Focus on internal IT security

A collaboration between Udenrigsministeriet (the Danish Ministry of Foreign Affairs, UM) and Atos
23 September 2015
© Atos IT Solution and Services
Agenda
▶ Introduction
▶ UM in brief
▶ UM internal security measures
▶ CyberArk EPV
▶ LogPoint
▶ CyberArk PTA
▶ Lessons learned
23-09-2015
Bjørn Lysholm Jensen, Udenrigsministeriet
Ole Jepsen, Atos
© Atos IT Solution and Services
UM IT in brief
▶ Number of employees at UM: approx. 2,400
▶ Number of IT staff at UM: 56
▶ 753 servers (incl. virtual)
▶ Approx. 5,000 workstations (incl. MPCs)
▶ Locations
– Foreign service (94 sites)
– Home service (1 site)
Typical internal security measures
▶ Physical security
– Access to server rooms
– Network access (e.g. 802.1X)
▶ Patch management
– Security updates
– System updates
▶ Anti-virus
– Daily updates
– Handling of virus incidents
▶ Backup
– Daily backup
– Restore testing
▶ Log management
– Collection of events
– Analysis
Typical internal security measures (continued)
▶ Monitoring
– Hardware
– Software
▶ Logical access control and identity management
– Two-factor authentication (OTP token)
– Privilege management (FIM and AD)
▶ Training
– Security awareness
▶ Ongoing control and follow-up
Focus on: CyberArk
CyberArk components (architecture diagram)
At the centre: Secure Digital Vault™ governed by the Master Policy.
Product components: Enterprise Password Vault, Privileged Session Manager, Application Identity Manager, OnDemand Privileges Manager, Privileged Threat Analytics; Management Portal/Web Access.
Integrations: UM Identity Management, Ticketing Systems, Monitoring & SIEM, Enterprise Directory and More.
Users: External Vendors, IT Personnel, Applications, Auditors, Developers & DBAs.
Any Device, Any Datacenter – On Premise, Hosted or In The Cloud
CyberArk at UM
▶ DNA scan
– Periodic scan for changes in AD
▶ Password rotation
▶ Service accounts
– Policies with and without automatic password rotation
▶ Privileged users
▶ Local administrators
▶ Envelope users
– Passwords for accounts that are not managed by CyberArk
▶ Access control
– Use of an account with a stated reason (Reason)
– Use of an account with approval (dual control)
– Use of an account with two-factor validation
▶ Integration with IdM (FIM)
CyberArk at UM (diagram)
1. Request workflow: IT → Portal → Vault (Policy Manager)
2. Direct connection: IT → Enterprise IT Environment
Vault contents shown in the diagram (System / User / Pass):
– Unix / root
– Oracle / SYS
– Windows / Administrator
– z/OS / DB2ADMIN
– Cisco / enable
Each account holds its own vault-generated random password (the diagram shows values such as Oiue^$fgW, gviNa9%, Tojsd$5fh, y7qeF$1, X5$aq+p and lm7yT5w).
CyberArk at UM (network diagram)
Diagram labels: Vault (HA Cluster) on the intranet; two DMZ zones, each with its own IT Environment and Auditors/IT access.
Focus on: LogPoint
Logpoint
From a fragmented overview to a consolidated overview (diagram): separate views of IPS, Firewall, Server Logs and Vulnerability Management are brought together in one consolidated overview.
Logpoint
Consolidated overview (log sources shown in the diagram)
– Web cache & proxy logs
– Web server activity logs
– Switch logs
– Content management logs
– IDS/IDP logs
– Router logs
– VA scan logs
– VPN logs
– Windows logs
– Windows domain logins
– Firewall logs
– Wireless access logs
– Linux, Unix, Windows OS logs
– Database logs
– Client & file server logs
– Mainframe logs
– SAN file access logs
– VLAN access & control logs
– DHCP logs
– Oracle Financial logs
LogPoint
Dashboards
Logpoint at UM
• Collection of logs from:
– Domain controllers
– File servers
– Exchange
– CyberArk
– Other central devices
• Consolidated overview of events across systems
– Setup of search templates
– Alerts on critical events
– Reporting
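A consolidated view across systems is what makes a critical-event alert such as "a privileged account logged on to a domain controller without anyone first retrieving its password from CyberArk" possible. The Python below is an added illustration of that correlation and is not LogPoint's or UM's own configuration; the log lines are constructed, and the key=value layout, the field names and the list of monitored accounts are assumptions made for the example (Windows event 4624 and logon type 10 are the real identifiers for a successful remote interactive logon).

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real UM data). Two of the sources named on
# the slide are represented: the domain controller ("dc", Windows event 4624 =
# successful logon, logon_type 10 = remote interactive) and CyberArk
# ("cyberark", a password retrieval from the vault). The key=value layout and
# the field names are assumptions made for this example.
SAMPLE_EVENTS = """\
2015-09-23T08:01:10 source=cyberark action=retrieve account=svc-backup user=bjorn reason=TICKET-4711
2015-09-23T08:03:42 source=dc event=4624 account=svc-backup host=FILESRV01 logon_type=10
2015-09-23T09:15:00 source=dc event=4624 account=adm-ole host=DC01 logon_type=10
2015-09-23T09:40:05 source=cyberark action=retrieve account=adm-ole user=ole reason=TICKET-4712
2015-09-23T09:41:30 source=dc event=4624 account=adm-ole host=DC01 logon_type=10
2015-09-23T10:02:11 source=dc event=4624 account=jdoe host=FILESRV01 logon_type=10
"""

# Privileged accounts whose every use must be backed by a vault retrieval (assumption).
MONITORED_ACCOUNTS = {"svc-backup", "adm-ole"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one log line into a dict; the leading token is the ISO timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def find_unbacked_privileged_logons(text, window=timedelta(hours=1)):
    """Alert on every monitored-account logon seen by the domain controller that
    is not preceded, within `window`, by a CyberArk retrieval of that account."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    retrievals = [e for e in events
                  if e.get("source") == "cyberark" and e.get("action") == "retrieve"]
    alerts = []
    for e in events:
        if e.get("source") != "dc" or e.get("event") != "4624":
            continue
        if e["account"] not in MONITORED_ACCOUNTS:
            continue
        backed = any(r["account"] == e["account"]
                     and timedelta(0) <= e["ts"] - r["ts"] <= window
                     for r in retrievals)
        if not backed:
            alerts.append((e["ts"].isoformat(), e["account"], e["host"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unbacked_privileged_logons(SAMPLE_EVENTS):
        print("ALERT privileged logon without vault checkout:", alert)
```

On the sample data only the 09:15:00 logon of adm-ole fires: its retrieval happens 25 minutes later, so the password was used before it was checked out. The window is the tuning knob: too short and legitimate use that takes a while to start shows up as false positives, too long and it hides misuse.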
Focus on: PTA
Privileged Threat Analytics
Introduction
Privileged Threat Analytics detects abnormal privileged account behaviour.
PTA detects and identifies irregularities as they happen by comparing current privileged activity with historical activity in real time.
This makes it possible for an incident response team to react and avert the attack before serious damage has been done.
Privileged Threat Analytics
Why?
▶ Identify advanced attacks in progress
– Targeted analysis of privileged account activity
– Alerts based on real-time data
▶ Better understanding of the current threat level
– Real-time detection
– Correlation of events
– Classification of threats by severity
▶ Improve the effectiveness of the SIEM system
– A SIEM is centred on security issues reported from many sources; Privileged Threat Analytics is focused on identifying suspicious privileged user activity
– Complementary to, not an alternative to, the SIEM
Privileged Threat Analytics
Overview
Privileged Threat Analytics
Dashboard
Privileged Threat Analytics
UM benefits
▶ Ability to detect and alert on malicious behaviour
– Reduces the attacker's window of opportunity
– Enables a fast and precise response to stop an attack
▶ One solution for detecting both external and internal threats
▶ No dependence on signatures, sandboxing or other methods that require prior knowledge of the attack
▶ Adapts over time to changes in user behaviour
▶ Improves the effectiveness of the SIEM by focusing on the activity that really matters
– Reduces false positives
▶ Pragmatic approach to analysis
– The "right" data vs. "all" the data
Lessons learned
▶ Start small
▶ Think big and in integrated solutions
▶ Phased implementation with "many" small deliveries
▶ Use a live POC to uncover unknown and complex aspects
▶ Organisational implementation
• Security is not sexy; it requires management backing
• Dedicated system owner
• Limited number of administrators
▶ Remember the exceptions
Questions?
Thank you for your attention
Bjørn Lysholm Jensen
[email protected]
Ole Jepsen
[email protected]
Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere,
Atos Cloud and Atos Worldgrid are registered trademarks of Atos SE.
April 2015
© 2015 Atos Consulting. Confidential information owned by Atos, to
be used by the recipient only. This document, or any part of it,
may not be reproduced, copied, circulated and/or distributed nor
quoted without prior written approval from Atos.
BACKUP Slides
Automatically Discover Privileged Accounts
Where do all the privileged and superuser accounts exist?
– Unix/Linux servers
– VMware ESX/ESXi: Linux virtual images, Windows virtual images
– Windows servers: Windows services, scheduled tasks, IIS pools
– Windows desktops & laptops
CyberArk at UM (account lifecycle diagram)
1. Master/exception policy definition (Security/Risk Management defines the policy in the Vault's Policy Manager)
2. Initial load & reset: automatic detection, bulk upload, manual
3. Request workflow: dual control, integration with ticketing systems, one-time passwords, exclusivity, groups
4. Direct connection to device
5. Auditor access
The diagram contrasts the accounts before and after onboarding (System / User / Pass): before, Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN and Cisco enable all share the password tops3cr3t; after the initial reset each holds a distinct vault-generated password (gviNa9%, X5$aq+p, lm7yT5w, Oiue^$fgW, Tojsd$5fh, y7qeF$1).
Example flows shown: IT sends "Request access to Windows Administrator on prod.dom.us" through the Portal to the Vault; Auditors send "Request to view Reports".
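The request workflow on this slide and the access-control bullets on the earlier "CyberArk at UM" slide (reason, dual control, one-time passwords, exclusivity, initial reset of shared passwords) describe a small state machine. The Python below is an added illustration of that state machine; it is not CyberArk's code or API, and the password policy (12 characters, four character classes) and the request-id format are assumptions made for the example.

```python
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Character classes standing in for a master-policy password rule (assumption).
SYMBOLS = "$%^+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=12):
    """Random password satisfying the assumed policy: every class present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


class WorkflowError(Exception):
    """A request that violates the account's policy."""


@dataclass
class VaultedAccount:
    system: str
    user: str
    password: str
    dual_control: bool = True   # a second person must approve each request
    one_time: bool = True       # rotate the password after every check-in
    exclusive: bool = True      # at most one user may hold the password at a time
    pending: Dict[str, dict] = field(default_factory=dict)   # request id -> request
    checked_out_by: Optional[str] = None
    audit: List[tuple] = field(default_factory=list)


class Vault:
    def __init__(self):
        self.accounts: Dict[tuple, VaultedAccount] = {}

    def onboard(self, system, user, **policy):
        """Initial load: take over the account and reset its (shared) password."""
        acct = VaultedAccount(system, user, generate_password(), **policy)
        self.accounts[(system, user)] = acct
        acct.audit.append(("onboard+reset", system, user))
        return acct

    def request(self, system, user, requester, reason):
        """Step 1 of the workflow: a request always carries a reason."""
        acct = self.accounts[(system, user)]
        if not reason:
            raise WorkflowError("a reason (e.g. ticket number) is required")
        rid = secrets.token_hex(4)
        acct.pending[rid] = {"requester": requester, "reason": reason,
                             "approved": not acct.dual_control}
        acct.audit.append(("request", requester, reason, rid))
        return rid

    def approve(self, system, user, rid, approver):
        """Dual control: someone other than the requester approves."""
        acct = self.accounts[(system, user)]
        req = acct.pending[rid]
        if approver == req["requester"]:
            raise WorkflowError("dual control: requester cannot approve own request")
        req["approved"] = True
        acct.audit.append(("approve", approver, rid))

    def checkout(self, system, user, rid, requester):
        """Hand out the password once the request is approved and nobody else holds it."""
        acct = self.accounts[(system, user)]
        req = acct.pending.get(rid)
        if req is None or req["requester"] != requester:
            raise WorkflowError("no such request for this user")
        if not req["approved"]:
            raise WorkflowError("awaiting dual-control approval")
        if acct.exclusive and acct.checked_out_by is not None:
            raise WorkflowError(f"exclusive account in use by {acct.checked_out_by}")
        del acct.pending[rid]
        acct.checked_out_by = requester
        acct.audit.append(("checkout", requester, rid))
        return acct.password

    def checkin(self, system, user, requester):
        """Release the account; a one-time password is rotated immediately."""
        acct = self.accounts[(system, user)]
        if acct.checked_out_by != requester:
            raise WorkflowError("account is not checked out by this user")
        acct.checked_out_by = None
        acct.audit.append(("checkin", requester))
        if acct.one_time:
            acct.password = generate_password()
            acct.audit.append(("rotate", "one-time password reset"))


def rejected(action, *args):
    """True if the vault rejects action(*args) with a WorkflowError."""
    try:
        action(*args)
    except WorkflowError:
        return True
    return False
```

The audit list is the point of the exercise for an auditor: every request, approval, checkout, check-in and rotation is recorded with who did it and why, which is the trail the "Auditor access" step on the slide reads.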
PRIVILEGED SESSION MANAGER
Privileged Session Manager
Control, Isolate and Monitor Privileged Activity
– Establish a single point of control for privileged sessions
– Isolate malware from the target system
– Monitor and record command level activity
– Scalable, low impact architecture
Privileged Account Security for Remote Vendors (diagram)
Remote Vendors connect over HTTPS through the Firewall to the Vault on the Corporate Network; from there sessions reach Windows Servers, UNIX Servers & DBs (e.g. via Toad) and Routers and Switches. IT/Auditors/Security Operations oversee the sessions.
Application Identity Management
Eliminating Hard Coded Passwords
Where credentials hide (diagram):
– Configuration files & databases: web config files, INI/text files, application databases, J2EE application servers, application servers (also in the registry, FTP credentials and more)
– Service accounts: Windows services, IIS directory security, scheduled tasks, COM+, IIS application pools, registry (IIS for Windows® Server)
– Hard-coded, embedded credentials in third party applications
CyberArk Application Identity Manager
Applications shown in the diagram: Accounts Receivable (Websphere), CRM (Weblogic), Human Resources (IIS/.NET), Online Booking System (Legacy/Homegrown).

Before (credentials hard-coded in the application):
    UserName = "app"
    Password = "y7qeF$1"
    Host = "10.10.3.56"
    ConnectDatabase(Host, UserName, Password)

After (credentials fetched from the Vault at run time):
    UserName = GetUserName()
    Password = GetPassword()
    Host = GetHost()
    ConnectDatabase(Host, UserName, Password)

▪ Secure & reset application credentials with no downtime or restart
▪ Secure local caching for business continuity & high performance
▪ Avoid code changes & overhead upon application password or machine address change
▪ Strong authentication by: machine address, OS user, application path, signature/hash
Secure, manage and eliminate hard-coded privileged accounts from applications
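The slide's "after" snippet only shows the three Get calls; what makes them safe is that the provider authenticates the calling application by the four attributes listed (machine address, OS user, application path, signature/hash), serves a local cache when the Vault is unreachable, and lets the credential be rotated without touching the application. The Python below is an added illustration of those three properties and is not the CyberArk AIM SDK; the provider class, the application id "accounts-receivable", the fake application bytes and the injectable clock are all assumptions made for the example, and connect_database is a stand-in for a real driver.

```python
import hashlib
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AppIdentity:
    """The four attributes the slide lists for strong application authentication."""
    machine: str   # machine address
    os_user: str   # OS user the application runs as
    path: str      # application path
    digest: str    # signature/hash of the application binary


def identity_for(binary, machine, os_user, path):
    """Build an identity from the application's bytes plus its runtime context."""
    return AppIdentity(machine, os_user, path, hashlib.sha256(binary).hexdigest())


class CredentialProvider:
    """Stand-in for a vault-backed provider (assumption: not the CyberArk SDK)."""

    def __init__(self, cache_ttl=300, clock=time.time):
        self._registered = {}   # app_id -> AppIdentity allowed to fetch
        self._secrets = {}      # (app_id, name) -> {"user", "host", "password"}
        self._cache = {}        # (app_id, name) -> (credential, expiry)
        self._ttl = cache_ttl
        self._clock = clock     # injectable so cache expiry can be tested offline
        self.vault_online = True

    def register_app(self, app_id, identity):
        self._registered[app_id] = identity

    def set_credential(self, app_id, name, user, host, password):
        """Store or rotate a credential; the application needs no restart."""
        self._secrets[(app_id, name)] = {"user": user, "host": host, "password": password}

    def get_credential(self, app_id, name, presented):
        # All four identity attributes must match the registration.
        if self._registered.get(app_id) != presented:
            raise PermissionError("application identity mismatch")
        key = (app_id, name)
        if self.vault_online:
            cred = dict(self._secrets[key])
            self._cache[key] = (cred, self._clock() + self._ttl)
            return cred
        # Vault unreachable: serve the local cache for business continuity.
        cached = self._cache.get(key)
        if cached is None or cached[1] < self._clock():
            raise RuntimeError("vault offline and no fresh cached credential")
        return dict(cached[0])


def connect_database(host, user, password):
    """Stand-in for a real driver call; returns the connection parameters."""
    return {"host": host, "user": user, "password": password}


def connect_hardcoded():
    """'Before': the slide's left-hand example with the credential in the code."""
    return connect_database("10.10.3.56", "app", "y7qeF$1")


def connect_via_provider(provider, presented):
    """'After': user, host and password all come from the provider."""
    cred = provider.get_credential("accounts-receivable", "ardb", presented)
    return connect_database(cred["host"], cred["user"], cred["password"])


def try_connect(provider, presented):
    """Return ('ok', connection) or ('error', exception name)."""
    try:
        return ("ok", connect_via_provider(provider, presented))
    except (PermissionError, RuntimeError) as exc:
        return ("error", type(exc).__name__)
```

A tampered binary produces a different digest and is refused even when it runs on the right host, as the right user, from the right path; rotating the password in the provider changes what the next connection uses without any code change; and a cached credential survives a Vault outage only until its TTL expires.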
How Does it Work?
– Collect: collecting privileged accounts activity
– Ongoing profiling: profiling normal behaviour
– Detect: detecting abnormal privileged accounts activity
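The collect/profile/detect loop above, and the earlier PTA introduction (compare current privileged activity with historical activity, classify by severity, adapt to changing behaviour), can be shown end to end on a small baseline. The Python below is an added illustration and not PTA's algorithm: the history is constructed (20 working-hours actions by one administrator), the three profiled attributes (hour of day, source host, target host), the smoothed negative-log scoring and the severity thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict
from datetime import datetime


def new_profile():
    return {"n": 0, "hours": defaultdict(int), "sources": defaultdict(int),
            "targets": defaultdict(int)}


def add_event(profiles, account, ts, source, target):
    """Ongoing profiling: fold one observed privileged action into the baseline."""
    p = profiles.setdefault(account, new_profile())
    p["n"] += 1
    p["hours"][ts.hour] += 1
    p["sources"][source] += 1
    p["targets"][target] += 1


def build_profiles(history):
    """Collect: build per-account baselines from historical activity."""
    profiles = {}
    for account, ts, source, target in history:
        add_event(profiles, account, ts, source, target)
    return profiles


def surprise(counter, key, n):
    """-log of the smoothed relative frequency of `key` in past activity
    (0 would be 'always seen'; unseen values score highest)."""
    return -math.log((counter.get(key, 0) + 1) / (n + len(counter) + 1))


def score_event(profiles, account, ts, source, target):
    """Detect: how far the current action deviates from the account's history."""
    p = profiles.get(account)
    if p is None:
        return float("inf")   # a privileged account never seen before
    return (surprise(p["hours"], ts.hour, p["n"])
            + surprise(p["sources"], source, p["n"])
            + surprise(p["targets"], target, p["n"]))


def severity(s):
    # Thresholds are assumptions tuned to the constructed data, not PTA's own.
    if s < 3.0:
        return "normal"
    if s < 6.0:
        return "medium"
    return "high"


def detect(profiles, account, ts, source, target):
    s = score_event(profiles, account, ts, source, target)
    return severity(s), round(s, 2)


def constructed_history():
    """20 working-hours actions by adm-ole from WS-OLE, mostly against DC01."""
    hours = [9, 10, 11, 12, 13, 14, 15, 16, 9, 10, 11, 13, 14, 9, 10, 11, 13, 14, 12, 15]
    return [("adm-ole", datetime(2015, 9, 1 + i, h, 0), "WS-OLE",
             "FILESRV01" if i % 4 == 3 else "DC01") for i, h in enumerate(hours)]


if __name__ == "__main__":
    profiles = build_profiles(constructed_history())
    for ev in [(datetime(2015, 9, 23, 10, 0), "WS-OLE", "DC01"),
               (datetime(2015, 9, 23, 10, 0), "WS-OLE", "SQL01"),
               (datetime(2015, 9, 23, 3, 0), "WS-UNKNOWN", "FILESRV01")]:
        print(ev, "->", detect(profiles, "adm-ole", *ev))
```

The same administrator acting at 10:00 from the usual workstation against the usual domain controller scores "normal"; a new target at a normal time scores "medium"; a 03:00 action from an unknown workstation scores "high". Because add_event keeps updating the baseline, a night shift that becomes routine stops being surprising, which is the adaptation the benefits slide refers to, and also the reason a profile should only learn from activity that has been reviewed.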
Privileged Threat Analytics Dashboard
SIEM Architecture (diagram)
Log Sources → Collectors (Normalization) → SIEM Log servers (Analysis: Correlate, Search, Data Enrichment, Active Response; Archive to SAN-NAS; Local CTAS) → Centralized Management of the SIEM servers with Reporting (Compliance, Security, Forensics, Custom).
Other labels in the diagram: ESCM (Secure Multiuser Environment), CTAS.