Privileged Activity Monitoring
Shell Control Box is an activity monitoring appliance that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SCB is a quickly deployable enterprise tool with the widest protocol coverage on the market. It is completely independent from clients and servers - integrating seamlessly into existing infrastructures.
BalaBit 2015: Control Your IT Staff
1. Yves Van Tongerloo // Sales Manager Belgium|Netherlands|Luxembourg
yves.van.tongerloo@balabit.com
2. 15 years in network security
Global leader in privileged user monitoring and log management
+30% annual growth in the last 5 years
1 million (!) installations worldwide
Half of Fortune50 among clients
Headcount: 170
60% developers and system engineers
Global partner network
100 partners in 40+ countries
THE SYSLOG-NG COMPANY
3. Partnerships & Certifications
ISO 9001:2009 certified company
Awarded to Deloitte Technology Fast 50 CE List (2009-2013)
Appliance performance validated by West Coast Labs (leading test facility, US)
SCB in TOP25 Must Have Software Applications by Computer Technology Review
Citrix Ready PLUS Partner
VMware Technology Alliance Partner
Microsoft Communication Protocol Program (MCPP) Partner
Lieberman Technology Integration Partner
Thycotic Technology Alliance Partner
5. New Trends - New Human Threats
"50% of enterprises use hybrid cloud by 2017"
"87% of connected devices sales by 2017 will be tablets and smartphones"
"1 in 5 enterprises have experienced an APT attack"
6. Privileged User Fraud
88% of all internal misuses are caused by privilege abuse
71% of all internal misuses are made via LAN access (21% via remote access)
Use of stolen credentials was the top threat action in 2013
Only 1% of security incidents are discovered through log reviews*
* Source: Verizon 2014 Data Breach Investigations Report
14. Purchasing Drivers
Compliance
International standards
Local legislation
Company policy
Security
Monitor IT staff
Control outsource & cloud admins
Audit terminal services users
Operational Efficiency
Fast Troubleshooting & Forensics
Quick audits
15. Telenor Group
Challenge: Control third-party providers’ (encrypted) access to critical network zones
Solution: Monitoring encrypted (SSH) administrative sessions by SCB
Benefit: transparent audit of a key admin protocol that otherwise is inaccessible to audit.
Central Bank of Hungary
Challenge: Enhancing the protection of the mission-critical currency-system
Solution: SCB to audit IT operators working in VMware View (thin-client) environment
Benefit: Increased accountability of the banking IT staff
Ankara University, Turkey
Challenge: Prevent another data loss on externally managed servers
Solution: SCB to control and monitor remote desktop (RDP) and SSH connections of externally supported servers
Benefit: Mitigated risk of data loss in IT outsourcing processes
Use Cases – Security
https://www.balabit.com/company/references
16. Leading bank, Germany
Challenge: The bank's ATM network broke down due to a wrong command executed by a remote ATM admin
Solution: Record all actions of ATM admins by SCB
Benefit: By searching & replaying the relevant working session, the bank identified and solved the problem in hours.
Major mobile provider, Russia
Challenge: The provider's mobile network partially stopped after a junior operator misconfigured a critical network router
Solution: Record all actions of network operators by SCB
Benefit: By replaying the relevant session, the provider identified the problem and restored the network rapidly.
Use Cases – Operational Efficiency
https://www.balabit.com/company/references
17. Use Cases – Compliance
https://www.balabit.com/company/references
Fiducia IT AG – financial IT services provider, Germany
Challenge: Audit administrative access to private banking information to comply with BaFin requirements
Solution: SCB monitors all internal & external administrative access to the data center (8,000 UNIX/Linux servers)
Benefits: Smoothly passing supervisory audits
SIA SSB Group - financial provider, Italy
Challenge: Audit 200 administrators' access to credit card data for PCI DSS compliance
Solution: SCB controls and monitors the administrators’ sessions to sensitive servers
Benefit: Full compliance with PCI DSS w/o business disruption
Major telecommunication provider, Taiwan
Challenge: Audit remote accesses to the 3G network infrastructure for ISO 27011 compliance
Solution: SCB monitors remote access of internal and external network operators
Benefit: Full compliance with ISO 27011 and with company access policies.
19. SHARED ACCOUNTS – WHO?
Slide diagram (text recovered from the figure): a shared account on the server is tied back to an individual person through gateway authentication.
Client side: gateway authentication on SCB, against an external identity store (External IM, AD / LDAP ...). The audited connection is paused until gateway authentication is successful.
SCB: retrieves the credentials for the host-user pair from a Credential Store (local or remote).
Server side: auto-logon, hiding the password; authentication on the server uses data from the Credential Store.
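The two-hop flow on the slide, as an added illustration written for this page (it is not BalaBit's or SCB's code): a person authenticates to the gateway with a personal identity, the gateway checks that the person's group may use the requested shared account, fetches that account's secret from a credential store and performs the server-side logon itself, so the client never receives the shared password and the audit record names the real person. The directory, credential store, policy, hosts and passwords are constructed sample data; the PBKDF2 hashing, the policy table and the `Session` object are this example's own assumptions, not SCB features.

```python
"""Added example (not BalaBit's code): simulated gateway authentication
plus credential-store auto-logon for a shared account."""

import hashlib
import hmac
from dataclasses import dataclass, field

# --- constructed gateway directory (stands in for AD/LDAP) ---
_SALT = b"constructed-salt"


def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10000)


GATEWAY_DIRECTORY = {
    "alice": {"pw": _pw_hash("alice-pass"), "groups": {"dba", "oncall"}},
    "bob": {"pw": _pw_hash("bob-pass"), "groups": {"helpdesk"}},
}

# --- constructed credential store: (target host, shared account) -> secret ---
CREDENTIAL_STORE = {
    ("db01.example.test", "root"): "R00t-sh4red-pw",
    ("web01.example.test", "deploy"): "d3pl0y-pw",
}

# which gateway groups may use which shared account (assumed policy table)
ACCOUNT_POLICY = {
    ("db01.example.test", "root"): {"dba"},
    ("web01.example.test", "deploy"): {"dba", "helpdesk"},
}


@dataclass
class Session:
    gateway_user: str
    host: str
    target_account: str
    state: str = "paused"  # paused until gateway authentication succeeds
    audit: list = field(default_factory=list)


class FakeServer:
    """Stands in for the target host; it only knows the shared account password."""

    def __init__(self, host: str):
        self.host = host

    def login(self, account: str, password: str) -> bool:
        return CREDENTIAL_STORE.get((self.host, account)) == password


def gateway_authenticate(user: str, password: str) -> bool:
    entry = GATEWAY_DIRECTORY.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pw"], _pw_hash(password))


def open_session(user: str, password: str, host: str, target_account: str) -> Session:
    """Gateway auth -> group policy -> credential lookup -> server-side auto-logon."""
    s = Session(user, host, target_account)
    if not gateway_authenticate(user, password):
        s.state = "rejected"
        s.audit.append(f"gateway auth failed for {user}")
        return s
    s.audit.append(f"gateway auth ok: {user}")
    allowed = ACCOUNT_POLICY.get((host, target_account), set())
    if not (GATEWAY_DIRECTORY[user]["groups"] & allowed):
        s.state = "rejected"
        s.audit.append(f"{user} not permitted to use {target_account}@{host}")
        return s
    secret = CREDENTIAL_STORE.get((host, target_account))
    if secret is None:
        s.state = "rejected"
        s.audit.append(f"no stored credential for {target_account}@{host}")
        return s
    # the gateway uses the secret; the client side never sees it
    if FakeServer(host).login(target_account, secret):
        s.state = "established"
        s.audit.append(f"server logon as {target_account}@{host} on behalf of {user}")
    else:
        s.state = "rejected"
        s.audit.append("server logon failed")
    return s


if __name__ == "__main__":
    for line in open_session("alice", "alice-pass", "db01.example.test", "root").audit:
        print(line)
```

The point to take from the audit list is that every server logon is attributed to a named gateway identity even though the server only ever sees the shared account.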
20. REAL-TIME ANALYSIS
Slide diagram (text recovered from the figure): SCB inspects session content while it is in transit; content that triggers a detection never reaches the other side.
Sample inputs shown on the slide: >1234 5678 9123 4567, >scp financial.db, >cat cred
Detection types: command detection, screen-content detection, window-title detection
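The three detection types on the slide, as an added illustration written for this page (not BalaBit's or SCB's code): a proxy-side inspector runs command, screen-content and window-title rules over a constructed event stream and stops the session on the first hit, so the flagged event is never forwarded. The rules, the event stream and the `SessionInspector` class are this example's own assumptions. The card-number rule adds a Luhn check-digit test to reduce false positives; note that the digit string on the slide, 1234 5678 9123 4567, does not pass Luhn, so the example uses the well-known test number 4111 1111 1111 1111 to show a hit and the slide's string to show the filter.

```python
"""Added example (not BalaBit's code): real-time session content inspection
with command, screen-content and window-title rules."""

import re
from dataclasses import dataclass

# 13-19 digits with optional single spaces or dashes between them
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(s: str) -> bool:
    """Luhn check digit test on the digits in s (ignores separators)."""
    digits = [int(c) for c in s if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return len(digits) >= 13 and total % 10 == 0


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str  # "command" | "screen" | "title"
    pattern: re.Pattern
    luhn: bool = False  # card-number rules also require a valid check digit


RULES = [
    Rule("sensitive-file-transfer", "command", re.compile(r"^\s*scp\b.*\.db\b")),
    Rule("credential-file-read", "command", re.compile(r"^\s*cat\s+\S*cred\S*")),
    Rule("card-number-on-screen", "screen", CARD_RE, luhn=True),
    Rule("credential-manager-window", "title", re.compile(r"credential", re.I)),
]


def match_rule(rule: Rule, text: str):
    """Return the matching fragment, or None if the rule does not fire."""
    for m in rule.pattern.finditer(text):
        if rule.luhn and not luhn_ok(m.group(0)):
            continue
        return m.group(0)
    return None


class SessionInspector:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.terminated = False
        self.forwarded = []  # events that actually reached the other side
        self.alerts = []  # (rule name, event kind, matched fragment)

    def handle(self, kind: str, text: str) -> bool:
        """Inspect one event; forward it only if no rule of its kind matches."""
        if self.terminated:
            return False
        for r in self.rules:
            if r.kind == kind:
                hit = match_rule(r, text)
                if hit is not None:
                    self.alerts.append((r.name, kind, hit))
                    self.terminated = True  # session cut, event dropped
                    return False
        self.forwarded.append((kind, text))
        return True


def run_demo() -> SessionInspector:
    # constructed event stream of one audited session
    events = [
        ("command", "ls -la /var/backups"),
        ("title", "Terminal - admin@db01"),
        ("command", "scp financial.db backup@198.51.100.7:/tmp/"),
        ("command", "cat /etc/credentials"),  # never evaluated: session already cut
    ]
    insp = SessionInspector()
    for kind, text in events:
        insp.handle(kind, text)
    return insp


if __name__ == "__main__":
    result = run_demo()
    print("alerts:", result.alerts)
    print("forwarded:", result.forwarded)
```

Handling events one at a time, before forwarding, is what makes the "never reaches the other side" property hold; inspecting the recorded trail afterwards would detect the same content but could not block it.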
21. LICENSE // APPLIANCE
Model             | T1                  | T4                  | T10                 | VM
CPU               | Single QuadCore CPU | Single QuadCore CPU | Dual 6-Core CPU     | n/a
Memory            | 8 GB                | 8 GB                | 32 GB               | n/a
Storage           | 1 TB Software RAID  | 4 TB Hardware RAID  | 10 TB Hardware RAID | n/a
Redundancy        | Redundant PSU       | Redundant PSU       | Spare disk          | n/a
High availability | HA                  | HA                  | HA                  | NO
Protected hosts   | 10 -> 500           | 10 -> 5000          | 100 -> Unlimited    | 10 -> Unlimited
22. Benefits for the IT
Turnkey appliance for privileged user monitoring
Centralized authentication & access control
Faster and higher quality security audits
Lower troubleshooting and forensics costs
Fast deployment, low OPEX
Easy scalability and HA option
Direct 24/7 vendor support (optional)
23. Benefits for the Business
Greater chance of passing supervisory audits
Closer employee & partner control – verified SLAs
Improved accountability of staff
Reduced number of human errors
Strong evidence in legal proceedings
Enhanced security against human threats
24. Thank you for your attention!
Yves Van Tongerloo // Sales Manager Belgium|Netherlands|Luxembourg
yves.van.tongerloo@balabit.com
Editor's notes
BalaBit – headquartered in Luxembourg – is a European IT security innovator, specialized in advanced monitoring technologies. BalaBit IT Security is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies. BalaBit is a fast-growing IT security vendor that was founded in 2000 when the co-founders finished university. The main development centers are based in Hungary.
The company is widely-known for syslog-ng™, its open source log management solution, used by more than a million installations worldwide. This significant user base provides a solid ground for the business expansion which is fueled by Shell Control Box™, a pioneering development for the rapidly-growing niche of privileged activity monitoring market.
BalaBit has customers all over the world, including 23 percent of the Fortune 100 companies. Today the company employs approximately 150 people, and it is growing fast both in employees and in revenue: last year revenues increased 45%. It has sales offices in France, Germany, Hungary, Russia, the UK and the United States, and partners in 40+ countries.
The world is changing. New IT trends represent new and increasing security risks to your company.
In a global environment, IT responsibilities are increasingly shared with third-party providers, who require connections into your networks. In addition, companies tend to move an increasing portion of their sensitive data into the cloud for cost-efficiency reasons.
An increasing number of employees work from tablets, smartphones and notebooks and need access to the company's internal systems.
Last but not least, there is the booming danger of Advanced Persistent Threat attackers: well-prepared, organized cyber criminals who can easily bypass the traditional security lines.
These are big challenges for security managers:
You have to protect your sensitive databases, control privileged access to your cloud environment, monitor the growing number of employees with mobile devices, and know what your service providers are doing in your IT systems.
The market challenge can be seen in the news almost every day.
There are too many security blindspots that allow users – especially privileged users – to access your sensitive data or negatively impact your network.
It happens even at many of the largest and most tightly managed organizations, such as the NSA and the Bank of New York.
Companies invest a lot in access control solutions like firewalls, authentication systems etc. YET THERE ARE SIMPLY TOO MANY BLIND SPOTS OF USER ACTIONS THAT ARE NOT AUDITED.
Related Articles:
http://www.reuters.com/article/2013/09/18/us-usa-security-snowden-idUSBRE98H0J220130918
http://articles.washingtonpost.com/2013-05-27/world/39554997_1_u-s-missile-defenses-weapons-combat-aircraft
http://www.crn.com/slide-shows/security/300073375/the-10-biggest-data-breaches-of-2014-so-far.htm?cid=nl_sec
http://www.nytimes.com/2014/03/14/business/target-missed-signs-of-a-data-breach.html?_r=0
On this slide you can see why SCB is unique compared with similar solutions on the market:
It’s a transparent, multi-protocol solution
No changes need to be made to the existing IT environment, and the IT staff do not need to change their working processes. Customers only need to deploy one single solution to cover all well-known platforms and protocols.
Granular access control
This means that IT security managers can control who can access what and when based on the protocol being used. It’s possible to control file-transfers and other unusual traffic. For example, you can allow or deny protocol channels such as disk redirect, port-forwards and file-transfers based on the user group membership or the time of day.
4-eyes: This is achieved by requiring an authorizer to allow the administrator to access the server. The authorizer can also monitor the administrator's work in real time, as if they were watching the same screen.
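The granular access control and 4-eyes authorization described in the two notes above, as an added illustration written for this page (not BalaBit's or SCB's code): a first-match policy evaluator decides per protocol channel (disk redirect, port-forward, file transfer, interactive session), per group membership and per time of day, and a rule can additionally demand that a second person approve the session before it proceeds. The rule set, the request fields, the channel names and the `pending-authorisation` outcome are this example's own assumptions; SCB's actual policy model and names are not reproduced here.

```python
"""Added example (not BalaBit's code): channel-level access policy with
group, time-of-day and 4-eyes (second-person approval) conditions."""

from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Rule:
    protocol: str
    channel: str  # "*" matches any channel of the protocol
    groups: frozenset  # any of these groups qualifies; empty set = anyone
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    action: str = "deny"  # "allow" or "deny"
    four_eyes: bool = False  # allow only after an authorizer has approved


@dataclass
class Request:
    user: str
    groups: frozenset
    protocol: str
    channel: str
    when: time
    approver: Optional[str] = None  # set once an authorizer approved this session


DEFAULT_ACTION = "deny"  # nothing matched: closed by default

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# constructed policy; first matching rule decides
POLICY = [
    # contractors may never redirect drives or forward ports, at any time
    Rule("rdp", "disk-redirect", frozenset({"contractors"}), action="deny"),
    Rule("ssh", "port-forward", frozenset({"contractors"}), action="deny"),
    # file transfer by DBAs only in business hours, and only with a second pair of eyes
    Rule("ssh", "scp", frozenset({"dba"}), BUSINESS_START, BUSINESS_END, "allow", four_eyes=True),
    # interactive sessions for admins and contractors during business hours
    Rule("ssh", "session-shell", frozenset({"admins", "contractors"}), BUSINESS_START, BUSINESS_END, "allow"),
    Rule("rdp", "session", frozenset({"admins", "contractors"}), BUSINESS_START, BUSINESS_END, "allow"),
    # admins may also open shells out of hours (on-call)
    Rule("ssh", "session-shell", frozenset({"admins"}), action="allow"),
]


def _matches(rule: Rule, req: Request) -> bool:
    if rule.protocol != req.protocol:
        return False
    if rule.channel != "*" and rule.channel != req.channel:
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    return rule.start <= req.when <= rule.end


def evaluate(req: Request, policy=POLICY) -> str:
    """Return 'allow', 'deny' or 'pending-authorisation' (4-eyes not yet satisfied)."""
    for rule in policy:
        if _matches(rule, req):
            if rule.action == "deny":
                return "deny"
            if rule.four_eyes and (req.approver is None or req.approver == req.user):
                # self-approval does not count as a second pair of eyes
                return "pending-authorisation"
            return "allow"
    return DEFAULT_ACTION


if __name__ == "__main__":
    r = Request("dave", frozenset({"dba"}), "ssh", "scp", time(10, 0))
    print(evaluate(r))  # waits for an authorizer
    r.approver = "carol"
    print(evaluate(r))  # allowed once carol approved
```

Two design points worth copying into any such evaluator: the default is deny when no rule matches, and an approval recorded under the requesting user's own name is not accepted as the second pair of eyes.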
High quality auditing and forensics
Forensic investigations are made much easier by searching the audit trails generated by Shell Control Box. It is very easy to search for any type of command entered or for screen content. This feature is available for all supported protocols, including graphical sessions, thanks to the built-in optical character recognition engine. SCB is able to extract valuable information in real time during the session or via post-processing analysis.
The audit trails can be time-stamped, encrypted and digitally signed and can only be accessed by authorized personnel.
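The time-stamped, signed, tamper-proof audit trail mentioned here (and again under "Fast and quality audits" in the benefit notes below), as an added illustration written for this page (not BalaBit's or SCB's code): each record carries a timestamp, the authenticator of the previous record and an authenticator over both, so altering, inserting or deleting a record breaks verification of that record and everything after it. HMAC-SHA256 under a constructed key stands in for the digital signature and trusted timestamp an appliance would use; the key, the record layout and the sample events are this example's own assumptions, and encryption of the trail is not shown.

```python
"""Added example (not BalaBit's code): a hash-chained, MAC-authenticated
audit trail and a verifier that reports the first bad record."""

import hashlib
import hmac
import json
from datetime import datetime, timezone

AUDIT_KEY = b"constructed-audit-signing-key"  # placeholder, never a real key
GENESIS = "0" * 64  # "previous" value of the first record


def _canonical(d: dict) -> bytes:
    """Stable serialisation so the same record always yields the same MAC."""
    return json.dumps(d, sort_keys=True, separators=(",", ":")).encode()


def append_record(trail: list, event: dict, when=None, key=AUDIT_KEY) -> dict:
    """Append one authenticated record linked to the previous one."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "prev": prev,
        "event": event,
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    rec = dict(body, mac=mac)
    trail.append(rec)
    return rec


def verify_trail(trail: list, key=AUDIT_KEY):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i  # gap, reorder or deletion before this point
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i  # content or MAC of this record was altered
        prev = rec["mac"]
    return True, None


def build_sample_trail() -> list:
    """Constructed three-record trail for one audited session."""
    trail = []
    t0 = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        {"user": "alice", "action": "gateway-login", "host": "db01.example.test"},
        {"user": "alice", "action": "command", "command": "ls /var/backups"},
        {"user": "alice", "action": "session-end"},
    ]
    for n, e in enumerate(events):
        append_record(trail, e, when=t0.replace(minute=n))
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", verify_trail(t))
    t[1]["event"]["command"] = "id"
    print("after edit:", verify_trail(t))
```

One caveat the chain alone does not cover: cutting records off the end of the trail still verifies, because nothing after the last record vouches for it. A deployment closes that gap by anchoring the latest authenticator externally, for example in a trusted timestamp or a separate log store, which is why the trails described here are time-stamped as well as signed.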
These are the market drivers we see for SCB: regulations, company policies, forensics, IT partner management and sometimes general distrust in staff. These keywords are in our customers' minds and influence the buying process.
Compliance: Pressure for compliance of local regulations and/or industry standards. (for example PCI specifies that every bank, merchants or government organization handling credit card data must audit admin activity, as well!)
Company policy enforcement: Enforcement of internal rules, company policies and security strategy (who can access which resources, when, how and from where?). Strict security requirements are typical at big service providers (banks, telcos, government) which manage sensitive data (personal files, credit card information, etc.).
IT staff control: IT admins are the most powerful users in IT systems, with unrestricted access rights. Controlling them is essential.
Outsourcing partner control: Monitoring of 3rd party contractors or outsourcing partners (e.g. Hosting providers, remote admins, etc.) (e.g. Demonstration of the mistake of an external system admin) + SLA control
Business users audit: control of ordinary users' working sessions (for example, call centers have high staff turnover, so users must be carefully controlled; controlling remote worker access is also a must in many companies).
Forensics: Identifying and presenting evidence found in IT systems through a "legal" procedure (for example, a quick investigation after an accidental misconfiguration).
Detailed SCB use cases can be found here: http://www.balabit.com/support/documentation
Detailed SCB use cases can be found here: https://www.balabit.com/company/references
A complete solution for activity monitoring, eliminating the need for investment in 3rd party tools.
Central authentication and control: a centralized, strong authentication and access control point in your environment to improve security and reduce user administration costs.
Fast and quality audits: Making all user activities exactly traceable by recording them in high-quality, tamper-proof and confidential audit trails. Gathering all necessary information for reporting, troubleshooting or forensic situations.
Lowering troubleshooting/forensics costs: When something goes wrong, everybody wants to know the real story. Analyzing text-based logs can be a nightmare and may call for the participation of external experts. The ability to easily reconstruct the actions taken in an exact timeframe allows companies to shorten investigation time and avoid unexpected costs.
Compliance audits are among the most painful events in many companies. If the company does not comply with local or international regulations, company leaders, including top-level and financial directors, typically bear the responsibility.
Employee control: SCB audits, controls and records who did what and when, e.g. in the financial or SAP system. Aware of this, employees do their work with a greater sense of responsibility, so the number of human errors can be reduced. By having a tamper-proof activity record, accountability disputes can also be eliminated.
Bullet-proof evidence: If a disputed issue related to computer systems (e.g. data theft, external attack or employee sabotage) leads to legal proceedings, SCB helps in reconstructing events and providing evidence.