SSH.COM CryptoAuditor® Product asset

Page 1

SSH.COM CryptoAuditor is a centrally managed virtual appliance for monitoring, controlling and auditing encrypted privileged access and data transfers.

What is CryptoAuditor?

SSH.COM CryptoAuditor®

Control and audit encrypted 3rd party sessions. See the unseen.

Page 2

SSH.COM CryptoAuditor ®

Cloud and on-premise access for internals and vendors

57% of organizations have more than 100 3rd party vendors with access to their systems.

Do you know how many Nth parties can access your data?

Page 3


Solve the problem of 3rd party access.

CUT THE COST AND RISK OF VENDOR ACCESS
No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of internal and 3rd party privileged access to your digital core. Pay-as-you-use, either direct with SSH.COM or via AWS Marketplace for EC2 deployments.

SIMPLE, TRANSPARENT AND NON-INVASIVE
CryptoAuditor is your trusted audit point. Scalable deployment as virtual appliances at key locations in your environment. No changes to network architecture, no new agents, no user training and no disruption for end users.

INTEGRATE WITH YOUR SIEM, DLP, UEBA, IPS/IDS...
CryptoAuditor integrates with your event, analytics and perimeter security - and your existing multifactor authentication solution. You get an audit trail of encrypted traffic that runs through SSH, SFTP, RDP and HTTPS, with indexed logging and session video playback.

Page 4


Your virtual audit point for 3rd party access.

SSH.COM CryptoAuditor is a centrally managed virtual appliance for monitoring, controlling and auditing encrypted privileged access and data transfers. It’s designed for deployment in front of server farms, databases and network entry points to solve the problem of poorly monitored privileged access, particularly remote vendor access.

It terminates and re-opens privileged user sessions, and inspects and records sessions in real time before re-encrypting and pushing the session forward. Sessions are indexed and stored in an encrypted database for reporting, replay and forensic investigation.

It’s easy to run from the centralized console, and easy to deploy, with no hardware, no agents, no new clients, no user training, and no changes to workflows. It can be deployed in fully transparent mode with no changes to end-user access and login procedures.

SSH.COM CryptoAuditor is cloud-ready, integrates with all major DLP, AV, IDS and SIEM systems, and is used by four of the world’s five largest banks.


Page 5


• Monitor insider and 3rd party access to your digital core
• Control remote access by vendors, consultants, home workers, and M2M and IoT connections
• Define privileged access and activities based on user identity
• Collect forensic evidence for investigations with every keystroke and every pixel
• Protect critical data and minimize credentials abuse by enabling two-factor authentication
• Integrate with existing firewalls, detect attacks earlier and resolve issues in real time
• Address individual accountability even for shared accounts with AD/LDAP infrastructure
• View encrypted SSH, SFTP and Remote Desktop traffic at your boundary
• Prevent data theft with Data Loss Prevention (DLP) and analytics
• Record, store and index session audit trails for searches, replay and reporting, with support for 4-eyes review

Hardened sessions for the trusted vendors of Fortune 500 companies.

Page 6


Cost-effective
No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of 3rd party and privileged access.

Cloud and on-premise
Rapid, scalable deployment. No changes to network architecture, no new agents, no disruption and no user training.

Hardened sessions
Compliant session monitoring and auditing, contextual session control, support for four-eyes authorization – and session video playback.

Page 7


Multiple deployment modes: Bastion (non-transparent), Router (Layer 3) and Bridge (Layer 2 with VLAN support).

Distributed architecture with multiple Hound audit-points and shared vault storage.

High-availability Hound clustering with configurable failure tolerance.

Straightforward auditing of privileged activity, including session replay and video sessions.

Monitor and record SSH, SFTP, RDP, SSL.

Block SSH tunneling to mitigate the threat from user-created backdoors.

Searchable database for quick and easy access to recorded session information.

Real-time 4-eyes authorization for critical access scenarios.

Identity-based policy control with integration to directory services to control privileged access and activities.

Manage users and credentials via HTTP REST-based API.

Certified compatibility with McAfee, RSA, IBM and VCE vBlock.

Integrations with SIEM, IDS, DLP, network AV etc.

FIPS 140-2 certified cryptography (certificate #1747).

Directional control of SFTP: allow upload but not download, or the reverse.

Remote control. Rewind. Relax.

SSH.COM CryptoAuditor is an intelligent proxy designed for deployment in front of server farms, databases and network entry points.


Page 8


Compliance and forensics for regulated industries

Does your board need evidence that 3rd party risk is being assessed, managed, and monitored? Are you mandated by GDPR, PCI-DSS, ISO 27001, or by health or communications authorities to secure your supply chain?


Page 9


Visibility into encrypted sessions missed by SIEMs

Can your SIEM, DLP or UEBA process encrypted session data? Does your IPS/IDS inspect encrypted traffic? Would you like to empower them to do their job?


Page 10


FEATURES AND BENEFITS

Multiple deployment modes: Bridge, Router, Bastion
Fits into diverse network topologies including VLAN-based audit and policy control.

High-availability clustering for Hounds, and configurable failure-tolerance policy
Minimal downtime in the event of a single Hound node failure. If a single Hound node fails, the system can recover and continue relaying new connections.

Transparent network appliance
No need to retrain users to have them use another SSH client or portal, or provide them with new SSH keys.

