Building a Security Operations Center Lessons Learned. active threat protection


Slide 1 - Building a Security Operations Center: Lessons Learned
active threat protection
Yves Beretta
October 8, 2013

Slide 2 - INTRODUCTION
10/10/2013 Building a Security Operations Center Lessons Learned Slide 2

Slide 3 - Yves Beretta: Profile
- 20 years of IT experience
- IT Management
- Operations Management
- Network Security
- Built and managed a Security Operations Center for the past 7 years

Slide 4 - Why a Security Operations Center?
Multiplicity and volume of cyber security threats:
- Social engineering
- Advanced Persistent Threats (APT)
- Internal threats
- Bring Your Own Device (BYOD)
- Cloud security
- HTML5
- Botnets
Sources: Check Point / Forbes; Symantec

Slide 5 - Security Operations Center 101
- Security focused
- Operational
- Centralized
- 24x7

Slide 6 - SOC: Expectations
Watch and protect the infrastructure:
- Monitor network traffic, watching for anomalies
- Protect users
- Internal and external threat detection
- Alert and escalate
- Internal and external threat mitigation
...and also:
- Monitor users
- Systems configuration
- Data Loss Prevention
- Forensics analysis
- Threat modeling

Slide 7 - SOC: Functional Definition
Diagram labels: Network Traffic / Events; IDS/IPS/SIEM/NGFW; Aggregation/Correlation Systems; Security Analysis (24x7); Orientation; Response
Goal #1: Real-time threat detection and mitigation

Slide 8 - SOC: Key Components
KEY COMPONENTS
- Technology: Monitoring, Analysis, Mitigation, Reporting (FW, NGFW, IDS, IPS, SIEM, Web Security Gateway, AV, etc.) and its own network/air gap
- People: Security Analyst, Senior Security Analyst, Team Lead/Manager
- Process: Training, Monitoring, Analyzing, Mitigating, Alerting, Escalating

Slide 9 - TECHNOLOGY

Slide 10 - Technology: SOC Private Network
- Tap or port mirroring from:
  - Core managed switch
  - DMZ segment
  - All choke points
- Event logging / syslogging enabled and fetched to one central location
- Secure communication between IDS/IPS and management systems
- Lab (separate network, sandboxing, training)

Slide 11 - Technology: Security Sensor
Role:
- Capture and store inbound and outbound network traffic
- Meta data and raw data
- Rule-based notifications
- Behaviour-based notifications
Components:
- Secure OS
- Secure communication (e.g. SSH, stunnel)
- SW suite (e.g. Snort, Suricata, EasyIDS or Security Onion [Bro, Snort, Sguil, ELSA, Snorby, etc.])
- Packet capture (e.g. tcpdump, sguil)

Slide 12 - Technology: Security Sensor Placement
Diagram: placement of the security sensor on the network. Labels: Domain Controllers and Servers; DMZ; Switch; Corporate Network; Internet; Corporate Firewall; Users; Security Sensor

Slide 13 - Technology: More Monitoring
Diagram: two sensors on the network. Labels: Domain Controllers and Servers; DMZ; WIFI Access Point; Remote Laptops/Devices; Internet; Switch; DMZ Switch; Users
- Primary Security Sensor: Network Traffic Analysis (Logging, Replay, Intrusion Detection, Flows)
- Secondary Security Sensor: System/Configuration (Integrity, Log Analysis, Shipping)
- System/Configuration Integrity; SIEM/Logging; Managed Systems; Flows; Configuration Verification

Slide 14 - Technology: Management System
Role:
- Visualize events
- Monitor key infrastructure and security devices
Components:
- Secure OS
- SW (e.g. LAMP, Splunk, Nagios)

Slide 15 - Technology: Traffic Analysis
Role:
- Analyze events
- Qualify threats
Components:
- Secure OS
- SW (Wireshark, tcpdump)
Internal port scan

Slide 16 - Technology: Dashboard & Traffic Analysis

Slide 17 - Technology: Lab
Role:
- Run malware
- Profile malware
- Test new detection rules
- Training
Components:
- Secure VM
- Software (e.g. Cuckoo sandbox)

Slide 18 - Technology: Events to Actionable Data

Slide 19 - Technology: Physical Security
- SOC access should be restricted (policy, badge)
- Two-factor authentication when possible
- Access to the SOC should be monitored (logs)
- Activities within the SOC should be monitored (video)

Slide 20 - Technology: Lessons Learned
- Technology = enabler
- Control technology
- Technology does cost money
- Craft technology so that it follows process It

Slide 21 - PEOPLE

Slide 22 - People: Roles
- Manager/Security Expert
- Team Lead
- Senior Security Analyst
- Security Analyst
- Sensor on Network

Slide 23 - People: Security Analyst
Skills:
- Computer/network security
- Network administration
- Analytical mindset
- Process oriented
- Attention to detail
- Ability to work shifts
- Ability to work in a fast-paced and deadline-driven environment
- Team player
- University/College graduate

Slide 24 - People: Senior Security Analyst
Skills: Security Analyst + the following:
- Security certifications (ISC2, ISACA, CISCO, SANS, Offensive Security, EC-Council, etc.)
- Network security experience
- Demonstrable initiative towards continuous improvement

Slide 25 - People: Team Lead / Manager
Skills: Senior Security Analyst + the following:
- Security background
- Process focus
- Superior inter-personal skills
- Client centric

Slide 26 - People: Hiring the Right Candidates
Finding candidates:
- Targeted schools with an InfoSec or a CSI program
- Security groups (TASK, LinkedIn groups)
- Personal network
Selecting candidates:
- Test network and InfoSec knowledge
- Evaluate inter-personal skills
- Evaluate communication (verbal and written)
- Test resistance to pressure and stress!

Slide 27 - People: Team Building
Context: critical security operations
- People need to rely on each other
- Team work and collaboration first
- Invest in the team

Slide 28 - People: SOC in Action
Diagram labels: Qualified People; Context; Rule-based Detection; Expertise; Technology; Web Traffic Monitoring; THREAT DETECTION, QUALIFICATION and ERADICATION; Executable Downloads; DLP; Experience; Behaviour-based Detection; Policies

Slide 29 - People: Lessons Learned
- Hire on core requirements
- Then train on specific needs
- Re-train as often as needed
- Bet on a great team rather than on a champion
- Audit knowledge and adherence to policies

Slide 30 - PROCESS

Slide 31 - Process: OODA Loop Workflow
Diagram: the OODA loop (OBSERVE, ORIENT, DECIDE, ACT) applied to the SOC workflow. Labels: Client Query; Implicit Guidance & Control (SOC Team Lead, Management); Client Security Posture; Unfolding Circumstances; Client Culture; Client Defense Template; Decision (Hypothesis); Action; Outside Information (Other Client Data); Unfolding Interaction With Environment; Observations; Previous Experience (History); New Information (Deep Dig); Alert; Intercept
Effective feedback leads to appropriate action taken

Slide 32 - Process: Training
- Threat landscape and attacks
- Specific tools
- Specific process
- Safe practice (lab)
- Hands-on practice (shadowed)
- Include quiz

Slide 33 - Process: Scheduling
- Nights/days/weekends
- Busy vs non-busy?
- Vacations/sick, etc.
- Overtime: pay

Slide 34 - Process: Threat Qualification
- Network/machine/user behaviour
- Follow the evidence
- Context
- Sandboxing
- Inspect meta data:
  - Identify the initiator of the traffic
  - Confirm protocol/nature of traffic
  - If web traffic is involved, check Referrer & User Agent
  - Check traffic before and after the suspicious activity
- Inspect raw data
Outcome: external malicious intent confirmed and/or internal host compromised
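Worked example for the web-traffic checks above (added here, not code from the deck): a Python helper that takes constructed proxy log lines, identifies the initiator of an executable download, checks Referer and User-Agent against what the same host did just before, and inspects the traffic that follows. The log format, field names, extension list and verdict thresholds are assumptions made for this example.

```python
"""Threat-qualification helper for web traffic (added example, not from the deck).

Applies the slide's meta-data checks to one suspicious request: identify the
initiator, confirm the nature of the traffic, check Referer and User-Agent,
and look at what the same host did shortly before and after.
Log format, field order and all sample records are assumptions made here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Extensions treated as executable downloads (assumption for this example).
EXEC_SUFFIXES = (".exe", ".dll", ".msi", ".scr")

# Constructed proxy log. Fields, pipe-separated:
# time|src_ip|user|method|host|path|referer|user_agent|status|bytes
# A referer of "-" means the request carried no Referer header.
SAMPLE_LOG = """\
2013-10-08T09:14:02|10.1.5.23|jdoe|GET|intranet.example.local|/news|-|Mozilla/5.0 (Windows NT 6.1) Firefox/24.0|200|5120
2013-10-08T09:14:40|10.1.5.23|jdoe|GET|www.example.com|/article/12|http://intranet.example.local/news|Mozilla/5.0 (Windows NT 6.1) Firefox/24.0|200|18230
2013-10-08T09:14:41|10.1.5.23|jdoe|GET|ads.example.net|/b.js|http://www.example.com/article/12|Mozilla/5.0 (Windows NT 6.1) Firefox/24.0|200|900
2013-10-08T09:14:43|10.1.5.23|jdoe|GET|files.example.org|/update.exe|-|Mozilla/4.0|200|412000
2013-10-08T09:14:59|10.1.5.23|jdoe|POST|files.example.org|/ping|-|Mozilla/4.0|200|312
2013-10-08T09:16:10|10.1.5.23|jdoe|GET|www.example.com|/article/13|http://www.example.com/article/12|Mozilla/5.0 (Windows NT 6.1) Firefox/24.0|200|17000
2013-10-08T09:20:00|10.1.5.77|asmith|GET|vendor.example.com|/setup.exe|http://vendor.example.com/downloads|Mozilla/5.0 (Windows NT 6.1) Firefox/24.0|200|2200000
"""


@dataclass
class Request:
    time: datetime
    src_ip: str
    user: str
    method: str
    host: str
    path: str
    referer: str
    user_agent: str
    status: int
    size: int


def parse_log(text: str) -> list[Request]:
    """Parse the pipe-separated log; reject records with the wrong field count."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 10:
            raise ValueError(f"malformed record: {line!r}")
        records.append(Request(datetime.fromisoformat(f[0]), f[1], f[2], f[3],
                               f[4], f[5], f[6], f[7], int(f[8]), int(f[9])))
    return records


def executable_downloads(reqs: list[Request]) -> list[int]:
    """Indexes of successful requests whose path looks like an executable."""
    return [i for i, r in enumerate(reqs)
            if r.status == 200 and r.path.lower().endswith(EXEC_SUFFIXES)]


def qualify_download(reqs: list[Request], idx: int,
                     window: timedelta = timedelta(seconds=120)) -> dict:
    """Qualify one executable download using the surrounding traffic of the same host."""
    ev = reqs[idx]
    # Context: everything the same initiator did within the window, before and after.
    ctx = [r for r in reqs if r.src_ip == ev.src_ip and r is not ev
           and abs(r.time - ev.time) <= window]
    before = [r for r in ctx if r.time < ev.time]
    after = [r for r in ctx if r.time > ev.time]

    findings = []
    # Referer check: a browser-driven download normally carries the page it came from.
    if ev.referer == "-":
        findings.append("no_referer")
    # User-Agent check: compare with what this host used just before.
    usual_agents = {r.user_agent for r in before}
    if usual_agents and ev.user_agent not in usual_agents:
        findings.append("user_agent_mismatch")
    # Traffic after: a POST back to the download host with no referer is worth a deep dig.
    if any(r.method == "POST" and r.host == ev.host and r.referer == "-" for r in after):
        findings.append("followup_post")

    if len(findings) >= 2:
        verdict = "escalate"          # internal host suspected compromised
    elif findings:
        verdict = "deep_dig"          # inspect raw data / sandbox the file
    else:
        verdict = "likely_user_initiated"
    return {
        "initiator": (ev.src_ip, ev.user),
        "traffic": f"{ev.method} http://{ev.host}{ev.path} ({ev.size} bytes)",
        "before": len(before), "after": len(after),
        "findings": findings, "verdict": verdict,
    }


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for i in executable_downloads(reqs):
        print(qualify_download(reqs, i))
```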

Slide 35 - Process: Spamming Machine
- Spamming confirmation: live TCP dump on port 25
- Rule out the mail server responding to spam
- If spamming is confirmed, kill port 25 for that machine
- Deep dig (TCP, BW, and web traffic) to identify the vector of infection and/or back channel(s)
- Kill back channel(s)
- Alert and request that the machine be pulled from the network and AV scanned
- Lift the block on port 25 once the machine has been cleaned up
- Place a watch on that machine for another 24 hours
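The spamming-machine procedure above as a Python workflow (added example, not the author's tooling): flow records stand in for the live tcpdump on port 25, the site's mail relay is ruled out before counting, and a case object enforces the order of the response steps through the 24-hour watch. Address ranges, the fan-out threshold and the flow records are constructed assumptions.

```python
"""Spamming-machine confirmation and response workflow (added example, not from the deck).
Confirms a spamming workstation from flow records (many distinct external TCP/25 peers in a
short window, the site's mail relays ruled out), then walks the case through the slide's
steps. Address ranges, thresholds and the flow records are assumptions made for this example."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")   # corporate range (assumption)
MAIL_RELAYS = {"10.1.0.25"}            # hosts allowed to speak SMTP to the Internet
FANOUT_THRESHOLD = 20                  # distinct external SMTP peers within one window
WATCH_PERIOD = timedelta(hours=24)     # post-cleanup watch, per the slide

def constructed_flows() -> list[tuple]:
    """Sample flow records (time, src, dst, proto, dport), constructed for this example."""
    base = datetime(2013, 10, 8, 14, 0, 0)
    flows = []
    for i in range(40):   # the legitimate relay delivering to many external MX hosts
        flows.append((base + timedelta(seconds=30 * i), "10.1.0.25", f"203.0.113.{i + 1}", "tcp", 25))
    for i in range(5):    # a workstation submitting mail to the internal relay
        flows.append((base + timedelta(minutes=i), "10.1.5.40", "10.1.0.25", "tcp", 25))
    for i in range(25):   # a workstation talking directly to 25 external SMTP servers in 4 minutes
        flows.append((base + timedelta(seconds=10 * i), "10.1.5.23", f"198.51.100.{i + 1}", "tcp", 25))
    flows.append((base, "10.1.5.77", "192.0.2.10", "tcp", 25))  # two direct SMTP peers an hour apart:
    flows.append((base + timedelta(hours=1), "10.1.5.77", "192.0.2.11", "tcp", 25))  # below threshold
    flows.append((base, "10.1.5.23", "192.0.2.50", "tcp", 80))  # unrelated web traffic
    return flows

def smtp_fanout(flows, window: timedelta = timedelta(minutes=10)) -> dict[str, int]:
    """Peak count of distinct external SMTP peers per internal host within any window."""
    by_host: dict[str, list] = defaultdict(list)
    for t, src, dst, proto, dport in flows:
        if proto != "tcp" or dport != 25:
            continue
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue                  # only outbound SMTP counts
        if src in MAIL_RELAYS:
            continue                  # rule out the mail server itself
        by_host[src].append((t, dst))
    peak = {}
    for host, recs in by_host.items():
        recs.sort()
        best = 0
        for i, (t0, _) in enumerate(recs):
            peers = {d for t, d in recs[i:] if t - t0 <= window}
            best = max(best, len(peers))
        peak[host] = best
    return peak

def spamming_hosts(flows) -> list[str]:
    """Hosts whose SMTP fan-out confirms spamming (a live tcpdump on port 25 is the manual equivalent)."""
    return sorted(h for h, n in smtp_fanout(flows).items() if n >= FANOUT_THRESHOLD)

class SpamCase:
    """Tracks one spamming machine through the slide's response steps, enforcing their order."""
    def __init__(self, host: str, confirmed_at: datetime):
        self.host, self.state = host, "confirmed"
        self.block_rule, self.watch_until = None, None
        self.log = [(confirmed_at, "spamming confirmed")]
    def _advance(self, expected: str, new: str, at: datetime, note: str) -> None:
        if self.state != expected:
            raise RuntimeError(f"{note!r} not allowed in state {self.state!r}")
        self.state = new
        self.log.append((at, note))
    def block_smtp(self, at: datetime) -> str:
        """Kill port 25 for that machine; the deep dig for infection vector/back channels starts here."""
        self.block_rule = f"deny tcp from {self.host} to any port 25"
        self._advance("confirmed", "blocked", at, "port 25 blocked, deep dig started")
        return self.block_rule
    def alert_and_quarantine(self, at: datetime) -> None:
        """Alert and request that the machine be pulled from the network and AV scanned."""
        self._advance("blocked", "quarantined", at, "alert sent, machine pulled for AV scan")
    def mark_cleaned(self, at: datetime) -> datetime:
        """Lift the port 25 block and start the 24-hour watch."""
        self._advance("quarantined", "watching", at, "cleaned, block lifted, watch started")
        self.block_rule, self.watch_until = None, at + WATCH_PERIOD
        return self.watch_until
    def review(self, now: datetime) -> str:
        """Close the case once the watch period has elapsed without recurrence."""
        if self.state == "watching" and now >= self.watch_until:
            self._advance("watching", "closed", now, "watch period elapsed, case closed")
        return self.state

def walk_case_example() -> dict:
    """Drive one constructed case through every step and return the checkpoints."""
    case = SpamCase("10.1.5.23", datetime(2013, 10, 8, 14, 5))
    try:
        case.mark_cleaned(datetime(2013, 10, 8, 14, 6))   # out of order: must be refused
        rejected = False
    except RuntimeError:
        rejected = True
    rule = case.block_smtp(datetime(2013, 10, 8, 14, 6))
    case.alert_and_quarantine(datetime(2013, 10, 8, 14, 10))
    until = case.mark_cleaned(datetime(2013, 10, 8, 18, 0))
    early = case.review(datetime(2013, 10, 9, 12, 0))   # watch still running
    final = case.review(datetime(2013, 10, 9, 18, 0))   # 24 hours elapsed
    return {"rejected_early_cleanup": rejected, "rule": rule, "watch_until": until.isoformat(),
            "early": early, "final": final, "block_lifted": case.block_rule is None, "steps": len(case.log)}
```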

Slide 36 - Process: Threat Mitigation
Core tools:
- FW blocks
- NGFW blocks
- IDS rules in kill mode
- Whitelisting tools
- Blacklisting tools
- Manual TCP kill

Slide 37 - Process: Threat Mitigation
Flowchart:
- Traffic blocked by FW/NGFW? Yes: Confirmation. No: next check
- Traffic blocked by IDS? Yes: Confirmation. No: next check
- IP/domain blacklisted? Yes: Confirmation. No: next check
- Manual TCP kills. Yes: Confirmation
- Confirmation: mitigation confirmed

Slide 38 - Process: Incident Categorization
Could be invented but... it already exists! US Federal Agency Incident Categories (link omitted):
- CAT 0, Exercise/Network Defense Testing: This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
- CAT 1, Unauthorized Access: In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
- CAT 2, Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
- CAT 3, Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
- CAT 4, Improper Usage: A person violates acceptable computing use policies.
- CAT 5, Scans/Probes/Attempted Access: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
- CAT 6, Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.

Slide 39 - Process: Alerting
Flowchart:
- Confirm that policy states to alert
- Select template
- Provide: origin, destination, description, action taken, recommendation
- Proof the alert
- Send the alert
- Acknowledgement? If none, escalate

Slide 40 - Process: Incident Management
- Pre-incident analysis and incident identification
- Incident categorization
- Incident handling (alerting, containment, recovery)
- Forensics analysis
- Root cause analysis
- Threat intelligence integration

Slide 41 - Process: Ticketing
Keeps track of:
- Alerts
- Client requests (time to resolve/respond)
- Change requests (and approval)
Enables:
- SLA measurement
- Stats & reports

Slide 42 - Process: Knowledge Sharing
Essential to a SOC. A SOC deals with a huge amount of heterogeneous information:
- Network topologies
- IDS configuration
- Policies
- Procedures
- Threat intelligence
Knowledge sharing:
- Requires a central repository, one or several DBs
- Custom application

Slide 43 - Process: Lessons Learned
- Process helps reinforce the right behaviour
- Ambiguity = potential error
- Revisit and improve regularly
- Communicate clearly on new/revised processes
- Audit process adherence

Slide 44 - WHAT IS NEXT?

Slide 45
Diagram labels: Talent Retention; Monitor; Intercept; Alert & Escalate; VA/PenTest; Threat Modeling; Cyber Security Research; Continuous Monitoring; Threat Intelligence; Support; Optimization; Reporting; Custom Request; Process Automation; Process Improvement; Tools

Slide 46 - Threat Intelligence
- Collaboration with ISACs (Information Sharing and Analysis Centers)
- Collaboration with CERTs (Computer Emergency Readiness Teams)
- Clearing house
- Threat research
- Sandboxing
- Threat modeling (Common Attack Pattern Enumeration and Classification, CAPEC)

Slide 47 - Threat Intelligence (continued)
Sandboxing illustrated

Slide 48 - Compliance and Maturity Model
Compliance contributes to:
- Maturing the processes
- Predictable processes
- A culture of control
- Periodic audits
- Acceptance

Slide 49 - If Outsourcing a SOC?
Questions to ask your outsourced SOC provider:
- What is the primary focus of the provider?
- How is the SOC structured (people's perspective)?
- What is the SOC employee turnover?
- Could we have a copy of the SOC DR plan?
- What is the SLA on Median Time to Alert?
- How many sites are monitored?
- Is the technology used tailored to security operations?
- Could you provide a reference in a vertical similar to ours?
- Could we have a copy of your latest internal or external audit report?

Slide 50 - EPILOGUE

Slide 51 - Epilogue: A Few DON'Ts
- Assume anything
- Underestimate the technology cost
- Resist change
- Keep C players

Slide 52 - Epilogue: DOs
- Think repeatable process
- Be persistent
- Be obsessive about the client (internal or external)
- Bet on people as the strength of a SOC, or when A Difference makes THE Difference
- Train and retrain
- Identify metrics as early as possible in the process
- Continuous improvement: audit technology, people, process

Slide 53 - Thank you!
active threat protection


More information

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Passive Logging. Intrusion Detection System (IDS): Software that automates this process Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Security strategies to stay off the Børsen front page

Security strategies to stay off the Børsen front page Security strategies to stay off the Børsen front page Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company 1 2012 IBM Corporation Given the dynamic nature of the challenge, measuring the

More information

Cisco IPS Tuning Overview

Cisco IPS Tuning Overview Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.

More information

Effective Methods to Detect Current Security Threats

Effective Methods to Detect Current Security Threats terreactive AG. Swiss Cyber Storm 2015. Effective Methods to Detect Current Security Threats Enrico Petrov Director Managed Security Services terreactive October 21 st, 2015 terreactive Background. About

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Consensus Policy Resource Community. Lab Security Policy

Consensus Policy Resource Community. Lab Security Policy Lab Security Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Network Instruments white paper

Network Instruments white paper Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features

More information

SIEM Implementation Approach Discussion. April 2012

SIEM Implementation Approach Discussion. April 2012 SIEM Implementation Approach Discussion April 2012 Agenda What are we trying to solve? Summary Observations from the Security Assessments related to Logging & Monitoring Problem Statement Solution Conceptual

More information

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor

CIP R1.5 Spring CIP Audit Workshop. April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 R1.5 Spring CIP Audit Workshop April 14, 2016 Scott Pelfrey, CISA, CISSP, GISP, MBA Senior Technical Auditor CIP-005-5 Part 1.5 Learning Objectives Terminology Discussion of IPS/IDS & firewall

More information

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad OUTLINE Security incident Attack scenario Intrusion detection system Issues and challenges Conclusion

More information

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC Background and Overview The Computer Security Incidents Internet2 (CSI2) working group organizes activities to better identify

More information

RSA Security Anatomy of an Attack Lessons learned

RSA Security Anatomy of an Attack Lessons learned RSA Security Anatomy of an Attack Lessons learned Malcolm Dundas Account Executive John Hurley Senior Technology Consultant 1 Agenda Advanced Enterprise/ Threats The RSA Breach A chronology of the attack

More information

LogRhythm and NERC CIP Compliance

LogRhythm and NERC CIP Compliance LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate

More information

24/7 Visibility into Advanced Malware on Networks and Endpoints

24/7 Visibility into Advanced Malware on Networks and Endpoints WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction

More information

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849

International Journal of Enterprise Computing and Business Systems ISSN (Online) : 2230-8849 WINDOWS-BASED APPLICATION AWARE NETWORK INTERCEPTOR Ms. Shalvi Dave [1], Mr. Jimit Mahadevia [2], Prof. Bhushan Trivedi [3] [1] Asst.Prof., MCA Department, IITE, Ahmedabad, INDIA [2] Chief Architect, Elitecore

More information

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D. Running head: UNIT 3 RESEARCH PROJECT 1 Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/07/2014 UNIT 3 RESEARCH PROJECT 2

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

Intel Security Certified Product Specialist Security Information Event Management (SIEM) Intel Security Certified Product Specialist Security Information Event Management (SIEM) Why Get Intel Security Certified? As technology and security threats continue to evolve, organizations are looking

More information

Network Security Monitoring

Network Security Monitoring CEENET/GEANT Security Workshop Sofia, 2014 Network Security Monitoring An Introduction to the world of Intrusion Detection Systems Irvin Homem irvin@dsv.su.se Stockholm University Who am I? Of Indian and

More information

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION Stephen Gates Chief Security Evangelist Corero Network Security Session ID: SEC-W04 Session Classification: Intermediate Recent Headlines Are Denial of

More information

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY Dean Frye Sourcefire Session ID: SEC-W05 Session Classification: Intermediate Industrialisation of Threat Factories Goal: Glory,

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information

Network Intrusion Analysis (Hands-on)

Network Intrusion Analysis (Hands-on) Network Intrusion Analysis (Hands-on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

McAfee Network Security Platform Administration Course

McAfee Network Security Platform Administration Course McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services

More information

Enabling Security Operations with RSA envision. August, 2009

Enabling Security Operations with RSA envision. August, 2009 Enabling Security Operations with RSA envision August, 2009 Agenda What is security operations? How does RSA envision help with security operations? How does RSA envision fit with other EMC products? If

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Operationalizing Information Security: Top 10 SIEM Implementer s Checklist

Operationalizing Information Security: Top 10 SIEM Implementer s Checklist Operationalizing Information Security: Top 10 SIEM Implementer s Checklist www.accelops.com Table of Contents Executive Summary.................................................................... 3 SIEM

More information

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013

Security workshop Protection against botnets. Belnet Aris Adamantiadis Brussels 18 th April 2013 Security workshop Belnet Aris Adamantiadis Brussels 18 th April 2013 Agenda What is a botnet? Symptoms How does it work? Life cycle How to fight against botnets? Proactive and reactive NIDS 2 What is a

More information

Extreme Networks: A SOLUTION WHITE PAPER

Extreme Networks: A SOLUTION WHITE PAPER Extreme Networks: The Purview Solution Integration with SIEM Integrating Application Management and Business Analytics into other IT management systems A SOLUTION WHITE PAPER WHITE PAPER Introduction Purview

More information

Network Security Demonstration - Snort based IDS Integration -

Network Security Demonstration - Snort based IDS Integration - Network Security Demonstration - Snort based IDS Integration - Hyuk Lim (hlim@gist.ac.kr) with TJ Ha, CW Jeong, J Narantuya, JW Kim Wireless Communications and Networking Lab School of Information and

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats

Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats Network as a Sensor and Enforcer Leverage the Network to Protect Against and Mitigate Threats Dragan Novaković Consulting Systems Engineer Security November 2015. New Networks Mean New Security Challenges

More information

ENABLING FAST RESPONSES THREAT MONITORING

ENABLING FAST RESPONSES THREAT MONITORING ENABLING FAST RESPONSES TO Security INCIDENTS WITH THREAT MONITORING Executive Summary As threats evolve and the effectiveness of signaturebased web security declines, IT departments need to play a bigger,

More information

Critical Controls for Cyber Security. www.infogistic.com

Critical Controls for Cyber Security. www.infogistic.com Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Incident Categories (Public) Version 3.0-2016.01.19 (Final)

Incident Categories (Public) Version 3.0-2016.01.19 (Final) Incident Categories (Public) Version 3.0-2016.01.19 (Final) Procedures (PRO 303) Department: GOVCERT.LU Classification: PUBLIC Contents 1 Introduction 3 1.1 Overview.................................................

More information

Symantec Advanced Threat Protection: Network

Symantec Advanced Threat Protection: Network Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How

More information

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

Modular Network Security. Tyler Carter, McAfee Network Security

Modular Network Security. Tyler Carter, McAfee Network Security Modular Network Security Tyler Carter, McAfee Network Security Surviving Today s IT Challenges DDos BOTS PCI SOX / J-SOX Data Exfiltration Shady RAT Malware Microsoft Patches Web Attacks No Single Solution

More information