End-user Security Analytics Strengthens Protection with ArcSight

Transcription

1 Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security Analytics and ArcSight integration ArcSight is an industry leading and well recognized SIEM (Security Information and Event Management) solution from HP. Like all SIEM solutions, ArcSight can only report on events it receives from logs and other data available in the infrastructure, mainly security appliances, network switches/routers and application servers. SIEM solutions do not receive real-time and contextual data from endpoints, and 70% of organizations say they have endpoint information but it s not useful in helping to discover abnormal activity*. As a result 66% of breaches remain undiscovered for months**. With today s increasingly sophisticated threats, it is imperative that you have instant access and real-time visibility of each and every endpoint to understand what is going on with applications, end-user accounts and privileges, device configurations, network connections and web requests inside and outside the organization, including cloud and SaaS services.

2 With rapid detection and response capabilities, Nexthink End-user Security Analytics enable organizations to block the further spread of intrusions. It isn t about finding a better way to catch malware than your Anti-Virus, it enables you to quickly and easily identify validated programs used for malicious purposes, unauthorized use of authentic accounts, suspicious network traffic, targeted malicious code not recognized by AV signatures, and often a combination of all of the of above! Adding the end-user context analytics from Nexthink into your SIEM solution will allow you to: 1. Detect suspicious activity and advanced threats very quickly during the intrusion process to avoid serious and costly breaches with activity scoring, anomaly detection and cloud-based threat intelligence, 2. Run real-time security operations with continuous endpoint visibility to investigate the current state and compare with others, search for changes in the history of the devices configuration and activities to look for indicators of compromise, 3. Consolidate data using analytics to report on risk status and trends, compliance checks, and proactive prevention strategies, by group of end-user risk profiles, roles and departments. *Source: The Case for Endpoint Intelligence; A SANS Survey **Source: Global State of Information Security PwC,

3 CUSTOMER IT ENVIRONMENT XY has been investing in a variety of IT systems covering all parts of their infrastructure and applications. As a leading retail bank, data security is a major challenge for the IT team. They invested in several solutions to secure the infrastructure and monitor the network and server usage in real-time. However, like almost all companies, they did not have analytics and insight on what is happening on the endpoints.

4 ISSUES, CHALLENGES & OBJECTIVES Bank X faced several major security threats during a very short period of time: 1. A worm outbreak, caused by the Conficker virus, quickly infected several workstations 2. Unusual and suspicious traffic was flagged up by network monitoring tools raising concerns about outgoing spamming activity from within the organization 3. The endpoint antivirus program recorded an increasing number of security incidents The IT team did a manual sample audit of 100 workstations, including the infected ones, over 3 weeks. They found several important issues: 1. Several workstations did not have the latest operating system patch and updates 2. A sample of workstations analyzed were using a vulnerable version of Internet Explorer 3. Conficker infected the organization via a USB removable drive 4. Users were using non-authorized applications 5. 30% of the sample workstations analyzed were not using the current version of the corporate antivirus program and the Windows firewall was deactivated These findings led to more global questions: 1. How can Bank X audit thousands of workstations at the same time to make sure that security policies, configurations, and patching are respected? 2. In the future, how can Bank X be alerted in real-time when these kinds of events happen? 3. Going forward, how can Bank X monitor their endpoint patching activities to guarantee that no endpoint is vulnerable? 4. How can Bank X monitor thousands of end-users to make sure they have the right privileges? 5. How can Bank X make sure the antivirus and the Windows security settings are updated correctly?

5 NEXTHINK BASELINE SERVICE PROJECT To select the best solution XY and their IT technology partner performed extensive market research and analyzed several solutions to find an end-user IT analytics solution that could solve their issues and meet their objectives. XY analyzed several products through proof-of-concepts and thorough testing and selected Nexthink as the end-user IT analytics solution. Nexthink was installed on 1,000 endpoints and laptops. The installation took two days and after a week Nexthink was able to deliver a full security audit on the 1,000 endpoints and laptops: 1. 18% of workstations were using a non-compliant version of Internet browser 2. 47% of workstations did not have the required Windows service pack 3. 3% of workstations were bypassing the probank X to connect directly to the Internet 4. 30% of workstations were using games, cracks, hacking tools and port scans 5. 5% of workstations were using pirated Windows serial numbers 6. 2% of laptops and 3 endpoints were using a USB 3G Mobile Internet device on the internal network while connected to the internal network 7. 12% of workstations had the antivirus disabled or not installed 8. 23% of workstations had the local firewall disabled or not installed 9. 19% of workstations were executing malware from USB removable drives 10. 6% of workstations had active malware endpoints had P2P and remote software tools

6 NEXTHINK PROJECT Nexthink provided XY the complete, continuous, real-time endpoint, end-user and application behavior visibility that they needed; allowing XY to have end-user IT Analytics across all their IT environments. Nexthink s approach allows XY to move from a static view coming from the network to real-time visibility of all the endpoints, from the head office to the most remote branch. Nexthink lets XY measure all the problems from the source (endpoint, end-user and/or application) instead of trying to imagine what the problem was from a remote monitoring point. This unique technology enables XY to identify the root cause of their IT problems in less than 5 minutes as opposed to the hours, days, and weeks that it took before. Nexthink s patented technology allows IT teams to search in seconds through millions of events and months of history. XY is able to detect past security activity generating threats and risks, and to create real-time alerts for the Security Operations Teams.

