HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS

Transcription

1 HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS The 20 Critical Security Controls published by the SANS Institute are a practical set of tactics focused on protecting an organization s IT infrastructure against the most common security risks. Hundreds of organizations, including the US National Security Agency, the British Centre for the Protection of National Infrastructure, and the US Department of Homeland Security Federal Network Security Program, have shifted from a compliance focus to a security focus by adopting these controls. SANS 20 Critical Controls reflect the consensus of major organizations with a deep understanding of how cyber-attacks are carried out in the real world, why the attacks succeed, and what specific controls can stop them or mitigate their damage. ObserveIT s User Activity Monitoring solution addresses many of the 20 Critical Controls in ways that go well beyond the essential technical requirements. Even once organizations have satisfactorily secured their servers and applications from external attacks, the user activity threat remains in full force. This is because the company s employees, administrators and contractors are authorized to operate inside the security perimeter, rendering most traditional security mechanisms nearly useless. It is the activities of authorized users (or outsiders who manage to gain access to authorized user accounts) within applications that pose the greatest IT security risk. Both industry research and the rapidly-growing list of incidents in the news confirm this unfortunate reality. Read on to learn how ObserveIT s User Activity Monitoring solution addresses 7 of the 20 SANS Critical Security Controls. CSC #2: Inventory of Authorized and Unauthorized Software CSC 2-4 specifies, Deploy software inventory tools throughout the organization covering each of the operating system types in use, including servers, workstations, and laptops. As part of its User Activity Monitoring functionality, ObserveIT captures the name of every application run by every user on every monitored server and desktop. This makes it easy to automatically run periodic reports (which are sent to designated recipients) listing every application used during a given time period. These reports include all the users who ran each application and even a video button that plays back the screen recording of the selected time that the application was run. This makes it child s play for an administrator to quickly determine if any application usage posed a danger to the organization. Here is a portion of such a report: OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 1

2 CSC 2-3 specifies, Perform regular scanning for unauthorized software and generate alerts when it is discovered on a system, and CSC 2-6 specifies, Dangerous file types (e.g.,.exe,.zip,.msi) should be closely monitored. ObserveIT s rule-based alerts feature is ideally suited to both these controls: by defining lists of application names and/or file types (or even the actual names of sensitive files), administrators can receive real-time notifications any time any user accesses one of the specified applications, file names or file types. A definition for this kind of alert rule might appear like this: OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 2

3 CSC #4: Continuous Vulnerability Assessment and Remediation, and CSC #16: Account Monitoring and Control Assessing the vulnerability of network, hardware and software infrastructure is critical, but so is assessing the risks posed by users and their activities in applications and servers. Likewise, it is critical to monitor user accounts and to profile usage patterns of user accounts (as enumerated in CSC 16-5, Regularly monitor the use of all accounts, and CSC 16-13, Profile each user's typical account usage). ObserveIT s User Behavior Analytics helps to secure a company s data and systems by automatically and continuously profiling the behavior of every user. After initially profiling the typical, expected behavior of each type of user (and even individual users), these systems are able to automatically detect behavioral anomalies that may indicate negligent or fraudulent activities. For example, if a hacker gains access to a login account, his behavior will appear very differently than the real business or IT user who normally logs in with that account. Another example is a user who is suddenly accessing new resources for the first time, or running unusually large reports. There are numerous types of behavior anomalies that may trigger detection. Examples include: OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 3

