Identify Vulnerabilities. Enforce Policies. Detect Anomalies.

Analyst Coverage

“Cybercriminals are known to steal SSH keys or manipulate which keys are trusted to gain access to source code and other valuable intellectual property” Read More

“Advanced threat detection provides an important layer of protection but is not a substitute for securing keys and certificates that can provide an attacker trusted status that evades detection.” Read More

"Basically, the enterprise is a sitting duck."

"PKi is under attack...Advanced and persistent adversaries go for keys" Read More

"When there are many hundreds of certificates from a variety of certificate authorities, the only ecumenical [universal], nonproprietary provider of a certificate management solution is Venafi. Other CA management systems are biased toward the particular CA by, for example, only supporting renewals from that specific CA." Read More

"No CISO could consider having tens of thousands of unknown network ports open and have no way to control them. But that’s the alarming reality today with regards the trust established by keys and certificates..." Read More

"Organizations with roughly 200 or more documented X.509 certificates in use are high-risk candidates for unplanned expiry and having certificates that have been purchased but not deployed." Read More

"Technology critical to cloud computing is in clear and present danger...attacks on Secure Shell (SSH) keys present the most alarming threat arising from failure to control trust." Read More

“Certificates can no longer be blindly trusted” Read More

“Just because something is digitally signed doesn't mean it can be trusted.”

“Enterprise awareness of attacks on keys and certificates is in its infancy; most don’t understand how to detect or respond to an attack.” Read More

TrustAuthority SSH

According to Ponemon Institute, more than 50% of organizations do not have centralized Secure Shell (SSH) key security. 74% do not enforce SSH security policies at all or rely on a documented manual process. Moreover, 51% of organizations surveyed have been compromised in the last 2 years as a result of SSH key misuse.

SSH allows systems administrators to have elevated privileges, bypassing authentication mechanisms on the host. By using a stolen SSH private key, an adversary can gain rogue root access to an enterprise network, bypassing all the security controls put in place. Because organizations have no SSH security policies, SSH oversight, or ability to respond to an SSH-based attack, cyber-criminals are using SSH as an attack vector at an ever-increasing rate.

Venafi TrustAuthority, part of Venafi Trust Protection Platform, quickly establishes a comprehensive inventory of an organization’s SSH environment via agentless and agent-based technologies. TrustAuthority maps trust relationships between hosts and users, identifying keys that do not meet corporate standards and enforcing policies. As a result, organizations can establish a baseline of SSH key usage. Real-time monitoring enables organizations to detect any changes to authorized key lists, key additions and deletions, and other configuration changes, and notify systems administrators for remediation. The result is increased visibility into the SSH inventory and a reduced risk exposure to vulnerabilities. Specifically, organizations:

  • Increase threat intelligence
  • Reduce their attack surface
  • Gain insight and control over the entire inventory of SSH keys
  • Achieve compliance and audit success

What It Does

TrustAuthority identifies SSH keys and continuously monitors these keys to detect anomalies. By mapping the trust relationship between hosts and users (via agentless and agent-based technologies), TrustAuthority establishes a baseline of normal SSH key usage in the enterprise network. In real-time, the policy framework helps identify SSH key changes that include key deletions and additions and configuration changes, and then notifies the appropriate systems administrator to take action. TrustAuthority includes full audit logging and reporting for any action performed in the console.

Discovery and Monitoring

Agentless and agent-based technologies are used to quickly establish a clear understanding of the SSH key inventory in an enterprise network. Once a baseline—which is derived from the policies configured in TrustAuthority—is established, TrustAuthority maps the trust relationships between hosts and users so that it is easy to identify any orphaned or rogue SSH keys.

Anomaly Detection

TrustAuthority continuously monitors the SSH inventory in real-time for any SSH key anomalies. These anomalies may include SSH key changes such as key deletions and additions and configuration changes. Any changes that do not match the baseline configuration are immediately reported so that a systems administrator can take action.

