nowell shalom saas security platform

20
NOWELL 1 Shalom Insider Risk SaaS Security Platform August 2009

Post on 19-Oct-2014

663 views

Category:

Documents


0 download

DESCRIPTION

 

TRANSCRIPT

Page 1: Nowell Shalom SaaS Security Platform

NOWELL

1

Shalom Insider Risk SaaS Security Platform August 2009

Page 2: Nowell Shalom SaaS Security Platform

NOWELL

2

Executive Summary: Insider Risk Security Software-as-a-Service through Anomaly

Detection and Intelligent Authentication Nowell Shalom Security Platform is a cloud based information security software service that defeats Insider Threats from fraudulent insiders and impostors stealing information and committing fraud inside the corporate network. In summary it prevents:

Insider Threats

Identity Theft and Identity Phishing

Internal Fraud

Shalom Security Platform looks out for suspicious activity by computer users, which is always a key indicator of a possible insider security breach [Anomaly Detection]. If a user exhibits suspicious behavior, they are reported and questioned for identity verification [Authentication]. Users who authenticate successfully, by providing correct answers are granted access, however those who fail to do so are immediately denied access across the network. Shalom can be configured to only monitor for suspicious insider activity providing reports to serve as an effective starting point for internal audit. With Shalom, fraudulent internals are detected and ID Theft intruders prevented. Shalom also helps meet regulations outlined by FFIEC InfoSec, Sarbanes-Oxley, Gramm Leach Bliley, VISA-CISP, FISMA, NIST 800-53, BASEL II, HIPAA and others. Shalom helps to strictly enforce existing information security policies.

Page 3: Nowell Shalom SaaS Security Platform

NOWELL

3

The Problem: What Is the Insider Threat? What Is Computer Identity Theft? The Insider Threat refers to when internal associates of an organization use their access to information for the wrong reasons. Insider threats are very damaging because the internal employee has detailed insider knowledge about their organization, and they are many times trusted by their employers. Since the internal employee is granted such liberty to carry out their jobs, financial theft by fraudulent internals often results in financial losses that are very great. For example, in financial sectors, bad internals often try to steal money or transfer funds from finance accounts using methods specific to their organization. Other times, internals steal sensitive customer information and later use it for fraudulent purposes like Identity Theft. Internals may also choose to steal and divulge sensitive intellectual property, classified information or trade secrets to unauthorized 3

rd parties for profit.

Security industry statistics state that financial loss from insider threats is greater: 48.5% of financial losses from major business organizations are caused by theft from fraudulent insiders or employees

1.

External theft by outsiders results in 31.7%. This shows that losses from insider threats in many organizations are very significant

2.

Malicious internals often use the computer system to execute fraudulent activity. Shalom detects and helps prevent frivolous internals from stealing or misusing computer systems or corporate sensitive information. Nowell Shalom effectively contains the Insider Threat. Identity Theft or Identity Phishing is another big security problem facing organizations. Often thieves or computer hackers steal user logon information in order to gain access to computer systems. Hacker thieves steal identities: user names, smart card PIN#’S, and computer passwords in order to log into computer systems using stolen computer identities. Once logged in, the thief is under disguise, impersonating a legitimate user. Shalom has the ability to detect and prevent hackers who are logged in using stolen identities. Shalom helps to enhance the internal security posture of organizations. It helps to detect fraudulent insiders and intruders using stolen identities. Shalom detects suspicious or fraudulent user behavior inside computer systems. Security tools like Shalom help organizations reduce theft, fraud, and misuse of information systems by internals.

Dr. Peter Stephenson, Chief Technology Editor, SC Magazine Review: “"it can be a significant arrow in the insider threat protection quiver"

Mr. Earl Greer, Federal Computer Week Review “"… adds significant protection against insider threats, and it aids in complying with security regulations"

1

2

Page 4: Nowell Shalom SaaS Security Platform

NOWELL

4

Jean, Merchandise Logistics Analyst, plans to access customer bank account data from the database—without proper authorization.

Normally she does not need to access this data, it is beyond her job responsibility.

In executing plan, she accesses the database from a colleague’s workstation using her account at a very suspicious time 2 AM, on a Saturday.

