Campus. Impact. UC Riversidee Security Tools. Security Tools. of systems



Similar documents
Security Data Analytics Platform

Threat Center. Real-time multi-level threat detection, analysis, and automated remediation

The SIEM Evaluator s Guide

QRadar SIEM 6.3 Datasheet

SANS Top 20 Critical Controls for Effective Cyber Defense

MANAGED SECURITY SERVICES (MSS)

Multi- factor Authentication Initiative

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Netzwerkvirtualisierung? Aber mit Sicherheit!

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Brian Albrecht, MIS, CISSP Senior Knowledge Engineer LogRhythm, Inc.

IT Security & Compliance. On Time. On Budget. On Demand.

The Comprehensive Guide to PCI Security Standards Compliance

Payment Card Industry Data Security Standard

Enabling Security Operations with RSA envision. August, 2009

The Sumo Logic Solution: Security and Compliance

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Tivoli Security Information and Event Manager V1.0

MANAGED SECURITY SERVICES (MSS)

Obtaining Enterprise Cybersituational

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

End-user Security Analytics Strengthens Protection with ArcSight

Company Overview. Enterprise Cloud Solutions

CorreLog Alignment to PCI Security Standards Compliance

VULNERABILITY & COMPLIANCE MANAGEMENT SYSTEM

Technology Blueprint. Assess Your Vulnerabilities. Maintain a continuous understanding of assets and manage vulnerabilities in real time

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform

How To Protect A Network From Attack From A Hacker (Hbss)

Cyber Security RFP Template

How To Protect Your Cloud From Attack

High End Information Security Services

Analyzing HTTP/HTTPS Traffic Logs

Effective Log Management

Unified Security, ATP and more

Security Information and Event Management (SIEM)

NEXPOSE ENTERPRISE METASPLOIT PRO. Effective Vulnerability Management and validation. March 2015

1 Introduction Product Description Strengths and Challenges Copyright... 5

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Clavister InSight TM. Protecting Values

Concierge SIEM Reporting Overview

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

The Importance of Cybersecurity Monitoring for Utilities

Security Intelligence Services.

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Requirements When Considering a Next- Generation Firewall

Boosting enterprise security with integrated log management

Cisco Remote Management Services for Security

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

Teradata and Protegrity High-Value Protection for High-Value Data

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

PROJECT BOEING SGS. Interim Technology Performance Report 3. Company Name: The Boeing Company. Contract ID: DE-OE

CLOUD GUARD UNIFIED ENTERPRISE

How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)

PCI DSS Reporting WHITEPAPER

Braindumps QA

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Scalability in Log Management

PCI Requirements Coverage Summary Table

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

Security Information Management (SIM)

Guideline on Auditing and Log Management

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Security Administration R77

Vulnerability Management

Information & Asset Protection with SIEM and DLP

SYMANTEC DATA CENTER SECURITY: SERVER ADVANCED 6.5

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

LogRhythm and PCI Compliance

IBM Tivoli Compliance Insight Manager

Cisco Cyber Threat Defense - Visibility and Network Prevention

Defending Against Data Beaches: Internal Controls for Cybersecurity

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

Ovation Security Center Data Sheet

NitroView. Content Aware SIEM TM. Unified Security and Compliance Unmatched Speed and Scale. Application Data Monitoring. Database Monitoring

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

PCI Compliance for Cloud Applications

Intelligent End User Compute Strategy. Ted Smith Nigel Brown

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

Intro to NSX. Network Virtualization VMware Inc. All rights reserved.

mbits Network Operations Centrec

Verve Security Center

Secure Cloud Computing

Network Security Policy: Best Practices White Paper

PacketTrap One Resource for Managed Services

Cyber Security for NERC CIP Version 5 Compliance

Average annual cost of security incidents

Prevent cyber attacks. SEE. what you are missing. Netw rk Infrastructure Security Management

How To Manage Security On A Networked Computer System

Architecture Overview

Transcription:

Security Tools (SecTools) UCR's implementationn of a security dashboard (nominally designated SecTools) is a wonderfully flexible and useful framework for viewing current security incidents and for gaining an understanding of the current security posture on campus. Currently the informationn provided in the dashboard includes the number and IPs of external hosts that have null routes in place, a listing off current security events such as ssh brute force attacks, and global information about attacking hosts. Each of the above can be focused on so thatt low level details are revealed. Thus, not only does the SecTools site provide a window into current security events and preventions, it allows operationall personnel to turn off campus systems, whitelist others, and, in the future, look at campus servers forr adherence to campus security standards. The security tools platform is a great advancement in UCR's security infrastructure. Russ Harvey, Director, Computing Infrastructure & Security, Campus Impact The growth of the UCR campus in recent years has forced UCR Computing and Communications to reconsider how IT resources are provisioned, monitored and protected. With hundreds of systems hosting applications and providing critical services for campus needs, it has become clear that protecting these systems and obtaining enterprise visibility into the active security environment can be a 1

complicated and expensive challenge. Moreover, IT security teams can quickly becomee overloaded with data and manual processes can significantly hamper the ability to rapidly respond to evolving threats. As campus services have grown and security threats continuously evolve, UCR wanted to develop a better way to understand and manage its enterprise security environment. Business Need A proposal was laid out to significantly improve UCR s enterprise security capabilities by building a new security ecosystem utilizing free open source software (FOSS) and inexpensive commodity hardware solutions. A central component of this security ecosystem would be a Security Information and Event Management system ( SIEM) that would aggregate large amounts of data and correlatee security events across a multitude of systems and network devices. Vendor SIEM solutions can be expensive, difficult to customize and have limited flexibility for dynamic environments operating with limited resources. The challenge was to build a system that leveraged FOSS as muchh as possible and fill in the gaps with custom software that providedd SIEM capability without significant investments in additional infrastructure or personnel. To meet these challenges, UCR has successfully created and deployed a core component of our new ecosystem called Security Tools or simply, SecTools. SecTools provides a real time dashboard displaying host and network security alerts using data acquired from intrusion detection sensors. Various incident response tools have been added to assist security teams in quickly responding to events. Additionally, SecTools automatically responds to certain events by blocking the attacker s access to campus resources without requiring manual intervention by IT security staff. Ultimately, SecTools will acquire security relevant data from many sources including directory services and inventory management systems to help enhance incident response activities. 2

Highlights The SecTools dashboard provides an enhanced situational awareness capability that UCR did not have before. SecTools provides a single, unified environment for viewing and responding to security events based on data acquired from host intrusion detection (HIDS) and network intrusion detection systems (NIDS). Security events are categorized and reported based on defined levels of severity. Security personnel can view the specific log or audit records from a particular hostt or device that triggered the respectivee security event. Existing legacy incident response tools have been updated, optimized and integrated into the SecTools environment. Security staff have the ability to block active attacks (internal or external) via campus border routers throughh simple interfaces. Event data is correlated from intrusion detection sensors giving staff insight into the behavior of a particular attack before making a response decision. 3

Technology and Implemen ntation Free and Open Source Technologies There have been no software or licensing costs to implementt SecTools. The SecTools dashboard and HIDS interface layer were built by using Mojolicious, a real time web services framework, in conjunction with a MySQL database backend. Host and network intrusionn detection capability for event collection and correlation use the open source solutions OSSEC and Bro IDS. Both systems have a robust rules framework allowing new rules to be quickly implemented to deal with evolving security vulnerabilities. Web Services Architecture SecTools has been implemented using a REST web services framework utilizing simple HTTP GET or POST operations. This provides an easy to use API for storing and retrieving security event data while making it easy to add new functionality for future tools and leverage new sourcess of event data. SecTools also provides wrapper services for network devices or systems such as Cisco LAN Management Solution, providing a convenient way for security staff and their applications/scriptss to retrieve data without needing to deal with the complexities of the vendor API. The web servicess offer data in HTML, JSON or XML formats. Dashboard Capability Security engineers are provided a unified dashboard allowingg an integrated visibility into the security environment. Additionally, various security tools have been integrated into the environment providing a single point for security event management and incident response. Intrusionn Prevention In order to implement SecTools, it was critical for the Securityy team to work with the Network Services Group. Personnel in both Security and Network Services cooperated to implement a hardware and software solution allowing SecTools to automatically respondd to security threats by blocking malicious actors at campus border routers. Capability is also in place too quickly respond to internal campus incidents. 4

