This is a follow-up on a previous blog post of mine. In my first post on Export Control Compliance I tried to explain what the ITAR is and why it’s important for defense contractors, manufactures and suppliers.
Knowing or learning about it is all fine and dandy, and registering with the State Department’s DDTC is even better, but what we have learned from conversations with current customers is that discovering high-risk, sensitive USML related content is something that many organizations in the defense and manufacturing industries have struggled with in the past.
Traditional, enterprise-class DLP and data discovery solutions are very complex to start and effectively use, are usually not flexible enough for large, complex IT infrastructures, and simply not cost-friendly on already small IT budgets.
The first step in maintaining compliance with ITAR is discovering where the USML related content exists. Next, you have to secure it. Failure to comply with ITAR can result in hefty fines and penalties, and in some cases imprisonment.
StealthSEEK offers a simple-to-deploy, easy-to-use DLP and data discovery platform for identifying articles and services, outlined in the United States Munitions List (USML), across your file systems, enabling compliance for the Defense Industry.
In addition to the already 450+ file types that StealthSEEK scans for and the custom criteria ability feature, we’ve added content scanning criteria, specific for ITAR compliance.
Discover how StealthSEEK can help your organization.
I was asked the other day by a colleague: “What is ITAR (International Traffic in Arms Regulations) and why is it important?” So my research commenced. My findings, plentiful to say the least, was that ITAR, along with the Export Administration Regulations (EAR), are two of the most important United States Government export control laws.
From the United States Department of State website, ITAR is a set of regulations responsible for the control of the permanent and temporary export and temporary import of defense articles and services. It is ruled by the Department of State and it implements the authority of the Arms Export Control Act (AECA), an act that provides the authority to control the export of defense articles and services, and charges the President to exercise this authority.
The list of defense articles and services that are pursuant to AECA are found on the United States Munitions List (USML). The list contains 20 categories ranging from Firearms, Close Assault Weapons and Combat Shotguns to Spacecraft Systems and Associated Equipment. All-in-all there is twenty categories, and a miscellaneous section, of the USML.
So we’ve got the what, but what about the why? Why are export control laws like ITAR important to understand and comply with? Well, the short answer is because there are penalties and fines for those companies that violate ITAR. According to the International Import-Export Institute at Dunlop-Stone University, the U.S. Government requires all manufacturers, exporters, and brokers of defense articles, defense services or related technical data to be ITAR compliant. There are numerous well-known instances of major corporations failing to comply with ITAR, or flat out violating the regulations.
Don’t get slapped with the tag of “not compliant.” Register with the State Department’s DDTC and stay ahead.
Learn how STEALTHbits Technologies enables Export Control Compliance through StealthSEEK™.
Wednesday, 09 January 2013 12:00
While researching data breach incidences within Universities and places of higher education, I stumbled upon the Privacy Rights Clearinghouse; an organization dedicated to consumer privacy and “raising awareness of how technology affects personal privacy”. According to the Privacy Rights Clearinghouse (www.privacyrights.org/data-breach/new), over 3,500 data breaches have been made public in US universities and educational institutions alone since 2005; equating to over 600,000,000 compromised records.
But why universities? Are hackers and data thieves targeting the science department’s proprietary research? Well, maybe sometimes, but in almost all instances, they’re stealing the same type of data; Student and Faculty Social Security Numbers, Birth Dates, Addresses, Bank Account Numbers, and other personally identifiable information (PII) that cost the universities, their staff, their students, and even their student’s families monetary loss, emotional stress, and daily disruptions.
The good news is that there are solutions like enterprise Data Loss Prevention (DLP) products designed to help mitigate these types of events. That said, however, the vast majority of the currently available products designed to thwart attacks on sensitive data are incredibility expensive, costly and difficult to implement and maintain, and are rarely found inside the walls of our educational institutions as a result.
The cost prohibitive nature of enterprise class DLP solutions coupled with the historically limited IT budgets and high administrative turnover found in educational institutions have made places of higher education a target for easy access to some of the most sensitive data that exists within any organization.
So what can educational institutions do to protect themselves against data breach without breaking the bank?
Our contention is that many of the data breach events that have occurred in recent times could have been prevented through simple, proactive identification of where data exists, who has access to data, and what type of data exists within the file systems of networked computers – workstations, laptops, and servers – otherwise known as “data-at-rest”. Had the universities that have been victim to data breach events known that sensitive, private student and faculty data existed and was unprotected, it’s a pretty safe assumption to say they wouldn’t have allowed it to remain in such a state. The fact of the matter is that they simply don’t know what they don’t know.