Reporting and Auditing

Automated reporting on all SSH key discovery data includes an entitlement report, an authorized users report, a server summary, and more. TrustAuthority also provides detailed reports on all logged SSH key events and actions, enabling organizations to validate that they are meeting internal and external compliance requirements.

Notifications and Escalations

Proactive event notifications alert systems administrators to specific key events and actions, ensuring organizations can quickly remediate any anomaly detected and remain in compliance with internal and regulatory policies.

Support for an Extensive Ecosystem

TrustAuthority can discover Attachmate, OpenSSH, and SSH Communications SSH keys (including RSA1, RSA, and DSA SSH keys) and SSH servers, and identify trust relationships with other systems acting as SSH clients. It can also identify keys that do not meet corporate encryption standards and locate lost, orphaned, or unused keys.

Why It's Important

TrustAuthority helps organizations secure their SSH key inventory, identity vulnerabilities, and remediate those vulnerabilities. Organizations can reduce the risk exposure of a data breach by:

  • Gaining insight into the SSH inventory
  • Applying policies to SSH keys
  • Understanding how keys are used
  • Mapping the trust relationships between keys and users

Increase Threat Intelligence

Cyber-criminals take advantage of the trust SSH establishes, stealing high-value keys and inserting keys to elevate their privileges in the network. Without visibility into how SSH keys are used within the network, an enterprise cannot detect these threats and defend against attacks on keys. TrustAuthority first establishes a baseline of SSH key usage. It then enables organizations to discover rogue keys that have potentially been injected into the network or changes to SSH key configurations that do not comply with policy and may indicate malicious activity. With TrustAuthority, organizations can:

  • Discover keys that use weak encryption, rendering them vulnerable to well-known exploits
  • Discover mismanaged and rogue keys that expose organizations to unauthorized access
  • Establish a baseline of SSH key usage

Reduce Incident Detection Time

The longer it takes for an organization to respond to a breach using compromised or rogue SSH keys, the more data the organization loses. The organization suffers untold cost through the loss of intellectual property and brand damage. According to the Ponemon Institute, it takes every organization an average of 32 days to respond to a breach. Through real-time monitoring, TrustAuthority enables organizations to discover SSH key anomalies that do not comply with baseline settings, thereby quickly detecting a compromised SSH key. TrustAuthority drastically reduces the time it takes organizations to respond to a breach related to compromised SSH keys.

  • Detect anomalies such as key deletions and addition and configuration changes
  • Monitor SSH key usage

Achieve Compliance and Audit Success

SSH is used for privileged administrative and application access accounts, which are governed by regulations such as Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and Basel III. TrustAuthority provides an up-to-date inventory of all SSH key pairs and tracks whether they meet the internal and regulatory compliance requirements necessary to achieve audit success.

  • Map trust relationships among hosts, users, and user groups
  • Log SSH key events for auditing and reporting

How It Works

Agentless and Agent-Based Discovery

High-performance network and agent-based discoveries identify where all the supported SSH keys and SSH servers are deployed across the enterprise.

Identifying and Controlling Trust Relationships

After TrustAuthority identifies the SSH servers, systems administrators can run agent-based discovery on the SSH servers to identify the trust relationships with other systems acting as SSH clients. Administrators deploy the agent on the clients to determine the full key dependencies and trust relationships.

Trust Map

TrustAuthority correlates all agentless and agent-based discovery results to create a comprehensive inventory of SSH keys and their corresponding configuration information. It also maps all the keys and trust relationships, enabling organizations to implement consistent security policies and ensure systems availability. As a result, systems administrators have a clear trust map of all hosts, users, and user groups that are authorized to use the respective SSH keys.

Generate SSH Reports

Using data from agentless and agent-based discoveries, TrustAuthority can generate reports that inventory all SSH servers, map trust relationships between hosts and users, identify keys that do not meet internal and external compliance standards, send alerts about any SSH key configuration changes, and identify lost, orphaned, or unused keys.