Transcription
TECHNICAL BRIEFCloudSOC AUDIT (Shadow-IT)POC Master Document1. Introduction1.1ObjectivesThis Proof of Concept (POC) guide has been built by the SE Community for the SE Community with the aim to provide a single source ofcontent and guidance around the high-level architecture, system requirements, prerequisites, and implementation details in order toprepare and conduct POCs for Symantec’s CASB AUDIT (Shadow-IT) solutions, by describing common use cases encountering during POCs.1.2Definition of CASBCloud Access Security Brokers (CASBs) serve as a critical control point to ensure the secure and compliant use of cloud apps andservices. Cloud service providers typically maintain a shared responsibility policy for security—they guarantee the integrity of theirservice infrastructure, but the customer is responsible for securing actual app usage. In addition to the growing cloud security challengesorganizations face to safeguard data and protect against threats in the cloud, total volume of cloud app adoption is accelerating, withmost of it being done by business units and employees without approval or security oversight from the IT organization. As a result, CASBfunctionality has become so critical that by 2020 it is projected that 80% of enterprises will use a CASB solution. (Gartner)Symantec’s CASB solution is CloudSOC , a CASB solution that integrates seamlessly with Symantec DLP, Endpoint Security (SEP), SecureWeb Gateways (ProxySG, WSS), authentication (VIP), field- level Tokenization/Encryption (CDP), and file-level encryption (ICE). Together,these integrated solutions bridge the gaps between CASB and existing cloud and on-prem security solutions to protect customers appsand data, no matter where they or users reside.At the time of writing this Guide, the Symantec CASB portfolio consists of the following core featuresThis document will focus on Cloud App Visibility or what is also called the AUDIT feature in Symantec’s CloudSOC .
1.3Defintion of AUDITSymantec CloudSOC Audit discovers and monitors all the cloudapps being used in your organization and highlights any risks andcompliance issues they may pose by supporting the following: Uncover Shadow ITοο Gain visibility into all the cloud apps used within yourcompany and their detailed Business Readiness RatingsTM. Monitor Risk and Complianceοο Identify high-risk cloud apps and provide executive reportsregarding your organization’s risk profile tailored to yourunique security requirements. Make smart App Choicesοο Compare cloud apps side-by-side, consolidate on the mostsecure alternatives, and continuously monitor usage forcompliance enforcement and cost containment. Integrate with Web Security Leverage integrations with Symantec Secure Web Gateways,including ProxySG and Web Security Service (WSS) to uncoverShadow IT in SWG traffic and apply granular policy controls toShadow ITThe Audit application ingests logs from NG firewalls and othersecurity proxy devices to perform its Shadow IT analysis. Inorder to meet privacy needs and regulations, customers can alsoanonymize and compress log information with Symantec’s onprem virtual appliance SpanVA, prior to log streaming. Logs areprocessed and results are available in the CloudSOC Audit App.1.4Definition of Proof of ConceptA Proof of Concept (POC) is an installation of our solution in thecustomer’s test environment with the aim to both demonstratethe compatibility with the customer’s environment as well asproving that the solution will cover the customer’s business needsthat were previously discussed, either in the form of use cases orarchitectural requirements.All AUDIT related documentation can be found by selecting ‘Audit’or directly following this deep s/200664540-AuditAll sections below will provide deep links to related Tech Noteswhere applicable. You need to be signed in and have the on-linehelp opened for these links to work.3. AUDIT ArchitecturesTo perform a Shadow IT Audit we can offer several ways to meetthe customer’s requirements and currently installed base. Thissection provides a brief overview of them.3.1Cloud based Architecture2. Related DocumentationCloudSOC provides an always up-to-date knowledge base anddocumentation repository (Tech Notes) about all features andfunctions. They can be accessed directly from the CloudSOC GUI:Access logs will be directly uploaded to CloudSOC. If required PIIrelated information can be tokenized within CloudSOC and revealedeither by using roles based access control or a strict 4-eye-principleutilizing a DPO role (Data Protection Officer).Related Tech Notes:Tech Note--Managing Data Sources for the Elastica Audit App.pdfTech Note--Managing CloudSOC User Privacy Features.pdfPOC GUIDE: CLOUDSOC AUDIT SHADOW-IT02
