See the unseen. CryptoAuditor SSH.COM. Control and audit encrypted 3rd party sessions. What is CryptoAuditor?

Transcription

1 SSH.COM CryptoAuditor What is CryptoAuditor? SSH.COM CryptoAuditor is a centrally managed virtual appliance for monitoring, controlling and auditing encrypted privileged access and data transfers. Control and audit encrypted 3rd party sessions. See the unseen.

2 2 SSH.COM Cloud and on-premise access for internals and vendors 57% 57% of organizations have more than 100 3rd party vendors with access to their systems. Do you know how many Nth parties can access your data?

3 SSH.COM 3 Solve the problem of 3rd party access. CUT THE COST AND RISK OF VENDOR ACCESS No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of internal and 3rd party privileged access to your digital core. Pay-as-you-use, either direct with SSH.COM or via AWS Marketplace for EC2 deployments > SIMPLIFY, TRANSPARENT AND NON-INVASIVE CryptoAuditor is your trusted audit point. Scalable deployment as virtual appliances at key locations in your enironment. No changes to network architecture, no new agents, no user training and no-disruption for end users. INTEGRATE WITH YOUR SIEM, DLP, UEBA, IPS/IDS... CryptoAuditor integrates with your event, analytics and perimiter security - and your existing multifactor authentication solution. You get an audit trail of encrypted traffic that runs through SSH, SFTP, RDP and HTTPS, with indexed logging and session video playback.

4 4 SSH.COM Your virtual audit point for 3rd party access. SSH.COM CryptoAuditor is a centrally managed virtual appliance for monitoring, controlling and auditing encrypted privileged access and data transfers. It s designed for deployment in front of server farms, databases and network entry points to solve the problem of poorly monitored privileged access, particularly remote vendor access. It terminates and re-opens privileged user sessions, and inspects and records sessions in real time before re-encrypting and pushing the session forward. Sessions are indexed and stored in an encrypted database for reporting, replay and forensic investigation. It s easy to run from the centralized console, and easy to deploy, with no hardware, no agents, no new clients, no user training, and no changes to workflows. It can be deployed in fully transparent mode with no changes to end-user access and login procedures. SSH.COM CrypoAuditor is cloud-ready, integrates with all major DLP, AV, IDS and SIEM systems, and is used by four of the world s five largest banks.

5 SSH.COM 5 Hardened sessions for the trusted vendors of Fortune 500 companies. Monitor insider and 3rd party access to your digital core Control remote access by vendors, consultants, home workers, and M2M and IoT connections Define privileged access and activities based on user identity Collect forensic evidence for investigations with every keystroke and every pixel Protect critical data and minimize credentials abuse by enabling two-factor authentication Address individual accountability even for shared accounts with AD/LDAP infrastructure View encrypted SSH, SFTP and Remote Desktop traffic at your boundary Prevent data theft with Data Loss Prevention (DLP) and analytics Record, store and index session audit trails for searches, replay and reporting, with support for 4-eyes review Integrate with existing firewalls, detect attacks earlier and resolve issues in real time

6 6 SSH.COM Hardened sessions Compliant session monitoring and auditing, contextual session control, support for four-eyes authorization and session video playback. Cloud and on-premise Rapid, scalable deployment. No changes to network architecture, no new agents, no disruption and no user training. Cost-effective No hardware, no CAPEX. Cut OPEX with process-driven, unified, centralized management of 3rd party and privileged access.

7 SSH.COM 7 Remote control. Rewind. Relax. SSH.COM CryptoAuditor is an intelligent proxy designed for deployment in front of server farms, databases and network entry points. Multiple deployment modes: Bastion (nontransparent), Router (Layer 3) and Bridge (Layer 2 with VLAN support). Distributed architecture with multiple Hound audit-points and shared vault storage. High-availability Hound clustering with configurable failure tolerance. Straightforward auditing of privileged activity, including session replay and video sessions. Monitor and record SSH, SFTP, RDP, SSL. Block SSH tunneling to mitigate the threat from user-created backdoors. Searchable database for quick and easy access to recorded session information. Real-time 4-eyes authorization for critical access scenarios. Identity-based policy control with integration to directory services to control privileged access and activities. Manage users and credentials via HTTP REST-based API. Certified compatibility with McAfee, RSA, IBM and VCE vblock. Integrations with SIEM, IDS, DLP, network AV etc. FIPS certified cryptography (certificate #1747). Directional control of SFTP. Allowing to upload but not download or reverse.

8 8 SSH.COM Compliance and forensics for regulated industries Does your board need evidence that 3rd party risk is being assessed, managed, and monitored? Are you mandated by GDPR, PCI-DSS, ISO 27001, or by health or communications authorities to secure your supply chain?

9 SSH.COM 9 Visibility to encrypted sessions missed by siems Can your SIEM, DLP or UEBA process encrypted session data? Does your IPS/IDS inspect encrypted traffic? Would you like to empower them to do their job?

