Case Study for XY Bank. Real-time desktop security monitoring and integration with ArcSight

Transcription

1 Case Study for XY Bank Real-time desktop security monitoring and integration with ArcSight 1

2 Table of Contents Introduction... 3 Customer IT Environment... 3 Issues, Challenges & Objectives... 3 Nexthink Baseline Service Project... 4 Nexthink Project... 4 Risk & Security Compliance Monitoring... 6 User Behavior Monitoring... 7 Non- Blocked Malware Detection... 7 Integration with ArcSight... 8 Case 1: Usage of vulnerable applications Case 2: Non- compliant / High risk Internet connection Case 3: Non- authorized external access to critical server

3 Introduction XY is a retail bank headquartered in Europe with more than 700 branches and 1 Million customers. XY is one of the oldest and leading banks in Europe. Customer IT Environment XY has been investing in a variety of IT systems covering all parts of their infrastructure and applications. As a leading retail bank, data security is a major challenge for the IT team. They invested in several solutions to secure the infrastructure and monitor the network and server usage in real-time. However, like almost all companies, they did not have a solution to monitor the desktop activity in real-time. Issues, Challenges & Objectives XY faced several major security threats during a very short period of time: 1. A worm outbreak, caused by the Conficker virus, quickly infected several workstations, 2. Unusual and suspicious traffic was flagged up by network monitoring tools raising concerns about outgoing spamming activity from within the organization, 3. An increasing number of security incidents were recorded by the desktop antivirus. The IT team did a manual sample audit of 100 workstations, including the infected ones, which lasted over 3 weeks. They found several important issues: 1. Several workstations did not have the latest operating system patch update, 2. A sample of workstations analyzed were using a vulnerable version of Internet Explorer, 3. Conficker infected the organization via a USB key, 3

4 4. Users were using non-authorized applications, 5. 30% of the sample workstations analyzed were not using the current version of the antivirus and the Windows firewall was deactivated. These findings led to more global questions: 1. How can I audit thousands of workstations at the same time to make sure that policies, configurations, and patching is respected? 2. In the future, how can I be alerted in real-time when these kinds of events happen? 3. In the future, how can I monitor our desktop patching activities to make sure that no desktop is vulnerable? 4. How can I monitor thousands of users to make sure they have the right privileges? 5. How can I make sure the antivirus and the Windows security settings are updated correctly? Nexthink Baseline Service Project To select the best solution XY and their IT technology partner performed extensive market research and analyzed several solutions to find a real-time desktop monitoring solution that could solve their issues and meet their objectives. XY analyzed several products through proof-of-concepts and thorough testing, and selected Nexthink as the desktop monitoring solution. Nexthink was short listed with other solutions including Microsoft SCCM, Knoa and Aternity. Nexthink was installed on 1,000 desktops and laptops. The installation took 2 days and after a week Nexthink was able to deliver a full security audit on the 1,000 desktops and laptops: 1. 18% of workstations were using a non-compliant browser version, 2. 47% of workstations did not have the required Windows service pack, 3. 3% of workstations were bypassing the proxy to connect to the Internet, 4. 30% of workstations were using games, cracks, hacking tools and port scans, 5. 5% of workstations were using pirated Windows serial numbers, 6. 2% of laptops and 3 desktops were using a USB 3G Mobile Internet device on the internal network while connected to the internal network, 7. 12% of workstations had the antivirus disabled or not installed, 8. 23% of workstations had the local firewall disabled or not installed, 9. 19% of workstations were executing malware from the USBs, 10. 6% of workstations had active malware, desktops had P2P and remote software tools. Nexthink Project Nexthink provided XY the complete, continuous, real-time desktop, user and application behavior visibility that they needed; allowing XY to have a monitoring solution across all their IT environments. The monitoring solution approach moved from to being in static points on the network to being present in all the desktops, from the head office to the most remote branch. Nexthink s approach let XY measure all the problems from the source (desktop, user and/or application) instead of trying to imagine what the problem was from a remote monitoring point. This unique technology let XY identify the root cause of their IT problems in less than 5 minutes against the hours, days, and weeks that it took before. The Nexthink patented Engine database allows the IT teams to search in seconds through millions of events and months of history. XY is able to detect past security behavior threats and risks, and create real-time alerts for the Security Operations Teams. 4