7 All the endpoint activities are collected and sent to the Nexthink Engine, no configuration was needed regarding the lightweight driver deployed by Nexthink on the endpoints (deploy and forget approach). We were afraid of deploying another agent on the endpoint, but in fact the Nexthink Collector is a driver, not a normal agent. You are not aware of the Collector and it does not affect the performance of the endpoint, said the XY CIO. The Nexthink next generation dashboard Portal was promoted to the XY Risk and Security Compliance unified portal, aggregating information from Nexthink and other software tools. The dynamic and interactive dashboards with the information collected on all the endpoints allow the CIO and the CISO to analyze charts and make decisions based on real data. Today, all the decisions are based on real facts and not assumptions or outdated data. Until now, simple questions like how many endpoints have IE7? were always difficult to answer, with Nexthink it takes 10 seconds and I can even see the history of usage of the IE7, said the XY CIO. The project at XY was divided in three security areas: Risk and Security Compliance, User Behavior Awareness and Malware Activity. For each area, a central dashboard was delivered so the team can monitor the status from a single console. In addition, for each area a set of real-time alerts was configured so an or an SMS could be sent immediately to the team.

8 RISK & SECURITY COMPLIANCE ANALYTICS In the Risk and Security Compliance area, XY requested Nexthink to map their endpoint security policies to have an automated and continuous endpoint audit. Through some customization, Nexthink created dashboards, alerts, reports and investigations to address the requirements and mapped XY security policies. Now even before the external audits, XY Risk and Security teams already know what the results will be and can take action to improve their audit scores and follow up the mitigation measures of the audits in real-time. One of the biggest issues for XY was the PCI DSS compliance, as this is essential to their business. In the previous audits their worst score was the endpoint environment that connects to the PCI cardholder servers. Nexthink addressed the PCI DSS providing visibility about the behavior of the endpoints connecting to the cardholder server through dashboards, reports, alerts and specific investigations to map the PCI DSS requirements for endpoints.

9 Dashboards Antivirus version installed on each endpoint Endpoints not connecting to the AV service Endpoints with AV service availability issues Endpoints with outdated or disabled AV Endpoints with non-corporate AV Endpoints / Applications using blocked ports Endpoints / Applications using port 25 Non-standard applications using port 8080 Endpoints with anti-spyware problems Endpoints with Internet security setting problems Endpoints with local firewall problems Endpoints with Windows updates problems Endpoints running vulnerable application versions Endpoints missing a Windows security pack Endpoints / Applications connecting to the Internet bypassing the official proxy Real-time alerts Endpoints with old versions of AV Endpoints without AV Endpoints with firewall at risk Non-authorized endpoints using port 25 Successful connections through a blocked port Endpoints not running a mandatory Windows pack

10 USER ACTIVITY ANALYTICS For end-user activity, Nexthink provided XY the capability to measure and analyze the activities of their endusers so that a strategy could be defined to improve end-user security awareness and mitigate risky behavior. Before Nexthink was installed, it was very difficult and sometimes impossible to know what end-users were doing, when and what they were using the applications for and the behavior of the applications. Now with Nexthink, XY IT teams can identify the behavior of the end-users and applications without affecting their privacy or performance. Dashboards Usage of Local Administrator Accounts Applications executed from USBs Usage of P2P applications Usage VoIP applications Usage of remote network applications (e.g. LogMeIn) Users of non-authorized applications Users doing scans on the network Real-time alerts Administrative accounts used for non-administrative tasks Users connected to more than 10 endpoints per day Users connected from different branches in less than 1 hour Users executing non-authorized applications Users doing scans on the network

11 NON-BLOCKED MALWARE DETECTION A malware threat is one of the biggest threats faced by organizations. As more and more organizations are affected by worm outbreaks, XY needed to strengthen its measures against these threats. XY needed to know how malware could enter into the network and what were the possible and most exposed entry points for malware in their IT environment. Antivirus technologies are based on heuristics and signatures that cannot detect 100% of malware. Nexthink, through the behavior analysis of all the applications, provided XY the perfect complement to their AV allowing the detection of malware that typically is not detected by leading antivirus vendors. To complement the behavior detection, Nexthink is using its malware database composed of 10 different AV engines. Dashboards Malware threats per region High threats Medium threats Low threats Top 10 endpoints with malware Top 10 malware sources Top 10 malware applications Malware attack destinations Real-time alerts Endpoints with high threat malware Malware communicating with Internet Malware scans Malware spreading using shared folders