A less costly and more pragmatic approach for universities (or any organization with limited funds and resources to prevent data breach events) is to proactively identify where their risk is, consolidate their sensitive data, and lock it down tightly.
A great place to start is to locate file shares that are open to large audiences. These data repositories are notoriously difficult to control due to the number of people performing file transactions, the lack of assigned ownership and governance over the data that exists there, and the complicated weave of access rights that are just as difficult to understand as they are to assign.
After the areas of highest risk are identified, point-and-shoot, low-cost sensitive data identification solutions like StealthSEEK can begin to search for Social Security Numbers, Credit Cards, Bank Accounts, Health Records, and other sensitive and proprietary pieces of data that are buried deep within the files themselves.
As a last step, all documents containing sensitive data can be reviewed, consolidated, and locked down, limiting the number of people who have access to the most sensitive information and also who knows where that data lives.
Endpoint and Data-in-Motion DLP solutions are no doubt valuable assets for organizations that can afford them, but the true “blocking and tackling” of data loss prevention is knowing where sensitive data is and who has access to it, especially for the data that already exists within the environment.
I'm frequently asked why I think StealthAUDIT provides a better alternative to some other product on the market. The answer often comes down to the same core differentiators:
SMP takes a very different approach to other solutions on the market. While other products attempt to anticipate what reports you might need and package only those into a product set, the StealthAUDIT platform enables a flexible approach to answer virtually ANY question you have today or in the future.
The SMP includes hundreds of out-of-the-box reports based on a decade of experience working with organizations of all sizes. And it includes browse-able interfaces such as the Access Information Center (AIC) which provide easy answers to the top questions of Who has access and How they got access. But it’s also extremely extensible so you can accommodate custom reporting and analysis scenarios such as correlating data across multiple systems and identifying anomalies that exist outside of your unique security policies.
No other solution on the market can match the SMPs scalability and performance across large scale environments. Our 30+ data collectors enable the use of best-fit technology which is usually agentless while at the same time extremely efficient. Recent improvements that enable scheduling "run windows" and improved performance of our Active Directory data collection further separate SMP from the pack in terms of scalable, efficient data collection.
Thursday, 27 September 2012 13:43
This is reposted from an earlier post but seems as relevant as ever. If you're thinking about monitoring Active Directory events, you'll no doubt consider what's involved in leveraging native event logging and how that relates to tools that are designed for AD event monitoring. In that context, below, we describe a few of the steps involved in setting up native event logging for Active Directory.
Determine Which Events You Need
First, you need to understand which events you need to keep track of, and the associated event IDs. Complicating this task is that the event ID numbering is different between versions of Windows. For example, in Server 2008, four digit event IDs are introduced along with audit subcategories on the main audit categories. There are many events that look similar to each other, so you really need to know what you're looking at, and often a single act will generate numerous events in the log.
The subcategories can be useful because you can enable auditing on some events but not others, which is a step in the right direction for Microsoft auditing, albeit a baby step. For example, instead of treating all Account Management events the same, you can enable audit on Security group management but disable audit on Distribution group management. You have to use a command line tool to apply audit settings via subcategories and you don't get advanced filtering such as the ability to alert on changes to high-risk groups (something STEALTHbits can easily do), but it's better than the Server 2003 capabilities.
Complicating matters further is that there are Account Management audit events and Directory Service Access audit events which overlap. So, if both are enabled, you may see even more duplicate events with some confusion about where to find the best event data. And "before" and "after" values are written to different events. So, in some cases, you'll need to correlate multiple events in order to get the answers you seek.
Enable Auditing on Desired Objects
Once you have the set of events that you want enabled, you also have to enable auditing on the objects themselves. In other words, if you enable auditing on security groups, you still need to ensure that auditing is enabled on those security groups. Typically, enabling audit on directory objects is as simple as enabling "Audit Account Management" in the appropriate GPO but keep in mind that audit settings differ slightly in various versions of Windows, so if you have a mixed environment, be sure to consult each versions' documentation for appropriate audit settings. And be sure that the GPO is configured appropriately on each Active Directory Domain Controller.
Additionally, you can utilize ADSIEdit to apply a "don't audit" flag on attributes that you'd like to have filtered out of auditing. Note that this removes ALL auditing of that attribute for ALL objects. You cannot distinguish, for example, between administrative user accounts and other accounts (again, something that's easy for STEALTHbits).