5 All the desktop activity is collected and sent to the main Engine, no configuration was needed on the lightweight driver deployed by Nexthink on the desktops (deploy and forget approach). We were afraid of deploying another agent on the desktop, but in fact the Nexthink Collector is a driver, not a normal agent. You are not aware of the Collector and it does not affect the performance of the desktop. The Nexthink next generation dashboard Portal was promoted to the XY Risk and Security Compliance unified portal, aggregating information from Nexthink and other software tools. The dynamic and interactive dashboards with the information collected on all the desktops allowes the CIO and the CISO to analyze charts and make decisions based on real data. Today, all the decisions are based on real facts and not assumptions or outdated data. Until now, simple questions like how many desktops have IE7? were always difficult to answer, with Nexthink it takes 10 seconds and I can even see the history of usage of the IE7, says the XY CIO. The project at XY was divided in three security areas: Risk and Security Compliance, User Behavior Awareness and Malware Activity. For each area, a central dashboard was delivered so the team can monitor the status from a single console. In addition, for each area a set of real-time alerts was configured so an or an SMS could be sent immediately to the team. 5

6 Risk & Security Compliance Monitoring In the Risk and Security Compliance area, XY requested Nexthink to map their desktop security policies to have an automated and continuous desktop audit. Through some customization, Nexthink created dashboards, alerts, reports and investigations to address the requirements and mapped XY security policies. Now even before the external audits, XY Risk and Security teams already know what the results will be and can take action to improve their audit scores and follow up the mitigation measures of the audits in real-time. One of the biggest issues for XY was the PCI DSS compliance, as this is essential to their business. In the previous audits their worst score was the desktop environment that connects to the PCI cardholder servers. Nexthink addressed the PCI DSS providing visibility about the behavior of the desktops connecting to the cardholder server through dashboards, reports, alerts and specific investigations to map the PCI DSS requirements for desktops. þ Dashboard Antivirus version installed on each desktop Desktops not connecting to the AV service Desktops with AV service availability issues Desktops with outdated or disabled AV Desktops with non-corporate AV Desktops / Applications using blocked ports Desktops / Applications using port 25 Non-standard applications using port 8080 Desktops with anti-spyware problems Desktops with Internet security setting problems Desktops with local firewall problems Desktops with Windows updates problems 6

7 Desktops running vulnerable application versions Desktops missing a Windows security pack Desktops / Applications connecting to the Internet bypassing the official proxy þ Real-time alerts Desktops with old versions of AV Desktops without AV Desktops with firewall at risk Non-authorized desktops using port 25 Successful connections through a blocked port Desktops not running a mandatory Windows pack User Behavior Monitoring For User Behavior, Nexthink provided XY the capability to measure and analyze the behavior of their users so that a strategy could be defined to improve the security user awareness and mitigate risky behavior. Until Nexthink was installed, it was very difficult and sometimes impossible to know what users were doing, when and what they were using the applications for and what was the behavior of the applications. Now with Nexthink, XY IT teams can identify the behavior of the users and applications without affecting their privacy or performance. þ þ Dashboard Usage of Local Administrator Accounts Applications executed from USBs Usage of P2P applications Usage VoIP applications Usage of remote network applications (e.g. LogMeIn) Users of non-authorized applications Users doing scans on the network Real-time alerts Administrative accounts used for non-administrative tasks Users connected to more than 10 desktops per day Users connected from different branches in less than 1 hour Users executing non-authorized applications Users doing scans on the network Non-Blocked Malware Detection Malware threat is one of the biggest threats faced by organizations. As more and more organizations are affected by worm outbreaks, XY needed to strengthen its measures against these threats. XY needed to know how malware could enter into the network and what were the possible and most exposed entry points for malware in their IT environment. Antivirus technologies are based on heuristics and signatures that cannot detect 100% of the malware. Nexthink, through the behavior analysis of all the applications, provided XY the perfect complement to their AV allowing the detection of malware that typically is not detected by the major antivirus vendors. To complement the behavior detection, Nexthink is using their malware database composed of 10 different AV engines. 7

