Apr 4 2014

Five Reasons Why You Should Monitor & Control [All of] Your Secure Shell Traffic

How many times have we heard “the perimeter isn’t secure”? In fact, with BYOD, cloud and the extended enterprise, it’s hard to define what the perimeter is anymore. The concept of a porous perimeter that can’t be trusted is the foundation of the Zero Trust model of security, and many organizations are adopting this approach. Here are five reasons why monitoring and controlling Secure Shell should be included in your organization's Zero Trust approach.

  1. Trust no one, monitor everything – With advanced security intelligence tools and layered defense systems, many organizations have fairly good visibility into the traffic moving across their networks, except for SSH, SFTP and RDP traffic. Since these encrypted channels provide access to the most critical systems, ensuring traffic is monitored in the same way other traffic is monitored makes a lot of sense.
  2. Traditional privileged identity management solutions are not enough for M2M – That jump server or gateway that everyone logs into to gain access to systems on the network does a fine job of capturing all of your interactive user sessions, or “carbon-based identities”. But what are you missing? All of those non-carbon-based identities running around your network. These applications use Secure Shell to move data from and to different points in the network. Oftentimes the payload includes highly valuable data such as credit card information, personal health records and more.
  3. There is a hole in your firewall … and you put it there – Firewalls are typically set up to allow Secure Shell traffic to flow freely into the organization. Why? Because the content is encrypted and the firewall can’t apply policy except on meta information if the connection is encrypted. This means many organizations are at risk – especially in extended enterprise environments – because malware can potentially make it past the perimeter and into the network.
  4. Context provides strong authentication – Authentication alone isn’t enough – it just means that someone knows a user name and password or has obtained a private key. What an identity is doing while inside your environment is the best way to determine whether that identity has been compromised. For instance, if a key assigned to Bob in the SAP group is used to access ERP system information at 2 am on a Saturday, that may be considered anomalous behavior and needs to be investigated. On the M2M side, if an identity assigned to an application suddenly starts sending data via Secure Shell to a laptop inside the network, that may be an indication of malicious insider activity. Without network-level visibility into this traffic, it may be difficult or impossible to be alerted to these types of potential exploits.
  5. Network-based access controls stop exploits in their tracks – Advanced privileged identity management solutions don’t simply provide you with forensics data post-exploit; they also provide you with proactive capabilities to stop exploits in their tracks or, at the very least, mitigate the amount of damage that can be done. With a solution like CryptoAuditor, even if a malicious insider were able to brute force into your Secure Shell network, CryptoAuditor’s network-based access controls would restrict the types of activities that identity could engage in while in the network. For instance, if a sys admin’s identity was compromised and that identity was authorized to access a given system, with CryptoAuditor’s access control capabilities you could prevent that identity from running a file transfer command, thereby thwarting the attack.
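The checks described in reasons 4 and 5 (off-hours use of a user's key, a machine identity reaching a workstation, and a blocked file transfer for a restricted identity) can be expressed as policy evaluated over SSH session metadata. The example below is added here to illustrate that idea; it is not CryptoAuditor's code and does not use its API. The session records, field names, and policy tables are constructed assumptions standing in for what an inline SSH monitor would record about each session.

```python
from datetime import datetime

# Constructed sample session metadata (not real logs). An inline SSH monitor
# that can inspect sessions would know at least the identity, the target,
# the time and the requested action (shell, sftp, scp, ...).
SESSIONS = [
    {"id": 1, "identity": "bob", "kind": "user", "dest": "erp-db01",
     "dest_role": "server", "when": "2014-04-05T02:10:00", "action": "shell"},
    {"id": 2, "identity": "bob", "kind": "user", "dest": "erp-db01",
     "dest_role": "server", "when": "2014-04-02T10:30:00", "action": "shell"},
    {"id": 3, "identity": "svc-billing", "kind": "app", "dest": "wh-01",
     "dest_role": "server", "when": "2014-04-02T03:00:00", "action": "sftp"},
    {"id": 4, "identity": "svc-billing", "kind": "app", "dest": "lt-jsmith",
     "dest_role": "workstation", "when": "2014-04-02T11:05:00", "action": "sftp"},
    {"id": 5, "identity": "alice-admin", "kind": "user", "dest": "erp-db01",
     "dest_role": "server", "when": "2014-04-02T14:00:00", "action": "scp"},
]

# Hypothetical policy: business hours for interactive (carbon-based) users,
# the destinations each machine identity is expected to talk to, and
# identities that may log in but must never transfer files.
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59, Monday to Friday
M2M_ALLOWED_DEST = {"svc-billing": {"wh-01", "wh-02"}}
NO_FILE_TRANSFER = {"alice-admin"}
FILE_TRANSFER_ACTIONS = {"sftp", "scp"}


def evaluate(session):
    """Return (decision, reasons) for one session.

    decision is 'allow', 'alert' (anomalous, let through but investigate)
    or 'block' (a network-level access control denies the action).
    """
    reasons = []
    ts = datetime.fromisoformat(session["when"])
    off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

    # Reason 4, user side: a person's key used at an unusual time.
    if session["kind"] == "user" and off_hours:
        reasons.append("off-hours interactive access")

    # Reason 4, M2M side: an application identity talking to something
    # other than the servers it is known to exchange data with.
    if session["kind"] == "app":
        allowed = M2M_ALLOWED_DEST.get(session["identity"], set())
        if session["dest"] not in allowed or session["dest_role"] != "server":
            reasons.append("machine identity reaching unexpected destination")

    decision = "alert" if reasons else "allow"

    # Reason 5: even an authorized identity can be stopped from running
    # a file transfer if policy says it should never do so.
    if (session["identity"] in NO_FILE_TRANSFER
            and session["action"] in FILE_TRANSFER_ACTIONS):
        reasons.append("file transfer denied for this identity")
        decision = "block"
    return decision, reasons


def scan(sessions):
    """Evaluate every session and return a mapping of session id to verdict."""
    return {s["id"]: evaluate(s) for s in sessions}


if __name__ == "__main__":
    for sid, (decision, reasons) in scan(SESSIONS).items():
        print(f"session {sid}: {decision} {reasons}")
```

Session 1 (Bob's key on a Saturday at 02:10) and session 4 (the billing service pushing data to a laptop) are flagged for investigation, session 5 is blocked outright because the admin's identity is not permitted to transfer files, and the remaining sessions pass. The point of the design is that the decision is made from session metadata at the network layer, so it applies equally to interactive users and to the machine identities a jump server never sees.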


by Jason Thompson, Former Vice President of Worldwide Marketing
Jason served as Vice President of Worldwide Marketing until October 2014.