12 INTEGRATION WITH ARCSIGHT ArcSight is a leading global provider of security and compliance management solutions that protect businesses and government agencies, mainly through the usage of their most successful product ArcSight ESM. Nexthink was integrated with the ArcSight ESM to solve one of the biggest gaps with the ArcSight event correlation, the lack of events and useful information from endpoints, applications and end-user behavior. After the first Nexthink presentation, XY s teams identified immediately that Nexthink could provide the analytics that were missing to better secure their infrastructure. They couldn t trust Windows events or scanning solutions to monitor their critical environment, not only because of the impact that the scans can have on the network but also because those solutions were not true real-time ones. Before Nexthink, the only events available from the endpoints were the Windows events. Unfortunately, Windows events are not meant to be used for security and can create a lot of problems like false positives and inaccurate information linked to performance issues on the ArcSight ESM. Endpoints are the source of 80% of our security problems. Even with ArcSight we were missing the biggest part of our security issues, ArcSight was not receiving endpoint events and we didn t have any trusted source of events. Windows events are not enough and contain a lot of junk. We were searching for a solution like Nexthink for a long time and now we know that we are monitoring not only the servers and network but our entire IT environment in real-time, said the XY CIO. Nexthink allows ArcSight to meet its full correlation potential and provides the organization the unique ability to have an analytics solution across the entire IT infrastructure. Events like: Machine X doing a scan to Machine Y Machine X executed non-authorized software Machine X with OS and AV outdated doing scan with binary nmap.exe to PCI DSS server

13 Machine X bypassing Internet proxy Machine X using vulnerable application (Internet Explorer 6) Machine X installed LogmeIn Machine X using crack.exe from USB Machine X with Windows XP SP1 connecting to payment system Application teamviewer.exe detected in Machine X, Machine Y and Machine Z Machine X used by 10 users in the last 1 hour Local administrator user JohnP used on Machine Y to install CasinoPoker Machines X, Machine Y and Machine Z send s through port 25

14 CASE 1: USAGE OF VULNERABLE APPLICATIONS 1. James Foe opens Internet Explorer 6 (vulnerable version) 2. Nexthink alerts to the usage of a vulnerable application 3. ArcSight ESM adds James Foe to a watch list 4. James Foe opens the website HackMe.com 5. The IDS sends an alert Website with Exploit to IE6 6. ArcSight correlation matches the Nexthink alert to the IDS alert and sends the alert to the SOC team

15 CASE 2: NON-COMPLIANT / HIGH RISK INTERNET CONNECTIONS 1. James Foe deactivates his laptop antivirus 2. Nexthink sends an alert that laptop DP1023 with user James Foe does not have an active antivirus 3. ArcSight adds James Foe to watch list because of the deactivated antivirus 4. James Foe connects a USB 3G Mobile Internet Modem to the laptop DP1023 to avoid company security systems 5. James Foe opens his browser and starts to navigate directly on the Internet without any kind of security controls 6. Nexthink sends an alert regarding Internet traffic without the corporate probank X usage coming from James Foe 7. ArcSight matches the James Foe Internet behavior with the deactivated antivirus and fires an alert to the SOC team

16 CASE 3: NON-AUTHORIZED EXTERNAL ACCESS TO CRITICAL SERVERS 1. James Foe makes three failed connections and one successful connection to the payment system 2. ArcSight adds James Foe to watch list Possible suspicious user 3. James Foe downloads employee payment documents 4. James Foe executes Remote Access tool teamviewer.exe to provide control to his machine to nonauthorized computer on the Internet 5. Nexthink alerts on the usage of Remote Access to external networks from user James Foe on Laptop DP ArcSight correlates the information from the payment system and Nexthink and fires the alert Problem detected Information Leakage from James Foe on laptop DP1023 to the SOC team.

17 ABOUT NEXTHINK With the addition of more endpoints and with more varied business processes relying upon them, enterprise IT infrastructures are expanding and becoming ever more complex. IT Operations Analytics, or ITOA, a form of real-time analytics recently identified as an emerging and growing sector by Gartner, is set to have a major impact on the IT industry as it develops, enabling new and more cost-effective ways of carrying out business processes and delivering services to end-users. Nexthink is the innovator of End-user IT Analytics for security, ITSM and workplace transformation. Nexthink is recognized as a Cool Vendor in IT Operations Analytics (ITOA). Nexthink maps all the IT services, how they are being consumed, and how the IT infrastructure is operating, from the only perspective that matters most, the end-users (workers). Nexthink s patented self-learning and artificial intelligence construct meaningful patterns and IT analytics. Patterns are analyzed in real-time (every minute), enterprise-wide. Analytics are calculated across time and endpoints to detect possible security threats (new patterns on one or more endpoints) and system failures (common failures across multiple endpoints). What makes Nexthink unique is the real-time analytics of all executions and all network connections and the corresponding real-time visualization that provides new visibility and insight into what it means, in real terms, at that particular moment in time. Nexthink s modular architecture supports customers with more than 250,000 end-user (worker) endpoints. Learn how to get on top of the Big Data challenge posed by today s end-user (worker) computing infrastructure.