Privileged Activity Monitoring


GUARDING YOUR BUSINESS
The Essential Guide to Privileged Activity Monitoring
Introduction to Privileged Access Challenges and Privileged Activity Monitoring as a Solution

Content

Content
About this Guide
Who are the Privileged Users?
Key Security Risks related to Privileged Users
Business Challenges
    Control Internal IT Staff
    Control Third-party Providers
    Comply with Regulations
    Improve Troubleshooting & Forensics
Most Affected Sectors
    Telecommunications
    Cloud- and Managed Service Providers
    Finance
    Government
    Other Industries
The Solution: Privileged Activity Monitoring
    Different Vendors, Different Approaches
    Monitoring and replaying user sessions
    Best Practices
Summary
Learn More
    BalaBit Shell Control Box - A Leading PAM Tool
    About BalaBit

About this Guide

One of the greatest challenges of IT is to prevent privileged users from doing things in systems which are not allowed. While the activity of a web-site visitor is well limited, the same is not true for an employee, and certainly not for a system administrator of the company. The freedom of users grows with their access level: the higher the rights they have in IT systems, the more risk they carry for the company. Privileged Activity Monitoring (PAM) tools control and monitor the access of privileged users to critical IT assets.

This guide provides an easily understandable overview of PAM. It defines the key capabilities of PAM solutions and their benefits for you and your customers. It also examines the key privileged-user-related challenges which various industries face. Last but not least, you will learn best practices for mitigating the risks related to privileged users, and how to successfully utilize a PAM solution.

Regulatory compliance, IT outsourcing and advanced cyber-attacks force companies to increase supervision of their privileged users. Implementing a solution to mitigate the risks of privileged activities is one of the toughest jobs for IT leaders today. We believe that this guide is a valuable tool to help IT and security managers overcome these challenges.

Who are the Privileged Users?

"A privileged user refers to any type of user or account that holds special or extra permissions within the enterprise systems." - Wikipedia

"Bank of New York reported that a sub-contractor computer technician has stolen over $1 million by using identity theft of employee data." - New York Times

"A network administrator has allegedly locked up a multimillion-dollar computer system for the city of San Francisco that handles sensitive data, and he is refusing to give police the password. The administrator made changes to the city's Fiber WAN (wide area network), allegedly rendering it inaccessible to other administrators. He also set up devices to gain unauthorized access to the system." - PC World

"An inexperienced operative erased a massive swathe of information during a routine software upgrade for the Royal Bank of Scotland and its subsidiaries... The worker was understood to have been part of a team recruited in Hyderabad after the bank laid off more than 20,000 UK staff and outsourced work abroad." - Mail Online

Nowadays, the news is full of similar cyber-attacks conducted by privileged users or by users gaining access to privileged accounts. But who are privileged users actually? At first thought, you may think the answer is simple: IT administrators. In fact, privileged users include not just administrators, but a much wider group of identities within an enterprise. According to the Wikipedia definition, a privileged user refers to any type of user or account that holds special or extra permissions within the enterprise systems. Privileged users can be categorized into the following types:

1. Users Accessing Shared Administrative Accounts: shared administrative accounts exist in virtually every device or software application. Some examples are the Administrator user on Microsoft Windows, the root user on UNIX/Linux, or the SYS account on Oracle. These accounts hold superuser privileges and are often shared among IT staff, for example among system administrators or network admins.

2. Users Accessing Privileged Personal Accounts: privileged personal accounts are powerful accounts that are used by business users and IT personnel. These accounts have a high level of privilege and their use (or misuse) can significantly affect the organization's business. Some examples are the CFO's user, or the Database Administrator (DBA) users. Users accessing these accounts are typically business or IT managers.

3. Users Accessing Emergency Accounts (also called fire-call IDs or break-glass users): emergency accounts are special generic accounts used when elevated privileges are required to fix urgent problems, such as in cases of business continuity or disaster recovery. Access to these accounts frequently requires managerial approval. Users accessing these accounts are typically administrators, help-desk people, or IT operators.

4. Users Accessing Sensitive Business Systems: at companies, there are several special employees who can access and manage sensitive data stored in key applications, such as SAP or the financial system. Some examples are the accountants, the HR managers, or the customer service employees.

How do privileged users typically work?

System administrators and other privileged users connect remotely to servers from their own desktops. By means of the communication standards (protocols) used, they see the same screen as if they were actually sitting in front of the monitor connected to the server, whereas the accessed computer may as well be in another part of the world. Nowadays large datacenters are distributed in different regions of the world. Large companies have fewer datacenter locations, and the various business departments (IT, HR, customer service, sales, finance, etc.) often operate in another country. Therefore remote IT resource access is the de-facto standard.

As you can see, beyond IT administrators there are several other users in the IT environment which have high-level privileges. To make the problem worse, several employees often share the access to these high-level accounts, making it difficult to track who was actually using the account at the time an incident happened...

Key Security Risks related to Privileged Users

"78% of large organizations were attacked by an unauthorized outsider in the UK." - Information Security Breaches Survey 2013

Business users accessing sensitive data

Privileged users are a potential security risk in many situations. At most companies, users at different organizational levels have the possibility to directly access and manipulate the most sensitive information, such as CRM data, personnel records or credit card numbers. These users can vary from legal department employees, through HR managers, to accountants and customer service people. Through data loss or leakage incidents, these business users can cause great damage to the reputation of your company.

Cyber threats: privileged accounts under attack

Privileged accounts have emerged as the primary target for cyber criminals and have been exploited to perpetrate some of the most devastating cyber-attacks and data breaches in recent years. Today, these cyber-attacks are so customized and sophisticated that they can easily bypass the traditional lines of protection. APT (Advanced Persistent Threat) intruders prefer to leverage privileged accounts where possible, such as Domain Administrator, local Administrator, service, or privileged user accounts. For example, online attackers recently penetrated the U.S. Department of Energy (DOE) network and obtained copies of personally identifiable information pertaining to several hundred of the agency's employees and contractors.

Superusers accessing everything

Beyond privileged business users, there are several superusers, such as administrators, IT contractors or C-level managers, who practically have unrestricted and uncontrolled access to the information assets of your company. While most employees are trustworthy, there are always employees who abuse the trust placed in them, and superusers are no exception. These users can intentionally - or accidentally - perform harmful actions in your IT systems that can cause great damage to your business. The above news about a sub-contractor technician who stole $1 million from the Bank of New York is just one of many examples.

Insufficient monitoring of user actions

In many cases business applications, such as legacy systems or custom-developed applications, are not capable of sufficient logging. Log management and SIEM tools are good at presenting event data, but they also have limitations:

- Hundreds of critical security event types (e.g. configuration of firewall rules) are not logged at all.
- Those events that are logged typically do not show what was really done. Many times, the logs only show obscure technical details about security events.

Consequently, traditional logging has limitations in tracing what your users do in the applications; moreover, a skilled administrator (or attacker) can manipulate the logs to cover his tracks. As the monitored user can compromise the logs, this information source is inadequate for reliable monitoring of privileged users.

Figure 1: The key security challenge related to privileged users

Business Challenges

Control Internal IT Staff

"74% of the IT staff have already misused the company's IT system, and could have lost their job if a video recording had proven their wrongdoing." - BalaBit IT Professionals Survey, 2011

System administrators are the most powerful users in an IT environment. Although these users typically sit at the bottom of the organizational hierarchy, they have very high or even unrestricted access rights to operating systems, databases and applications. Having superuser privileges on servers, administrators have the possibility to directly access and manipulate your company's sensitive information, such as financial and client data, or HR records. In contrast, their accountability is low, as they have several opportunities to mask their activities. Typical security risks with IT admins include:

- Sharing administrative passwords: in many cases IT personnel access the same privileged account and all of them know the password, which cannot be treated as secure. The Password 2011 Survey of Lieberman Software Corporation revealed that 42% of IT staff share passwords to access systems or applications in their organizations. This risk greatly increases when an administrator leaves the organization or changes role and the shared passwords are not changed.
- Bypassing company policies: BalaBit surveyed 200 IT professionals, which revealed that nearly half of them have made exception rules in the firewall to bypass the IT policy.
- Leaking data: 29% of respondents surveyed by BalaBit have taken home company data and 25% have looked into confidential files (for example, a list of salaries).
- Hiding traces: 15% have already deleted or modified system log files (in order to hide or destroy evidence).

Top 6 list of most popular naughty acts committed by admins (Source: BalaBit IT Professionals Survey, 2011)

Downloading illegal content    54%
Breaking firewall rules        48%
Data theft                     29%
Accessing sensitive data       25%
Reading others' mails          16%
Destroying evidence            15%

Control Third-party Providers

Do you have a private e-mail address, like Gmail or Yahoo? How do you know that the administrators of the provider do not read or tamper with your mails?

In a global environment, IT responsibilities are inevitably connected to outsourced departments, hosting or cloud providers. These third parties are essential to business and IT operations. Among others, they may operate your network infrastructure, maintain your web site, provide e-mail or CRM services (salesforce.com), or host your ERP application. Using such services also means that your organization is willing to trust the administrators of this external company with all its data (for example, private and business e-mails, customer information, and so on), or even with the operation of business-critical systems.

Typical methods for providing third-party access include VPN or jump hosts. These solutions provide firewall rules, but they lack granular access control options. In addition, controlling the activity of external administrators with traditional methods (for example, with internal policies) is quite difficult.

Giving responsibility to an IT service provider is always a security risk. You may control the partnership with your vendor with a contract, but monitoring their employees is hardly manageable with a standard Service Level Agreement (SLA). In fact, companies do not have a reliable and easy-to-use solution for validating SLAs and verifying billable activities. Measuring Key Performance Indicators (KPI) such as response times, or restricting external administrator access, is also a challenging exercise. That is why it is essential to monitor third-party access: to know what outsourcing partners do when they connect to your systems.

External developers, including independent software vendors (ISVs), contractors, or application management providers, are a specific group of third-party providers. They require connection to the corporate network, can remotely manage business-critical applications and, as privileged users, have the possibility to access your sensitive financial databases or customer records. Consequently, giving responsibility to a third-party developer is also a security risk.

Business Challenges

Comply with Regulations

"Regulatory compliance is concerned with laws that a business must obey, or risk legal sanctions, up to and including prison for its officers." - Gartner

Compliance is becoming increasingly important in several industries: laws, regulations and industry standards mandate increasing security awareness and the protection of customer data. Regulations like the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), ISO 27001, or the EU Data Protection Act all mandate the strict protection of sensitive information, be it personal data, credit card data, or financial information. For example:

- SOX mandates CEOs and CFOs to certify that all financial data provided to the auditors is accurate and has not been modified. If a firm fails an audit, management can even be sentenced to prison in case of serious infringements.
- COBIT, among others, requires security monitoring, change management and securing data controls, which necessitate the ability to monitor user activity and resource access.
- The PCI DSS references a need to audit access to cardholder data and the need to implement an access control system.
- ISO 27001 references controls for monitoring system use, controls for system administration and operations, and the management of security incidents.

Consequently, companies have to increase the auditability of their business processes, including the activity of privileged users. Sensitive customer data is usually stored in a database on a central server (perhaps in the cloud), and is accessible only via dedicated applications, such as accounting software. However, this server also has to be accessible by IT administrators for maintenance reasons. Having superuser privileges on the system, these administrators have the possibility to directly access and manipulate the database, and the possibility to erase the traces of such actions from the logs. In addition, with standard log collector applications only limited data can be collected: for example, IT auditors would miss critical actions like viewing or manipulating sensitive data by unauthorized personnel. Missing items from the log collection system result in many question marks when an incident occurs. Therefore, organizations must find a reliable solution to be able to audit the actions of their privileged users in order to ensure compliance.

Improve Troubleshooting & Forensics

"36% of the worst security breaches in the year were caused by inadvertent human error." - Information Security Breaches Survey 2013

The simple question "Who did what on our server?" is one of the toughest questions to answer in IT today. When something goes wrong, everybody wants to know the real story. For example, when you have to investigate a remote-access incident, correlating the logs of the desktop PC, the firewall, and the accessed servers might be necessary. Analyzing thousands of text-based logs can be a nightmare and may require the participation of costly external experts. In many cases, computer forensics at larger companies is performed by local Computer Emergency Response Teams (CERT) or Computer Incident Response Teams (CIRT). However, without reliable recording of administrative and privileged access to servers, the investigation of incidents becomes expensive and circumstantial.

System management tools are improving the ability of companies to handle system errors, but the solution to human error, the number one cause of server downtime, remains elusive. Without recording the user sessions, the question "who did what, and when?" is almost impossible to answer, and often leads to accusations along with time and money wasted on investigating the incident. To avoid this, a tamper-proof session-recording solution should be used.

Most Affected Sectors

Telecommunications

"A telecommunications company has been accused of using leaked identity credentials to poach Telecom New Zealand customers in a breach that mirrors a similar theft which hit Vodafone Australia weeks earlier." - zdnet.com

Protecting client and billing data

Telecommunication firms possess, and must control access to, several types of sensitive data, including private customer data, employee records, and company financial information. Not only do service providers maintain large databases containing demographic and transactional data, they also possess massive amounts of usage data in the form of Call Data Records (CDR) and Internet Traffic and Transaction Data (IPDR). With large numbers of employees, service providers must manage and record access to this sensitive information.

Complex, interconnected networks

Telecommunication firms operate complex, heterogeneous network environments which are difficult to monitor. They need different monitoring products for different platforms, which can be expensive and complex. Larger providers have tens of thousands of servers and networking devices managed by countless external and internal system administrators. Their activity cannot be fully traced or controlled with traditional solutions. For example, an accidental misconfiguration of a mission-critical router can cause a serious service outage.

Compliance challenges

Telecommunication providers are increasingly subject to data protection regulations from a variety of organizations, ranging from the Payment Card Industry (PCI) to governmental agencies, such as the European Union and its Data Retention Directive. Publicly traded US-based telecom companies must also comply with Sarbanes-Oxley (SOX). Laws and standards prescribe keeping clients' sensitive data safe and the deployment of a system that does not allow traceless modification of critical information, thus protecting the clients' interests.

Most Affected Sectors

Cloud- and Managed Service Providers

"Gartner predicts that from 2013 through 2016, $677 billion will be spent on cloud services worldwide."

Strict measures to keep reputation

Amazon, Google, Salesforce.com, Rackspace, and other similar companies are all rising cloud providers, which increasingly affect the IT and business operations of companies. However, these providers, as partners, are expected to provide proactive security solutions and specialized expertise. Damage done by a malicious insider, such as a cloud administrator, might be extremely rare, but far more devastating than in a regular computing environment. Therefore, special precautions must be taken to prevent such damage. These precautions should include strong authentication, authorization and the rigorous recording of the actions of the cloud administrators. Brand image and reputation are precious assets in the Managed Service Provider (MSP) and Cloud Service Provider (CSP) sectors. Even minor performance issues, delays or downtime can result in irreparable damage to their reputation.

Accountability issues

Just like in traditional IT outsourcing, using the services of a cloud provider requires the customer to give up control over his IT infrastructure. Every action a Cloud Service Provider (CSP) performs on its customers' servers can trigger the blame game. Consequently, to reassure their customers, CSPs should make IT management and maintenance more transparent and auditable by the customers. This should include recording complete administrative sessions affecting the part of the cloud infrastructure used by the customer and, if requested, making these accessible to the customer. If activities can be investigated, most potential attacks from inside are prevented by the mere existence of a monitoring solution providing objective proof of all events, and CSPs can eliminate the shadow of doubt about their operation.

SLA verification

Without the possibility to oversee CSP/MSP administrators, evaluating their effectiveness is also a challenging exercise. Control over the SLA is also a problem, as there is no reliable solution in the hands of a CSP to justify its Key Performance Indicators (for example, response times) and billable activities. Without a tamper-proof activity monitoring solution in place, the provider cannot prove that its work is compliant with the SLA requirements.

Compliance challenges

MSPs and cloud providers are increasingly subject to data protection regulations from a variety of organizations, ranging from the PCI DSS (Cloud Computing Guidelines) through the Cloud Security Alliance (Security, Trust & Assurance Registry - STAR) to SAS70 and national law enforcement agencies. Laws and standards require keeping client data safe, separating roles, and fully auditing administrative access to these data. These regulatory requirements may call for a tamper-proof session-recording tool to pass compliance audits of cloud security processes. A cloud provider that can meet these requirements and offer hard evidence of this compliance can gain a significant advantage.

Most Affected Sectors

Finance

"Citigroup Inc. said that hackers accessed the credit card information of North American customers in an online security breach affecting about 200,000 accounts." - CBCNews, 2011

Increasing risk of fraud

Banks manage and store massive amounts of sensitive data, such as payment transactions and personal financial information. Consequently, the finance industry is the largest target for cyber-criminals, as the IT infrastructures that manage financial transactions have made cyber-crime more prevalent. Risks associated with data loss or data breach can be fatal.

Regulatory pressure

Besides strict internal IT security policies, industry regulations are increasingly challenging to implement and increasingly important to comply with for financial services firms. For instance, financial institutions need to meet Basel III, the Markets in Financial Instruments Directive (MiFID II), SOX/EuroSox, PCI DSS and several other standards forcing the adoption of IT controls such as ITIL, COBIT or ISO 2700x. Laws and standards require the deployment of IT systems that record all access to sensitive financial information, thus protecting the interests of investors, creditors, and clients. Financial institutions must pass these audits to continue everyday operations and prevent financial losses and damage to their reputation.

Complex IT organizations

International banks and insurers operate large, distributed data centers, with thousands of servers and applications managed by hundreds of system administrators. Traditional solutions, for example logging and ticketing systems, cannot completely trace and control the activity of these administrators. Without user-session recording, the question "who did what?" is almost impossible to answer, and usually leads to finger-pointing along with significant time and money invested in investigating the incident. The clients of this sector do not tolerate longer outages, so reducing downtime and increasing the mean time between failures is essential.

Difficulties of controlling third parties

In a global financial environment, responsibilities are unsurprisingly outsourced or sub-contracted to third parties. Giving responsibility to an IT service provider is always a security risk. Financial organizations often use custom-developed applications, which are often supported remotely by the external developers. In these cases, third-party developers and administrators might have direct access to sensitive financial databases. Although some financial institutions have custom-developed activity-monitoring solutions in place, these tools often lack the required functionality and support, and have interoperability issues with the existing IT environment.

Most Affected Sectors

Government

"In 2013 [Cyber Warfare] was, for the first time, considered a larger threat than Al Qaeda or terrorism, by many U.S. intelligence officials." - Ken Dilanian, Los Angeles Times, March

"Designs for many of the U.S.' most sensitive advanced weapons systems have been compromised by Chinese hackers." - Washington Post, May, 2013

Cyber Warfare

Security within the government sector is a high-stakes game where getting out ahead of emerging cyber-attacks can be a matter of national security. Cyber warfare is a form of information warfare which refers to politically motivated hacking to conduct sabotage and espionage. Indeed, these attacks can range from Denial-of-Service (DoS) attacks, through sabotage of critical national infrastructure, to espionage and national security breaches. It is of paramount importance to improve the efficiency of real-time response to critical situations and security issues. Consequently, government institutions should use advanced security technologies with extra attention towards activity reporting, data collection and analysis.

Regulatory pressure

The government, being the national regulator, has to articulate new regulations as well as fulfill them afterwards, in a cost-effective way. For example, for U.S. government agencies, complying with FISMA and the new NIST SP requirements poses a real challenge. In addition, several standards, for example ISO, require special attention to be paid to privileged users and accounts that handle sensitive data, as phrased in the Monitoring and User Access Management (A , A.11.2.) processes.

Managing third-party IT providers

Given the lack of deep technical expertise, public sector institutions rely heavily on IT outsourcing providers. Institutions such as government agencies or healthcare providers operate several custom-developed or proprietary systems, which are managed or supported by third-party vendors or providers. In these cases, third-party developers and administrators might have direct access to sensitive databases, for example personal records.

Other Industries

Other industries also face challenges which require closer monitoring of privileged users. For example, protecting intellectual property, such as R&D information, as well as auditing processes across the supply chain, may call for a session-recording solution in the manufacturing sector. In the retail industry, PCI-DSS compliance is a must to protect card-holder information, but controlling IT systems among trading companies and their subcontractors is also a challenging exercise.

The Solution: Privileged Activity Monitoring

"All organizations have to balance the security risks associated with privileged accounts against the operational efficiencies gained through the use of such accounts." - Gartner

Like many new concepts, Privileged Activity Monitoring does not have a clear and perfect definition. Many vendors have introduced new terminology for this concept in an attempt to be the first to define the market, with mixed results. They use different naming conventions but similar acronyms: PUM, PAM, PAAM, etc. Privileged User Monitoring, Privileged Activity Monitoring, Privileged Account Activity Management and all the variants of these expressions can be found on Google. In fact, even major IT analyst firms do not have a generally accepted definition, which illustrates how new this concept is. Perhaps the following definition provides the most accurate description, according to which PAM tools aim to address the following requirements:

- Controlling the users' access to privileged accounts (authenticating the users, restricting access based on time policies).
- Managing and controlling privileged sessions (for example, restricting administrative access to the servers).
- Monitoring the use of shared and superuser accounts (for example, root or Administrator).
- Collecting audit information for forensics situations, compliance reports, and so on.

Figure 3: Key PAM requirements

The Solution

Different Vendors, Different Approaches

Privileged Activity Monitoring is still a niche market, with a small but growing number of IT security vendors in the field. Vendors approach this market from different directions and with various core competencies, such as password management, identity and access management, or network forensics. Typically, they market their technologies as essential parts of larger solutions. However, all of these products are trying to meet the same challenge: control and monitor the access of privileged users to critical IT assets. Since there are a number of different ways to approach the problem, let's review the technologies they use.

Jump hosts (hop gateways)

Jump hosts provide a web-based interface for accessing servers: the users access the jump host from their browser, and connect to the target server using a web-based client application that is running on the jump host. In the meantime, the jump host records the actions or logs of the application. As jump hosts are non-transparent solutions, they make integration into an existing infrastructure difficult. Also, the users must use the applications provided by the jump host, which may have compatibility issues with their server applications. Auditing of graphical protocols (for example, Remote Desktop Protocol or Citrix ICA) is rarely supported, and even if it is, it can become a performance issue. Transferring files between the server and the client can also be problematic, or not supported at all.

Network sniffers

Network sniffers are based on switch port mirroring; they receive the network traffic going to the servers and try to extract useful information from it. These solutions are easy to integrate and are non-invasive by nature. They also have no effect on the way users do their work. However, all this also means that they are very limited in monitoring encrypted traffic, for example SSH or RDP. Being passive solutions also limits the capabilities of these devices, so they cannot authenticate users, control protocol channels, or terminate unwanted connections to a server.

Agent-based solutions

Agent-based solutions install small applications (agents) on the monitored servers that collect information about the user activities. They can provide detailed monitoring capabilities, but have some general disadvantages:

- Agents must be installed and maintained on each server.
- Monitoring is limited to the platforms supported by the agent. Typically, they run only on the most common operating systems, leaving other systems and devices (for example, network devices) unmonitored.
- They do not have any control over the connection used to access the server, and thus cannot limit its use (for example, they cannot restrict file transfers or port-forwarding in SSH, or file redirection on Windows).
- There is no separation between the monitoring system and the monitored system, so the agents can be manipulated by the monitored superusers. This is essentially the same problem as using the system logs of the monitored system to check the actions of the superuser, who can influence the system logs.

Proxy Gateways

Proxy gateways are the most mature solutions in terms of control granularity and auditing quality. Proxy-based technologies operate as network gateways: they are placed between the client and the server, and inspect the traffic on the application level. Since these proxies have full access to the inspected traffic, they have full control over protocol features. For example, you can selectively permit or deny access to certain protocol-specific channels: you can enable terminal sessions in SSH but disable port-forwarding and file transfers, or enable desktop access for the Remote Desktop Protocol but disable file and printer sharing.

Figure 4: The concept of proxy gateways

Proxy gateways can operate transparently in the network and are independent from the client and the monitored server. This prevents anyone from modifying the extracted audit information, as the administrators of the server have no access to the proxy gateway. Certain solutions can even store the audit trails in a time-stamped, encrypted, and digitally signed format, so not even the administrator of the gateway can tamper with the audit trails. As transparent solutions, proxy gateways require minimal change to the existing IT environment. Also, since they operate on the network level, the users can keep using the client applications they are familiar with, and do not have to change their working habits.

Standing in the middle of the monitored network traffic allows proxy gateways to actually intervene in the traffic, making it possible, for example, to require the user to authenticate on the gateway, or to pause the connection until it is authorized by someone appropriate. With an appropriate way to stream the traffic to the authorizer, the work of the user can be monitored in real time. It is also possible to extract the files transferred to the server, and store them with the audit trails for later review.

Monitoring and replaying user sessions

The monitoring and replaying capabilities of PAM solutions show a wide spectrum. Some collect syslog-like log messages, which can be displayed or replayed based on the timestamps of the log messages. Others log only keystrokes. There are solutions that save screenshots from user sessions, or even record the entire session into an AVI file. However, unless some way is provided to process and analyze the content of the screenshots and video files, these are not as useful as they might seem at first.

Movie-like session recording and playback can nevertheless be a powerful tool, giving auditors the possibility to review all actions of the administrators exactly as they appeared on their monitor. (Proxy gateways stand out with this capability.) This can be immensely useful in forensic situations and reporting, if it can be processed automatically to extract the executed commands, the applications launched, the contents of the screen, and other similar information. To make this happen, advanced PAM solutions index the commands of terminal sessions (like SSH or Telnet), and use Optical Character Recognition (OCR) techniques on graphical screens (as in the case of Remote Desktop, Citrix ICA, and so on).

The monitoring and auditing of user sessions should make it possible to conduct ad-hoc forensic investigations, analyze recorded data in detail, and also create custom reports. The subject of the analysis can be, for example, a user login, a file access, a file transfer, the launch of an application, the stopping of a service, and so on.
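The integrity half of the "time-stamped, encrypted, and digitally signed" audit trail described above, as an added example that is not BalaBit or SCB code: each session record is time-stamped by the gateway, chained to its predecessor and signed, so an edit, a deleted record or a cut-off tail is detected on verification. Encryption of the trail is out of scope here; the key, session, user and event texts are constructed for the example.

```python
"""Tamper-evident audit trail: hash-chained, time-stamped, HMAC-signed records.

Added example, not BalaBit or SCB code. Shows why a signed and chained trail
lets a verifier detect later modification, deletion or reordering, and what
extra anchor is needed to catch truncation of the most recent records.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed demo key. For "not even the gateway administrator can tamper"
# to hold, the real key must live where that administrator cannot read it
# (an HSM or a separate signing service), or an asymmetric signature with an
# external time-stamp must replace the shared-secret HMAC used here.
GATEWAY_SIGNING_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous signature" of the first record


def _canonical(body: dict) -> bytes:
    """Deterministic serialization so the MAC covers one fixed byte string."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(trail: List[dict], session: str, user: str, event: str,
                 ts: str, key: bytes = GATEWAY_SIGNING_KEY) -> dict:
    """Append one session event, chained to the previous record and signed."""
    body = {
        "seq": len(trail),
        "ts": ts,  # time stamp assigned by the gateway, not by the monitored server
        "session": session,
        "user": user,
        "event": event,
        "prev": trail[-1]["sig"] if trail else GENESIS,
    }
    record = dict(body, sig=hmac.new(key, _canonical(body), hashlib.sha256).hexdigest())
    trail.append(record)
    return record


def verify_trail(trail: List[dict], key: bytes = GATEWAY_SIGNING_KEY,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_position).

    Edits, deletions and reordering break the chain at the first affected
    record. Silent removal of the *last* records is invisible to the chain
    alone, so the verifier also compares the final signature with a "head"
    value published out-of-band (e.g. sent to the SIEM at session end); a
    mismatch is reported at position len(trail).
    """
    expected_prev = GENESIS
    for idx, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "sig"}
        if body.get("seq") != idx or body.get("prev") != expected_prev:
            return False, idx
        expected_sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, str(record.get("sig", ""))):
            return False, idx
        expected_prev = record["sig"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(trail)
    return True, None


def demo() -> dict:
    """Record a constructed SSH session, then try three kinds of tampering."""
    trail: List[dict] = []
    events = [  # constructed sample session
        "login via SSH from 10.0.0.5",
        "command: vi /etc/hosts",
        "file upload via SCP: report.csv",
        "logout",
    ]
    for i, event in enumerate(events):
        append_event(trail, "sess-0001", "admin-jdoe", event, ts=f"2014-01-01T10:00:0{i}+00:00")
    head = trail[-1]["sig"]  # what the gateway would publish out-of-band
    results = {"original_ok": verify_trail(trail, expected_head=head)[0]}

    edited = copy.deepcopy(trail)          # 1. rewrite the content of one record
    edited[2]["event"] = "command: ls"
    results["edited_ok"], results["edited_first_bad"] = verify_trail(edited, expected_head=head)

    deleted = copy.deepcopy(trail)         # 2. drop a record from the middle
    del deleted[1]
    results["deleted_ok"], results["deleted_first_bad"] = verify_trail(deleted, expected_head=head)

    truncated = copy.deepcopy(trail[:-1])  # 3. cut the tail off
    results["truncated_ok"], results["truncated_first_bad"] = verify_trail(truncated, expected_head=head)
    results["truncated_ok_without_head"] = verify_trail(truncated)[0]  # chain alone misses this
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```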

Best Practices

01 Adopt the least-privilege principle
Give a user account only those privileges which are essential to that user's work.

02 Use "God mode" only in emergencies
Generally, system administrators do not need unlimited access to the systems they manage. Lock up your superuser accounts (root, admin, system, and so on) and use them only if absolutely needed.

03 Personalize every single account
Make personal accountability possible among your privileged users. The first step is minimizing the number of shared accounts. The second rule is that shared-account passwords must not themselves be shared. Then you can go on to elaborate functional areas, detect incompatibilities and segregate duties.

04 Limit the number of systems in scope for each person's privileged accounts
System administrators should have superuser privileges only on the systems where they are needed, consistent with business and operational needs. This is a common audit recommendation.

05 Build a central user monitoring infrastructure
Log management or SIEM solutions do not capture all the necessary information. The easiest way to eliminate these blind spots is to use a Privileged Activity Monitoring solution, which augments the existing logs by showing precisely what the user did (as opposed to the technical results of what they did).

06 Implement an independent and transparent activity monitoring device
Implement an independent PAM tool that operates transparently, and extracts the audit information directly from the communication between the client and the server. This prevents anyone from modifying the audited information; not even the administrator of the device can tamper with the encrypted audit trails. Your existing IT environment requires no change, and your staff can do their day-to-day jobs without changing their working habits.

07 Use strong authentication and authorization for privileged accounts
Where superuser privileges are assigned to personal accounts, protect those accounts with strong authentication methods. Full-blown system administrators should use higher-assurance methods such as public keys or X.509 smart tokens. To avoid accidental misconfiguration and other human error, certain PAMs support the 4-eyes authorization principle as well. This is achieved by requiring an authorizer to track the administrator's actions on the server.

08 Control remote access in detail
The most secure way is to control who can access what and when, based on the protocol being used. With the right PAM solution it is possible to control file transfers and other unusual traffic. For example, you can allow or deny protocol channels such as disk sharing, port-forwards or file transfers based on the group membership of the user, or the time of day.

09 Prevent malicious actions in real time
Advanced PAM solutions can monitor the traffic of remote connections in real time, and execute various actions if a certain pattern (for example, a suspicious command or text) appears in the command line or on the screen. Certain PAMs can also detect patterns such as credit card numbers. In case of a risky user action, the device can send an alert to you or immediately terminate the connection. For example, it can block the connection before a harmful administrator command, such as deleting an essential system file, is executed on the server.

10 Improve forensics with movie-like playback and fast search
Advanced PAM tools can replay the recorded sessions just like a movie: all actions of the users can be seen exactly as they appeared on their monitor. They enable fast forwarding during replays, and searching for events (for example, typed commands or pressing Enter) and for text seen by the user. In case of any problems (database manipulation, unexpected shutdown, and so on), the circumstances of the event are readily available in the trails, so the cause of the incident can be easily identified.
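The channel-level control described for proxy gateways and in practices 07 and 08, as an added example that is not BalaBit or SCB code: a default-deny policy decides per protocol channel (SSH shell versus SFTP or port-forwarding, RDP desktop versus drive redirection) based on the user's group membership and the time of day, and can hold a channel until a 4-eyes authorizer approves. Channel names, groups and the rule set are constructed for the example.

```python
"""Protocol-channel policy of an application-level proxy gateway.

Added example, not BalaBit or SCB code. A proxy that understands the
protocol can allow a terminal session while denying tunnels and file copies;
this module models that decision with group- and time-based rules.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Tuple

# Channels an application-level proxy can tell apart (constructed names).
KNOWN_CHANNELS: Dict[str, FrozenSet[str]] = {
    "ssh": frozenset({"session-shell", "session-exec", "sftp", "scp",
                      "local-forward", "remote-forward", "x11"}),
    "rdp": frozenset({"desktop", "clipboard", "drive-redirect",
                      "printer-redirect", "audio"}),
}


@dataclass(frozen=True)
class ChannelRequest:
    user: str
    groups: FrozenSet[str]
    protocol: str
    channel: str
    when: time  # gateway-local time at which the channel was requested


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocol: str
    channels: FrozenSet[str]
    groups: FrozenSet[str] = frozenset()  # empty = any user
    window: Optional[Tuple[time, time]] = None  # (start, end); None = any time
    require_authorizer: bool = False      # allow only after 4-eyes approval

    def matches(self, req: ChannelRequest) -> bool:
        if self.protocol != req.protocol or req.channel not in self.channels:
            return False
        if self.groups and not (self.groups & req.groups):
            return False
        if self.window is not None and not (self.window[0] <= req.when <= self.window[1]):
            return False
        return True


class ChannelPolicy:
    """First matching rule wins; anything unmatched is denied (least privilege)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, req: ChannelRequest) -> Tuple[str, Optional[str]]:
        """Return (action, rule_name); action is "allow", "deny" or "hold".

        "hold" means the proxy parks the channel request until an authorizer
        approves it, the 4-eyes flow described in the best practices.
        """
        if req.channel not in KNOWN_CHANNELS.get(req.protocol, frozenset()):
            return "deny", "unknown-channel"  # fail closed on anything unrecognised
        for rule in self.rules:
            if rule.matches(req):
                if rule.action == "allow" and rule.require_authorizer:
                    return "hold", rule.name
                return rule.action, rule.name
        return "deny", None


def example_policy() -> ChannelPolicy:
    """Constructed rule set mirroring the SSH and RDP examples on this page."""
    business_hours = (time(8, 0), time(18, 0))
    return ChannelPolicy([
        # Unix admins get a terminal; tunnels and file copies fall to the default deny.
        Rule("admins-shell", "allow", "ssh",
             frozenset({"session-shell", "session-exec"}), frozenset({"unix-admins"})),
        # File transfer only for the release team, in business hours, with an authorizer.
        Rule("release-sftp-4eyes", "allow", "ssh", frozenset({"sftp", "scp"}),
             frozenset({"release-team"}), business_hours, require_authorizer=True),
        # RDP desktop for Windows admins; drive and printer redirection stay denied.
        Rule("win-admins-desktop", "allow", "rdp", frozenset({"desktop"}),
             frozenset({"windows-admins"})),
        Rule("clipboard-business-hours", "allow", "rdp", frozenset({"clipboard"}),
             frozenset({"windows-admins"}), business_hours),
    ])


def decide(policy: ChannelPolicy, user: str, groups: List[str], protocol: str,
           channel: str, hh: int, mm: int) -> Tuple[str, Optional[str]]:
    """Build a request from plain values and evaluate it against the policy."""
    return policy.evaluate(ChannelRequest(user, frozenset(groups), protocol, channel, time(hh, mm)))


if __name__ == "__main__":
    p = example_policy()
    for args in [("jdoe", ["unix-admins"], "ssh", "session-shell", 10, 0),
                 ("jdoe", ["unix-admins"], "ssh", "local-forward", 10, 0),
                 ("rel", ["release-team"], "ssh", "sftp", 10, 0),
                 ("rel", ["release-team"], "ssh", "sftp", 22, 0),
                 ("wadm", ["windows-admins"], "rdp", "drive-redirect", 10, 0)]:
        print(args, "->", decide(p, *args))
```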

Summary

Privileged users include not just administrators, but a much wider group within an enterprise. Having extra privileges in the IT environment, these (super)users represent a security risk for the business, as they can access and manipulate sensitive systems and data. Protecting critical IT assets from advanced cyber-attacks that use privileged accounts causes headaches for security managers as well. Though logging and SIEM tools do a good job at presenting event data, they have limitations and cannot capture all the required user information.

The need to control and monitor the actions of privileged users is typical in the finance, telecommunications, cloud provider, and public sectors. These organizations operate critical infrastructures and handle large amounts of sensitive data, the strict protection of which is vital for compliance and reputation, and in some cases for national security reasons as well.

Privileged Activity Monitoring (PAM) tools can be an ideal solution to these challenges. These tools can restrict privileged access to IT resources and control user sessions. They can even monitor administrative activities and collect audit information for forensic situations, compliance reports, and so on. By implementing PAM, your organization will be able to control the work of its internal IT administrators, powerful business users, as well as its outsourcing partners.

Advanced PAM tools support movie-like playback and fast, free-text search in user activities, which dramatically speeds up troubleshooting and forensic investigations. These solutions control and audit who did what and when, for example in the financial or SAP system. Aware of this, your employees will do their work with a greater sense of responsibility, so the number of human errors can be reduced. By having a tamper-proof activity record, accountability issues can also be eliminated.

In addition, PAM tools help to fulfill the monitoring-specific requirements of various regulations (for example, PCI-DSS, SOX, ISO 2700x, and so on), helping you pass compliance audits quickly and cost-efficiently. All in all, by controlling and auditing the activities of privileged users, PAM solutions help you notably increase your security and compliance level.

Learn More

BalaBit Shell Control Box - A Leading PAM Tool

Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records how system administrators configure your database servers through the SSH protocol, or how your employees make transactions using thin-client applications in a Citrix environment. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible.

SCB is especially suited to supervising privileged-user access as mandated by many compliance requirements, like PCI-DSS. It is an external, fully transparent proxy gateway, completely independent from the clients and the servers. The server and client applications do not have to be modified in order to use SCB; it integrates smoothly into the existing infrastructure. SCB solves exactly those problems introduced in this document.

Figure 5: SCB controls, monitors, records and reports privileged access to remote systems

About BalaBit

BalaBit IT Security is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies. We help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions for a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as "the logging company", based on the company's flagship product, the open source log server application (the syslog-ng Open Source Edition), which is used by more than companies worldwide and has become the globally acknowledged de facto industry standard.

BalaBit, the fastest-growing IT Security company in the Central European region according to the Deloitte Technology Fast 50 (2012) list, has local offices in France, Germany, Russia, and the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.

More information:
Shell Control Box homepage
Request a callback
Request an online demo
Find a reseller

All statements in this report attributable to Gartner represent BalaBit's interpretation of data, research opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this document). The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice.


More information

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Solution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform

More information

Managing Cloud Computing Risk

Managing Cloud Computing Risk Managing Cloud Computing Risk Presented By: Dan Desko; Manager, Internal IT Audit & Risk Advisory Services Schneider Downs & Co. Inc. ddesko@schneiderdowns.com Learning Objectives Understand how to identify

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

The Benefits of SSL Content Inspection ABSTRACT

The Benefits of SSL Content Inspection ABSTRACT The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic

More information

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration Websense Data Security Suite and Cyber-Ark Inter-Business Vault The Power of Integration Websense Data Security Suite Websense Data Security Suite is a leading solution to prevent information leaks; be

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

RETHINKING CYBER SECURITY Changing the Business Conversation

RETHINKING CYBER SECURITY Changing the Business Conversation RETHINKING CYBER SECURITY Changing the Business Conversation October 2015 Introduction: Diane Smith Michigan Delegate Higher Education Conference Speaker Board Member 2 1 1. Historical Review Agenda 2.

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

Compliance and Industry Regulations

Compliance and Industry Regulations Compliance and Industry Regulations Table of Contents Introduction...1 Executive Summary...1 General Federal Regulations and Oversight Agencies...1 Agency or Industry Specific Regulations...2 Hierarchy

More information

MIND THE GAP INFRASTRUCTURE VS. USER-BASED MONITORING

MIND THE GAP INFRASTRUCTURE VS. USER-BASED MONITORING MIND THE GAP INFRASTRUCTURE VS. USER-BASED MONITORING LACK OF USER ACTIVITY MONITORING EXPOSES COMPANIES TO USER-BASED RISK A lthough every organization wants to believe that all threats are external,

More information

ObserveIT User Activity Monitoring

ObserveIT User Activity Monitoring KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger April 2015 ObserveIT provides a comprehensive solution for monitoring user activity across the enterprise. The product operates primarily based on

More information

The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller

The 10 Pains of UNIX Security. Learn How Privileged Account Security Solutions are the Right Painkiller Learn How Privileged Account Security Solutions are the Right Painkiller Table of Contents Introduction: Control Access, Empower Team 3 The 10 Pains of UNIX Security 4 Pain No.1: Protecting the Keys to

More information

SIEM is only as good as the data it consumes

SIEM is only as good as the data it consumes SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to

More information

privileged identities management best practices

privileged identities management best practices privileged identities management best practices abstract The threat landscape today requires continuous monitoring of risks be it industrial espionage, cybercrime, cyber-attacks, Advanced Persistent Threat

More information

Using Skybox Solutions to Achieve PCI Compliance

Using Skybox Solutions to Achieve PCI Compliance Using Skybox Solutions to Achieve PCI Compliance Achieve Efficient and Effective PCI Compliance by Automating Many Required Controls and Processes Skybox Security whitepaper August 2011 1 Executive Summary

More information

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention Whitepaper The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention May 2007 Copyright Sentrigo Ltd. 2007, All Rights Reserved The Challenge: Securing the Database Much of the effort

More information

Conquering PCI DSS Compliance

Conquering PCI DSS Compliance Any organization that stores, processes or transmits information related to credit and debit card payments has a responsibility to protect each cardholder s personal data. To help accomplish this goal,

More information

Results Oriented Change Management

Results Oriented Change Management Results Oriented Change Management Validating Change Policy through Auditing Abstract Change management can be one of the largest and most difficult tasks for a business to implement, monitor and control

More information

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE ebook Series 2 Headlines have been written, fines have been issued and companies around the world have been challenged to find the resources, time and capital

More information

Edit system files. Delete file. ObserveIT Highlights. Change OS settings. Change password. See exactly what users are doing!

Edit system files. Delete file. ObserveIT Highlights. Change OS settings. Change password. See exactly what users are doing! ObserveIT auditing software acts like a security camera on your servers. It provides bulletproof video evidence of user sessions, significantly shortening investigation time. Every action performed by

More information

PineApp TM Mail Encryption Solution TM

PineApp TM Mail Encryption Solution TM PineApp TM Mail Encryption Solution TM How to keep your outgoing messages fully secured. October 2008 Modern day challenges in E-Mail Security Throughout the years, E-Mail has evolved significantly, emerging

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance White Paper Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance Troy Herrera Sr. Field Solutions Manager Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA

More information

How to Develop a Log Management Strategy

How to Develop a Log Management Strategy Information Security Services Log Management: How to develop the right strategy for business and compliance The purpose of this whitepaper is to provide the reader with guidance on developing a strategic

More information

You Can Survive a PCI-DSS Assessment

You Can Survive a PCI-DSS Assessment WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the

More information

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC www.fmsinc.org 1 2015 Financial Managers Society, Inc. Cloud Security Implications

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

The Cloud App Visibility Blind Spot

The Cloud App Visibility Blind Spot WHITE PAPER The Cloud App Visibility Blind Spot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Line-of-business leaders everywhere are bypassing IT departments

More information

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s

More information

The syslog-ng Store Box 3 LTS

The syslog-ng Store Box 3 LTS The syslog-ng Store Box 3 LTS PRODUCT DESCRIPTION Copyright 2000-2012 BalaBit IT Security All rights reserved. www.balabit.com Introduction The syslog-ng Store Box (SSB) is a high-reliability and high-performance

More information

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents

PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise Agents PCI DSS Best Practices with Snare Enterprise InterSect Alliance International Pty Ltd Page 1 of 9 About this document The PCI/DSS documentation provides guidance on a set of baseline security measures

More information

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT

TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT TOP REASONS WHY SIEM CAN T PROTECT YOUR DATA FROM INSIDER THREAT Would you rather know the presumed status of the henhouse or have in-the-moment snapshots of the fox? If you prefer to use a traditional

More information

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

Keep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise

Keep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise Protection as a Priority TM Keep Your Data Secure in the Cloud to ensure your online data is protected from compromise Abstract The headlines have been dominated lately with massive data breaches exposing

More information

Securing Database Servers. Database security for enterprise information systems and security professionals

Securing Database Servers. Database security for enterprise information systems and security professionals Securing Database Servers Database security for enterprise information systems and security professionals Introduction: Database servers are the foundation of virtually every Electronic Business, Financial,

More information

Compliance Guide: PCI DSS

Compliance Guide: PCI DSS Compliance Guide: PCI DSS PCI DSS Compliance Compliance mapping using Huntsman INTRODUCTION The Payment Card Industry Data Security Standard (PCI DSS) was developed with industry support by the PCI Security

More information

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit

White Paper. What Auditors Want Database Auditing. 5 Key Questions Auditors Ask During a Database Compliance Audit 5 Key Questions Auditors Ask During a Database Compliance Audit White Paper Regulatory legislation is increasingly driving the expansion of formal enterprise audit processes to include information technology

More information

Caretower s SIEM Managed Security Services

Caretower s SIEM Managed Security Services Caretower s SIEM Managed Security Services Enterprise Security Manager MSS -TRUE 24/7 Service I.T. Security Specialists Caretower s SIEM Managed Security Services 1 Challenges & Solution Challenges During

More information