intellinx – General Architecture Intellinx Users Auditors Compliance Officers Fraud Investigators • Visual replay • Google like search • Reports • Google like search • Alerts • Cases • Profiles Intellinx Functions Investigation Center & Case Manager Analytic Engine Search Engine Analyzed Data Visual Audit Trail Data Collector & Consolidator Monitored Environment Network Switch Existing Data Sources • Log Files Mainframe External Users eBusiness customers • Databases Web Server • Reference AS 400 tables Internal Users Client/ Server • Business User • Privileged IT User Database Server

  22. Agent-less network traffic sniffing No Impact on performance Highly scalable architecture Very short installation process (several hours), with no risk to normal IT operations Recordings stored in extremely condensed format Recording data is encrypted and digitally signed – potentially admissible in court when needed The Intellinx Technology Sample Monitored Platforms: • IBM Mainframe: 3270, MQ, LU0, LU6.2 • IBM System i: 5250, MPTN • Unisys: T27 • Web: HTTP/ HTTPS • Client/Server: TCP/IP, MQ Series, MSMQ, SMB • Telnet, VT100, SSH • Oracle (SQLNET), DB/2 (DRDA), MS SQL(TDS) • SWIFT, FIX, ISO8583 (ATM), others

  23. The Deterrence Factor of Real-time Alerts A Credit Card Company Case Study Alerts on Celebrity Accounts Snooping 100 80 Alert# per Week 60 40 20 0 1 2 3 4 5 6 7 8 9 10 Weeks Rule implemented Security officers start calling on suspects First employee is laid off

  24. Intellinx limitations If layout of the data over the wire is proprietary, Intellinx cannot parse it (unless given access to the proprietary protocol) encrypted in a non standard way (unless given access to the encryption method) VPN (“non decryptic” – unless we tap beyond the VPN) Does not record any activity that runs on the employee's workstation but only access to the business applications (Some consider this is a privacy positive!) Intellinx – Enterprise Fraud Prevention

  25. Recommendations • Get proactive about internal threats • Detecting internal threats and information leakage requires full visibility into user activity • How? • Move out of the “Silo” approach! • Deploy • User behaviour & link analysis • Real time alerting • After the event forensic • Visual replay on user activity • Non-invasive solution, mitigated risk, fast implementation • Spend money to save costs! Why? • Identify and resolve “issues” before they become costly • Reduce exposure by shortening data breach investigations

  26. peteris.kokovkins@btg.org.lv www.btgsystems.com

More Related