Security Information and Event Management Project

Security Information and Event Management Project Proposal
Submission: Mr. Ken Foster

Contents
- Recommendation
- What is Security Information and Event Management
- Business Case for SEIM Deployment
- Core Functions of an effective SEIM
- To be effective a SEIM solution must be able to consume
- Examples of an Attack with and without SEIM integration

SEIM Procurement Project

Recommendation: Today's security infrastructure is comprised of stand-alone security solutions designed to provide a defense-in-depth approach. The solution lacks a central point of analysis for the identification of complex blended attacks and the ability to implement consistent policies for event handling across networks. This organization must implement a Security Information and Event Management (SEIM) solution to identify and inhibit blended attacks from successfully penetrating, and remaining undetected within, the existing network infrastructure.

What is Security Information and Event Management: A Security Information and Event Management (SEIM) appliance provides automated analysis of multiple events from across the network, seeking relationships which may indicate an effort to attack or exfiltrate sensitive data. SEIM appliances are able to handle events based on levels of severity and predetermined policies. These policies determine the severity of an event, pre-determined isolation and action requirements, and report notification procedures. In addition to increasing the overall security of the network, these policies may be utilized for mandatory auditing compliance verification and provide additional forensic evidence which may be provided to authorities for prosecution.

Business Case for SEIM Deployment: There are two compelling business cases for deployment of a SEIM in our environment.

1. Counter-Measure Effectiveness: SEIMs provide enhanced operational awareness of our attack surface and of the effectiveness of our counter-measures against both internal and external penetration attempts. These devices provide both a preventative (perimeter) and reactive (post-intrusion) solution to policy-based violations. Currently a typical organization with an OC3 connection sees an average of 2,204 critical/major alerts each month on its intrusion detection/prevention systems. This equates to one serious event every 19 seconds on average. These alerts do not include denials on the firewalls, which occur prior to the IPS's visibility but, should a SEIM be integrated, would provide a more detailed overview of the attack vectors used.

2. Compliance Monitoring, Reporting, and Scoring: SEIMs provide both prebuilt and optional custom-built reports to give an overview of the effectiveness and security posture of the network. These reports can be used as tools for determining activity trends and compliance ratings, documenting post-intrusion event analysis, and providing metrics for policy review and improvement. Dependent upon the sector of the organization, these reports may be mandated by SOX, HIPAA, and other compliance requirements.

Core Functions of an effective SEIM: A SEIM has five primary functions that it must address to be considered an effective Security Information and Event Management tool:

Log Consolidation: Centralized log collection based on standardized formats and consumption. This includes deployment and monitoring of collector devices/sensors on sources.

Event Normalization: Events come from many sources and in many formats. The SEIM must be able to consume the logs and analyze the data elements to cross-correlate the native values from one vendor to the equivalent from another source. For example, the Sasser worm exploit appears as:
- Cisco event 3338: IDS Signature Windows LSASS RPC Overflow
- Symantec anti-virus exploit: W32/Sasser.worm
- SNORT IDS event 2512: NETBIOS SMB-DS DCERPC LSASS bind attempt

Threat Correlation: An artificial intelligence engine that uses collected events and either event signatures or anomaly-based detection algorithms to identify policy violations.

Incident Management: Execute a workflow that occurs as the result of policy violation detection. These workflows may include any combination of:
- Notification Facilities (e.g. Email, SNMP Traps to Network monitoring software, etc.)
- Trouble Ticket Creation
- Execution of Automated Scripts
- Policy-based Response and Remediation
- Correlated Event Logging

Reporting: Production of event reports that comply with FISMA, HIPAA, and Forensics Investigation formats, in addition to actionable metrics for performance measurement.

To be effective a SEIM solution must be able to consume:
- Firewall Events
- IDS Sensor Events
- AAA: LDAP or AD (as applicable)
- Vulnerability Scanner results
- Server and Workstation event logs
- Anti-Virus / Malware
- Host-based Intrusion Detection Logs
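As an added example (not from the proposal), the following Python sketch shows event normalization and cross-vendor correlation for the Sasser case above: three constructed log lines in assumed vendor-like layouts are mapped to one canonical threat name and grouped by target host, so the correlation stage can see that three independent sources agree. The log layouts, canonical name, and addresses are constructed for this example and are not any vendor's real syntax.

```python
import re
from collections import defaultdict

# Vendor-native identifiers for the same threat (the proposal's Sasser example)
# mapped to one canonical name; the canonical name is chosen for this example.
CANONICAL = {
    ("cisco", "3338"): "sasser_lsass_rpc_overflow",
    ("symantec", "W32/Sasser.worm"): "sasser_lsass_rpc_overflow",
    ("snort", "2512"): "sasser_lsass_rpc_overflow",
}

# One pattern per source format. These layouts are constructed for the example
# and are not any vendor's real log syntax.
PARSERS = {
    "cisco": re.compile(r"^cisco sig=(?P<sig>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "snort": re.compile(r"^snort \[\d+:(?P<sig>\d+):\d+\] .* (?P<src>\S+) -> (?P<dst>\S+)"),
    "symantec": re.compile(r"^symantec host=(?P<dst>\S+) threat=(?P<sig>\S+)"),
}

def normalize(line):
    """Map one raw line to (vendor, canonical_threat, src, dst); None if unknown."""
    for vendor, rx in PARSERS.items():
        m = rx.match(line)
        if m:
            threat = CANONICAL.get((vendor, m.group("sig")))
            if threat is None:
                return None            # known format, but no mapping for this signature
            return vendor, threat, m.groupdict().get("src"), m.group("dst")
    return None

def correlate(lines):
    """Group normalized events by (threat, target) and list the distinct sources."""
    sources = defaultdict(set)
    for line in lines:
        n = normalize(line)
        if n:
            vendor, threat, _src, dst = n
            sources[(threat, dst)].add(vendor)
    return {k: sorted(v) for k, v in sources.items()}

def verdict(lines, min_sources=2):
    """Threats confirmed by at least min_sources independent sources on one host."""
    return [k for k, v in correlate(lines).items() if len(v) >= min_sources]

SAMPLE = [  # constructed log lines using documentation and private addresses
    "cisco sig=3338 src=203.0.113.5 dst=10.0.0.7",
    "snort [1:2512:7] NETBIOS SMB-DS DCERPC LSASS bind attempt 203.0.113.5 -> 10.0.0.7",
    "symantec host=10.0.0.7 threat=W32/Sasser.worm",
    "cisco sig=9999 src=203.0.113.9 dst=10.0.0.8",
]
```

Running `verdict(SAMPLE)` reports the one host on which all three sources agree, while the unmapped Cisco signature is dropped at normalization rather than silently counted.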

Examples of an Attack with and without SEIM integration: Discussion of SEIMs is best undertaken through the visualization of a simulated attack against a network. Using the common, industry-established practices for network penetration, a standardized process can be analyzed. Below are two examples of a simulated common exploitation of a network from the perimeter. In example one, the network provides common anti-penetration tactics without any event correlation. In example two, a SEIM is integrated into the solution to demonstrate how policies are applied based on the artificial intelligence engine and combined log analysis (which occurs in near real time).

Example 1: Current Network (IPS w/o SEIM):

Phase 1 Reconnaissance: Attacker uses HPING, NMAP, or Firewalker to execute a scan of the firewall to determine which ports are open. Once open ports are determined, OS and infrastructure fingerprinting attempt to identify devices for targeted attacks. In the reconnaissance phase these probes are done slowly to attempt to avoid firewall and IPS exploit signatures.

Phase 2 Stealth Targeting Payloads: Once the attacker has selected a target for compromise, they must send packets to the target that will provide them a mechanism to launch their compromise. This must be done in a manner that prevents the Intrusion Prevention System from detecting this action. Common tools in this space include nemesis, fragroute, admutate, and metasploit.

Phase 3 System Compromise: The packets arrive at the host causing a buffer overflow and allowing for the installation of backdoors, rootkits, and botnets. The compromised system then reports in to the attacker that it is ready for control. This portion may include fooling Anti-virus/Malware detection mechanisms.

(Diagram note: In Phase 3, two-way communications begin via stealth channels and data exfiltration begins. The system can be used as internal Command and Control for further internal system compromise and reconnaissance.)

Example 2: Current Network (IPS with SEIM Integration):

Phase 1 Reconnaissance: Attacker uses HPING, NMAP, or Firewalker to execute a scan of the firewall to determine which ports are open. Events are sent to the SEIM which, using artificial intelligence, detects the port scans and creates an event at the minor/warning level. It tracks this event. When OS and infrastructure fingerprinting begin, the SEIM correlates this event with the previously tracked event and raises the event to elevated, triggering a workflow alert to the security team.

Phase 2 Stealth Targeting Payloads: The firewall reports fragmented packets or the IPS detects possible exploit patterns. The SEIM raises the event to critical and executes the policy and workflow for the event. This may include port or IP blocking, system isolation, and security team notification.

(Diagram note: Policy-based Action, e.g. Alert, block, etc.)

Phase 3 System Compromise: If the attacker is successful in evading the Firewall, IPS, and Anti-virus in order to deploy a payload on the system, communication traffic back from the compromised host to the attacker would trigger a Major Threat event, and the Major Event Policy and notification actions would be executed.
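As an added example, not part of the proposal, this Python sketch implements the escalation ladder Example 2 describes: a port scan is tracked at minor, fingerprinting from an already-tracked source is correlated up to elevated, fragmented packets or an IPS exploit pattern raise it to critical, and a callback from a targeted host to that attacker raises it to major and fires the corresponding workflow. Event kinds, action names, and addresses are constructed assumptions for the example.

```python
# Severity ladder and per-level workflow from the proposal's Example 2. The
# action names are assumptions for this example, not a product's policy vocabulary.
LEVELS = ["none", "minor", "elevated", "critical", "major"]
WORKFLOW = {
    "minor": ["track"],
    "elevated": ["notify_security_team"],
    "critical": ["block_source_ip", "isolate_target", "notify_security_team"],
    "major": ["isolate_target", "open_ticket", "notify_security_team"],
}

class Correlator:
    """One tracked record per external source, escalated as the attack phases chain."""
    def __init__(self):
        self.tracked = {}   # external ip -> {"level": str, "targets": set of internal hosts}
        self.actions = []   # (ip, level, workflow) in the order policies fired
    def _record(self, ip):
        return self.tracked.setdefault(ip, {"level": "none", "targets": set()})
    def _escalate(self, ip, level):
        rec = self._record(ip)
        if LEVELS.index(level) > LEVELS.index(rec["level"]):   # never de-escalate
            rec["level"] = level
            self.actions.append((ip, level, WORKFLOW[level]))
        return rec["level"]
    def ingest(self, kind, src, dst):
        """Apply one event and return the severity now assigned to the attacker."""
        if kind == "port_scan":                                  # Phase 1: track only
            return self._escalate(src, "minor")
        if kind == "os_fingerprint":                             # Phase 1, correlated
            was_tracked = src in self.tracked
            self._record(src)["targets"].add(dst)
            return self._escalate(src, "elevated" if was_tracked else "minor")
        if kind in ("fragmented_packets", "ips_exploit_pattern"):  # Phase 2
            self._record(src)["targets"].add(dst)
            return self._escalate(src, "critical")
        if kind == "outbound_conn":      # Phase 3: a targeted host calls the attacker
            if dst in self.tracked and src in self.tracked[dst]["targets"]:
                return self._escalate(dst, "major")
        return "none"

def run_example():
    """Constructed event sequence following the proposal's three phases."""
    c = Correlator()
    events = [
        ("port_scan", "203.0.113.5", "192.0.2.1"),
        ("os_fingerprint", "203.0.113.5", "10.0.0.7"),
        ("fragmented_packets", "203.0.113.5", "10.0.0.7"),
        ("outbound_conn", "10.0.0.7", "203.0.113.5"),
    ]
    return [c.ingest(*e) for e in events], [a[1] for a in c.actions]
```

The same fingerprinting event from a source the SEIM has not seen before only reaches minor, which is the correlation benefit the narrative contrasts with Example 1.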
