Control and Monitor Privileged Access to your Windows Servers
Jörn Dierks, Götz Walecki
Agenda
• The need to monitor IT-based change
• Typical approaches to monitoring systems
• How NetIQ approaches change monitoring
• How NetIQ compares to alternative approaches
• Demo
• Questions
CardSystems' Data Left Unsecured
Kim Zetter | Wired Magazine | 22 June 2005
MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network.
"Had they been following the rules and requirements, they would not have been compromised," Jones said.
Dai Nippon Printing reports client data theft
Reuters | 12 March 2007
TOKYO, March 12 (Reuters) - Japan's Dai Nippon Printing Co. said on Monday a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients including Toyota Motor Corp.
Dai Nippon, one of Japan's largest commercial printing companies, said the confidential information included names, addresses and credit card numbers intended for use in direct mailing and other printing services.
Dai Nippon said the employee stole client data between May 2001 and March 2006 by copying information on to floppy disks and other recording media.
TJX thieves had time to steal, trip up
By Mark Jewell | AP | 13 April 2007
TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said.
The way TJX detected the breach — by finding what the company calls "suspicious software" on its computer systems — is an indication not only of the hackers' skill in avoiding detection for so long but also holes in TJX's security, experts say.
The Need to Monitor IT-based Change
Hard Lessons Learned
• 5 Years Undetected | Theft by insider
• 8 Months Undetected | Internet-based theft
• 17 Months Undetected | Theft via wireless access
These breaches occurred over long periods of time and took different threat vectors
Typical Approaches to Monitoring Change
Approach | How it works
Native Object-Level File Auditing | Auditing is initially set at the system policy level, and then individual folders and files need to be configured to be audited.
File Integrity Checkers | The checker computes a checksum (hash) for every monitored file and compares each subsequent run to the previous baseline.
Kernel Shims | Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events.
How NetIQ Approaches Change
NetIQ Change Guardian for Windows
• What is it?
– Detects the activities of, and changes implemented by, privileged-level users across your Windows Servers
– A module of Security Manager that delivers real-time and historic audit of Windows servers
• Why is it important?
– Delivers high-fidelity change and activity information WITHOUT requiring native auditing across:
• Files & Folders [Create, Delete, Move to Recycle Bin, Rename, Move, Change Permissions, Change Ownership, Read]
• Shares [Create, Delete, Modify]
• Registry Keys [Create Key, Delete Key, Create Value, Delete Value, Modify Value]
• Processes [Started, Terminated]
Change Guardian for Windows: Overview
• Windows Monitoring
– Monitors system changes without Windows auditing enabled, via a File System Filter Driver
– Monitors Files, Registry Keys, Processes and File Shares
• Event Notification Details:
– Before and After values are supplied for each change
– Changes are identified as Managed/Unmanaged
– Similar changes are consolidated before being sent
• Managed/Unmanaged Forensic Reports
• Rules Configuration
– Alert escalation based on rule
– Enterprise rule deployment
– Synchronization with Active Directory
Change Guardian for Windows: Components
• File System Filter Driver – A kernel-level driver that passively monitors messages in the OS based on filter rules. “A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend functionality provided by the original target of the request.” (MSDN)
• Configuration Wizard – The console for configuring and deploying the filters that the File System Filter Driver will use to collect change information.
• NetIQ Security Manager – CGW leverages Security Manager's enterprise-level three-tier architecture to provide storage, secure communications and reporting.
Change Guardian for Windows Architecture
[Architecture diagram; only its labels survived extraction.]
Monitored Server: File System Filter Driver (File System, Registry, Process), Config Registry, Change, IOCTL, CG Programmable Provider Plugin, SM Agent; Config, Events and Data flows between them.
SM Central Computer: OnePoint, Alerts, LM Config, LM Summary, Daily Log DBs, Events; SM Configuration Wizard with CG Pages (Config); SM Analysis Console with CG Reports (Data); CG Service (Poll Change Administrator, Expand SM Computer Groups; Config).
Advantages of a File System Filter Driver
• Based on a supported API from Microsoft
– Uses an industry-supported file system filter driver (FSFD) that removes unnecessary risks to system availability
– The FSFD approach drastically reduces server utilization and improves system performance
• CGW is notified of an event as it is in progress
– Able to produce the values of the change both before and after the change occurs
– Real-time monitoring
• Who did it, with increased fidelity
• Events can be consolidated before sending
– Noise reduction
• Does not require native auditing
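The two behaviours this slide (and the Event Notification Details above) attribute to the filter-driver approach, capturing the value before and after each change and consolidating bursts of similar events before they are sent, can be shown with a small routine. The following is an added Python example, not NetIQ code: the event schema, the 60-second consolidation window and the sample stream (a burst of writes to a web.config, one Run-key value change, a later isolated write) are all constructed here as assumptions about what a driver-level event feed might look like.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass
class ChangeEvent:
    """One change as a filter driver might report it (constructed schema)."""
    time: float        # seconds since monitoring started
    user: str
    computer: str
    operation: str     # e.g. "WriteData", "Modify Value"
    target: str        # file path or registry value
    before: str        # value before the change
    after: str         # value after the change
    count: int = 1     # how many raw events this record represents


def consolidate(events: List[ChangeEvent], window: float = 60.0) -> List[ChangeEvent]:
    """Collapse bursts of similar events (same user, computer, operation and
    target, within `window` seconds of the first one) into a single record.
    The record keeps the first 'before' and the last 'after', so the net
    effect of the burst stays visible while the noise is removed."""
    consolidated: List[ChangeEvent] = []
    open_by_key: Dict[Tuple[str, str, str, str], ChangeEvent] = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.user, ev.computer, ev.operation, ev.target)
        current = open_by_key.get(key)
        if current is not None and ev.time - current.time <= window:
            current.after = ev.after      # later state wins
            current.count += 1
            continue
        current = replace(ev)             # copy, so the input list is untouched
        open_by_key[key] = current
        consolidated.append(current)
    return consolidated


# Constructed sample stream: five rapid writes to one file by a service
# account, a registry Run-key change by another user in the middle of that
# burst, and a further write to the same file well outside the window.
SAMPLE_EVENTS = [
    ChangeEvent(2.0 * i, "CORP\\svc_backup", "FS01", "WriteData",
                r"C:\inetpub\wwwroot\web.config", f"v{i}", f"v{i + 1}")
    for i in range(5)
] + [
    ChangeEvent(3.0, "CORP\\jdoe", "FS01", "Modify Value",
                r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
                "", r"C:\Temp\u.exe"),
    ChangeEvent(400.0, "CORP\\svc_backup", "FS01", "WriteData",
                r"C:\inetpub\wwwroot\web.config", "v5", "v6"),
]


def demo() -> List[ChangeEvent]:
    """Seven raw events collapse to three records."""
    return consolidate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.count:>2}x {ev.operation:<12} {ev.target} by {ev.user}: "
              f"{ev.before!r} -> {ev.after!r}")
```

The burst of five writes becomes one record reading `v0 -> v5` with a count of 5, the registry change stays separate because its key differs, and the write at 400 seconds opens a new record because it falls outside the window of the first burst. Keeping the first "before" rather than the last is what makes the consolidated record useful for forensics: it still answers what the file looked like before the activity started.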
Configuration
• A single wizard allows you to create filters for:
– Files, File Shares, Registry Keys and Processes
• Rules can be restricted by:
– Users / Groups (local or domain level)
– Computer
– Time
• Filter Deployment wizard
– Synchronizes with Active Directory to maintain group membership
– Publishes rules to the enterprise
– Automatically determines which rules apply to a computer
Leveraging NetIQ Security Manager
• Events are consolidated into the Log Manager along with the rest of your data
• Events are normalized to IDMEF format
• Secure, fault-tolerant communication
• Enterprise Deployment Wizard
• Forensic and Trend Reporting
• Event Correlation
Native Object-Level File Auditing
• Definition – Auditing set at the system policy level via object access, for folders and files that need to be audited
• How CGW compares:
– Clearly states what has occurred on the system
– Provides before and after values for events
– Consolidates events to reduce noise
– Central configuration of auditing for the enterprise
– Better visibility into the details of the change
– Lightweight solution
Native Object Access
Example: Native events when writing to a file with Notepad
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\test\test.txt
  New Handle ID: 120
  Operation ID: {0,33974}
  Process ID: 2152772960
  Primary User Name: Administrator
  Primary Domain: DOMAIN
  Primary Logon ID: (0x0,0x19E5)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: READ_CONTROL
            SYNCHRONIZE
            ReadData (or ListDirectory)
            WriteData (or AddFile)
            AppendData (or AddSubdirectory or CreatePipeInstance)
            ReadEA
            WriteEA
            ReadAttributes
            WriteAttributes
  Privileges: -
File Integrity Checkers
• Definition – The checker computes and stores a checksum (hash) and META information for every monitored file, and compares each subsequent run to the previous baseline.
• How CGW compares:
– Does not require a cache of file data to deliver before and after values
– Changes are tracked in real time instead of through a scheduled audit
– Enterprise rules-based configuration
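To make the comparison concrete, here is a minimal file integrity checker of the kind the "Typical Approaches" table and this slide describe: it hashes every file under a directory together with its size and modification time, stores that as the baseline, and diffs the next run against it. This is an added Python example written for this page, not any vendor's product; the directory contents and the activity between the two runs are constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Checksum plus META information (size, mtime) for every file under root."""
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> dict:
    """Diff two runs: files that appeared, vanished, or whose hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(name for name in set(baseline) & set(current)
                      if baseline[name]["sha256"] != current[name]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Two scheduled runs over a constructed directory, with activity in between."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "service.conf").write_text("port=443\n")
        run1 = build_baseline(root)

        # Constructed activity between the two scheduled runs:
        (root / "service.conf").write_text("port=8443\n")         # persistent edit
        (root / "dropped.dll").write_bytes(b"MZ\x90\x00")          # new file
        (root / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 payments\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")      # reverted before run 2

        run2 = build_baseline(root)
        return compare(run1, run2)


if __name__ == "__main__":
    print(demo())
```

The second run reports `service.conf` as modified and `dropped.dll` as added, but says nothing about `hosts`: its content was changed and put back between the two runs, so the hash matches the baseline again. That is the gap between a scheduled audit and real-time tracking. Note also that the report for `service.conf` only says the hash differs; producing `port=443 -> port=8443` would require the checker to keep a copy of every monitored file, which is the cache of file data the slide refers to.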
Kernel Shims
• Definition – Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events
• How CGW compares:
– CGW is based on a supported API from Microsoft
– CGW is completely passive in how it monitors changes
– Dramatically reduced risk of Blue Screening
Additional Features
• Managed / Unmanaged event classification
– Specify AD users authorized to make changes
– Integration with Change Administrator automatically turns on monitoring for connected sessions
• Alert Escalation
– Based on rule definition
– Automated response
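The Configuration slide says rules can be restricted by user or group, computer and time, and this slide adds that changes are classified as managed or unmanaged against the users authorized to make them, with alert escalation driven by the rule. The following added Python example (not NetIQ code) sketches that logic end to end: a rule carries a path pattern, the operations it covers, the authorized users, an optional computer list, an optional change window and a severity, and each incoming change is matched to its first applicable rule and classified. Rule names, the two sample rules, the account names, computer name, timestamps and the change records are all constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    """A filter rule: what to watch, who may change it, where and when.
    All fields are a constructed schema for this example."""
    name: str
    path_pattern: str                           # fnmatch-style file or registry pattern
    operations: Set[str]
    authorized_users: Set[str] = field(default_factory=set)
    computers: Optional[Set[str]] = None        # None = applies to every computer
    window: Optional[Tuple[time, time]] = None  # change window for authorized users
    severity: str = "medium"                    # escalation level for unmanaged changes


@dataclass
class Change:
    when: datetime
    user: str
    computer: str
    operation: str
    target: str
    before: str
    after: str


def rule_applies(rule: Rule, ch: Change) -> bool:
    """Does this rule monitor the object, operation and computer of the change?"""
    if not fnmatch(ch.target.lower(), rule.path_pattern.lower()):
        return False
    if ch.operation not in rule.operations:
        return False
    return rule.computers is None or ch.computer in rule.computers


def is_managed(rule: Rule, ch: Change) -> bool:
    """Managed = made by an authorized user, inside the change window if one is set."""
    if ch.user.lower() not in {u.lower() for u in rule.authorized_users}:
        return False
    if rule.window is not None:
        start, end = rule.window
        return start <= ch.when.time() <= end
    return True


def classify(rules: List[Rule], changes: List[Change]) -> List[dict]:
    """First matching rule decides; changes matching no rule are not reported."""
    findings = []
    for ch in changes:
        for rule in rules:
            if rule_applies(rule, ch):
                managed = is_managed(rule, ch)
                findings.append({
                    "rule": rule.name, "user": ch.user, "target": ch.target,
                    "before": ch.before, "after": ch.after, "managed": managed,
                    "severity": "info" if managed else rule.severity})
                break
    return findings


# Constructed rules: system binaries may be changed by the patching account
# during a night-time window; autostart entries only by the desktop admin.
RULES = [
    Rule("System32 binaries", r"C:\Windows\System32\*", {"WriteData", "Rename", "Delete"},
         authorized_users={"CORP\\patchsvc"}, window=(time(1, 0), time(5, 0)), severity="high"),
    Rule("Autostart Run key", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\*",
         {"Create Value", "Modify Value"}, authorized_users={"CORP\\desktopadmin"},
         severity="critical"),
]


def demo() -> List[dict]:
    """Five constructed changes: one managed, three unmanaged, one unmonitored."""
    changes = [
        Change(datetime(2016, 1, 4, 2, 30), "CORP\\patchsvc", "FS01", "WriteData",
               r"C:\Windows\System32\drivers\sample.sys", "<old>", "<new>"),
        Change(datetime(2016, 1, 4, 14, 0), "CORP\\jdoe", "FS01", "WriteData",
               r"C:\Windows\System32\cmd.exe", "<old>", "<new>"),
        Change(datetime(2016, 1, 4, 14, 1), "CORP\\patchsvc", "FS01", "WriteData",
               r"C:\Windows\System32\kernel32.dll", "<old>", "<new>"),
        Change(datetime(2016, 1, 4, 14, 5), "CORP\\jdoe", "FS01", "Modify Value",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "", r"C:\Temp\u.exe"),
        Change(datetime(2016, 1, 4, 14, 6), "CORP\\jdoe", "FS01", "WriteData",
               r"C:\Users\jdoe\notes.txt", "a", "b"),
    ]
    return classify(RULES, changes)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']:<8}] {'managed' if f['managed'] else 'UNMANAGED'} "
              f"{f['rule']}: {f['user']} -> {f['target']}")
```

The patching account's write at 02:30 is managed; the same account writing at 14:01 is unmanaged because it falls outside the rule's window, which is how a change-control process gets enforced rather than merely recorded. The unauthorized Run-key change escalates at the rule's own severity, and the edit under the user's profile produces nothing because no rule covers it, which is the noise-reduction side of rules-based configuration.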
Why NetIQ Change Guardian for Windows?
• Provides powerful, real-time change monitoring
– Detects changes across files and directories, shares, registry entries, and system processes
• Eliminates the need for native object-level auditing
– Uses an industry supported file system filter driver (FSFD) that removes unnecessary risks to system availability
– FSFD approach drastically reduces server utilization and improves system performance
• Validates and enforces change control processes
– Categorizes changes as “managed” versus “unmanaged”
– Identifies where change controls may have been circumvented
• Centrally records and audits all changes
– Consolidates and archives change events from across the enterprise for subsequent analysis
– Enables detailed reporting and analysis to identify trends and perform in-depth root-cause analysis
• Delivers comprehensive change reporting
– Captures pre- and post-change values
– Provides change reports based on one or more users or computers
• Works with a broader solution for Windows change control
– Extends the award-winning NetIQ Security Manager platform
– Augments NetIQ Change Administrator for Windows, dynamically monitoring administrative sessions and enhancing administrator activity reporting
Demo
Change Guardian for Windows
Thank you!
Q & A