Security Monitoring and Architectures for Security Logging
|
|
- Sophie Haynes
- 8 years ago
- Views:
Transcription
1 Security Monitoring and Architectures for Security Logging Christer Andersson 15 December December 2008 Introduction to myself Christer Andersson Information Security Consultant at Combitech Karlstad office, 2 employees now PhD Engineering in Computer Security Privacy and Security (PRISEC) group at KaU Anonymous communication in mobile networks December 2008 Combitech 7 Service Areas Information security (IS) Logistics Mechanical engineering System development System integration System security Customer adapted solutions President Combitech: Marie Bredäng 3 December
2 Information Security (IS) More than 100 employees IS Manager Jerker Löf Divided into three units ISA Information Security Architectures ISS Information Security Solutions IST Information Security Technologies Clients Swedish defence (~55%) FMV largest customer Swedish institutions (~20%) Skatteverket, Banverket, Rikspolisstyrelsen, KMB, etc. Private companies (~25%) Telecom companies, private defence industry (SAAB, Kockum, etc.) 4 December 2008 Information Security Architectures (ISA) 14 employees distributed in 6 cities Växjö, Karlstad, Linköping, Stockholm, Kristianstad, Enköping ISA Manager Lena Johansson Two focus areas 2008 for ISA 1. Monitored security and logging 2. Service-based security architectures Intra-IS cooperation with other units 5 December 2008 Security Monitoring and Logging Can both seen as one combined area and two distinct areas: Security Information Management (SIM) Refers to the collection of data (typically log files; e.g. event logs) into a central repository for trend analysis SIM is mainly focused on the discovery of bad behavior Security Event Management (SEM) A SEM stores large amount of logs in disk devices for historical storage purposes It typically offers integrity and confidentiality A SEM is slow but can typically store years of logs Sometimes combined into a SEIM Note that terminology confusion often occurs Often a SIM claims to be SEM by implementing a minimal set of SEM functionalities, and vice versa 6 December
3 Motivation There is a lot of traffic in corporate nets Between clients and business applications To / from internal servers Between clients and Internet Problems How to find intrusions from Internet How to find misbehaving users / compromised machines in the internal network Commercial value When an incident happen we want a quick reaction time and traceability Additional motivation: compliance Bonus: will detect badly configured network applications 7 December 2008 A possible solution Security monitoring and logging architectures (SIM and SEM) SIM and SEM is becoming increasingly more important and prioritized among companies. It is essential for mapping vulnerabilities and threats against the information security in an organization Benefits Keep control over business application and IT system logs System-wide picture of the information security status React quickly on incidents (real-time analysis or analysis on regular basis) Provides rich material for efficient investigation of security incidents 8 December 2008 Phases in Security Monitoring and Logging ANALYZE Requirement analysis IMPLEMENT & DRIVE Proof of concept deployment Acquisition/development support Usage guidelines Full scale installation FOLLOW UP Monitoring and analysis Training Maintenance My involvement in projects so far includes: Networked-based intrusion detection and security monitoring using OSSIM (Svenska Räddningsverket) Assessment of current logging situation and writing guidelines and directives (Arbetsförmedlingen, Ludvika kommun) Certification in open-source based SIM tool OSSIM MONITORED SECURITY 9 December
4 Typical Monitoring Architecture One or several servers One or several databases Several sensors using agent-based or agent-less collection Several log sources Analysis Server(s) for correlation and normalization Sensor(s) Console with GUI Real-time Forensic database Long-term Forensic database agent agent agent agent Syslog SMTP SNMP Cisco IDS CheckPoint Windows XP 10 Firewall-1 Nessus December 2008 Example of SIM and SEM products ArcSight RSA envision IBM Consul InSight Symantec Enterprise Security Manager CiscoWorks SIMS Network Intelligence NetForensics Intellitactics NetIQ IBM (Tivoli) Netcool/Neusecure Novell Sentinel OSSIM (open source) 11 December 2008 Example SIM: OSSIM 12 December
