BeyondTrust

BeyondTrust Acquires eEye Digital Security

This morning BeyondTrust announced that we have acquired eEye Digital Security, a well-respected leader in vulnerability and threat management. This is a very exciting move which will accelerate our existing company velocity in the security, compliance, and governance markets.

 

 Register for a webcast to learn more about BeyondTrust's acquisition of eEye Digital Security.

 


 

 

When BeyondTrust and eEye began a technology partnership in late 2011, it was quickly apparent that the two companies were very like-minded in their approach to identifying and delivering on the market opportunities before them. We both have set new standards for security and compliance solutions for the mobile, cloud, and virtualization technologies that the Global 2000 is investing heavily in today. We both also have a natural predisposition towards delivering complete solutions, which is increasingly important to operators of dynamic networks. As our partnership progressed, it became clear to the leadership teams at both BeyondTrust and eEye that a more strategic combination of the two companies could provide immediate benefits to our customers and the market at large.

 

That brings us to today. The acquisition brings three key value points to the industry:

 

  • Intelligent, context-aware security of systems, people, and data
  • Integrated protection for both internal and external threats
  • Comprehensive logging and reporting for security and compliance auditing purposes

 

The vision combines the strength of eEye's security intelligence with the security capability and compliance data from the BeyondTrust Privilege Identity Management product line, in what we are now referring to as "Context Aware Security Intelligence." This single pane of glass allows our customers to figure out "what's first, what's next" and, most importantly, to prioritize execution to reduce the risk profile of their IT infrastructure. The result is an operational advantage, as it allows our customers to certify compliance initiatives in a more powerful way.

 

We plan to continue to invest heavily in our joint product lines - in fact, we'll devote over 25% of revenue to R&D, where we'll have over 120 people building great products and solutions for our customers.

 

I'm excited to have members of the eEye leadership team join my management team. I think this firmly demonstrates that this is a very complementary acquisition, where two very strong companies in their own right are coming together to build the next great software company.

 

Please join me May 15, 2012 at 11am PT for a public webinar where we'll discuss the combined company's vision, value proposition, and operational profile. You can register for that webcast here.

 

- John Mutch, CEO, BeyondTrust Software

 

Is Your Organization Prepared Against Advanced Persistent Threats?

An advanced persistent threat (APT) is an attack by which an unauthorized person gains access to the network and stays there undetected for a long period of time. The intent of an advanced persistent threat is more often to steal data than to damage the network. Sectors with high-value information, such as the defense, manufacturing, financial and telecom verticals and, increasingly, social networking, are the most common targets for APT attacks. The Stuxnet worm is a good example of an APT.

 

Advanced: sophisticated - the hacker has the ability to evade detection and to gain and maintain access to well-protected networks and sensitive information.

 

Persistent: continues to run until objectives are met - making it difficult to prevent access to your computer network once the threat actor has successfully gained a foothold in it.

 

Threat: organized and well-planned crime - the hacker has not only the intent but also the capability to gain access to sensitive information stored electronically. The concept originated in the military sector and has been in play for decades.

 

APT captured media attention in the context of enterprise software, beyond being a mere security buzzword, after Google and Intel admitted to having been targeted by advanced persistent threats aimed at compromising sensitive corporate data, and after Google's threat to pull out of China in January 2010. EMC's announcement in March 2011 that RSA's SecurID information had been stolen in a sophisticated attack further cemented the concern and the need to protect against these sophisticated, organized cyber-attacks that access and steal information from compromised systems. Besides Google and RSA, we have also seen Sony and Lockheed Martin hit by security breaches involving advanced persistent threats (APTs).

 

Following the SecurID hack, Computerworld opined that organizations should be proactively prepared for advanced persistent threats or risk being the next RSA. Threat modeling of past attacks, hardening computers' security settings, implementing strong password policies, implementing application control whitelisting, implementing enterprise-wide log management with comprehensive alerting and auditing, and, most importantly, implementing least-privilege authentication and access control systems and policies are critical in battling APTs.

 

Although APT attacks are hard to identify, and combating an APT is a protracted effort requiring sustained work to rid your networks of the threat, data theft can never be completely invisible. Defending against an APT requires the victim organization to detect compromised systems, collect evidence, analyze data and remediate threats more rapidly, efficiently and effectively. Detecting anomalies in outbound data may be the best way for an administrator to recognize an APT attack.

 

Because of the persistent nature of APT attacks, traditional security controls do not deter these relentless hackers. A persistent attacker aims at another entry point to the organization: the insider. BeyondTrust has been securing the perimeter within for over 25 years and has gained the leadership position in management and access control for privileged credentials. BeyondTrust has been focused on the accidental and sometimes intentional threats posed by the insider and on Preventing Good People from doing Bad Things.

 

At BeyondTrust, we believe the first step towards limiting the damage that advanced persistent threats could cause is to not give users access to any resource they don't require or use. Managing your privileged users' access and using appropriate delegation policies will significantly reduce the risk posed by APTs to your organization.

Well-Intentioned Employees Can Make Poor Judgment Calls

In 2007, Google’s Street View project began to collect “payload data”, including e-mail addresses, text messages, and passwords, from the unsecured Wi-Fi networks of potentially hundreds of millions of people. More than a dozen countries began investigations of Street View in 2010, and in the United States the Justice Department, the Federal Trade Commission, state attorneys general and the F.C.C. began looking into the matter.

 

On April 13, 2012, the Federal Communications Commission released a report on Google’s Street View project after a 17-month investigation. The initial view was that the data collection was the work of a “rogue” engineer operating on his own. That, however, has been revealed to be false. According to the report, the engineer suggested it was entirely intentional: “We are logging user traffic along with sufficient data to precisely triangulate their position at a given time, along with information about what they were doing.”

 

Google responded in a blog saying, “The project leaders did not want, and had no intentions of using, payload data.” In addition, Google stressed that the engineer started the project on his “20 percent” time – time that Google gives to employees to work on their own initiatives.

 

So how did this happen? A Google executive says, “Quite simply, it was a mistake.” Marc Rotenberg, executive director of the Electronic Privacy Information Center says, “This is what happens in the absence of enforcement and the absence of regulation.”

 

Sometimes well-intentioned employees make poor judgment calls, putting their company in a compromising situation. Proper regulations, especially when employees are empowered to work on their own initiatives, can prevent a media frenzy or, as in this particular case, an investigation for potentially breaking privacy laws.

Data Lost: Covering Your Assets

According to a recent CDW poll, one in four organizations experienced data loss in the past two years. Imagine the amount of customer, student, employee and patient information lost because of those incidents, never mind the ones that go unreported.


Aligning with this shocking stat is that according to the same study, the number of people accessing business networks increased by 41 percent during the last two years. If we can learn anything from this stat, we must consider partners as potential insider threats too. Information assets are some of the most important ingredients to a corporation’s success, but also the hardest to effectively protect across the extended enterprise given the proliferation of distributed users’ communities, mobile devices, virtualized platforms and cloud computing.


While it is important to provide the information and access necessary for third-party resources to do their jobs, at the same time it’s irresponsible to allow vendors free rein over sensitive data or network assets. An all-or-nothing approach to granting users access doesn’t work here. Effective privileged identity management, coupled with comprehensive knowledge of your partners’ and vendors’ security policies and practices, is the best way to safeguard your company’s most valued assets.


A recent Ponemon Institute study discovered that organizations suffering a data loss in 2011 paid an average of $5.5 million per breach, which translates into $194 per record lost. Human nature is the weakest link when it comes to the intersection of people, processes and technology. You can't rely on everyone being a saint or competent all of the time. It's not just malicious employees intent on destroying information systems that can cause havoc, but also the negligent, misinformed, and downright nosey, who can compromise sensitive data. In most situations it's more often than not the case that such people have way too much privileged access - admin rights on the desktop, the root password on the server - for the role they are required to play.

Manage Privileged Access for UNIX/Linux with Microsoft Active Directory

In my discussions with IT teams, I am continually reminded that managing access to UNIX and Linux systems, and doing so at the least cost, is important for IT. IT must do more with less. There is a constant need to drive down the costs of operations and deliver more to the business. Failure to get UNIX and Linux access management under control can lead to compliance failures and leaves critical systems and data open to security breaches.

 

Recently one of our customers, a large service provider, shared the value that their company receives from their implementation of PowerBroker.


• Easily show auditors that we meet compliance requirements (PCI and SOX)
• Centralized control, logging
• Lower costs of administration
• Overall, PBUL provides more flexible security and better empowerment of users/UNIX administrators

 

Here at BeyondTrust, customers are a key part of our product development process.  We worked with several customers on the integration of Microsoft Active Directory to simplify management of privileged access policies.  You can now centrally manage your Linux and UNIX users, groups and computers including privileged access with Microsoft Active Directory. This centralized approach to managing privileged access significantly reduces operational complexity and costs, protects critical assets from misuse of privileged access and demonstrates compliance. 

 

PowerBroker Servers Enterprise Solution offers precision control over Linux/UNIX privileged access. You can create and manage privileged users, roles and access policies through Microsoft Active Directory and deploy privileged access policies through Group Policy. You can also monitor and record privileged access down to the keystroke level. 

 

Managing your privileged users' access and using appropriate delegation policies is simpler and more powerful with PowerBroker Servers Enterprise and Microsoft Active Directory.

Breaches, Breaches Everywhere, It Seems that Insiders Just Don’t Care!

Let’s take a look at a few of the breaches being reported this week alone – all at the hands of insiders.

The Utah Department of Health reported that about 780,000 claims had been accessed by a hacker. Then they added that 280,000 people’s social security numbers were stolen and 500,000 people had less-sensitive personal data such as name, date of birth and address, compromised. How did this happen? Through a weak password. In this case, the affected server had a configuration error at the authentication level, essentially meaning that the server was put into production without the proper procedure, leaving the weak password protection vulnerable to an attacker.


South London Healthcare NHS is blaming the loss of two unencrypted USB sticks containing patient data on lack of staff training. These USB drives are reported to contain the personal data of 600 maternity patients and the medical and personal data of 33 children. Organizations have a responsibility to meet certain compliance standards and to properly train their employees on procedures and measures to protect sensitive information.

Emory Healthcare, Inc. recently announced it lost 10 computer disks containing information, including patient Social Security numbers, of about 315,000 surgical patients. The disks went missing from a storage location and, while no other information has been provided, it would appear that an inside mistake led to the theft or misplacement of these drives.

And lastly, the South Carolina Department of Health and Human Services discovered that a Medicaid employee inappropriately transferred personal information for 228,435 Medicaid beneficiaries to their personal email account. If employees are over-privileged, situations like this are far more likely to occur.

What these four stories have in common is a reminder that insider threats pose a risk to companies of all shapes and sizes and that all organizations can benefit from implementing privileged access policies.

The Key to Controlling Privileged User Activity? Centralize!

Those of you who follow my blogs know that sudo – and the issues it presents IT organizations – is one of my favorite discussion topics. I suppose that’s because there is no shortage of stories that surface on a regular basis about the problems that can arise with sudo, and I feel compelled to remind our blog readers that the ease of deploying sudo, coupled with the speed with which it can spin out of control, makes for a risky combination. Just last week I talked to yet another customer who lamented the security and compliance challenges of sudo: he had just discovered that IT admins were adding privileges for their friends to sudoers files across the organization. Not that hard to do when there is a sudoers file on every server, each managed locally and independently, often by multiple administrators.

 

Centralization truly is a cornerstone for control. Dorothy’s blog from April 2nd introduced BeyondTrust's latest product, PowerBroker Servers Enterprise 7.0, and captured how PowerBroker's centralized approach and granular privileged access control protect against intentional or accidental misuse of privilege that would otherwise allow employees, or hackers through advanced persistent threat (APT) attacks, to execute privileged commands.

 

In the case of sudo, local sudoers files create a plethora of opportunities for misuse of privilege. Besides the common problem of ad hoc administration of the individual files documenting user privileges, there is also the issue of local, unencrypted logs. Such logs can easily be tampered with by the local user, eliminating any evidence of damage done through privileged access – intentional or not. As Dorothy pointed out, managing privileged access on all your Linux and UNIX systems, whether physical, virtual, or deployed in the cloud, is critical to ensuring only valid users run privileged commands on your servers.
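One way to catch the per-server sudoers drift described above is to audit each host's file against an approved baseline. The following is an added example, not code from this post or from PowerBroker: a Python script that parses the user specifications in a sudoers file (including backslash-continued lines), compares every grant to an approved set, and flags unapproved grants and passwordless full-root entries. The sample sudoers text, the host name in its comment and the APPROVED baseline are constructed for illustration; in practice it would be run over each server's /etc/sudoers and sudoers.d fragments, and the resulting findings shipped off-host so they cannot be edited away locally.

```python
import re
from dataclasses import dataclass

# Constructed sample of a per-server /etc/sudoers; not taken from any real host.
SAMPLE_SUDOERS = """\
# /etc/sudoers on web-01 (constructed sample)
Defaults    env_reset
Defaults    logfile=/var/log/sudo.log
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) /usr/sbin/service nginx restart, \\
                   /usr/bin/tail /var/log/nginx/*
bob     ALL=(ALL) NOPASSWD: ALL
"""

# Grants the organisation has actually approved (hypothetical baseline):
# (user, host, runas, command).
APPROVED = {
    ("root", "ALL", "ALL:ALL", "ALL"),
    ("%admin", "ALL", "ALL", "ALL"),
    ("alice", "ALL", "root", "/usr/sbin/service nginx restart"),
    ("alice", "ALL", "root", "/usr/bin/tail /var/log/nginx/*"),
}


@dataclass(frozen=True)
class Grant:
    user: str
    host: str
    runas: str
    command: str
    tags: tuple


# user  host = (runas) [TAG:] command, command ...
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def _logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = buf + " " + line.lstrip()
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1].rstrip()
            continue
        line = line.strip()
        if line and not line.startswith("#"):
            yield line
    if buf:
        yield buf


def parse_sudoers(text):
    """Return one Grant per (user, host, runas, command) found in the file."""
    grants = []
    for line in _logical_lines(text):
        if line.startswith(("Defaults", "User_Alias", "Host_Alias",
                            "Runas_Alias", "Cmnd_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmnd_list = m.groups()
        runas = runas or "root"  # sudoers default when no (runas) is given
        for cmnd in cmnd_list.split(","):
            cmnd = cmnd.strip()
            tags = []
            # Tags such as NOPASSWD: or SETENV: prefix the command.
            while ":" in cmnd and cmnd.split(":", 1)[0].isupper():
                tag, cmnd = cmnd.split(":", 1)
                tags.append(tag.strip())
                cmnd = cmnd.strip()
            grants.append(Grant(user, host, runas, cmnd, tuple(tags)))
    return grants


def audit(text, approved=APPROVED):
    """Return (finding, grant) pairs for grants outside the approved baseline."""
    findings = []
    for g in parse_sudoers(text):
        if (g.user, g.host, g.runas, g.command) not in approved:
            findings.append(("unapproved grant", g))
        if g.command == "ALL" and "NOPASSWD" in g.tags:
            findings.append(("passwordless full root", g))
    return findings


if __name__ == "__main__":
    for finding, g in audit(SAMPLE_SUDOERS):
        print(f"{finding}: {g.user} on {g.host} as ({g.runas}) -> {g.command} {g.tags}")
```

On the constructed sample the script reports bob twice: once because his entry is not in the baseline at all, and once because it is a NOPASSWD grant of ALL. Alias expansion and host-specific aliases are deliberately left out; a real audit would either expand them or treat any alias reference as a finding to review.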

 

PBSE provides the means for controlling privileged access on Linux and UNIX systems through:

  • Centralized policy files for managing user privileges, implemented through a simple-to-use graphical interface
  • Active Directory integration for centralized user management
  • Out-of-the-box reports on all privileged activity as well as regulation-specific compliance reports

 

There’s no doubt about it: a centralized approach to managing privileged access is proven to significantly reduce operational complexity and costs, protect critical assets from misuse of privileged access, and demonstrate compliance.

Insider Threats: What Can Be Done?

IT security tends to focus on securing the network from external attacks, but little attention is given to malicious activity and human error within the company. According to InformationWeek’s 2012 Strategic Survey, company employees pose just as much of a threat as cyber thieves.


How can this be addressed?


A recent article by Dark Reading titled, How To Prevent Data Leaks From Happening To Your Organization, highlights that the most difficult element of defense is the human factor – implementing policies and training to educate employees on proper handling of sensitive data. The article lays out some strategies that can be integrated to keep essential information from getting out.


First, email and web security gateways can be a beneficial tool to sit in-line and act as a relay, inspecting not only internal data traffic but also the outbound traffic that employees generate. This outgoing information can be inspected for terms sensitive to the company and for specific data types, raising red flags when prospective threats occur. Secondly, behavioral anomaly detection systems can be put into place to create a baseline of normal network activity and report on activity that deviates from that baseline. The drawback is that this will only report, and it is up to security staff to investigate. These strategies are proven effective, but further policies can be employed to maintain data security and integrity within a network.
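The baseline-and-deviation approach described here, and the "detecting anomalies in outbound data" suggestion in the APT post above, can be shown with a small detector. This is an added example, not code from the original page: Python that builds a per-host baseline of daily egress volume from a training window using the median and median absolute deviation (MAD), then reports later days whose volume deviates from that baseline by more than a threshold. The egress records, host names, window length and threshold are constructed assumptions. As the post notes, the output is a report only; a person still has to investigate each alert.

```python
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-host daily egress totals (bytes out), as a proxy or NetFlow
# collector might summarise them. Not real traffic: ws-17 is built to show a
# sudden bulk transfer on the final day, while ws-22 stays flat.
SAMPLE_EGRESS = (
    [("ws-17", f"2012-04-{d:02d}", mb * 1_000_000)
     for d, mb in enumerate([58, 64, 49, 71, 55, 60, 66, 52, 59, 63], start=1)]
    + [("ws-17", "2012-04-11", 940_000_000)]
    + [("ws-22", f"2012-04-{d:02d}", mb * 1_000_000)
       for d, mb in enumerate([120, 131, 118, 125, 140, 122, 128, 135, 119, 127], start=1)]
    + [("ws-22", "2012-04-11", 133_000_000)]
)


@dataclass(frozen=True)
class Alert:
    host: str
    day: str
    bytes_out: int
    robust_z: float


def _by_host(records):
    """Group (host, day, bytes) records per host, ordered by ISO date."""
    per_host = defaultdict(list)
    for host, day, nbytes in sorted(records, key=lambda r: (r[0], r[1])):
        per_host[host].append((day, nbytes))
    return per_host


def build_baseline(records, window_days=10):
    """Median and MAD of each host's first window_days days of egress."""
    baseline = {}
    for host, series in _by_host(records).items():
        train = [b for _, b in series[:window_days]]
        med = statistics.median(train)
        # Floor of 1 byte avoids division by zero on a perfectly flat host.
        mad = max(statistics.median(abs(b - med) for b in train), 1)
        baseline[host] = (med, mad)
    return baseline


def robust_z(value, med, mad):
    """MAD-scaled deviation; 0.6745 makes it comparable to a normal z-score."""
    return 0.6745 * (value - med) / mad


def detect_anomalies(records, window_days=10, threshold=5.0):
    """Score every day after the training window against the host baseline and
    return the days whose egress exceeds it by more than `threshold` robust sigmas."""
    baseline = build_baseline(records, window_days)
    alerts = []
    for host, series in _by_host(records).items():
        med, mad = baseline[host]
        for day, nbytes in series[window_days:]:
            z = robust_z(nbytes, med, mad)
            if z > threshold:
                alerts.append(Alert(host, day, nbytes, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_EGRESS):
        print(f"{a.host} {a.day}: {a.bytes_out / 1e6:.0f} MB out (robust z = {a.robust_z})")
```

The median and MAD are used instead of mean and standard deviation so that a single large day in the training window cannot inflate the baseline and mask later spikes. On the constructed data only ws-17's final day is reported; ws-22's 133 MB day sits well inside its normal range.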


The article neglects to mention the implementation of privilege identity management as a viable solution to insider threat problems. Creating an internal perimeter with privileged access policies can significantly reduce dangers of theft or accidental disclosure. To counter misuse of privileges, enterprises must mitigate insider threats and clarify rank vs. privilege, supporting a least privilege environment.


Human nature is the weakest link when it comes to the intersection of people, processes and technology. In most situations it's more often than not the case that people have way too much privileged access - admin rights on the desktop, root password on server - for the role they are required to play.

People are Less Forgiving of Insider Threats than Outside Hacks

A new study says that people are more likely to file a lawsuit against a company that experienced a data breach if that breach was the result of unauthorized disclosure or disposal of data than if the breach happened due to an outside hack. The study, titled Empirical Analysis of Data Breach Litigation, says “plaintiffs respond more to the careless or negligent handling by a firm of their personal information than to a firm’s inability to withstand a cyber-attack.”


As this research indicates, people are less tolerant or forgiving of missteps or carelessness in the internal handling of sensitive information, which should be a red flag to any company that has yet to institute identity and access management policies. Human nature is capricious and mistakes are inevitable – it’s unfortunate, but because these are indisputable characteristics of people, companies are responsible for taking the proper precautions to protect sensitive data.


The study also showed the chance of a lawsuit was 9.7 percent higher if the breach exposed financial information, while breaches involving social security numbers were negatively correlated with lawsuits, though the effect was relatively small at 2.4 percent. Any medical data or credit card data had no effect on the probability of litigation.


Regardless of what type of information your company has, be it sensitive customer data, or your own intellectual property, having the right insider threat protection policies can be the difference between forgiveness and a lawsuit. 

Firewalls Not Preventing Data Breaches? Try a Dose of Least Privilege

An article was published last month indicating that a malware-infected computer at Connecticut College was the cause of the breach of 18,000 social security numbers of teachers, employees, and student workers. According to the report, "a computer in the CCSU business office was infected in December, and sat on the system for eight days before it was detected and removed." By now we all know that data breaches are bad. We understand the ramifications of lost, manipulated or stolen data. We know they should be avoided at all costs. So why do they keep happening?

 

Maybe it's because IT organizations aren't treating the root cause of the problem. Since we led with the Connecticut College incident, let's use it as an example. I'm sure there were extensive firewalls protecting the sensitive information of those 18,000 people. I have no doubt that a lot of thought and planning went into the anti-malware software that was supposedly protecting the corporate network. But what happens when that's not enough? Firewalls and anti-malware software are just Band-Aids when it comes to treating IT security as a whole. While they help by placing a barrier between the outside world and the goings-on of the corporate network, they don't actually treat or solve the cause of why the breaches are occurring in the first place.

 

Unmanaged and unaudited administrative credentials and root access are the cause of data breaches. Bottom line. These credentials can be hijacked by malware and allow hacks to occur in otherwise secure corporate networks. To properly treat the problems that cause data breaches, these credentials MUST be managed. Users must have access to the tasks necessary for their job function, but not so much access that they can reach anything at any time. When your users are allowed this kind of freedom, malware can take hold and your data becomes insecure. Fortunately, BeyondTrust can help. Click here for more information on ways to manage administrative credentials the right way and reduce the threat of malware in your organization.