3.2Hybrid ArchitectureIn this architecture an on-prem virtual appliance (SpanVA) is usedto locally collect the access logs and after processing transmittingthem to CloudSOC over a secure channel. SpanVA offers multiplecommunication options to local data stores and can act both asclient or server for various protocols. In addition SpanVA canbe used to perform local tokenization of PII with the advantagethat PII is never being transmitted to CloudSOC. The same4-eye-principle as mentioned above can be used to reveal useridentities utilizing a DPO role. SpanVA can be downloaded from thecustomer’s CloudSOC tenant under Settings - Elastica SpanVA:3.3On Premises ArchitectureExisting ProxySG customers can leverage the integration of AUDITinto the ProxySG/ASG/VSWG and Reporter/Management Centre.These components can source the complete catalogue of ratedcloud applications from the Symantec Global Intelligence Network(GIN) as part of the AUDIT subscription license and have beenenhanced to provide Shadow IT analysis and control.At the same time the customer can still use the cloud or hybridarchitecture in parallel as described above.In addition this architecture provides the following uniqueadvantages: No need to send access logs to CloudSOC Use Management Centre as a ‘single pane of glass’ for allanalysis and reporting including URL categories & risks, filereputation, AV & users Provides access to the raw access logs Control Shadow IT with enhanced policy options on ProxySGTo use this architecture a few firmware and license requirementsmust be met: ProxySG / ASG / VWSGοο SGOS 6.6 οο CASB AUDIT Subscriptionοο If URL Filtering is also used: Standard or AdvancedIntelligence Services (BCWF perpetual license is notsupported)Related Tech Note:Tech Note--Installing and Configuring SpanVA.pdf Reporterοο Starting with Version 10.1.4.2 Management Centerοο Starting with Version 1.7.1.2Related Tech Note:Tech Note--Using Elastica Audit App Feed in Blue Coat ProxySGPolicies.pdfPOC GUIDE: CLOUDSOC AUDIT SHADOW-IT03
3.4 Integration with Symantec CloudWeb Security Service (WSS)Select the vendor and check the available log formats:This integration allows new and existing WSS customers toautomatically stream their WSS access logs to CloudSOC toperform Shadow IT analysis in their tenant. It is extremely easyto set up and requires no additional resources from the customerside.Related WSS ol/Solutions/ManageWebApps/CASB/casb audit.htm4. POC PreparationBefore you engage in or commit to a POC, please engage with thecustomer to discuss the following points.Confirm Scope; Environment/BoundariesCheck for supported Vendors/LogsCheck if their Proxy/NGFW Firewall and their log formats aresupported by AUDIT. Since CloudSOC is updated very frequentlycheck directly in the GUI by creating a new ‘Data Source’ inAUDIT- Device Logs:POC GUIDE: CLOUDSOC AUDIT SHADOW-ITGet detailed instructions on required log fields and any vendorspecific special requirements from the applicable Tech ns/200664540AuditIn the unlikely event that the customer’s vendor or log formatis not listed, ‘Elastica Flex’ can be used which requires specialparser configuration and verification. Please engage with aSymantec specialist in this case.Agree on an AUDIT ArchitectureOnce vendor and log format support have been confirmed agree onone of the architectures discussed above.Document Business driversWhile there is always great interest in getting a free Shadow ITanalysis, it is important to discover any specific business driversearly on. This should ideally already have taken place in the demothat should have preceded the PoC where the advantages of AUDITwere presented.Define Success Criteria and POC GoalsIf business drivers are known define the success criteria forthe PoC in order to meet these drivers. Help the prospect tounderstand the business value of AUDIT by discussing the points insection 1.3.04
At this stage – without knowledge of the actual AUDIT results,prospects most likely want to have the following criteria includedwhich may vary on the architecture chosen: Easy set-up and integration Expressive reports Automated reporting Anonymization and 4-eye-principle RBAC Minimal overhead operationSee below table for a more detailed list of test cases to choose from:IDTest CaseDescriptionBenefit1.1Import Firewall or Proxylogs into CloudSOCProvide a data source for SaaS app usage analysis. This can bedone via browser upload, SCP/SFTP or Elastica’s on-prem virtualappliance (Elastica SpanVA)Ease and flexibility of deployment1.2Anonymize PII in logsbefore importUse the log anonymization option in the CloudSOC or the on-premvirtual appliance to clear user-identifiable information beforeprocessing.Meet specific compliance or contractualregulations concerning personal information1.3Inventory of all cloudapps that employees useUse Audit application to inventory all SaaS apps - includingunsanctioned apps (Shadow IT)Visibility into all cloud apps used. Discover thescale and impact of Shadow IT. Help in creating acloud app strategy for the organization based oncloud app usage and enterprise readiness of apps1.4Establish BusinessReadiness Rating and provide riskcategorization of cloudappsDetailed analysis of each cloud app reveals its Business ReadinessRating