Slide 1: Focus on internal IT security
A collaboration between Udenrigsministeriet (the Danish Ministry of Foreign Affairs, UM) and Atos
23 September 2015
Bjørn Lysholm Jensen, Udenrigsministeriet
Ole Jepsen, Atos
© Atos IT Solution and Services

Slide 2: Agenda
▶ Introduction
▶ Briefly about UM
▶ UM internal security measures
▶ CyberArk EPV
▶ LogPoint
▶ CyberArk PTA
▶ Lessons learned

Slide 3: UM IT in brief
▶ Number of employees in UM: approx. 2400
▶ Number of IT staff in UM: 56
▶ 753 servers (incl. virtual)
▶ Approx. 5000 workstations (incl. MPCs)
▶ Locations
  – Foreign service (94 locations)
  – Home service (1 location)

Slide 4: Typical internal security measures
▶ Physical security
  – Access to server rooms
  – Network access (e.g. 802.1x)
▶ Patch management
  – Security updates
  – System updates
▶ Anti-virus
  – Daily updates
  – Handling of virus incidents
▶ Backup
  – Daily backup
  – Restore tests
▶ Log management
  – Collection of events
  – Analysis

Slide 5: Typical internal security measures (continued)
▶ Monitoring
  – Hardware
  – Software
▶ Logical access control and identity management
  – 2-factor (OTP token)
  – Rights management (FIM and AD)
▶ Training
  – Security awareness
▶ Ongoing control and follow-up

Slide 6: Focus on ...
CyberArk

Slide 7: CyberArk components (diagram)
Secure Digital Vault™ at the centre, with Master Policy, Enterprise Password Vault, Privileged Session Manager, Application Identity Manager, OnDemand Privileges Manager, Privileged Threat Analytics and Management Portal/Web Access around it. Integrations shown: UM Identity Management, Enterprise Directory and more, Ticketing Systems, Monitoring & SIEM, Applications. User groups shown: IT Personnel, External Vendors, Auditors, Developers & DBAs. Any device, any datacenter: on premise, hosted or in the cloud.

Slide 8: CyberArk at UM
▶ DNA scan
  – Periodic scan for changes in AD
▶ Password change
▶ Service accounts
  – Policies with and without automatic password change
▶ Privileged users
▶ Local administrator
▶ Envelope users
  – Passwords for accounts that are not managed by CyberArk
▶ Access control
  – Use of an account with a stated reason (Reason)
  – Use of an account with approval (Dual control)
  – Use of an account with 2-factor validation
▶ Integration with IdM (FIM)

Slide 9: CyberArk at UM (diagram)
1. Request workflow
2. Direct connection
Components: Vault, Portal, Policy Manager; IT users on one side, the Enterprise IT Environment on the other.
Managed accounts (System / User / Pass): Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN, Cisco enable. The passwords in the diagram are vault-generated random values (Oiue^$fgW, gviNa9%, Tojsd$5fh, y7qeF$1, X5$aq+p, lm7yT5w).

Slide 10: CyberArk at UM (network diagram)
Labels: Vault (HA Cluster), Intranet, Auditors, IT, Auditors/IT, several IT Environment segments, two DMZ segments.

Slide 11: Focus on ...
LogPoint

Slide 12: LogPoint: from a fragmented overview to a unified overview
Separate views of IPS, Firewall, Server Logs and Vulnerability Management are brought together into one overview.

Slide 13: LogPoint unified overview: log sources
Web cache & proxy logs, web server activity logs, switch logs, content management logs, IDS/IDP logs, router logs, VA scan logs, VPN logs, Windows logs, Windows domain logins, firewall logs, wireless access logs, Linux, Unix and Windows OS logs, database logs, client & file server logs, mainframe logs, SAN file access logs, VLAN access & control logs, DHCP logs, Oracle Financial logs.

Slide 14: LogPoint dashboards (screenshot)

Slide 15: LogPoint at UM
• Collection of logs from:
  – Domain Controller
  – File server
  – Exchange
  – CyberArk
  – Other central devices
• Unified overview of events across systems
  – Setup of search templates
  – Alarms on critical events
  – Reporting

Slide 16: Focus on ... PTA

Slide 17: Privileged Threat Analytics: Introduction
Privileged Threat Analytics registers abnormal privileged account behaviour. PTA detects and identifies irregularities as they happen by comparing current privileged activity with historical activity in real time. This makes it possible for an incident response team to react and avert the attack before serious damage is done.

Slide 18: Privileged Threat Analytics: Why?
▶ Identify advanced attacks in progress
  – Targeted analysis of privileged account activity
  – Alarms based on real-time data
▶ Better understanding of the current threat level
  – Real-time detection
  – Correlation of events
  – Classification of threats by severity
▶ Improve the effectiveness of the SIEM system
  – SIEM is centred on security issues reported from many sources; Privileged Threat Analytics is focused on identifying suspicious privileged user activity
  – Complementary to SIEM, not an alternative

Slide 19: Privileged Threat Analytics overview (diagram)

Slide 20: Privileged Threat Analytics dashboard (screenshot)

Slide 21: Privileged Threat Analytics at UM: Benefits
▶ Ability to detect and alert on malicious behaviour
  – Reduces the window of opportunity for the attacker
  – Enables a fast and precise response to stop attacks
▶ One solution for detecting both external and internal threats
▶ No dependence on signatures, sandboxing or other methods that require prior knowledge of the attack
▶ Adapts over time to changes in user behaviour
▶ Improves the effectiveness of the SIEM by focusing on the activity that really matters
  – Reduces false positives
▶ Pragmatic approach to analysis
  – The "right" data vs. "all" the data

Slide 22: Lessons learned
▶ Start small
▶ Think big and in coherent solutions
▶ Phased implementation with "many" small deliveries
▶ Use a live POC to uncover unknown and complex aspects
▶ Organisational implementation
  • Security is not sexy; it requires management backing
  • Dedicated system owner
  • Limited number of administrators
▶ Remember the exceptions

Slide 23: Questions?

Slide 24: Thank you for your attention
Bjørn Lysholm Jensen [email protected]
Ole Jepsen [email protected]

Slide 25: BACKUP slides

Slide 27: Automatically discover privileged accounts
Where do all the privileged and superuser accounts exist? Unix/Linux servers, VMware ESX/ESXi, Linux virtual images, Windows virtual images, Windows servers, Windows services, scheduled tasks, IIS pools, Windows desktops & laptops.

Slide 28: CyberArk at UM (workflow diagram)
1. Master/exception policy definition
2. Initial load & reset: automatic detection, bulk upload, manual
3. Request workflow: dual control, integration with ticketing systems, one-time passwords, exclusivity, groups
4. Direct connection to device
5. Auditor access
Actors in the diagram: Security/Risk Management (defines policy), IT (example request: access to Windows Administrator on prod.dom.us), Auditors (example request: view reports), the Enterprise IT Environment; components: Vault, Portal, Policy Manager.
Managed accounts (System / User / Pass): Unix root, Oracle SYS, Windows Administrator, z/OS DB2ADMIN, Cisco enable. The diagram contrasts the accounts all sharing the password tops3cr3t with each account holding a distinct vault-generated value (gviNa9%, X5$aq+p, lm7yT5w, Oiue^$fgW, Tojsd$5fh, y7qeF$1).

Slide 29: Privileged Session Manager

Slide 30: Privileged Session Manager: control, isolate and monitor privileged activity
▶ Establish a single point of control for privileged sessions
▶ Isolate malware from the target system
▶ Monitor and record command-level activity
▶ Scalable, low-impact architecture

Slide 31: Privileged account security for remote vendors (diagram)
Labels: Remote Vendors, Firewall, HTTPS, Corporate Network, Vault, Windows Servers, UNIX Servers & DBs, Toad, Routers and Switches, IT/Auditors/Security Operations.

Slide 32: Application Identity Management

Slide 33: Eliminating hard-coded passwords
▪ Configuration files & databases: web config files, INI/text files, application databases, J2EE application servers, application servers; also in the registry, FTP credentials and more
▪ Service accounts: Windows services, IIS directory security, scheduled tasks, COM+, IIS application pools, registry (IIS for Windows® Server)
▪ Hard-coded, embedded credentials
▪ Third-party applications

Slide 34: CyberArk Application Identity Manager
Applications in the diagram: Accounts Receivable (WebSphere), CRM (WebLogic), Human Resources (IIS/.NET), Online Booking System, Legacy/Homegrown.
Before:
  UserName = "app"
  Password = "y7qeF$1"
  Host = "10.10.3.56"
  ConnectDatabase(Host, UserName, Password)
After:
  UserName = GetUserName()
  Password = GetPassword()
  Host = GetHost()
  ConnectDatabase(Host, UserName, Password)
▶ Secure and reset application credentials with no downtime or restart
▶ Secure local caching for business continuity and high performance
▶ Avoid code changes and overhead when an application password or machine address changes
▶ Strong authentication by: machine address, OS user, application path, signature/hash
Secure, manage and eliminate hard-coded privileged accounts from applications.

Slide 35: How does it work?
Collect: collecting privileged account activity. Ongoing profiling: profiling normal behaviour. Detect: detecting abnormal privileged account activity.

Slide 36: Privileged Threat Analytics dashboard (screenshot)

Slide 37: SIEM architecture (diagram, dated 24 September 2015)
Labels: Log Sources; CTAS Collectors (normalization); SIEM log servers (three shown) with Analysis, Correlate, Search, Data Enrichment, Active Response, Archive, Local CTAS, Reporting; Centralized Management of the SIEM servers; ESCM: Secure Multiuser Environment; outputs for Compliance, Security and Forensics; SAN-NAS storage; Custom.
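The request workflow from slides 8 and 28 (stated reason, dual control, 2-factor validation, exclusivity, one-time passwords) as an added Python model. This is example code, not CyberArk's or UM's implementation; the class and method names are assumptions, and the audit rows are the kind of events slide 15 says are forwarded to LogPoint.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ManagedAccount:
    name: str
    dual_control: bool = False   # a second person must approve each request
    two_factor: bool = False     # requester must have passed 2-factor validation
    password: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    checked_out_by: str = ""     # exclusivity: at most one user holds the account

class Vault:
    """Assumed model of the vault's checkout workflow (not the product's API)."""
    def __init__(self):
        self.accounts = {}   # name -> ManagedAccount
        self.pending = {}    # name -> (requester, reason) awaiting dual-control approval
        self.audit = []      # (event, user, account, reason) rows to forward to the SIEM

    def request(self, user, name, reason, otp_ok=False):
        acct = self.accounts[name]
        if not reason.strip():
            raise PermissionError("a reason is required")
        if acct.two_factor and not otp_ok:
            raise PermissionError("2-factor validation required")
        if acct.checked_out_by and acct.checked_out_by != user:
            raise PermissionError(f"exclusive: checked out by {acct.checked_out_by}")
        self.audit.append(("request", user, name, reason))
        if acct.dual_control:
            self.pending[name] = (user, reason)
            return None                      # password withheld until approved
        return self._checkout(user, acct)

    def approve(self, approver, name):
        user, reason = self.pending[name]
        if approver == user:
            raise PermissionError("dual control: approver must differ from requester")
        del self.pending[name]
        self.audit.append(("approve", approver, name, reason))
        return self._checkout(user, self.accounts[name])

    def _checkout(self, user, acct):
        acct.checked_out_by = user
        self.audit.append(("checkout", user, acct.name, ""))
        return acct.password

    def checkin(self, user, name):
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PermissionError("account is not checked out by this user")
        acct.checked_out_by = ""
        acct.password = secrets.token_urlsafe(12)   # one-time password: rotate on check-in
        self.audit.append(("checkin", user, name, ""))
```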
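The before/after on slide 34 worked through as an added Python example. It is not CyberArk's AIM API: the provider class, the fingerprint fields (modelled on the slide's "strong authentication by" list) and the sample machine address, OS user and path are assumptions; the values app, y7qeF$1 and 10.10.3.56 are the slide's own.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class AppFingerprint:
    machine: str    # address of the host the application runs on
    os_user: str    # OS account the process runs as
    path: str       # path of the application binary
    sha256: str     # hash of that binary's content

def fingerprint(machine, os_user, path, exe_bytes):
    return AppFingerprint(machine, os_user, path, hashlib.sha256(exe_bytes).hexdigest())

class AppIdentityProvider:
    """Toy stand-in for an application identity service (assumed names, not CyberArk's API)."""
    def __init__(self):
        self.registered = {}   # app_id -> fingerprint allowed to fetch the credential
        self.secrets = {}      # app_id -> (host, username, password) kept in the vault
        self.cache = {}        # app_id -> last credential handed out (business continuity)
        self.vault_online = True

    def register(self, app_id, fp, host, username, password):
        self.registered[app_id] = fp
        self.secrets[app_id] = (host, username, password)

    def rotate(self, app_id, new_password):
        host, username, _ = self.secrets[app_id]   # app keeps running; next fetch sees it
        self.secrets[app_id] = (host, username, new_password)

    def get_credentials(self, app_id, fp):
        if self.registered.get(app_id) != fp:
            raise PermissionError(f"{app_id}: caller fingerprint not authorised")
        if not self.vault_online:
            if app_id in self.cache:
                return self.cache[app_id]
            raise ConnectionError("vault unreachable and nothing cached")
        self.cache[app_id] = self.secrets[app_id]
        return self.cache[app_id]

def connect_database_hardcoded():
    """'Before' (slide 34, left): the secret lives in the source and in every copy of it."""
    username, password, host = "app", "y7qeF$1", "10.10.3.56"
    return {"host": host, "user": username, "password": password}

def connect_database(provider, app_id, fp):
    """'After': GetHost()/GetUserName()/GetPassword() collapse into one authenticated lookup."""
    host, username, password = provider.get_credentials(app_id, fp)
    return {"host": host, "user": username, "password": password}
```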
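The collect / profile / detect loop of slides 17 and 35, with the severity classification of slide 18 and the "adapts over time" point of slide 21, as an added Python example run over constructed log lines. This is not PTA's actual algorithm; the log format, the account and host names and the two baseline features (hosts and hours of day) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of privileged-account logons (not real UM data); the format is assumed.
HISTORY = """\
2015-09-07T08:05:00 account=adm-bjorn host=dc01 action=logon
2015-09-07T09:40:00 account=adm-bjorn host=fs01 action=logon
2015-09-08T08:15:00 account=adm-bjorn host=dc01 action=logon
2015-09-08T16:30:00 account=adm-bjorn host=fs01 action=logon
2015-09-07T02:00:00 account=svc-backup host=fs01 action=logon
2015-09-08T02:00:00 account=svc-backup host=fs01 action=logon
""".splitlines()

def parse(line):
    """Collect: turn one 'timestamp key=value ...' log line into an event dict."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["time"] = datetime.fromisoformat(ts)
    return ev

def profile(lines):
    """Ongoing profiling: for each account, which hosts and which hours of day are normal."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        base[ev["account"]]["hosts"].add(ev["host"])
        base[ev["account"]]["hours"].add(ev["time"].hour)
    return base

def detect(base, line):
    """Detect: compare one current event with the account's history; return (severity, reasons)."""
    ev = parse(line)
    prof = base.get(ev["account"])
    if prof is None:
        return "high", ["privileged account never seen before"]
    reasons = []
    if ev["host"] not in prof["hosts"]:
        reasons.append(f"first access to {ev['host']}")
    if ev["time"].hour not in prof["hours"]:
        reasons.append(f"unusual hour {ev['time'].hour:02d}:00")
    severity = {0: "none", 1: "medium", 2: "high"}[len(reasons)]
    return severity, reasons

def accept(base, line):
    """Adapt over time: once the IR team confirms an alert as legitimate, fold it into the baseline."""
    ev = parse(line)
    base[ev["account"]]["hosts"].add(ev["host"])
    base[ev["account"]]["hours"].add(ev["time"].hour)
```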