Belnet events management
Download as PPT, PDF0 likes519 views
The document discusses how to effectively handle security incidents. It recommends implementing continuous event management with tools, procedures, and integration across systems to gain visibility into the network. A four-step process of collection, normalization, indexing, and storage is proposed to analyze security data. The presentation also outlines establishing procedures for change management, incident response, and prevention through security awareness.
![Thank You! [email_address] http://blog.rootshell.be twitter.com/xme](https://image.slidesharecdn.com/belneteventsmanagement-100507072516-phpapp01/85/Belnet-events-management-25-320.jpg)
Belnet events management
- 1. Events Management or How to Survive Security Incidents Belnet Security Conference May 2010
- 2. Agenda Today's Situation How to implement a solution How to handle security incidents Examples & tools Q & A
- 3. About Xavier Mertens Senior Security Consultant @ C-CURE CISSP, CISA Security Blogger BruCON Volunteer More info? Maltego!
- 4. Introduction Some scenarios Present Source: Real-time alerts Action: Immediate investigation Past (during last week or month) Source: Reporting Action: Adapt procedures & infrastructure Investigations (smoke signal) Source: Specific Request Action: Forensics
- 5. Today's Issues Technical Networks are complex Based on non-heterogeneous components (firewalls, IDS, proxies, etc) Millions of daily events Lot of consoles/tools Protocols & applications
- 6. Today's Issues (next) Economical ” Time is Money” Investigations must be performed in real-time Downtime may have a huge business impact Reduced staff & budgets Happy Shareholders
- 7. Today's Issues (next) Legal Compliance requirements PCI-DSS, SOX, HIPAA, etc Initiated by the group or business Local laws Due diligence & due care Security policies must be enforced!
- 8. Current Situation Organizations are using good security perimeters based on proven solutions But without a clear view and control of the infrastructure Attacks become more and more sophisticated and frequent Not prepared to deal with security incidents
- 9. Requirements To handle security incidents properly organization must rely on: Tools Procedures Upstream Downstream Continuous (!) Event Management != Big Brother
- 10. Visibility More integration, more sources, more chances to detect a problem Integration of external source of information could help the detection of incidents Automatic vulnerability scans Import of vulnerabilities database Awareness
- 11. Know your Network Inventory Devices Protocols Users Behavior Bandwidth Usage EPS (Events per Second)
- 12. Procedures Boring but required! Back to the Basics: Input Change management Output Incident management Process Input Output
- 13. Change Management New devices are connected Old devices are decommissioned Users provisioning New applications are deployed Security perimeter? Still valid?
- 14. Incident Management Business first! (MTTR) Avoid decisions made urgently Keywords Understand Protect Recover Investigate
- 15. Prevention Recurrent process! Security lifecycle Require time Informations Forums Blogs Conferences
- 16. A Security Incident? Definitions An event is “ an observable change to the normal behavior of a system, environment, process, workflow or person (components). ” Incident is “ a series of events that adversely affects the information assets of an organization ” Examples? Read the press! ;-) You will face one!
- 17. Security Convergence Physical Security + Logical Security Example Geolocalization Users authentication + badge control
- 18. A Four-Steps Process Collection Normalization Index Storage
- 19. Three Actions Real-time alerts Reports ” Forensics” or ”smoke signals”
- 20. Architecture Devices Systems Applications Collectors Indexer Store Alerts Reports Search Long Term Storage
- 21. Need of a SOC? Yes but ... SOC or SPoC Directly depending on your organization size Starting with a dedicated person is enough Investments (time & money) Roles: Alerts, Reports, Investigate
- 22. Communication Mandatory step in the process Do not lie! Be transparant Online reputation Must be properly managed Think about shareholders The press Customers
- 23. Examples To follow... Apache Google Splunk To avoid... The ”Belgian Juweler”
- 24. Examples & Tools OSSEC OSSIM Apache mod_dlp Ngrep for basic DLP
- 25. Thank You! [email_address] http://blog.rootshell.be twitter.com/xme
Editor's Notes
- #2: Time: 35 minutes Q&A: 5 minutes Hello and good morning. Be patient, the lunch is coming just after my presentation…
- #3: I’ll speak about “events”. Events are normal. All your devices generate tons of events per day. But some of them may containt critical information and lead to “incident”. After an overview of the situation today in most organizations, I’ll review how to implement (basically) an event management solution. Then you’ll be able to handle security incidents. Finally, I’ll give some tips or tools to increase the detection of security incidents on your network. Of course, I’d like to make this talk interactive. Feel free to raise your hand and ask your questions.
- #4: Well about me? I’m working for C-CURE, a consultancy company focusing on security. (based in Mechelen). Involved in several types of projects Certifications Security blogger BTW, did you know that this year will be the 2 nd edition of BruCON (24-25 sep) Otherwise, maltego me! ;-)
- #5: Events are your source to investigate security issues. If we check on a timeline, events can be processed at different times: Present: “quicker is better”: generate an alert when a threat is detected on the network. Ex: Access denied for user root on server console Past: “does miss anything” : review the users management procedure once a week or moth Investigations: “looking for smoke signals”
- #6: - Technical = “bits & bytes” - Complexity comes from the business (company takeover) or the requirements (security, performance, availability) Millions of events = impossible to review manually and even => human processing leads to errors! (We are “only” poor humans) Protocols & applications -> web 2.0
- #7: “ Business is business”, organization are make to earn money. Problems detected as soon as possible -> less impact
- #8: Local law: specific data retention requirements Due diligence: ensure that risks are identified and managed Due care: “to keep in working conditions”
- #12: Inventory: avoid rogue devices!
- #15: - Understand extent and source of incident – Protect sensitive data contained on systems – Protect systems/networks and their ability to continue operating as intended and recover systems – Collect information to understand what happened Without such happened. information, you may inadvertently take actions that can further damage your systems – Support legal investigations, forensics pp g g ,
- #22: Investment : like an insurance, could be helpful “one day” SPoC = Security Point of Contact