8 þ þ Dashboard Malware threats per region High threats Medium threats Low threats Top 10 desktops with malware Top 10 malware sources Top 10 malware applications Malware attack destinations Real-time alerts Desktops with high threat malware Malware communicating with Internet Malware scans Malware spreading using shared folders Integration with ArcSight ArcSight is a leading global provider of security and compliance management solutions that protect businesses and government agencies, mainly through the usage of their most successful product ArcSight ESM. Nexthink was integrated with the ArcSight ESM to solve one of the biggest gaps with the ArcSight event correlation, the lack of events and useful information from desktops, applications and user behavior. After the first Nexthink presentation, XY s teams identified immediately that Nexthink could provide the information that was missing on their infrastructure monitoring. They couldn t trust Windows events or scanning solutions to monitor their critical environment, not only because of the impact that scans can have on the network but because they needed a realtime solution. Until Nexthink, the only events available from the desktops were the Windows events. Unfortunately, Windows events are not meant to be used for security and can create a lot of problems like false positives and inaccurate information linked to performance issues on the ArcSight ESM. Desktops are the source of 80% of our security problems. Even with ArcSight we were missing the biggest part of our security issues, ArcSight was not receiving desktop events and we didn t have any trusted source of events. Windows events are not enough and have a lot of junk. We were searching for a solution like Nexthink for a long time and now we know that we are monitoring not only the servers and network but our entire IT environment. Nexthink allows ArcSight to meet the full correlation potential and provides the organization the unique ability to have a monitoring solution across the entire IT environment. Events like: Machine X doing a scan to Machine Y Machine X executed non-authorized software Machine X with OS and AV outdated doing scan with binary nmap.exe to PCI DSS server Machine X bypassing Internet proxy Machine X using vulnerable application (Internet Explorer 6) Machine X installed LogmeIn Machine X using crack.exe from USB Machine X with Windows XP SP1 connecting to payment system Application teamviewer.exe detected in Machine X, Machine Y and Machine Z 8

9 Machine X used by 10 users in the last 1 hour Local administrator user JohnP used on Machine Y to install CasinoPoker Machines X, Machine Y and Machine Z send s through port 25 ArcSight without Nexthink events Lack of Desktop Environment Monitoring ArcSight with Nexthink events Complete Event Monitoring across the organization 9

10 Case 1: Usage of vulnerable applications 1. James Foe opens Internet Explorer 6 (vulnerable version) 2. Nexthink alerts to the usage of a vulnerable application 3. ArcSight ESM adds James Foe to a watch list 4. James Foe opens the website HackMe.com 5. The IDS sends an alert Website with Exploit to IE6 6. ArcSight correlation matches the Nexthink alert to the IDS alert and sends the alert to the SOC team 10

11 Case 2: Non-compliant / High risk Internet connection 1. James Foe deactivates their laptop antivirus 2. Nexthink sends an alert that laptop DP1023 with user James Foe does not have an active antivirus 3. ArcSight adds James Foe to watch list because of the deactivated antivirus 4. James Foe connects a USB 3G Mobile Internet Modem to the laptop DP1023 to avoid company security systems 5. James Foe opens his browser and starts to navigate directly on the Internet without any kind of security controls 6. Nexthink send an alert regarding Internet traffic without the corporate proxy usage coming from James Foe 7. ArcSight matches the James Foe Internet behavior with the deactivated antivirus and fires an alert to the SOC team 11

12 Case 3: Non-authorized external access to critical server 1. James Foe makes three failed connections and one successful connection to the payment system 2. ArcSight adds James Foe to watch list Possible suspicious user 3. James Foe downloads employee payment documents 4. James Foe executes Remote Access tool teamviewer.exe to provide control to his machine to non-authorized computer on the Internet 5. Nexthink alerts on the usage of Remote Access to external networks from user James Foe on Laptop DP ArcSight correlates the information from the payment system and Nexthink and fires the alert Problem detected Information Leakage from James Foe on laptop DP1023 to the SOC team. 12