Posts Tagged ‘PCI-DSS’

Real time credit card number leak detection and prevention in SSH

Wednesday, February 6, 2013 @ 10:02 AM Author: Márton Illés

It has been a while since I wrote a blog post on anything, but nevertheless there are a couple of new and interesting topics that are worth blogging about. At least I hope so.

In this blog post I would like to introduce my favorite new feature of the latest Shell Control Box release.

No matter how much time has passed, credit-card fraud and data leakage are still a hot topic. Detecting or, better, preventing any leak of such information is something PCI DSS requires; protecting cardholder data is the key requirement of the standard. However, realizing that in real life is not always that simple. One can easily find many solutions to monitor web, e-mail, IM and FTP traffic, and although these might cover a large portion of user activity, some painful covert channels still remain.

Many organizations decide to create a special DMZ or a separate network for their “PCI-affected” infrastructure, this way limiting the scope of PCI compliance. The key issue with such infrastructures is how the perimeter can be protected. How can they make sure that no credit-card data leaves the PCI network? Most organizations use network separation with firewalls, strong authentication, DLP sensors, encryption and tokenization as protection mechanisms, and in most cases these do their job well.

However, even in the case of a properly sealed network, administrative access for troubleshooting and maintenance work needs to be available! Of course one can argue that it is only for a very limited number of people, so it is less of a headache, but we should not forget that administrators or developers can be a potential risk in such a situation. (Just recall the 2008 Liechtenstein bank account leak.) Privileged users have both the access rights and the knowledge to reach and possibly steal or leak data. SSH access to the database server bypasses most typical protections: any built-in security in the applications, the firewalls, and even the network DLP sensors.

There are solutions like the Shell Control Box to control and record the activity of such privileged users while they access the PCI servers. It is possible to control who can access the servers and when, and in the case of SSH it is possible to deny SCP or SFTP file transfers and port forwards, which are usually not required for maintenance work and would only act as a covert channel. Of course it is also possible to record and later analyze what the users were doing, but such a control is only “post mortem”. (Nevertheless, it is better to at least know about a leak than to have it go unnoticed.)

Let’s see what could be done to mitigate the situation!

In the latest release, Shell Control Box 3 F4, we added the functionality of monitoring SSH terminal traffic in real time. The monitoring can be used, amongst other useful things, to detect credit card numbers as they appear on the screen of the user. Why is this important? With careful configuration it is possible to lock down all access to servers and databases to just SSH terminal access. This way we only need to focus on this one channel to spot possible attacks. (Remember, users are not able to copy files or use any tunnel!) The real-time monitoring functionality can be used to close this last gap in the data protection mechanism.

This latest development of SCB makes it possible to look at the SSH terminal traffic and, using a built-in terminal emulator, track all data that appears on the user’s screen. (The terminal emulator is mandatory: looking at just the raw traffic, the terminal escape sequences would render the data flow impossible to analyze.) As the actual terminal screen content is available throughout the connection, it is possible to look for any data that is interesting from a monitoring perspective, like credit card numbers. Luckily, credit card numbers have a well-defined syntax (a bounded length and a trailing check digit computed with the Luhn algorithm), so distinguishing between a random sequence of digits and a valid credit card number is doable. SCB has a built-in detection engine that matches valid credit card numbers and counts all occurrences of unique numbers in a given session.

Checking the terminal screen is also very useful because this is exactly what the user is looking at. Even if the user jumps to other servers or logs into the SQL database, the screen is always the same. Detection can run no matter what application or what server is accessed, as the terminal screen is always checked.

Different actions can be triggered when the number of matches reaches a configured limit, like sending e-mail and SNMP notifications or logging the event to a SIEM system for further correlation or reporting. (Of course the built-in reporting of SCB can also use that information!)

This detection is very useful, but would it also be possible to prevent data leakage?

Of course detection is better than nothing, but prevention is the real deal. (It is always better to stop a robbery than just to have a nice CCTV recording of the events!) Thanks to the architecture of SCB, prevention is just as easy as monitoring. As the Shell Control Box is always in-line with the actual traffic, the screen updates sent from the server are first checked and analyzed before the data is forwarded to the client application for display. This makes it possible to act actively (and not just react passively) when a data leak is detected. Besides notifications, it is possible to terminate the connection before the actual data is forwarded to the client, so no sensitive data reaches the user and no leak occurs.
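To make the detection and the in-line decision described above concrete, here is an added example in Python. It is not SCB’s code and SCB’s matching engine is not published in this post; everything in it is an assumption made for illustration. It assumes a candidate syntax of 13 to 19 digits with optional space or dash separators, validates candidates with the Luhn check digit, counts unique numbers per session, and withholds the server-to-client screen update that crosses a configured limit. A regex that strips ANSI CSI sequences stands in for the terminal emulator; it cannot reconstruct what cursor movement puts on screen, which is exactly why the real feature needs an emulator. The card numbers in the sample are the public Visa, Mastercard and Amex test numbers, not real cards.

```python
# Added example, not Shell Control Box code: Luhn-validated card-number
# detection over terminal screen text, unique-number counting per session,
# and an in-line forward/withhold decision for server-to-client output.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumed candidate syntax: 13 to 19 digits, optionally separated by single
# spaces or dashes, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Stand-in for the terminal emulator: drop ANSI CSI sequences (colours,
# cursor movement) so the digits can be matched. A regex cannot reconstruct
# what cursor movement actually leaves on screen; a real implementation
# needs an emulator, as the post explains.
ANSI_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(screen_text: str) -> Set[str]:
    """Return the set of Luhn-valid card numbers (digits only) in screen text."""
    text = ANSI_CSI.sub("", screen_text)
    found: Set[str] = set()
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return found


@dataclass
class SessionMonitor:
    """Per-session state for in-line inspection of server output.

    limit: number of unique card numbers at which the session is terminated.
    """
    limit: int
    seen: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)   # what would go to e-mail/SNMP/SIEM
    terminated: bool = False

    def inspect(self, server_chunk: bytes) -> Optional[bytes]:
        """Inspect one server-to-client chunk before it is forwarded.

        Returns the chunk to forward, or None when the session has been
        terminated and the chunk must be withheld from the client.
        """
        if self.terminated:
            return None
        new = find_pans(server_chunk.decode("utf-8", "replace")) - self.seen
        for pan in sorted(new):
            self.seen.add(pan)
            # Never put the full PAN into a notification or SIEM event:
            # report a masked form (first six, last four) and the count.
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            self.events.append(f"card number seen: {masked} (unique so far: {len(self.seen)})")
        if len(self.seen) >= self.limit:
            self.terminated = True
            self.events.append(f"limit {self.limit} reached, session terminated")
            return None
        return server_chunk


if __name__ == "__main__":
    # Constructed sample of what an SQL client might print inside the SSH
    # session; the numbers are public test card numbers, not real cards.
    monitor = SessionMonitor(limit=2)
    for chunk in (b"\x1b[1mcustomer\x1b[0m | card\n",
                  b"alice | 4111 1111 1111 1111\n",
                  b"bob   | 4111-1111-1111-1111\n",      # same number, still one unique
                  b"carol | 5555555555554444\n",         # second unique number: withheld
                  b"dave  | 378282246310005\n"):
        out = monitor.inspect(chunk)
        print("FORWARD" if out is not None else "WITHHELD", chunk)
    print("\n".join(monitor.events))
```

Two points worth noting from running it. With a limit greater than one, the updates carrying the earlier matches have already been forwarded by the time the limit is crossed; only the update that crosses it, and everything after, is withheld, so the limit has to be chosen with that in mind. And the events that would be sent to e-mail, SNMP or a SIEM carry only a masked number, because a notification containing the full PAN would itself be a leak of cardholder data.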

Obviously, Shell Control Box provides a fine-grained configuration interface to tailor the policy on how detected sensitive data is handled and what actions are taken. One can define different policies based on user groups, computer groups, time policies, etc.

Credit card matching is just one example; technically any other sensitive data could be detected and prevented from leaking. Right now only SSH terminal traffic can be monitored, but we are working on extending coverage to other protocols and other traffic types. Stay tuned!

Overall, I believe that this real-time monitoring and prevention functionality is a major step forward, both for the Shell Control Box and for how user activity can be tracked and controlled. Instead of just gathering gigabytes of recordings and tons of logs, user activity can be tracked as it is happening. In many cases it is simply not enough to record activity and run forensic analysis later; information and notification are required instantly. Prevention, on the other hand, takes privileged account monitoring to a new level, similar to how IDS systems evolved into IPS and later into next-generation firewalls.


The turn-key appliance for log management helps meet compliance requirements while lowering operational risks and costs

New York – May 15, 2012 – BalaBit IT Security – also known as the “syslog-ng company” – today announced the general availability of syslog-ng Store Box™ 3.0, the latest long-term-supported version of its trusted log server appliance. This version includes new features such as real-time message rate alerts and improved search and log message rewriting capabilities. The syslog-ng Store Box™ (SSB) is a high-reliability log management appliance to collect, classify, organize, and securely store log messages for enterprises that run a log infrastructure for compliance and maintenance reasons. As an “out-of-the-box” log server, SSB consolidates enterprise-wide logging needs, helping organizations lower operational risks and costs.

 
Several laws, regulations and industry standards – such as the Payment Card Industry Data Security Standard (PCI-DSS) – explicitly require organizations to centrally collect, periodically review, and archive log messages for a long time. With syslog-ng Store Box™, computer security records are stored in sufficient detail, and the appliance provides a simple way to monitor and review these logs. Routine log reviews and continuous log analysis help identify security incidents, policy violations and other operational problems. Logs also often form the basis of auditing and forensic analysis, product troubleshooting and support.

 
“The difference between today’s and tomorrow’s logging trends is that today organizations have to log for compliance purposes, while there are more and more cloud-based services handling loads of data, which require dramatically improved performance capabilities to ensure smooth business operation. BalaBit satisfies these upcoming market needs with its latest syslog-ng software developments: the High-Speed Reliable Logging™ (HSRL) technology, and the Reliable Log Transfer Protocol™ (RLTP) to help companies achieve “Zero Message Loss” and comply with even the most stringent regulations,” said Zoltán Györkő, Business Development Director at BalaBit IT Security. “The syslog-ng Store Box™ appliance is based on the proven syslog-ng technology and will contain HSRL and RLTP in the next updates. SSB 3 LTS now satisfies today’s market needs and allows customers to build an efficient log management system for reviewing and auditing the logs of over 40 platforms, as an out-of-the-box solution,” Györkő added.

Key new features of syslog-ng Store Box™ 3.0 LTS:
•    Real-time message rate alerts can be received to detect the following abnormalities in SSB: one of the clients/sites sending logs is no longer detectable, one of the clients/sites is sending too many logs (probably unnecessarily), or syslog-ng inside SSB has stopped working or has been misconfigured.
•    Extended searching capabilities allow searches using wildcards and Boolean expressions.
•    Improved log message rewriting makes it possible to rewrite parts of the messages using rewrite rules. Several built-in and all dynamic parts of the message can be rewritten, and new fields can be added using this feature.
•    A switch to a 64-bit architecture powers SSB in order to use the capabilities of the underlying hardware to the fullest.

About syslog-ng Store Box™
The syslog-ng Store Box (SSB) is a high-reliability and high-performance log management appliance to collect, classify, organize, and securely store log messages for enterprises that operate a log management infrastructure. Featuring a powerful web-based search interface and a customizable reporting and statistics engine, SSB facilitates easier log review and auditing. SSB offers customizable user role separation and strong encryption methods to prevent unauthorized access to sensitive data. It features fine-tuned access control to log messages and automatic data archiving and backup, helping your organization fulfill compliance requirements such as SOX, Basel II, HIPAA, COBIT or PCI-DSS. For more information, please visit the syslog-ng Store Box website.

Supporting Resources
•    The syslog-ng Store Box Product Description
•    The syslog-ng Store Box – trusted Log Server Application (video)
•    The syslog-ng Store Box Administrator Guide
•    Technical Blog Post About Improved Log Message Rewriting in SSB 3.0

About BalaBit
BalaBit IT Security is an innovative information security company, a global leader in the development of privileged activity monitoring, trusted logging and proxy-based gateway technologies to help protect customers against internal and external threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments.
BalaBit is also known as “the syslog-ng company”, based on the company’s flagship product, the open source log server application, which is used by more than 650 000 companies worldwide and has become the globally acknowledged de-facto industry standard.
BalaBit, the second fastest-growing IT Security company in the Central European region according to Deloitte Technology Fast 50 (2010) list, has local offices in France, Germany, Italy, Russia, and in the USA, and cooperates with partners worldwide. Our R&D and global support centers are located in Hungary, Europe.
For more information, visit www.balabit.com.

###
The syslog-ng™, syslog-ng Store Box™, High-Speed Reliable Logging™, Reliable Log Transfer Protocol™ and BalaBit™ names are registered trademarks of BalaBit. All other product names mentioned herein are the trademarks of their respective owners.

For more information, please contact:
Andrea Ipolyi
PR manager
BalaBit IT Security
phone: +36 20 390 4139
e-mail: andrea.ipolyi@balabit.com
blog: http://andrea.blogs.balabit.com

Walter Caon
BalaBit USA
410 Park Avenue 15th Floor Suite 1500
New York, 10022
phone: +1 917 546 6715
e-mail: walterc@us.balabit.com

 


•    BalaBit unveiled its Reliable Log Transfer Protocol (RLTP)™ technology to help companies achieve “Zero Message Loss” and comply with even the most stringent regulations
•    The syslog-ng trusted logging solution became the de-facto industry standard for logging within the last decade and is now used by 650 000 companies worldwide

New York, February 29, 2012 – BalaBit IT Security – also known as the “syslog-ng company” – today announced its Reliable Log Transfer Protocol (RLTP)™ technology as part of the latest version of its syslog-ng Premium Edition 4 F2 log server. The new version builds on the previously released High-Speed Reliable Logging (HSRL)™ syslog-ng software, the logging tool with the highest performance ever measured and documented. The syslog-ng log server collects and classifies log messages from a wide variety of devices and applications and can transfer them to a high-performance log server over an encrypted and reliable channel, where the messages can be processed further and stored in secure, encrypted files or databases. The new transport protocol prevents message loss during connection breaks, ensuring that companies can comply with even the most stringent regulations such as PCI-DSS or HIPAA.

Organizations spend a huge part of their budgets on IT security solutions (SIEM, IDS, IPS, IDM, DLP) to be secure and compliant, so they are motivated to protect their investment by optimizing these IT tools. The basis for evaluating and analyzing their IT security operations is the logs containing the details of what is happening in the IT system. For instance, banks need to do forensics on a daily basis for fraud detection purposes, as security incidents initiated from both external and internal sources have to be investigated. Telco companies also cannot afford to lose any evidence kept in log files. In addition, most compliance regulations require the collection of logs in a closed system.

Supporting Quote
“As IT security analyses are only as good as the data collected from network devices and applications, the importance of accurate collection and storage of log messages cannot be overemphasized. There are many cases in which log messages could be lost, such as an application crash or restart, the disk where we store logs being full or not available, or a network failure. The new syslog-ng Premium Edition 4 F2 ensures Zero Message Loss through the Reliable Log Transfer Protocol (RLTP)™ technology so that valuable information is protected,” said Zoltán Györkő, Business Development Director at BalaBit IT Security.

Key new features of syslog-ng Premium Edition 4 F2
-    Ensures Zero Message Loss
o    By using the Reliable Log Transfer Protocol (RLTP)™ on the client, relay and server side, it prevents message loss during connection breaks. The new RLTP™ transfer protocol detects the last message received on the receiving end and then resends messages from that point.
o    Reliable disk-based buffering prevents log message loss when unexpected events cause an extended connection breakdown. It stores a copy of the log messages as a backup until the destination computer has acknowledged receipt of the messages. It provides a slower, but reliable, disk-buffer option.
o    Flow control is used to control and optimize the log traffic from end to end. Flow control dynamically handles the peak message rate and, together with RLTP™, ensures that all log messages sent by the client arrive at the server.
-    Native collection and processing of log messages from SQL databases, enabling users to easily manage log messages from a wide variety of enterprise software and custom applications.
-    The AIX 7.1 platform is now supported.

About syslog-ng log server
BalaBit has been developing the open source syslog-ng trusted logging tool for more than 14 years. During this time it became the de facto industry standard for logging and is used by 650 000 companies world-wide, such as Boeing, Credigen Bank, Data Path, Fiducia IT AG, NASA and Svenska Handelsbanken. The syslog-ng project is a continuous community effort to create the best system logging and log processing tool. The project is an advocate and early adopter of open standards, including the syslog RFCs developed by the IETF and the Common Event Expression (CEE) message-description standard of the MITRE Corporation.

The syslog-ng Premium Edition application builds on the core of the popular open source version, offering advanced features like encrypted and time stamped log files, disk-based buffering, direct database access, and agents for the Microsoft Windows and IBM System i platforms. It allows system administrators and security experts to build a trusted, centralized logging infrastructure for reviewing and auditing the log messages of over 40 platforms. The syslog-ng solution incorporates the functions of clients, relays, and servers into a trusted, multi-platform logging infrastructure. It collects and classifies the log messages of operating systems and applications and transfers them to the high-performance log server in an encrypted and reliable channel where the messages can be processed further and stored in secure, encrypted files or databases. Supporting reliable transport protocols, message buffering, and client-side failover, syslog-ng minimizes the risk of message loss, thus suiting compliance requirements, such as PCI-DSS.

Supporting materials
•    Secure, Encrypted Log Transfer and Storage – syslog-ng Product Sheet
•    Figure: Zero Message Loss with syslog-ng Premium Edition 4 F2
•    What is New in syslog-ng Premium Edition 4 F2
•    The syslog-ng Premium Edition 4 F2 Administrator Guide
•    Return of Investment Calculator: Compare the TCO of syslog-ng Premium Edition and syslog-ng Open Source Edition

Trademarks
The syslog-ng, Reliable Log Transfer Protocol (RLTP) and High-Speed Reliable Logging (HSRL) names are trademarks of BalaBit IT Security. Other names may be trademarks of their respective owners.
