SHELL CONTROL BOX
Best-of-breed Privileged User Monitoring
BALABIT
• Log Management: syslog-ng
• Privileged User Monitoring: Shell Control Box
• User Behavior Analytics: Blindspotter
Leading Provider of Contextual Security Intelligence
PRIVILEGED ACCOUNT MISUSE
• 55 %: Internal misuse by PRIVILEGE ABUSE
• 60 %: Incidents by SYSTEM ADMINS
• 40 %: Top threat actions by STOLEN CREDENTIALS
* Source: Verizon 2015 Data Breach Investigations Report
BALABIT
SHELL CONTROL BOX
Best-of-breed Solution for Privileged User Monitoring
SHELL CONTROL BOX
Privileged User Activity Monitoring
Controls privileged access to remote servers
Prevents malicious actions
Records activities into movie-like audit trails
Reports actions for compliance and/or decision support reasons
TURNKEY, INDEPENDENT AND TRANSPARENT AUDITING
GRANULAR ACCESS CONTROL
4-EYES AUTHORIZATION & REAL-TIME MONITORING
REAL-TIME PREVENTION OF MALICIOUS ACTIVITIES
Prevent malicious actions, not just record them!
FAST IT TROUBLESHOOTING & FORENSICS
MOVIE-LIKE PLAYBACK OF RECORDED SESSIONS
HOST INDEPENDENT REPORTING
REPORTS ON:
• Usernames,
• Configuration changes,
• Most used commands,
• Privilege escalations,
• Source & destination hosts,
• Access channels,
• Failed logins,
• PCI DSS status, etc.
SEAMLESS ENTERPRISE INTEGRATION
MARKET DRIVERS
1. COMPLIANCE
• International standards
• Local legislation
• Company policy
2. SECURITY
• Monitor IT staff
• Control outsource & cloud admins
• Audit terminal services users
3. OPERATIONAL EFFICIENCY
• Fast Troubleshooting & Forensics
• Quick audits
KEY QUESTIONS TO ANSWER…
01 Can you ensure the accountability of your staff?
02 Can you monitor the actions of your "superusers"?
03 Can you reliably control your outsourcing partners?
04 Do you really know "who did what" on your key servers?
05 Are you sure you'd pass audits concerning user monitoring?
TESTIMONIALS
"Balabit SCB is the only serious product on the market that is capable of securely monitoring SSH sessions"
Øyvind Gielink, IT Security Officer, Telenor
"Balabit is the first company in IT business, which provided a solution in promised time..."
Michael Fendt, System & Network Engineer, Fiducia IT
"SCB is a core component of Alfa Bank's new Information Security Strategy."
Andrey Fedotov, Head of IT Security, Alfa Bank
seth.vander.meer@balabit.com
More information: www.balabit.com

Balabit - Shell Control Box

Editor's Notes

  • #3: Balabit, headquartered in Luxembourg, is a leading provider of contextual security technologies with the mission of preventing data breaches without constraining business. Balabit operates globally through a network of local offices across the United States and Europe, together with partners. We are a well-established company, headquartered in Europe with a major R&D center in Budapest, Hungary. Have you heard of Balabit, or do you have any experience of our products? Even if you aren't aware of us, it is likely that somewhere you are using one of our products, Syslog-NG. Balabit is actually the leader in trusted log management, for the reliable and secure collection of logs from devices, systems, applications, users and many more sources. This means we have extensive capability to gather the circumstances surrounding an event, i.e. context, and we make it understandable to machines and humans through functionality such as filtering, normalization and enrichment. You may also know us for Privileged User Monitoring. Many large organizations across the globe use our Shell Control Box product to keep track of privileged and VIP users. SCB records user sessions and makes them searchable. This is important for compliance, and it is also important for security and the prevention of privileged account misuse (for example by an attacker). SCB can detect actions that may be risky (for example a shutdown command) and intervene if the user is not authorized to issue such a command. The search and video replay capabilities allow security teams to drill down into the circumstances surrounding risky user activity. Our latest product, BlindSpotter, is emerging as a thought-leading product in the use of machine learning and algorithmic analytics of user behavior to identify risks that were previously unknown and could not be detected through traditional pre-defined pattern and rule-based approaches to security.
Because it baselines user activity and then discovers activity that is out of context, it can focus in on indicators of compromise that are unique to your business and could not be identified in any other way. But more of that later.
  • #6: Shell Control Box (SCB) is an activity monitoring appliance that controls access to remote servers, virtual desktops, or networking devices, and records the activities of the users accessing these systems. For example, it records system administrators configuring your database servers over the SSH protocol, or your employees making transactions using thin-client applications in a Citrix environment. The recorded audit trails can be replayed like a movie to review the events exactly as they occurred. The content of the audit trails is indexed to make searching for events and automatic reporting possible. SCB is especially suited to supervising privileged-user access as mandated by many compliance requirements, like PCI-DSS. It helps you answer the question of who did what and when on your critical servers.
  • #7: Fast deployment appliance with extremely low TCO: SCB is a turnkey network appliance; its implementation and configuration is fast and simple. Compared to competitors, there is no need to purchase and install any additional software (e.g. Windows or MS SQL servers) or hardware to have SCB fully functioning. Full implementation typically takes only 3-5 days! After deployment, SCB operates in the background like the black box of an airplane; there is no extra workload needed to operate it.
Independent, agentless device: Compared to agent-based solutions, there is no need to install and update agents on clients or servers, eliminating unnecessary maintenance and potential security issues. As a host-independent gateway, SCB can control and monitor access to any type of system, including all Windows/UNIX/Linux servers, mainframes, network devices, security devices, web-based applications or thin-client environments such as VMware View, Citrix XenApp or XenDesktop. SCB is an independent audit solution which perfectly separates the monitoring system from the monitored system. It extracts information from the raw network traffic and reconstructs the original session between the endpoints. This prevents anyone from modifying the extracted audit information, as the administrators of the server have no access to the SCB.
Transparent, "router-like" operation: As a proxy gateway, SCB can operate as a router in the network, invisible to the user and to the server. As a transparent solution, SCB requires minimal changes to the existing network. Also, since it operates on the network level, users can keep using the client applications they are familiar with and do not have to change their work processes, unlike with jump host solutions. All in all, by supporting the most platforms and protocols on the market, SCB can be implemented in extremely heterogeneous IT environments.
  • #8: Since SCB has full access to the inspected traffic, security managers can granularly control who can access what and when on the servers. For example, they can selectively permit or deny access to protocol channels: enable terminal sessions in SSH but disable port forwarding and file transfers, or enable desktop access in RDP but disable file sharing.
  • #9: SCB supports the 4-eyes authorization principle. This is achieved by requiring an authorizer to allow administrators to access the server. The authorizer also has the possibility to monitor the work of the administrator in real time, with the option of instant connection termination.
  • #10: SCB can monitor the traffic of certain connections in real time, and execute various actions if a certain pattern (for example, a particular command, window or text) appears in the command line or on the screen. SCB can also detect numbers that might be credit card numbers. The patterns to find can be defined as regular expressions. In case of risky, unwanted or suspicious user action, the following actions can be performed:
    • Log the event in the system logs.
    • Immediately terminate the connection.
    • Send an e-mail or SNMP alert about the event.
    • Store the event in the connection database of SCB.
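As an added example (not Balabit's code and not SCB configuration), the Python sketch below shows the mechanism this note describes: regular-expression rules applied to each command typed in a session, a candidate-plus-Luhn check behind the "might be a credit card number" detector, and a per-rule list of the four response actions named above. The rule set, the action names, the prompt format and the sample session lines are all constructed for the demonstration.

```python
"""Real-time content monitor for a recorded terminal session (illustrative).

Constructed example: the rules, actions and sample session below are
assumptions made for this demonstration, not Shell Control Box settings.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Strip a "user@host:path$ " prompt so command rules can anchor at line start.
PROMPT = re.compile(r"^\S+@\S+:\S*[$#]\s*")
# Split compound commands on ; && || and | so each part is checked on its own.
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\|?)\s*")

# Each rule: a name, a regex applied to a single command, and the actions to
# take on a match. Action names mirror the four responses listed in the note
# (log, terminate, alert, store); carrying them out is outside this example.
COMMAND_RULES = [
    ("shutdown-command",
     re.compile(r"^(?:sudo\s+)?(?:shutdown|reboot|halt|poweroff)\b"),
     ["log", "terminate", "alert", "store"]),
    ("recursive-root-delete",
     re.compile(r"^(?:sudo\s+)?rm\s+(?:-\S+\s+)*/\s*$"),
     ["log", "terminate", "alert", "store"]),
]

# 13-19 digit runs, optionally separated by spaces or dashes, are candidates;
# the Luhn check below filters out most random digit strings.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
CARD_ACTIONS = ["log", "alert", "store"]


@dataclass
class Verdict:
    line_no: int
    rule: str
    actions: list[str]
    excerpt: str


def commands_in(line: str) -> list[str]:
    """Return the individual commands typed on one terminal line."""
    body = PROMPT.sub("", line)
    return [c for c in SEPARATORS.split(body) if c]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits in anything we log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line_no: int, line: str) -> list[Verdict]:
    """Apply command rules to each command and the card detector to the screen text."""
    verdicts: list[Verdict] = []
    for command in commands_in(line):
        for name, pattern, actions in COMMAND_RULES:
            if pattern.search(command):
                verdicts.append(Verdict(line_no, name, list(actions), command))
    for match in CARD_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            verdicts.append(Verdict(line_no, "possible-card-number",
                                    list(CARD_ACTIONS), mask(digits)))
    return verdicts


def scan_session(lines: list[str]) -> list[Verdict]:
    verdicts: list[Verdict] = []
    for line_no, line in enumerate(lines, start=1):
        verdicts.extend(scan_line(line_no, line))
    return verdicts


def must_terminate(verdicts: list[Verdict]) -> bool:
    """The session is cut as soon as any matched rule carries the terminate action."""
    return any("terminate" in v.actions for v in verdicts)


# Constructed sample: what an auditor would see on the admin's screen.
SAMPLE_SESSION = [
    "dbadmin@db01:~$ ls /var/lib/postgresql",
    "dbadmin@db01:~$ man shutdown",
    "dbadmin@db01:~$ cat /tmp/export.csv",
    "alice,4111 1111 1111 1111,2026-01",
    "bob,1234567890123456,2026-02",
    "dbadmin@db01:~$ cd /tmp && sudo shutdown -h now",
]

if __name__ == "__main__":
    found = scan_session(SAMPLE_SESSION)
    for v in found:
        print(f"line {v.line_no}: {v.rule} -> {', '.join(v.actions)} ({v.excerpt})")
    print("terminate:", must_terminate(found))
```

Two details matter for false positives: anchoring the command rules at the start of each split command means "man shutdown" is not treated as a shutdown, and the Luhn check drops the second sample row, whose 16 digits are not a valid card number. Only a masked excerpt is kept in the verdict, since the monitor's own log must not become another copy of the card data.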
  • #11: Connections can be searched from the SCB web interface based on their metadata as well as their actual content. Audit trails are indexed, which makes the results searchable on the SCB web GUI. It is also possible to execute searches across a large number of audit trails to find sessions that contain specific information or a specific event. SCB can also execute searches and generate reports automatically for new audit trails.
  • #12: SCB records all sessions into searchable audit trails, making it easy to find relevant information in forensics or other situations. The Audit Player application replays the recorded sessions just like a movie; all actions of the administrators can be seen exactly as they appeared on their monitor. The Audit Player enables fast forwarding during replays, and searching for events (for example, mouse clicks or pressing Enter) and for text seen by the administrator.
  • #13: SCB supports the creation of custom PDF reports and statistics, including user-created lists, statistics and charts based on search results, the contents of audit trails, and other customizable content. SCB can also execute searches and generate reports automatically for new audit trails. These content reports provide detailed documentation about user activities on remote IT systems. To help you comply with the regulations of the PCI DSS, SCB can generate reports on the compliance status of SCB.
  • #14: SCB can smoothly integrate into your heterogeneous IT environment, including your existing security environment. SCB fits into your security environment by removing its blind spots.
Password management: In addition to storing credentials locally, SCB integrates smoothly with Enterprise Random Password Manager (ERPM), Lieberman Software's privileged identity management solution, as well as with Quest eDMZ, Thycotic, CyberArk and other widely used password management systems via customizable plugins. That way, the passwords of the target servers can be managed centrally using the external password manager, while SCB ensures that the protected servers can be accessed only via SCB, since the users do not know the passwords required for direct access.
System management: SCB can also send SNMP alerts to third-party system monitoring tools. Several aspects of SCB can be remotely managed with third-party system management solutions, such as HP OpenView or IBM Tivoli. It offers a web-services based API and a RESTful API for custom application integration or remote SCB configuration and management.
Integration with third-party workflow and ticketing systems: SCB provides a plugin framework to integrate it with external helpdesk ticketing (or issue tracking) systems, allowing it to request a ticket ID from the user before authenticating on the target server. That way, SCB can verify that the user has a valid reason to access the server, and optionally terminate the connection if they do not. Supported systems: BMC Remedy, ServiceNow.
SIEMs: Accountability audit reports are only as good as the logs that are collected. So if your cloud apps or legacy apps don't generate logs, your audit reports will have gaps. SCB fills this gap by generating records for every app, even those with no internal logs! And these records add bulletproof evidence, via ties to video replay. It is possible to send SCB logs to an external log management or SIEM solution such as SSB, Splunk or HP ArcSight to make more reliable forensic investigations possible.
  • #15: These are the market drivers for SCB: regulations, company policies, forensics, IT partner management and sometimes general distrust of staff. These key words are in our customers' minds and influence the buying process.
    • Compliance: Pressure for compliance with local regulations and/or industry standards (for example, PCI specifies that every bank, merchant or government organization handling credit card data must audit admin activity as well!).
    • Company policy enforcement: Enforcement of internal rules, company policies and security strategy (who can access which resources, when, how, and from where?). Strict security requirements are typical at big service providers (banks, telcos, government) which manage sensitive data (personal files, credit card info, etc.).
    • IT staff control: IT admins are the most powerful users in IT systems, with unrestricted access rights. Controlling them is essential.
    • Outsourcing partner control: Monitoring of third-party contractors or outsourcing partners (e.g. hosting providers, remote admins, etc.), for example to demonstrate the mistake of an external system admin, plus SLA control.
    • Business users audit: Control of average users' working sessions (for example, in call centers there is huge turnover, so users must be carefully controlled; controlling remote worker access is also a must in many companies).
    • Forensics: Identifying and presenting evidence found in IT systems through a "legal" procedure (for example, a quick investigation after an accidental misconfiguration).
  • #16: If you have doubts about giving comforting answers to these questions, then you probably need to think about a possible solution to these challenges….