She uses an unfamiliar client application to query the database.

Shalom detects this event because Jean is behaving very suspiciously—in a highly anomalous manner.

Shalom will report the suspicious occurrence, application and network access in real time.

Optionally, Shalom may authenticate.

Security Administrator receives an incident report, via the Security Console Manager stating that a user named Jean is behaving suspiciously, accessing a database, at an odd time and from an unusual workstation.

Administrator begins investigation into suspicious incident.

Potential Insider Threat by authorized user Jean was detected by Shalom.

Reduce Risks of Insider Threats and Internal Fraud

Page 5: Nowell Shalom SaaS Security Platform

NOWELL

5

Identity Theft and Phishing Prevention

Threats addressed: 1. Compromised accounts via stolen passwords and smart cards. 2. Intrusions by hackers impersonating legitimate insiders. 3. Anomalous user behavior is detected and reported.

Shalom Learns About Bill

Shalom Service Prevents An Intruder Using Bill’s Account

Shalom interviews Bill through dialogue.

Shalom also masters behavioral patterns specific to Bill.

An intruder steals Bill’s password and logs in.

Shalom detects suspicious behavior, very much unlike Bill.

Shalom authenticates intruder by questioning.

The intruder fails, so Shalom ejects the intruder and keeps him locked out site-wide.

Page 6: Nowell Shalom SaaS Security Platform

NOWELL

6

Reduce Insider Security Risk Profile

Threats Addressed:

1. Malicious insider activity and identity theft. 2. Enterprise is in compliance with security regulations:

VISA-CISP and GLB that call for security measures to protect customer financial data.

John Smith.

Comptroller, CPA accountant.

Top tier financial firm.

Tampers with customer records at the start of each quarter.

Abuses access rights to customer data.

John logs in at 2 a.m., on a Sunday, erratically looking up archived customer data.

Odd day, odd time, odd activity.

Shalom detects this suspicious behavior, quickly reports then questions for identity verification.

Pass or fail, incident is reported.

Administrator further investigates for unauthorized insider activity.

Insider threat contained.

Page 7: Nowell Shalom SaaS Security Platform

NOWELL

7

Financial Fraud Detection

Mr. Julian is a retail bank teller

Plans to commit wire fraud by transferring cash from bank systems to his personal bank account.

Friday, 8:21 p.m., Julian executes plan.

With a stolen bank manager’s account, he accesses the records and executes the electronic cash transfer.

Shalom detects suspicious behavior and silently reports him without any questioning or lock out.

8.22 p.m., Arthur the security analyst receives a report from Shalom about the anomalous activity.

A lead is generated for Arthur to investigate further.

Audit team closes out the internal wire fraud investigation

Threats addressed:

1. Insider fraud and accounting misconduct. 2. Illegally accessed computer accounts are found and reported. 3. Enterprise is SOX compliant with respect to internal controls to curb

insider fraud and ensure data integrity.

Page 8: Nowell Shalom SaaS Security Platform

NOWELL

8

Insider Risk SaaS Security Platform Suspicious behavior by authorized users is an indicator of internal security breaches. Malicious internals within an organization tend to exhibit very suspicious, unusual behavior on computer systems that raises red flags. Also, identity thieves also tend to behave in a manner that differs very much from the real, authentic user. For example, if a user is accessing information that he does not need to know about, that is an example of suspicious or anomalous behavior. Shalom has the ability to detect such unusual anomalies in user and host behavior and sees such deviations as suspicious. Shalom employs artificial intelligence to track suspicious behavior. Shalom client software is installed on each host on the network, with a hosted server that resides in the cloud

3 that helps manage the client software. The security platform is offered as a secure service over the

internet for ease of deployment, reduced costs, less complexity, security, and in support of globally interconnected and distributed information systems. In securing each computer, Shalom briefly interviews each user once, collecting personal information for later authentication. Next, it continuously learns computer behavior patterns for each user in the network. After a time period

4, each time a user logs on, Shalom looks out for suspicious behavior—

behavior that is very different from how the user normally behaves. If Shalom detects very suspicious behavior by a user:

It first reports their suspicious activity.

