Page 1: ArcSight IdentityView

MODERN INSIDER THREAT DETECTION

Gab Gennai, Senior Technology Consultant

ArcSight IdentityView – In a nutshell

Page 2: ArcSight IdentityView

THE MORE THINGS CHANGE…

www.arcsight.com

Old School: Butch Cassidy and the Sundance Kid

– Breach: Break into the building

– Privilege Escalation: Open the safe

– Monetise: Leave with the cash

New School: RBS World Pay

– Breach: Hack Perimeter Security

– Privilege Escalation: Access Debit Card System

– Monetise: ATM Network Fraud

Page 3: ArcSight IdentityView

RBS WORLD PAY

3 Chances to detect the fraud:

– Perimeter (SQL Injection)

– Database Activity

– Transaction Analysis

Page 4: ArcSight IdentityView

Comprehensive View of Business Risk

ENTERPRISE THREAT AND RISK MANAGEMENT:

FW, IDS, AV, Proxy, VA

Internal Apps, DB, DLP, Email, Web, Badge

Customer Transactions, Web Logs,

Mainframe, CRM

Global Reporting by Lines of Business

Security Incidents / High Risk Users / Compromised Accounts

Security: DoS, SQL Injection, Malware, External Threats

Identity: Insider Threat, PII/IP Protection, Privileged Users, Internal Fraud

Fraud: 1st and 3rd Party, Online Banking, AML, Trading

Page 5: ArcSight IdentityView

WHY IDENTITYVIEW

– PII Protection

– Data Theft

– Contractors

– Privileged User Monitoring

Swiss Banks Achilles Heel Is Workers Selling Data

Former Boeing engineer convicted of spying for China

Five IRS Employees Charged With Snooping on Tax Returns

Page 6: ArcSight IdentityView

ASSET CONTEXT + IDENTITY CONTEXT

ArcSight ESM / IdentityView

Event sources: Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

User types: Contractor, DBA, HR User, Disgruntled, Developer, Notice Given, Former Employees, Privileged, New Hire, Classified

High-risk User Monitoring; Improved User Infrastructure; Activity Profiling

Identity Context: Oracle / SUN, IBM, CA, Active Directory, Custom

Asset Context: Asset Criticality, Business Impact, Vulnerability, Attack History

Page 7: ArcSight IdentityView

IDENTITY CORRELATION

– Correlate common identifiers such as email address, badge ID, phone extension

– Events occurring across devices that identify users by different attributes

– Attribute the event to a unique “identity” allowing correlation across any type of device

Identifiers: rjackson, 348924323, [email protected], ronaldj, rjackson_dba, 510-555-1212

Identity: Ronald Jackson
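The correlation step the slide sketches, as an added example that is not ArcSight code and does not use any IdentityView API: a resolver indexes every known identifier of a person (account names, badge ID, e-mail, extension) under one identity, and events from devices that each name the user differently are attributed to that identity. The identifiers are the slide's "Ronald Jackson" set; the e-mail address is a constructed placeholder because the slide's own is obscured, and the device schema and sample events are constructed.

```python
"""Identity correlation: attribute events that name a user differently to one identity."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed identity record built from the slide's "Ronald Jackson" example.
# The e-mail address is a placeholder; the slide's own address is obscured.
RONALD_JACKSON = {
    "display_name": "Ronald Jackson",
    "identifiers": [
        "rjackson",              # primary account
        "348924323",             # badge ID
        "rjackson@example.com",  # e-mail (constructed placeholder)
        "ronaldj",               # legacy account
        "rjackson_dba",          # privileged database account
        "510-555-1212",          # phone extension
    ],
}


def normalise(identifier: str) -> str:
    """Canonical form so one identifier matches however a device writes it.

    Purely numeric identifiers (badge IDs, phone numbers) are reduced to their
    digits, so "510-555-1212" and "(510) 555 1212" compare equal; everything
    else is lower-cased and stripped (treating user names and e-mail as
    case-insensitive is an assumption of this example).
    """
    text = identifier.strip().lower()
    if text and not any(ch.isalpha() for ch in text):
        return "".join(ch for ch in text if ch.isdigit())
    return text


class IdentityResolver:
    """Index from normalised identifier to the identity that owns it."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}

    def register(self, display_name: str, identifiers: Iterable[str]) -> None:
        for ident in identifiers:
            key = normalise(ident)
            owner = self._owner.get(key)
            if owner is not None and owner != display_name:
                # A badge or extension claimed by two people would silently
                # mis-attribute events; refuse it so the data gets fixed.
                raise ValueError(f"{ident!r} already belongs to {owner}")
            self._owner[key] = display_name

    def resolve(self, identifier: str) -> Optional[str]:
        return self._owner.get(normalise(identifier))


# Which field carries the user in each device's events (constructed schema).
USER_FIELD = {
    "badge_reader": "badge_id",
    "mail_gateway": "sender",
    "database": "db_user",
    "pbx": "extension",
    "vpn": "username",
}

# Constructed events from five device types; the first five are one person's.
SAMPLE_EVENTS = [
    {"source": "badge_reader", "badge_id": "348924323", "door": "DC-1"},
    {"source": "vpn", "username": "RJackson", "action": "connect"},
    {"source": "mail_gateway", "sender": "RJackson@Example.com", "subject": "q1 report"},
    {"source": "database", "db_user": "rjackson_dba", "statement": "SELECT ..."},
    {"source": "pbx", "extension": "(510) 555-1212", "dialled": "411"},
    {"source": "vpn", "username": "svc_backup", "action": "connect"},  # no identity on file
]


def attribute_events(resolver: IdentityResolver,
                     events: Iterable[dict]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (device, raw identifier, resolved identity or None) per event."""
    out = []
    for event in events:
        raw = event[USER_FIELD[event["source"]]]
        out.append((event["source"], raw, resolver.resolve(raw)))
    return out


def build_resolver() -> IdentityResolver:
    resolver = IdentityResolver()
    resolver.register(RONALD_JACKSON["display_name"], RONALD_JACKSON["identifiers"])
    return resolver


if __name__ == "__main__":
    for device, raw, who in attribute_events(build_resolver(), SAMPLE_EVENTS):
        print(f"{device:12} {raw:24} -> {who or 'UNATTRIBUTED'}")
```

Events whose identifier is not on file stay unattributed rather than being guessed, and a second identity claiming an identifier already registered is rejected: both are the cases that would otherwise produce a wrong name on a high-risk user report.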

Page 8: ArcSight IdentityView


PRIVILEGED (HIGH-RISK) USER MONITORING

Page 9: ArcSight IdentityView

INACTIVE CONTRACTOR ACCOUNT

Problem: Outsourced IT operations = Hundreds of contractors managing critical applications

– Contracts end early

– Orphaned accounts

– Manual de-provisioning process – based on sponsor

Active Identities List (Expiration: 2 Weeks)

Account | Last Used

richardS | 2.2.09 3:33:33

rjackson | 3.13.09 3:32:45

randalla | 3.13.09 3:35:37

ArcSight ESM: Update Active Accounts

[02.16.09 3:33:33] Account Expired richardS

Login Success: richardS

Alert Fired • Inactive Contractor Account Detected
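The detection on this slide, as an added example that is not ArcSight's implementation: an active-identities list keyed by account with a last-used timestamp, a sweep that expires anything unused for two weeks and records an "Account Expired" event, and an alert when an expired (or never-listed) account logs in afterwards. richardS's last-used time and the expiry timestamp are the slide's; the other contractors' timestamps and the login times are constructed.

```python
"""Inactive contractor account detection: an Active Identities list with a
two-week expiration, plus the alert on a login after expiry."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EXPIRATION = timedelta(weeks=2)  # "Active Identities List Expiration 2 Weeks"
TS_FORMAT = "%m.%d.%y %H:%M:%S"  # the slide's "2.2.09 3:33:33" style


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


class ActiveIdentitiesList:
    """Tracks when each contractor account was last used, expires stale ones,
    and alerts when an expired account logs in again."""

    def __init__(self, expiration: timedelta = EXPIRATION) -> None:
        self.expiration = expiration
        self.last_used: Dict[str, datetime] = {}
        self.expired: Dict[str, datetime] = {}  # account -> when it expired
        self.events: List[str] = []             # what the SIEM would store

    def seed(self, last_used: Dict[str, str]) -> None:
        """Initial list state, e.g. loaded from an identity source."""
        for account, text in last_used.items():
            self.last_used[account] = parse_ts(text)

    def sweep(self, now: datetime) -> List[str]:
        """Scheduled update of the active list: expire accounts unused for
        `expiration` or longer and emit an 'Account Expired' event for each."""
        expired_now = []
        for account, seen in list(self.last_used.items()):
            if now - seen >= self.expiration:
                del self.last_used[account]
                self.expired[account] = now
                self.events.append(f"[{now.strftime(TS_FORMAT)}] Account Expired {account}")
                expired_now.append(account)
        return expired_now

    def record_login(self, account: str, when: datetime) -> Optional[str]:
        """Process a 'Login Success' for a contractor account.

        Returns alert text if the account had expired, was never on the list,
        or is stale but the sweep has not run yet; otherwise refreshes the
        last-used time and returns None."""
        stamp = when.strftime(TS_FORMAT)
        alert = None
        if account in self.expired:
            alert = (f"[{stamp}] Alert Fired: Inactive Contractor Account Detected "
                     f"{account} (expired {self.expired[account].strftime(TS_FORMAT)})")
        elif account not in self.last_used:
            alert = f"[{stamp}] Alert Fired: Contractor account {account} not on Active Identities list"
        elif when - self.last_used[account] >= self.expiration:
            # Stale but not yet swept: treat it exactly like an expired account.
            last = self.last_used.pop(account)
            self.expired[account] = when
            alert = (f"[{stamp}] Alert Fired: Inactive Contractor Account Detected "
                     f"{account} (last used {last.strftime(TS_FORMAT)})")
        if alert:
            self.events.append(alert)   # an alerting login does not re-activate the account
        else:
            self.last_used[account] = when
        return alert


def demo() -> List[str]:
    """Replay the slide's scenario; returns the events the list produced."""
    acl = ActiveIdentitiesList()
    # Constructed snapshot: richardS's timestamp is the slide's, the others are made up.
    acl.seed({"richardS": "2.2.09 3:33:33",
              "rjackson": "2.14.09 3:32:45",
              "randalla": "2.14.09 3:35:37"})
    acl.sweep(parse_ts("2.16.09 3:33:33"))                    # richardS is exactly two weeks stale
    acl.record_login("rjackson", parse_ts("2.17.09 9:02:11"))  # active contractor: no alert
    acl.record_login("richardS", parse_ts("2.17.09 9:15:40"))  # orphaned account in use: alert
    return acl.events


if __name__ == "__main__":
    print("\n".join(demo()))
```

The list is only as good as the feeds that refresh it: if a contractor's application does not send login events, the account will expire while still in legitimate use, so the expiration period should be set against the real login cadence of each monitored system.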

Page 10: ArcSight IdentityView

PROBLEM: SHARED USER ACCOUNT ATTRIBUTION

Problem: My auditor requires a report of all admin activity in my

– Legacy applications

– Shared privileged (admin) accounts

– No way to tie to actual user

Application Access: Source: 10.10.10.10

[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

Actual user: ?

Application Access: Source: 192.168.10.6

[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

Actual user: ?

Page 11: ArcSight IdentityView

SOLUTION: SHARED USER ACCOUNT ATTRIBUTION

Identity sessions (IP Address → Identity):

10.12.23.7 → haroldr

10.12.23.23 → czfb12

10.12.22.35 → bobc

192.168.10.6 → katie

10.10.10.10 → jimmyj

Application Access: Source: 10.10.10.10

[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

ArcSight ESM: Check Identity Sessions → jimmyj

Application Access: Source: 192.168.10.6

[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

ArcSight ESM: Check Identity Sessions → katie
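The "Check Identity Sessions" lookup, as an added example that is not ArcSight code: each shared-account login line is parsed, and the source IP and event time are joined against a session table (who was logged on to that address, from when to when) to name the actual user for the audit report. The two login lines and the IP-to-identity pairs are the slide's; session start and end times, the third login line and the account list are constructed. It goes slightly beyond the slide by making sessions time-bounded, so an address reused after its session ended is reported as unattributed instead of being pinned on the previous user.

```python
"""Shared account attribution: join 'Login Success' events for a shared admin
account to the identity-session table by source IP and event time."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

LOGIN_RE = re.compile(
    r"^\[(?P<ts>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2})\] Login Success "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<account>\S+)$"
)
TS_FORMAT = "%m.%d.%Y %H:%M:%S"  # the slide's "[02.5.2009 10:33:46]" style
SHARED_ACCOUNTS = {"fmadmin"}    # constructed: accounts that name no person on their own


@dataclass
class IdentitySession:
    """One person's session on one IP, as seen by VPN/directory/NAC logons (constructed)."""
    ip: str
    identity: str
    start: datetime
    end: Optional[datetime] = None  # None = still active

    def covers(self, ip: str, when: datetime) -> bool:
        return self.ip == ip and self.start <= when and (self.end is None or when < self.end)


def ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


def parse_login(line: str) -> Dict[str, object]:
    m = LOGIN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised login line: {line!r}")
    return {"ts": ts(m["ts"]), "ip": m["ip"], "account": m["account"]}


def attribute(line: str, sessions: List[IdentitySession]) -> Dict[str, object]:
    """Resolve who was on the source IP when the account logged in.

    Picks the session with the latest start that covers the event time, so a
    re-assigned DHCP lease or hot-desk workstation attributes to the person
    actually logged on then, not to whoever used the address earlier."""
    ev = parse_login(line)
    ev["shared"] = ev["account"] in SHARED_ACCOUNTS
    candidates = [s for s in sessions if s.covers(ev["ip"], ev["ts"])]
    ev["identity"] = max(candidates, key=lambda s: s.start).identity if candidates else None
    return ev


# Constructed session table using the slide's IP-to-identity pairs; times are made up.
SESSIONS = [
    IdentitySession("10.12.23.7", "haroldr", ts("02.5.2009 08:00:00")),
    IdentitySession("10.12.23.23", "czfb12", ts("02.5.2009 08:05:00")),
    IdentitySession("10.12.22.35", "bobc", ts("02.5.2009 08:30:00"), ts("02.5.2009 09:00:00")),
    IdentitySession("192.168.10.6", "katie", ts("02.5.2009 09:12:00")),
    IdentitySession("10.10.10.10", "jimmyj", ts("02.5.2009 10:01:00")),
]

# The slide's two events plus a constructed third whose session had already ended.
LOGIN_LINES = [
    "[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin",
    "[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin",
    "[02.5.2009 11:40:02] Login Success 10.12.22.35 fmadmin",
]


def admin_activity_report(lines: List[str], sessions: List[IdentitySession]) -> List[str]:
    """Audit rows for shared-account logins: the real user, or UNATTRIBUTED."""
    rows = []
    for line in lines:
        ev = attribute(line, sessions)
        if ev["shared"]:
            rows.append(f"{ev['ts']:%Y-%m-%d %H:%M:%S} {ev['account']} from {ev['ip']} -> "
                        f"{ev['identity'] or 'UNATTRIBUTED'}")
    return rows


if __name__ == "__main__":
    print("\n".join(admin_activity_report(LOGIN_LINES, SESSIONS)))
```

An unattributed row is itself a finding for the auditor: either the session feed has a gap, or the shared account was used from an address with no logged-on person behind it, which is exactly the case the slide's "?" marks.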

Page 12: ArcSight IdentityView

IDENTITYVIEW: PRIVILEGED USER MONITORING

IdentityView Key Features:

• Correlates IP addresses with user identity, across accounts

• Compares user activity to roles and rights to detect violations

• Profiles user behavior based on historical patterns

• Complete visibility

– Privileged or sensitive (high-risk) user monitoring

– Extend monitoring beyond identity management system

– Activity profiling

IdentityView Gives You:

• Enhanced visibility of all activities and processes

• Improved control of your network, with less cost

• Increased compliance from comprehensive activity reporting

Page 13: ArcSight IdentityView

NEXT STEPS

Visit: The Cloud System Feature

Engage: See the HP Rep at rear of clinic

Seek more: Request follow up via Eval Form

Re-Live: www.hp.com.au/taw11post

Page 14: ArcSight IdentityView

HP TECHNOLOGY@WORK 2011 – THE INSTANT-ON ENTERPRISE IS HERE

QUESTIONS?
