Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM

Copyright 2014 SSH Communications Security

Jason Thompson, Director of Global Marketing, SSH Communications Security

Jimmy Mills, Sr. Solutions Engineer, SSH Communications Security

description

• You understand that, if left unmonitored, encrypted channels like SSH, SFTP and RDP pose a risk to the organization and you want to do something about it

• You worry that your SIEM, IDS and DLP solutions are blinded by encryption and you want to gain visibility into your encrypted traffic

• You recognize that conventional “gateway” based PIM products don’t scale and are interested in a network-based PIM solution

• You want to monitor and control all of your encrypted traffic, not just the human users

• You want to learn why one of the world’s largest technology companies (and many others) have recently implemented advanced PIM solutions

• You want a plug-and-play solution that is invisible to end users and easy to deploy – versus all of that gateway and agent-based nonsense

Transcript of Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM

Page 1: Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM

Page 2

SSH Communications Security

Quick Facts:

• Inventors of the SSH protocol

• Listed: NASDAQ OMX Helsinki (SSH1V)

• 3,000 customers including 6 of the 10 largest US banks

What We Do:

• Secure Shell Access Controls & Key Management

• Privileged Identity Management

• Data-in-Transit Encryption

SSH COMMUNICATIONS SECURITY IS THE MARKET LEADER IN DEVELOPING ADVANCED SECURITY SOLUTIONS TO MEET TODAY’S BUSINESS, SECURITY AND COMPLIANCE REQUIREMENTS IN ENCRYPTED NETWORKS.

Page 3

Some of Our Customers

Energy & Utilities

Government

Financial

Retail

Healthcare

Page 4

Problems We Solve

Access Controls

• Discover existing legacy keys and trust relationships in the environment so you know who has access to what

• Lock down the environment so that only the key manager can access the server to deploy, rotate and remove keys

• Continuously monitor the environment for any new keys created outside of the key manager and alert security operations if an unauthorized key is found

• Automatically rotate keys to reduce the likelihood that a compromised key can be used against you and to meet compliance mandates

Privileged Identity Management

• Monitor encrypted traffic to ensure that privileged identities aren't stealing data or violating policy

• At the network level, control what identities can do within authorized servers and prevent workarounds that allow IT administrators to bypass firewalls

• For audit and forensics, store a complete history of privileged user activities and traffic in a secure vault

• Enable layered security solutions such as SIEM and DLP to extend the capabilities of these deployments into your Secure Shell environment

SSH COMMUNICATIONS SECURITY DELIVERS A CENTRALIZED, 360 DEGREE SECURE SHELL MANAGEMENT PLATFORM INCLUDING ENCRYPTION, ACCESS CONTROL AND PRIVILEGED IDENTITY MANAGEMENT

Page 5

Setting the Table

DOWNLOAD THE FORRESTER REPORT AT SSH.COM

Page 6

Organizations Rely On SSH For Numerous Processes

82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SSH & 68% CONSIDER SSH AS IMPORTANT OR CRITICAL TO THE BUSINESS

Page 7

Lack of Visibility Creates a Security and Compliance Challenge

• Many organizations said that they are not monitoring & logging SSH activities

• Only 44% indicated that they have visibility into how many SSH keys are deployed in their environment, and what those authorizations are used for

• Based on real world experience, most organizations only have visibility into interactive user activities*

(*Based on security audits performed by SSH Communications Security)

Page 8

Below The Surface: M2M Identities Are Rapidly Growing

• Most organizations lack sufficient access controls, continuous monitoring, DLP or forensics capabilities in M2M networks

• In many cases, M2M authentications vastly outnumber interactive authentication

• M2M connections can be hijacked by interactive users

• M2M connections often carry high value payloads such as credit card numbers and personally identifiable information

• M2M encrypted communications are rarely monitored and the encryption used to protect the data blinds ops & forensics

[Figure: share of identities. Labels: Interactive (Human) users; 80% of Identities; 20% of Identities]

Page 9

M2M Transactions And Processes Expected To Increase In 2014

• M2M enables a host of business-critical processes like billing, inventory management, backups, failover and disaster recovery

• 62% of US IT decision-makers who said that securing M2M transactions and processes are important or very important activities for their organization expect their company’s use of M2M transactions and processes to increase in 2014

• The rise of big data drives more M2M in the enterprise, largely using Secure Shell to secure communications