4 running unusual applications accessing unusual systems, files or others resources performing unusual types of operations or running rarely-used commands generating larger-than-usual reports executing a larger number of actions than usual within a given time frame accessing systems from unusual client machines logging in outside normal/expected hours of the day or days of the week ObserveIT s User Behavior Analytics detects these behavioral irregularities and alerts IT security staff about them in real time. The security administrator can then observe the suspicious user session via a streaming video broadcast of the user s desktop, or review the user activity logs generated by the current session (and past sessions). If deemed necessary, administrators can instant-message the user via the desktop or even shut down the session from within the same interface. For lower-severity incidents, such as non-critical out-of-policy behaviors, administrators can later review session transcripts and/or videos to determine if irresponsible or dangerous activities had taken place. CSC #6: Application Software Security Despite an organization s best efforts to ensure that the software used on their networks is secure and that the latest patches/upgrades are applied, software-based vulnerabilities will always remain inevitable. This is true both because software may still have weaknesses to hacking attacks, but also because even hardened software can be abused by the users authorized to use it. For both reasons, it is therefore critical to continuously monitor all user activity within applications. Whether by negligence, carelessness or malicious intent, employees and contractors alike can do things within applications that threaten a company s data and systems. It is extremely difficult to identify unauthorized activity among authorized users, given the large number of actions performed every day by all types of users. However, when organizations fail to notice abnormal activity patterns in the context of IT and business user actions, both hackers and internal malicious users are able to steal, leak or destroy valuable data. Examples of IT administrator activities that can impact on the security of an organization include: Making changes to configuration files that can cause systems to fail Creating unauthorized local or remote access accounts (e.g., VPN or SSH) Escalating privileges on Unix/Linux machines using sudo Changing the administrator or root password Using admin credentials on one machine to leapfrog to a more restricted machine Installing backdoors to enable later penetration Running malicious code that causes denial of service (DOS) to critical services Tampering with data by intentionally modifying data or code Examples of business user activities that can impact on the security of an organization include: Running a report in an application that exports a huge amount of sensitive data Innocently uploading sensitive data to a third-party cloud application, exposing it in various ways Deliberately sharing sensitive data with others via , cloud application, thumb drive, etc. OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 4

5 Installing a remote desktop application to work from home, thus opening a remote back door into the network Responding to a phishing , thus granting network access to a hacker Visiting unauthorized websites that could install malware on the network ObserveIT addresses this gaping security gap with a combination of: Configurable real-time alerts Security administrators can manually define any number of simple or complex alert rules to generate real-time alerts about particular user activities that they want to know about, whenever they occur. When user-based attacks occur, every second counts. The longer a threat goes undetected, the more damage a company will incur in terms of both financial costs and brand reputation. Without the ability to monitor user activity in real-time, companies will continue to suffer from undetected user-based breaches, significantly increasing the scope and costs of those breaches. Bullet-proof IT forensics ObserveIT provides fast, easy and incontrovertible evidence of all actions performed within applications. Keyword-searchable user activity logs and session screen recordings are invaluable for IT troubleshooting, root cause analysis and incident investigations. If user actions are responsible for a system failure, data leak or any other incident, administrators will be able to quickly discover exactly who did what, where, when and how. The deterrence factor ObserveIT s User Activity Monitoring has an effect similar to speed cams on the highway: because users are informed upon every login that their actions are being monitored and recorded, instances of unsanctioned and reckless activity fall dramatically. This is not theoretical; system and security administrators consistently report that, after deploying User Activity Monitoring, employees and contractors alike exhibit much more cautious behavior when accessing sensitive data and systems. CSC #10: Secure Configurations for Network Devices CSC 10-3: Use automated tools to verify standard device configurations and detect changes. All alterations to such files should be automatically reported to security personnel. ObserveIT allows administrators to visually record, replay, monitor and audit all configuration changes made to network devices. Network devices including switches, routers, hubs, firewalls and IP telephony exchanges are the backbone on which businesses run. While making changes to the configuration settings of these sensitive devices is frequently necessary, both human error and malicious intent by those with administrative access have the potential to cause disaster. The most common way these changes are tracked today is by accessing the logs OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 5

