Business Overview
Client is a global healthcare company that provides medical technologies and services for global healthcare customers. Headquartered in the United Kingdom, the company is a world leader in healthcare technologies and solutions.
Challenges
Privileged Account Monitoring
With over 4000 servers being used for various applications and processes, the company was unable to monitor activities carried out by high privileged accounts. With various security policies set in place, monitoring for privileged accounts and privileged account owners, there existed no technological solution within their existing security portfolio that would allow for data driven threat and risk assessments and monitoring of their infrastructure and sensitive information.
Data Egress of Classified Information
As a pioneer in the medical technologies space, the client has a large number of highly sensitive and proprietary design documents and sketches. Classified data specification is stored in the clients existing document management solution. These documents are stored in a common, central repository along with general unclassified documents. The security team was not able to identify users who may be downloading classified documents that do not meet their classification.
Rogue Access Privileges
Access Outlier Analysis
Detection of outlier access privileges held by user accounts, shared and service accounts using peer group comparison analytics.
Securonix was implemented to extract all privileged accounts and correlate them to identities through its identity analytics module. The system then ingested all entitlements for these accounts and identities, providing automated reports that show the access outliers in their environment allowing the security team to mitigate access risk by providing visibility into accounts where some access needed to be removed, certified or excluded.
Securonix Implementation Scope
Privileged Account Monitoring
Inactive Unix Account Cleanup
The client required an automated process that would detect inactivity of Unix accounts and flag for the suspension or removal of such accounts after a stated period of inactivity. Securonix was setup to detect inactivity of these accounts according to the customer’s policies and create alerts that would allow the security team to remove these accounts and privileges.
Service Account Monitoring
By policy, Windows Service Accounts are not allowed to perform interactive logon capability for a period of more than 14 days from the time they are provisioned. The client needed the ability to detect interactive logon activities that were happening past the set time frame and provide alerts on these activities.
Monitoring High Privileged Account Interactive Logins on Service Account
According to the customers policy, Windows Service Accounts are not allowed to perform interactive logon ability for a period of more than 14 days. The goal was to identify Unix and Windows non personal accounts as well as High Privileged Accounts with the ability to establish interactive logon sessions that are granted Administrative Access on servers that host critical systems or SOX L1 regulated applications and flag them for remediation.
Non Admin Accounts Present in Admin Groups
The client defined a goal to be able to identify Non ‘Admin’ accounts that are present in admin groups within the different directory services in the organization. According to the customer’s policy, users should never use their primary identity account present in admin or high privileged groups. Securonix Privileged Account Intelligence was used to detect such cases and flag them for remediation.
Terminated Users Access Privileges Cleanup
The objective was to create the capability to allow the customer to rapidly detect accounts and entitlements that are not deleted from the organizations directories within 48 hours of a user’s termination. Securonix was used to detect the termination flags in the company’s HR system and immediately identify events where employees were terminated while leaving their access entitlements intact.
Continuous Provisioning Control Violation
Detect accounts with privileged entitlements or accounts in privileged groups that are created directly on the Windows or Unix directory services thus circumventing the company’s IDM system. This was done by comparing account creation events to trace or evidence of creation in the IDM activity logs.
Smart Card Enforcement Violation
The client has strict rules and policies governing physical access through smart cards. The policy states that privileged accounts not having smart card authentication should not be seen logging in to systems. The capability was needed to detect such events and create the relevant flags and alerts.
Real time Fire call account Monitoring
Identify Fire call accounts that have been used on High Privileged Accounts on Windows/Unix Servers that do not show correlated check out activity in the vault(CyberArk).
Data Egress of Classified Information
- Real time behavior based analysis of document checkout of type of document from the document management system
- Real time fraud analysis to identify frequent checkout of a single document type
- Real time peer based activity analysis to identify users checking out documents not accessed by their peers
- Identify documents sent outside the customer’s environment after document downloaded from document management system – analysis using Palo Alto FireWall logs
- Identify documents sent out via a DLP egress point after it had been checked out from document management system having the same file name
- Identify document sent out via DLP egress point after it had been checked out from document management system depending on the file size of document checked out
- Monitor DLP egress activity after document type checkout from document management system
Rogue Access Privileges
Spread across the globe in over 100 countries with IT privileges spread across multiple Active Directory Domain Controllers, this healthcare solution provider is unable to identify the access privileges that are required by its employees and contractors to perform their duties. With a complex Active Directory that has multiple nesting of permission groups and privileges, it is difficult for them to identify and cleanup rogue access permissions associated with user accounts, service accounts and shared accounts.
Even though the client has a very mature information security practice, as well as corporate awareness, traditional tools that they were using could not provide the capabilities for detecting rogue access permissions, risk assignment to access permissions and assignment of an identity perspective to each risk associated to the organization.
Provide Privileged Group Data Owners With a Clear Certification Process
The objective was to allow corporate data and application owners from multiple domains in the company to log into Securonix in order to review high risk users and privileges. This was done on a complex environment using Active Directory Authentication transactions that were run across multiple domain controllers with no trusted connection between the different domains.
Business Impact
Privileged Account Monitoring
The organization now has the ability enforce all of their existing security policies and detect the riskiest violators of their security policies. The Securonix platform provides the customer with the ability to enforce security policies and take immediate action on violations as opposed to their previous manual quarterly process. Privileged account monitoring has allowed the customer to implement security policies and have effective monitoring controls to detect violators in real time for previously non existing policies. The Securonix solution also included detection and monitoring capabilities for new risk vectors in their infrastructure and critical applications.
Data Egress of Classified Information
The client now has the ability to monitor data egress of their classified information. By introducing a behavior and peer based analytics approach to analyze risk, the client is now able to monitor risk and detect advanced persistent threats as they evolve. The Securonix Investigation Workbench was configured to allow the security and forensics team to investigate events from different dimensions, allowing them to visualize and understand the true threat scape posed by Advanced Persistent Threats (APTs). By implementing behavioral and peer based approach to risks, the client has detected risky events and security violations on their classified data and were able to mitigate the threats before damage was incurred.
Rogue Access Cleanup
For the first time the client has the ability to provide the data owners with the identity of the riskiest access privileges present in the groups that they own. They have the ability to identify rogue access permissions held by user accounts and non-personal accounts. The client’s security team now has the ability to detect derived permission and unauthorized permissions held by user accounts and service accounts when they are in nested directory groups. By risk scoring the rogue access privileges, the client has the ability to prioritize access cleanup during their quarterly access certification process.
View the original content and more from this author here: http://ift.tt/1BYkDCJ
from cyber security caucus http://ift.tt/1GZTE94
via IFTTT
No comments:
Post a Comment