According to Ponemon Institute, more than 50% of organizations do not have centralized Secure Shell (SSH) key security. 74% do not enforce SSH security policies at all or rely on a documented manual process. Moreover, 51% of organizations surveyed have been compromised in the last 2 years as a result of SSH key misuse.
SSH allows systems administrators to have elevated privileges, bypassing authentication mechanisms on the host. By using a stolen SSH private key, an adversary can gain rogue root access to an enterprise network, bypassing all the security controls put in place. Because organizations have no SSH security policies, SSH oversight, or ability to respond to an SSH-based attack, cyber-criminals are using SSH as an attack vector at an ever-increasing rate.
Venafi TrustAuthority, part of Venafi Trust Protection Platform, quickly establishes a comprehensive inventory of an organization’s SSH environment via agentless and agent-based technologies. TrustAuthority maps trust relationships between hosts and users, identifying keys that do not meet corporate standards and enforcing policies. As a result, organizations can establish a baseline of SSH key usage. Real-time monitoring enables organizations to detect any changes to authorized key lists, key additions and deletions, and other configuration changes, and notify systems administrators for remediation. The result is increased visibility into the SSH inventory and a reduced risk exposure to vulnerabilities. Specifically, organizations:
- Increase threat intelligence
- Reduce their attack surface
- Gain insight and control over the entire inventory of SSH keys
- Achieve compliance and audit success
What It Does
TrustAuthority identifies SSH keys and continuously monitors these keys to detect anomalies. By mapping the trust relationship between hosts and users (via agentless and agent-based technologies), TrustAuthority establishes a baseline of normal SSH key usage in the enterprise network. In real-time, the policy framework helps identify SSH key changes that include key deletions and additions and configuration changes, and then notifies the appropriate systems administrator to take action. TrustAuthority includes full audit logging and reporting for any action performed in the console.
Discovery and Monitoring
Agentless and agent-based technologies are used to quickly establish a clear understanding of the SSH key inventory in an enterprise network. Once a baseline—which is derived from the policies configured in TrustAuthority—is established, TrustAuthority maps the trust relationships between hosts and users so that it is easy to identify any orphaned or rogue SSH keys.
TrustAuthority continuously monitors the SSH inventory in real-time for any SSH key anomalies. These anomalies may include SSH key changes such as key deletions and additions and configuration changes. Any changes that do not match the baseline configuration are immediately reported so that a systems administrator can take action.
Reporting and Auditing
Automated reporting on all SSH key discovery data includes an entitlement report, an authorized users report, a server summary, and more. TrustAuthority also provides detailed reports on all logged SSH key events and actions, enabling organizations to validate that they are meeting internal and external compliance requirements.
Notifications and Escalations
Proactive event notifications alert systems administrators to specific key events and actions, ensuring organizations can quickly remediate any anomaly detected and remain in compliance with internal and regulatory policies.
Support for an Extensive Ecosystem
TrustAuthority can discover Attachmate, OpenSSH, and SSH Communications SSH keys (including RSA1, RSA, and DSA SSH keys) and SSH servers, and identify trust relationships with other systems acting as SSH clients. It can also identify keys that do not meet corporate encryption standards and locate lost, orphaned, or unused keys.
Why It's Important
TrustAuthority helps organizations secure their SSH key inventory, identity vulnerabilities, and remediate those vulnerabilities. Organizations can reduce the risk exposure of a data breach by:
- Gaining insight into the SSH inventory
- Applying policies to SSH keys
- Understanding how keys are used
- Mapping the trust relationships between keys and users
Increase Threat Intelligence
Cyber-criminals take advantage of the trust SSH establishes, stealing high-value keys and inserting keys to elevate their privileges in the network. Without visibility into how SSH keys are used within the network, an enterprise cannot detect these threats and defend against attacks on keys. TrustAuthority first establishes a baseline of SSH key usage. It then enables organizations to discover rogue keys that have potentially been injected into the network or changes to SSH key configurations that do not comply with policy and may indicate malicious activity. With TrustAuthority, organizations can:
- Discover keys that use weak encryption, rendering them vulnerable to well-known exploits
- Discover mismanaged and rogue keys that expose organizations to unauthorized access
- Establish a baseline of SSH key usage
Reduce Incident Detection Time
The longer it takes for an organization to respond to a breach using compromised or rogue SSH keys, the more data the organization loses. The organization suffers untold cost through the loss of intellectual property and brand damage. According to the Ponemon Institute, it takes every organization an average of 32 days to respond to a breach. Through real-time monitoring, TrustAuthority enables organizations to discover SSH key anomalies that do not comply with baseline settings, thereby quickly detecting a compromised SSH key. TrustAuthority drastically reduces the time it takes organizations to respond to a breach related to compromised SSH keys.
- Detect anomalies such as key deletions and addition and configuration changes
- Monitor SSH key usage
Achieve Compliance and Audit Success
SSH is used for privileged administrative and application access accounts, which are governed by regulations such as Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and Basel III. TrustAuthority provides an up-to-date inventory of all SSH key pairs and tracks whether they meet the internal and regulatory compliance requirements necessary to achieve audit success.
- Map trust relationships among hosts, users, and user groups
- Log SSH key events for auditing and reporting
How It Works
Agentless and Agent-Based Discovery
High-performance network and agent-based discoveries identify where all the supported SSH keys and SSH servers are deployed across the enterprise.
Identifying and Controlling Trust Relationships
After TrustAuthority identifies the SSH servers, systems administrators can run agent-based discovery on the SSH servers to identify the trust relationships with other systems acting as SSH clients. Administrators deploy the agent on the clients to determine the full key dependencies and trust relationships.
TrustAuthority correlates all agentless and agent-based discovery results to create a comprehensive inventory of SSH keys and their corresponding configuration information. It also maps all the keys and trust relationships, enabling organizations to implement consistent security policies and ensure systems availability. As a result, systems administrators have a clear trust map of all hosts, users, and user groups that are authorized to use the respective SSH keys.
Generate SSH Reports
Using data from agentless and agent-based discoveries, TrustAuthority can generate reports that inventory all SSH servers, map trust relationships between hosts and users, identify keys that do not meet internal and external compliance standards, send alerts about any SSH key configuration changes, and identify lost, orphaned, or unused keys.