Внутренняя угроза: выявление и защита с помощью ObserveIT

Editor's Notes

• #2: Today we are going to talk about why User activity monitoring the most effective way to combat insider threats.
• #4: And these are just 4 examples of the over 1,200 customer we have using ObserveIT everyday to identify and manage their user-based risk --click to next slide--
• #5: We have over invested in Firewalls, A/V, DLP…. And yet, we still only have half the picture, we don’t understand what it is our users are actually doing.
• #6: Now that we talked about how the solution works at a high-level, let’s quickly cover where other customers are leveraging our solution. From our Qualification call I know you’re interested in a specific use case, but I wanted to share other areas that might be of interest and why customer are using us. The scope of Insider threats expands Employees, Privileged users and even trusted third-parties. When dealing with Employees most customers are concerned data extraction and fraudulent activity within core applications. The use case can range from monitoring call center employees to individuals on HR Watch-lists. With Privileged Users, we see customer looking to see if users are abusing their access or concerned about data leakage. It can range from Help Desk user to DBAs to enforcing Segregation of Duties. We also see a lot of customers looking to track all High Privilege Accounts like system admins on all their servers. Third-parties is a big one and where our roots tie back too. Most customers are monitoring third-parties to trust, but verify their work and make sure IP isn’t leaving with them or that they aren’t bring down any servers. We see customers monitoring Contractors, Remote Vendors to Completely Outsourced IT shops. Underpinning monitoring all of these groups is Audit and Compliance – whether it’s to satisfy Audit controls or map to a Security Framework. Now that we’ve covered the use cases at a high-level, which do you feel is most relevant to cover in the next part of this discussion?
• #7: Because of the increasing use of applications that can leak data (e.g. Web Email, Drop Box, WeTransfer) and user that have access to sensitive information. Our customers are looking to monitoring employees to see if they are viewing information they shouldn’t be, are concern about User Error and if users are leveraging unauthorized cloud apps. Fraud SoD violations Financial Systems ERP CRM Call Centers Custom Apps Data Leaks “Snooping” Customer data PII /PHI / PCI Employee Turnover / New Hires HR Watch list Layoffs Two weeks notice Remote Workers IP Theft E-mail and instant messaging Thumb drive Exporting & Printing Reports Large copy paste operations   Sharing sensitive files on P2P networks
• #8: Exchange Admins!! Today we see a lot of customers handing out root privileges like after-dinner mints. And when it comes to Privileged user monitoring, customer are concerned with unauthorized changes or access, admins abusing their privileges or what users are doing with local accounts. Unauthorized Changes Entitlement changes Creation of Local Accounts Password resets Abusing Privileges Admin / “Root” logins Lateral Movement ‘rm’ ‘cp’ with ‘sudo’ Creating “backdoors” ‘leapfrog’ logins Unnecessary Access Unauthorized access Unsecure ‘shell’ Unapproved ‘setuid’
• #9: When it comes to 3rd Party Monitoring are customer want to identify any unscheduled tasks, detect abnormal remote access and look into any unauthorized changes. Abnormal Remote Access Using shared accounts through Terminal Services, Citrix and GoToMyPC “leapfrog” to a more restricted machine VPN. RDP, Telnet, SSH during non-business hours Unauthorized Changes Configuration files Entitlement changes Domain Admin rights su or sudo commands Creation of Local Accounts DROP TABLE or DROP INDEX command Password resets Unscheduled Tasks Installing applications (TeamViewer) Installing “backdoors “Snooping” or viewing information they shouldn’t be Data exfiltration Exporting reports large copy operations
• #10: 3 out of 4 Security professionals say they Can’t distinguish between legitimate business use and abuse Crowd-based research in cooperation with the 260,000+ member Information Security Community
• #11: Let’s talk about Insider Threat Intelligence with ObserveIT and what makes us different. First, we focus on the USER – after all – Insider Threats are a People Problem. This approach allows us to provide a clear picture of the risk users present and enables you to do something about it too. Second, we have a 3-step approach for providing the best Insider Threat Intelligence out there: ObserveIT is an agent based solution and essentially screen scrapes all activity and index the textual information on the screen. This includes “Collecting” the information need to distinguish abuse from legitimate use via Visual Screen Recording Technology, and transcribe what’s taking place into User Activity Logs. Next, we have unique capabilities to detect risky insider activity with rule-based User Behavior Analytics, and Activity Alerting. Finally, we have the ability to take action and quickly respond to users putting your business at risk with Live Session Response and Session Shutdown. We’ll dig into each of these capabilities in the demonstration portion of this meeting, but I wanted to give you and idea of how the solution works. 