5 Sensors/probes Sensors/probes collect log data from different log sources and/or generates security events based on monitored logs The log data (or security events) are sent to the central monitoring server, possibly after being normalized to a standard format Sensor components are mostly passive (do not generate traffic) Collection can both be agent-based and agent-less 13 December 2008 Sensors components Network-based Intrusion Detection Systems (NIDS) Monitors network traffic in order to detect intrusions Often matches network packets against known signatures Can also detect new attacks by looking for suspicious behavior Often deployed outside and inside firewall, on backbones and subnets, etc. Host-based Intrusion Detection Systems (HIDS) Detects intrusions on important hosts (servers, routers, switches, clients, etc.) Performs integrity checking on files, log monitoring of different logs, etc. Log collector components Collect/monitor logs from hosts in the network Examples of log sources: firewall logs, OS logs (syslog / windows event logs), logs from business applications, etc. 14 December 2008 Logging component and log sources A logging component parses log data from different log sources Extracts fields like date, IP address, free text information, log generator, etc. One example method of parsing is regular expressions Common log sources Windows event logs Syslog in Linux / Unix SNMP (Simple Network Management Protocol) Traps Business application logs Firewall logs Logs may be sent to server both in original and normalized format Collecting all all logs from all all monitored components to to a central server requires a lot lot of of bandwidth and and performance 15 December
6 Example NIDS: Open-source based NIDS developed by Sourcefire Statefull and stateless analysis Stateless analysis is based on network traffic signatures Stateless analysis discovers known attacks Signatures are grouped and collected in rule sets Common rule sets are Sourcefire s official rules and the Bleeding Edge rules Statefull analysis is done by different preprocessors in Snort Statefull analysis may discover unknown attacks (anomaly detection) Example preprocessors: spade, http_inspect, stream, portscan, etc. False positives are common and serious problem The NIDS must be configured according to the monitored network and the signature rule sets must be fine tuned 16 December 2008 The Snort Process libpcap Packet Decoder Works through the TCP/IP stack Preprocessor Examines packets using often using statefull inspection Detection Engine Matches against the rule set with signatures Output plugin 17 December 2008 Example Snort Rule Payload Plain Display Download of Payload Download in pcap format length = : : : : : : : 01 DC C9 B0 42 EB 0E AE...B...p. 070 : AE DC C9 B.p.B...h : B0 42 B C9 B E2 FD B P : E E 64 6C 6C C 33...P..Qh.dllhel3 0a0 : B E F 75 6E B 2hkernQhounthick 0b0 : B9 6C 6C E 64 ChGetTf.llQh32.d 0c0 : F 66 B F 63 6B 66 hws2_f.etqhsockf 0d0 : B9 74 6F E 64 BE AE 42 8D 45.toQhsend...B.E 0e0 : D4 50 FF D 45 E0 50 8D 45 F0 50 FF P..P.E.P.E.P..P 0f0 : BE AE 42 8B 1E 8B 03 3D 55 8B EC B...=U..Qt. 100 : BE 1C 10 AE 42 FF 16 FF D0 31 C F1...B...1.QQP : B 81 F D 45 CC 50 8B...Q.E.P. 120 : 45 C0 50 FF 16 6A 11 6A 02 6A 02 FF D0 50 8D 45 E.P..j.j.j...P.E 130 : C4 50 8B 45 C0 50 FF C6 09 DB 81 F3 3C 61.P.E.P...<a 140 : D9 FF 8B 45 B4 8D 0C 40 8D C1 E C2...E...@ : C1 E C2 8D D B4 6A 10 8D...)...E.j : 45 B C F D E.P1.Qf..x.Q.E.P 170 : 8B 45 AC 50 FF D6 EB CA.E.P... Snort rule syntax: Snort rule syntax: alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"sql Wormpropagation attempt"; flow:to_server; content:" 04 "; alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"sql Wormpropagation attempt"; flow:to_server; content:" 04 "; depth:1; content:" 81 F B 81 F1 01 "; content:"sock"; content:"send"; ; classtype:misc-attack; sid:2003; rev:12;) depth:1; content:" 81 F B 81 F1 01 "; content:"sock"; content:"send"; ; classtype:misc-attack; sid:2003; rev:12;) 18 December
7 Example HIDS: Snare and OSSEC A Snare agent monitors windows event logs from Security, Application and System logs in Windows Can be configured to send collected logs to a central log server For example a syslog server on a Linux host or a Snare server This central log server can in turn be monitored by a SIM/SEM server Advanced HIDS for Linux / Unix / Windows Central OSSEC server/distributed OSSEC agents hierarchy Log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response, etc. 19 December 2008 Example SIM: OSSIM 20 December 2008 Server and Central Repository The server collect log data and security events from the sensors The events are being correlated and prioritized Events may generate alarms / incidents Alarms / incidents may trigger automatic actions The server often includes active components that generate traffic Example: vulnerability scanning (Nessus), port scanning (Nmap), etc. 21 December
8 Correlation Problems Multitudes of events/alarms from different sensors Multitudes of false positives Possibility of false negatives Solution Cross correlate events/alarms in a correlation engine Detect patterns of events/alarms A high degree of fulfillment of specific pattern the greater the reliability of a real attack Can decrease false positives and false negatives significantly 22 December 2008 Example of a Snort pattern 23 December 2008 Correlation directives in OSSIM 24 December
9 Priorization Problem How should a security analyst know which security events he/she should invest resources to investigate? Solution A system for prioritizing security event must be included in the SIM/SEM In Snort events are prioritized between priority value 1 3 In OSSIM events are prioritized between risk value 1 10 Priorities are calculated based on parameters such as (i) probability that an attack has occurred, (ii) the resulting level of severity if the attack would succeed, and (iii) value of the attacked host In OSSIM, the RISK = (RELAIABILITY * PRIORITY * ASSET) / 25 A security event of RISK >= 1 generates a security alarm 25 December 2008 Priorization 26 December 2008 Example SIM: OSSIM 27 December
