How often have you, as a security professional, looked at the change management process and said, “Gosh, I hate doing this”? More times than you can count?
Change management has been the bane of many technologists' existence. Unintended consequences from administrative changes are a leading cause of security incidents and breaches. Join our webinar with Larry Whiteside Jr., Chief Security Officer at LCRA, to learn how he approaches keeping an organization that operates in over 58 counties in Texas secure while constantly adapting to change.
In this webinar you'll learn:
How to implement security best practices to allow rapid business change with complete accountability
How to be notified in real-time about suspicious or out-of-policy changes that dramatically increase your company's risk
How to integrate user activity monitoring and change management to provide a fully automated platform for secure change management
2. AGENDA
Who am I and why do I care
The History of Change
Who is making your changes
Security’s Relationship with Change Management
Breach and Change Management
Security’s role in Change Governance
Possible measurements that will positively impact your security posture
3. WHO AM I / WHY DO I CARE?
Over 20 years Cyber Security / Risk Management / Physical Security
C-Level Security Executive across many verticals: DoD, Federal, Financial Services, Healthcare, Energy/Utilities
Consulting in many verticals: Education, Healthcare, Financial Services
Community Involvement: Co-Founder of International Consortium of Minority Cyber Security Professionals (ICMCP), ISSA, ASIS, OWASP, Security Advisor Alliance (SAA)
Speaking and Writing: SC Magazine, CSO Online, RSA Conference, Gartner Security Conference, industry webinars, securitycurrent.com, SecureWorld, Evanta CISO Summit, and many others
Larry Whiteside Jr., Chief Security Officer
4. THE HISTORY OF CHANGE
1980s
• Change Management as a discipline began to emerge, driven by leading consulting firms
1990s
• Industries undergoing significant and rapid change in areas such as IT began highlighting the benefits of Change Management programs on a broader scale
• ITIL, LEAN, etc.
2000s
• Widespread acceptance of Change Management as a business competency for leading change
• Marked increase from 34% in 2003 to 72% in 2011
5. WHO IS MAKING CHANGES?
Outsiders (Third-parties: IT contractors & consultants)
Shared Accounts (Windows Admins, root, DBAs, System Admins, …)
Named Accounts (Developers, IT Contractors, Network Admins, …)
Service Accounts
Local Accounts / Credentials
Windows / UNIX system administrators
Help Desk administrators (password changes, access to files, etc.)
6. SECURITY’S RELATIONSHIP WITH CHANGE MANAGEMENT
You should want certain questions answered
IT is responsible, but Security must hold them accountable
7. BREACHES AND CHANGE MANAGEMENT
3 of the 7 phases of the Cyber Kill Chain impact configuration and change management:
Stage #3 Delivery
Stage #4 Exploitation
Stage #5 Installation
Malicious internal users
Configuration mistakes by authorized people
If Security is monitoring change and configuration, these changes can be identified
8. SECURITY’S ROLE IN CHANGE GOVERNANCE
Know your systems and environment
Security should know about more than just firewall changes
Do you check adherence to patch policy (if you even have a patch policy)?
If a change is made by a legitimate or non-legitimate admin, can you determine what it was?
How many outages have you had due to undocumented changes?
9. METRICS THAT WILL POSITIVELY IMPACT YOUR SECURITY POSTURE
Patch policy adherence
Unauthorized changes
Change processes which caused outages
Firewall changes processed
Other High Risk Scenarios:
Remote connections / ‘leapfrog’ logins
Changes via embedded scripts (‘rm’, ‘cp’ with ‘sudo’)
Changes to Active Directory (password resets, adding users, changing groups, modifying access, etc.)
Changes within Registry Editor, such as editing or modifying specific values (Firewalls, User Access Control, Applications / Software, Windows Components)
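As an added example (not from the deck, LCRA or ObserveIT), one way to produce the “unauthorized changes”, “changes which caused outages” and “firewall changes processed” metrics is to reconcile every observed change against the approved change ticket it cites. The Ticket and ChangeEvent layouts, the ticket numbers, hosts and accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Ticket:                 # an approved change record (constructed layout)
    ticket_id: str
    host: str
    implementer: str          # account approved to make the change
    window_start: datetime
    window_end: datetime
    category: str             # "firewall", "patch", "config", ...

@dataclass
class ChangeEvent:            # one observed change, as monitoring would capture it
    when: datetime
    host: str
    user: str
    ticket_id: str            # ticket the admin cited, or None
    caused_outage: bool

def classify(event, tickets):
    """'undocumented' if no ticket cited; 'unauthorized' if the cited ticket does
    not cover this host, implementer and window; otherwise 'authorized'."""
    if event.ticket_id is None:
        return "undocumented"
    t = tickets.get(event.ticket_id)
    if t is None or t.host != event.host or t.implementer != event.user:
        return "unauthorized"
    return "authorized" if t.window_start <= event.when <= t.window_end else "unauthorized"

def change_metrics(events, tickets):
    """Slide metrics: unauthorized/undocumented changes, the outages they caused, and firewall changes processed."""
    m = {"authorized": 0, "undocumented": 0, "unauthorized": 0,
         "outages_from_unapproved": 0, "fw_changes_processed": 0}
    for e in events:
        verdict = classify(e, tickets)
        m[verdict] += 1
        if verdict != "authorized" and e.caused_outage:
            m["outages_from_unapproved"] += 1
        elif verdict == "authorized" and tickets[e.ticket_id].category == "firewall":
            m["fw_changes_processed"] += 1
    return m

# Constructed sample data: hypothetical tickets, hosts and accounts.
W0, W1 = datetime(2015, 6, 1, 22, 0), datetime(2015, 6, 1, 23, 0)
TICKETS = {"CHG-100": Ticket("CHG-100", "fw-edge-1", "netadmin", W0, W1, "firewall"),
           "CHG-101": Ticket("CHG-101", "db-prod-2", "dba_shared", W0, W1, "patch")}
EVENTS = [ChangeEvent(datetime(2015, 6, 1, 22, 15), "fw-edge-1", "netadmin", "CHG-100", False),
          ChangeEvent(datetime(2015, 6, 2, 9, 30), "db-prod-2", "dba_shared", "CHG-101", True),
          ChangeEvent(datetime(2015, 6, 2, 14, 5), "app-prod-7", "contractor3", None, True),
          ChangeEvent(datetime(2015, 6, 1, 22, 40), "fw-edge-1", "contractor3", "CHG-100", False)]
```

The second event cites a valid ticket but lands outside its approved window, so it counts as unauthorized rather than undocumented; the two outages in the sample both trace back to changes that were not properly approved.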
10. TAKEAWAYS AND RECOMMENDATIONS
Know your environment
Get involved in your change process
If you don’t have one, help create one
Find others already doing change and config management and copy models that work (adapt and change things to fit your particular business)
No need to reinvent the wheel
Create metrics that matter and impact security
12. WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The leading provider of User Activity Monitoring for Employees, Privileged Users and Third-party Vendors
13. USER ACTIVITY MONITORING
Capture User Activity
Logging for all user actions
Video-like Playback
Instant Notification
Rule-Based Analytics
Report & Audit
Real-Time Drill Down
User Interaction
Kill Sessions
Collect / Know / Act
18. AUDIT AND COMPLIANCE: WHO’S BEING OBSERVED?
Employees
Third-parties
Privileged Users
SOX / EU Data Protection Reform / HIPAA
Healthcare (PHI) data
Customer (PII) data
Employee data
Company data
Financial data
Intellectual property
Sales & marketing data
Data Leakage Protection Solution
How does the product work when accessing certain applications or files, or areas within an application? How granular can we get, etc.?
Used for installed applications and also for web-based applications.
Config. Change:
Embedded scripts (innocent script story)
Unsecure ‘shell’ (telnet on legacy appliances; SSH is much more secure, and passwords are encrypted over the wire)
Unauthorized access (to configuration files) and running commands they are not supposed to run
Unapproved ‘setuid’
Escalating privileges
Pass-the-Hash
‘rm’ ‘cp’ with ‘sudo’
Installing “backdoors”
“Leapfrog” logins
You’ll know what’s happening inside all of your applications, even applications that do not generate logs.
There is a huge benefit for reviewing alerts visually.
When reviewing alerts in Slideshow mode, you can immediately understand critical User Context that is never available in log-based alerting systems:
What other application data was the user exposed to?
What other Windows or Applications were open?
The State of the Windows taskbar including tray icons (is something missing or disabled?)
On Unix/Linux: What were the previous commands that the user ran? What output did they produce? What did the shell prompt look like?
As we say: One screenshot is worth a thousand logs!
Generate our own logs across all apps
We capture all user activity regardless of where your users are or how they access applications, systems and data
We capture this activity in a video-like format – you SEE exactly what the users are doing
Video playback is great, but you can’t sit there and watch hours of videos, so we translate all user activity into User Activity Logs that you can search, report on and analyze
You’ll know if users are “snooping” or viewing information they shouldn’t be like SS# or customer records
The Rule Editor is simple yet powerful: you can easily define new Alert Rules, or duplicate and modify existing rules.
Every rule can contain all risky aspects of your monitored users, so normally you need only ONE rule per scenario.
You can define: WHO are the users involved, WHAT is the risky activity they performed, ON WHICH COMPUTER, WHEN (weekdays, holidays, time of day?) and FROM WHICH CLIENT COMPUTER they are connected.
A comprehensive list of possible User Activities provides a quick & easy way to define risky user behavior - such as:
Specific applications or processes run by the user
Websites and URLs being visited, Executed SQL statements, Unix/Linux commands, arguments and command line switches being used – and much more!
In addition, your alert-response process can be tailored by defining the severity of each rule, as well as the audience and timing of email notifications.
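As an added example (not ObserveIT’s rule engine or the deck’s own code), the rule dimensions described above (WHO, WHAT, ON WHICH COMPUTER, WHEN, FROM WHICH CLIENT) can be modelled as a single rule record whose unset dimensions match anything, then evaluated against captured Unix command activity for the deck’s high-risk scenarios (‘rm’/‘cp’ with ‘sudo’ by shared accounts, ‘leapfrog’ logins, after-hours configuration edits). The record layout, the regexes, and every account, host and address are constructed assumptions; “leapfrog” is modelled here as a session that does not originate from an approved jump host.

```python
import re
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Activity:            # one captured user action (constructed record layout)
    when: datetime
    user: str              # WHO
    host: str              # ON WHICH COMPUTER
    client: str            # FROM WHICH CLIENT the session originates
    command: str           # WHAT was run

@dataclass
class Rule:                # an alert rule; a dimension left as None matches anything
    name: str
    severity: str
    users: frozenset = None            # WHO
    hosts: frozenset = None            # ON WHICH COMPUTER
    approved_clients: frozenset = None # FROM WHICH CLIENT: fire when not in this set
    command_re: str = None             # WHAT: regex over the command line
    alert_hours: frozenset = None      # WHEN: fire only during these hours (0-23)

    def matches(self, a):
        return all([
            self.users is None or a.user in self.users,
            self.hosts is None or a.host in self.hosts,
            self.approved_clients is None or a.client not in self.approved_clients,
            self.command_re is None or re.search(self.command_re, a.command) is not None,
            self.alert_hours is None or a.when.hour in self.alert_hours,
        ])

def evaluate(activities, rules):
    """Return (rule name, severity, user, host) for every rule each activity trips."""
    return [(r.name, r.severity, a.user, a.host)
            for a in activities for r in rules if r.matches(a)]

SHARED = frozenset({"root", "dba_shared", "oracle"})   # constructed shared accounts
JUMP_HOSTS = frozenset({"10.0.0.5"})                    # constructed approved jump host
RULES = [
    Rule("sudo rm/cp by shared account", "high", users=SHARED, command_re=r"^sudo\s+(rm|cp)\b"),
    Rule("session not from jump host (leapfrog)", "high", approved_clients=JUMP_HOSTS),
    Rule("after-hours edit under /etc", "medium", command_re=r"^(sudo\s+)?(vi|vim|nano|sed)\b.*\s/etc/",
         alert_hours=frozenset(range(0, 7)) | frozenset(range(19, 24))),
]
ACTIVITIES = [  # constructed records; users, hosts and addresses are hypothetical
    Activity(datetime(2015, 6, 2, 10, 15), "dba_shared", "db-prod-2", "10.0.0.5", "sudo rm -rf /var/lib/pgsql/old_backups"),
    Activity(datetime(2015, 6, 2, 2, 30), "contractor3", "app-prod-7", "10.0.4.12", "sudo vi /etc/ssh/sshd_config"),
    Activity(datetime(2015, 6, 2, 14, 0), "contractor3", "app-prod-7", "10.0.0.5", "sudo cp httpd.conf /etc/httpd/conf/"),
]
```

The third activity trips nothing: it is a ‘sudo cp’, but by a named account during business hours from the approved jump host, which is the point of scoping a rule by WHO, WHEN and FROM WHICH CLIENT rather than by command alone.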
Application User Monitoring:
ObserveIT user activity monitoring provides visibility within applications so you have a complete audit trail and proactive detection of suspicious or out of policy user behavior. From large copy operations to exporting reports, you’re able to proactively investigate data extraction processes, unnecessary access to information and the usage of unauthorized cloud applications (e.g. Dropbox, WeTransfer, SnagIt).
Whether it is SAP, EPIC, GuideWire or Pega systems, just to name a few industry-specific critical applications, we provide coverage for any application: home grown, SaaS, off-the-shelf….
Privileged User Monitoring:
ObserveIT provides a complete privileged user monitoring solution that integrates with the other key components of a privileged identity management solution. Compliance regulations place stringent requirements on the ability to audit and report on privileged user activity and the access these users have to critical sets of data (PHI, PII, employee data, company data….)
External Vendor Monitoring:
External vendors are one of the highest-risk user groups that companies have to hold accountable and audit for compliance regulations. Whether third-party contractors are accessing via jump servers, Citrix, VPN or direct access, ObserveIT provides the audit, reporting and real-time analytics you need to leverage the benefit of contractors without sacrificing security, compliance or control.
Underpinning all of these use cases is audit and compliance. Having complete audit history of all user activity and real time detection of user threats is a key requirement for meeting today’s growing list of compliance needs.