InfoWatch software solutions and related activities. User action audit. Preventing leaks during the preparation phase

Annotation: The final lecture gives current recommendations on implementing technical means of protecting confidential information and discusses in detail the characteristics and operating principles of InfoWatch solutions.

InfoWatch Software Solutions

The purpose of this course is not a detailed acquaintance with the technical details of the InfoWatch products, so we consider them from a technical marketing perspective. InfoWatch products are based on two fundamental technologies: content filtering and auditing of user or administrator actions at the workplace. An integral part of the InfoWatch integrated solution is also a repository of information that has left the information system, together with a single internal security management console.

Content filtering of information traffic channels

The main distinguishing feature of InfoWatch content filtering is its morphological core. Compared with traditional signature filtering, this gives two advantages: insensitivity to elementary obfuscation (replacing one character with another) and higher performance. Because the core works not with words but with root forms, it automatically discards roots that contain mixed encodings. Also, working with roots, of which there are fewer than ten thousand in each language, rather than with word forms, of which there are about a million, allows it to show significant results on rather low-powered hardware.

User activity audit

To monitor user actions with documents on a workstation, InfoWatch offers several interceptors in one agent on a workstation - interceptors for file operations, printing operations, operations within applications, operations with attached devices.

Storage of information that has left the information system through all channels

InfoWatch offers a repository for information that has left the information system. Documents passed through all channels leading outside the system (e-mail, Internet, printing and removable media) are stored in the storage application (until 2007, the Traffic Monitor Storage Server module) together with all their attributes: the full name and position of the user, his electronic identifiers (IP address, account or mail address), the date and time of the operation, and the name and attributes of the documents. All information is available for analysis, including content analysis.

Related activities

The introduction of technical means of protecting confidential information seems to be ineffective without the use of other methods, primarily organizational ones. We have already discussed some of them above. Now let's take a closer look at other necessary actions.

Behavior patterns of offenders

By deploying a monitoring system for actions with confidential information, in addition to increasing functionality and analytical capabilities, you can develop in two more directions. The first is the integration of protection systems against internal and external threats. Incidents in recent years show a distribution of roles between internal and external intruders, and combining information from the monitoring systems for external and internal threats makes it possible to detect such combined attacks. One of the points of contact between external and internal security is the management of access rights, especially where a business need is fabricated to justify elevating the rights of disloyal employees and saboteurs. Any request for access to resources outside job duties must immediately trigger auditing of actions with that information. It is safer still to solve a suddenly arising problem without opening access to the resources at all.

Let's take an example from life. A system administrator received a request from the head of the marketing department to open access to the financial system. As justification, the request was accompanied by the general director's assignment to carry out marketing research into the purchasing of goods produced by the company. Since the financial system is one of the most protected resources and only the CEO grants permission to access it, the head of the information security department wrote an alternative solution on the request: not to give access, but to upload anonymized data (without specifying clients) to a special database for analysis. When the chief marketer objected that it was inconvenient for him to work this way, the director asked him a direct question: "Why do you need the names of clients - do you want to leak the database?" After that everyone went back to work. Whether this was an attempt to leak information we will never know, but whatever it was, the corporate financial system was protected.

Prevention of leaks during the preparation phase

Another direction in the development of a monitoring system for internal incidents with confidential information is building a leak prevention system. Such a system operates on the same principle as intrusion prevention solutions. First, a model of the intruder is built, and a "violation signature" is formed from it, that is, the sequence of the intruder's actions. If several user actions match the violation signature, the user's next step is predicted; if it also matches the signature, an alarm is raised. For example: a confidential document was opened, part of it was selected and copied to the clipboard, then a new document was created and the contents of the clipboard were pasted into it. The system assumes that if the new document is then saved without the "confidential" label, this is an attempted theft. The USB drive has not yet been inserted and the e-mail has not yet been composed, but the system already informs the information security officer, who decides whether to stop the employee or track where the information goes.

Incidentally, models (in other sources, "profiles") of offender behavior can be built not only from information collected by software agents. By analyzing the nature of database queries, one can always identify an employee who is trying to obtain a specific piece of information through a series of consecutive queries. What he does with the results must be traced immediately: whether he saves them, whether he connects removable media, and so on.
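The following is an added example, not code from the lecture or from InfoWatch, showing how the "violation signature" described above can be matched against a user's stream of workstation events: it tracks each user's progress through the signature, predicts the next step once several actions have matched, and raises an alarm when the predicted step actually occurs. The action names, the signature and the sample event stream are all constructed for the demo.

```python
"""
Added example: a small "violation signature" matcher.  The intruder model is
an ordered sequence of user actions; the matcher follows each user's events,
reports the matched prefix, predicts the next step and alerts when it occurs.
All event names and the sample stream are constructed for this illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Step:
    """One step of the signature: an action name plus required attributes."""
    action: str
    require: dict = field(default_factory=dict)

    def matches(self, event: dict) -> bool:
        if event.get("action") != self.action:
            return False
        return all(event.get(k) == v for k, v in self.require.items())


# The clipboard scenario from the text: open a confidential document, copy
# part of it, create a new document, paste, save it without the label.
CLIPBOARD_SIGNATURE = (
    Step("open_document", {"label": "confidential"}),
    Step("copy_to_clipboard"),
    Step("create_document"),
    Step("paste_from_clipboard"),
    Step("save_document", {"label": None}),
)

MIN_MATCHED_STEPS = 2  # "if several user actions match the signature ..."


@dataclass
class Matcher:
    signature: tuple
    progress: dict = field(default_factory=dict)  # user -> index of next step

    def feed(self, event: dict) -> dict:
        """Consume one event and return a verdict for that event's user."""
        user = event["user"]
        idx = self.progress.get(user, 0)
        if self.signature[idx].matches(event):
            idx += 1
        elif idx and self.signature[0].matches(event):
            idx = 1  # the sequence was started over from the beginning
        # Unrelated events (other windows, clicks) do not reset progress:
        # the actions in the text are interleaved with ordinary work.
        self.progress[user] = idx
        verdict = {"user": user, "matched": idx, "alert": False, "predicted": None}
        if idx == len(self.signature):
            verdict["alert"] = True  # the predicted final step happened
            self.progress[user] = 0
        elif idx >= MIN_MATCHED_STEPS:
            verdict["predicted"] = self.signature[idx].action
        return verdict


def scan(events: list) -> list:
    """Run the matcher over an event stream and return the alerts raised."""
    matcher = Matcher(CLIPBOARD_SIGNATURE)
    return [v for v in map(matcher.feed, events) if v["alert"]]


# Constructed sample stream: one user performs the full sequence with an
# unrelated action in between; another opens and saves a labelled document.
SAMPLE_EVENTS = [
    {"user": "ivanov", "action": "open_document", "label": "confidential"},
    {"user": "petrov", "action": "open_document", "label": "confidential"},
    {"user": "ivanov", "action": "copy_to_clipboard"},
    {"user": "ivanov", "action": "switch_window"},
    {"user": "petrov", "action": "save_document", "label": "confidential"},
    {"user": "ivanov", "action": "create_document"},
    {"user": "ivanov", "action": "paste_from_clipboard"},
    {"user": "ivanov", "action": "save_document", "label": None},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} completed the clipboard signature")
```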

Organization of information storage

Data anonymization and encryption are prerequisites for organizing storage and processing, and remote access can be organized over a terminal protocol so that no information remains on the computer from which the request is made.

Integration with authentication systems

Sooner or later, the customer will have to use a confidential document monitoring system to resolve personnel issues, for example dismissing employees on the basis of facts documented by this system, or even prosecuting leakers. However, all that the monitoring system can provide is the violator's electronic identifier: IP address, account, e-mail address and so on. To bring a legal charge against an employee, this identifier must be linked to a person. Here a new market opens up for the integrator: the introduction of authentication systems, from simple tokens to advanced biometrics and RFID identifiers.

Sometimes events happen that require us to answer the question "Who did this?". This happens "rarely, but painfully", so you should prepare in advance to answer it.

Almost everywhere, there are design departments, accounting departments, developers and other categories of employees working together on groups of documents stored in a shared folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, as a result of which the work of the whole team may be lost. In this case, the system administrator faces several questions:

    When (on what date and at what time) did the problem occur?

    What is the closest backup to that time to restore data from?

    Maybe there was a system failure that could happen again?

Windows has a built-in audit system that allows you to track and log when, by whom and with what program documents were deleted. By default, auditing is not enabled: tracking itself consumes a certain share of system capacity, and if everything is recorded the load becomes too great. Moreover, not all user actions are of interest to us, so the audit policies allow enabling tracking only for the events that really matter.

The audit system is built into all operating systems of the Microsoft Windows NT family: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, on Windows Home editions auditing is deeply hidden and too difficult to configure.

What needs to be configured?

To enable auditing, log in with administrator rights to the computer that provides access to the shared documents and run Start → Run → gpedit.msc. In the Computer Configuration section, expand Windows Settings → Security Settings → Local Policies → Audit Policy:

Double-click the policy Audit object access and select the Success checkbox. This setting turns on tracking of successful file and registry access; we are only interested in successful attempts to delete files or folders. Enable auditing only on computers that directly store the monitored objects.

Simply enabling the audit policy is not enough; we also need to specify which folders we want to track. Usually such objects are shared document folders and folders with production programs or databases (accounting, warehouse, etc.), that is, resources that several people work with.

It is impossible to guess in advance who exactly will delete a file, so tracking is configured for the Everyone group: successful attempts to delete monitored objects by any user will be logged. Open the properties of the required folder (if there are several such folders, each in turn) and on the Security → Advanced → Auditing tab add an auditing entry for Everyone covering successful Delete and Delete Subfolders and Files access:


A lot of events can be logged, so you should also adjust the size of the Security log to which they are written. To do this, run Start → Run → eventvwr.msc. In the window that appears, open the properties of the Security log and specify the following parameters:

    Maximum Log Size = 65536 KB (for workstations) or 262144 KB (for servers)

    Overwrite events as needed.

These figures are not guaranteed to be right; they are chosen empirically for each specific case.

So, who deleted the documents (Windows 2003/XP)?

Click Start → Run → eventvwr.msc and open the Security log. Right-click the Security log, select View → Filter, and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 560;


Review the list of filtered events, paying attention to the following fields within each entry:

  • Object Name: the name of the folder or file in question;
  • Image File Name: the program that deleted the file;
  • Accesses: the set of requested rights.

A program can request several types of access from the system at once, for example DELETE + SYNCHRONIZE or DELETE + READ_CONTROL. The right that matters to us is DELETE.


So, who deleted the documents (Windows 2008/Vista)?

Click Start → Run → eventvwr.msc and open the Security log. The log may be filled with events not directly related to the problem. Right-click the Security log, select View → Filter, and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 4663;

Don't rush to interpret every deletion as malicious. Deletion is often part of the normal operation of programs. For example, when executing the Save command, Microsoft Office programs first create a new temporary file, save the document into it, and then delete the previous version of the file. Likewise, many database applications create a temporary lock file (.lck) on startup and delete it when exiting.

In practice, I have had to deal with malicious user actions. For example, a disgruntled employee of a certain company, upon leaving his job, decided to destroy all the results of his work by deleting the files and folders he had been involved with. Events of this kind are clearly visible: they generate tens or hundreds of entries per second in the Security log. Of course, recovering documents from Shadow Copies or an automatically created daily archive is not difficult, but at the same time I could answer the questions "Who did this?" and "When did this happen?".
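As an added example (not part of the original lecture), the triage below applies the filter described in the two preceding sections to constructed Security log records: it keeps only successful object-access events (560 on XP/2003, 4663 on Vista/2008) whose requested rights include DELETE on a monitored folder, marks the benign patterns mentioned above (Office temporary files, .lck lock files) rather than silently dropping them, and flags a user who deletes many files within one second as a probable mass deletion. The flat record layout, the folder path, user names and all sample values are constructed for the demo and are not a real event schema.

```python
"""
Added example: triage of constructed Windows Security log entries for the
question "who deleted the documents?".  Records are flat dicts constructed to
resemble the fields named in the text; this is not the real event schema.
"""
import fnmatch
from collections import defaultdict
from datetime import datetime

DELETE = 0x10000                      # access-mask bit of the DELETE right
OBJECT_ACCESS_EVENTS = {560, 4663}    # XP/2003 and Vista/2008 event IDs
MONITORED = ["\\\\fs01\\Shared\\Projects\\"]   # constructed monitored share
BENIGN_PATTERNS = ["*\\~$*", "*.tmp", "*.lck"]  # normal program behaviour
MASS_DELETE_PER_SECOND = 10           # burst threshold, chosen for the demo


def requests_delete(rec: dict) -> bool:
    """True if the requested rights include DELETE.  Event 560 lists rights by
    name ("DELETE SYNCHRONIZE"); the 4663 records here carry a numeric mask."""
    if "Accesses" in rec:
        return "DELETE" in rec["Accesses"].split()
    return bool(int(rec.get("AccessMask", "0"), 16) & DELETE)


def is_monitored(path: str) -> bool:
    return any(path.lower().startswith(p.lower()) for p in MONITORED)


def looks_benign(path: str) -> bool:
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in BENIGN_PATTERNS)


def filter_deletions(records: list) -> list:
    """Keep Success Audit object-access events that delete a monitored object,
    annotating each with whether it matches a known benign pattern."""
    out = []
    for r in records:
        if r["EventID"] not in OBJECT_ACCESS_EVENTS or r["Type"] != "Success Audit":
            continue
        if not requests_delete(r) or not is_monitored(r["ObjectName"]):
            continue
        out.append({**r, "benign": looks_benign(r["ObjectName"])})
    return out


def mass_deleters(deletions: list) -> dict:
    """Return {user: peak non-benign deletions per second} above the threshold."""
    per_second = defaultdict(int)
    for d in deletions:
        if not d["benign"]:
            t = datetime.strptime(d["Time"], "%Y-%m-%d %H:%M:%S")
            per_second[(d["User"], t)] += 1
    peaks = defaultdict(int)
    for (user, _), n in per_second.items():
        peaks[user] = max(peaks[user], n)
    return {u: n for u, n in peaks.items() if n >= MASS_DELETE_PER_SECOND}


# Constructed sample log: an Office save (temp-file delete), a lock file
# removed on exit, a single deliberate delete, a read-only access that must
# not be reported, and a burst of twelve deletions by one user.
SAMPLE_LOG = [
    {"EventID": 4663, "Type": "Success Audit", "Time": "2024-03-01 09:15:02",
     "User": "smirnova", "ObjectName": "\\\\fs01\\Shared\\Projects\\~$plan.docx",
     "ProcessName": "WINWORD.EXE", "AccessMask": "0x10000"},
    {"EventID": 4663, "Type": "Success Audit", "Time": "2024-03-01 09:20:40",
     "User": "kuznetsov", "ObjectName": "\\\\fs01\\Shared\\Projects\\db\\base.lck",
     "ProcessName": "dbapp.exe", "AccessMask": "0x110000"},
    {"EventID": 560, "Type": "Success Audit", "Time": "2024-03-01 10:01:13",
     "User": "orlov", "ObjectName": "\\\\fs01\\Shared\\Projects\\Q1_report.xlsx",
     "ProcessName": "explorer.exe", "Accesses": "DELETE SYNCHRONIZE"},
    {"EventID": 4663, "Type": "Success Audit", "Time": "2024-03-01 10:05:00",
     "User": "orlov", "ObjectName": "\\\\fs01\\Shared\\Projects\\notes.txt",
     "ProcessName": "notepad.exe", "AccessMask": "0x120089"},  # read, no DELETE
] + [
    {"EventID": 4663, "Type": "Success Audit", "Time": "2024-03-01 17:58:31",
     "User": "orlov", "ObjectName": f"\\\\fs01\\Shared\\Projects\\drawing{i}.dwg",
     "ProcessName": "explorer.exe", "AccessMask": "0x10000"}
    for i in range(12)
]

if __name__ == "__main__":
    found = filter_deletions(SAMPLE_LOG)
    for d in found:
        tag = "benign?" if d["benign"] else "REVIEW "
        print(f"{d['Time']} {d['User']:<10} {d['ProcessName']:<13} {tag} {d['ObjectName']}")
    print("mass deletion suspects:", mass_deleters(found))
```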

Studies by companies that analyze information security confirm the need to implement user action auditing systems in organizations of any size.

A study by Kaspersky Lab, for example, showed that two-thirds of IS incidents (67%) are caused, among other things, by the actions of poorly informed or inattentive employees. At the same time, according to ESET research, 84% of companies underestimate the risks caused by the human factor.

Protection against threats associated with the user "from the inside" requires more effort than protection against external threats. To counter "malware" from the outside, including viruses and targeted attacks on the organization's network, it is enough to introduce an appropriate software or software-and-hardware system. Keeping an organization safe from an internal attacker requires more investment in security infrastructure and deeper analysis. The analytical work includes identifying the types of threats that are most critical for the business and compiling "portraits of violators", that is, determining how much damage a user can cause based on their competencies and powers.

The audit of user actions is inextricably linked not only with the understanding of what kind of “gaps” in the information security system must be quickly closed, but also with the issue of business sustainability as a whole. Companies configured for continuous operation should take into account that with the complication and increase in the processes of informatization and business automation, the number of internal threats is only growing.

In addition to tracking the actions of an ordinary employee, it is necessary to audit the operations of "superusers" - employees with privileged rights and, accordingly, more opportunities to accidentally or intentionally implement the threat of information leakage. These users include system administrators, database administrators, and internal software developers. Here you can also add involved IT specialists and employees responsible for information security.

The introduction of a system for monitoring user actions in a company allows you to record and quickly respond to the activity of employees. Important: the audit system must have the property of inclusiveness. This means that information about the activities of an ordinary employee, system administrator or top manager needs to be analyzed at the level of the operating system, the use of business applications, at the level of network devices, database accesses, external media connections, and so on.

Modern integrated audit systems allow you to control all stages of user actions from startup to shutdown of the PC (terminal workstation). True, in practice they try to avoid total control. If all operations are recorded in the audit logs, the load on the organization's information system infrastructure increases many times over: workstations hang, servers and channels work under full load. Paranoia about information security can harm a business by significantly slowing down workflows.

A competent information security specialist first of all determines:

  • what data in the company is the most valuable, since most internal threats will be associated with it;
  • who and at what level can have access to valuable data, that is, outlines the circle of potential violators;
  • the extent to which the current protection measures are able to withstand the intentional and/or accidental actions of users.

For example, information security specialists from the financial sector consider the threat of leakage of payment data and abuse of access to be the most dangerous. In the industrial and transport sectors, know-how leaks and disloyal employee behavior are the most feared. Similar concerns are in the IT sector and the telecommunications business, where the most critical threats are the leakage of proprietary developments, trade secrets and payment information.

ANALYSTS ASSOCIATE THE MOST LIKELY "TYPICAL" VIOLATORS WITH THE FOLLOWING GROUPS:

  • Top management: the choice is obvious - the widest possible powers, access to the most valuable information. At the same time, those responsible for security often turn a blind eye to violations of information security rules by such figures.
  • Disloyal employees: to determine the degree of loyalty, the company's information security specialists should analyze the actions of the individual employee.
  • Administrators: privileged and empowered professionals with deep knowledge of the IT field are tempted to gain unauthorized access to sensitive information.
  • Contractor/outsourcing employees: like administrators, "outside" experts with wide knowledge can implement various threats while being "inside" the customer's information system.

Determining the most significant information and the most likely intruders helps to build a system of not total, but selective control of users. This "unloads" the information system and saves information security specialists from redundant work.

In addition to selective monitoring, the architecture of audit systems plays a significant role in speeding up the system, improving the quality of analysis and reducing the load on the infrastructure. Modern systems for auditing user actions have a distributed structure. Sensor agents are installed on end workstations and servers, which analyze events of a certain type and transmit data to consolidation and storage centers. Systems for analyzing recorded information, according to the parameters laid down in the system, find in the audit logs facts of suspicious or anomalous activity that cannot be immediately attributed to an attempt to implement a threat. These facts are passed to the response system, which notifies the security administrator of the violation.

If the audit system is able to cope with the violation on its own (usually, such IS systems provide a signature method for responding to a threat), then the violation is stopped automatically, and all the necessary information about the intruder, his actions and the threat object falls into a special database. In this case, the Security Administrator Console notifies you that the threat has been neutralized.

If the system does not contain methods for automatically responding to suspicious activity, then all information to neutralize the threat or to analyze its consequences is transferred to the IS administrator console for manual operations.

IN ANY ORGANIZATION'S MONITORING SYSTEM, THE FOLLOWING OPERATIONS SHOULD BE CONFIGURED:

Auditing the use of workstations, servers, as well as the time (by hours and days of the week) of user activity on them. In this way, the expediency of using information resources is established.

Viktor Chutov
Project Manager INFORMSVYAZ HOLDING

Prerequisites for the implementation of the system

The first open global study of internal information security threats, conducted in 2007 by InfoWatch (based on the results of 2006), showed that internal threats are no less common (56.5%) than external ones (malware, spam, hackers, etc.). At the same time, in the overwhelming majority of cases (77%), the cause of an internal threat being realized is the negligence of the users themselves (failure to comply with job instructions or neglect of elementary means of protecting information).

The dynamics of the situation over the period 2006-2008 are reflected in Fig. 1.

The relative decrease in the share of leaks due to negligence is due to the partial implementation of information leak prevention systems (including a system for monitoring user actions), which provide a fairly high degree of protection against accidental leaks. In addition, it is due to the absolute increase in the number of deliberate thefts of personal data.

Despite the change in statistics, it is still safe to say that the priority is to combat unintentional information leaks, since it is easier, cheaper to counteract such leaks, and as a result, most of the incidents are covered.

At the same time, the negligence of employees, according to the analysis of the results of research by Infowatch and Perimetrix for 2004-2008, ranks second among the most dangerous threats (summary research results are presented in Fig. 2), and its relevance continues to grow along with the improvement of software and hardware automated systems (AS) of enterprises.

Thus, the introduction of systems that eliminate the possibility of an employee's negative impact on information security in the enterprise's AS (including monitoring programs) and provide the IS staff with an evidence base and materials for investigating incidents will eliminate the threat of leaks due to negligence, significantly reduce accidental leaks, and somewhat reduce intentional ones. Ultimately, this measure should significantly reduce the realization of insider threats.

Modern AS for auditing user actions. Advantages and disadvantages

Automated systems for auditing (monitoring) user actions in an AS (ASADP AS), often referred to as monitoring software products, are designed for use by AS security administrators (the organization's information security service) to ensure its observability: "the property of a computer system that allows user activity to be recorded, and the identifiers of the users involved in certain events to be uniquely established, in order to prevent violations of security policy and/or ensure accountability for certain actions".

The AS observability property, depending on the quality of its implementation, makes it possible, to some extent, to control the observance by the employees of the organization of its security policy and the established rules for safe work on computers.

The use of monitoring software products, including in real time, is designed to:

  • determine (localize) all cases of attempts of unauthorized access to confidential information with the exact indication of the time and network workplace from which such an attempt was made;
  • detect facts of unauthorized software installation;
  • determine all cases of unauthorized use of additional hardware (for example, modems, printers, etc.) by analyzing the facts of launching unauthorized specialized applications;
  • determine all cases of typing critical words and phrases on the keyboard, preparing critical documents, the transfer of which to third parties will lead to material damage;
  • control access to servers and personal computers;
  • control contacts when surfing the Internet;
  • conduct research related to determining the accuracy, efficiency and adequacy of personnel response to external influences;
  • determine the workload of the computer workplaces of the organization (by time of day, by day of the week, etc.) for the purpose of scientific organization of the work of users;
  • control the use of personal computers during non-working hours and identify the purpose of such use;
  • receive the necessary reliable information, on the basis of which decisions are made to adjust and improve the organization's information security policy, etc.

The implementation of these functions is achieved by introducing agent modules (sensors) on workstations and AS servers with further status polling or receiving reports from them. Reports are processed in the Security Administrator Console. Some systems are equipped with intermediate servers (consolidation points) that process their own areas and security groups.

A system analysis of the solutions presented on the market (StatWin, Tivoli Configuration Manager, Tivoli Remote Control, OpenView Operations, "Uryadnik/Enterprise Guard", Insider) identified a number of specific properties that, if added to a prospective ASADP, would improve its performance compared to the samples studied.

In general, despite fairly wide functionality and a large set of options, existing systems can track the activities of only individual AS users, on the basis of a mandatory cyclic poll (scan) of all specified AS elements (first of all, user workstations).

At the same time, the distribution and scale of modern automated systems, which include a fairly large number of workstations, technologies and software, greatly complicates the process of monitoring user work, and each of the network devices is capable of generating thousands of audit messages, reaching quite large amounts of information that require maintaining huge, often duplicating databases. These tools, among other things, consume significant network and hardware resources, load a common AS. They turn out to be inflexible to the reconfiguration of hardware and software of computer networks, are not able to adapt to unknown types of violations and network attacks, and the effectiveness of their detection of security policy violations will largely depend on the frequency of scanning the AS elements by the security administrator.

One of the ways to increase the efficiency of these systems is to directly increase the frequency of scanning. This will inevitably lead to a decrease in the efficiency of performing those main tasks for which, in fact, this AS is intended, due to a significant increase in the computational load both on the administrator's workstation and on the computers of user workstations, as well as with the growth of traffic in the local network of the AS.

In addition to the problems associated with the analysis of a large amount of data, existing monitoring systems have serious limitations on the efficiency and accuracy of decisions made, caused by the human factor, which is determined by the physical capabilities of the administrator as a human operator.

The presence in the existing monitoring systems of the possibility of real-time notification of obvious unauthorized actions of users does not fundamentally solve the problem as a whole, since it allows tracking only previously known types of violations (signature method), and is not able to provide counteraction to new types of violations.

The development and use of extensive methods of information security in information security systems, which provide for an increase in the level of its protection due to the additional "selection" of the computing resource from the AS, reduces the capabilities of the AS to solve the tasks for which it is intended, and / or increases its cost. The failure of such an approach in the rapidly developing IT-technologies market is quite obvious.

Automated system of audit (monitoring) of user actions. Promising Properties

From the results of the analysis given earlier, there is an obvious need to impart the following properties to promising monitoring systems:

  • automation, excluding routine "manual" operations;
  • combinations of centralization (based on the automated workplace of the security administrator) with control at the level of individual elements (intelligent computer programs) of the system for monitoring the work of AS users;
  • scalability, which allows increasing the capacity of monitoring systems and expanding their capabilities without a significant increase in the computing resources necessary for their effective functioning;
  • adaptability to changes in the composition and characteristics of the AS, as well as to the emergence of new types of security policy violations.

The generalized structure of an ASADP AS with the noted distinctive features, which can be implemented in AS of various purposes and configurations, is shown in Fig. 3.

The above structure includes the following main components:

  • software components-sensors placed on some AS elements (on user workstations, servers, network equipment, information security tools), which are used to record and process audit data in real time;
  • log files containing intermediate information about user activity;
  • data processing and decision-making components that receive information from sensors through log files, analyze it and make decisions on further actions (for example, on entering some information into the database, notifying officials, creating reports, etc.);
  • an audit database (DB) containing information about all registered events, on the basis of which reports are created and the state of the AS is monitored for any given period of time;
  • components for generating reports and certificates based on information recorded in the audit database and filtering records (by date, by user identifiers, by workstation, by security events, etc.);
  • a security administrator interface component, used to manage the work of the ASADP from the administrator's workstation, view and print information, create various types of database queries and generate reports, which allows real-time monitoring of the current activities of AS users and assessment of the current level of security of various resources;
  • additional components, in particular, software components for configuring the system, installing and placing sensors, archiving and encrypting information, etc.

Information processing in ASADP AS includes the following stages:

  • fixation by sensors of registration information;
  • collection of information from individual sensors;
  • exchange of information between the corresponding agents of the system;
  • processing, analysis and correlation of registered events;
  • presentation of the processed information to the security administrator in a normalized form (in the form of reports, diagrams, etc.).

In order to minimize the required computing resources, increase the secrecy and reliability of the system, information can be stored on various elements of the AS.

Given the task of giving an ASADP AS fundamentally new properties (compared to existing systems for auditing the work of AS users): automation, a combination of centralization and decentralization, scalability and adaptability, one possible construction strategy is the modern technology of intelligent multi-agent systems. It is implemented by developing an integrated community of agents of various types (intelligent autonomous programs that perform particular functions of detecting and counteracting user actions that contradict the security policy) and organizing their interaction.