Cross Platform Analysis OSSEC HIDS provide cross platform data collection, file integrity monitoring and log analysis for Linux, Unix (Solaris, AIX, HP UX, BSD), Mac and Windows platforms. Agentless monitoring is also available for monitoring special purpose appliances or network devices (e.g. network switches). OSSEC also supports a large collection of host services including web servers, mail servers, directory services, databases and firewalls. A web services wrapper for OSSEC was written to facilitate data exchange with SecTools. Collaborative Response The handling of IT security incidents are occasionally complicated by the division of responsibilities in the UCR environment. Security staff may act on given activity behind the scenes, while support staff deal with the clients directly. SecTools optimizes the response security staff have to incidents, but it also provides support personnel capabilities to continue the remediation process of incidents without requiring security staff intervention. Case Studies Campus E Mail System As with many universities, phishing attacks are a persistent and evolving problem at UCR. Phishers are constantly changing their tactics with hundreds of targeted phishing sites being setup daily. The challenge was to implement a system that could monitor this behavior and allow for quick updates to evolving threats. SecTools and OSSEC were chosen to provide an external security monitoring service to correlate events for detecting suspicious mail traffic, phished accounts and automatically generating security reports. SecTools provided automated response to security threats such as SMTP brute force attacks and account harvesting by blocking malicious users via campus border routers. This system has provided a real time assessment and response mechanism for UCR mail systems processing millions of messages each day. In the last couple months, over 60 compromised (phished) accounts have been successfully identified and remediated. Additionally, over 1500 mail server attacks have been stopped. Host Intrusion Detection/Prevention UCR is in the process of deploying HIDS and NIDS sensors to a wide range of critical systems. OSSEC sensors are currently monitoring various types of systems and service daemons. Certain types of attacks are reported to SecTools for automatic response, which includes blocking the attacks at campus border routers and alerting administrators of these actions. To date, over 300 attacks against UCR systems have been stopped primarily through automated intrusion prevention. These automated responses have helped offload routine remediation tasks from security teams. Compliance UCR has to meet compliance objectives like any other large organization. Specifically, we have systems that must meet PCI DSS compliance. SecTools and OSSEC were chosen to provide monitoring and analysis services to meet specific security control objectives outlines in PCI DSS, such as: File Integrity Monitoring Log collection, analysis and reporting Intrusion detection and prevention UC Riverside Security Tools 5

The system will also help meet specific control objectives of IS3 compliance. Administrators can be alerted regarding file integrity violations and utilize SecTools to view the specifics of the violation. Corrective action can then be immediately taken. Future phases of this project will provide scheduled and on demand compliance assessments, which will immediately report noncompliance to SecTools via its web service interface. Cross Functional Team Coordination UCR Computing Support (Help Desk) personnel have the ability to release security blocks for internal UCR hosts that were previously infected or otherwise compromised. SecTools has provided basic authorization features giving Help Desk staff a modified dashboard and applications to assist in responding to trouble tickets and perform basic user/host remediation tasks. For example, Help Desk personnel are able to work directly with students to release network blocks put in place due to malware infected machines or DMCA violations. Testimonials "A single place to go for security events and remediation information has long been a goal for our organization. Because it is architected and implemented using open source, standards based tools, the SecTools framework can meet our immediate needs and be extended to encompass future aspects of our security ecosystem. SecTools is our Killer App for security management." Timeline Bob Grant, Interim Executive Director, September 2012 November 2012 December 2012 May 2013 August 2013 Project Initiation System Testing with C&C Phase I Deployment (Dashboard, HIDS Module) Phase II Deployment (HIDS Agents) Phase III Deployment (NIDS) On the Web Production site: https://sectools.ucr.edu Team Members Stephen Hock Nicholas Turley Michael Brandeis Jonathan Ocab Dept., Org., Partners, etc. UC Riverside Security Tools 6

Submitted By Nicholas Turley Computing Infrastructure Security Analyst nick.turley@ucr.edu (951) 827 3070 UC Riverside Security Tools 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information