Shalom will ask the user few questions for authentication.

If the user answers correctly, they are granted access to the system, but they are still reported.

If the user fails, this indicates a potential security breach, so Shalom denies access to the user and reports to administrators immediately.

The Shalom hosted server logs all security incidents accessible using the Shalom Security Management Interface for further investigations.

Optionally, Shalom can be configured to only report suspicious insider activity without any authentication or lock out.

3 Cloud here refers to the general network. Nowell offers a comprehensive service in which Nowell

can host the server and server software at a secure collocated hosting environment. Other customers may

choose to host the server component within their own infrastructure. 4 Initial profiling lasts for about a week (40 hrs), but never stops.

Page 9: Nowell Shalom SaaS Security Platform
Page 10: Nowell Shalom SaaS Security Platform

First Shalom Interviews Each User – Authentication Enrollment

First, Shalom interviews each user, collecting personal information (e.g. “year of birth”, etc). This information is later used to authenticate users by questioning for identity verification if they behave suspiciously. Information collected varies from user to user, strengthening the security authentication.

When Shalom encounters each user, it prompts them to complete this one time interview.

Over a few minutes, users freely interact using their keyboard in an intelligent conversational style manner. Shalom learns various things specific to that user.

Shalom Looks Out For Highly Suspicious and Anomalous User Activity (Anomaly Detection)

Shalom profiles how users behave and constantly looks out for suspicious user activity. Shalom can detect when a user is behaving suspiciously or is logged in with someone else’s account by observing differences in their behavior. Shalom detects user anomalies with respect to what they do (applications launched, commands executed, user network activity, etc), where they do it from (host, geo-location), and when (day-type, time) they do it.

5

For example, consider Mark, an office assistant. Between 9 a.m. and 5.p.m., as part of his daily routine, he typically uses PowerPoint and Word to proof read financial reports for his boss. Now, if all of a sudden, Mark logs in at 1 a.m., runs an “ftp” command to copy files (which he has access to), such an unusual activity will be seen as suspicious and would trigger Shalom. Here’s another example. Let’s assume a user, Pete, always works with his laptop 5 days a week, M-F, excluding weekends. If all of a sudden, Pete appears to be working on Amy’s desktop, on a weekend, and at 3 a.m., such a drastic change in behavior would also trigger Shalom. Shalom also tracks anomalous network resource behavior by users. Let’s assume another user, Jason prints documents using his local office networked printer on a regular basis. If Jason is found to be printing documents using a printer located in another part of the office network, Shalom will be able to track that suspicious anomaly because he is sending data to a part of the network that he typically does not access on a regular basis. Finally, Shalom profiles the remote network behavior of each user and looks out for highly suspicious remote network

6 activity. For example, consider John, who typically accesses

remote network shares A, B, and C for his data entry work during normal business hours. If all of a sudden, John now accesses remote network share Z, which holds credit card numbers, such an activity would trigger a Shalom investigation.

Page 11: Nowell Shalom SaaS Security Platform

Regardless of who logs into any Shalom secured endpoint, whether an impostor, an intruder, or an insider with malicious intent, Shalom is constantly on the look out for very suspicious user activity, taking into account all possible behavior variables. After Shalom finishes learning about a user’s behavior, it then begins to look out for unusual behavior anomalies and it authenticates suspicious persons by questioning. Optionally, Shalom can be configured to silently report suspicious insider activity without any questioning or lock out. When Shalom completes mastering a user’s behavior, it then looks out for highly suspicious behavior, behavior that is highly deviant from how the user is known to normally behave, similar to our previous examples. If Shalom detects very suspicious behavior, it first reports then interrogates the user for identity verification. The diagram below illustrates how Shalom identifies suspicious behavior by Anomaly Detection Shalom “Moving Window” Anomaly Detection: Circle of Normal Events (as time progresses to eternity)

Shalom emulates this Anomaly Detection method for each user and each host in real time – any behavior that’s outside the circle is often “suspicious” because it is highly unusual and might indicate a potential internal security breach

Authenticates Users for Identity Verification If They Behave Suspiciously (Multi-Factor Authentication)

If Shalom observes a user behaving suspiciously— in a highly unusual manner— it authenticates the user to verify their identity. In the authentication, random questions are asked based on what was learned earlier in the initial interview. The questions asked are few, specific and therefore require specific answers. These questions are structured in such a way that only the real, actual account owner can give

Page 12: Nowell Shalom SaaS Security Platform

correct answers since only they know what was said in the interview. For the person to be granted continued access to the system, they must supply correct answers to the questions asked by Shalom. The interrogated suspect has a time period to answer each question.