6 maintained by these devices. However, these logs are very technical and were designed by developers for debug purposes and not to provide the types of information of interest to IT admins, security officers and auditors. Because these logs are so difficult and time-consuming to understand, they are not very useful for most investigation and decision-making processes. ObserveIT offers an easy-to-understand visual monitoring and auditing solution for network device configuration changes, featuring: Full recording and playback of every user action while working in configuration utilities Keyword-searchable activity logs of all keyboard activity, mouse clicks and on-screen output Custom alerts based on user-definable granular triggers Tight integration with log management, SIEM, network monitoring and IT ticketing systems If not already the case in the organization, access to the all device configuration user interfaces should be restricted to access via a gateway (e.g., Unix/Linux using SSH, Windows Terminal Server, Citrix). The ObserveIT agent software is installed on the gateway and configured to record all user activity performed while configuring network devices. ObserveIT then generates a comprehensive record of all user activity, including screen video recordings, detailed (searchable) user action log data and easy-to-read summary reports of every session. An additional advantage of this approach is that users can be restricted from logging into a particular device s configuration utility unless they have a valid ticket number from an IT ticketing system (ObserveIT validates the supplied ticket number against ticketing systems such as ServiceNow in real-time). Furthermore, all ObserveIT activity data can be incorporated into a SIEM or networking monitor system for user activity reporting within those environments. CSC #12: Controlled Use of Administrative Privileges CSC 12: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. As recommended by the controls specific in CSC 12, it is very important to minimize the use of privileged accounts within the organization, to enforce strict password controls, to implement two-factor authentication and to ensure that there is executive-level approval of all privileged accounts. However, even once all of these recommendations have been implemented, two important gaps remain: 1. Identification of the actual people logging in using shared administrator accounts (such as administrator, dba, sa and root) it is not enough to log that someone logged in to a system using a shared administrator account; it is very important to know who logged in using that account. 2. Visibility into what users are doing once they ve logged in to sensitive systems using privileged credentials the use of administrator accounts will always be necessary; it is very important to monitor, record and OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 6

7 user activity once they ve logged in and to generate real-time alerts when suspicious activities are detected. ObserveIT comprehensively addresses both of these requirements: ObserveIT Secondary Identification ObserveIT features a built-in privileged user identification solution which ensures unambiguous identification of individual users accessing shared accounts. After logging in to a Windows or Unix/Linux server using a shared account, ObserveIT requires valid individual credentials as well. (When logging into server using a named-user account, this secondary identification window does not appear.) This is how it appears in Windows: Not only does this approach record the name of the actual person logging in to a server using a shared administrator account, it is also a form of two-factor authentication: even if a hacker were to gain access to the password for an administrator account, he would not be able to log in without a user s individual credentials. Screen capture recording and user activity logging ObserveIT provides unparalleled visibility into everything that users are doing on company servers. From the moment that a privileged user logs in until the last keystroke or mouse click of the session, ObserveIT records every screen for later (or real-time streaming) video-like play-back. The software also captures an easy-to-read user activity log so that watching the video is not necessary to get a basic understanding of what the user was up to during the session. Furthermore, the software provides keyword-based search of all activity logs and screen video recordings, making it easy to find any action of interest from among thousands of hours of session recordings. Security administrators and auditors can search by the names of applications run, the titles of windows opened, commands executed, files/resources accessed, text typed/pasted-auto-corrected, checkboxes and radio buttons clicked and much more. Finally, real-time alerts provide immediate awareness of suspicious, dangerous and out-of-policy behaviors. Only this level of visibility ensures that accounts are not being abused by employees, contractors or hackers. OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 7

8 CSC #14: Maintenance, Monitoring, and Analysis of Audit Logs CSC 14: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack. The specific CSC control implementations relate to system logs, such as those generated by operating systems, network devices, firewalls, IDS/IPS, proxies and remote access systems. While it is very important to correlate, monitor and audit these logs, the fact is that they focus on infrastructure and thus leave open a huge security blindspot: user activity. This blind-spot is the result of three main factors: 1. Logging data is only available from systems, devices and applications which generate logs. Because many critical user actions do not generate any logs at all, there is no data to analyze. 2. The available log data was designed mostly for the purposes of debugging and tracking system changes, and is not suited for understanding and tracking user activity. 3. Logs typically contain hundreds or thousands of discrete events in obscure technical language, while relying on complex and unreliable correlations, making it nearly impossible for anyone but a top security expert with lots of time (and a specific purpose) to determine or infer what a user actually did. To effectively address user-based risks, it is critical for organizations to understand exactly what users are doing with company systems, data and applications. Adding ObserveIT s User Activity Monitoring to an organization s existing security ecosystem fills this critical cyber-security gap and dramatically reduces the time it takes to identify and respond to suspicious user activity, security incidents and data breaches. By integrating ObserveIT s User Activity Monitoring with existing log management, SIEM, IAM and ITSM solutions, organizations gain a complete user- and infrastructurebased security view. Instead of investigating security incidents by drilling down into arcane system logs, security administrators can simply click into actual video playback of user activity at any particular point in time. Also gained is the ability to integrate user-based alerting and reporting. In addition to streamlining incident response for system- and infrastructure-level issues, organizations gain complete visibility into user-based risks and attacks to which they were completely blind before. OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 8

