You understand that, if left unmonitored, encrypted channels like SSH, SFTP and RDP pose a risk to the organization and you want to do something about it
You worry that your SIEM, IDS and DLP solutions are blinded by encryption and you want to gain visibility into your encrypted traffic
You recognize that conventional “gateway” based PIM products don’t scale and are interested in a network-based PIM solution
You want to monitor and control all of your encrypted traffic, not just the human users
You want to learn why one of the world’s largest technology companies (and many others) have recently implemented advanced PIM solutions
You want a plug-and-play solution that is invisible to end users and easy to deploy – versus all of that gateway and agent-based nonsense
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM
1. Copyright 2014 SSH Communications Security
Advanced Privileged Identity Management: Moving Beyond the Gateway Approach to PIM
Jason Thompson, Director of Global Marketing, SSH Communications Security
Jimmy Mills, Sr. Solutions Engineer, SSH Communications Security
2. SSH Communications Security
Quick Facts:
• Inventors of the SSH protocol
• Listed: NASDAQ OMX Helsinki (SSH1V)
• 3,000 customers including 6 of the 10 largest US banks
What We Do:
• Secure Shell Access Controls & Key Management
• Privileged Identity Management
• Data-in-Transit Encryption
SSH COMMUNICATIONS SECURITY IS THE MARKET LEADER IN DEVELOPING ADVANCED SECURITY SOLUTIONS TO MEET TODAY’S BUSINESS, SECURITY AND COMPLIANCE REQUIREMENTS IN ENCRYPTED NETWORKS.
3. Some of Our Customers
Energy & Utilities, Government, Financial, Retail, Healthcare
4. Problems We Solve
Access Controls
• Discover existing legacy keys and trust relationships in the environment so you know who has access to what
• Lock down the environment so that only the key manager can access the server to deploy, rotate and remove keys
• Continuously monitor the environment for any new keys created outside of the key manager and alert security operations if an unauthorized key is found
• Automatically rotate keys to reduce the likelihood that a compromised key can be used against you and to meet compliance mandates
Privileged Identity Management
• Monitor encrypted traffic to ensure that privileged identities aren't stealing data or violating policy
• At the network level, control what identities can do within authorized servers and prevent workarounds that allow IT administrators to bypass firewalls
• For audit and forensics, store a complete history of privileged user activities and traffic in a secure vault
• Enable layered security solutions such as SIEM and DLP to extend the capabilities of these deployments into your Secure Shell environment
SSH COMMUNICATIONS SECURITY DELIVERS A CENTRALIZED, 360 DEGREE SECURE SHELL MANAGEMENT PLATFORM INCLUDING ENCRYPTION, ACCESS CONTROL AND PRIVILEGED IDENTITY MANAGEMENT
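As an added illustration of the Access Controls bullets above (example code, not the product's or the presenters' own), the following Python builds a who-has-access-to-what trust map from authorized_keys files and flags keys the key manager does not know about, as well as managed keys past their rotation age. The host names, the sample keys (dummy blobs in OpenSSH public-key wire format, not real credentials), the approved-key registry and the "today" date are all constructed for the example.

```python
import base64
import hashlib
import re
import struct
from datetime import date


def make_blob(keytype: str, seed: str) -> str:
    """Constructed stand-in for an OpenSSH public-key blob: a length-prefixed key
    type followed by length-prefixed key material. The 32 bytes of material are
    derived from a seed, so these are dummy keys, not usable credentials."""
    material = hashlib.sha256(seed.encode()).digest()
    t = keytype.encode()
    wire = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return base64.b64encode(wire).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# An authorized_keys line is: [options] keytype base64-blob [comment]. Options may
# contain quoted strings with spaces, so anchor on the key type token instead of
# splitting the whole line on whitespace.
KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text: str):
    """Yield (options, keytype, blob, comment) for each key line in the file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.search(line)
        if m is None:
            continue  # malformed line; a real scanner would report it
        yield line[:m.start()].strip(), m.group(1), m.group(2), m.group(3) or ""


# Constructed snapshot of authorized_keys files collected from two hosts.
HOST_SNAPSHOTS = {
    ("db01", "root"): "\n".join([
        "# deployed by the key manager",
        "ssh-ed25519 " + make_blob("ssh-ed25519", "backup-svc") + " backup@backup01",
        'from="10.0.1.0/24",no-pty ssh-ed25519 ' + make_blob("ssh-ed25519", "billing-svc") + " billing@app01",
    ]),
    ("app01", "deploy"): "\n".join([
        "ssh-ed25519 " + make_blob("ssh-ed25519", "ci-runner") + " ci@build01",
        "ssh-ed25519 " + make_blob("ssh-ed25519", "legacy-admin") + " jdoe-laptop",  # created outside the manager
    ]),
}

# What the key manager believes it deployed: fingerprint -> (owner, deploy date).
APPROVED = {
    fingerprint(make_blob("ssh-ed25519", "backup-svc")): ("backup-svc", date(2013, 1, 15)),
    fingerprint(make_blob("ssh-ed25519", "billing-svc")): ("billing-svc", date(2013, 11, 1)),
    fingerprint(make_blob("ssh-ed25519", "ci-runner")): ("ci-runner", date(2014, 2, 3)),
}


def build_trust_map(snapshots):
    """fingerprint -> list of (host, account) that key can log in to."""
    trust = {}
    for (host, account), text in snapshots.items():
        for _opts, _keytype, blob, _comment in parse_authorized_keys(text):
            trust.setdefault(fingerprint(blob), []).append((host, account))
    return trust


def audit(snapshots, approved, today, max_age_days=365):
    """Return (trust_map, findings): keys the manager does not know about, and
    managed keys older than the rotation deadline."""
    trust = build_trust_map(snapshots)
    findings = []
    for fp, targets in trust.items():
        if fp not in approved:
            findings.append(("UNAUTHORIZED_KEY", fp, targets))
            continue
        owner, deployed = approved[fp]
        if (today - deployed).days > max_age_days:
            findings.append(("ROTATION_OVERDUE", fp, owner))
    return trust, findings


def default_audit():
    """Run the audit over the constructed snapshot as of the constructed date 2014-06-01."""
    return audit(HOST_SNAPSHOTS, APPROVED, date(2014, 6, 1))


if __name__ == "__main__":
    trust, findings = default_audit()
    for fp, targets in trust.items():
        print(fp, "->", targets)
    for finding in findings:
        print(*finding)
```

Against the constructed data the audit reports the "legacy-admin" key on app01 as unauthorized (it is absent from the manager's registry) and the backup-svc key as overdue for rotation; the trust map is the artefact you would feed to the lock-down step, since it lists every account each key can reach.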
5. Setting the Table
DOWNLOAD THE FORRESTER REPORT AT SSH.COM
6. Organizations Rely On SSH For Numerous Processes
82% OF RESPONDENTS SAID THEIR ORGANIZATION USES SSH & 68% CONSIDER SSH AS IMPORTANT OR CRITICAL TO THE BUSINESS
7. Lack of Visibility Creates a Security and Compliance Challenge
• Many organizations said that they are not monitoring & logging SSH activities
• Only 44% indicated that they have visibility into how many SSH keys are deployed in their environment, and what those authorizations are used for
• Based on real world experience, most organizations only have visibility into interactive user activities*
(*Based on security audits performed by SSH Communications Security)
8. Below The Surface: M2M Identities Are Rapidly Growing
• Most organizations lack sufficient access controls, continuous monitoring, DLP or forensics capabilities in M2M networks
• In many cases, M2M authentications vastly outnumber interactive authentications
• M2M connections can be hijacked by interactive users
• M2M connections often carry high value payloads such as credit card numbers and personally identifiable information
• M2M encrypted communications are rarely monitored and the encryption used to protect the data blinds ops & forensics
[Chart: share of identities, labelled “Interactive (Human) users”, “80% of Identities” and “20% of Identities”]
9. M2M Transactions And Processes Expected To Increase In 2014
• M2M enables a host of business-critical processes like billing, inventory management, backups, failover and disaster recovery
• 62% of US IT decision-makers who said that securing M2M transactions and processes are important or very important activities for their organization expect their company’s use of M2M transactions and processes to increase in 2014
• The rise of big data drives more M2M in the enterprise, largely using Secure Shell to secure communications
10. Scanning and Auditing
SECURE SHELL IS WIDELY DEPLOYED, SEEN AS IMPORTANT, YET SECURE SHELL MANAGEMENT IS LACKING – FORRESTER
11. What is Really Happening
The Content Awareness Gap
• Encrypted M2M and P2M processes can be exploited
• Privileged access is the leading vector for insider and APT attacks
• Lack of Visibility, Awareness and Monitoring
[Diagram: Servers and network devices; External users, hosted and cloud environments, BYOD; Workstation networks; layered defenses FW, IPS/DLP and SIEM]
What the session actually contains:
$ cd /trans
$ cat t1101.dat
AMEX 1101922
VISA 38293928
What Layered Defenses See:
Fj3()54kj(r¤/Diw
IR383EW/3#)k)”#(
#(¤¤#)”)mjvcmfis(3
4j348fR)#
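To make the content-awareness gap concrete, here is an added Python example (not from the original deck) that runs one DLP rule, digit runs that pass the Luhn check, over the same session content twice: once as the ciphertext a passive IDS/DLP/SIEM tap receives off the wire, and once as the cleartext an inline decrypting appliance could hand to the same rule. The transcript, the session key and the toy XOR keystream cipher are constructed stand-ins (the cipher is not SSH's encryption, it only produces opaque bytes); the card numbers are the public Visa/Amex test numbers, which pass Luhn but belong to nobody.

```python
import hashlib
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 16 digit runs that are not embedded in a longer number.
CARD_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")


def find_card_numbers(text: str) -> list:
    """The content rule a DLP sensor would run: digit runs that pass Luhn."""
    return [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for the session cipher: SHA-256 counter keystream XOR.
    Not how SSH encrypts; it only yields opaque bytes so the scanner can be run
    against 'wire' data and against recovered cleartext. XOR twice = decrypt."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


# Constructed transcript modelled on the slide.
SESSION_PLAINTEXT = (
    "$ cd /trans\n"
    "$ cat t1101.dat\n"
    "AMEX 378282246310005\n"      # Amex test number, passes Luhn
    "VISA 4111111111111111\n"     # Visa test number, passes Luhn
    "REF  1234567890123\n"        # 13 digits that fail Luhn: not a card number
)
SESSION_KEY = b"constructed-session-key"
ON_THE_WIRE = keystream_xor(SESSION_PLAINTEXT.encode(), SESSION_KEY)


def passive_sensor_view() -> str:
    """A passive IDS/DLP/SIEM tap only ever receives the ciphertext."""
    return ON_THE_WIRE.decode("latin-1")


def inline_auditor_view() -> str:
    """An inline decrypting appliance holds the session key and can hand the
    recovered cleartext to the same content rule."""
    return keystream_xor(ON_THE_WIRE, SESSION_KEY).decode()


def compare_visibility() -> dict:
    """Hits from the same DLP rule at the two vantage points."""
    return {
        "passive_sensor": find_card_numbers(passive_sensor_view()),
        "inline_auditor": find_card_numbers(inline_auditor_view()),
    }


if __name__ == "__main__":
    for vantage, hits in compare_visibility().items():
        print(f"{vantage}: {len(hits)} card number(s) found {hits}")
```

The passive view returns no hits at all, not because the rule is weak but because it never sees a digit; the inline view returns exactly the two valid numbers and correctly ignores the 13-digit reference that fails the checksum. Any SIEM or DLP integration therefore has to be fed from the point where the session is in the clear.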
12. Major Incidents and Threats
• Feb 2014 / Careto (The Mask): “Extremely sophisticated” Advanced Persistent Threat identified
– Targets a long list of documents, encryption keys, SSH keys, VPN configurations, and RDP files
– Campaign was active for ~7 years and directed towards government agencies, embassies, diplomatic offices and energy companies
• Nov 2013 / Fokitor: Symantec researchers discovered a new backdoor
– Targets the Linux operating system and is capable of stealing login credentials from secure shell (SSH) connections
– Attackers could have accessed the encryption key that secured the unnamed organizations' internal communications
• June 2013 / Edward Snowden: Attack vector still unknown, however recent high level statements show that keys were probably used to execute the attack
– U.S. National Security Agency (NSA) director Keith Alexander told the House Permanent Select Committee on Intelligence that Snowden was able to gain access to NSA files that he should not have had access to by fabricating digital keys
– An NSA employee resigned from the agency after admitting to federal investigators that he gave former NSA analyst Edward Snowden a digital key that allowed him to gain access to classified materials (AP)
• April 2013 / Insider Attack: A former Host Gator employee used an SSH key to gain unfettered access to 2,700 servers, potentially putting thousands of their customers’ websites at risk
13. Three Best Practices To Secure M2M
Kill your data to augment data security
Killing data removes the value of the data through proper encryption. The SSH protocol can do this internally for M2M transactions and processes. Effective encryption will help prevent a repeat of a Snowden/NSA-type data breach.
Treat M2M identities like human user identities
The identity one machine uses to access another machine’s applications or data is an attractive target of attack. The basic onboarding, off-boarding, audit and monitoring controls widely applied to identities assigned to human users must also be applied to machine-based identities.
Centralize SSH management
Centralization helps security and makes it easier to meet compliance, frees up staff time, improves visibility and allows for faster response time to policy violations & exploits. Compliance is the biggest driver of security spend. Most companies have compliance mandates such as PCI or HIPAA. In a post-Snowden world, look for auditors to ask about Secure Shell identity and access management. You have to do it anyway; let’s make it easy.
FEW BUSINESS LEADERS TODAY MAKE THE ASSOCIATION BETWEEN M2M SECURITY AND SSH MANAGEMENT WITH DATA SECURITY AND COMPLIANCE. IT’S TIME TO CHANGE THAT PERCEPTION WITHIN ORGANIZATIONS – FORRESTER
14. Conventional vs. Advanced PIM
Advanced
• Monitors 100% of network traffic, human or machine
• Content-aware, provides context as to what the user is doing
• Proactive data loss prevention capabilities, integrates into DLP, IDS, SIEM – stop attackers in their tracks
• Advanced search capabilities, video replay and vault enable fast and easy forensics
• Applies policy with centrally controlled, role-based access controls
• Can be deployed as a gateway and/or as an inline appliance
• An SSH firewall: stops PIs from creating work-arounds by denying sub-channels
• Can be deployed inside the perimeter or in tandem with the firewall as a perimeter security solution
Conventional
• Primarily designed to identify privileged “human” users
• Lacks content-awareness capabilities
• Passive “wait until you’re breached” approach
• Basic recording with limited search capabilities
• Primarily used in a gateway or jump host set-up
• Can’t apply policy and provides limited to no access controls
• Typically deployed inside the perimeter
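An added example (not the product's code) of the "SSH firewall" idea in the Advanced column: a central, role-based policy evaluated once per channel request, which denies port-forwarding sub-channels unless the target lies in an approved subnet, denies any channel type the role has no rule for, and emits one JSON line per decision for a SIEM. The roles, subnets, user names and the ChannelRequest fields are constructed for illustration; the channel names follow the SSH connection protocol ("session", "subsystem", "direct-tcpip", "x11-req").

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed central policy: per role, whether an interactive session is allowed,
# which subsystems may be requested, and which subnets port forwarding may reach.
POLICY = {
    "dba": {
        "session": True,
        "subsystems": {"sftp"},
        "direct-tcpip": ["10.0.2.0/24"],   # forwarding only into the database subnet
    },
    "app-admin": {
        "session": True,
        "subsystems": set(),
        "direct-tcpip": [],                # no port forwarding at all
    },
}


@dataclass
class ChannelRequest:
    user: str
    role: str
    kind: str          # "session", "subsystem", "direct-tcpip", "x11-req", ...
    detail: str = ""   # subsystem name or "host:port" forwarding target


def evaluate(req: ChannelRequest) -> dict:
    """Decide a single channel request against the role's policy. Anything the
    policy does not explicitly allow is denied (deny by default)."""
    rules = POLICY.get(req.role)
    if rules is None:
        decision, reason = "deny", "unknown role"
    elif req.kind == "session":
        decision, reason = ("allow", "interactive session") if rules["session"] else ("deny", "no shell")
    elif req.kind == "subsystem":
        ok = req.detail in rules["subsystems"]
        decision, reason = ("allow" if ok else "deny"), f"subsystem {req.detail}"
    elif req.kind == "direct-tcpip":
        host, _, _port = req.detail.rpartition(":")
        try:
            target = ipaddress.ip_address(host)
            ok = any(target in ipaddress.ip_network(net) for net in rules["direct-tcpip"])
        except ValueError:
            ok = False   # hostnames are not resolved at the policy point: deny closed
        decision, reason = ("allow" if ok else "deny"), f"forward to {req.detail}"
    else:
        decision, reason = "deny", f"channel type {req.kind} not permitted"
    return {"user": req.user, "role": req.role, "kind": req.kind,
            "detail": req.detail, "decision": decision, "reason": reason}


def siem_event(verdict: dict) -> str:
    """One JSON line per decision, the form a SIEM can ingest and correlate."""
    return json.dumps({"source": "ssh-policy", **verdict}, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample requests from two users.
    requests = [
        ChannelRequest("jdoe", "dba", "session"),
        ChannelRequest("jdoe", "dba", "subsystem", "sftp"),
        ChannelRequest("jdoe", "dba", "direct-tcpip", "10.0.2.15:5432"),
        ChannelRequest("jdoe", "dba", "direct-tcpip", "10.0.9.7:22"),
        ChannelRequest("rsmith", "app-admin", "direct-tcpip", "10.0.2.15:5432"),
        ChannelRequest("rsmith", "app-admin", "x11-req"),
    ]
    for r in requests:
        print(siem_event(evaluate(r)))
```

Two design choices matter here: the default branch denies anything the policy does not name, so a new channel type cannot slip through unexamined, and a forwarding target given as a hostname is denied rather than resolved, so a user cannot pick a name that resolves differently at the policy point and at the server.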
15. Success Proves Need
• Top 10 global technology company selects CryptoAuditor to deliver inline, transparent monitoring of Secure Shell tunnels in order to prevent unauthorized transfer of high value intellectual property.
• Major European securities depository selects CryptoAuditor to monitor and control external application developers and administrators working in their data centers
• One of Europe’s largest cloud and IT services providers selects CryptoAuditor to monitor, enforce policy and control access to 30,000+ hosts
Our solution to solve the challenge is called CryptoAuditor. The connections are intercepted by the inline network appliance. As we act at the network traffic level, either as a router or a bridge, we are able to intercept the connection completely transparently to the end users and applications. There is no need to install any agents anywhere.

The data capture module, CryptoAuditor Hound, acts as a friendly man-in-the-middle: it intercepts the encrypted connection, removes the encryption, and places the connection under full control and auditing. All the audit trails are sent to centralized audit trail storage, called CryptoAuditor Vault, which also acts as the centralized management and reporting point.

All the modules are available as virtual and hardware appliances and can be set up in high availability mode. As the data capture model is distributed, you can place the data capture modules freely around your environment, whatever fits your needs and network topologies.

So, as mentioned before, we can capture encrypted SSH, SFTP and RDP connections, and the audit trails are sent to a centralized repository. All the audit trails can be replayed later on, or even watched in real time. You can see the connections exactly as they happened.

Furthermore, all the connections and their content are indexed as soon as they arrive at the Vault. This enables you to get real-time visibility into the content of the connections, run manual searches based on keywords and create automated reports based on your search criteria. This functionality is also available for graphical connections such as RDP. For those we use OCR, optical character recognition, to identify text patterns in the graphical connection stream.

Because we are able to index the content in real time, you can also integrate this with your existing security infrastructure, such as data loss prevention and intrusion prevention tools or your SIEM architecture. By being able to provide visibility and control over encrypted connections, you can take full advantage of your existing solutions by integrating them with CryptoAuditor.

Finally, the deployment of the solution is minimally invasive to your environment: no changes are required to the user experience or processes, and there is no need to install any agents or other applications.
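The Vault description above mentions real-time indexing, keyword search and automated reports. As an added example (not CryptoAuditor code), here is a minimal inverted index over session transcripts, in which OCR text recovered from an RDP session is indexed exactly like shell output, plus a rule table that turns saved searches into alerts carrying the session metadata a SIEM needs for correlation. Session ids, user names, hosts and transcript lines are constructed.

```python
import re
from collections import defaultdict

# Constructed audit trails in the shape a capture module would deliver:
# (session id, connection metadata, transcript lines). For the RDP session the
# "lines" are what OCR recovered from the screen stream.
SESSIONS = [
    ("s-1001", {"user": "jdoe", "proto": "ssh", "dst": "db01"},
     ["$ cd /trans", "$ cat t1101.dat", "AMEX 1101922", "VISA 38293928"]),
    ("s-1002", {"user": "svc-backup", "proto": "sftp", "dst": "db01"},
     ["put /backup/db01-full.tar.gz", "bye"]),
    ("s-1003", {"user": "rsmith", "proto": "rdp", "dst": "win-app02"},
     ["Server Manager", "Local Users and Groups", "net user tempadmin /add"]),
]

# Tokens keep dots, slashes and dashes so file names and flags stay searchable.
TOKEN = re.compile(r"[A-Za-z0-9_./-]+")


class Vault:
    """Inverted index over session content, extended as each trail arrives."""

    def __init__(self):
        self.sessions = {}               # session_id -> (meta, lines)
        self.index = defaultdict(set)    # token -> {(session_id, line_no)}

    def ingest(self, session_id, meta, lines):
        self.sessions[session_id] = (meta, lines)
        for n, line in enumerate(lines, 1):
            for tok in TOKEN.findall(line.lower()):
                self.index[tok].add((session_id, n))

    def search(self, query):
        """Ids of sessions whose content contains every term of the query."""
        result = None
        for term in query.lower().split():
            ids = {sid for sid, _ in self.index.get(term, ())}
            result = ids if result is None else result & ids
        return sorted(result or ())

    def matching_lines(self, session_id, query):
        """(line number, text) for lines that contain all query terms."""
        _meta, lines = self.sessions[session_id]
        terms = query.lower().split()
        return [(n, line) for n, line in enumerate(lines, 1)
                if all(t in TOKEN.findall(line.lower()) for t in terms)]

    def report(self, rules):
        """rules: alert name -> saved query. Returns one alert per matching
        session, carrying the connection metadata plus the evidence lines."""
        alerts = []
        for name, query in rules.items():
            for sid in self.search(query):
                meta, _lines = self.sessions[sid]
                alerts.append({"alert": name, "session": sid, **meta,
                               "lines": self.matching_lines(sid, query)})
        return alerts


# Constructed saved searches that run automatically over new trails.
RULES = {
    "cardholder data file viewed": "cat t1101.dat",
    "local account created": "net user /add",
}


def build_vault():
    v = Vault()
    for sid, meta, lines in SESSIONS:
        v.ingest(sid, meta, lines)
    return v


if __name__ == "__main__":
    for alert in build_vault().report(RULES):
        print(alert)
```

Because the index is keyed on tokens rather than whole lines, a search term such as "net user" finds the RDP session even though OCR delivered the screen as separate fragments, and the report carries the user, protocol and destination so the alert can be joined to firewall and SIEM records for the same connection.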