Identifies Suspicious Insiders and Reports In Real Time

If the user passes, by answering the authentication questions correctly, Shalom grants access to the user, but still reports their suspicious behavior to administrators immediately. Shalom reports the users’ exact anomaly, including their suspicious activity (triggered application, command, or script), date and time of breach, location of the attack, and suspiciously accessed network shares, databases, and ports. These reports can then be reviewed to investigate for unauthorized insider activity. Questioning and reporting suspicious users at the very moment they behave suspiciously disrupts, deters, and discourages malicious insiders, as they’ll know they’ve been caught and reported. Shalom also adapts using a moving window method. Over time, this continuous, adaptive profiling perfects Shalom’s accuracy in detecting future attacks. On the other hand, if the suspect fails the authentication by not being able to supply correct answers to the questions, this indicates an impostor, so Shalom denies them access and immediately locks them out.

Shalom Denies Access ONLY If the User Fails the Authentication

After a failed test, which possibly confirms an impostor, Shalom rapidly performs the following actions:

Suspends the intruders’ activity. Immediately, denies further access to the suspect user.

All Shalom agents across the network keep the compromised account locked out.

Notifies administrators after a failed test confirming the attempted, but contained attack.

Reports the intruders’ exact anomaly including what happened, where and when it happened, and who did it.

The flagged account is now under investigation and will be closely monitored. The next time a person logs into that account, they will be required to repeat the authentication by providing correct answers, or they will be denied further access to the network.

After authentication, a detailed security report is sent to information security administrators notifying them about the incident. Administrators are able to further investigate passed interrogations for possible unauthorized actions by insiders. If a user fails the authentication, they will be denied access to the computer network until cleared by administrators

7 or until the legitimate user self-releases the account

by authenticating successfully. Recommended actions an administrator may take include:

Investigate passed authentication for possible unauthorized actions by insiders.

Reset or renew compromised passwords, smart cards for users who failed the interrogation since such accounts are considered compromised, cracked or impersonated.

Review audit log files and surveillance tapes to spot the person who staged the attack.

7

Page 13: Nowell Shalom SaaS Security Platform

Take further actions to find and contain the attacker.

Shalom Also Finds and Reports Phony Backdoor Computer Accounts In some cases, the malicious insider aware of audited systems does not perform attack using their own accounts. Sometimes, they go as far as creating and using phony backdoor accounts that have admin level privileges. Since Shalom lives within the system, if Shalom encounters any new user (legitimate or illegitimate), it prompts them to complete the interview. At this point, perpetrators using newly created backdoor accounts are detected and immediately reported. Without reaching any conclusions, Shalom reports the name of the backdoor account, how they entered the network, from where and at exactly what time. IT administrators can then investigate and destroy backdoor accounts using Active Directory, LDAP, or whatever user management tool is used.

Shalom Detects Suspicious Programs and Locks out Hackers On The Unix Shell8 Within the data center, hackers typically penetrate UNIX databases by either exploiting system vulnerabilities or hijacking in-built passive UNIX accounts like “ftp-user”, “smmsp”, “nobody”, etc. Using hijacked accounts, they log into the shell, then execute their pre-built automated scripts. If intruders log in at odd times, or execute very odd scripts, Shalom finds their exact shell, suspends their activities, authenticates them, and then locks them out if they fail to get passed the authentication or run away. Shalom also secures X-windows and multi-user Microsoft Terminal services that house many users logged in at the same time.

8 Some features mentioned here such as shell-related features are only available on Linux and

UNIX based OSes

Page 14: Nowell Shalom SaaS Security Platform

Capable of Securing Multiple Users at the Same Time

Secured computer serving multiple users simultaneously.

