Date posted: 26-May-2015 | Category: Technology | Uploaded by: hp-enterprise
MODERN INSIDER THREAT DETECTION
Gab Gennai, Senior Technology Consultant
ArcSight IdentityView – In a nutshell
THE MORE THINGS CHANGE…
www.arcsight.com
Old School: Butch Cassidy and the Sundance Kid
– Breach: Break into the building
– Privilege Escalation: Open the safe
– Monetise: Leave with the cash
New School: RBS World Pay
– Breach: Hack Perimeter Security
– Privilege Escalation: Access Debit Card System
– Monetise: ATM Network Fraud
RBS WORLD PAY
3 Chances to detect the fraud
– Perimeter (SQL Injection, Database Activity, Transaction Analysis)
ENTERPRISE THREAT AND RISK MANAGEMENT: Comprehensive View of Business Risk
– FW, IDS, AV, Proxy, VA
– Internal Apps, DB, DLP, Email, Web, Badge
– Customer Transactions, Web Logs, Mainframe, CRM
Global Reporting by Lines of Business
Security Incidents (Security): DoS, SQL Injection, Malware, External Threats
High Risk Users (Identity): Insider Threat, PII/IP Protection, Privileged Users, Internal Fraud
Compromised Accounts (Fraud): 1st and 3rd Party, Online Banking, AML, Trading
WHY IDENTITYVIEW
– PII Protection
– Data Theft
– Contractors
– Privileged User Monitoring
“Swiss Banks' Achilles Heel Is Workers Selling Data”
“Former Boeing engineer convicted of spying for China”
“Five IRS Employees Charged With Snooping on Tax Returns”
ASSET CONTEXT + IDENTITY CONTEXT
ArcSight ESM / IdentityView
Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources
User categories: Contractor, DBA, HR User, Disgruntled, Developer, Notice Given, Former Employees, Privileged, New Hire, Classified
High-risk User Monitoring; Improved User Infrastructure; Activity Profiling
Identity Context: Oracle / SUN, IBM, CA, Active Directory, Custom
Asset Context: Asset Criticality, Business Impact, Vulnerability, Attack History
IDENTITY CORRELATION
– Correlate common identifiers such as email address, badge ID, phone extension
– Events occurring across devices that identify users by different attributes
– Attribute the event to a unique “identity” allowing correlation across any type of device
Identifiers: rjackson, 348924323, ronaldj, rjackson_dba, 510-555-1212
Identity: Ronald Jackson
PRIVILEGED (HIGH-RISK) USER MONITORING
Alert Fired: Inactive Contractor Account Detected
Problem: Outsourced IT operations = Hundreds of contractors managing critical applications
– Contracts end early
– Orphaned accounts
– Manual de-provisioning process, based on sponsor
INACTIVE CONTRACTOR ACCOUNT
Login Success: richardS
Active Identities List (Expiration: 2 Weeks)
Account    Last Used
randalla   3.13.09 3:35:37
rjackson   3.13.09 3:32:45
richardS   2.2.09 3:33:33
ArcSight ESM: Update Active Accounts
[02.16.09 3:33:33] Account Expired richardS
PROBLEM: SHARED USER ACCOUNT ATTRIBUTION
Problem: My auditor requires a report of all admin activity in my
– Legacy applications
– Shared privileged (admin) accounts
– No way to tie to actual user
Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin
Actual user: ?
Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin
Actual user: ?
SOLUTION: SHARED USER ACCOUNT ATTRIBUTION
Identity sessions on ArcSight ESM:
IP Address      Identity
10.12.23.7      haroldr
10.12.23.23     czfb12
10.12.22.35     bobc
192.168.10.6    katie
10.10.10.10     jimmyj
Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin
Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin
ArcSight ESM: Check Identity Sessions
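The IP-to-identity lookup on the two slides above, as an added Python example (not ArcSight's or HP's code): it parses login lines in the slide's format, resolves the shared fmadmin account through a constructed identity-session table with time windows, and leaves a login unattributed when no session covered its source IP at that time. The session windows, the third log line and the bobc entry are assumed sample data.

```python
from datetime import datetime

# Constructed identity sessions, as an IdentityView-style lookup would hold them:
# (identity, source IP, session start, session end). Assumed sample data.
IDENTITY_SESSIONS = [
    ("jimmyj", "10.10.10.10", datetime(2009, 2, 5, 8, 0), datetime(2009, 2, 5, 18, 0)),
    ("katie", "192.168.10.6", datetime(2009, 2, 5, 9, 0), datetime(2009, 2, 5, 17, 0)),
    ("bobc", "10.12.22.35", datetime(2009, 2, 5, 7, 30), datetime(2009, 2, 5, 12, 0)),
]

# Shared privileged accounts that cannot be tied to a person on their own.
SHARED_ACCOUNTS = {"fmadmin"}

# Constructed application log lines in the slide's "[date time] Login Success IP account" format.
APP_LOG = [
    "[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin",
    "[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin",
    "[02.5.2009 23:05:02] Login Success 10.12.22.35 fmadmin",  # outside bobc's session
]


def parse_event(line):
    """Split one log line into timestamp, source IP, account and outcome."""
    ts_text, rest = line[1:].split("] ", 1)
    ts = datetime.strptime(ts_text, "%m.%d.%Y %H:%M:%S")
    result, status, ip, account = rest.split()
    return {"time": ts, "ip": ip, "account": account, "outcome": f"{result} {status}"}


def attribute(event):
    """Return the person behind a login: the account itself if it is personal,
    otherwise the identity whose session held the source IP at event time,
    or None when no session matches (left for investigation, never guessed)."""
    if event["account"] not in SHARED_ACCOUNTS:
        return event["account"]
    for identity, ip, start, end in IDENTITY_SESSIONS:
        if ip == event["ip"] and start <= event["time"] <= end:
            return identity
    return None


def attribution_report(log):
    """Build the auditor's view: every admin login with the attributed identity."""
    report = []
    for line in log:
        event = parse_event(line)
        event["identity"] = attribute(event)
        report.append(event)
    return report
```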
IDENTITYVIEW: PRIVILEGED USER MONITORING
IdentityView Key Features:
• Correlates IP addresses with user identity, across accounts
• Compares user activity to roles and rights to detect violations
• Profiles user behavior based on historical patterns
• Complete visibility
– Privileged or sensitive (high-risk) user monitoring
– Extend monitoring beyond identity management system
– Activity profiling
IdentityView Gives You:
• Enhanced visibility of all activities and processes
• Improved control of your network, with less cost
• Increased compliance from comprehensive activity reporting
NEXT STEPS
Visit: The Cloud System Feature
Engage: See the HP Rep at rear of clinic
Seek more: Request follow up via Eval Form
Re-Live: www.hp.com.au/taw11post
HP TECHNOLOGY@WORK 2011: THE INSTANT-ON ENTERPRISE IS HERE
QUESTIONS?