The curse of IT security is the potential for unwanted events to happen. Unlike an ideal system, where real events and permitted events exactly overlap, a typical system behaves differently. Users of systems may have logical options or possibilities beyond those they are actually authorized to command or call up. Write permissions assigned to system administrators on a server, for example, do not authorize them to overwrite any data, though they actually have this possibility.
“If you look at all those factors that affect the risk of an IT system then we can clearly see that the greatest risk that's posessed on the IT system is sourcing from human factor.”
Márton Illés, CTO, Balabit IT Security
The reason access-control measures cannot ensure a sufficient level of security is that policies governing whether a given event is allowed or not are created years before actual decision points occur, and with insufficient context information about the scenario or context on hand. Such pre-made uninformed decisions backing access-control prove to be far too strict or, on the contrary, far too permissive in most of the cases. Perfect security could only be achieved at the price of a level of rigour which would block processes, while, on the other hand, serving processes at the maximum level would yield an unacceptable low level of security. The two drawbacks usually appear hand-in-hand: rules and policies lower efficiency, but not enough to yield the expected level of security.
Experts tend to try to work around these drawbacks and flaws using monitoring tools. The costly apparatus of observation adds the possibility of intelligent human consideration in decisions to the security system built out of a dense network of rules. However, allocating limited resources capable of observation remains a concern.
Numerous surveys highlight the vast majority of damage that IT networks suffer is directly caused by human activity. Actually, real internal users are responsible for most damage. Continuing investigations into permission levels reveal privileged users cause the most damage.
Most important potential threats are, therefore, humans. Humans have a degree of freedom which cannot be constrained by simple rules.
Resources for user monitoring are limited, and once we can no longer monitor everything, a good idea is to focus on the more risky segments. But how? - you may ask. Balabit's Monitoring Funnel is the concept of a toolset that concentrates information originating from monitoring in several steps in order to maximize efficiency of analysis.
The first step consists of preliminary filtering of log entries with the syslog-ng log management tool and storing only relevant ones.
In the second step, only data relevant from security perspective (usually logs describing user activity) are forwarded to analysis.
The third step focuses on privileged users' sessions in critical systems using our PAAM (Privileged Account Activity Monitoring) tool, Shell Control Box.
Beyond monitoring, events posing the highest risks in the sessions being considered can also be administered with the preventative rules of SCB's corresponding features.
Finally, sessions entailing extreme risk can be monitored real-time by a supervisor, using SCB's 4-eyes authorization feature.