Les Assises 2015 - Why people are the most important aspect of IT security?

Balázs Scheidler, co-founder and CTO of BalaBit, holds a presentation about the importance of privileged users in IT security. He introduces BalaBit's approach to people-centric security: a strategic approach to information security that emphasizes individual accountability and trust. It de-emphasizes restrictive, preventive security controls, while the monitoring of user activities is a fundamental element of people-centric security.
Mr. Scheidler showcases how Blindspotter, BalaBit's UBA solution, cooperates with its privileged activity monitoring tool, Shell Control Box, and how together they provide an effective defense against Advanced Persistent Threats. A live demo of how an APT attack would be prevented is also part of the presentation.


Slide 1: Balázs Scheidler, Founder & CTO

Slide 2: Agenda
• Concept of CSI Platform
• A case study of CSI Platform
• About BalaBit
• Product demo

Slide 3: Agenda (section divider: About BalaBit)

Slide 4: About BalaBit
• 15 years in network security
• Global leader in privileged user monitoring and log management
• +30% annual growth in the last 5 years
• 1 million installations worldwide
• 23 of the "Fortune 100 List" members among clients
• Headcount: 200+, of which 60% are developers and system engineers
• Global partner network: 100+ partners in 40+ countries

Slide 5: References (customer logos grouped by sector: Telco / IT, Finance, Other industries)

Slide 6: Agenda (section divider: Concept of CSI Platform)

Slide 7: Security Lifecycle (Define, Prevent, Detect, Respond; access controls & policies)
• Based on static, known threats
• Build layers of access controls, policies and walls
• Use predefined patterns and rules to prevent access
• Respond to breaches with bigger walls and more controls

Slide 8: Breaches continue...
• "Retail giant Target confirmed that credit and debit card information for 40 million of its customers had been compromised." (New York Times) The CEO and CIO left the company.
• "Sony Pictures Entertainment has been targeted by computer hackers in an attack which reports say forced it to shut down its systems..." (BBC) Costs estimated at $15-35m and growing.
• "Office of Personnel Management government data breach impacted 21.5 million people." (CNN) The Director resigned.
• Advanced Persistent Threats and malware depend on privileged account hijacking.

Slide 9: Cost and time to detect, resolve
• 90% of breaches went undetected for over 3 months
• 80% of breaches were unresolved after 3 months
• Cost breakdown chart (> $18 mm): technical support, lost productivity, revenue and disruption, brand and reputation; chart values as extracted: 2.5, 3.14, 3.02, 9.43 (Source: IBM/Ponemon Institute)
• "The cost of data breaches has increased by 96 percent; the number of successful attacks has increased by 144 percent in the last four years." (Source: HP State of Security Operations, 2015 report of capabilities and maturity of cyber defense organizations)

Slide 10: Add security in context
• Baseline business as usual
• Gather intelligence on unusual user activities in real time
• Prioritize investigations based on deviation from the norm, and risk
• Get forensic-level visibility into activities
• Respond immediately
Cycle: Monitor users → Understand the norm → Identify risks → Investigate and prevent

Slide 11: Agenda (section divider: A case study of CSI Platform)

Slide 12: Background
• Large European enterprise
• Global operations
• Strict compliance regulations
– Under financial regulations in the US, Germany & Hong Kong
• No technology they didn't have: mainframes, AS400, UNIX, Windows, Linux, ...

Slide 13: IT operations
• External suppliers help in IT operations
– Chunks of the infrastructure are outsourced completely
– Other service providers have a more specific scope
• Control:
– Traditional security gear (firewall, IPS, DLP, VPN, SIEM)
– SLAs
– ITIL-style change management

Slide 14: Remote access
• Suppliers access the infrastructure remotely
– Jumphost: basically unrestricted access to data centers
– VPN & VDI: desktops are constrained by default, but broad access privileges also exist

Slide 15: Credentials
• Remote access credentials are assigned to suppliers, not individuals
• Credentials to internal systems are the responsibility of the suppliers
• No insight into supplier credential management
• No vetting of supplier personnel

Slide 16: Internal separation
• Internal separation of systems is weak
• Workstations are restricted, but there are no firewalls between servers/applications
• Unrestricted IP-level access is just a hop away

Slide 17: The project: goals
• Establish direct controls over suppliers
• Visibility into daily operations
• Restrict access privileges ("need-to-know")
• Enforce change management

Slide 18: Project scope
• ~30-35k remote sessions per day
– 85% SSH
– 9% RDP
– 6% telnet (tn3270, tn5250)

Slide 19: The zero line
• Traditional security gear does not give enough context: firewall, IPS, VPN, DLP, SIEM
• Reasons:
1. The suppliers already have the privilege to pass
2. Logs do not provide the necessary level of detail
3. Complex sequences of actions cannot be reconstructed

Slide 20: First step: session recording was introduced

Slide 21: SCB: immediate benefits
• Transparent setup:
– All supplier sessions are forced through the SCB
– Without changing workflows, clients or servers (no agent)
• Forensic investigations
• Centralizing vendor authentication and credential management

Slide 22: 4-eyes control: authorizer, auditor, real-time follow

Slide 23: Enterprise integration

Slide 24: Real-time prevention
• Example inputs shown on the slide: `>1234 5678 9123 4567`, `>scp financial.db`, `>cat cred`
• Detection types: command detection, screen-content detection, window-title detection
• Matched content never reaches the other side
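The three detection types on this slide all come down to the same thing: a proxy that sits between the supplier and the server reads each chunk of the command channel and of the screen output, and decides per chunk whether it may be forwarded. The following is an added example, not BalaBit's or SCB's code; the blocklist rules, the field names and the sample session chunks are constructed for illustration. It goes slightly beyond the slide by buffering screen output across chunks, because a card number that is split over two terminal writes is the case a naive per-chunk scanner misses.

```python
"""Added example (not BalaBit/SCB code): inline inspection of a proxied
terminal session with block-or-forward verdicts per chunk.
Rules, field names and sample data are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Commands the policy refuses outright (constructed blocklist, hypothetical).
BLOCKED_COMMANDS = [
    re.compile(r"^\s*scp\b.*\bfinancial\.db\b"),    # copying the finance DB out
    re.compile(r"^\s*(cat|less|more)\s+\S*cred"),   # reading credential files
]

# Screen content: 14-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit runs (PIDs, epochs) do not trip the rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    forward: bool
    reason: str = ""


@dataclass
class SessionInspector:
    user: str
    luhn_check: bool = True          # False: block anything that merely looks like a card
    events: list = field(default_factory=list)
    _tail: str = ""                  # end of the previous screen chunk, for split matches

    def inspect_command(self, line: str) -> Verdict:
        """Command-channel check: a matching line is dropped before it reaches the server."""
        for rule in BLOCKED_COMMANDS:
            if rule.search(line):
                v = Verdict(False, f"blocked command: {line.strip()}")
                self.events.append(v)
                return v
        return Verdict(True)

    def inspect_screen(self, chunk: str) -> Verdict:
        """Screen-content check on server output; the chunk is dropped before the client sees it."""
        window = self._tail + chunk
        for m in CARD_RE.finditer(window):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not self.luhn_check or luhn_ok(digits):
                self._tail = ""      # do not re-report the same number on the next chunk
                v = Verdict(False, f"card number on screen (ending {digits[-4:]})")
                self.events.append(v)
                return v
        self._tail = window[-24:]    # keep enough to catch a number split across chunks
        return Verdict(True)


if __name__ == "__main__":
    insp = SessionInspector("vendor-a")
    for cmd in ("ls -la /var/log", "scp financial.db remote:/tmp/", "cat cred"):
        print(cmd, "->", insp.inspect_command(cmd))
    for chunk in ("card: 4111 1111 11", "11 1111 expires 12/27\n"):
        print(repr(chunk), "->", insp.inspect_screen(chunk))
```

Two practical notes. The Luhn filter is what keeps this rule usable on real terminal output, but it also means the slide's illustrative number `1234 5678 9123 4567` is forwarded by default (it fails the checksum); a policy that must also stop dummy or test numbers sets `luhn_check=False` and accepts more false positives. And because a blocking proxy cannot take back bytes it has already relayed, the tail buffer only helps if the proxy holds each chunk until the verdict is in, which is the latency cost of "never reaches the other side".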
Slide 25: Review of the audit trails
• Due to internal and external regulations, audit trails need to be reviewed
– Some in real time, using 4-eyes
– Others later

Slide 26: How to review?
• Which parts of the audit trails are the most interesting?
• How to choose which vendors should be reviewed?
• Which solution is significantly better than random sampling?

Slide 27: Second step: adding Behavior Analytics

Slide 28: What is behavior?
"Behavior is the internally coordinated responses of whole living organisms to internal and/or external stimuli" (Daniel A. Levitis, PhD in Integrative Biology)

Slide 29: User behavior in practice: what could be the elements of digital behavior?
• Typical time of logging in
• Typing speed
• Screen resolution
• Range of accessed servers and applications
• Activities performed: commands, screen content

Slide 30: The solution: Blindspotter
User Behavior Analytics shows:
• Who are the most risky users?
• What are the biggest anomalies?
• Which activities are the most critical?
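Slides 10, 26, 29 and 30 describe one procedure: build a per-user baseline from recorded session metadata, score each new session by its deviation from that baseline, and hand reviewers the largest deviations first instead of a random sample. The following is an added example of that procedure and is not Blindspotter's algorithm or code; the session fields (login hour, server, typing speed, command tokens), the per-feature scoring rules, the weights and the sample history are all constructed assumptions. The scoring deliberately uses only each user's own history, which is what makes a 03:00 login anomalous for one supplier and routine for a night-shift one.

```python
"""Added example (not Blindspotter's algorithm): per-user behavior baseline
and deviation scoring to prioritize audit-trail review.
Field names, scoring rules, weights and sample sessions are constructed."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    login_hour: int        # 0-23
    server: str
    typing_cps: float      # characters per second on the command channel
    commands: tuple        # first token of each command typed


class UserBaseline:
    """What 'business as usual' looks like for one user (slide 10: understand the norm)."""

    def __init__(self):
        self.hours = Counter()
        self.servers = Counter()
        self.commands = Counter()
        self.typing = []
        self.n = 0

    def update(self, s: Session):
        self.hours[s.login_hour] += 1
        self.servers[s.server] += 1
        self.commands.update(s.commands)
        self.typing.append(s.typing_cps)
        self.n += 1


def _hour_distance(a: int, b: int) -> int:
    d = abs(a - b) % 24
    return min(d, 24 - d)          # 23:00 and 01:00 are two hours apart, not 22


# Constructed weights: which features count most is a policy choice.
WEIGHTS = {"hour": 0.2, "server": 0.3, "typing": 0.2, "commands": 0.3}


def score_session(base: UserBaseline, s: Session) -> dict:
    """Per-feature deviation in [0, 1] against the user's own history, plus a weighted total."""
    if base.n == 0:                # a user with no history is reviewed, not trusted
        return {"total": 1.0, "reason": "no history for this user",
                "new_commands": list(s.commands)}
    # Login time: distance to the nearest hour this user has ever logged in at.
    nearest = min(_hour_distance(s.login_hour, h) for h in base.hours)
    hour_score = min(nearest / 6.0, 1.0)
    # Server: unseen = 1.0, otherwise rarity relative to the user's most-used server.
    seen = base.servers[s.server]
    server_score = 1.0 if seen == 0 else 1.0 - seen / max(base.servers.values())
    # Typing speed: distance in standard deviations from the user's own samples.
    mean = sum(base.typing) / len(base.typing)
    sd = math.sqrt(sum((x - mean) ** 2 for x in base.typing) / len(base.typing)) or 1.0
    typing_score = min(abs(s.typing_cps - mean) / (3 * sd), 1.0)
    # Commands: share of tokens this user has never typed before.
    new_cmds = [c for c in s.commands if base.commands[c] == 0]
    cmd_score = len(new_cmds) / len(s.commands) if s.commands else 0.0
    total = (WEIGHTS["hour"] * hour_score + WEIGHTS["server"] * server_score
             + WEIGHTS["typing"] * typing_score + WEIGHTS["commands"] * cmd_score)
    return {"hour": hour_score, "server": server_score, "typing": typing_score,
            "commands": cmd_score, "total": round(total, 3), "new_commands": new_cmds}


def rank_for_review(history, today):
    """Baselines from history, today's sessions scored, largest deviation first."""
    baselines = defaultdict(UserBaseline)
    for s in history:
        baselines[s.user].update(s)
    scored = [(score_session(baselines[s.user], s), s) for s in today]
    scored.sort(key=lambda t: t[0]["total"], reverse=True)
    return scored


# Constructed sample data: 20 routine daytime sessions on two DB hosts, then two new ones.
HISTORY = [
    Session("vendor-a", 9 + i % 3, f"db0{1 + i % 2}", 4.0 + 0.1 * (i % 5),
            ("ls", "tail", "systemctl"))
    for i in range(20)
]
TODAY = [
    Session("vendor-a", 10, "db01", 4.2, ("ls", "tail")),
    Session("vendor-a", 3, "hr-files01", 9.5, ("find", "tar", "scp")),
    Session("vendor-b", 11, "db01", 4.0, ("ls",)),
]

if __name__ == "__main__":
    for score, s in rank_for_review(HISTORY, TODAY):
        print(f"{score['total']:.3f}  {s.user:9} {s.login_hour:02d}:00 {s.server:11} "
              f"new commands: {score['new_commands']}")
```

The ranking answers the three questions on slide 30 in order: the user with the highest total is the riskiest, the per-feature scores say what the anomaly is (a never-used server plus never-typed `find`/`tar`/`scp` at 03:00), and `new_commands` points the reviewer at the part of the recorded session worth replaying first. A user with no baseline at all scores 1.0 on purpose; a first session is exactly the one that should not be skipped by sampling.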
Slide 31: Agenda (section divider: Product demo)
• Concept of the CSI Platform
• CSI Platform in real life
• About BalaBit
• Product demo

Slide 32: CSI Platform overview (diagram)
Inputs: system logs, application logs, activity monitoring → Threat Management Cockpit, with: API, user directory, video replay, risk landscape, search, report, User Behavior Analytics

Slide 33: Thank you!