Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

Agenda
- Problem Description
- Issues for Consideration
- Mitigation of the Issues
- Options for Implementation of IDS Tools
- Quantifiable Metrics
- Conclusion

Problem Description (diagram)
Security/Network Operations Center:
- Alert monitoring of sensors and computing systems
- Data, notify, training
IDS Administrators:
- Identify tools and procedures; change as required
- On-call SME for alert analysis
- Staffing and expertise
Escalation path: escalate, activate, and facilitate a response team to identify and mitigate risk, drawing on Security, Legal, hardware experts, application experts, Operations, PR, and HR.

Issues for Consideration
- Security Policy Development
- Business Requirements for Using IDS
- Impacts to Computing Environment
- Security Alerts: Integration and Management, Resolution, Incident Response

Security Policy Development
- Establishes the corporate-level need for IDS: approval, guidance, direction
- Establishes the organization responsible for implementation and control of the IDS tools
- Establishes the expected output of the IDS implementation: reports, incident response, attack mitigation

Business Requirements for IDS
- Federal mandate by GLBA and HIPAA
- Business partner connections
- Distributed business units within the company
- Specialized security alerting and analysis of suspicious activity

Impacts to Computing Environment (diagram)
1. Electronic Sensing: NIDS (network) and HIDS (hosts) produce raw alarms
2. Electronic Triage: real-time alerting produces filtered alarms
3. Correlation Triage at the SOC: produces incident alerts
4. Off-line Analysis: off-line analysis tools and database
5. Computing Emergency Response Team: incident communication and coordination
6. Virtual Incident Response Teams
7. IDS Team: technical monitoring and improvement
8. Vulnerability Management

Alert Integration and Management
- Consolidating security alerts from multiple sources (firewalls, IDS, and network gear)
- Actively monitoring and responding to all alerts
- Managing the volume of security alerts
- Normalizing the alert data for common points of integration

Alert Resolution
- Correlating the various alerts from multiple security sources
- Evaluating the risk of suspicious activity
- Determining the level of vulnerability
- Determining what is within normal activity for the monitored environment
- Mitigating false positive alerts
- Communications with security, network, or operating system (OS) administrators
- Documentation

Alert Incident Response

Mitigation of the Issues - Program Management Approach
- Define
- Plan
- Fund
- Implement
- Test
- Deliver
- Maintain

Mitigation of the Issues - System Engineering Approach
- Define the requirements
- System design
- Build the pieces
- Test the pieces
- Integration testing
- System delivery
- Maintenance

Options for IDS Implementation
- Company resources
- Out-sourcing to consultants or Managed Security Service Providers
- Utilizing vendor professional services

Use Company Resources When
- Top Secret or highly sensitive information is involved (e.g. military, financial, or international).
- The company is diversified across geographical continents.
- The company has appropriate staff to support the implementation.
- The company is diversified across multiple business disciplines; an example is a company with both government and commercial business customers.

Use Out-Sourcing When
Consultants:
- Temporary addition to current staff
- Expertise beyond the current level of staff
- Jump-start for an IDS deployment or alert monitoring operations
Managed Security Service Providers:
- 24 x 7 x 52 alert monitoring operations staff
- Alert consolidation and correlation
- Expertise for risk awareness and analysis
- False positive mitigation
- Alert resolution and incident escalation

Use Vendor Services When
- A single-vendor approach is taken to deployment of the IDS tools.
- A single vendor provides a majority of the computing systems used by the company.
- The expertise of company personnel needs to be augmented.
- Indirect training on the product is wanted during implementation.

Quantifiable Metrics
Reports:
- Actions grouped according to company risk: suspicious activity, attempted intrusion, escalated events, incidents for resolution
- Top 10 suspicious IP addresses
- Numbers of high, medium, and low alerts
- System status of IDS tools
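The Alert Integration and Management, Alert Resolution and Quantifiable Metrics slides describe one pipeline: normalize alerts from several sources into a common record, suppress activity that is normal for the monitored environment, correlate what remains by source, and report counts by severity plus the top suspicious IP addresses. The script below is an added example written for this page, not material from the presentation or from First Data. Both input formats (a key=value "nids" line and a key=value "fw" line), the sample lines, the authorized-scanner baseline and the risk-grouping rule are constructed assumptions; real sensors need their own parsers, and the grouping policy is whatever the company's security policy defines.

```python
"""Normalize, triage and summarize security alerts from multiple sources.

Added example (not part of the original presentation). The two line formats
are hypothetical: a NIDS alert line and a firewall log line, both key=value.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: mixed lines from a NIDS sensor and a firewall,
# plus one unparseable line to show that parse failures are counted, not lost.
SAMPLE_LINES = [
    "nids ts=2024-01-01T10:00:01 sid=2001 sev=high msg='SQL injection attempt' src=198.51.100.7 dst=10.0.0.5",
    "fw ts=2024-01-01T10:00:02 action=DENY src=198.51.100.7 dst=10.0.0.5 dport=3306",
    "nids ts=2024-01-01T10:00:03 sid=3001 sev=low msg='ICMP ping sweep' src=10.0.0.20 dst=10.0.0.1",
    "fw ts=2024-01-01T10:00:04 action=DENY src=203.0.113.9 dst=10.0.0.7 dport=22",
    "nids ts=2024-01-01T10:00:05 sid=2001 sev=high msg='SQL injection attempt' src=198.51.100.7 dst=10.0.0.6",
    "nids ts=2024-01-01T10:00:06 sid=4002 sev=medium msg='Port scan' src=203.0.113.9 dst=10.0.0.7",
    "fw ts=2024-01-01T10:00:07 action=DENY src=10.0.0.20 dst=10.0.0.1 dport=161",
    "garbage line that no parser understands",
]

# Constructed baseline: the company's own authorized vulnerability scanner.
# Alerts it triggers are "normal activity for the monitored environment".
AUTHORIZED_SCANNERS = {"10.0.0.20"}

# key=value tokens; values may be single-quoted to allow spaces.
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


@dataclass(frozen=True)
class Alert:
    """Common record every source is normalized into."""
    ts: str
    source: str      # producing system: "nids" or "fw"
    severity: str    # normalized to high / medium / low
    signature: str   # human-readable reason
    src_ip: str
    dst_ip: str


def parse_line(line: str):
    """Normalize one raw line into an Alert, or None if it is not understood."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    kind, rest = parts
    fields = {k: (q if q else v) for k, q, v in KV_RE.findall(rest)}
    try:
        if kind == "nids":
            return Alert(fields["ts"], "nids", fields["sev"].lower(),
                         fields["msg"], fields["src"], fields["dst"])
        if kind == "fw":
            # Firewall denies carry no severity of their own; treat as low.
            sig = f"firewall {fields['action']} dport={fields['dport']}"
            return Alert(fields["ts"], "fw", "low", sig, fields["src"], fields["dst"])
    except KeyError:
        return None
    return None


def triage(lines, authorized_scanners=AUTHORIZED_SCANNERS):
    """Parse all lines, drop baseline activity, and count what was removed."""
    alerts, unparsed, suppressed = [], 0, 0
    for line in lines:
        alert = parse_line(line)
        if alert is None:
            unparsed += 1
            continue
        if alert.src_ip in authorized_scanners:
            suppressed += 1          # false positive for this environment
            continue
        alerts.append(alert)
    return alerts, unparsed, suppressed


def classify(alerts):
    """Correlate by source IP and assign a constructed risk grouping:
    a high alert corroborated by a second source escalates; a high alert from
    one source is an attempted intrusion; anything else is suspicious activity."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert.src_ip].append(alert)
    groups = {}
    for ip, group in by_src.items():
        has_high = any(a.severity == "high" for a in group)
        sources = {a.source for a in group}
        if has_high and len(sources) > 1:
            groups[ip] = "Escalated Events"
        elif has_high:
            groups[ip] = "Attempted Intrusion"
        else:
            groups[ip] = "Suspicious Activity"
    return groups


def report(lines):
    """Produce the metrics from the Quantifiable Metrics slide."""
    alerts, unparsed, suppressed = triage(lines)
    return {
        "severity_counts": dict(Counter(a.severity for a in alerts)),
        "top_suspicious_ips": Counter(a.src_ip for a in alerts).most_common(10),
        "risk_groups": classify(alerts),
        "suppressed_as_baseline": suppressed,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

The suppressed and unparsed counters are deliberately part of the report: a sensor whose lines stop parsing, or a baseline entry that silences far more than expected, is itself an IDS status item worth reviewing.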

Conclusion
- IDS tools are good for specialized security alerting and analysis of suspicious activity.
- Implementing an IDS solution requires that a company address how it will monitor and resolve the associated alerts.
- Considerations for the 80% of the solution will greatly enhance the security posture.