Page 10

Scanning and Auditing

SECURE SHELL IS WIDELY DEPLOYED, SEEN AS IMPORTANT, YET SECURE SHELL MANAGEMENT IS LACKING – FORRESTER

Page 11

What is Really Happening

The Content Awareness Gap

• Encrypted M2M and P2M processes can be exploited

• Privileged access is the leading vector for insider and APT attacks

• Lack of visibility, awareness and monitoring

[Diagram labels: External users, hosted and cloud environments, BYOD; Workstation networks; Servers and network devices; FW; IPS/DLP; SIEM]

$ cd /trans
$ cat t1101.dat
AMEX 1101922
VISA 38293928

What Layered Defenses See

Fj3()54kj(r¤/DiwIR383EW/3#)k)”#(#(¤¤#)”)mjvcmfis(34j348fR)#

Page 12

Major Incidents and Threats

• Feb 2014 / Careto (The Mask): “Extremely sophisticated” Advanced Persistent Threat identified

– Targets a long list of documents, encryption keys, SSH keys, VPN configurations, and RDP files

– Campaign was active for ~7 years and directed towards government agencies, embassies, diplomatic offices and energy companies

• Nov 2013 / Fokirtor: Symantec researchers discovered a new backdoor

– Targets the Linux operating system and is capable of stealing login credentials from secure shell (SSH) connections

– Attackers could have accessed the encryption key that secured the unnamed organizations' internal communications

• June 2013 / Edward Snowden: Attack vector still unknown, however recent high-level statements show that keys were probably used to execute the attack

– U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to gain access to NSA files that he should not have had access to by fabricating digital keys

– An NSA employee resigned from the agency after admitting to federal investigators that he gave former NSA analyst Edward Snowden a digital key that allowed him to gain access to classified materials (AP)

• April 2013 / Insider Attack: A former HostGator employee used an SSH key to gain unfettered access to 2,700 servers, potentially putting thousands of their customers’ websites at risk

Page 13

Three Best Practices To Secure M2M

Kill your data to augment data security

Killing data removes value from the data through proper encryption. The SSH protocol can do this internally for M2M transactions and processes. Effective encryption will help prevent the repeat of a Snowden/NSA-type data breach.

Treat M2M identities like human user identities

The identity one machine uses to access another machine’s applications or data is an attractive target of attack. The basic onboarding, off-boarding, audit and monitoring controls widely applied to identities assigned to human users must also be applied to machine-based identities.

Centralize SSH management

Centralization helps security and makes it easier to meet compliance, frees up staff time, improves visibility and allows for faster response time to policy violations & exploits. Compliance is the biggest driver of security spend. Most companies have compliance mandates such as PCI or HIPAA. In a post-Snowden world, look for auditors to ask about Secure Shell identity and access management. You have to do it anyway; let’s make it easy.

FEW BUSINESS LEADERS TODAY MAKE THE ASSOCIATION BETWEEN M2M SECURITY AND SSH MANAGEMENT WITH DATA SECURITY AND COMPLIANCE. IT’S TIME TO CHANGE THAT PERCEPTION WITHIN ORGANIZATIONS – FORRESTER

Page 14

Conventional vs. Advanced PIM

Advanced

• Monitors 100% of network traffic, human or machine

• Content-aware, provides context as to what the user is doing

• Proactive data loss prevention capabilities, integrates into DLP, IDS, SIEM – stop attackers in their tracks

• Advanced search capabilities, video replay and vault enables fast and easy forensics

• Applies policy with centrally controlled, role based access controls

• Can be deployed as a gateway and/or as an inline appliance

• An SSH firewall: stops PIs from creating workarounds by denying sub-channels

• Can be deployed inside the perimeter or in tandem with the firewall as a perimeter security solution

Conventional

• Primarily designed to identify privileged “human” users

• Lacks content-awareness capabilities

• Passive “wait until you’re breached” approach

• Basic recording with limited search capabilities

• Primarily used in a gateway or jump host setup

• Can’t apply policy and provides limited to no access controls

• Typically deployed inside the perimeter

Page 15

Success Proves Need

• Top 10 global technology company selects CryptoAuditor to deliver inline, transparent monitoring of Secure Shell tunnels in order to prevent unauthorized transfer of high value intellectual property.

• Major European securities depository selects CryptoAuditor to monitor and control external application developers and administrators working in their data centers

• One of Europe’s largest cloud and IT services providers selects CryptoAuditor to monitor, enforce policy and control access to 30,000+ hosts

Page 16

Thank You