10 Storage databases A hierarchy of databases should be used for archiving the log data and the security events / alarms Databases for both (i) short term (fast) real-time analysis and (ii) longterm (slow) forensic analysis should preferably be used Storage medium (database, file system, etc.) is chosen according to requirements (performance, reliability, etc.) Fast online search queries on the last days of collected security events and log data Front-end Real-time Forensic database Back-end Long-term Forensic database Slower offline search queries on the complete databse of collected security events and log data Integrity of data is important 28 December 2008 Example SIM: OSSIM 29 December 2008 Console Web Interface Different usersbelonging to different roles administrate and use the SIM from (often) a web interface Typically, the GUI can be configured so that the boss, the analyst, the administrators, etc., have different (sometimes overlapping) views of the GUI 30 December
11 Practical Demonstration 31 December
Passive Logging. Intrusion Detection System (IDS): Software that automates this process
Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion
More informationIDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for
Intrusion Detection Intrusion Detection Security Intrusion: a security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts
More informationThe SIEM Evaluator s Guide
Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More informationIDS / IPS. James E. Thiel S.W.A.T.
IDS / IPS An introduction to intrusion detection and intrusion prevention systems James E. Thiel January 14, 2005 S.W.A.T. Drexel University Overview Intrusion Detection Purpose Types Detection Methods
More informationCHAPETR 3. DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM
59 CHAPETR 3 DISTRIBUTED DEPLOYMENT OF DDoS DEFENSE SYSTEM 3.1. INTRODUCTION The last decade has seen many prominent DDoS attack on high profile webservers. In order to provide an effective defense against
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationAn Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan
An Open Source IPS IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan Introduction IPS or Intrusion Prevention System Uses a NIDS or Network Intrusion Detection System Includes
More informationIntrusion Detection and Intrusion Prevention. Ed Sale VP of Security Pivot Group, LLC
Intrusion Detection and Intrusion Prevention Ed Sale VP of Security Pivot Group, LLC Presentation Goals Describe IDS and IPS Why They Are Important Deployment and Use Major Players The IT Security Camera
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationHow To Manage Sourcefire From A Command Console
Sourcefire TM Sourcefire Capabilities Store up to 100,000,000 security & host events, including packet data Centralized policy & sensor management Centralized audit logging of configuration & security
More informationAlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationAdvancement in Virtualization Based Intrusion Detection System in Cloud Environment
Advancement in Virtualization Based Intrusion Detection System in Cloud Environment Jaimin K. Khatri IT Systems and Network Security GTU PG School, Ahmedabad, Gujarat, India Mr. Girish Khilari Senior Consultant,
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationThreat Center. Real-time multi-level threat detection, analysis, and automated remediation
Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities
More informationAlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide
AlienVault Unified Security Management (USM) 4.x-5.x Deployment Planning Guide USM 4.x-5.x Deployment Planning Guide, rev. 1 Copyright AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationEverything You Always Wanted to Know About Log Management But Were Afraid to Ask. August 21, 2013
Everything You Always Wanted to Know About Log Management But Were Afraid to Ask August 21, 2013 Logging and Log Management Logging and Log Management The authoritative Guide to Understanding the Concepts
More informationA Review on Network Intrusion Detection System Using Open Source Snort
, pp.61-70 http://dx.doi.org/10.14257/ijdta.2016.9.4.05 A Review on Network Intrusion Detection System Using Open Source Snort Sakshi Sharma and Manish Dixit Department of CSE& IT MITS Gwalior, India Sharmasakshi1009@gmail.com,
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationConfiguring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
More informationEffective Use of Security Event Correlation
Effective Use of Security Event Correlation Mark G. Clancy Chief Information Security Officer The Depository Trust & Clearing Corporation DTCC Non-Confidential (White) About DTCC DTCC provides custody
More informationTo read more Linux Journal or start your subscription, please visit http://www.linuxjournal.com.