One Shalom agent is required to secure multiple users simultaneously logged in.

Page 15: Nowell Shalom SaaS Security Platform

Shalom Security Platform Architecture Drawing

Hosted server in the cloud manages Shalom agents on desktops, laptops, and servers.

Shalom security agents are installed at each endpoint.

Page 16: Nowell Shalom SaaS Security Platform

Benefits Of Shalom Security Platform

Shalom Defeats & Deters the Insider Threat

In their quest to steal data, if internal users behave suspiciously, Shalom detects, reports, and authenticates them by interrogation. Although the authorized insider may pass the questioning, they are discouraged from following through because they’ll know that they’ve been caught and reported. Authenticating suspicious insiders by asking questions will serve as a preventive deterrent to the Insider Threat and Internal Fraud. On the other hand, denying access to intruders who fail to authenticate, Shalom ensures that only authorized and authentic users access your network. Shalom also helps to enforce “Separation of Duties“ among users—which is a good deterrent to insider threat.

Prevents Identity Theft: Intruders Using Stolen Identity, Password or Smart Access Card Shalom provides a last line of defense against intruders impersonating legitimate insiders. A team of security agents will lock out intruders and stop malicious insiders at the very moment they behave suspiciously. If an intruder succeeds in penetrating higher security layers such as firewalls, password authenticators, smart cards, or even security cameras, after a failed authentication, Shalom ejects and denies them access, providing a last line of defense on the inside.

Reports Suspicious Computer Accounts and Suspicious Automated Scripts

When Shalom encounters a new computer account, it first reports then prompts the user to complete the one time interview. At this point, perpetrators using newly created backdoor accounts are authenticated and immediately reported. Shalom reports the name of the backdoor account, how they entered the network, from where and at exactly what time. Shalom also reports newly implanted automated scripts that execute at suspicious times, transferring data to unfamiliar networks. Intended for Windows servers, this feature is called SYSTEM anomaly reporting.

Detects Impostors Using Intelligent Multifactor Authentication

In the interview, users are free to share whatever they wish with Shalom and are not forced to answer a predefined set of questions. The interview is completely encrypted using DOD and NIST Certified AES 256 Bit Cryptography and kept private. Even the security administrators don’t know what their users tell Shalom. All they get are the results of the interrogative authentication, pass or fail. Passwords, PINS and smart cards are single identity verifiers that are all prone to theft. With Shalom this is not the case. Shalom’s ability to learn multiple specifics and question randomly makes it very difficult for impostors to get passed a Shalom authentication.

Provides Enterprise Class Reporting Using Industry Reporting Standards

Shalom reports via email, cell-phone SMS, and also logs all security events on the hosted cloud server accessible using the security admin tool GUI. These reports can be sorted, saved and archived for later

Page 17: Nowell Shalom SaaS Security Platform

use. The reports can also be converted into industry standard reporting file formats such as CSV for better integration, compatibility and exchange between disparate reporting applications. These incident reports always state the suspicious event (what), the offending computer account (who), date, time (when) and corrective actions taken (pass, fail, lock out, etc). The security tool also provides information on exactly who's logged in at any given location at any given time in the network.

Uses A “Moving Window” Method To Detect When Users Change Behavior Shalom addresses changes in user behavior like a moving window that captures normal user behavior over time. Older behavior is eventually removed and only the more current, normal user behavior is retained for anomaly detection. For example, lets assume an accountant, Martha, uses Excel and a legacy application for her accounting work. Now Martha receives a promotion, becomes an auditor and now uses a Web based auditing tool, so her computer behavior changes. Shalom detects this change, adapts automatically so that her old behavior as an accountant is eventually dropped from her base profile. This moving window concept applies to all variables (application use, time, network, etc) profiled. This adjusting capability ensures that Shalom always detects suspicious activity even when legitimate users change job functions.

Increased Security Awareness and Instant User Adoption

Intelligent interview based interaction with Shalom during the interview makes Shalom easy to use and adopt with minimal employee training.

Optionally, Shalom could guide users by asking random questions to help users quickly complete the interview.