Configure Event Log Settings
The third step is to configure log settings. You need to set appropriate access permissions so that advanced users looking to cover their tracks cannot clear logs which may hold vital evidence. If the log security policy is not enabled, all authenticated users would have access to write & clear application logs. System and Security logs can be cleared by system software or administrators.
You also need to set maximum log size and retention rules. These settings enable you to control how large the log files will grow and what happens when they reach their maximum. This is critical because logs need to be efficiently handled by log collection systems.
There's no ON switch for Windows auditing. There's a number of steps and methods by which to implement auditing. There is even a TechNet article on the complexity of determining the effective audit policy in Windows 2008. The author makes the point that "you should not trust any of the Group Policy reporting tools when it comes to audit settings." If you love Windows event logs and have a complete mastery of how they work (you know who you are), that's great. If not, I would think twice before making a decision to rely on Windows event logging. I certainly wouldn't go down that path with the expectation that it's the easy way. It's clearly not.
It’s no secret that over the past decade, Active Directory has grown out of control across many organizations. It’s partly due to organizational mergers or disparate Active Directory domains that sprouted up over time, but you may find yourself looking at dozens or even hundreds of Active Directory domains and realize that it's time to consolidate. And it probably feels overpowering. But despite the effort in front of you, there’s an easy way and a right way.
Domain consolidation is not a simple task. Whether you're moving from one platform to another, trying to implement a new security model, or just consolidating domains for improved management and reduced cost, there are numerous steps, lots of unknowns and an overwhelming feeling that you might be missing something. Sound familiar?
According to Gartner analyst Andrew Walls, “The allure of a single AD forest with a simple domain design is not fool’s gold. There are real benefits to be found in a consolidated AD environment. A shared AD infrastructure enables user mobility, common user provisioning processes, consolidated reporting, unified management of machines, etc.”
Walls goes on to discuss the politics, cost justification, and complexity of these projects noting that “An AD consolidation has to unite and rationalize the ID formats, password policy objects, user groups, group policy objects, schema designs and application integration methods that have grown and spread through all of the existing AD environments. At times, this can feel like spring cleaning at the Aegean stables. Of course, if you miss something, users will not be able to log in, or find their file shares, or access applications. No pressure.”
Walls offers advice on how to avoid some of the pain. “You fight proliferation of AD at every turn and realize that consolidation is not a onetime event. The optimal design for AD is a single domain within a single forest. Any deviation from this approach should be justified on the basis of operational requirements that a unified model cannot possibly support.”
What does this mean for you? Well, the most significant take-away from Walls’ advise is that it’s not a onetime event. AD Unification is an ongoing effort. You don’t simply move objects from point-A to point-B and then pack it in for the day. The easy way fails to meet the core objectives of an improved security model, simplified management, reduced cost, and a common provisioning process (think integration with Identity Management solutions).
If take everything from three source domains and simply move it all to a target domain, you haven’t achieved any of the objectives other than now having a single Active Directory. There’s a good chance that your security model will remain fragmented, management will become more difficult, and your user provisioning processes will require additional logic to accommodate for the new mess. On a positive note, if this model is your intent, there are numerous solutions on the market that will help.
STEALTHbits, of course, embraces the right way. “Control through Visibility” is about improving your security posture and your ability to manage IT by increasing your visibility into the critical infrastructure.
Offering a multi-step strategy toward a CLEAN domain consolidation, STEALTHbits’ Active Directory Unification solutions assess which objects should or shouldn’t be consolidated, how the source environments map to the target environment (especially in terms of the security model), and automate the transformation in a way that eliminates the need for SID history, doesn’t break user access, and improves manageability. This applies primarily to servers, GPOs, AD schema, naming conventions, and security groups. (User accounts and workstations can generally be moved as-is once the appropriate group memberships and GPO policies have been evaluated.)
STEALTHbits’ Active Directory Unification doesn’t eliminate the need for some form of migration tool to do the Point-A to Point-B moves, but it provides an invaluable ability to streamline what gets moved and how those objects are transformed to meet the target domain security model and related requirements. Throughout the process and moving into the future, the solution identifies and eliminates high-risk and toxic conditions across the Active Directory environments and can evaluate needs and suggest improvements over time – such as security group permission changes or new security groups that enforce a least privilege model or eliminate Segregation of Duties issues based on actual activity in the environment. These intelligence features simply aren’t available in migration tools. This type of analysis requires an enterprise class data collection and analysis platform such as the StealthAUDIT Management Platform (SMP).
Please let us know if you’d like more information on how the STEALTHbits’ Active Directory Unification can help with your Active Directory consolidation effort.