9 WHAT IS USER ACTIVITY MONITORING? ObserveIT s User Activity Monitoring system generates video recordings of every user session, providing unparalleled insight into what is being done on company servers and desktops. Whereas standard logs collect data on server and network activity, session recordings and logs focus on the user activity within the operating system and every application (commercial, bespoke, legacy and cloud). This granular, user-focused monitoring capability offers a detailed and invaluable tool with which to understand what application users, administrators and remote contractors are doing on monitored servers. ObserveIT goes far beyond simply recording the on-screen activity to video: the software transcribes every session into an easy-to-read user activity log so that watching the video isn t necessary to know what the user did. Clicking on any particular event in the log launches the video playback from that exact moment. This activity analysis is also used to generate keyword-searchable video indexes, real-time user activity alerts and comprehensive user activity reporting. Integration with other systems including log analysis, security information and event monitoring (SIEM), access control and IT ticketing systems further leverages the value of the session recordings and text logs by making them readily available when and where they are needed. Learn more about ObserveIT at OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 9

10 ZERO-GAP MONITORING, ANALYSIS, ALERTING AND INTERVENTION ObserveIT monitors, records and analyzes all user activity in every application, webpage and window, over any connection method (Remote Desktop, Terminal Services, GoToMyPC, LogMeIn, PC Anywhere, local login, etc.). ObserveIT also records Windows sessions running as Citrix published applications, in Citrix virtual desktops and VMware environments, as well as standalone Windows, Unix/Linux desktops and servers. Addressing a major security gap in most organizations, ObserveIT generates user activity logs and screen recordings for commercial, legacy, bespoke and cloud apps, including those with no internal logging facilities of their own. Administrators can watch live sessions and can even lock a session and user account from within ObserveIT if they wish to immediately stop a suspicious activity. This is particularly useful in the event that the system generates a real-time alert: the administrator receiving the alert can view all activity occurring in the live session screen, rewind to see the actions that led up the alert and take immediate action to halt the session. Additionally, the recordings and resulting user activity logs are valuable for root cause analysis, ad hoc IT forensics and regulatory compliance audit reporting. Reports can be customized to specific business needs and can be scheduled or run on demand. LOW RESOURCE REQUIREMENTS ObserveIT utilizes ultra-efficient data storage, requiring less than 250GB/year for a high-usage, 1000-server environment. The local agents have a minimal footprint of 1%-2% CPU utilization, 10 MB RAM during session and 0% CPU when users are inactive. OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 10

11 OBSERVEIT FEATURE HIGHLIGHTS Screen capture recording plus video activity analysis for searchable, text-based logging of all user activity Real-time alerts provide immediate awareness of suspicious, dangerous and out-of-policy behavior Advanced keylogging enables keyword searching to instantly find any on-screen mouse or keyboard action Records actions in all system areas and all apps zero-gap recording of all commercial, legacy, bespoke and cloud apps plus all system areas Supports all connection methods, including local login, Remote Desktop, Terminal Services, PC Anywhere, Citrix, VMware, VNC, Dameware, etc. SIEM, NMS and IT ticketing system integration for better security and easier investigations including direct links to session replay and user activity logs Privileged User Identification, without requiring password rotation or check-in/check-out Threat detection console detects and pinpoints suspicious activity DBA Activity Audit monitors and audits all SQL queries executed by DBAs against production databases Pre-built and customizable audit reports can be exported to Excel or XML, or scheduled to run automatically for delivery TRUSTED BY CUSTOMERS OBSERVEIT IDENTIFY AND MANAGE USER-BASED RISK Start monitoring in minutes, free: OBSERVEIT HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS 11