Easy To Deploy and Manage Across Large Networks Using Administration Tool

With tools like SMS or GHOST, Shalom can be pushed across large networks.

No tedious policies have to be written or maintained. Shalom works on it’s own taking corrective action without any human intervention.

Shalom is configurable. Optionally, Shalom can be configured to only report suspicious insider activity and profile bits can be set per site.

Shalom is managed centrally by a secure, very easy-to-use intuitive graphical user interface.

Page 18: Nowell Shalom SaaS Security Platform

Shalom Security Platform Administration Interface

Page 19: Nowell Shalom SaaS Security Platform

Secures Multiple Users At The Same Time Using The Cyclone Server

One Shalom agent is needed to secure multiple users logged on to the same computer, as is the case with Microsoft Terminal services and UNIX.

Shalom, through the central Cyclone server secures systems distributed over a network. This allows a user’s identity to be preserved and maintained even if the user switches computers, or logs into other computers.

All Data and Communications Encrypted Using AES 256 Bit (Rijndael) Encryption

All security information gathered from users being secured is completely hidden and stored away in a central location tightly encrypted using AES 256 bit dynamic strong encryption. The Advanced Encryption Standard (Rijndael) is the encryption standard adopted by the United States Government. The 256 bit method is further approved by the National Security Agency for protecting TOP SECRET electronic information. In addition, all network data communications, data-in-transit, and data-at-rest in Shalom Agent, Server and the Security Admin GUI are strongly encrypted and packet-authenticated. Also, all actions taken on the security tool such as releasing locked out accounts, deleting incident reports, etc., are always logged for auditing administrator actions.

Internal Risk Management Controls Help Prevent Internal Fraud

The Shalom Security Administration tool helps to prevent fraud caused by insiders. The administration tool offers a display dash board for the disclosure of risk patterns that may be indicators of potential fraudulent internal activity. Loss prevention specialists can correlate this information with financial systems to detect fraud and assess internal risk posture. Graphs and charts are also available for summarized reporting.

Enforces Enterprise Regulations: SOX, GLBA, Visa-CISP, FISMA, FFIEC, and HIPAA That All Call for Internal Security Controls

Insiders are sometimes the root-cause of stolen company information. Such sensitive information could be customer personal information, banking data, credit cardholder data, intellectual property, patient health records, or even classified information. By denying access to intruders, you reduce the threat of impostors accessing your sensitive data from inside the network. However, in the case of passed interrogations, suspicious and possible unauthorized insider activity is always reported so malicious insiders are contained in real time. Insider counter-espionage safeguards must be implemented to fully protect the confidentiality, integrity, and privacy of corporate data, thus enforcing enterprise regulations that all call for proactive internal controls.

Page 20: Nowell Shalom SaaS Security Platform

Reasons Why You Should Adopt and Invest in Nowell’s Shalom Security Platform

1. Detect and Deter Insider Threats and Internal Fraud in Real Time. 2. Prevent Identity Theft: Deny access to stolen User ID, passwords or smart cards. 3. Provide Authentication, which prevents infiltrators and assures authorized access. 4. Internal Security Management features help to greatly reduce and deter internal fraud. 5. Provide a metric on the state of your internal security posture. 6. Strictly enforce “Separation of Duties” within the business network. 7. Enforce US and International infosecurity regulations: FFIEC, SOX, GLB, VISA-CISP, FISMA, BASEL

II, NIST SP’s and HIPAA. 8. Add real-time user-based and host-based anomaly detection and multifactor authentication to

your enterprise, strengthening your internal security posture. 9. Adequately secure a computer network against internal security lapses. 10. Stop insecure computing practices like identity sharing, unattended network access.

All at an affordable price. To purchase, contact one of our business development specialists.

Website: http://www.nowellgroup.com E-mail: [email protected]

About Nowell, Inc Nowell software focuses on preventing insider threats, identity theft and fraud by detecting high risk suspicious behavior. Our software, which is delivered as a secure service via the cloud, addresses identity theft, internal fraud, and insider risk. Nowell’s products offer proactive internal risk management controls that enforce compliance with regulations such as FFIEC Security, FISMA, SOX, PCI Security Standard, HIPAA, and GLBA