Building a Security Operations Center Lessons Learned. active threat protection
Slide 1: Building a Security Operations Center: Lessons Learned
active threat protection
Yves Beretta, October 8, 2013

Slide 2: INTRODUCTION
10/10/2013 Building a Security Operations Center Lessons Learned Slide 2

Slide 3: Yves Beretta, Profile
- 20 years of IT experience: IT management, operations management, network security
- Built and managed a Security Operations Center for the past 7 years

Slide 4: Why a Security Operations Center?
Multiplicity and volume of cyber security threats:
- Social engineering
- Advanced Persistent Threats (APT)
- Internal threats
- Bring Your Own Device (BYOD)
- Cloud security
- HTML5
- Botnets
(Sources: Check Point / Forbes; Symantec)

Slide 5: Security Operations Center 101
- Security focused
- Operational
- Centralized
- 24x7

Slide 6: SOC: Expectations
- Watch and protect the infrastructure
- Monitor network traffic, watching for anomalies
- Protect users
- Internal and external threat detection
- Alert and escalate
- Internal and external threat mitigation
...and also:
- Monitor users
- Systems configuration
- Data Loss Prevention
- Forensics analysis
- Threat modeling

Slide 7: SOC: Functional Definition (diagram)
Network traffic and events feed the aggregation/correlation systems (IDS/IPS/SIEM/NGFW); 24x7 security analysis provides the orientation that drives the response.
Goal #1: Real-time threat detection and mitigation

Slide 8: SOC: Key Components
- Technology: monitoring, analysis, mitigation, reporting (FW, NGFW, IDS, IPS, SIEM, Web Security Gateway, AV, etc.) and its own network/air gap
- People: Security Analyst, Senior Security Analyst, Team Lead/Manager
- Process: training, monitoring, analyzing, mitigating, alerting, escalating

Slide 9: TECHNOLOGY
Slide 10: Technology: SOC Private Network
- Tap or port mirroring from: core managed switch, DMZ segment, all choke points
- Event logging / syslogging enabled and fetched to one central location
- Secure communication between IDS/IPS and management systems
- Lab (separate network, sandboxing, training)

Slide 11: Technology: Security Sensor
Role:
- Capture and store inbound and outbound network traffic
- Metadata and raw data
- Rule-based notifications
- Behaviour-based notifications
Components:
- Secure OS
- Secure communication (e.g. SSH, stunnel)
- Software suite (e.g. Snort, Suricata, EasyIDS or Security Onion [Bro, Snort, Sguil, ELSA, Snorby, etc.])
- Packet capture (e.g. tcpdump, Sguil)
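The sensor's rule-based notifications only become useful once they are condensed per host and per signature (the step the later "Events to Actionable Data" slide points at). The following is an added example, not the presenter's tooling: the record layout is modelled on Suricata's EVE JSON alert output, and the sample lines, signature IDs (local 1000000+ range) and addresses (RFC 5737 documentation space) are constructed for the demonstration.

```python
"""Condense sensor alerts into per-host, per-signature summaries an analyst can act on.

Added example. Record layout modelled on Suricata's EVE JSON alert output;
all sample records below are constructed, not captured from a real sensor.
"""
import json
from collections import defaultdict


def _alert(ts, src, dst, dport, sid, sig, severity):
    """Build one constructed EVE-style alert record (field names as Suricata emits them)."""
    return {"timestamp": ts, "event_type": "alert", "src_ip": src, "src_port": 51234,
            "dest_ip": dst, "dest_port": dport, "proto": "TCP",
            "alert": {"signature_id": sid, "rev": 1, "signature": sig,
                      "category": "Potentially Bad Traffic", "severity": severity}}


# Constructed sample: five alerts, one non-alert flow record and one malformed line,
# so the parser is exercised on the noise a real eve.json also contains.
SAMPLE_EVE_LINES = [json.dumps(r) for r in [
    _alert("2013-10-08T10:15:02.000000+0000", "10.0.0.5", "203.0.113.7", 80,
           1000001, "LOCAL Executable download from bare IP", 2),
    _alert("2013-10-08T10:15:30.000000+0000", "10.0.0.5", "203.0.113.7", 80,
           1000001, "LOCAL Executable download from bare IP", 2),
    _alert("2013-10-08T10:16:05.000000+0000", "10.0.0.5", "198.51.100.9", 80,
           1000001, "LOCAL Executable download from bare IP", 2),
    _alert("2013-10-08T10:17:00.000000+0000", "10.0.0.9", "203.0.113.50", 443,
           1000002, "LOCAL Periodic beacon to known-bad host", 1),
    _alert("2013-10-08T10:18:00.000000+0000", "10.0.0.5", "198.51.100.20", 21,
           1000003, "LOCAL Policy: cleartext FTP login", 3),
    {"timestamp": "2013-10-08T10:18:30.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "198.51.100.20"},
]] + ["not json {"]


def parse_eve(lines):
    """Yield alert records only; flow/DNS/HTTP records and malformed lines are skipped."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def summarize_alerts(lines, min_severity=3):
    """Group alerts by (source host, signature). Suricata severity 1 is the most
    severe; alerts with a severity number above min_severity are dropped.
    Returns rows sorted by severity, then by descending hit count."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dests": set()})
    for rec in parse_eve(lines):
        alert = rec["alert"]
        if alert.get("severity", 4) > min_severity:
            continue
        g = groups[(rec["src_ip"], alert["signature_id"], alert["signature"])]
        g["count"] += 1
        g["severity"] = alert["severity"]
        g["dests"].add(rec["dest_ip"])
        ts = rec["timestamp"]  # fixed-width ISO strings compare correctly as text
        g["first"] = ts if g["first"] is None else min(g["first"], ts)
        g["last"] = ts if g["last"] is None else max(g["last"], ts)
    rows = [{"src_ip": src, "signature_id": sid, "signature": sig, "severity": g["severity"],
             "count": g["count"], "distinct_dests": len(g["dests"]),
             "first": g["first"], "last": g["last"]}
            for (src, sid, sig), g in groups.items()]
    rows.sort(key=lambda r: (r["severity"], -r["count"]))
    return rows


def hosts_to_qualify(rows):
    """Distinct source hosts in priority order: the analyst's work queue."""
    seen = []
    for r in rows:
        if r["src_ip"] not in seen:
            seen.append(r["src_ip"])
    return seen


if __name__ == "__main__":
    for row in summarize_alerts(SAMPLE_EVE_LINES):
        print(row["severity"], row["src_ip"], row["count"], row["distinct_dests"], row["signature"])
    print("qualify next:", hosts_to_qualify(summarize_alerts(SAMPLE_EVE_LINES)))
```

Grouping on source host and signature, with first/last seen and the number of distinct destinations, is what lets one analyst decide whether 10.0.0.5 is one download or a host repeatedly pulling executables from several places; the raw alert stream does not show that.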
Slide 12: Technology: Security Sensor Placement (diagram)
Diagram elements: Internet, corporate firewall, DMZ switch, corporate network switch, domain controllers and servers, users, security sensor.

Slide 13: Technology: More Monitoring (diagram)
- Primary security sensor: network traffic analysis (logging, replay, intrusion detection, flows)
- Secondary security sensor: system/configuration (integrity, log analysis, shipping)
- System/configuration integrity: SIEM/logging, managed systems, flows, configuration verification
Diagram elements: domain controllers and servers, DMZ, WIFI access point, remote laptops/devices, Internet, switches, users.

Slide 14: Technology: Management System
Role:
- Visualize events
- Monitor key infrastructure and security devices
Components:
- Secure OS
- Software (e.g. LAMP, Splunk, Nagios)

Slide 15: Technology: Traffic Analysis
Role:
- Analyze events
- Qualify threats
Components:
- Secure OS
- Software (Wireshark, tcpdump)
(Screenshot: internal port scan)

Slide 16: Technology: Dashboard & Traffic Analysis (screenshots only)

Slide 17: Technology: Lab
Role:
- Run malware
- Profile malware
- Test new detection rules
- Training
Components:
- Secure VM
- Software (e.g. Cuckoo sandbox)

Slide 18: Technology: Events to Actionable Data (diagram only)

Slide 19: Technology: Physical Security
- SOC access should be restricted (policy, badge)
- Two-factor authentication when possible
- Access to the SOC should be monitored (logs)
- Activities within the SOC should be monitored (video)

Slide 20: Technology: Lessons Learned
- Technology = enabler
- Control technology
- Technology does cost money
- Craft technology so that it follows process
- It
Slide 21: PEOPLE

Slide 22: People: Roles (diagram)
Manager/Security Expert; Team Lead; Senior Security Analyst; Security Analyst; sensor on network.

Slide 23: People: Security Analyst
Skills:
- Computer/network security
- Network administration
- Analytical mindset
- Process oriented
- Attention to detail
- Ability to work shifts
- Ability to work in a fast-paced and deadline-driven environment
- Team player
- University/college graduate

Slide 24: People: Senior Security Analyst
Skills: Security Analyst + the following
- Security certifications (ISC2, ISACA, Cisco, SANS, Offensive Security, EC-Council, etc.)
- Network security experience
- Demonstrable initiative towards continuous improvement

Slide 25: People: Team Lead / Manager
Skills: Senior Security Analyst + the following
- Security background
- Process focus
- Superior interpersonal skills
- Client centric

Slide 26: People: Hiring the Right Candidates
Finding candidates:
- Targeted schools with an InfoSec or a CSI program
- Security groups (TASK, LinkedIn groups)
- Personal network
Selecting candidates:
- Test network and InfoSec knowledge
- Evaluate interpersonal skills
- Evaluate communication (verbal and written)
- Test resistance to pressure and stress!

Slide 27: People: Team Building
- Context: critical security operations
- People need to rely on each other
- Teamwork and collaboration first
- Invest in the team

Slide 28: People: SOC in Action (diagram)
Threat detection, qualification and eradication draws on qualified people (context, expertise, experience), technology (rule-based detection, behaviour-based detection, web traffic monitoring, executable downloads, DLP) and policies.

Slide 29: People: Lessons Learned
- Hire on core requirements, then train on specific needs
- Re-train as often as needed
- Bet on a great team rather than on a champion
- Audit knowledge and adherence to policies
Slide 30: PROCESS

Slide 31: Process: OODA Loop Workflow (diagram)
- Observe: alert intercept, client query, unfolding circumstances, outside information (other client data) and unfolding interaction with the environment produce the observations
- Orient: implicit guidance and control (SOC team lead, management), client security posture, client culture, client defense template, previous experience (history), new information (deep dig)
- Decide: decision (hypothesis)
- Act: action, unfolding interaction with the environment
Effective feedback leads to appropriate action taken.

Slide 32: Process: Training
- Threat landscape and attacks
- Specific tools
- Specific process
- Safe practice (lab)
- Hands-on practice (shadowed)
- Include a quiz

Slide 33: Process: Scheduling
- Nights/days/weekends
- Busy vs non-busy?
- Vacations/sick, etc.
- Overtime: pay

Slide 34: Process: Threat Qualification
- Network/machine/user behaviour
- Follow the evidence
- Context
- Sandboxing
- Inspect metadata
- Identify the initiator of the traffic
- Confirm the protocol/nature of the traffic
- If web traffic is involved: check Referrer and User-Agent
- Check the traffic before and after the suspicious activity
- Inspect raw data
- Outcome: external malicious intent confirmed and/or internal host compromised
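The qualification steps for web traffic (identify the initiator, check Referrer and User-Agent, look at what the client did just before and after) can be run over proxy logs rather than by hand. The following is an added example, not the presenter's tooling: the tab-separated proxy log format (timestamp, client IP, user, method, URL, status, referrer, user agent), the log lines and the addresses are all constructed for the demonstration.

```python
"""Qualify one suspicious web request from proxy logs: who initiated it, how the
Referrer and User-Agent look, and what the same client did just before and after.

Added example. The log format and every line below are constructed; a real
deployment would read the proxy's or sensor's own HTTP log instead.
"""
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

FIELDS = ["ts", "client_ip", "user", "method", "url", "status", "referrer", "user_agent"]
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".dll", ".msi")

# Constructed proxy log excerpt: jdoe browses a news site, then fetches an executable
# from a bare IP with a different User-Agent and no Referrer, followed by a POST back
# to that host. asmith is unrelated traffic that the per-client filter must ignore.
SAMPLE_PROXY_LOG = "\n".join([
    "2013-10-08T09:58:10\t10.0.0.5\tjdoe\tGET\thttp://news.example.org/\t200\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/24.0",
    "2013-10-08T09:58:12\t10.0.0.5\tjdoe\tGET\thttp://ads.example.net/banner.js\t200\thttp://news.example.org/\tMozilla/5.0 (Windows NT 6.1) Firefox/24.0",
    "2013-10-08T09:58:14\t10.0.0.5\tjdoe\tGET\thttp://203.0.113.7/update.exe\t200\t-\tMozilla/4.0",
    "2013-10-08T09:58:40\t10.0.0.5\tjdoe\tPOST\thttp://203.0.113.7/gate.php\t200\t-\tMozilla/4.0",
    "2013-10-08T10:05:00\t10.0.0.5\tjdoe\tGET\thttp://news.example.org/story\t200\thttp://news.example.org/\tMozilla/5.0 (Windows NT 6.1) Firefox/24.0",
    "2013-10-08T09:58:15\t10.0.0.8\tasmith\tGET\thttp://intranet.example.com/\t200\t-\tMozilla/5.0 (Windows NT 6.1) Firefox/24.0",
])


def parse_log(text):
    """Parse tab-separated lines into dicts; 'ts' becomes a datetime, '-' means no Referrer."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than abort the investigation
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["referrer"] = None if rec["referrer"] == "-" else rec["referrer"]
        records.append(rec)
    return records


def qualify(records, suspicious_url, window=timedelta(minutes=2)):
    """Return the initiator, the client's traffic in the window before and after the
    first request for suspicious_url, and the findings the slide's checks produce.
    Returns None when the URL does not appear in the records."""
    hits = [r for r in records if r["url"] == suspicious_url]
    if not hits:
        return None
    hit = min(hits, key=lambda r: r["ts"])
    client = hit["client_ip"]
    before = [r for r in records if r["client_ip"] == client
              and hit["ts"] - window <= r["ts"] < hit["ts"]]
    after = [r for r in records if r["client_ip"] == client
             and hit["ts"] < r["ts"] <= hit["ts"] + window]

    findings = []
    parsed = urlparse(hit["url"])
    # Check 1: an executable pulled with no Referrer was not a click from a page.
    if parsed.path.lower().endswith(EXECUTABLE_EXTENSIONS) and hit["referrer"] is None:
        findings.append("executable fetched with no Referrer")
    # Check 2: compare the User-Agent with what this client normally sends.
    usual = Counter(r["user_agent"] for r in before).most_common(1)
    if usual and usual[0][0] != hit["user_agent"]:
        findings.append("User-Agent differs from the client's usual browser")
    # Check 3: traffic after the event: a POST back to the same host suggests a back channel.
    if any(r["method"] == "POST" and urlparse(r["url"]).hostname == parsed.hostname for r in after):
        findings.append("POST back to the same host after the download")

    return {"initiator": (client, hit["user"]), "hit": hit, "before": before, "after": after,
            "findings": findings, "host_compromise_suspected": len(findings) >= 2}


if __name__ == "__main__":
    result = qualify(parse_log(SAMPLE_PROXY_LOG), "http://203.0.113.7/update.exe")
    print("initiator:", result["initiator"])
    for f in result["findings"]:
        print(" -", f)
    print("internal host compromised?", result["host_compromise_suspected"])
```

The window around the event is the important part: the download alone is one alert, but the preceding normal browsing (with a different User-Agent) and the POST to the same host shortly after are what turn "suspicious download" into "internal host probably compromised", which is the outcome the slide asks the analyst to reach.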
Slide 35: Process: Spamming Machine
- Spamming confirmation: live tcpdump on port 25
- Rule out the mail server responding to spam
- If spamming is confirmed, kill port 25 for that machine
- Deep dig (TCP, bandwidth and web traffic) to identify the vector of infection and/or back channel(s)
- Kill back channel(s)
- Alert and request that the machine be pulled from the network and AV-scanned
- Lift the block on port 25 once the machine has been cleaned up
- Place a watch on that machine for another 24 hours
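The first, second and last steps of this procedure (confirm direct SMTP from a workstation, rule out the legitimate mail server, keep the host on watch for 24 hours after cleanup) can be applied to flow records as well as to a live tcpdump. The following is an added example, not the presenter's tooling: the flow records are constructed (internal 10.0.0.0/8 hosts, RFC 5737 external addresses), and which host is the authorized relay (10.0.0.25 here) is an assumption to be replaced with the real inventory.

```python
"""Spot a machine spamming directly on TCP/25, keep the authorized relay out of the
result, and check whether a cleaned host talks SMTP again inside its 24-hour watch.

Added example. Flow records and the relay address are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_RELAYS = {"10.0.0.25"}  # assumption: the only host allowed to send mail out


def _t(hour, minute):
    return datetime(2013, 10, 8, hour, minute)


# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # 10.0.0.5: six distinct external MX hosts on port 25 in four minutes.
    (_t(10, 20), "10.0.0.5", "203.0.113.10", 25), (_t(10, 20), "10.0.0.5", "203.0.113.11", 25),
    (_t(10, 21), "10.0.0.5", "198.51.100.12", 25), (_t(10, 22), "10.0.0.5", "198.51.100.13", 25),
    (_t(10, 23), "10.0.0.5", "192.0.2.14", 25), (_t(10, 24), "10.0.0.5", "192.0.2.15", 25),
    (_t(10, 24), "10.0.0.5", "203.0.113.7", 443),  # not SMTP: ignored here
    # 10.0.0.25 is the relay doing its job (must be ruled out).
    (_t(10, 20), "10.0.0.25", "203.0.113.20", 25), (_t(10, 21), "10.0.0.25", "203.0.113.21", 25),
    (_t(10, 22), "10.0.0.25", "198.51.100.22", 25), (_t(10, 23), "10.0.0.25", "198.51.100.23", 25),
    (_t(10, 24), "10.0.0.25", "192.0.2.24", 25), (_t(10, 25), "10.0.0.25", "192.0.2.25", 25),
    # Inbound mail to the relay: external source, not our problem.
    (_t(10, 26), "198.51.100.5", "10.0.0.25", 25),
    # 10.0.0.8 talked to one external MX once: below threshold, worth a look at most.
    (_t(10, 30), "10.0.0.8", "203.0.113.30", 25),
]


def smtp_talkers(flows, relays=MAIL_RELAYS):
    """Group outbound TCP/25 flows by internal source host, excluding the relays."""
    talkers = defaultdict(lambda: {"dests": set(), "count": 0, "first": None, "last": None})
    for ts, src, dst, dport in flows:
        if dport != 25 or src in relays:
            continue
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # inbound mail to our server, not a host of ours sending
        t = talkers[src]
        t["dests"].add(dst)
        t["count"] += 1
        t["first"] = ts if t["first"] is None else min(t["first"], ts)
        t["last"] = ts if t["last"] is None else max(t["last"], ts)
    return talkers


def suspected_spammers(flows, min_distinct_dests=5):
    """Hosts whose fan-out on port 25 looks like direct spamming, not a user's mail client."""
    return {src: {"distinct_dests": len(t["dests"]), "count": t["count"],
                  "first": t["first"], "last": t["last"]}
            for src, t in smtp_talkers(flows).items() if len(t["dests"]) >= min_distinct_dests}


def still_spamming_after_cleanup(flows, host, cleaned_at, watch=timedelta(hours=24)):
    """The 24-hour watch: any new outbound TCP/25 flow from the host after cleanup."""
    return any(src == host and dport == 25 and cleaned_at < ts <= cleaned_at + watch
               for ts, src, dst, dport in flows)


if __name__ == "__main__":
    for host, info in suspected_spammers(SAMPLE_FLOWS).items():
        print(f"{host}: {info['distinct_dests']} MX hosts, {info['count']} flows, "
              f"{info['first']:%H:%M}-{info['last']:%H:%M}")
    print("back on watch list:", still_spamming_after_cleanup(SAMPLE_FLOWS, "10.0.0.5", _t(12, 0)))
```

The distinct-destination count is what separates a spam bot from an ordinary host: a mail client talks to one relay, a bot to many MX hosts. The relay exclusion and the internal-source check are the "rule out the mail server" step; the watch function is run again against the next day's flows before the port-25 block is considered closed.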
Slide 36: Process: Threat Mitigation
Core tools:
- FW blocks
- NGFW blocks
- IDS rules in kill mode
- Whitelisting tools
- Blacklisting tools
- Manual TCP kill

Slide 37: Process: Threat Mitigation (flowchart)
Traffic blocked by FW/NGFW? If not, traffic blocked by IDS? If not, IP/domain blacklisted? If not, manual TCP kills. Each "yes" leads to confirmation, and the result is "mitigation confirmed".

Slide 38: Process: Incident Categorization
Could be invented, but it already exists! US Federal Agency Incident Categories (source URL missing from the transcript):
- CAT 0, Exercise/Network Defense Testing: This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
- CAT 1, Unauthorized Access: In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
- CAT 2, Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
- CAT 3, Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
- CAT 4, Improper Usage: A person violates acceptable computing use policies.
- CAT 5, Scans/Probes/Attempted Access: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
- CAT 6, Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

Slide 39: Process: Alerting (workflow)
- Confirm that policy states to alert
- Select a template
- Provide: origin, destination, description, action taken, recommendation
- Proof the alert
- Send the alert
- Acknowledgement? If none, escalate

Slide 40: Process: Incident Management
- Pre-incident analysis and incident identification
- Incident categorization
- Incident handling (alerting, containment, recovery)
- Forensics analysis
- Root cause analysis
- Threat intelligence integration

Slide 41: Process: Ticketing
Keeps track of:
- Alerts
- Client requests (time to resolve/respond)
- Change requests (and approval)
Enables:
- SLA measurement
- Stats and reports

Slide 42: Process: Knowledge Sharing
Essential to a SOC. A SOC deals with a huge amount of heterogeneous information:
- Network topologies
- IDS configuration
- Policies
- Procedures
- Threat intelligence
Knowledge sharing requires a central repository (one or several databases) and a custom application.

Slide 43: Process: Lessons Learned
- Process helps reinforce the right behaviour
- Ambiguity = potential error
- Revisit and improve regularly
- Communicate clearly on new/revised processes
- Audit process adherence
Slide 44: WHAT IS NEXT?

Slide 45: (diagram) Talent retention; monitor, intercept, alert & escalate; VA/PenTest; threat modeling; cyber security research; continuous monitoring; threat intelligence; support; optimization; reporting; custom requests; process automation; process improvement; tools.

Slide 46: Threat Intelligence
- Collaboration with ISACs (Information Sharing and Analysis Centers)
- Collaboration with CERTs (Computer Emergency Readiness Teams)
- Clearing house
- Threat research
- Sandboxing
- Threat modeling (Common Attack Pattern Enumeration and Classification)

Slide 47: Threat Intelligence (continued): Sandboxing illustrated (screenshots only)

Slide 48: Compliance and Maturity Model
Compliance contributes to:
- Maturing the processes
- Predictable processes
- A culture of control
- Acceptance of periodic audits

Slide 49: If Outsourcing a SOC?
Questions to ask your outsourced SOC provider:
- What is the primary focus of the provider?
- How is the SOC structured (from a people perspective)?
- What is the SOC employee turnover?
- Could we have a copy of the SOC DR plan?
- What is the SLA on median time to alert?
- How many sites are monitored?
- Is the technology used tailored to security operations?
- Could you provide a reference in a vertical similar to ours?
- Could we have a copy of your latest internal or external audit report?

Slide 50: EPILOGUE

Slide 51: Epilogue: a few DON'Ts
- Assume anything
- Underestimate the technology cost
- Resist change
- Keep C players

Slide 52: Epilogue: DOs
- Think repeatable process
- Be persistent
- Be obsessive about the client (internal or external)
- Bet on people as the strength of a SOC, or "when A Difference makes THE Difference"
- Train and retrain
- Identify metrics as early as possible in the process
- Continuous improvement: audit technology, people, process

Slide 53: Thank you!
active threat protection
ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security
More informationNetwork Security Monitoring
CEENET/GEANT Security Workshop Sofia, 2014 Network Security Monitoring An Introduction to the world of Intrusion Detection Systems Irvin Homem irvin@dsv.su.se Stockholm University Who am I? Of Indian and
More informationSecurity Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC
Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC Background and Overview The Computer Security Incidents Internet2 (CSI2) working group organizes activities to better identify
More informationRSA Security Anatomy of an Attack Lessons learned
RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack
More informationLOG INTELLIGENCE FOR SECURITY AND COMPLIANCE
PRODUCT BRIEF uugiven today s environment of sophisticated security threats, big data security intelligence solutions and regulatory compliance demands, the need for a log intelligence solution has become
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationNetwork Intrusion Analysis (Hands-on)
Network Intrusion Analysis (Hands-on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect
More informationWHITE PAPER SPLUNK SOFTWARE AS A SIEM
SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)
More informationInternational Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849
WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore
More informationDDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION
DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION Stephen Gates Chief Security Evangelist Corero Network Security Session ID: SEC-W04 Session Classification: Intermediate Recent Headlines Are Denial of
More informationIncident categories. Version 2.0-04.02.2013 (final version) Procedure (PRO 303)
Version 2.0-04.02.2013 (final version) Procedure (PRO 303) Classification: PUBLIC / Department: GOVCERT.LU Table Contents Table Contents... 2 1 Introduction... 3 1.1 Overview... 3 1.2 Purpose... 3 1.3
More informationMcAfee Network Security Platform Administration Course
McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services
More informationOperationalizing Information Security: Top 10 SIEM Implementer s Checklist
Operationalizing Information Security: Top 10 SIEM Implementer s Checklist www.accelops.com Table of Contents Executive Summary.................................................................... 3 SIEM
More informationEnabling Security Operations with RSA envision. August, 2009
Enabling Security Operations with RSA envision August, 2009 Agenda What is security operations? How does RSA envision help with security operations? How does RSA envision fit with other EMC products? If
More informationExtreme Networks: A SOLUTION WHITE PAPER
Extreme Networks: The Purview Solution Integration with SIEM Integrating Application Management and Business Analytics into other IT management systems A SOLUTION WHITE PAPER WHITE PAPER Introduction Purview
More informationTake the Red Pill: Becoming One with Your Computing Environment using Security Intelligence
Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing
More informationEffective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention
Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats
More informationLogRhythm and NERC CIP Compliance
LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate
More informationSecurity workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013
Security workshop Belnet Aris Adamantiadis Brussels 18 th April 2013 Agenda What is a botnet? Symptoms How does it work? Life cycle How to fight against botnets? Proactive and reactive NIDS 2 What is a
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationState of SIEM Challenges, Myths & technology Landscape 4/21/2013 1
State of SIEM Challenges, Myths & technology Landscape 4/21/2013 1 Introduction What s in a name? SIEM? SEM? SIM? Technology Drivers Challenges & Technology Overview Deciding what s right for you Worst
More informationSIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security
SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationFirst Line of Defense
First Line of Defense SecureWatch ANALYTICS FIRST LINE OF DEFENSE OVERVIEW KEY BENEFITS Comprehensive Visibility Powerful web-based security analytics portal with easy-to-read security dashboards Proactive
More informationNetwork Security Demonstration - Snort based IDS Integration -
Network Security Demonstration - Snort based IDS Integration - Hyuk Lim (hlim@gist.ac.kr) with TJ Ha, CW Jeong, J Narantuya, JW Kim Wireless Communications and Networking Lab School of Information and
More informationSymantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
More informationInformation Technology Policy
Information Technology Policy Security Information and Event Management Policy ITP Number Effective Date ITP-SEC021 October 10, 2006 Category Supersedes Recommended Policy Contact Scheduled Review RA-ITCentral@pa.gov
More informationModular Network Security. Tyler Carter, McAfee Network Security
Modular Network Security Tyler Carter, McAfee Network Security Surviving Today s IT Challenges DDos BOTS PCI SOX / J-SOX Data Exfiltration Shady RAT Malware Microsoft Patches Web Attacks No Single Solution
More informationSecurity Controls Implementation Plan
GIAC Enterprises Security Controls Implementation Plan Group Discussion and Written Project John Hally, Erik Couture 08/07/2011 Table of Contents Executive Summary 3 Introduction 3 Security Controls Implementation
More informationNetwork/Internet Forensic and Intrusion Log Analysis
Course Introduction Enterprises all over the globe are compromised remotely by malicious hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of
More informationENABLING FAST RESPONSES THREAT MONITORING
ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,
More informationCourse Title: Penetration Testing: Security Analysis
Course Title: Penetration Testing: Security Analysis Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics in advanced
More informationCybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix
Cybercrime myths, challenges and how to protect our business Vladimir Kantchev Managing Partner Service Centrix Agenda Cybercrime today Sources and destinations of the attacks Breach techniques How to
More information