Compliance says that we need to log everything within scope, and that we must then review the reports generated from those logs. Can we really be trusted to look at all of these reports, and if so, can we really get anything constructive out of them?
I believe the answer is NO, and I don’t believe anybody, or even a team, can look through hundreds of pages of reports daily and categorically say there were no breaches in compliance.
I’m not saying we shouldn’t worry about being compliant, and I’m certainly not saying we shouldn’t monitor what is happening on the network. What I’m saying is that SIEM reporting doesn’t work; it never has, and unless there is a new breed of super auditors, it never will.
So what can we do to ensure we are compliant?
Well, there are a number of steps we can take to ensure that we are compliant. Here are my top 10:
- Create a usable and understandable security policy based on compliance and business needs
- Ensure that all employees and third parties read, understand and agree to the security policy
- Enforce the policy; there is no point in having a policy if it’s not enforced
- Create a system of least-privilege access
- Use workflow to ensure only authorised and approved access to critical data systems
- Monitor and record all sessions related to privileged data and critical systems
- Notify all users connecting to the monitored systems that they are recorded and possibly watched in real time (the "Four Eyes" principle)
- Systematically audit the connections of critical systems
- In case of a breach, use the recording to understand whether the breach was accidental or malicious
- Learn from any breaches, strengthen the policy and, if needed, reduce access further
How can we put all this together without rebuilding the network?
The good news is that Wallix can help you become compliant and secure in a matter of hours. WAB gives you the ability to remove access to privileged data, record sessions, manage accounts and passwords, audit users, control access to specific applications and display a message or warning at the start of each connection that the session is being monitored.
I’m pretty sure our Admins won’t like that, what would convince them?
This solution isn’t there to stop them working: they can still use their own tools such as PuTTY, WinSCP and home-grown products. It is there to help with their day-to-day routines, and it can help protect them: with the recordings they can show exactly what work was done during change requests and emergency work. They no longer need to remember IP addresses or passwords; the WAB provides a single point of sign-on and holds the remote admin credentials for servers, network devices, databases and applications, to name but a few.
What about staff turnover, do I need to train new staff?
The Wallix AdminBastion (WAB) is simple to administer; most users will see only two tabs, “Preferences” and “Authorizations”:
Preferences is for changing passwords and email etc.
Authorizations allows the user to simply click on the device/s that they wish to connect to.
When an employee or contractor leaves, there is just one place to disable their account, so the ex-employee threat is reduced to a single point of audit.
Ah, but auditing: can it help me with audits?
Simple: the WAB is a single source of authentication. The WAB connects to the remote devices and provides the credentials needed to authenticate and establish the session. The WAB provides a full audit trail of the username, the remote account, the duration and the protocol used. And because the user authenticated with their own personal account, generic accounts can be used once more on the remote devices, which helps with cleaning up unused or old system accounts.
This all sounds very complex, do I need agents on every device?
WAB uses NO AGENTS; it is a bastion, and therefore only connections established through it are recorded and monitored. This helps reduce the scope for compliance and avoids privacy issues regarding personal email and internet use.
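Because a bastion only records what passes through it, the one thing it can never log is a login that went around it. The check below is an added example, not Wallix or WAB code: it reconciles bastion-style session records (modelled on the audit fields listed above) with a target host's own login log and reports logins that no bastion session accounts for. The bastion address, record layout and log lines are all constructed assumptions.

```python
"""Reconcile bastion session records with a target host's login log.

All data here is constructed for the example; the record fields mirror
the audit trail described in the post (user, remote account, target,
protocol, start, duration), and the log lines mimic sshd "Accepted" entries.
"""
from datetime import datetime, timedelta
import re

BASTION_IP = "10.0.0.5"  # assumed address of the bastion host

# Constructed bastion sessions: personal user mapped to a generic remote account
BASTION_SESSIONS = [
    {"user": "alice", "account": "root", "target": "db01", "proto": "ssh",
     "start": "2024-03-01T09:00:00", "duration": 600},
    {"user": "bob", "account": "admin", "target": "fw01", "proto": "ssh",
     "start": "2024-03-01T10:15:00", "duration": 120},
]

# Constructed target-host log: one login via the bastion, one direct
TARGET_LOG = """\
2024-03-01T09:00:02 db01 sshd: Accepted password for root from 10.0.0.5 port 50001 ssh2
2024-03-01T11:30:00 db01 sshd: Accepted publickey for root from 192.168.7.33 port 50310 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for (\S+) from (\S+) port")


def parse_target_logins(text):
    """Yield (timestamp, host, account, source_ip) for each accepted login."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, account, src = m.groups()
            yield datetime.fromisoformat(ts), host, account, src


def find_bypasses(sessions, target_log, bastion_ip=BASTION_IP, slack=timedelta(seconds=30)):
    """Return target logins that no bastion session accounts for.

    A login is covered only if it came from the bastion address and falls inside a
    recorded session for the same host and remote account (allowing clock slack).
    """
    bypasses = []
    for ts, host, account, src in parse_target_logins(target_log):
        covered = src == bastion_ip and any(
            s["target"] == host and s["account"] == account
            and datetime.fromisoformat(s["start"]) - slack <= ts
            <= datetime.fromisoformat(s["start"]) + timedelta(seconds=s["duration"]) + slack
            for s in sessions)
        if not covered:
            bypasses.append((ts.isoformat(), host, account, src))
    return bypasses


if __name__ == "__main__":
    for entry in find_bypasses(BASTION_SESSIONS, TARGET_LOG):
        print("login not attributable to a bastion session:", entry)
```

In practice the target-host side would be the auth logs already shipped to the SIEM, so this is a small, answerable question to ask of them rather than another report to read.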
Sounds too good to be true? I thought so, and now I work for the company.