Working group: SharePoint Firewall
Martin Dombrowski, Security Engineer Central & Eastern Europe
Agenda
Awareness
Imperva: what do they do?
SharePoint Firewall
- CONFIDENTIAL -
Stolen credit card market
Forums....
Invites & paid
trust-service
Escrow service
paid registration
Threat landscape
A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.
...how easy it can be
Havij
Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” in which he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.
Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.
In Recent Events …
• Saudi Aramco: malicious insider, 30,000 computers hacked, full service disruption.
• Global Payments: compromised insider, 1.5M payment cards compromised.
The 1 Percent To Be Really Concerned About
“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”
Source: http://edocumentsciences.com/defend-against-compromised-insiders
Where Do They Attack?
Multimillion dollar datacenter: well protected
Desktop and the user: not well protected
Both access the same data
Rebalancing security…
Imperva Overview
Our mission.
Protect the data that drives business
Our market segment.
Enterprise Data Security
Our global business.
• Founded in 2002
• Global operations; HQ in Redwood Shores, CA
• 375+ employees
• Customers in 50+ countries
Our customers.
1,700+ direct; Thousands cloud-based
• 4 of the top 5 global financial data service firms
• 4 of the top 5 global telecommunications firms
• 4 of the top 5 global computer hardware companies
• 3 of the top 5 US commercial banks
• 150+ government agencies and departments
Imperva Data Security in 60 seconds
Usage: Audit, Access Control, Rights Management
Attack: Attack Protection, Reputation Controls, Virtual Patching
Who considers SharePoint secure?
How does SharePoint get into the company?
Ask yourself the question!
How does SharePoint get into the company?
Who is the driver?
IT security?!?
SharePoint security and control challenges
• Permissions
+ Managing rights day-to-day
+ Reviewing user rights
+ Identifying data owners
• Activity trail
+ Demonstrating compliance with regulations
+ Conducting forensic investigations
• Threats to data
+ Preventing unauthorized access to data
+ Defending against Web-based attacks
• Data management
+ Dealing with unstructured data volume & growth
+ Identifying stale and orphan data
SecureSphere for SharePoint
• User rights management
+ Aggregate and visualize rights
+ Identify excessive and dormant rights
+ Streamline rights reviews
+ Identify data owners
• Activity monitoring
+ Monitor file & list access in real-time
+ Find unused data
• Policy based threat protection
+ Defend against file, Web and database threats
+ Alert and block in real-time
Complementary to native SharePoint capabilities
• Unique SecureSphere security and control for SharePoint
+ Security:
– Web application protection
– Database protection
– File access control policies
+ Permissions management:
– Centralized visibility
– Permissions review support
+ Activity monitoring:
– Centralized visibility
+ Data owner identification
+ Security analytics and reporting
Addresses all major SharePoint deployment types
• Internal Portal (company intranet)
+ Uses include SharePoint as file repository
+ Only accessible by internal users
• External Portal
+ Uses include SharePoint as file repository
+ Accessible from the internet – for customers, partners or the public
• Internet Website (public website)
+ SharePoint as the website infrastructure
+ Not used as file repository
Layers of SharePoint Protection
• Web Application Firewall, between The Internet and the IIS Web Servers: XSS, SQL Injection
• Activity Monitoring & User Rights Management, between Enterprise Users and the Application Servers: Excessive Rights, Unauthorized Access, Audit
• DB Activity Monitoring & Access Control, in front of the MS SQL Databases: Excessive Administrators, Unauthorized Changes, Audit
Deployment
Use Case: User Rights Management
User Rights Management
• Aggregate user rights across sites
• Identify data owners
• Detect excessive rights, reduce access to business-need-to-know
• Formalize and automate rights review cycle
Data Owner Identification
Data ownership
• Top users are either owners or can identify them
• Go-to people key for business-based decision making
• Save data owner information for decision making
Finding Excessive Permissions
Why does G&A have access?
What departments have access?
Who are the users?
Focus on access to HIPAA-regulated data
Who are the users? What type of access do they have?
How did they get the access?
Automatic Identification of Excessive Rights
Should “Everyone” have access to sensitive data?
• “Everyone” group literally means all users
What rights are not used?
• Users with access they appear not to need
Are there any direct user permissions?
• What will happen when that user changes position?
Identifying Dormant Users
Are there dormant users?
Focus on users that have been dormant for over 6 months
Who are they and when did they last access?
Reviewing User Rights with Data Owners
Create permission reports for data owners
Allow data owners to manage their permissions
Log decisions for future audit
Create a baseline: review only changed permissions
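The rights checks from the two preceding slides (the “Everyone” group on sensitive data, direct user permissions, granted-but-unused rights, and users dormant for over 6 months) as a worked Python example. This is an added illustration, not Imperva’s or SecureSphere’s code; the permission export layout, the group membership table, the last-access audit timestamps and the 180-day dormancy cutoff are all constructed assumptions.

```python
"""Added example (not Imperva's code): flag excessive and dormant SharePoint rights.

Inputs are constructed: a simplified permission export (site, principal, kind),
a group membership table, and an audit of last-access timestamps per user and
site. Real exports differ; the field layout here is an assumption.
"""
from datetime import datetime, timedelta

# Constructed permission entries: (site, principal, kind).
# kind is "group" or "user"; a "user" entry is a direct permission grant.
PERMISSIONS = [
    ("/sites/finance", "Everyone", "group"),
    ("/sites/finance", "Finance Team", "group"),
    ("/sites/finance", "jdoe", "user"),
    ("/sites/hr", "HR Team", "group"),
    ("/sites/hr", "G&A", "group"),
    ("/sites/marketing", "Everyone", "group"),
]

# Constructed classification of sites holding regulated or sensitive data.
SENSITIVE_SITES = {"/sites/finance", "/sites/hr"}

# Constructed group membership. "Everyone" is special: it means all users.
GROUPS = {
    "Finance Team": {"alice", "bob"},
    "HR Team": {"carol"},
    "G&A": {"dave", "erin"},
    "Everyone": set(),
}

# Constructed audit trail: most recent access per (user, site); None = never seen.
LAST_ACCESS = {
    ("alice", "/sites/finance"): datetime(2012, 9, 1),
    ("bob", "/sites/finance"): datetime(2012, 1, 15),
    ("jdoe", "/sites/finance"): None,
    ("carol", "/sites/hr"): datetime(2012, 8, 20),
    ("dave", "/sites/hr"): None,
    ("erin", "/sites/hr"): datetime(2011, 12, 1),
}

NOW = datetime(2012, 10, 1)           # assumed review date
DORMANT_AFTER = timedelta(days=180)   # "dormant for over 6 months"


def everyone_on_sensitive(perms=PERMISSIONS, sensitive=SENSITIVE_SITES):
    """Sites where the 'Everyone' group (i.e. all users) can reach sensitive data."""
    return sorted({site for site, principal, _kind in perms
                   if principal == "Everyone" and site in sensitive})


def direct_user_permissions(perms=PERMISSIONS):
    """Direct grants to individual users; these silently outlive a role change."""
    return sorted((site, principal) for site, principal, kind in perms if kind == "user")


def effective_users(site, perms=PERMISSIONS, groups=GROUPS):
    """Users reaching a site through a group or a direct grant, ignoring Everyone."""
    users = set()
    for s, principal, kind in perms:
        if s != site or principal == "Everyone":
            continue
        users |= {principal} if kind == "user" else groups.get(principal, set())
    return users


def unused_rights(perms=PERMISSIONS, groups=GROUPS, last_access=LAST_ACCESS):
    """(user, site) pairs that hold access the audit trail has never seen used."""
    found = set()
    for site in {s for s, _, _ in perms}:
        for user in effective_users(site, perms, groups):
            if last_access.get((user, site)) is None:
                found.add((user, site))
    return sorted(found)


def dormant_users(last_access=LAST_ACCESS, now=NOW, threshold=DORMANT_AFTER):
    """Users whose most recent access on any site is older than the threshold."""
    latest = {}
    for (user, _site), when in last_access.items():
        if when is not None and (user not in latest or when > latest[user]):
            latest[user] = when
    return sorted(user for user, when in latest.items() if now - when > threshold)


if __name__ == "__main__":
    print("Everyone on sensitive sites:", everyone_on_sensitive())
    print("Direct user permissions:", direct_user_permissions())
    print("Granted but unused:", unused_rights())
    print("Dormant users (>6 months):", dormant_users())
```

Users who were never seen at all (jdoe, dave) show up under unused rights rather than under dormant users, which keeps the two review questions on the slides separate: “what rights are not used?” versus “who stopped using their rights?”.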
Use Case: Activity Monitoring & Alerting
Activity Monitoring & Alerting
• Full audit trail
+ Audit all access activity
+ No performance impact
• Analytics and reporting
+ Automatic reports to data owners
+ Forensics for incidents
+ Compliance reporting
• Access control
+ Add an additional layer to native access controls
+ Alert/Block access that violates corporate policies
Full Audit Trail
Who, What, When, Where
Broad visibility: all folders, lists and files
Minimal impact
• Doesn’t degrade performance
Detailed Analytics for Forensics
Focus on access to financial data
What are the primary departments accessing this data?
Why are G&A accessing financial data?
Who accessed this data? When & what did they access?
Who owns this data?
SecureSphere’s Customizable Reporting
Fully customizable
• Content, format, schedule, etc.
Flexible
• Graphs for executives
• Details for operational staff
Real-time Enforcement: Possible Data Leakage
Out-of-the-box policy as part of ADC Insights
Is someone accessing large amounts of data?
Alert when a user reads 100 files within the same hour
Real-time Enforcement: Possible Data Leakage
See triggered alerts
Drill down for details on “who, what, when, where”
Following an alert:
• Send emails automatically
• Create security events in SIEM tools
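The “alert when a user reads 100 files within the same hour” policy as an added Python example; it is not SecureSphere’s own implementation. It generalizes the rule slightly: the count runs over a sliding 60-minute window of distinct files, so it neither resets at the top of the clock hour nor counts one file read 100 times. The access-log line format, the field names and the sample log are constructed assumptions, and lines are assumed to arrive in time order.

```python
"""Added example (not Imperva's code): detect one user reading many files in an hour.

Parses constructed SharePoint-style access-log lines and emits an alert the
first time a user has read at least THRESHOLD distinct files inside any
sliding WINDOW. The log format is an assumption: '<ISO time> <user> <action> <path>'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100             # "100 files"
WINDOW = timedelta(hours=1)  # "within the same hour", as a sliding window


def parse_line(line):
    """'2012-10-01T09:00:00 alice READ /sites/finance/q3.xlsx' -> (time, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bulk_reads(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per user, raised when they first cross the threshold."""
    windows = defaultdict(deque)  # user -> deque of (time, path) still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, user, action, path = parse_line(line)
        if action != "READ":       # only reads count towards the leakage policy
            continue
        q = windows[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:   # drop reads older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "when": ts, "files": len(distinct),
                           "window_start": q[0][0]})
    return alerts


def sample_log():
    """Constructed log: one obvious bulk reader, one cross-hour reader, three decoys."""
    base = datetime(2012, 10, 1, 9, 0, 0)
    lines = []
    # alice: 120 distinct files in 30 minutes -> alert
    for i in range(120):
        t = base + timedelta(seconds=15 * i)
        lines.append(f"{t.isoformat()} alice READ /sites/finance/doc{i}.docx")
    # bob: 60 distinct files spread over 3 hours (about 21 per hour) -> no alert
    for i in range(60):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} bob READ /sites/hr/file{i}.pdf")
    # carol: the same file 150 times in 10 minutes -> no alert (not distinct files)
    for i in range(150):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} carol READ /sites/marketing/logo.png")
    # dave: 120 writes -> no alert (only reads count)
    for i in range(120):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} dave WRITE /sites/eng/spec{i}.docx")
    # frank: 60 files at 09:40-09:50 and 60 more at 10:05-10:15 -> alert.
    # A counter that resets on the clock hour would see 60 + 60 and miss this.
    for i in range(60):
        t = base + timedelta(minutes=40, seconds=10 * i)
        lines.append(f"{t.isoformat()} frank READ /sites/eng/plan{i}.docx")
    for i in range(60, 120):
        t = base + timedelta(minutes=65, seconds=10 * (i - 60))
        lines.append(f"{t.isoformat()} frank READ /sites/eng/plan{i}.docx")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for alert in detect_bulk_reads(sample_log()):
        print(f"ALERT {alert['user']}: {alert['files']} distinct files read between "
              f"{alert['window_start']:%H:%M:%S} and {alert['when']:%H:%M:%S}")
```

The alert record carries the who, what (file count), when and window start that the drill-down on the slide asks for; forwarding it by e-mail or to a SIEM is the step the slide lists under “Following an alert” and is left out here.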
Use Case: Policy Based Threat Protection
Policy based threat protection
• Web Application Firewall
+ Attack protection
+ Reputation controls
• Database protection
+ Fully audit SQL Server local activities
+ Block unapproved database changes
• ADC Insights for SharePoint
+ Out-of-the-box security and compliance
+ Always up-to-date
Attack Protection
WAF policies customized for SharePoint-based sites
Are external users accessing admin pages?
Repeated failed login attempts?
OOTB Security Policies
Database Protection
• SecureSphere can block all unapproved database changes
Microsoft Support: “Database modifications may result in an unsupported database state” http://support.microsoft.com/kb/841057
• SecureSphere audits all administrative database activity
Gartner (Securing SharePoint, February 2009): “Fully audit all SQL Server administrative activities” (Security Considerations and Best Practices for Securing SharePoint)
Questions?
Supplemental Slides
SecureSphere value-add over native SharePoint (details)
Capability: Web application firewall (WAF) & ADC Insights for SharePoint
  SecureSphere for SharePoint: Market leading WAF with XSS and SQLi protection; OOTB security policies
  Native SharePoint: N/A
Capability: Database Firewall (DBF)
  SecureSphere for SharePoint: Protects against unauthorized DB access; comprehensive audit trail
  Native SharePoint: N/A
Capability: File access control policies
  SecureSphere for SharePoint: Alerts or blocks on policy violation; detects anomalous access activity
  Native SharePoint: N/A
Capability: Permissions management
  SecureSphere for SharePoint: Centralizes permissions visibility; identifies excessive access rights; streamlines permissions reviews
  Native SharePoint: No centralized view; cannot identify excessive rights; no support for reviews
Capability: Activity monitoring
  SecureSphere for SharePoint: Centralizes activity monitoring; can limit audit to specific areas of interest
  Native SharePoint: Siloed – can only monitor site collections; very limited ability to narrow audit scope
Capability: Data owner identification
  SecureSphere for SharePoint: Helps identify owners
  Native SharePoint: N/A
Capability: Security analytics & reporting
  SecureSphere for SharePoint: Comprehensive audit analytics; enterprise-class reporting
  Native SharePoint: Requires export, via Excel, to a third-party analytics and reporting system
Supported SharePoint platforms
• Microsoft SharePoint 2007
• Microsoft SharePoint 2010
Licensing
Appliance licenses
• Base level of users
• X & V2500: 250, 500 users included
User add-ons
• Increased user capacity
• 250, 500, 1,000, 5,000, 10,000, 50,000
Higher-end appliances
• More users included, greater throughput
• X & V4500: 1000 users included
• X6500: users included (TBD)
Includes:
• File and list activity monitoring for SharePoint
• User Rights Management for SharePoint files and lists
• Web Application Firewall for SharePoint web servers
• Database Firewall for SharePoint’s MS SQL database
• ADC Insights for SharePoint