ArcSight IdentityView

ArcSight IdentityView is a user activity monitoring application built on the ArcSight SIEM platform. It monitors user activity across all accounts, applications, and systems. This enables organizations to understand who is on the network, what data they see, and which actions they take with that data. The result is greater security, better access governance, and faster forensic investigations.

Technologies demonstrated: HP's Security Management Solution


Page 1: ArcSight IdentityView

MODERN INSIDER THREAT DETECTION

Gab Gennai, Senior Technology Consultant

ArcSight IdentityView – In a nutshell

Page 2: ArcSight IdentityView

THE MORE THINGS CHANGE…

www.arcsight.com

Old School: Butch Cassidy and the Sundance Kid

– Breach: Break into the building
– Privilege Escalation: Open the safe
– Monetise: Leave with the cash

New School: RBS WorldPay

– Breach: Hack Perimeter Security
– Privilege Escalation: Access Debit Card System
– Monetise: ATM Network Fraud

Page 3: ArcSight IdentityView

RBS WORLD PAY

3 Chances to detect the fraud

– Perimeter (SQL Injection, Database Activity, Transaction Analysis)

Page 4: ArcSight IdentityView

Comprehensive View of Business Risk

ENTERPRISE THREAT AND RISK MANAGEMENT:

FW, IDS, AV, Proxy, VA
Internal Apps, DB, DLP, Email, Web, Badge
Customer Transactions, Web Logs, Mainframe, CRM

Global Reporting by Lines of Business: Security Incidents, High Risk Users, Compromised Accounts

– Security: DoS, SQL Injection, Malware, External Threats
– Identity: Insider Threat, PII/IP Protection, Privileged Users, Internal Fraud
– Fraud: 1st and 3rd Party, Online Banking, AML, Trading

Page 5: ArcSight IdentityView

WHY IDENTITYVIEW

– PII Protection

– Data Theft

– Contractors

– Privileged User Monitoring

Swiss Banks' Achilles' Heel Is Workers Selling Data

Former Boeing engineer convicted of spying for China

Five IRS Employees Charged With Snooping on Tax Returns

Page 6: ArcSight IdentityView


ASSET CONTEXT + IDENTITY CONTEXT

ArcSight ESM / IdentityView

Network Devices, Servers, Mobile, Desktop, Security Devices, Physical Access, Apps, Databases, Identity Sources, Email

Contractor, DBA, HR User, Disgruntled, Developer, Notice Given, Former Employees, Privileged, New Hire, Classified

High-risk User Monitoring; Improved User Infrastructure; Activity Profiling

Identity Context: Oracle / SUN, IBM, CA, Active Directory, Custom

Asset Context: Asset Criticality, Business Impact, Vulnerability, Attack History

Page 7: ArcSight IdentityView


IDENTITY CORRELATION

– Correlate common identifiers such as email address, badge ID, phone extension
– Events occurring across devices identify users by different attributes
– Attribute the event to a unique “identity”, allowing correlation across any type of device

Identifiers: rjackson, 348924323, [email protected], ronaldj, rjackson_dba, 510-555-1212

Identity: Ronald Jackson
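The correlation step described on this slide, written out as an added example (not ArcSight code): an identity directory lists every identifier a person is known by, the directory is inverted into an identifier-to-identity index, and events from a badge reader, a domain controller, a database and a PBX, each naming the user by a different attribute, are attributed to one identity. The directory, the e-mail address and the events are constructed here; the other identifiers are the ones on the slide. An identifier claimed by two identity records is flagged as ambiguous rather than silently attributed, since a wrong attribution is worse than an unresolved event in an insider-threat investigation.

```python
from collections import defaultdict

# Constructed identity directory: one record per person, as an IdM feed
# (HR, Active Directory, badge system, phone directory) would supply it.
# The identifiers are the ones shown on the slide; the e-mail address is a
# constructed placeholder because the slide's address is not recoverable.
IDENTITY_DIRECTORY = {
    "Ronald Jackson": {
        "rjackson",              # Windows/AD login
        "ronaldj",               # legacy application account
        "rjackson_dba",          # database administrator account
        "348924323",             # badge ID
        "rjackson@example.com",  # e-mail (constructed)
        "510-555-1212",          # phone extension
    },
    "Katie Lee": {"katie", "klee@example.com", "348924400"},  # constructed
}

# Constructed events from different device types, each naming the user by
# a different attribute.
EVENTS = [
    {"device": "badge_reader", "attr": "badge_id",  "value": "348924323",            "action": "door_open"},
    {"device": "ad_dc",        "attr": "username",  "value": "rjackson",             "action": "logon"},
    {"device": "oracle_db",    "attr": "username",  "value": "rjackson_dba",         "action": "select_pii"},
    {"device": "mail_gateway", "attr": "sender",    "value": "rjackson@example.com", "action": "send_external"},
    {"device": "pbx",          "attr": "extension", "value": "510-555-1212",         "action": "outbound_call"},
    {"device": "ad_dc",        "attr": "username",  "value": "katie",                "action": "logon"},
    {"device": "vpn",          "attr": "username",  "value": "svc_backup",           "action": "logon"},
]


def build_index(directory):
    """Invert the directory: identifier -> set of identities that claim it.

    A set rather than a single name, so that an identifier shared by two
    identity records is detected instead of being attributed to whichever
    record happened to be loaded last.
    """
    index = defaultdict(set)
    for identity, identifiers in directory.items():
        for ident in identifiers:
            index[ident.lower()].add(identity)
    return index


def resolve(index, value):
    """Map one observed identifier to an identity name.

    Returns the name, "UNRESOLVED" when no record claims the identifier,
    or "AMBIGUOUS" when more than one record does.
    """
    owners = index.get(value.lower(), set())
    if not owners:
        return "UNRESOLVED"
    if len(owners) > 1:
        return "AMBIGUOUS"
    return next(iter(owners))


def attribute_events(events, directory=IDENTITY_DIRECTORY):
    """Attach a resolved identity to each event and group events per identity."""
    index = build_index(directory)
    per_identity = defaultdict(list)
    for ev in events:
        identity = resolve(index, ev["value"])
        per_identity[identity].append(f'{ev["device"]}:{ev["action"]}')
    return dict(per_identity)


if __name__ == "__main__":
    for identity, actions in attribute_events(EVENTS).items():
        print(f"{identity:15} {', '.join(actions)}")
```

Five events from five different device types collapse onto Ronald Jackson; the service account that no directory record claims stays in an UNRESOLVED bucket, which is itself worth a report, since unowned accounts are exactly the orphaned-account problem the later slides describe.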

Page 8: ArcSight IdentityView


PRIVILEGED (HIGH-RISK) USER MONITORING

Page 9: ArcSight IdentityView

INACTIVE CONTRACTOR ACCOUNT

Problem: Outsourced IT operations = hundreds of contractors managing critical applications

– Contracts end early
– Orphaned accounts
– Manual de-provisioning process, based on sponsor

Active Identities List (Expiration: 2 Weeks)

Account    Last Used
randalla   3.13.09 3:35:37
rjackson   3.13.09 3:32:45
richardS   2.2.09 3:33:33

ArcSight ESM: Update Active Accounts

[02.16.09 3:33:33] Account Expired richardS

Login Success: richardS

Alert Fired • Inactive Contractor Account Detected
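The detection on this slide, as an added example rather than ArcSight content: an active identities list keyed by account keeps the last successful login, a scheduled sweep marks accounts whose last login is older than the two-week expiry, and a login by an already-expired account fires the alert. The first three logins are the slide's table rows; the final richardS login and the source addresses are constructed so that the alert path actually executes.

```python
from datetime import datetime, timedelta

EXPIRY = timedelta(days=14)  # the slide's "Expiration: 2 Weeks"

# Constructed login stream (timestamp, account, source IP).  The first
# three are the slide's Active Identities List rows; the last is a
# constructed later login by richardS, the event the slide shows alerting.
LOGINS = [
    ("2009-02-02 03:33:33", "richardS", "10.10.10.44"),
    ("2009-03-13 03:32:45", "rjackson", "10.10.10.12"),
    ("2009-03-13 03:35:37", "randalla", "10.10.10.17"),
    ("2009-03-20 09:12:05", "richardS", "203.0.113.9"),  # constructed
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sweep_expired(last_used, as_of):
    """Scheduled sweep: accounts whose last login is older than EXPIRY.

    Returns (expiry_time, account) pairs, the data behind the slide's
    '[02.16.09 3:33:33] Account Expired richardS' record: the expiry time
    is the moment the two-week window closed, not the sweep time.
    """
    expired = []
    for account, seen in sorted(last_used.items()):
        deadline = seen + EXPIRY
        if as_of >= deadline:
            expired.append((deadline, account))
    return expired


def process_logins(logins, expiry=EXPIRY):
    """Maintain the active identities list and alert on expired-account logins.

    Returns (alerts, last_used).  An alert fires when an account logs in
    more than `expiry` after its previous login.  An account never seen
    before is recorded but not alerted here; first-use of an unknown
    account is a separate control.
    """
    last_used = {}
    alerts = []
    for ts, account, src_ip in logins:
        now = parse_ts(ts)
        seen = last_used.get(account)
        if seen is not None and now - seen > expiry:
            alerts.append({
                "rule": "Inactive Contractor Account Detected",
                "account": account,
                "expired_at": seen + expiry,
                "login_at": now,
                "src_ip": src_ip,
            })
        last_used[account] = now  # the slide's "Update Active Accounts"
    return alerts, last_used


if __name__ == "__main__":
    _, active = process_logins(LOGINS[:3])
    for deadline, account in sweep_expired(active, parse_ts("2009-03-13 04:00:00")):
        print(f"[{deadline:%m.%d.%y %H:%M:%S}] Account Expired {account}")
    alerts, _ = process_logins(LOGINS)
    for a in alerts:
        print(f'Alert Fired: {a["rule"]} account={a["account"]} '
              f'expired={a["expired_at"]:%m.%d.%y} login={a["login_at"]:%m.%d.%y %H:%M:%S} '
              f'src={a["src_ip"]}')
```

The sweep and the login check are deliberately separate: the sweep produces the audit record that an account should have been de-provisioned, and the login check produces the actionable alert that nobody did so. Both derive from the same last-used table, so the rule needs no feed from the IdM system beyond the login events themselves, which is the point of the slide's "manual de-provisioning" problem statement.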

Page 10: ArcSight IdentityView


PROBLEM: SHARED USER ACCOUNT ATTRIBUTION

Problem: My auditor requires a report of all admin activity in my

– Legacy applications
– Shared privileged (admin) accounts
– No way to tie to actual user

Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin → ?

Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin → ?

Page 11: ArcSight IdentityView

SOLUTION: SHARED USER ACCOUNT ATTRIBUTION

IP Address      Identity
10.12.23.7      haroldr
10.12.23.23     czfb12
10.12.22.35     bobc
192.168.10.6    katie
10.10.10.10     jimmyj

Application Access: Source: 10.10.10.10
[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

Application Access: Source: 192.168.10.6
[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

ArcSight ESM: Check Identity Sessions
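The "Check Identity Sessions" step, as an added example that is not ArcSight code: the application's login lines for the shared fmadmin account are parsed, and each is joined to an identity-session table by source address and time. The IP-to-identity pairs are the slide's table; the session start and end times, the second holder of 10.10.10.10 and the third log line are constructed. The time bound is the practitioner's caveat: an address by itself is not an identity once DHCP or NAT hands it to someone else, so the join must be against a session that was open at the moment of the login, and a login that no session covers is reported as "?" rather than guessed.

```python
import re
from datetime import datetime

# Constructed identity-session table, as a VPN, NAC, DHCP or AD logon feed
# would supply it: who held which address, and when.  The IP-to-user pairs
# are the slide's table; the times and the later re-use of 10.10.10.10 by a
# second user are constructed.  end=None means the session is still open.
IDENTITY_SESSIONS = [
    # (ip, identity, session_start, session_end)
    ("10.12.23.7",   "haroldr", "2009-02-05 08:00:00", None),
    ("10.12.23.23",  "czfb12",  "2009-02-05 08:05:00", None),
    ("10.12.22.35",  "bobc",    "2009-02-05 08:10:00", "2009-02-05 12:00:00"),
    ("192.168.10.6", "katie",   "2009-02-05 09:30:00", None),
    ("10.10.10.10",  "jimmyj",  "2009-02-05 09:58:00", "2009-02-05 17:00:00"),
    ("10.10.10.10",  "bobc",    "2009-02-05 17:30:00", None),  # address re-used
]

# The slide's two application log lines plus a constructed third one whose
# source address has no open session at login time.
APP_LOGINS = [
    "[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin",
    "[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin",
    "[02.5.2009 12:45:00] Login Success 10.12.22.35 fmadmin",  # constructed
]

LOG_RE = re.compile(r"^\[(\S+) (\S+)\] Login Success (\S+) (\S+)$")


def parse_login(line):
    """Parse one application log line into (timestamp, source IP, account)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    date, time, ip, account = m.groups()
    ts = datetime.strptime(f"{date} {time}", "%m.%d.%Y %H:%M:%S")
    return ts, ip, account


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def lookup_session(ip, at, sessions=IDENTITY_SESSIONS):
    """Return the identities whose session on `ip` was open at time `at`."""
    holders = []
    for s_ip, identity, start, end in sessions:
        if s_ip != ip:
            continue
        if _ts(start) <= at and (end is None or at <= _ts(end)):
            holders.append(identity)
    return holders


def attribute_shared_logins(lines, sessions=IDENTITY_SESSIONS):
    """Attribute each shared-account login to the person behind the source IP.

    Returns (timestamp, account, ip, identity) tuples, where identity is
    "?" when no session covers the login time and "AMBIGUOUS" when two
    overlapping sessions claim the address.
    """
    out = []
    for line in lines:
        ts, ip, account = parse_login(line)
        holders = lookup_session(ip, ts, sessions)
        if len(holders) == 1:
            who = holders[0]
        elif not holders:
            who = "?"
        else:
            who = "AMBIGUOUS"
        out.append((ts, account, ip, who))
    return out


if __name__ == "__main__":
    for ts, account, ip, who in attribute_shared_logins(APP_LOGINS):
        print(f"[{ts:%m.%d.%Y %H:%M:%S}] {account} from {ip} -> {who}")
```

The first two lines resolve to jimmyj and katie, the answer the slide's table gives; the constructed third line falls after bobc's session on 10.12.22.35 closed and stays unattributed, which is the correct output for the auditor's report rather than a stale mapping.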

Page 12: ArcSight IdentityView

IDENTITYVIEW: PRIVILEGED USER MONITORING

IdentityView Key Features:

• Correlates IP addresses with user identity, across accounts
• Compares user activity to roles and rights to detect violations
• Profiles user behavior based on historical patterns
• Complete visibility
  – Privileged or sensitive (high-risk) user monitoring
  – Extend monitoring beyond the identity management system
  – Activity profiling

IdentityView Gives You:

• Enhanced visibility of all activities and processes
• Improved control of your network, with less cost
• Increased compliance from comprehensive activity reporting

Page 13: ArcSight IdentityView

NEXT STEPS

Visit: The Cloud System Feature

Engage: See the HP Rep at rear of clinic

Seek more: Request follow up via Eval Form

Re-Live: www.hp.com.au/taw11post

Page 14: ArcSight IdentityView

HP TECHNOLOGY@WORK 2011: THE INSTANT-ON ENTERPRISE IS HERE

QUESTIONS?
