belnet events management
TRANSCRIPT
![Page 1: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/1.jpg)
Events Management or
How to Survive Security Incidents
Belnet Security Conference, May 2010
![Page 2: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/2.jpg)
Agenda
Today's Situation
How to implement a solution
How to handle security incidents
Examples & tools
Q & A
![Page 3: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/3.jpg)
About
Xavier Mertens
Senior Security Consultant @ C-CURE
CISSP, CISA
Security Blogger
BruCON Volunteer
More info? Maltego!
![Page 4: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/4.jpg)
Introduction
Some scenarios
Present: Source: Real-time alerts; Action: Immediate investigation
Past (during last week or month): Source: Reporting; Action: Adapt procedures & infrastructure
Investigations ("smoke signal"): Source: Specific request; Action: Forensics
![Page 5: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/5.jpg)
Today's Issues
Technical
Networks are complex
Based on heterogeneous components (firewalls, IDS, proxies, etc.)
Millions of daily events
Lots of consoles/tools
Protocols & applications
![Page 6: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/6.jpg)
Today's Issues (next)
Economical: "Time is Money"
Investigations must be performed in real time
Downtime may have a huge business impact
Reduced staff & budgets
Happy shareholders
![Page 7: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/7.jpg)
Today's Issues (next)
Legal
Compliance requirements: PCI-DSS, SOX, HIPAA, etc.
Initiated by the group or business
Local laws
Due diligence & due care
Security policies must be enforced!
![Page 8: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/8.jpg)
Current Situation
Organizations are using good security perimeters based on proven solutions
But without a clear view and control of the infrastructure
Attacks become more and more sophisticated and frequent
Not prepared to deal with security incidents
![Page 9: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/9.jpg)
Requirements
To handle security incidents properly, an organization must rely on:
Tools
Procedures: upstream, downstream, continuous (!)
Event Management != Big Brother
![Page 10: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/10.jpg)
Visibility
More integration, more sources, more chances to detect a problem
Integration of external sources of information could help the detection of incidents:
Automatic vulnerability scans
Import of vulnerability databases
Awareness
![Page 11: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/11.jpg)
Know your Network
Inventory: Devices, Protocols, Users
Behavior: Bandwidth usage, EPS (Events per Second)
![Page 12: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/12.jpg)
Procedures
Boring but required! Back to the basics:
Process: Input -> Output
Input: Change management
Output: Incident management
![Page 13: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/13.jpg)
Change Management
New devices are connected
Old devices are decommissioned
User provisioning
New applications are deployed
Security perimeter? Still valid?
![Page 14: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/14.jpg)
Incident Management
Business first! (MTTR)
Avoid decisions made urgently
Keywords: Understand, Protect, Recover, Investigate
![Page 15: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/15.jpg)
Prevention
Recurrent process!
Security lifecycle
Requires time
Information sources: Forums, Blogs, Conferences
![Page 16: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/16.jpg)
A Security Incident?
Definitions
An event is "an observable change to the normal behavior of a system, environment, process, workflow or person (components)."
An incident is "a series of events that adversely affects the information assets of an organization."
Examples? Read the press! ;-) You will face one!
![Page 17: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/17.jpg)
Security Convergence
Physical Security + Logical Security
Example: Geolocation: user authentication + badge control
![Page 18: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/18.jpg)
A Four-Step Process
Collection, Normalization, Index, Storage
![Page 19: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/19.jpg)
Three Actions
Real-time alerts
Reports
"Forensics" or "smoke signals"
![Page 20: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/20.jpg)
Architecture
Devices, Systems, Applications -> Collectors -> Indexer -> Store -> Alerts, Reports, Search
Long Term Storage
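The four steps (collection, normalization, index, storage) and the three actions (real-time alerts, reports, search) of the architecture above, as an added Python example that is not part of the original talk. The sample log lines, the common field names and the failed-login alert threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict, Counter

# Constructed sample lines from three heterogeneous sources (firewall, sshd, Apache); not real logs.
RAW_EVENTS = [
    ("fw", "May 12 10:01:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=22"),
    ("ssh", "May 12 10:01:05 srv1 sshd[2213]: Failed password for root from 203.0.113.7 port 4410 ssh2"),
    ("ssh", "May 12 10:01:09 srv1 sshd[2213]: Failed password for admin from 203.0.113.7 port 4411 ssh2"),
    ("ssh", "May 12 10:01:14 srv1 sshd[2213]: Failed password for root from 203.0.113.7 port 4412 ssh2"),
    ("web", '192.0.2.55 - alice [12/May/2010:10:02:01 +0200] "GET /index.html HTTP/1.1" 200 512'),
    ("ssh", "May 12 10:03:00 srv1 sshd[2290]: Accepted password for alice from 192.0.2.55 port 5001 ssh2"),
]
# Step 2, normalization: one regex per source maps its native format onto a common schema.
PARSERS = {
    "fw": re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<outcome>\w+) .*SRC=(?P<src_ip>\S+)"),
    "ssh": re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src_ip>\S+)"),
    "web": re.compile(r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "[^"]*" (?P<outcome>\d{3})'),
}

def normalize(source, raw):  # returns a dict with fixed keys, or None if the line does not fit
    m = PARSERS[source].match(raw)
    if not m: return None
    d = m.groupdict()
    return {"ts": d["ts"], "source": source, "src_ip": d["src_ip"],
            "user": d.get("user", "-"), "outcome": d["outcome"].upper(), "raw": raw}

class EventStore:  # steps 3 and 4: an inverted index keyed by src_ip over the ordered event store
    def __init__(self):
        self.events = []                # storage: every normalized event, in arrival order
        self.by_ip = defaultdict(list)  # index: src_ip -> positions in self.events
        self.alerts = []                # real-time alerts raised during ingest
    def ingest(self, source, raw, threshold=3):
        ev = normalize(source, raw)
        if ev is None: return None      # unparseable line: neither indexed nor alerted on
        self.events.append(ev)
        self.by_ip[ev["src_ip"]].append(len(self.events) - 1)
        # Action 1, real-time alert: fire once, when an address reaches `threshold` failed logins.
        fails = sum(1 for i in self.by_ip[ev["src_ip"]] if self.events[i]["outcome"] == "FAILED")
        if fails == threshold:
            self.alerts.append({"src_ip": ev["src_ip"], "count": fails, "at": ev["ts"]})
        return ev
    def report(self):  # Action 2, reporting: event counts per (source, outcome)
        return Counter((e["source"], e["outcome"]) for e in self.events)
    def search(self, src_ip):  # Action 3, search / forensics: all events from one address, in order
        return [self.events[i] for i in self.by_ip[src_ip]]

def run_pipeline(raw_events=RAW_EVENTS):  # step 1, collection: feed every source into one store
    store = EventStore()
    for source, raw in raw_events:
        store.ingest(source, raw)
    return store
```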
![Page 21: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/21.jpg)
Need for a SOC?
Yes but ... SOC or SPoC, directly depending on your organization size
Starting with a dedicated person is enough
Investments (time & money)
Roles: Alerts, Reports, Investigate
![Page 22: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/22.jpg)
Communication
Mandatory step in the process
Do not lie! Be transparent
Online reputation must be properly managed
Think about shareholders, the press, customers
![Page 23: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/23.jpg)
Examples
To follow... Apache, Google, Splunk
To avoid... The "Belgian Jeweler"
![Page 24: Belnet events management](https://reader036.vdocuments.site/reader036/viewer/2022081516/55636048d8b42ae6088b4796/html5/thumbnails/24.jpg)
Examples & Tools
OSSEC
OSSIM
Apache mod_dlp
ngrep for basic DLP