Balabit is a regular sponsor of events organized around the annual Sysadmin Appreciation Day, because we know how much our business, and even our everyday lives, depend on the people who keep our servers running. We know better than to get in their way when they have minutes to bring a crashed database server back to life or to mitigate a DDoS attack: tens of thousands of dollars can depend on their efficiency. But we also know that the same people hold the keys to the kingdom, and, to quote Bruce Schneier, “Only amateurs attack machines; professionals target people”. Sysadmin credentials are the most attractive targets for attackers, and most successful attacks at some point involve hijacking an administrative account. This is why we created a solution that secures these accounts without interfering with the time-critical tasks of their normal use. Doing so is far from trivial, and it raises a number of difficult challenges.
If you think about it, there is an industry that has already had to solve this challenge: aviation. You want a trustworthy recording of everything that happened in the cockpit for forensic investigation in case anything goes wrong, but you absolutely want to avoid getting in the pilots' way. What can we learn from the history of flight recorders, and how can we get recordings of what happened on our critical servers that are as good as, or even better than, the ones we have for our airliners?
The first thing to solve is being invisible. Security is important, but it only plays a supporting role. If admins have to use specialized client apps, jump hosts or clumsy browser-based terminals, or go through lengthy multi-factor authentication and complicated authorization processes, they will be less efficient at what they need to do: keeping our business-critical services running. To minimize impact and make deployment easy, our technology is completely transparent. By transparently intercepting and proxying administrative protocols such as SSH, RDP, Citrix ICA and others, we let admins keep using their original tools and stay efficient, and they really appreciate that. One consequence of proxying is worth planning for: the proxy terminates the protocol, so for SSH the client is presented with the proxy's host key rather than the target's, and host-key trust on the client side has to be set up accordingly.
The other important thing about these recordings, whether they are data from the cockpit or from remote logins to your core database server, is that you want them to be trustworthy. However, it is incredibly tricky to create monitoring tools that cannot be turned off even by those who manage the systems they monitor. That is why we created a solution that is independent of both the clients and the servers and requires no additional agents to be installed anywhere, so it can be disabled neither by an attacker who has hijacked the account nor by a malicious insider who wants to erase their traces. On top of that, the integrity of the recordings is ensured with strong cryptography: every piece of collected information is encrypted, signed and digitally timestamped, so a record that is altered, removed or backdated after the fact no longer verifies.
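The tamper-evidence property described above, as an added illustration written for this page (it is not Balabit's implementation). Every record commits to the one before it through a hash chain and carries a keyed tag, so editing or deleting any record breaks verification of everything after it, and a checkpoint stored out of the administrators' reach catches silent truncation of the tail. To stay in the standard library, an HMAC under a key assumed to be held only by the recording proxy stands in for the public-key signature and the trusted-timestamp token a real deployment would use; the timestamps, commands and key value are constructed sample data.

```python
"""Tamper-evident session recording (added example, not Balabit code).

A record's tag covers its sequence number, timestamp, event and the previous
tag, so the chain only verifies if nothing was edited, dropped or reordered.
Simplification: HMAC replaces a public-key signature and a timestamp-authority
token; timestamps are caller-supplied constructed data.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def tag_for(key: bytes, rec: dict) -> str:
    """Keyed digest over the canonical form of a record (everything but its tag)."""
    body = json.dumps({k: rec[k] for k in ("seq", "ts", "event", "prev")},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class SessionRecorder:
    """Append-only log kept by the proxy, outside the monitored hosts."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def append(self, timestamp: str, event: dict) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        rec = {"seq": len(self.records), "ts": timestamp, "event": event, "prev": prev}
        rec["tag"] = tag_for(self._key, rec)
        self.records.append(rec)
        return rec

    def checkpoint(self) -> tuple:
        """(count, last tag): keep this where admins cannot reach it. Without it,
        cutting records off the end leaves a chain that still verifies."""
        last = self.records[-1]["tag"] if self.records else GENESIS
        return len(self.records), last


def verify(records: list, key: bytes, checkpoint: tuple = None) -> tuple:
    """Walk the chain, recomputing every tag. Returns (ok, reason)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"chain broken at record {i}"
        if not hmac.compare_digest(tag_for(key, rec), rec.get("tag", "")):
            return False, f"tag mismatch at record {i}"
        prev = rec["tag"]
    if checkpoint is not None and checkpoint != (len(records), prev):
        return False, "truncated or replaced log: checkpoint mismatch"
    return True, "ok"


def demo() -> dict:
    """Record a constructed SSH session, then try the edits an insider would make."""
    key = b"recorder-key-held-only-by-the-proxy"  # assumption: provisioned out of band
    rec = SessionRecorder(key)
    rec.append("2016-11-28T02:13:05Z", {"user": "alice", "cmd": "ssh db-01"})
    rec.append("2016-11-28T02:13:19Z", {"user": "alice", "cmd": "mysqldump --all-databases"})
    rec.append("2016-11-28T02:14:02Z", {"user": "alice", "cmd": "exit"})
    cp = rec.checkpoint()

    edited = copy.deepcopy(rec.records)
    edited[1]["event"]["cmd"] = "ls"            # rewrite the incriminating command
    deleted = [rec.records[0], rec.records[2]]  # drop the middle record
    cut = rec.records[:2]                       # silently lose the tail

    return {
        "intact": verify(rec.records, key, cp),
        "edited": verify(edited, key, cp),
        "deleted": verify(deleted, key, cp),
        "cut_no_checkpoint": verify(cut, key),
        "cut_with_checkpoint": verify(cut, key, cp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

The "cut_no_checkpoint" case is the one to take away: a hash chain alone does not detect a shortened log, because the surviving prefix is internally consistent. Detecting it needs a value (the count and last tag here, a signed timestamp token in practice) anchored somewhere the people being recorded cannot modify.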
The last big question is what we do with all that data, and this is where we need to go beyond aviation. Flight incidents are relatively infrequent, whereas our IT systems are constantly under attack. Airlines can afford to spend months, sometimes years, reviewing all the data and piecing together what happened, but few IT security incidents would justify such an effort. And it would be great if flight systems could automatically detect that the pilot has fallen asleep or, God forbid, that the plane has been hijacked. Luckily, the digital recordings of sysadmin activity make it possible to build behavioral baselines and to recognize automatically, in real time, when something suspicious is going on. Our analysis starts with the high-level basics: activity time, protocol details, IP addresses and other metadata. Did anyone log in to dozens of servers at once, from the other corner of the world, in the middle of the night, with an unusual client application? As a next step, we look into the contents of the sessions, the windows that appeared on the screen and the commands that were issued: did the network admin start to dump the database? As a third layer, we perform biometric verification, analyzing keystroke dynamics and mouse movement patterns, both of which are a good data source for checking whether the person using the account is indeed who they claim to be.
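The three analysis layers described above, as an added example written for this page (not Balabit's code): layer 1 scores session metadata against a per-user baseline, layer 2 checks the commands in the session against the user's role, and layer 3 compares the observed inter-keystroke timing with the user's profile. The login history, keystroke intervals, role policy, thresholds and the two sessions at the end are all constructed sample data chosen so that one session is routine and the other trips every layer.

```python
"""Three-layer session anomaly scoring (added example, not Balabit code).

All history, sessions, role policy and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: (user, session start, source country, client banner, server).
HISTORY = [
    ("alice", "2016-11-01T09:12:00", "HU", "OpenSSH_7.2", "db-01"),
    ("alice", "2016-11-02T10:40:00", "HU", "OpenSSH_7.2", "db-02"),
    ("alice", "2016-11-03T14:05:00", "HU", "OpenSSH_7.2", "db-01"),
    ("bob",   "2016-11-01T22:10:00", "DE", "PuTTY", "fw-01"),
    ("bob",   "2016-11-02T23:45:00", "DE", "PuTTY", "fw-02"),
]
# Constructed inter-keystroke intervals (ms) taken from each user's past sessions.
KEYSTROKE_HISTORY = {
    "alice": [110, 120, 130, 115, 125, 120, 118, 122],
    "bob":   [180, 195, 170, 185, 190, 175, 182, 188],
}
ROLES = {"alice": "dba", "bob": "network-admin"}
# Constructed policy: command prefixes a role has no business issuing.
ROLE_DENY = {"network-admin": ("mysqldump", "pg_dump", "mongodump")}


def build_baseline(history):
    """Per user: the login hours, source countries and client banners seen so far."""
    base = defaultdict(lambda: {"hours": set(), "countries": set(), "clients": set()})
    for user, start, country, client, _server in history:
        base[user]["hours"].add(datetime.fromisoformat(start).hour)
        base[user]["countries"].add(country)
        base[user]["clients"].add(client)
    return dict(base)


def score_metadata(baseline, user, start, country, client, servers, max_fanout=5):
    """Layer 1: when, from where, with what client, and to how many servers at once."""
    base = baseline.get(user)
    if base is None:
        return ["no baseline for user"]
    findings = []
    hour = datetime.fromisoformat(start).hour
    if hour not in base["hours"]:
        findings.append(f"unusual hour {hour:02d}:00")
    if country not in base["countries"]:
        findings.append(f"unusual source country {country}")
    if client not in base["clients"]:
        findings.append(f"unusual client {client}")
    if len(set(servers)) > max_fanout:
        findings.append(f"fan-out to {len(set(servers))} servers")
    return findings


def score_commands(role, commands):
    """Layer 2: session content. Flags commands outside the role's remit."""
    deny = ROLE_DENY.get(role, ())
    return [f"role {role} ran: {c}" for c in commands if c.strip().startswith(deny)]


def score_keystrokes(user, observed_ms, max_outlier_fraction=0.5):
    """Layer 3: share of observed intervals outside the user's mean +/- 2 sigma."""
    hist = KEYSTROKE_HISTORY[user]
    mu, sigma = mean(hist), pstdev(hist)
    lo, hi = mu - 2 * sigma, mu + 2 * sigma
    outliers = sum(1 for x in observed_ms if not lo <= x <= hi)
    frac = outliers / len(observed_ms) if observed_ms else 0.0
    if frac > max_outlier_fraction:
        return [f"keystroke timing off profile ({frac:.0%} outliers)"]
    return []


def review_session(baseline, s):
    """Run all three layers over one session dict and return the findings."""
    return (score_metadata(baseline, s["user"], s["start"], s["country"],
                           s["client"], s["servers"])
            + score_commands(ROLES.get(s["user"]), s["commands"])
            + score_keystrokes(s["user"], s["keystrokes_ms"]))


# Constructed sessions: one routine, one that trips every layer.
NORMAL = {"user": "bob", "start": "2016-11-05T23:20:00", "country": "DE",
          "client": "PuTTY", "servers": ["fw-01"],
          "commands": ["show run", "exit"],
          "keystrokes_ms": [178, 186, 191, 183, 180]}
SUSPICIOUS = {"user": "bob", "start": "2016-11-06T03:02:00", "country": "CN",
              "client": "libssh2_1.7", "servers": [f"srv-{i:02d}" for i in range(12)],
              "commands": ["mysqldump --all-databases > /tmp/x.sql", "exit"],
              "keystrokes_ms": [45, 52, 48, 50, 47]}

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for name, s in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        print(name, review_session(base, s))
```

The point of the layering is that each one catches something the others cannot: metadata is cheap and available before the session starts, command inspection needs the decrypted session content the proxy has, and keystroke timing keeps working even when the metadata looks normal because the attacker is sitting at the admin's own workstation.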
If you want to learn more and find out how we do this in real life, come and see us at booth #715 at Gartner IAM Summit in Las Vegas.