summarizing 60 1.5Overview oforganization’s SaaSusage and Risk ProfileAudit Summary dashboard provides key metrics across differenttime horizons including a company-wide Audit ScoreSaaS usage adoption summary, trends, and riskimpact to the organization.1.6Executive SummaryViewsViews on Audit dashboard: Top risky apps and most used appsincluding top users and hosting locations of these appsAccess to key information provided right upfront1.7Monitor cloud app useover timeView historical usage over time e.g. last week(s), month(s) or year(s)Continuous Shadow IT Audit and risk assessmentto stay compliant.1.8Discover apps that arerisky and frequentlyusedFilter risky (high or medium risk) apps from the Services tab. Sort bytraffic, count of users or sessions.Uncover risky apps that can place company’s datasecurity and compliance in jeopardy1.9Apply predefinedand custom tags todiscovered cloud appsindividually or as a bulkFilter and report on apps based on predefined or custom criteriaEase of analysis and data modelling1.10Identify apps thatemployees have recentlyadopted which may beriskyFilter new services that have appeared in your environment in agiven time duration including any risky appsCatch apps just-in-time and take further action toeither monitor, sanction or define policies in theFW/proxy to block1.11Identify most usedapps that may not besanctionedSort services by count of users, traffic or sessions in the Service TabUnderstand cloud adoption in the enterprise anddetermine if they may be safe to use1.12Discover most activeusers in the enterpriseincluding ones that usethe most number ofservices, risky servicesor drive the most trafficSort users by count of services, traffic or sessions in the Users Tab.Inspect the usage of top users.Helps prioritize time and focus efforts1.13Discover apps thatfail to meet securityor compliancerequirementsFrom Audit preferences, set the importance of a criteria that yourequire to Must-Have. Filter on Knocked-out services to identifyapps that fail to meet your security requirements such as MFAHelp stay in regulatory compliancemetrics across seven dimensions. Apps categorized into high,medium or low risk categoriesPOC GUIDE: CLOUDSOC AUDIT SHADOW-ITRisk classification and enterprise readiness ofcloud apps05
IDTest CaseDescriptionBenefit1.14Discover appsthat are hostedin locations thatviolate regulatoryrequirementsFrom Destinations tab, identify any such locations from themap. Apply filter on the location and discover apps or users ofthese apps from respective tabs.Help stay in regulatory compliance.1.15Identify multipleapps across the samecategoryFilter respective category in the Service Tab such as FileSharing.Opportunities for streamlining and costreduction. Reduce cost to monitor and securemultiple apps.1.16Analytics andadvancedvisualizationMultiple pivot views or tabs (services, users, destinations),easy-to-use filters, time scale adjustments.Aid in deeper analysis.1.17Side by Sidecomparison of CloudAppsnt reportsUse “Compare Services” within Audit to compare key SaaSapps. This functionality aids in developing a cloud appstrategy.Helps organizations decide which apps can beused as alternatives to risky apps. Proactivelyengage business to develop strategy for secureadoption of Cloud Apps.1.18ComprehensiveShadow IT Audit riskassessment reportsGenerate Cloud Services Risk Assessment Reports from AuditSummary dashboard. Reports include executive summariesalong with a list of discovered services and recommendations.Many benefits, including cloud app licensemonitoring, deciding on geofencing policies,determining which apps should be encouragedand which should be eliminated.1.19Executive SummaryInfographicsGenerate summary infographics on-demand from AuditSummary dashboard.Simple one-page summaries for businessexecutives.1.20Automated ShadowIT ReportsDelivers periodic customized reports via email to criticalstakeholders in the organization containing tailoredinformation for their specific role (e.g. new services within last24 hrs, week etc.).Keep multiple stakeholders from differentdepartments informed on an on-going basis.1.21Predefined andcustom Tags andComments forServicesTag services with predefined and custom tags for easiersorting and overview. Apply comments on services.Work collaboratively on Shadow-IT analysis.Easier sorting and filtering.1.22Custom Graphs andReportingCreate custom graphs and reports that can be run andexternalized by a schedule.Zoom in on specific information and keepmultiple stakeholders from differentdepartments informed on an on-going basis.1.23Export data foroffline analysis andprocessingExport available on multiple pages in Audit.Benefits include using the data to set accesscontrols at the proxy/firewall through blockingof unsanctioned apps.1.24Enable ProxySG/ASGwith Audit App-FeedUse the complete catalogue of cloud services, their BRR or justspecific BRR attributes in granular access policies.Efficiently control shadow IT and leverageautomated updates to the