
Page 1: MD SharePoint Magellan · Gartner (Securing SharePoint, February 2009): “Fully audit all SQL Server administrative activities” Security Considerations and Best Practices for Securing

Working group: SharePoint Firewall

Martin Dombrowski, Security Engineer Central & Eastern Europe

[email protected]

Page 2:

Agenda

Awareness

Imperva, what do they do?

SharePoint Firewall

- CONFIDENTIAL -

Page 3:

Page 4:

Stolen credit card market

Page 5:

Forums...

Invites & paid registration

Trust service (escrow, "Treuhand-Service")

Page 6:

Threat landscape

A 15-year-old boy has been arrested for hacking into 259 companies during a 90-day spree. In other words, during the last quarter he successfully attacked an average of three websites per day.

Page 7:

...how easy it can be

Page 8:

Page 9:

Havij

Page 10:

Page 11:

Page 12:

Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” in which he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.

Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.

Page 13:

In Recent Events …

• Saudi Aramco: malicious insider, 30,000 computers hacked, full service disruption.

• Global Payments: compromised insider, 1.5M payment cards compromised.

Page 14:

The 1 Percent To Be Really Concerned About

“Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders

Page 15:

Where Do They Attack?

Multimillion dollar datacenter: well protected

Desktop and the user: not well protected

Both access the same data

Page 16:

Rebalancing security…

Page 17:

Imperva Overview

Our mission.

Protect the data that drives business

Our market segment.

Enterprise Data Security

Our global business.

• Founded in 2002

• Global operations; HQ in Redwood Shores, CA

• 375+ employees

• Customers in 50+ countries

Our customers.

1,700+ direct; thousands cloud-based

• 4 of the top 5 global financial data service firms

• 4 of the top 5 global telecommunications firms

• 4 of the top 5 global computer hardware companies

• 3 of the top 5 US commercial banks

• 150+ government agencies and departments

Page 18:

Imperva Data Security in 60 seconds

Usage: Audit, Access Control, Rights Management

Attack: Attack Protection, Reputation Controls, Virtual Patching

Page 19:

Who considers SharePoint secure?

How does SharePoint get into the company?

Ask yourself the question!

Who is the driver?

IT Security?!?

Page 20:

SharePoint security and control challenges

• Permissions

+ Managing rights day-to-day

+ Reviewing user rights

+ Identifying data owners

• Activity trail

+ Demonstrating compliance with regulations

+ Conducting forensic investigations

• Threats to data

+ Preventing unauthorized access to data

+ Defending against Web-based attacks

• Data management

+ Dealing with unstructured data volume & growth

+ Identifying stale and orphan data

Page 21:

SecureSphere for SharePoint

• User rights management

+ Aggregate and visualize rights

+ Identify excessive and dormant rights

+ Streamline rights reviews

+ Identify data owners

• Activity monitoring

+ Monitor file & list access in real-time

+ Find unused data

• Policy based threat protection

+ Defend against file, Web and database threats

+ Alert and block in real-time

Page 22:

Complementary to native SharePoint capabilities

• Unique SecureSphere security and control for SharePoint

+ Security:
– Web application protection
– Database protection
– File access control policies

+ Permissions management:
– Centralized visibility
– Permissions review support

+ Activity monitoring:
– Centralized visibility

+ Data owner identification

+ Security analytics and reporting

Page 23:

Addresses all major SharePoint deployment types

• Internal Portal (company intranet)

+ Uses include SharePoint as file repository

+ Only accessible by internal users

• External Portal (client access)

+ Uses include SharePoint as file repository

+ Accessible from the internet – for customers, partners or the public

• Internet Website (public website)

+ SharePoint as the website infrastructure

+ Not used as file repository

Page 24:

Layers of SharePoint Protection (diagram)

• Web Application Firewall, in front of the IIS web servers: SQL injection and XSS from the Internet

• Activity Monitoring & User Rights Management, on the application servers: excessive rights, unauthorized access, audit (enterprise users)

• DB Activity Monitoring & Access Control, on the MS SQL databases: excessive administrators, unauthorized changes, audit

Page 25:

Deployment

Page 26:

Deployment

Page 27:

Use Case: User Rights Management

Page 28:

User Rights Management

• Aggregate user rights across sites

• Identify data owners

• Detect excessive rights, reduce access to business-need-to-know

• Formalize and automate rights review cycle

Page 29:

Data Owner Identification

Data ownership
• Top users are either owners or can identify them
• Go-to people are key for business-based decision making
• Save data owner information for decision making

Page 30:

Finding Excessive Permissions

Why does G&A have access?

What departments have access?

Who are the users?

Focus on access to HIPAA regulated data

Who are the users? What type of access do they have?

How did they get the access?

Page 31:

Automatic Identification of Excessive Rights

Should “Everyone” have access to sensitive data?
• “Everyone” group literally means all users

Are there any direct user permissions?
• What will happen when that user changes position?

What rights are not used?
• Users with access they appear not to need

Page 32:

Identifying Dormant Users

Are there dormant users?

Focus on users that have been dormant for over 6 months

Who are they and when did they last access?

Page 33:

Reviewing User Rights with Data Owners

Create permission reports for data owners

Allow data owners to manage their permissions

Log decisions for future audit

Create a baseline: review only changed permissions
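The three review questions from the preceding slides (does "Everyone" reach sensitive data, which rights are granted directly to users, who has been dormant for over 6 months) and the baseline idea on this slide (review only what changed) can all be answered from one rights snapshot joined to the activity audit. The following is an added example, not SecureSphere code or anything from the original deck; the row layout, the site names, the choice of /sites/hr and /sites/finance as sensitive, and the 30-day-month approximation are all assumptions made for the example.

```python
"""Permission review over a constructed SharePoint rights snapshot.

Data model is an assumption for this example (not SecureSphere's schema):
one row per (site, principal, permission level). `last_access` is the
principal's most recent access to that site taken from the activity audit,
or None if the audit has never seen it.
"""
from datetime import date, timedelta

REVIEW_DATE = date(2013, 3, 6)
SENSITIVE_SITES = {"/sites/hr", "/sites/finance"}  # assumed: sites holding regulated data

# Constructed sample snapshot at review time (not real data).
CURRENT = [
    {"site": "/sites/hr", "principal": "Everyone", "type": "group", "perm": "Read", "last_access": date(2013, 3, 1)},
    {"site": "/sites/hr", "principal": "HR Managers", "type": "group", "perm": "Contribute", "last_access": date(2013, 3, 4)},
    {"site": "/sites/hr", "principal": "jdoe", "type": "user", "perm": "Full Control", "last_access": date(2012, 7, 2)},
    {"site": "/sites/finance", "principal": "Finance", "type": "group", "perm": "Contribute", "last_access": date(2013, 3, 5)},
    {"site": "/sites/finance", "principal": "asmith", "type": "user", "perm": "Read", "last_access": None},
    {"site": "/sites/wiki", "principal": "Everyone", "type": "group", "perm": "Read", "last_access": date(2013, 3, 5)},
]

# Baseline recorded at the previous review: jdoe had only Read on /sites/hr, asmith had nothing.
BASELINE = [
    {"site": "/sites/hr", "principal": "Everyone", "type": "group", "perm": "Read"},
    {"site": "/sites/hr", "principal": "HR Managers", "type": "group", "perm": "Contribute"},
    {"site": "/sites/hr", "principal": "jdoe", "type": "user", "perm": "Read"},
    {"site": "/sites/finance", "principal": "Finance", "type": "group", "perm": "Contribute"},
    {"site": "/sites/wiki", "principal": "Everyone", "type": "group", "perm": "Read"},
]


def everyone_on_sensitive(rows, sensitive=SENSITIVE_SITES):
    """'Everyone' literally means all users, so flag it wherever sensitive data lives."""
    return sorted(r["site"] for r in rows
                  if r["principal"] == "Everyone" and r["site"] in sensitive)


def direct_user_permissions(rows):
    """Rights granted to a user instead of a group survive the user's change of role."""
    return sorted((r["site"], r["principal"], r["perm"]) for r in rows if r["type"] == "user")


def dormant(rows, as_of=REVIEW_DATE, months=6):
    """Principals with no access in `months` (30-day months) or never seen at all."""
    cutoff = as_of - timedelta(days=30 * months)
    return sorted((r["site"], r["principal"]) for r in rows
                  if r["last_access"] is None or r["last_access"] < cutoff)


def changed_since_baseline(baseline, current):
    """Only the delta needs a data-owner decision; unchanged grants were reviewed last cycle."""
    key = lambda r: (r["site"], r["principal"], r["perm"])
    before = {key(r) for r in baseline}
    after = {key(r) for r in current}
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def review_report(current=CURRENT, baseline=BASELINE):
    """Bundle the findings the way a data-owner report would present them."""
    return {
        "everyone_on_sensitive": everyone_on_sensitive(current),
        "direct_user_permissions": direct_user_permissions(current),
        "dormant": dormant(current),
        "changes": changed_since_baseline(baseline, current),
    }


if __name__ == "__main__":
    for finding, value in review_report().items():
        print(f"{finding}: {value}")
```

On the sample data the report flags "Everyone" on /sites/hr but not on the wiki, two direct user grants, jdoe (last seen in July) and asmith (never seen) as dormant, and only jdoe's escalation to Full Control and asmith's new grant as changes a data owner has to decide on. In a real farm the snapshot comes from the site collection permission inheritance tree, so a row per inherited grant on each list and library is needed before the "direct user" and "Everyone" checks are meaningful.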

Page 34:

Use Case: Activity Monitoring & Alerting

Page 35:

Activity Monitoring & Alerting

• Full audit trail

+ Audit all access activity

+ No performance impact

• Analytics and reporting

+ Automatic reports to data owners

+ Forensics for incidents

+ Compliance reporting

• Access control

+ Add an additional layer to native access controls

+ Alert/Block access that violates corporate policies

Page 36:

Full Audit Trail

Who, what, when, where

Broad visibility: all folders, lists and files

Minimal impact
• Doesn’t degrade performance

Page 37:

Detailed Analytics for Forensics

Focus on access to financial data

What are the primary departments accessing this data?

Why are G&A accessing financial data?

Who accessed this data?When & what did they access?

Who owns this data?

Page 38:

SecureSphere’s Customizable Reporting

Fully customizable
• Content, format, schedule, etc.

Flexible
• Graphs for executives
• Details for operational staff

Page 39:

Real-time Enforcement: Possible Data Leakage

Out-of-the-box policy as part of ADC Insights

Is someone accessing large amounts of data?

Alert when a user reads 100 files within the same hour

Page 40:

Real-time Enforcement: Possible Data Leakage

See triggered alerts

Drill down for details on “who, what, when, where”

Following an alert:
• Send emails automatically
• Create security events in SIEM tools
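The "100 files within the same hour" policy on the two preceding slides is a sliding-window count per user over the file-access audit, and the alert it raises has to carry the who/what/when/where that the drill-down shows. The following is an added example of that rule, not the ADC Insights policy or any code from the deck: the audit line layout, the user and site names, the sample stream and the key=value SIEM line are all constructed for the example.

```python
"""Mass-read detection over constructed SharePoint file-access audit lines.

Log layout is an assumption for this example, not SecureSphere's or SharePoint's
own audit format. Lines for a given user are expected in chronological order,
as an audit stream would deliver them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) op=(?P<op>\S+) "
    r"src=(?P<src>\S+) item=(?P<item>.+)$"
)


def parse(line):
    """Return the event as a dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def mass_read_alerts(lines, threshold=100, window=timedelta(hours=1)):
    """Alert once per user when that user reads `threshold` distinct files within any
    sliding `window`. Re-reads of the same file are not counted twice."""
    recent = defaultdict(deque)  # user -> (ts, item, src) events inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] != "Read":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["item"], ev["src"]))
        while ev["ts"] - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {item for _, item, _ in q}
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "who": ev["user"],
                "what": len(distinct),
                "when": (q[0][0], ev["ts"]),
                "where": sorted({src for _, _, src in q}),
            })
    return alerts


def to_siem_event(alert):
    """Flatten an alert to one key=value line for a SIEM (the line format is an assumption)."""
    start, end = alert["when"]
    return (f"rule=mass_read user={alert['who']} files={alert['what']} "
            f"start={start:%Y-%m-%dT%H:%M:%S} end={end:%Y-%m-%dT%H:%M:%S} "
            f"src={','.join(alert['where'])}")


def _reads(user, src, start, count, step, prefix):
    """Build `count` Read events for one user, `step` apart, on distinct files."""
    return [f"{start + i * step:%Y-%m-%dT%H:%M:%S} user={user} op=Read src={src} "
            f"item=/sites/finance/{prefix}{i}.xlsx" for i in range(count)]


# Constructed sample stream (not real data):
#  - bob reads 60 files at 09:00 and the same 60 again at 11:30; each burst is under the
#    threshold and the two are more than an hour apart, so no alert.
#  - jdoe reads 120 distinct files 20 s apart from 14:00; the 100th lands at 14:33:00.
#  - asmith reads 5 files in the same period and stays well below the threshold.
_t = datetime(2013, 3, 6, 9, 0, 0)
SAMPLE_LINES = (
    _reads("bob", "10.1.2.3", _t, 60, timedelta(seconds=10), "ledger")
    + _reads("bob", "10.1.2.3", _t.replace(hour=11, minute=30), 60, timedelta(seconds=10), "ledger")
    + _reads("jdoe", "10.1.2.9", _t.replace(hour=14), 120, timedelta(seconds=20), "q1-")
    + _reads("asmith", "10.1.2.4", _t.replace(hour=14, minute=5), 5, timedelta(minutes=1), "budget")
)


if __name__ == "__main__":
    for a in mass_read_alerts(SAMPLE_LINES):
        print(to_siem_event(a))
```

Two design choices matter when tuning such a rule: counting distinct items rather than raw read events, so a user repeatedly opening the same spreadsheet does not trip it, and using a sliding window rather than the wall-clock hour, so a burst that straddles 14:59 to 15:01 is still seen as one burst. Lowering `threshold` to 50 on the sample stream makes bob's first burst fire as well, which is the kind of false positive a per-site or per-department baseline would have to absorb.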

Page 41:

Use Case: Policy Based Threat Protection

Page 42:

Policy based threat protection

• Web Application Firewall

+ Attack protection

+ Reputation controls

• Database protection

+ Fully audit SQL Server local activities

+ Block unapproved database changes

• ADC Insights for SharePoint

+ Out-of-the-box security and compliance

+ Always up-to-date

Page 43:

Attack Protection

WAF Policies customized for SharePoint based sites

Are external users accessing admin pages?

Repeated failed login attempts?

OOTB Security Policies
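The two questions on this slide, external users reaching admin pages and repeated failed logins, are the kind of SharePoint-specific WAF policy the slide describes. The following is an added example of how such checks evaluate against web-server log lines; it is not one of Imperva's OOTB policies and not code from the deck. The log layout, the RFC 1918 definition of "internal", the admin-page path list (Central Administration under /_admin/ and the settings pages SharePoint 2007/2010 serve from /_layouts/) and the forms-login failure signature are all assumptions made for the example.

```python
"""WAF-style policy checks over constructed SharePoint web-server log lines.

The log layout, the admin-page patterns and the login-failure signature are
assumptions for this example, not Imperva's OOTB policies or the IIS W3C format.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed: RFC 1918 ranges are "internal"; anything else counts as an external user.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed admin pages: Central Administration under /_admin/, and the site-settings
# pages SharePoint 2007/2010 serve from /_layouts/ (settings, user, people, viewlsts).
ADMIN_PATH = re.compile(r"^/_admin/|/_layouts/(settings|user|people|viewlsts)\.aspx$", re.I)

# Assumed: forms-based login page, with a failed attempt logged as a 401.
LOGIN_PATH = "/_login/default.aspx"


def parse(line):
    """Return the request as a dict, or None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def is_external(src):
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)


def evaluate(lines, fail_threshold=5, fail_window=timedelta(minutes=5)):
    """Return (rule, source, detail) tuples in the order the violations appear."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of failed logins inside the window
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if is_external(ev["src"]) and ADMIN_PATH.search(ev["path"]):
            alerts.append(("external_admin_access", ev["src"], ev["path"]))
        if ev["path"].lower() == LOGIN_PATH and ev["status"] == "401":
            q = failures[ev["src"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > fail_window:  # keep only failures inside the window
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("repeated_failed_login", ev["src"],
                               f"{len(q)} failures in {fail_window}"))
                q.clear()  # fire once, then require a fresh run of failures
    return alerts


# Constructed sample (not real traffic). Timestamps ascend.
SAMPLE_LINES = [
    "2013-03-06T10:00:01 10.1.2.3 CORP\\admin GET /_admin/default.aspx 200",              # internal admin, fine
    "2013-03-06T10:00:05 10.1.2.3 CORP\\admin GET /sites/hr/_layouts/settings.aspx 200",  # internal, fine
    "2013-03-06T10:01:10 203.0.113.7 - GET /sites/hr/default.aspx 200",                    # external, normal page
    "2013-03-06T10:01:12 203.0.113.7 - GET /sites/hr/_layouts/settings.aspx 200",          # external on admin page
    "2013-03-06T10:02:00 192.168.5.5 - POST /_login/default.aspx 401",                     # two internal failures only
    "2013-03-06T10:02:30 192.168.5.5 - POST /_login/default.aspx 401",
] + [f"2013-03-06T10:03:{10 * i:02d} 198.51.100.9 - POST /_login/default.aspx 401" for i in range(6)]


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LINES):
        print(a)
```

The admin-page rule fires on the request itself, regardless of the status code, because a 200 on /_layouts/settings.aspx from an external address is exactly the case worth seeing. The login rule carries an important caveat for SharePoint farms: under Windows-integrated (NTLM/Kerberos) authentication a 401 is the normal first leg of every handshake, so on such a farm the rule must key on the authentication provider's failure event rather than on raw 401 responses, or it will alert on every legitimate user.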

Page 44:

Database Protection

• SecureSphere can block all unapproved database changes

Microsoft Support: “Database modifications may result in an unsupported database state” http://support.microsoft.com/kb/841057

• SecureSphere audits all administrative database activity

Gartner (Securing SharePoint, February 2009): “Fully audit all SQL Server administrative activities”, Security Considerations and Best Practices for Securing SharePoint

Page 45:

Questions?

Page 46:

Supplemental Slides

Page 47:

SecureSphere value-add over native SharePoint (details)

| Capability | SecureSphere for SharePoint | Native SharePoint |
|---|---|---|
| Web application firewall (WAF) & ADC Insights for SharePoint | Market leading WAF with XSS and SQLi protection; OOTB security policies | N/A |
| Database Firewall (DBF) | Protects against unauthorized DB access; comprehensive audit trail | N/A |
| File access control policies | Alerts or blocks on policy violation; detects anomalous access activity | N/A |
| Permissions management | Centralizes permissions visibility; identifies excessive access rights; streamlines permissions reviews | No centralized view; cannot identify excessive rights; no support for reviews |
| Activity monitoring | Centralizes activity monitoring; can limit audit to specific areas of interest | Siloed, can only monitor site collections; very limited ability to narrow audit scope |
| Data owner identification | Helps identify owners | N/A |
| Security analytics & reporting | Comprehensive audit analytics; enterprise-class reporting | Requires export, via Excel, to third-party analytics and reporting system |

Page 48:

Supported SharePoint platforms

• Microsoft SharePoint 2007

• Microsoft SharePoint 2010

Page 49:

Licensing

Appliance licenses: base level of users
• X2500 & V2500: 250 users included
• X4500 & V4500: 1,000 users included
• X6500: users included (TBD)

User add-ons: increased user capacity
• 250, 500, 1,000, 5,000, 10,000, 50,000 users

Higher-end appliances: more users included, greater throughput

Includes:
• File and list activity monitoring for SharePoint
• User Rights Management for SharePoint files and lists
• Web Application Firewall for SharePoint web servers
• Database Firewall for SharePoint’s MS SQL database
• ADC Insights for SharePoint