AlienVault the Future of Security Information Management Meet AlienVault OSSIM, a complex security system designed to make your life simpler. JERAMIAH BOWLING Security Information Management (SIM) systems
More informationRAVEN, Network Security and Health for the Enterprise
RAVEN, Network Security and Health for the Enterprise The Promia RAVEN is a hardened Security Information and Event Management (SIEM) solution further providing network health, and interactive visualizations
More informationCourse Title: Penetration Testing: Security Analysis
Course Title: Penetration Testing: Security Analysis Page 1 of 9 Course Description: The Security Analyst Series from EC-Council Press is comprised of five books covering a broad base of topics in advanced
More informationIntruPro TM IPS. Inline Intrusion Prevention. White Paper
IntruPro TM IPS Inline Intrusion Prevention White Paper White Paper Inline Intrusion Prevention Introduction Enterprises are increasingly looking at tools that detect network security breaches and alert
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationWho am I? BlackHat RSA
Intrusion Detection Who am I? Informal Security Education CS - Colby College Honors work in Static Analysis Fortify Software Engineer Architect Product Management HP AlienVault Products BlackHat RSA What
More informationIntrusion Detection Systems
Intrusion Detection Systems Advanced Computer Networks 2007 Reinhard Wallner reinhard.wallner@student.tugraz.at Outline Introduction Types of IDS How works an IDS Attacks to IDS Intrusion Prevention Systems
More informationNext Level. Elevated to the. 22 nd Chaos Communication Congress. Alien8 - Matthias Petermann
Intrusion Detection Systems Elevated to the Next Level Alien8 - Matthias Petermann 22 nd Chaos Communication Congress Agenda Attacks and Intrusion Methods Why Intrusion Detection? IDS Technologies Basic
More informationOWASP Logging Project - Roadmap
OWASP Logging Project - Roadmap SUMMARY Why log?... 2 What is commonly logged?... 2 What are security logs?... 2 What are the most common issues with logging?... 2 What are the common functions of a log
More informationCS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013
CS 356 Lecture 17 and 18 Intrusion Detection Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationIntrusion Detection & SNORT. Fakrul Alam fakrul@bdhbu.com
Intrusion Detection & SNORT Fakrul Alam fakrul@bdhbu.com Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through
More informationLog Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security
Foreword p. xvii Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security Information to Management p. 5 Example of an
More informationIntrusion Detection Systems
Intrusion Detection Systems Assessment of the operation and usefulness of informatics tools for the detection of on-going computer attacks André Matos Luís Machado Work Topics 1. Definition 2. Characteristics
More informationSymantec Security Information Manager Version 4.7
Version 4.7 Agenda What are the challenges? What is Security Information Manager? How does Security Information Manager work? Why? 2 Security Management Challenges 3 Managing IT Security PREVENT INFORM
More informationOSSIM. Open Source Security Information Management. Brian E. Lavender. Sac State. CSC 250, Spring 2008. Final Project
Open Source Security Information Management Sac State CSC 250, Spring 2008 Final Project 2008 1 Table of Contents Introduction...2 How Functions...2 Installation...5 Initial Configuration Steps...6 Creating
More informationSystem Specification. Author: CMU Team
System Specification Author: CMU Team Date: 09/23/2005 Table of Contents: 1. Introduction...2 1.1. Enhancement of vulnerability scanning tools reports 2 1.2. Intelligent monitoring of traffic to detect
More informationNetwork Security Monitoring
Network Security Monitoring Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationJuniper Security Threat Response Manager (STRM) Mikko Kuljukka COMPUTERLINKS Oy
Juniper Security Threat Response Manager (STRM) Mikko Kuljukka COMPUTERLINKS Oy Customer Challenges Dispersed Threats IT Overload IT information overload Flood of logged events from many point network
More informationTraffic Monitoring : Experience
Traffic Monitoring : Experience Objectives Lebah Net To understand who and/or what the threats are To understand attacker operation Originating Host Motives (purpose of access) Tools and Techniques Who
More informationIntrusion Detections Systems
Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...
More informationWHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT
WHITE PAPER PROCESS CONTROL NETWORK SECURITY: INTRUSION PREVENTION IN A CONTROL SYSTEMS ENVIRONMENT WHAT S INSIDE: 1. GENERAL INFORMATION 1 2. EXECUTIVE SUMMARY 1 3. BACKGROUND 2 4. QUESTIONS FOR CONSIDERATION
More informationNetwork Intrusion Analysis (Hands-on)
Network Intrusion Analysis (Hands-on) TCP/IP protocol suite is the core of the Internet and it is vital to understand how it works together, its strengths and weaknesses and how it can be used to detect
More informationNetwork- vs. Host-based Intrusion Detection
Network- vs. Host-based Intrusion Detection A Guide to Intrusion Detection Technology 6600 Peachtree-Dunwoody Road 300 Embassy Row Atlanta, GA 30348 Tel: 678.443.6000 Toll-free: 800.776.2362 Fax: 678.443.6477
More informationDeploying HIDS Client to Windows Hosts
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationName. Description. Rationale
Complliiance Componentt Description DEEFFI INITION Network-Based Intrusion Detection Systems (NIDS) Network-Based Intrusion Detection Systems (NIDS) detect attacks by capturing and analyzing network traffic.
More informationHow To Protect A Network From Attack From A Hacker (Hbss)
Leveraging Network Vulnerability Assessment with Incident Response Processes and Procedures DAVID COLE, DIRECTOR IS AUDITS, U.S. HOUSE OF REPRESENTATIVES Assessment Planning Assessment Execution Assessment
More informationOpen Source Security Tool Overview
Open Source Security Tool Overview Presented by Kitch Spicer & Douglas Couch Security Engineers for ITaP 1 Introduction Vulnerability Testing Network Security Passive Network Detection Firewalls Anti-virus/Anti-malware
More informationIntroduction to Network Discovery and Identity
The following topics provide an introduction to network discovery and identity policies and data: Host, Application, and User Detection, page 1 Uses for Host, Application, and User Discovery and Identity
More informationdisect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM
disect Systems Logging Snort alerts to Syslog and Splunk PRAVEEN DARSHANAM INTRODUCTION Snort is an open source network Intrusion Detection and Prevention Systems (IDS/IPS) developed by Martin Roesch capable
More informationIntrusion Detection Systems
Intrusion Detection Systems Intrusion Detection Systems Intrusion Detection Systems: Overview IDS Acronyms & Definition Components Recognition & Response Security Interoperability & Cooperation HIDS NIDS
More informationIntrusion Detection Systems. Darren R. Davis Student Computing Labs
Intrusion Detection Systems Darren R. Davis Student Computing Labs Overview Intrusion Detection What is it? Why do I need it? How do I do it? Intrusion Detection Software Network based Host based Intrusion
More informationIntroduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network
Introduction to Intrusion Detection and Snort p. 1 What is Intrusion Detection? p. 5 Some Definitions p. 6 Where IDS Should be Placed in Network Topology p. 8 Honey Pots p. 9 Security Zones and Levels
More informationGetting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
More informationSURVEY OF INTRUSION DETECTION SYSTEM
SURVEY OF INTRUSION DETECTION SYSTEM PRAJAPATI VAIBHAVI S. SHARMA DIPIKA V. ASST. PROF. ASST. PROF. MANISH INSTITUTE OF COMPUTER STUDIES MANISH INSTITUTE OF COMPUTER STUDIES VISNAGAR VISNAGAR GUJARAT GUJARAT
More informationKingston University London
Kingston University London Analysis and Testing of Intrusion Detection/Prevention Systems (IDS/IPS) XYLANGOURAS ELEFTHERIOS Master of Science in Networking and Data Communications THESIS Kingston University
More informationIBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer
IBM Security QRadar SIEM & Fortinet / FortiAnalyzer Introducing new functionality for IBM QRadar Security Intelligence Platform: integration with Fortinet s firewalls and logs forwarded by FortiAnalyzer.
