Balabit provides privileged user monitoring solutions including Shell Control Box for monitoring and recording privileged user activities on remote servers. Shell Control Box controls privileged access, prevents malicious actions, and records activities into audit trails. It provides granular access control, 4-eyes authorization, real-time monitoring and prevention of malicious activities, and movie-like playback of recorded sessions. Compliance, security, and operational efficiency are key market drivers for privileged user monitoring solutions.
2. BALABIT: Leading Provider of Contextual Security Intelligence
• Log Management: syslog-ng
• Privileged User Monitoring: Shell Control Box
• User Behavior Analytics: Blindspotter
3. PRIVILEGED ACCOUNT MISUSE
• 55 %: internal misuse by PRIVILEGE ABUSE
• 60 %: incidents by SYSTEM ADMINS
• 40 %: top threat actions by STOLEN CREDENTIALS
* Source: Verizon 2015 Data Breach Investigations Report
5. SHELL CONTROL BOX: Privileged User Activity Monitoring
• Controls privileged access to remote servers
• Prevents malicious actions
• Records activities into movie-like audit trails
• Reports actions for compliance and/or decision support reasons
14. MARKET DRIVERS
1. COMPLIANCE: international standards, local legislation, company policy
2. SECURITY: monitor IT staff, control outsource & cloud admins, audit terminal services users
3. OPERATIONAL EFFICIENCY: fast troubleshooting & forensics, quick audits
15. KEY QUESTIONS TO ANSWER…
01 Can you ensure the accountability of your staff?
02 Can you monitor the actions of your „superusers”?
03 Can you reliably control your outsourcing partners?
04 Do you really know „who did what” on your key servers?
05 Are you sure you’d pass audits concerning user monitoring?
16. TESTIMONIALS
„Balabit SCB is the only serious product on the market that is capable of securely monitoring SSH sessions”
Øyvind Gielink, IT Security Officer, Telenor
„Balabit is the first company in IT business, which provided a solution in promised time...”
Michael Fendt, System & Network Engineer, Fiducia IT
„SCB is a core component of Alfa Bank’s new Information Security Strategy.“
Andrey Fedotov, Head of IT Security, Alfa Bank
Balabit – headquartered in Luxembourg – is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe together with partners. We are a well-established company, headquartered in Europe with a major R&D center in Budapest, Hungary.
Have you heard of Balabit, or do you have any experience with our products? Even if you aren’t aware of us, it is likely that somewhere you are using one of our products, syslog-ng. Balabit is the leader in trusted log management: the reliable and secure collection of logs from devices, systems, applications, users and many other sources. This means we have extensive capability to gather the circumstances surrounding an event, i.e. its context, and we make it understandable to machines and humans through functionality such as filtering, normalization and enrichment.
You may also know us for Privileged User Monitoring. Many large organizations across the globe use our Shell Control Box product to keep track of privileged and VIP users. SCB records user sessions and makes them searchable. This is important for compliance. It’s also important for security and the prevention of privileged account misuse (for example by an attacker). SCB can detect actions that may be risky (for example a shutdown command) and intervene if the user is not authorized to issue such a command. The search and video replay capabilities allow security teams to drill down into the circumstances surrounding risky user activity.
Our latest product, Blindspotter, is emerging as a thought-leading product in the use of machine learning and algorithmic analytics of user behavior to identify risks that were previously unknown and could not be detected through traditional pre-defined pattern and rule-based approaches to security. Because it baselines user activity and then discovers activity that is out of context, it can focus on indicators of compromise that are unique to your business and could not be identified in any other way. But more of that later.
Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records as system administrators configure your database servers through SSH protocol, or your employees make transactions using thin-client applications in a Citrix environment. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervise privileged-user access as mandated by many compliance requirements, like PCI-DSS. It helps you answer the question of who did what and when on your critical servers.
Fast deployment appliance with extremely low TCO
SCB is a turnkey network appliance - its implementation and configuration is fast and simple. Compared to competitors, there is no need to purchase and install any additional software (e.g. Windows or MS SQL servers) or hardware to have SCB fully functioning. Full implementation typically takes only 3-5 days! After deployment, SCB operates in the background like a black box of an airplane - there is no need for any extra workload to operate it.
Independent, agentless device
Compared to agent-based solutions, there is no need for installing and updating agents on clients or servers, eliminating unnecessary maintenance and potential security issues. As a host-independent gateway, SCB can control and monitor access to any type of system, including all Windows/UNIX/Linux servers, mainframes, network devices, security devices, web-based applications and thin-client environments such as VMware View, Citrix XenApp or XenDesktop. SCB is an independent audit solution which cleanly separates the monitoring system from the monitored system. It extracts information from the raw network traffic and reconstructs the original session between the endpoints. This prevents anyone from modifying the extracted audit information, as the administrators of the server have no access to the SCB.
Transparent, “router-like” operation
As a proxy gateway, SCB can operate as a router in the network – invisible to the user and to the server. As a transparent solution, SCB requires minimal changes to the existing network. Also, since it operates on the network level, users can keep using the client applications they are familiar with, and do not have to change their work processes, unlike jump host solutions. All in all, by supporting the most platforms and protocols on the market SCB can be implemented into extremely heterogeneous IT environments.
Since SCB has full access to the inspected traffic, security managers can granularly control who can access what and when on the servers.
For example, they can selectively permit or deny access to protocol channels: enable terminal sessions in SSH, but disable port-forwarding and file transfers, or enable desktop access for RDP, but disable file sharing.
SCB supports the 4-eyes authorization principle. This is achieved by requiring an authorizer to allow administrators to access the server. The authorizer also has the possibility to monitor the work of the administrator in real-time with the option of instant connection termination.
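The channel-level access control and 4-eyes rule described above can be modelled as a small policy engine. The following is an added example written for this page, not Balabit's or SCB's code; the protocol/channel names, the server name "db-prod-01", the access window and the user names are constructed for illustration. It deliberately defaults to deny for any channel the policy does not list, and refuses a 4-eyes approval that the requester issued for themselves.

```python
"""Channel policy with 4-eyes authorization (illustrative, not SCB code).

Models the kind of granular access control described above:
  - SSH terminal sessions allowed, port-forwarding and SFTP denied
  - RDP desktop allowed, drive redirection denied
  - sessions to servers marked as 4-eyes targets need an authorizer
Channel names, server names, users and the time window are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class ChannelRule:
    protocol: str   # e.g. "ssh", "rdp"
    channel: str    # e.g. "session-shell", "port-forward"
    allowed: bool


@dataclass
class Policy:
    rules: List[ChannelRule]
    four_eyes_targets: Set[str]                 # servers needing an authorizer
    access_window: Tuple[str, str] = ("08:00", "18:00")  # zero-padded HH:MM

    def channel_allowed(self, protocol: str, channel: str) -> bool:
        for rule in self.rules:
            if rule.protocol == protocol and rule.channel == channel:
                return rule.allowed
        return False  # default deny: unlisted channels are refused


@dataclass
class Request:
    user: str
    server: str
    protocol: str
    channel: str
    at: str                              # "HH:MM", zero-padded
    approved_by: Optional[str] = None    # authorizer who approved, if any


def evaluate(policy: Policy, req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decision is allow, deny or pending."""
    if not policy.channel_allowed(req.protocol, req.channel):
        return "deny", f"{req.protocol}/{req.channel} channel is disabled by policy"
    start, end = policy.access_window
    if not (start <= req.at <= end):   # string compare works for HH:MM
        return "deny", "outside the permitted access window"
    if req.server in policy.four_eyes_targets:
        if req.approved_by is None:
            return "pending", "4-eyes: waiting for authorizer approval"
        if req.approved_by == req.user:
            return "deny", "4-eyes: requester cannot approve their own session"
    return "allow", "policy permits this channel"


# Constructed policy matching the example in the text above.
POLICY = Policy(
    rules=[
        ChannelRule("ssh", "session-shell", True),
        ChannelRule("ssh", "session-exec", True),
        ChannelRule("ssh", "port-forward", False),
        ChannelRule("ssh", "sftp", False),
        ChannelRule("rdp", "desktop", True),
        ChannelRule("rdp", "drive-redirect", False),
    ],
    four_eyes_targets={"db-prod-01"},
)


if __name__ == "__main__":
    for r in (
        Request("alice", "web-01", "ssh", "session-shell", "10:00"),
        Request("alice", "web-01", "ssh", "port-forward", "10:00"),
        Request("alice", "db-prod-01", "ssh", "session-shell", "10:00"),
        Request("alice", "db-prod-01", "ssh", "session-shell", "10:00", approved_by="bob"),
    ):
        print(r.user, r.server, r.channel, "->", evaluate(POLICY, r))
```

The order of the checks matters: the channel rule is evaluated first so that a denied channel never reaches the pending state and never generates an approval request for the authorizer.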
SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command, window or text) appears in the command line or on the screen. SCB can also detect numbers that might be credit card numbers. The patterns to find can be defined as regular expressions.
In case of risky, unwanted or suspicious user action, the following actions can be performed:
• Log the event in the system logs.
• Immediately terminate the connection.
• Send an e-mail or SNMP alert about the event.
• Store the event in the connection database of SCB.
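To make the real-time content monitoring and the action list above concrete, here is an added example (written for this page, not SCB code) that scans the lines of a terminal session against regular-expression patterns and maps each hit to the actions listed. Candidate card numbers are only reported when they also pass the Luhn check, so a random 16-digit string does not raise an alert. The pattern names, the action mapping and the sample session are constructed.

```python
"""Regex-based content policy over a terminal session (illustrative).

Added example, not SCB code. Each pattern is a regular expression, as the
page says SCB patterns are; each hit carries the actions the operator
configured for it (log / alert / terminate / store). Pattern names,
actions and the sample session are constructed for this example.
"""
import re
from typing import Dict, List


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PROMPT = r"^\s*(?:[$#]\s*)?"   # optional shell prompt at line start

# (name, compiled regex, actions) -- hypothetical policy entries
PATTERNS = [
    ("shutdown-command",
     re.compile(PROMPT + r"(?:sudo\s+)?(?:shutdown|reboot|halt|poweroff)\b"),
     ["log", "alert", "terminate"]),
    ("privilege-escalation",
     re.compile(PROMPT + r"(?:sudo\s+-i|su\b)"),
     ["log", "store"]),
]

# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CARD_ACTIONS = ["log", "alert", "store"]


def scan_session(lines: List[str]) -> List[Dict]:
    """Return one hit per (line, pattern) with the configured actions."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, rx, actions in PATTERNS:
            if rx.search(line):
                hits.append({"line": n, "pattern": name, "actions": list(actions)})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append({"line": n, "pattern": "card-number",
                             "actions": list(CARD_ACTIONS)})
    return hits


def actions_for(hits: List[Dict]) -> List[str]:
    """Union of actions to execute for a session; 'terminate' wins if present."""
    return sorted({a for h in hits for a in h["actions"]})


# Constructed session text; 4111 1111 1111 1111 is the well-known Visa test
# number (Luhn-valid), 1234 5678 9012 3456 is not Luhn-valid.
SESSION = [
    "$ cd /var/lib/app",
    "$ sudo -i",
    "# grep -R cardholder exports/ | head",
    "cardholder,4111 1111 1111 1111,2019-01",
    "cardholder,1234 5678 9012 3456,2019-02",
    "# shutdown -h now",
]


if __name__ == "__main__":
    found = scan_session(SESSION)
    for h in found:
        print(f"line {h['line']}: {h['pattern']} -> {h['actions']}")
    print("session actions:", actions_for(found))
```

The Luhn filter is the important detail: naive digit-run matching produces a steady stream of false alerts on timestamps, serial numbers and log IDs, which trains operators to ignore the alerts that matter.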
Connections can be searched from the SCB web interface based on their metadata and their actual content as well. Audit trails are indexed. This makes the results searchable on the SCB web GUI. It is also possible to execute searches on a large number of audit trails to find sessions that contain a specific information or event. SCB can also execute searches and generate reports automatically for new audit trails.
SCB records all sessions into searchable audit trails, making it easy to find relevant information in forensics or other situations. The Audit Player application replays the recorded sessions just like a movie – all actions of the administrators can be seen exactly as they appeared on their monitor. The Audit Player enables fast forwarding during replays and searching for events (for example, mouse clicks, pressing Enter) and for text seen by the administrator.
SCB supports the creation of custom PDF reports and statistics, including user-created lists, statistics and charts based on search results, the contents of audit trails, and other customizable content. SCB can also execute searches and generate reports automatically for new audit trails. These content reports provide detailed documentation about user activities on remote IT systems. To help you comply with the regulations of the PCI DSS, SCB can generate reports on the compliance status of SCB.
SCB can smoothly integrate into your heterogeneous IT environment, including your existing security environment. SCB fits into your security environment by removing its blind spots.
In addition to storing credentials locally, SCB integrates smoothly with Enterprise Random Password Manager (ERPM), Lieberman Software’s privileged identity management solution, as well as with Quest eDMZ, Thycotic, CyberArk and other widely used password management systems via customizable plugins. That way, the passwords of the target servers can be managed centrally using the external password manager, while SCB ensures that the protected servers can be accessed only via SCB – since the users do not know the passwords required for direct access.
SCB can also send SNMP alerts to third-party system monitoring tools. Several aspects of SCB can be remotely managed with third-party system management solutions, such as HP OpenView or IBM Tivoli. It offers a web-services based API and a RESTful API for custom application integration or remote SCB configuration & management.
Integration with third-party workflow & ticketing systems: SCB provides a plugin framework to integrate it with external helpdesk ticketing (or issue tracking) systems, allowing it to request a ticket ID from the user before authenticating on the target server. That way, SCB can verify that the user has a valid reason to access the server – and optionally terminate the connection if they do not. Supported systems: BMC Remedy, ServiceNow.
SIEMs: Accountability audit reports are only as good as the logs that are collected. So if your cloud apps or legacy apps don’t generate logs, your audit reports will have gaps. SCB fills this gap by generating records for every app, even those with no internal logs! And these records add bulletproof evidence, via ties to video replay. It is possible to send SCB logs to an external log management or SIEM solution such as SSB, Splunk or HP ArcSight to make more reliable forensics investigations possible.
These are the market drivers for SCB: regulations, company policies, forensics, IT partner management and sometimes general distrust of staff. These key words are in our customers’ mind and influence the buying process.
Compliance: Pressure for compliance with local regulations and/or industry standards. (For example, PCI specifies that every bank, merchant or government organization handling credit card data must audit admin activity as well!)
Company policy enforcement: Enforcement of internal rules, company policies and security strategy (who can access which resources, when, how and from where?). Strict security requirements are typical at big service providers (banks, telcos, government) which manage sensitive data (personal files, credit card info, etc.).
IT staff control: IT admins are the most powerful users in IT systems, with unrestricted access rights. Controlling them is essential.
Outsourcing partner control: Monitoring of third-party contractors or outsourcing partners (e.g. hosting providers, remote admins), for example to demonstrate the mistake of an external system admin, plus SLA control.
Business user audit: Control of average users' working sessions (for example, in call centers there is huge turnover, so users must be carefully controlled; controlling remote worker access is also a must in many companies).
Forensics: Identifying and presenting evidence found in IT systems through a „legal” procedure (for example, a quick investigation after an accidental misconfiguration).
If you have doubts about giving comforting answers to these questions, then you probably need to think about a possible solution to these challenges….