This is a multi-part series to help customers explore a technology to automatically detect specific activity on their Centrify enabled systems. Part 1 focuses on the business problem of why organizations would want to correlate Centrify audit information. Part 2 shows how to integrate Centrify Server Suite with a SIEM.
- This posting is provided "AS IS" with no warranties, and confers no rights.
- Splunk is a registered trademark of its respective owner.
- The versions of software used in this guide work together. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It is always best practice to test new versions of software.
The Business Problem:
The current cyber threat landscape has forced businesses to change their behavior and expend more resources to prevent cyber-attacks. They must complete security audits on a routine basis (e.g. PCI DSS, SOX, HIPAA, and more), and failing an audit can result in fines. A data breach can be devastating, and bad publicity resulting from a security incident can significantly reduce a business’s market value. Many organizations have endured a data breach and had to deal with breach remediation costs, reduction in stock price, loss of customer trust, and damage to their brand. For those organizations, the total financial loss resulting from a breach is enormous and continues for an extended period of time. Board rooms today focus, more than ever, on how their organizations can improve their security posture. Their goals are to implement controls that prevent data breaches and pass security audits to safeguard customer and employee data. I recently have had numerous security discussions where the sole driver for the discussion was that the board did not want to see their company’s name in the newspaper.
A breach within a large organization can have far-reaching impacts on the economy and society. One method industry and government have devised to force organizations to stay vigilant is the security audit. Security audits exist to help enforce security best practices. The higher the risk of the business or organization, the stricter the audit and compliance requirements are. Most security audits validate a wide breadth of security controls. Here is a nice summary of all the audit framework controls created by the SANS Institute: https://www.sans.org/security-resources/posters/20-critical-security-controls/55/download
In general, a couple of key capabilities are asked for as the common denominator. The first is centered around prevention and strong access control. Many of the critical security controls provide guidance for access control, whether it is for the device, network, software/hardware, administrator privileges, and so on. This is because prevention is the most direct method to ensure that someone without explicit access does not gain access to a critical system. There are many security products in the market today that provide prevention-based security. Centrify has a host of capabilities in this area, ranging from privileged access control, to mobile device/app management, to multifactor authentication for on-premises and web-based applications. However, in the real world, preventative measures cannot be used alone, because strict preventative policies can block legitimate access, and this can negatively affect the business’s bottom line and stifle innovation and growth. For example, if system admins do not have access to fix a revenue-generating web application during a critical window of time (the holiday season), there could be significantly less revenue. Or, if the security in place is too difficult to use, people will find a way around it (e.g. post-it notes, cameras on phones, sharing passwords) or stop trying to use the resource entirely. This leads to the second key control, which is the ability to detect specific events on systems of interest. If you cannot prevent unwanted activities from occurring, then you must be able to detect those activities so the organization can act quickly on them. Many organizations find out about a breach from a third party, which is usually the worst-case scenario.
Detection involves looking through audit logs on a periodic basis and making sure nothing nefarious is occurring. Most products provide security audit logging that can be reviewed by security administrators to detect whether something of interest occurred. This is valuable information for security practitioners; however, most customers I talk to do not have the time and resources to review these audit logs. For example, Centrify provides a full audit trail across *nix and Windows systems, as well as session-based video recordings showing the full context of what a user does on a system. This is not enough for most customers, because they need additional tools to automatically notify them when to go look at the audit videos. There are numerous ways to do this specifically with Centrify, but the industry needs a common method to aggregate audit logs from all of its security tools into one place where they can be automatically monitored. Without this capability, organizations are vulnerable to nefarious acts because they are not preventing or detecting everything they could be.
The result is that when there is a security incident, the organization does not know until weeks or months after it occurs, and in some cases the organization never finds out or is notified by an outside party. This results in serious consequences for the business, its customers, and in some cases society in general.
An Alternative Approach
So how can we approach this problem? A solution that is becoming very popular is a Security Information and Event Management tool, or SIEM. SIEM products provide many of the features required for log management but add event-reduction, alerting and real-time analysis capabilities. They provide the layer of technology that allows one to say with confidence that not only are logs being gathered but they are also being reviewed. A SIEM also enables the import of data that isn't necessarily event-driven (such as vulnerability scanning reports) - hence the "Information" portion of SIEM.
If implemented properly, a SIEM can collect the relevant “events” from the entire IT environment and display them on a single pane of glass so you can make better decisions and understand when your environment may be under stress, or under attack. With the event-reduction, alerting, and real-time analysis provided by a SIEM, it is much more feasible to detect unwanted activity across your environment. Using this capability, organizations can have their SIEM automatically alert them to an event and tell them exactly where to look to get additional information (context) from the audit log at that location. Instead of using skilled people’s time to complete the mind-numbing task of reviewing security/audit trails every 2 weeks (looking for a needle in a haystack), organizations can configure their SIEM to tell security engineers exactly where to go to investigate a problem. Then they can make use of all the useful audit trail logs and session-based video recordings for incident response. This frees up more time to respond quickly to an incident and deploys skilled individuals to the right places to determine how threats can be prevented in the future, so you do not have to rely on detection. It is a much more efficient model.
Centrify makes it easy for customers to integrate important Centrify events into a SIEM so the events can be normalized for analysis and used for automated alerting. There are numerous supported SIEM integrations, and Centrify’s session-based audits give you a video and a detailed audit log so you can see the full context of what happened on a system of interest. A video summary of the capability can be found here. With this information, security teams can easily report specific things about their environment to the CIO/CISO. For example, “Mr./Mrs. CISO, here is a list of all the users that have authenticated through Centrify to my HR system. It looks normal, except there was a spike on Saturday. We investigated this further and it was because of benefits enrollment.” Or, “Mr./Mrs. CISO, here are the most privileged accounts in our biggest revenue-generating application. We must add multifactor authentication to these accounts because of the high risk. Can we put this in the budget?” Insights like these are easier to find with a SIEM, and integration with other security tools helps CIOs and CISOs sleep better at night knowing they will be alerted if needed. This can also enable more funding for the security team, because the SIEM integration provides relevant data to back up the risks the team is concerned with.
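The alerting workflow described in the two paragraphs above (event reduction, an alert on an anomaly such as the Saturday login spike, and a pointer back to the audit sessions to review) as an added example, not code from the original post or from Centrify. The key=value line layout, host names, user names and session ids are constructed for illustration and are not Centrify's real audit format.

```python
import re
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample audit lines in an assumed key=value layout (not Centrify's real format).
SAMPLE_EVENTS = """\
2016-03-07T09:12:01Z host=hr-app01 event=auth.success user=alice session=s-1001
2016-03-08T09:15:44Z host=hr-app01 event=auth.success user=bob session=s-1002
2016-03-09T08:58:10Z host=hr-app01 event=auth.success user=alice session=s-1003
2016-03-10T10:03:27Z host=hr-app01 event=auth.success user=carol session=s-1004
2016-03-11T09:41:05Z host=hr-app01 event=auth.success user=bob session=s-1005
2016-03-11T23:59:59Z host=hr-app01 event=auth.failure user=mallory session=s-1006
2016-03-12T07:02:13Z host=hr-app01 event=auth.success user=alice session=s-1007
2016-03-12T07:30:51Z host=hr-app01 event=auth.success user=dave session=s-1008
2016-03-12T08:11:09Z host=hr-app01 event=auth.success user=erin session=s-1009
2016-03-12T08:45:33Z host=hr-app01 event=auth.success user=frank session=s-1010
2016-03-12T09:00:00Z host=web01 event=auth.success user=alice session=s-1011
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) session=(?P<session>\S+)$")

def parse_events(text):
    """Parse the assumed line layout; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["day"] = date.fromisoformat(ev["ts"][:10])
            events.append(ev)
    return events

def spike_alerts(text, host, factor=3.0):
    """Count successful logins per day on one host; flag days above factor x the mean of the
    other days, and return that day's session ids so an analyst knows which recordings to review."""
    counts, sessions = Counter(), defaultdict(list)
    for ev in parse_events(text):
        if ev["host"] == host and ev["event"] == "auth.success":
            counts[ev["day"]] += 1
            sessions[ev["day"]].append(ev["session"])
    alerts = []
    for day, n in sorted(counts.items()):
        others = [v for d, v in counts.items() if d != day]
        if others and n > factor * mean(others):
            alerts.append({"day": day.isoformat(), "count": n, "sessions": sessions[day]})
    return alerts

if __name__ == "__main__":
    for alert in spike_alerts(SAMPLE_EVENTS, "hr-app01"):
        print(f"{alert['day']}: {alert['count']} logins, review sessions {alert['sessions']}")
```

On the sample data only Saturday 2016-03-12 is flagged, with the four session ids an analyst would pull up; a real SIEM rule would replace the constructed parser with the normalized fields of the ingested events.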
SIEMs are a fast-growing area of the cyber security market and provide value by helping customers automate the process of looking at audit logs and alerting. In the next part of this blog, I am going to show you how you can set up SIEM integration with Centrify Server Suite. Centrify Server Suite is a privileged identity management product that enforces least privilege and privileged access control for server-level access and privileged commands on *nix and Windows systems. Being able to send Centrify Server Suite’s audit trail events, and the corresponding session recordings, to a SIEM and leverage these events for alerting is critical for privileged accounts, because they pose a major risk to enterprises.