Copyright 2014 SSH Communications Security
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM
Jason Thompson, Director of Global Marketing, SSH Communications Security
Jimmy Mills, Sr. Solutions Engineer, SSH Communications Security
SSH Communications Security
Quick Facts:
• Inventors of the SSH protocol
• Listed: NASDAQ OMX Helsinki (SSH1V)
• 3,000 customers including 6 of the 10 largest US banks
What We Do:
• Secure Shell Access Controls & Key Management
• Privileged Identity Management
• Data-in-Transit Encryption
SSH COMMUNICATIONS SECURITY IS THE MARKET LEADER IN DEVELOPING ADVANCED SECURITY SOLUTIONS TO MEET TODAY’S BUSINESS, SECURITY AND COMPLIANCE REQUIREMENTS IN ENCRYPTED NETWORKS.
Some of Our Customers
• Energy & Utilities
• Government
• Financial
• Retail
• Healthcare
Problems We Solve
Access Controls
• Discover existing legacy keys and trust relationships in the environment so you know who has access to what
• Lock down the environment so that only the key manager can access the server to deploy, rotate and remove keys
• Continuously monitor the environment for any new keys created outside of the key manager and alert security operations if an unauthorized key is found
• Automatically rotate keys to reduce the likelihood that a compromised key can be used against you and to meet compliance mandates
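The discovery and monitoring steps in the Access Controls list above, as an added example that is not SSH Communications Security's product code: it parses OpenSSH `authorized_keys` content, fingerprints each key, maps which accounts each key opens, and flags keys missing from an approved inventory. The host names, accounts, keys and inventory are constructed sample data, and the check for keys without `from=`/`command=` restrictions goes beyond what the slide lists.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_fields(line):
    """Split on whitespace outside double quotes; option values may quote spaces."""
    fields, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
                cur = ""
        else:
            cur += ch
        prev = ch
    if cur:
        fields.append(cur)
    return fields

def parse_authorized_keys(text):
    """Return one dict per key line; malformed lines are reported, not dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = split_fields(line)
        # An entry is "[options] keytype base64 [comment]".
        options = "" if f[0] in KEY_TYPES else f.pop(0)
        if len(f) < 2 or f[0] not in KEY_TYPES:
            entries.append({"line": lineno, "error": "unrecognized entry"})
            continue
        try:
            fp = fingerprint(f[1])
        except (binascii.Error, ValueError):
            entries.append({"line": lineno, "error": "bad key blob"})
            continue
        entries.append({"line": lineno, "options": options, "type": f[0],
                        "fingerprint": fp, "comment": " ".join(f[2:])})
    return entries

def audit(accounts, approved):
    """accounts: {(host, user): authorized_keys text}.
    approved: fingerprints the key manager deployed (assumed inventory format)."""
    findings, grants = [], defaultdict(list)
    for (host, user), text in sorted(accounts.items()):
        for e in parse_authorized_keys(text):
            where = f"{user}@{host}:{e['line']}"
            if "error" in e:
                findings.append(("UNPARSEABLE", where, e["error"]))
                continue
            grants[e["fingerprint"]].append(f"{user}@{host}")  # trust relationship
            if e["fingerprint"] not in approved:
                findings.append(("UNAUTHORIZED_KEY", where, e["fingerprint"]))
            elif not any(o in e["options"] for o in ("from=", "command=")):
                findings.append(("UNRESTRICTED_KEY", where, e["fingerprint"]))
    return findings, dict(grants)

def sample_key(seed):
    """Constructed, non-functional blob in ssh-ed25519 wire format (demo only)."""
    body = hashlib.sha256(seed.encode()).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + body
    return base64.b64encode(blob).decode()

# Constructed sample data: three accounts on two hypothetical hosts.
BACKUP, ADMIN, ROGUE = (sample_key(s) for s in ("backup", "admin", "rogue"))
SAMPLE_ACCOUNTS = {
    ("db01", "backup"): 'from="10.0.0.5",command="/usr/local/bin/run backup" '
                        f"ssh-ed25519 {BACKUP} backup@batch01\n",
    ("db01", "root"): f"# legacy\nssh-ed25519 {ADMIN} admin@laptop\n"
                      f"ssh-ed25519 {ROGUE} unknown\n",
    ("web01", "root"): f"ssh-ed25519 {ADMIN} admin@laptop\n"
                       "ssh-rsa not*base64 broken\n",
}
APPROVED = {fingerprint(BACKUP), fingerprint(ADMIN)}

if __name__ == "__main__":
    findings, grants = audit(SAMPLE_ACCOUNTS, APPROVED)
    for kind, where, detail in findings:
        print(f"{kind:17} {where:14} {detail}")
    for fp, accts in grants.items():
        print(fp, "->", ", ".join(accts))
```

Run on a schedule against collected `authorized_keys` files, the `UNAUTHORIZED_KEY` findings are the alerts the third bullet describes, and `grants` is the "who has access to what" map from the first.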
Privileged Identity Management
• Monitor encrypted traffic to ensure that privileged identities aren't stealing data or violating policy
• At the network level, control what identities can do within authorized servers and prevent workarounds that allow IT administrators to bypass firewalls
• For audit and forensics, store a complete history of privileged user activities and traffic in a secure vault
• Enable layered security solutions such as SIEM and DLP to extend the capabilities of these deployments into your Secure Shell environment
SSH COMMUNICATIONS SECURITY DELIVERS A CENTRALIZED, 360 DEGREE SECURE SHELL MANAGEMENT PLATFORM INCLUDING ENCRYPTION, ACCESS CONTROL AND PRIVILEGED IDENTITY MANAGEMENT
Setting the Table
DOWNLOAD THE FORRESTER REPORT AT SSH.COM
Organizations Rely On SSH For Numerous Processes
82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SSH & 68% CONSIDER SSH AS IMPORTANT OR CRITICAL TO THE BUSINESS
Lack of Visibility Creates a Security and Compliance Challenge
• Many organizations said that they are not monitoring & logging SSH activities
• Only 44% indicated that they have visibility into how many SSH keys are deployed in their environment, and what those authorizations are used for
• Based on real world experience, most organizations only have visibility into interactive user activities*
(*Based on security audits performed by SSH Communications Security)
Below The Surface: M2M Identities Are Rapidly Growing
• Most organizations lack sufficient access controls, continuous monitoring, DLP or forensics capabilities in M2M networks
• In many cases, M2M authentications vastly outnumber interactive authentication
• M2M connections can be hijacked by interactive users
• M2M connections often carry high value payloads such as credit card numbers and personally identifiable information
• M2M encrypted communications are rarely monitored and the encryption used to protect the data blinds ops & forensics
[Figure labels: Interactive (Human) users; 80% of Identities; 20% of Identities]
M2M Transactions And Processes Expected To Increase In 2014
• M2M enables a host of business-critical processes like billing, inventory management, backups, failover and disaster recovery
• 62% of US IT decision-makers who said that securing M2M transactions and processes are important or very important activities for their organization expect their company’s use of M2M transactions and processes to increase in 2014
• The rise of big data drives more M2M in the enterprise, largely using Secure Shell to secure communications
Scanning and Auditing
SECURE SHELL IS WIDELY DEPLOYED, SEEN AS IMPORTANT, YET SECURE SHELL MANAGEMENT IS LACKING – FORRESTER
What is Really Happening
$ cd /trans
$ cat t1101.dat
AMEX 1101922
VISA 38293928
What Layered Defenses See
Fj3()54kj(r¤/Diw
IR383EW/3#)k)”#(
#(¤¤#)”)mjvcmfis(3
4j348fR)#
The Content Awareness Gap
• Encrypted M2M and P2M processes can be exploited
• Privileged access is the leading vector for insider and APT attacks
• Lack of Visibility, Awareness and Monitoring
[Diagram labels: Servers and network devices; External users, hosted and cloud environments, BYOD; Workstation networks; IPS/DLP; SIEM; FW]
Major Incidents and Threats
• Feb 2014 / Careto (The Mask): “Extremely sophisticated” Advanced Persistent Threat identified
  – Targets a long list of documents, encryption keys, SSH keys, VPN configurations, and RDP files
  – Campaign was active for ~7 years and directed towards government agencies, embassies, diplomatic offices and energy companies
• Nov 2013 / Fokirtor: Symantec researchers discovered a new backdoor
  – Targets the Linux operating system and is capable of stealing login credentials from secure shell (SSH) connections
  – Attackers could have accessed the encryption key that secured the unnamed organizations' internal communications
• June 2013 / Edward Snowden: Attack vector still unknown; however, recent high-level statements show that keys were probably used to execute the attack
  – U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to gain access to NSA files that he should not have had access to by fabricating digital keys
  – An NSA employee resigned from the agency after admitting to federal investigators that he gave former NSA analyst Edward Snowden a digital key that allowed him to gain access to classified materials (AP)
• April 2013 / Insider Attack: A former HostGator employee used an SSH key to gain unfettered access to 2,700 servers, potentially putting thousands of their customers’ websites at risk
Three Best Practices To Secure M2M
Kill your data to augment data security
Killing data removes value from the data through proper encryption. The SSH protocol can do this internally for M2M transactions and processes. Effective encryption will help prevent a repeat of a Snowden/NSA-type data breach.
Treat M2M identities like human user identities
The identity one machine uses to access another machine’s applications or data is an attractive target of attack. The basic onboarding, off-boarding, audit and monitoring controls widely applied to identities assigned to human users must also be applied to machine-based identities.
Centralize SSH management
Centralization helps security and makes it easier to meet compliance, frees up staff time, improves visibility and allows for faster response time to policy violations & exploits. Compliance is the biggest driver of security spend. Most companies have compliance mandates such as PCI or HIPAA. In a post-Snowden world, look for auditors to ask about Secure Shell identity and access management. You have to do it anyway; let’s make it easy.
FEW BUSINESS LEADERS TODAY MAKE THE ASSOCIATION BETWEEN M2M SECURITY AND SSH MANAGEMENT WITH DATA SECURITY AND COMPLIANCE. IT’S TIME TO CHANGE THAT PERCEPTION WITHIN ORGANIZATIONS – FORRESTER
Conventional vs. Advanced PIM
Advanced
• Monitors 100% of network traffic, human or machine
• Content-aware, provides context as to what the user is doing
• Proactive data loss prevention capabilities, integrates into DLP, IDS, SIEM – stop attackers in their tracks
• Advanced search capabilities, video replay and vault enable fast and easy forensics
• Applies policy with centrally controlled, role-based access controls
• Can be deployed as a gateway and/or as an inline appliance
• An SSH firewall: stops PIs from creating workarounds by denying sub-channels
• Can be deployed inside the perimeter or in tandem with the firewall as a perimeter security solution
Conventional
• Primarily designed to identify privileged “human” users
• Lacks content-awareness capabilities
• Passive “wait until you’re breached” approach
• Basic recording with limited search capabilities
• Primarily used in a gateway or jump host setup
• Can’t apply policy and provides limited to no access controls
• Typically deployed inside the perimeter
Success Proves Need
• Top 10 global technology company selects CryptoAuditor to deliver inline, transparent monitoring of Secure Shell tunnels in order to prevent unauthorized transfer of high value intellectual property.
• Major European securities depository selects CryptoAuditor to monitor and control external application developers and administrators working in their data centers
• One of Europe’s largest cloud and IT services providers selects CryptoAuditor to monitor, enforce policy and control access to 30,000+ hosts
Thank You

Mais conteúdo relacionado

Mais procurados

Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhya
sandeepsandy75
 
Threats In Vo Ip
Threats In Vo IpThreats In Vo Ip
Threats In Vo Ip
guest209a2c
 
Mattias eriksson
Mattias erikssonMattias eriksson
Mattias eriksson
Hai Nguyen
 

Mais procurados (20)

Network security by sandhya
Network security by sandhyaNetwork security by sandhya
Network security by sandhya
 
Cyber Attack Survival: Are You Ready?
Cyber Attack Survival:  Are You Ready?Cyber Attack Survival:  Are You Ready?
Cyber Attack Survival: Are You Ready?
 
VoIP security
VoIP securityVoIP security
VoIP security
 
Information Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons BulgariaInformation Security Fundamentals - New Horizons Bulgaria
Information Security Fundamentals - New Horizons Bulgaria
 
Rio olympics ddos attack
Rio olympics ddos attackRio olympics ddos attack
Rio olympics ddos attack
 
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DN...
PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei. Analityka w służbie jej DN...
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)
 
Cryptography and system security
Cryptography and system securityCryptography and system security
Cryptography and system security
 
InfoSecurity Europe 2014: The Art Of Cyber War
InfoSecurity Europe 2014:  The Art Of Cyber WarInfoSecurity Europe 2014:  The Art Of Cyber War
InfoSecurity Europe 2014: The Art Of Cyber War
 
Wireless Security Needs For Enterprises
Wireless Security Needs For EnterprisesWireless Security Needs For Enterprises
Wireless Security Needs For Enterprises
 
Lecture 5
Lecture 5Lecture 5
Lecture 5
 
Threats In Vo Ip
Threats In Vo IpThreats In Vo Ip
Threats In Vo Ip
 
Scada security webinar 2012
Scada security webinar 2012Scada security webinar 2012
Scada security webinar 2012
 
Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019Game Changing Cyber Defensive Strategies for 2019
Game Changing Cyber Defensive Strategies for 2019
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Network security
 Network security Network security
Network security
 
You can't detect what you can't see illuminating the entire kill chain
You can't detect what you can't see   illuminating the entire kill chainYou can't detect what you can't see   illuminating the entire kill chain
You can't detect what you can't see illuminating the entire kill chain
 
Mattias eriksson
Mattias erikssonMattias eriksson
Mattias eriksson
 
The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]The Art of Cyber War [From Black Hat Brazil 2014]
The Art of Cyber War [From Black Hat Brazil 2014]
 
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network  Detection of Rogue Access Point in WLAN using Hopfield Neural Network
Detection of Rogue Access Point in WLAN using Hopfield Neural Network
 

Destaque

Stadiony za všechny prachy
Stadiony za všechny prachyStadiony za všechny prachy
Stadiony za všechny prachy
Jan Hromek
 
CALENDARIO DE ACTIVIDADES
CALENDARIO DE ACTIVIDADESCALENDARIO DE ACTIVIDADES
CALENDARIO DE ACTIVIDADES
aipvalencia
 
Enid blyton-mystery-08-mystery-of-the-invisible-thief
Enid blyton-mystery-08-mystery-of-the-invisible-thiefEnid blyton-mystery-08-mystery-of-the-invisible-thief
Enid blyton-mystery-08-mystery-of-the-invisible-thief
Hardik Solanki
 

Destaque (16)

Stadiony za všechny prachy
Stadiony za všechny prachyStadiony za všechny prachy
Stadiony za všechny prachy
 
Employee Engagement - More than just saying Thanks!
Employee Engagement - More than just saying Thanks! Employee Engagement - More than just saying Thanks!
Employee Engagement - More than just saying Thanks!
 
Create your own Mobile App, Be on Play store & App store And Go Viral using P...
Create your own Mobile App, Be on Play store & App store And Go Viral using P...Create your own Mobile App, Be on Play store & App store And Go Viral using P...
Create your own Mobile App, Be on Play store & App store And Go Viral using P...
 
Dreamz Maunda
Dreamz MaundaDreamz Maunda
Dreamz Maunda
 
Dreamz Banthra
Dreamz BanthraDreamz Banthra
Dreamz Banthra
 
Di udl.1.14.11
Di udl.1.14.11Di udl.1.14.11
Di udl.1.14.11
 
مستحدثات تكنولوجيا التعليم
مستحدثات تكنولوجيا التعليممستحدثات تكنولوجيا التعليم
مستحدثات تكنولوجيا التعليم
 
resources
resourcesresources
resources
 
Dreamz raebareli road 2 (gaura bazar)
Dreamz raebareli road 2 (gaura bazar)Dreamz raebareli road 2 (gaura bazar)
Dreamz raebareli road 2 (gaura bazar)
 
GIVINGtrax for Auto Dealers - Cloud Software for Giving Back
GIVINGtrax for Auto Dealers - Cloud Software for Giving BackGIVINGtrax for Auto Dealers - Cloud Software for Giving Back
GIVINGtrax for Auto Dealers - Cloud Software for Giving Back
 
GIVINGtrax for Community Engagement & We Care Programs
GIVINGtrax for Community Engagement & We Care ProgramsGIVINGtrax for Community Engagement & We Care Programs
GIVINGtrax for Community Engagement & We Care Programs
 
The Ultimate Employee Handbook - We think so :) !
The Ultimate Employee Handbook - We think so :) !The Ultimate Employee Handbook - We think so :) !
The Ultimate Employee Handbook - We think so :) !
 
CALENDARIO DE ACTIVIDADES
CALENDARIO DE ACTIVIDADESCALENDARIO DE ACTIVIDADES
CALENDARIO DE ACTIVIDADES
 
ApresentaçãO Foto
ApresentaçãO FotoApresentaçãO Foto
ApresentaçãO Foto
 
Enid blyton-mystery-08-mystery-of-the-invisible-thief
Enid blyton-mystery-08-mystery-of-the-invisible-thiefEnid blyton-mystery-08-mystery-of-the-invisible-thief
Enid blyton-mystery-08-mystery-of-the-invisible-thief
 
National Home Sales Totals
National Home Sales TotalsNational Home Sales Totals
National Home Sales Totals
 

Semelhante a Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM

Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
DataWorks Summit
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
DEEPAK948083
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
Sonny Hashmi
 

Semelhante a Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM (20)

The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3 The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
The Myth of SSH Key Rotation Mythcracker Webcast Series Part 3
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
SSH Keys: Security Asset or Liability?
SSH Keys: Security Asset or Liability?SSH Keys: Security Asset or Liability?
SSH Keys: Security Asset or Liability?
 
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
Comprehensive Hadoop Security for the Enterprise | Part I | Compliance Ready ...
 
Multi Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect DesignMulti Factor Authentication Whitepaper Arx - Intellect Design
Multi Factor Authentication Whitepaper Arx - Intellect Design
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and ControlWhose Cloud Is It Anyway: Exploring Data Security Ownership and Control
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
 
The Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data HubThe Future of Data Management - the Enterprise Data Hub
The Future of Data Management - the Enterprise Data Hub
 
The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014The Future of Hadoop Security - Hadoop Summit 2014
The Future of Hadoop Security - Hadoop Summit 2014
 
DDS Security for the Industrial Internet - London Connext DDS Conference
DDS Security for the Industrial Internet - London Connext DDS ConferenceDDS Security for the Industrial Internet - London Connext DDS Conference
DDS Security for the Industrial Internet - London Connext DDS Conference
 
Network security and firewalls
Network security and firewallsNetwork security and firewalls
Network security and firewalls
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
 
Intel boubker el mouttahid
Intel boubker el mouttahidIntel boubker el mouttahid
Intel boubker el mouttahid
 
The Zero Trust Security Model for Modern Businesses!
The Zero Trust Security Model for Modern Businesses!The Zero Trust Security Model for Modern Businesses!
The Zero Trust Security Model for Modern Businesses!
 
Cloud security privacy- org
Cloud security  privacy- orgCloud security  privacy- org
Cloud security privacy- org
 
Identity and Security in the Cloud
Identity and Security in the CloudIdentity and Security in the Cloud
Identity and Security in the Cloud
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
Securing your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEsSecuring your digital world - Cybersecurity for SBEs
Securing your digital world - Cybersecurity for SBEs
 
Securing your digital world cybersecurity for sb es
Securing your digital world   cybersecurity for sb esSecuring your digital world   cybersecurity for sb es
Securing your digital world cybersecurity for sb es
 
Ethical hacking and social engineering
Ethical hacking and social engineeringEthical hacking and social engineering
Ethical hacking and social engineering
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 

Último

%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 

Último (20)

What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
 
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...
 
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdfPayment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
%in Rustenburg+277-882-255-28 abortion pills for sale in Rustenburg
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 

Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM

  • 1. Copyright 2014 SSH Communications SecurityCopyright 2014 SSH Communications Security Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM Jason Thompson Director of Global Marketing SSH Communications Security Jimmy Mills Sr. Solutions Engineer SSH Communications Security
  • 2. Copyright 2014 SSH Communications Security SSH Communications Security Quick Facts: • Inventors of the SSH protocol • Listed: NASDAQ OMX Helsinki (SSH1V) • 3,000 customers including 6 of the 10 largest US banks What We Do: • Secure Shell Access Controls & Key Management • Privileged Identity Management • Data-in-Transit Encryption SSH COMMUNICATIONS SECURITY IS THE MARKET LEADER IN DEVELOPING ADVANCED SECURITY SOLUTIONS TO MEET TODAY’S BUSINESS, SECURITY AND COMPLIANCE REQUIREMENTS IN ENCRYPTED NETWORKS.
  • 3. Copyright 2014 SSH Communications Security Some of Our Customers Energy & Utilities Government Financial Retail Healthcare
  • 4. Copyright 2014 SSH Communications Security Problems We Solve Access Controls • Discover existing legacy keys and trust relationships in the environment so you know who has access to what • Lock down the environment so that only the key manager can access the server to deploy, rotate and remove keys • Continuously monitor the environment for any new keys created outside of the key manager and alert security operations if an unauthorized key is found • Automatically rotate keys to reduce the likelihood that a compromised can be used against you and to meet compliance mandates Privileged Identity Management • Monitor encrypted traffic to ensure that privileged identities aren't stealing data or violating policy • At the network level, control what identities can do within authorized servers and prevent workarounds that allow IT administrators to bypass firewalls • For audit and forensics, store a complete history of privileged user activities and traffic in a secure vault • Enable layered security solutions such as SIEM and DLP to extend the capabilities of these deployments into your Secure Shell environment SSH COMMUNICATIONS SECURITY DELIVERS A CENTRALIZED, 360 DEGREE SECURE SHELL MANAGEMENT PLATFORM INCLUDING ENCRYPTION, ACCESS CONTROL AND PRIVILEGED IDENTITY MANAGEMENT
  • 5. Copyright 2014 SSH Communications Security Setting the Table DOWNLOAD THE FORRESTER REPORT AT SSH.COM
  • 6. Copyright 2014 SSH Communications Security Organizations Rely On SSH For Numerous Processes 82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SSH & 68% CONSIDER SSH AS IMPORTANT OR CRITICAL TO THE BUSINESS
  • 7. Copyright 2014 SSH Communications Security Lack of Visibility Creates a Security and Compliance Challenge • Many organizations said that they are not monitoring & logging SSH activities • Only 44% indicated that they have visibility into how many SSH keys are deployed in their environment, and what those authorizations are used for • Based on real world experience, most organizations only have visibility into interactive user activities* (*Based on security audits performed by SSH Communications Security)
  • 8. Below The Surface: M2M Identities Are Rapidly Growing
      • Most organizations lack sufficient access controls, continuous monitoring, DLP or forensics capabilities in M2M networks
      • In many cases, M2M authentications vastly outnumber interactive authentication
      • M2M connections can be hijacked by interactive users
      • M2M connections often carry high value payloads such as credit card numbers and personally identifiable information
      • M2M encrypted communications are rarely monitored and the encryption used to protect the data blinds ops & forensics
    [Figure labels: Interactive (Human) users; 80% of Identities; 20% of Identities]
  • 9. M2M Transactions And Processes Expected To Increase In 2014
      • M2M enables a host of business-critical processes like billing, inventory management, backups, failover and disaster recovery
      • 62% of US IT decision-makers who said that securing M2M transactions and processes are important or very important activities for their organization expect their company’s use of M2M transactions and processes to increase in 2014
      • The rise of big data drives more M2M in the enterprise, largely using Secure Shell to secure communications
  • 10. Scanning and Auditing
    SECURE SHELL IS WIDELY DEPLOYED, SEEN AS IMPORTANT, YET SECURE SHELL MANAGEMENT IS LACKING – FORRESTER
  • 11. What is Really Happening
    The Content Awareness Gap
      • Encrypted M2M and P2M processes can be exploited
      • Privileged access is the leading vector for insider and APT attacks
      • Lack of Visibility, Awareness and Monitoring
    [Diagram labels: Servers and network devices; External users, hosted and cloud environments, BYOD; Workstation networks; IPS/DLP; SIEM; FW. A sample session ($ cd /trans, $ cat t1101.dat, listing card records) is shown beside unreadable ciphertext under “What Layered Defenses See”.]
  • 12. Major Incidents and Threats
      • Feb 2014 / Careto (The Mask): “Extremely sophisticated” Advanced Persistent Threat identified
        – Targets a long list of documents, encryption keys, SSH keys, VPN configurations, and RDP files
        – Campaign was active for ~7 years and directed towards government agencies, embassies, diplomatic offices and energy companies
      • Nov 2013 / Fokirtor: Symantec researchers discovered a new backdoor
        – Targets the Linux operating system and is capable of stealing login credentials from secure shell (SSH) connections
        – Attackers could have accessed the encryption key that secured the unnamed organizations' internal communications
      • June 2013 / Edward Snowden: Attack vector still unknown; however, recent high-level statements show that keys were probably used to execute the attack
        – U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to gain access to NSA files that he should not have had access to by fabricating digital keys
        – An NSA employee resigned from the agency after admitting to federal investigators that he gave former NSA analyst Edward Snowden a digital key that allowed him to gain access to classified materials (AP)
      • April 2013 / Insider Attack: A former HostGator employee used an SSH key to gain unfettered access to 2,700 servers, potentially putting thousands of their customers’ websites at risk
  • 13. Three Best Practices To Secure M2M
      • Kill your data to augment data security: Killing data removes value from the data through proper encryption. The SSH protocol can do this internally for M2M transactions and processes. Effective encryption will help prevent the repeat of a Snowden/NSA-type of data breach.
      • Treat M2M identities like human user identities: The identity one machine uses to access another machine’s applications or data is an attractive target of attack. The basic onboarding, off-boarding, audit and monitoring controls widely applied to identities assigned to human users must also be applied to machine-based identities.
      • Centralize SSH management: Centralization helps security and makes it easier to meet compliance, frees up staff time, improves visibility and allows for faster response time to policy violations & exploits.
    Compliance is the biggest driver of security spend. Most companies have compliance mandates such as PCI or HIPAA. In a post-Snowden world, look for auditors to ask about Secure Shell identity and access management. You have to do it anyway; let’s make it easy.
    FEW BUSINESS LEADERS TODAY MAKE THE ASSOCIATION BETWEEN M2M SECURITY AND SSH MANAGEMENT WITH DATA SECURITY AND COMPLIANCE. IT’S TIME TO CHANGE THAT PERCEPTION WITHIN ORGANIZATIONS – FORRESTER
  • 14. Conventional vs. Advanced PIM
    Advanced
      • Monitors 100% of network traffic, human or machine
      • Content-aware, provides context as to what the user is doing
      • Proactive data loss prevention capabilities, integrates into DLP, IDS, SIEM – stop attackers in their tracks
      • Advanced search capabilities, video replay and vault enable fast and easy forensics
      • Applies policy with centrally controlled, role-based access controls
      • Can be deployed as a gateway and/or as an inline appliance
      • An SSH firewall: stops PIs from creating workarounds by denying sub-channels
      • Can be deployed inside the perimeter or in tandem with the firewall as a perimeter security solution
    Conventional
      • Primarily designed to identify privileged “human” users
      • Lacks content-awareness capabilities
      • Passive “wait until you're breached” approach
      • Basic recording with limited search capabilities
      • Primarily used in a gateway or jump host setup
      • Can’t apply policy and provides limited to no access controls
      • Typically deployed inside the perimeter
  • 15. Success Proves Need
      • Top 10 global technology company selects CryptoAuditor to deliver inline, transparent monitoring of Secure Shell tunnels in order to prevent unauthorized transfer of high value intellectual property
      • Major European securities depository selects CryptoAuditor to monitor and control external application developers and administrators working in their data centers
      • One of Europe’s largest cloud and IT services providers selects CryptoAuditor to monitor, enforce policy and control access to 30,000+ hosts
  • 16. Thank You

Editor's Notes

  1. Our solution to this challenge is called CryptoAuditor.

     The connections are intercepted by the inline network appliance. As we act on the network traffic level, either as a router or bridge, we are able to intercept the connection completely transparently to the end users and applications. No need to install any agents anywhere.

     The data capture module, CryptoAuditor Hound, acts as a friendly man-in-the-middle: it intercepts the encrypted connection, takes off the encryption, and places it under full control and auditing.

     All the audits are sent to centralized audit trail storage, called CryptoAuditor Vault, which also acts as the centralized management and reporting point.

     All the modules are available as virtual and hardware appliances and can be set up in high availability mode. As the data capture model is distributed, you can place the data capture modules freely around your environment, whatever fits your needs and network topologies.

     So, as mentioned before, we can capture encrypted SSH, SFTP and RDP connections, and the audit trails are sent to a centralized repository. All the audit trails can be replayed later on, or even watched in real time. You can see the connections exactly as they happened.

     Furthermore, all the connections and their content are indexed as soon as they arrive at the Vault. This enables you to get real-time visibility into the content of the connections, run manual searches based on keywords and create automated reports based on your search criteria. This functionality is also available on graphical connections such as RDP. For those we use OCR, optical character recognition, to identify text patterns out of the graphical connection stream.

     Because we are able to index the content in real time, you can also integrate this with your existing security infrastructure, such as data loss and intrusion prevention tools or your SIEM architecture. By being able to provide visibility and control to encrypted connections, you can take full advantage of your existing solutions by integrating them with CryptoAuditor.

     Finally, the deployment of the solution is minimally invasive to your environment: no changes required to user experience or processes, and no need to install any agents or other applications.