Session replay, including video sessions
Straightforward audit of privileged activity.

Searchable database
Quick and easy access to recorded session information.

Encrypted storage with audit zones
Audited activity is secured from unauthorized access. Separate audit zones enable access on a need-to-know basis.

Monitors and records SSH, SFTP, RDP
Audit high value, privileged access. Comply with security mandates.

Customizable auditing policies
Focus on high value targets and activities.

Real-time 4-eyes authorization
HTTP REST API for requesting connection authorization from third-party solutions. Extra security layer for accessing critical servers.

Identity-based policy control with integration to directory services
Control which users can access which servers and what activities they can perform.

Distributed architecture with multiple freely-distributable Hound audit-points, and shared Vault storage
Adapts easily to changes in network topologies and business processes, enabling fast deployment and low Total Cost of Ownership.

Integrates with SIEM, IDS, DLP, Network AV
Certified compatibility with major vendors such as McAfee, RSA, IBM and VCE vBlock.

Public and Private Cloud Instance
• Virtual Appliance
• Amazon Machine Image (AMI) available in AWS Marketplace
• OpenStack (on KVM hypervisor)
• Supported platforms: VMware ESXi and MS Hyper-V
• For evaluation purposes: Oracle VirtualBox and VMware Workstation (no production use support)

PERFORMANCE

Throughput
• 930 Mbit/s (unaudited passthrough)
• 400 Mbit/s (single encrypted SFTP connection)

Connections
• Simultaneous connections: 3000 SSH or 300 RDP or 300 SSL/TLS
• New connections per second: 3 SSH or 3 RDP or 10 SSL/TLS

* Setup used in the performance test: HP DL320e Gen8 server running VMware ESXi 5.5, CryptoAuditor VM (4 CPUs, 12 GB RAM)

THIRD-PARTY APPLICATION SUPPORT

SIEM & Syslog
• IBM Security QRadar SIEM
• McAfee Enterprise Security Manager
• Splunk Enterprise
• RSA Security Analytics
• HP ArcSight Logger
• Rsyslog
• Syslog-ng

IDS
• RSA Security Analytics

DLP and Network AV
• RSA Data Loss Prevention Suite
• Symantec Cloud Protection Engine
• McAfee Web Gateway
• F-Secure Internet GateKeeper
* DLP and network AV integration support through the standard ICAP protocol

ssh®, PrivX™, Tectia®, Universal SSH Key Manager® and CryptoAuditor® are registered trademarks or trademarks of SSH Communications Security Corporation and are protected by the relevant jurisdiction-specific and international copyright laws and treaties. Other names and marks are the property of their respective owners. Copyright © 2018 SSH Communications Security Corporation. All rights reserved.


Page 11


DEPLOYMENT AND SYSTEM ADMINISTRATION

High Availability
• Active-Passive redundancy (Hound)
* VMware (and hardware appliance) in production use

Operation
• Transparent bridge and router modes
• Non-transparent bastion mode
• SOCKS proxy functionality for HTTP/HTTPS auditing

VLAN
• Supported in bridge mode

Management
• Web-based admin UI (current version of Mozilla Firefox for optimal experience)
• Dedicated management interface
• CLI

Administration
• On-device management accounts
• AD/LDAP-based management accounts
• Customizable role-based administration and audit rights

HTTP REST-based API
• Managing users and credentials

AUDITING, END-USER AUTHENTICATION & AUTHORIZATION

Inspected Protocols
• SSH (v2), SCP, SFTP, RDP
• Supported protocols can also be audited recursively in SSH tunnels

Audit Levels
• Options between “Metadata only” and “Full channels”

Monitoring and Policy Control
• Rules by protocol, address, port, VLAN, or user group
• Easy-to-use rule verification tool
• Flexible user credential management (through HTTP REST-based API)

End-User Authentication & Authorization
• On-device password or SSH public key
• Passthrough password or keyboard-interactive
• AD/LDAP-compliant directories
• RADIUS
• RSA SecurID/OTP
• X.509 certificate (SSH only), with PIV/CAC smart card support
• HTTP REST API for user authorization
• 4-eyes authorization. Alerts via e-mail; connection accept/reject in the web-based admin UI

Shared account management
• Secure password and SSH-key safe

Other
• OCR-based content recognition for RDP (Latin and Cyrillic)
• Indexing-enabled free-text content searching

SECURITY

Encryption
• Key Exchange: Diffie-Hellman, RSA
• Host Key: RSA, DSA
• Connection: AES-CTR/CBC (128-, 192-, 256-bit), 3DES-CBC, Blowfish, RC4

Data Integrity
• HMAC-SHA-1 (160-bit, 96-bit)
• HMAC-MD5 (128-bit, 96-bit)

Compliancy
• FIPS 140-2 compliant operation through certified OpenSSL library

System Security
• All communication between Hound and Vault secured by TLS
• All information stored in the Vault is encrypted with 128-bit AES
• No user passwords captured and stored

The information in this document is provided “as is” without any warranty, express or implied, including without any warranties of merchantability, fitness for a particular purpose and any warranty or condition of non-infringement. SSH Communications Security products are warranted according to the terms and conditions of the agreements under which they are provided. SSH Communications Security may make changes to specifications and product descriptions at any time, without notice.


Page 12

SSH Communications Security, Inc. Max-Planck-Str. 4 85609 Aschheim

+49 89 [email protected]