Tracking the user to support the security teams

One of the big focus points for security today is Security Intelligence. IBM, HP, Symantec and others are all looking to profile users, apps, servers and even M2M communications in order to detect early signs of Advanced Persistent Threats (APTs).

According to Facey, this plays to Bomgar’s existing strengths: “Whenever someone has authenticated on the Bomgar system, what they do next is authenticated in text and video. Everything is recorded. This system was originally designed around remote access so, for example, people connecting in to fix or repair a server where you wanted to see what they were doing.”

Those recordings are important because they capture the remote screens the user is working on, so that an investigator can replay what was done to establish how a breach occurred or to examine anomalous behaviour. However, there is a serious issue here from a privacy and security perspective: if user interaction is tracked by capturing the screen, anything the user does that involves passwords can be captured as well.

It is not unreasonable that customers could deploy the Bomgar solution in a supply chain environment to provide remote access to customers and suppliers. Facey admits that this is something customers are already doing. As a result it is reasonable that a customer logged into the system to look up stock levels might go on and place an order. If part of that process includes making an online payment, then their banking and payment details could be captured.

Facey’s response was: “We use white lists and black lists to control what is and isn’t captured. If this was part of a system where a customer was placing an order after browsing an online catalogue, we could block the recording of the payment part of the order.”
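The allow-list/deny-list control Facey describes is simple to reason about once written down. The following is an added illustration, not Bomgar's code: a capture policy that examines each screen frame of a recorded session and decides whether to record it, store it with password fields masked, or drop it entirely, with the deny list taking precedence so a payment page is never stored even when its host is otherwise allowed. The policy patterns, URLs and session frames are constructed for the example, and the `has_password_field` flag stands in for whatever signal a real capture agent would use to notice password entry.

```python
import fnmatch
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Decision(Enum):
    RECORD = "record"   # store the frame as captured
    REDACT = "redact"   # store the frame with the password field masked
    DROP = "drop"       # do not store the frame at all


@dataclass(frozen=True)
class Frame:
    session_id: str
    url: str                  # page the remote user is on (constructed sample data)
    has_password_field: bool  # hypothetical flag set when a password input has focus


@dataclass(frozen=True)
class CapturePolicy:
    allow: Tuple[str, ...]    # glob patterns; an empty tuple means everything is allowed
    deny: Tuple[str, ...]     # glob patterns; a deny match always wins
    redact_password_fields: bool = True

    def decide(self, frame: Frame) -> Decision:
        url = frame.url.lower()
        # Deny list is checked first, so a checkout page is dropped even though
        # its host is on the allow list.
        if any(fnmatch.fnmatchcase(url, p) for p in self.deny):
            return Decision.DROP
        if self.allow and not any(fnmatch.fnmatchcase(url, p) for p in self.allow):
            return Decision.DROP
        # Password entry is never stored in clear, whatever the page.
        if self.redact_password_fields and frame.has_password_field:
            return Decision.REDACT
        return Decision.RECORD


def apply_policy(policy: CapturePolicy,
                 frames: Iterable[Frame]) -> Tuple[List[Tuple[str, Decision]], Dict[Decision, int]]:
    """Apply the policy to a stream of frames.

    Returns an audit trail of (url, decision) per frame, so an investigator can
    see that gaps in a recording were policy decisions rather than tampering,
    plus a per-decision count for reporting.
    """
    audit: List[Tuple[str, Decision]] = []
    counts: Dict[Decision, int] = {d: 0 for d in Decision}
    for frame in frames:
        decision = policy.decide(frame)
        audit.append((frame.url, decision))
        counts[decision] += 1
    return audit, counts


# Constructed sample policy: record the catalogue and intranet, never the checkout.
SAMPLE_POLICY = CapturePolicy(
    allow=("https://shop.example/*", "https://intranet.example/*"),
    deny=("*/checkout/*", "*/payment*", "https://bank.example/*"),
)

# Constructed sample session: browse stock, log in, fill a cart, pay, stray to a bank site.
SAMPLE_FRAMES = [
    Frame("s-001", "https://shop.example/catalog/stock", False),
    Frame("s-001", "https://shop.example/login", True),
    Frame("s-001", "https://shop.example/cart", False),
    Frame("s-001", "https://shop.example/checkout/payment", False),
    Frame("s-001", "https://bank.example/verify", True),
]


def run_sample() -> Tuple[List[Tuple[str, Decision]], Dict[Decision, int]]:
    return apply_policy(SAMPLE_POLICY, SAMPLE_FRAMES)


if __name__ == "__main__":
    audit, counts = run_sample()
    for url, decision in audit:
        print(f"{decision.value:6}  {url}")
    print({d.value: n for d, n in counts.items()})
```

Two design points are worth noting. The audit trail is kept even for dropped frames, because a recording with unexplained gaps is worthless as forensic evidence; the policy decision itself is the explanation. And deny-before-allow means that a broad allow pattern for a supplier portal cannot accidentally re-enable capture of its payment pages.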

The other part of supporting security is data retention and the ability to query the data. Security teams are increasingly looking to track user, application, server and network behaviour in real-time to identify anomalies. Even those organisations not doing real-time data capture are beginning to realise that they need to keep access and profile data in order to deal with the forensic response to a data breach and to satisfy regulators.

Facey said: “Data captured by Bomgar is stored for up to 90 days on the Bomgar appliance for instant access and can be exported after that. There is a built-in degree of reporting in the product so you can query the data. We can integrate with third-party Security Information and Event Management (SIEM) systems but we don’t want to turn ourselves into one.”

That’s a perfectly reasonable response, and integration with other vendors should give Bomgar a much higher profile in the security market. What will be interesting is which companies Bomgar sees as its primary integration partners and whether it ships the integration elements as part of the next release of its software.

Conclusion

This is an interesting announcement from Bomgar, as they are taking their expertise in remote management and extending it to the cloud. In doing so they have delivered something that most companies will see as having a wider application than cloud access security alone.