• #12: When we dive deeper into the risk associated with our Users, we see there are many different types of users Business Users, IT Users and Contractors
• #13: This is where ObserveIT comes in ObserveIT solves this critical missing gap – we answer the “WHO’S DOING WHAT” question We capture, record and monitor all user activity whether you Business Users, IT Users, and Thirst Party Contractors We provide video-like playback of the actual activity of your users and we create User Activity Logs that provide searchable, easy-to-understand audit trails for every action performed Our solutions alerts when we detect abnormal and suspicious user activity providing both an actual video replay of the user’s actions and a step by step use activity log of exactly what they did --- Click to Next Slide ---
• #14: So, this is ObserveIT’s intuitive approach: Today, We have an IT Admin logging on to our servers, using generic ID’s such as ‘Administrator’ or ‘dba’ click At the same time, Sam the Security Officer is asking: Who is doing What? click Adding ObserveIT, the situation becomes much more clear. First of all, ObserveIT provides Shared-User Identification. So now, we know that this ‘Admin’ is really ‘Alex’ click Next, ObserveIT steps in with video recording of every user action, as looking over Alex’s shoulder while he is working. The result is a video recording that can easily be played back. click And even more, ObserveIT then analyzes this video session… We extract all the details of what Alex did… The apps he ran, files he opened, and more. click These three pieces of information: user identification, video capture, and video metadata are then collected in a centralized audit database click This of course makes Sam very happy
• #15: Provider [Name] Microsoft-Windows-Security-Auditing   [Guid] {54849625-5478-4994-A5BA-3E3B0328C30D} EventID 4656 Version 1 Level 0 Task 12800 Opcode 0 Keywords 0x8020000000000000 TimeCreated   [ SystemTime] 2012-04-03T12:37:04.239600000Z EventRecordID 679838 Correlation - Execution  [ProcessID] 476   [ThreadID] 492 Channel Security Computer UNI-W08-Prod Security - EventData   SubjectUserSid S-1-5-21-3376939521-1815728488-1984618326-500   SubjectUserName Administrator   SubjectDomainName UNI-W08-Prod   SubjectLogonId 0x6489b   ObjectServer Security   ObjectType File   ObjectName C:\Windows\ObserveIT\Web\ObserveIT\Web.config HandleId 0xd8 TransactionId {00000000-0000-0000-0000-000000000000} AccessList %%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 AccessReason %%1538: %%1801 D:(A;ID;FA;;;BA) %%1541: %%1801 AccessMask 0x12019f PrivilegeList - RestrictedSidCount 0 ProcessId 0x44c ProcessName C:\Windows\System32\notepad.exe  
• #16: Point to the Server Diary Tab Point
• #19: Here’s a few examples even. Here we see ObserveIT logs, as presented within CA’s UARM product…
• #20: And here the ObserveIT logs are presented within Splunk.
• #21: With 6.0 we add Insider Threat Intelligence to our User Activity Monitoring Solution to Cover the full scope of insider threat.
• #22: A simple point-and-click Marking Tool allows you to mark - during configuration time – any in-app data elements that you wish to monitor in both your Desktop or Web applications. You can mark an area being viewed in the application, a specific button being clicked, and any data element such as customer names, email addresses, or phone numbers - as you can see in this mockup. ObserveIT agent will record any user exposures and interactions with these marked in-app elements. Once recorded, you can search the Recording Database for these data elements, create Reports, define Alerts, and export to SIEM In addition, Information collected for marked elements is displayed in ObserveIT session diaries and Video Player – providing an important application context while reviewing recorded sessions.
• #24: A calculated user-based risk score will allow you to quickly identify your risky users. The score is a smart aggregation of risky user activities during the last period, taking into account various risk factors such as – how risky is the application involved?
• #25: A dynamic report can automatically show all the sensitive data elements being viewed per user for each business application involved. In this mockup, John Smith viewed 2 customer records in Salesforce – and you can see the EXACT sensitive data that was viewed!
• #26: There are 2 ways that you can deploy ObserveIT…
• #27: The first is the standard deployment according to the architecture that we’ve seen so far… An agent is installed on each server that is being monitored, which feeds log data to the management server.
• #28: A second deployment option is via a gateway server. If users are accessing your servers via a gateway, you can deploy a gateway-based agent only, which then captures the user actions that go through that gateway to each corporate server.
• #29: ObserveIT’s flexibility allows you to deploy both ways simultaneously… A gateway for full network coverage for all standard user access… Plus agents on specific sensitive servers that require more detailed audit