More informationIntrusion Detection Systems and Supporting Tools. Ian Welch NWEN 405 Week 12
Intrusion Detection Systems and Supporting Tools Ian Welch NWEN 405 Week 12 IDS CONCEPTS Firewalls. Intrusion detection systems. Anderson publishes paper outlining security problems 1972 DNS created 1984
More informationEnvironment. Attacks against physical integrity that can modify or destroy the information, Unauthorized use of information.
Cyber Security. Environment, Solutions and Case study. Special Telecommunications Service David Gabriel, Buciu Adrian Contact: gdavid13@sts.ro adibuciu@sts.ro Environment Network/services can be damaged
More informationNetwork Security Management
Network Security Management TWNIC 2003 Objective Have an overview concept on network security management. Learn how to use NIDS and firewall technologies to secure our networks. 1 Outline Network Security
More informationBUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports
BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports Building a Security Operation Center Agenda: Auditing Your Network Environment Selecting Effective Security
More informationIntrusion Detection Systems (IDS)
Intrusion Detection Systems (IDS) What are They and How do They Work? By Wayne T Work Security Gauntlet Consulting 56 Applewood Lane Naugatuck, CT 06770 203.217.5004 Page 1 6/12/2003 1. Introduction Intrusion
More informationSIEM Optimization 101. ReliaQuest E-Book Fully Integrated and Optimized IT Security
SIEM Optimization 101 ReliaQuest E-Book Fully Integrated and Optimized IT Security Introduction SIEM solutions are effective security measures that mitigate security breaches and increase the awareness
More informationSnort Installation - Ubuntu FEUP. SSI - ProDEI-2010. Paulo Neto and Rui Chilro. December 7, 2010
December 7, 2010 Work Proposal The purpose of this work is: Explain a basic IDS Architecture and Topology Explain a more advanced IDS solution Install SNORT on the FEUP Ubuntu distribution and test some
More informationIntrusion Detection Systems with Correlation Capabilities
Intrusion Detection Systems with Correlation Capabilities Daniel Johansson danjo133@student.liu.se Pär Andersson paran213@student.liu.se Abstract Alert correlation in network intrusion detection systems
More informationFederated Network Security Administration Framework
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 3, March 2013,
More informationJoshua Beeman University Information Security Officer October 17, 2011
Joshua Beeman University Information Security Officer October 17, 2011 1 June, 2011- NPTF Security Presentation on FY 12 InfoSec goals: Two Factor Authentication Levels of Assurance Shibboleth InCommon
More informationCisco IPS Tuning Overview
Cisco IPS Tuning Overview Overview Increasingly sophisticated attacks on business networks can impede business productivity, obstruct access to applications and resources, and significantly disrupt communications.
More informationArcSight Supports a Wide Range of Security Relevant Products
ArcSight Supports a Wide Range of Security Relevant Products ArcSight s data collection capabilities are the most versatile in the industry and run the gamut from a centralized collection point on the
More informationEffective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention
Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention Your Security Challenges Defending the Dynamic Network! Dynamic threats 䕬 䕬 䕬 䕬 Many threats
More informationTaxonomy of Intrusion Detection System
Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use
More informationRule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationDeployment of Snort IDS in SIP based VoIP environments
Deployment of Snort IDS in SIP based VoIP environments Jiří Markl, Jaroslav Dočkal Jaroslav.Dockal@unob.cz K-209 Univerzita obrany Kounicova 65, 612 00 Brno Czech Republic Abstract This paper describes
More informationEffective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
More informationAnalysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware
Analysis and Evaluation of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware 1 Corresponding Author: lawal5@yahoo.com 1 O.B. Lawal Computer Science Department,
More informationIntrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool
Intrusion Detection System in Campus Network: SNORT the most powerful Open Source Network Security Tool Mukta Garg Assistant Professor, Advanced Educational Institutions, Palwal Abstract Today s society
More informationNetwork Based Intrusion Detection Using Honey pot Deception
Network Based Intrusion Detection Using Honey pot Deception Dr.K.V.Kulhalli, S.R.Khot Department of Electronics and Communication Engineering D.Y.Patil College of Engg.& technology, Kolhapur,Maharashtra,India.