10 10 SSH.COM FEATURES AND BENEFITS Multiple deployment modes: Bridge, Router, Bastion High-availability clustering for Hounds, and con gu- rable failure-tolerance policy Transparent network appliance Session replay, including video sessions Searchable database Encrypted storage with audit zones Monitors and records SSH, SFTP, RDP Customizable auditing policies Real-time 4-eyes authorization. HTTP REST API for requesting connection authorization from third-party solutions. Identity-based policy control with integration to directory services Distributed architecture with multiple freelydistribut- able Hound audit-points, and shared Vault storage. Integrates with SIEM, IDS, DLP, Network AV Public and Private Cloud Instance Amazon Machine Image (AMI) available in AWS Marketplace OpenStack (on KVM hypervisor) Fits into diverse network topologies including VLAN-based audit and policy control. Minimal downtime in event of a single Hound node failure. If a single Hound node fails, the system can recover and continue relaying new connections. No need to retrain users to have them use another SSH client or portal, or provide them with new SSH keys. Straightforward audit of privileged activity. Quick and easy access to recorded session information. Audited activity is secured from unauthorized access. Separate audit zones enable access on a need to know basis. Audit high value, privileged access. Comply with security mandates. Focus on high value targets, activities. Extra security layer for accessing critical servers. Control which users can access which servers and what activities they can perform. Adapts easily to changes in network topologies and business processes, enabling fast deployment and low Total Cost of Ownership. Certi ed compatibility with major vendors such as McAfee, RSA, IBM and VCE vblock. Virtual Appliance Supported platforms: VMware ESXi and MS Hyper-V For evaluation purposes Oracle VirtualBox and VMware Workstation (no production use support) PERFORMANCE 930 Mbit/s (unaudited passthrough) Throughput 400 Mbit/s (single encrypted SFTP connection) Simultaneous connections: 3000 SSH or 300 RDP or 300 SSL/TLS Connections New connections per second: 3 SSH or 3 RDP or 10 SSL/TLS * Setup used in the performance test: HP DL320e Gen8 server running VMware ESXi 5.5, CryptoAuditor VM (4 CPUs, 12 GB RAM) THIRD-PARTY APPLICATION SUPPORT SIEM & Syslog IDS DLP and Network AV IBMSecurityQRadarSIEM McAfeeEnterpriseSecurityManager SplunkEnterprise RSASecurityAnalytics HPArcSightLogger Rsyslog Syslog-ng RSASecurityAnalytics RSADataLossPreventionSuite SymantecCloudProtectionEngine McAfeeWebGateway F-SecureInternetGateKeeper * DLP and network AV integration support through the standard ICAP protocol ssh, PrivX, Tectia, Universal SSH Key Manager and CryptoAuditor are registered trademarks or trademarks of SSH Communications Security Corporation and are protected by the relevant jurisdiction-specific and international copyright laws and treaties. Other names and marks are the property of their respective owners. Copyright 2018 SSH Communications Security Corporation. All rights reserved.

11 SSH.COM 11 DEPLOYMENT AND SYSTEM ADMINISTRATION High Availability Operation VLAN Management Administration HTTP REST-based API Active-Passive redundancy (Hound) * VMware (and hardware appliance) in production use Transparent bridge and router modes Non-transparent bastion mode SOCKS proxy functionality for HTTP/HTTPS auditing Supported in bridge mode Web-based admin UI (current version of Mozilla Firefox for optimal experience) Dedicated management interface CLI On device management accounts AD/LDAP-based management accounts Customizable role-based administration and audit rights Managing users and credentials AUDITING, END-USER AUTHENTICATION & AUTHORIZATION Inspected Protocols SSH(v2),SCP,SFTP,RDP SupportedprotocolscanbeauditedalsorecursivelyinSSHtunnels Audit Levels Optionsbetween Metadataonly,and Fullchannels Monitoring and Policy Control End-User Authentication & Authorization Shared account management Other Rulesbyprotocol,address,port,VLAN,orusergroup Easy-to-useruleveri cationtool Flexibleusercredentialmanagement(throughHTTPREST-basedAPI) OndevicepasswordorSSHpublickey Passthroughpasswordorkeyboard-interactive AD/LDAP-compliantdirectories RADIUS RSASecurID/OTP X.509certi cate(sshonly),withpiv/cacsmartcardsupport HTTPRESTAPIforuserauthorization 4-eyesauthorization.Alertsvia ;connectionaccept/rejectintheweb-based admin UI SecurepasswordandSSH-keysafe OCR-basedcontentrecognitionforRDP(LatinandCyrillic) Indexing-enabledfreetextcontentsearching SECURITY Encryption Data Integrity Compliancy System Security KeyExchange:Di e-hellman,rsa HostKey:RSA,DSA Connection:AES-CTR/CBC(128-,192-,256-bit),3DES-CBC,Blow sh,rc4 HMACSHA-1(160-bit,96-bit) HMACMD5(128-bit,96-bit) FIPS140-2compliantoperationthroughcerti edopenssllibrary AllcommunicationbetweenHoundandVaultsecuredbyTLS AllinformationstoredintheVaultis encryptedwith128-bitaes Nouserpasswordscapturedandstored The information in this document is provided as is without any warranty, express or implied, including without any warranties of merchantability, fitness for a particular purpose and any warranty or condition of non-infringement. SSH Communications Security products are warranted according to the terms and conditions of the agreements under which they are provided. SSH Communications Security may make changes to specifications and product descriptions at any time, without notice.

12 SSH Communications Security, Inc. Max-Planck-Str Aschheim info.de@ssh.com