catalogue of servicesand their ratings.1.25Evaluate cloudapp that you areconsidering ofadopting“Find Services” under Audit and research and compare withother apps.Dramatically reduce cloud service provider (CSP)vendor evaluation time.1.26Central managementof multiple virtual onprem appliancesMonitor status and utilization from a central point.Automatically distribute upgrades to multiple on-premappliances.Ease administrative burden in large scaledeployments.1.27Detect anomaloususer behavior andcorrelate betweenmultiple appsApply a threat score to user accounts based on staticthresholds and behavioral analysis.Pinpoint existing risks such as account take-overor data exfiltration.Define Key Stakeholders and technical Decision-MakerAn AUDIT PoC involves several groups within an enterprise. Among all of them make these definitions. While the driver will usually be partof the security department, the people providing/uploading the logs and setting up SpanVA will usually be part of IT operations. In someinstances a workers council or DPO might also need to be involved.POC GUIDE: CLOUDSOC AUDIT SHADOW-IT06
Determine Timescale: Clear Start & End Dates7.In order to get results that represent normal cloud app usage thetime frame covered by the logs should be at least one week but notto exceed four weeks.Short review by yourself and clarification of some unclearresults with the prospect8.Result review and documentation9.POC review meeting with the prospectProcess some Sample LogsExperience has shown that processing some sample logs beforethe start of the POC makes it a much better experience for you andthe prospect. This specifically holds true if logs won’t be providedfrom ProxySG. Ask the prospect to provide one or two small logfiles that you can run in your CloudSOC tenant.Make sure that the logs process without any error and allinformation shows up in the AUDIT screen. Here a list of items tocheck even if logs are processed successfully: Up- and downloaded bytes Correct identification of users / IP addresses Destinations Platforms BrowsersIf needed ask the prospect to make changes to the logs so that allneeded information will be present for the upcoming POC.This step not needed for the WSS integration.Establish MilestonesTypical milestones in an AUDIT POC would be:1.Preparation call and documentation of outcome. Thecall should cover all of what has been discussed above(architecture, vendor, time frame, stakeholders, etc.)2.Process sample logs3.Request & creation of the prospect’s CloudSOC tenantfollowing Symantec’s eval process4.Quick webex with prospect to perform tenant baseconfiguration & GUI walk through5. Selected MilestoneDetailsThis section provides more details about some of the milestonesmentioned above. Result Review & Documentation will be dealtwith later in this document.5.1 CloudSOC Tenant Creation andActivationThe prospect’s tenant is requested based on the Symantecevaluation guidelines by a Symantec SE. The following informationmust be provided do so: Customer Domain (e.g. company.com) CloudSOC tenant geo location (US or EU) Contact details of the prospect’s CloudSOC system admin(name, email) Approximate number of usersOnce the tenant is created the prospects admin (from above)will receive an email from ‘noreply@elastica.net’ to activate hisaccount by setting his/her password.Ask the admin to inform you when this has been performed andproceed to the next milestone.5.2Tenant basic ConfigurationEngage on a Webex with the prospect to perform basicconfiguration tasks.Set the time zone:a. Set time-zone (Settings - General)b. Create additional administrative accounts and RBAC ifneeded (Users)c. Adjust ‘Privacy Settings’ (Settings - Privacy)5.Prospect’s preparations including:a. Changes to log files, if neededb. Installation and integration of SpanVAc. Changes to firmware releases for on-prem architecture6.Uploading logs and verification of correct parsingPOC GUIDE: CLOUDSOC AUDIT SHADOW-IT07
Adjust Privacy Settings (for anonymization):As highlighted above, search for the lines starting with ‘Found newfile’ and ‘Uploading file’.In CloudSOC correct upload and processing of sample logs can beverified under Audit - Device Logs:Related Tech Note: Tech Note--Managing CloudSOC User PrivacyFeatures.pdfAdd additional administrators and create ‘Access Profiles’ (RBAC)and DPO account if needed:Note: Log files arriving in CloudSOC will be queued forprocessing while PoC tenants might get lesser priority than thoseof paying customers. For this reason you should allow up to 4hours (Web Upload) or even 8 hours (SpanVA Upload) until thestatus turns ‘green’.Related Tech Note: Tech Note--Using CloudSOC Access Profiles.pdfNote that any new user added needs to activate hi
Once vendor and log format support have been confirmed agree on one of the architectures discussed above. Document Business drivers While there is always great interest in getting a free Shadow IT analysis, it is important to discover any specific business drivers early on.