More informationCARENET-SE. NOC Tools Review. Communication System Design Summer 2010. Project team. Champion Björn Pehrson Coach Hans Eriksson
NOC Tools Review CARENET-SE Communication System Design Summer 2010 Project team IK2207 Alin Pastrama pastrama@kth.se Champion Björn Pehrson Coach Hans Eriksson IK2207 Annika Holmgren annika.holmgren@gmail.com
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationSecospace elog. Secospace elog
Secospace elog Product Overview With the development of networks, security events continually occur on hosts, databases, and Web servers. These range from Trojans, worms, and SQL injections, to Web page
More informationChapter 9 Firewalls and Intrusion Prevention Systems
Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish
More informationAnalyzing Logs For Security Information Event Management Whitepaper
ADVENTNET INC. Analyzing Logs For Security Information Event Management Whitepaper Notice: AdventNet shall have no liability for errors, omissions or inadequacies in the information contained herein or
More informationPeeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory
Peeling Back the Layers of the Network Security with Security Onion Gary Smith, Pacific Northwest National Laboratory A Little Context! The Five Golden Principles of Security! Know your system! Principle
More informationIntrusion Detection System (IDS)
Intrusion Detection System (IDS) Characteristics Systems User, Process predictable actions describing process under that actions what pattern subvert actions attack of correspond the systems processes
More informationO S S I M. Open Source Security Information Manager. User Manual
O S S I M Open Source Security Information Manager User Manual Created by Kevin Milne (www.z4ck.org) Contributions by OSSIM Staff 2 nd September 2004 Index Introduction 3 1 Logging in 5 1.1 The Metrics
More information2B0-023 ES Advanced Dragon IDS
ES Advanced Dragon IDS Q&A DEMO Version Copyright (c) 2007 Chinatag LLC. All rights reserved. Important Note Please Read Carefully For demonstration purpose only, this free version Chinatag study guide
More informationAssets, Groups & Networks
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationTk20 Network Infrastructure
Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...
More informationSecurity Power Tools
Security Power Tools nmap: Network Port Scanner nmap is a network port scanner. Its main function is to check a set of target hosts to see which TCP and UDP ports have servers listening on them. Since
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationWHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM WWW.ALIENVAULT.COM
WHAT IS LOG CORRELATION? Understanding the most powerful feature of SIEM WWW.ALIENVAULT.COM IT S ALWAYS IN THE LOGS. 84% of Organizations that had their security breached in 2011, had evidence of the breach
More informationAlienVault. Unified Security Management (USM) 5.1 Running the Getting Started Wizard
AlienVault Unified Security Management (USM) 5.1 Running the Getting Started Wizard USM v5.1 Running the Getting Started Wizard, rev. 2 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault
More informationCSCI 454/554 Computer and Network Security. Topic 8.4 Firewalls and Intrusion Detection Systems (IDS)
CSCI 454/554 Computer and Network Security Topic 8.4 Firewalls and Intrusion Detection Systems (IDS) Outline Firewalls Filtering firewalls Proxy firewalls Intrusion Detection System (IDS) Rule-based IDS
More informationTivoli Security Information and Event Manager V1.0
Tivoli Security Information and Event Manager V1.0 Summary Security information and event management (SIEM) is a primary concern of the CIOs and CISOs in many enterprises. They need to centralize security-relevant
More informationHow To Set Up Foglight Nms For A Proof Of Concept
Page 1 of 5 Foglight NMS Overview Foglight Network Management System (NMS) is a robust and complete network monitoring solution that allows you to thoroughly and efficiently manage your network. It is
More informationCALNET 3 Category 7 Network Based Management Security. Table of Contents
State of California IFB STPD 12-001-B CALNET 3 Category 7 Network Based Security Table of Contents 7.2.1.4.a DDoS Detection and Mitigation Features... 1 7.2.2.3 Email Monitoring Service Features... 2 7.2.3.2
More informationComprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)
Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware
More information