One of the most important things you can do to improve the security posture of your IT infrastructure is to provide in-depth monitoring of Active Directory. STEALTHbits provides numerous solutions to assist with monitoring numerous Active Directory security events. With deep visibility into administrative changes such as user account creations, group changes, and changes to Group Policy Objects (GPOs), STEALTHbits enables a complete audit trail with real-time alerts when high-risk activity takes place. The StealthINTERCEPT line also serves as a firewall around Active Directory effectively blocking certain activity and preventing unwanted changes to the Active Directory OU structure, GPO objects, and other high-risk AD objects. If you delgate permissions to Active Directory administrators that may have more permissions than the require to do their jobs, then Active Directory Monitoring should be at the top of your list. Let us know if you'd like to learn more.
Monday, 24 September 2012 10:05
You may have heard us discuss Active Directory domain consolidations or domain migrations in the past but there's been significant recent progress in how we approach large consolidation projects. We call it Active Directory Unification and we've built new out of the box intelligence into our existing product set. It's not just about getting from point A to point B. When you're going domain consolidation ratio is in the neighborhood of 100:1 (or even 10:1), you'd better make sure you have deep visibility into what you migrate. One Active Directory domain is trouble enough. You don't want a decade's worth of unused groups, improper permissions, stale objects, and other junk - for EACH domain - being moved into your target Active Directory environment. Whether the goal is an improved security model, simplified management, reduced cost, regulatory compliance, or something else, let us tell you about how STEALTHbits is helping organizations with large scale Active Directory domain consolidations.
Tuesday, 28 August 2012 10:23
GPOs are a bit of a strange beast. They exist in two worlds - the file system, and active directory - and they affect many more. Sort of like a platypus - a poisonous mammal that lays eggs and has a duck-bill, a beaver tail, and the feet of an otter - the GPO has the characteristics of both files and AD objects while affecting security, the registry, applications, and many other parts of your forest. And that makes it a tricky object to get a handle on.
The AD portion of the GPO tracks version information, and also where the GPO is applied in Active Directory. So it's very important to keep track of the AD portion, where changing where a GPO is applied is the same as adding and deleting its setting from your deployment.
The File portion of the GPO records all of the GPO's settings. That is, all of the specifics about what a GPO affects from the password settings to rights assignments to application deployment is stored in a series of files (multiple settings files per GPO is common) on the file system, in the SYSVOL folder of each domain controller. Tracking this is just as important as the AD portion, if not more so, and you don't have a functional GPO without both.
So, you're an administrator and you want to see who is making changes to your GPOs, and what those changes are. To do that, you need technology that sees into both AD and the filesystem. And if you want to prevent administrators from making changes to your GPOs, you need to secure Active Directory and the SYSVOL folder, and lock it down so that even your domain admins can't make changes unless they're approved. That's some tricky business.
Thankfully, STEALTHbits has the technology you need. Change detection, before-and-after values for changes, and precise lockdown rules that affect both AD and the filesystem - all in StealthINTERCEPT. We give you visibility into where GPOs are applied, what settings are being changed (including the old and new value of all changes) and who is making the changes. And we can pro-actively prevent unwanted change before it occurs with our Lockdown technology, giving you complete control of your GPOs wherever and however they are applied in your environment.
Information security is complex to say the least. It can feel overwhelming for security professionals as we get our heads around all of the issues and approaches to protecting data. Many of the frameworks out there (NIST, ISO, COBIT/COSO, etc.) may help as part of a long term strategic approach, but they don’t make life much easier in the short term. It’s often a six month project just to figure out what they’re talking about.
The SANS Institute has developed a “Top 20” to address this challenge. The idea was to define the 20 most critical controls so that organizations can focus their efforts on 20 things that can have real impact for info-security in a short timeframe. They are a subset of the overall information security picture and they’re intended to be free of FUD, vendor-speak, and specific solution approaches.
Of the SANS Top 20 Security Controls, Dan Mintz, former CIO at the US Dept of Transportation, commented:
“What excites me is this approach allows often resource-constrained organizations to both focus on the most critical priorities and to implement solutions that are both practical and important.”
The controls cover a wide variety of topics from perimeter defense to account monitoring and data loss prevention. STEALTHbits’ flexible StealthAUDIT platform addresses many of the control areas in the SANS Top 20 with a single install. We recently produced a short document outlining our ability to respond to the 20 controls painting a broad picture of where we fit and where we don’t.
For more information on the SANS Top 20 Critical Security Controls, please visit the SANS website.