Security Administration Tools and Practices
Amit Bhan
Usable Privacy and Security
Agenda
• Security Administration
• Purpose of Security Tools
• Examples of Security Tools
• Security Incident Manager (SIM)
– Security Monitoring
• Cases from the Field
• Problems with Security Administration
• Improvements
Security Administration?
• Security administration is the process of maintaining a safe computing environment.
• Purpose? Need?
• Security Administrator
• Responsibilities?
Purpose of Security Tools
• Combining text and visuals
• Reporting
• Monitoring
• Correlating
• Simplify the life of a Security Administrator
Combining Text and Visuals
• Size and complexity of networks
• A System Administrator has a variety of responsibilities: install, configure, monitor, debug and patch
• Visualization vs. Perl scripts
• VisFlowConnect-IP (who is connecting to whom on my network?)
• Other tools (discussed later)
Reporting
• Many security tools have a built-in capability for reporting
• Why is reporting important?
• Examples:
– Nessus (vulnerability information)
– SIM (security incident information)
Monitoring
• Some security tools have a live data feed for the network
• Different types of monitoring
– Network monitoring
– Security event monitoring
– Network security incident monitoring
Correlation
• Correlation integrates the key security factors that are critical in determining the potential for significant damage within an organization. These factors are:
– Real-time events from heterogeneous devices
– Results of vulnerability scans and other sources of threat data
– The value of the host, database or application to the organization
Life of a Security Administrator
• According to the paper “Combining Text and Visual Interfaces for Security-System Administration”, security administrators are very conservative when it comes to technology adoption.
• Why?
Security Admin Tools
• Mentioned in Text:
– Bro
– Nessus
– Symantec Anti-virus
– Tripwire
– Rootkit
– Sebek
Bro
• Bro (http://www.bro-ids.org/) is a NIDS.
• Bro supports signature analysis, and in fact can read Snort signatures. (Snort is one of the most popular NIDS available.)
• Bro also performs (a limited form of) anomaly detection, looking for activity that resembles an intrusion.
Structure of Bro
[Figure: architecture diagram of Bro; the image is not included in this transcript]
Nessus
• Nessus is a free, comprehensive vulnerability scanning software.
• Its goal is to detect potential vulnerabilities on the tested systems.
Nessus Screenshot - 1
Nessus Screenshot - 2
Nessus Screenshot - 3
Other tools
• Security Incident Management System
– ArcSight
– Novell e-Security Sentinel
• Network Incident Management System
– Whatsup Gold
– IBM Tivoli
ArcSight
• Large enterprise and government infrastructures are growing increasingly dynamic and complex
• ArcSight ESM is an event management tool
• Different capabilities: filters, correlation, reporting, threat monitor, vulnerability knowledge base, asset information, risk management, zones, etc.
Architecture - ArcSight ESM
• SmartAgents (residing on remote systems or on a separate layer)
• Devices or Remote Systems (Firewalls, IDSs etc.)
• Correlation engine
• Central database
• ArcSight Manager (console/browser)
Testing ArcSight
• Real strength: analyzing huge volumes of data
• When tested at an ISP that provided managed services to many corporate clients, generating millions of events a day (stress test), ArcSight had no hiccups.
• Biggest advantage: scaling
ArcSight screenshot 1
ArcSight screenshot 2
ArcSight screenshot 3
e-Security Sentinel
• Competitor of ArcSight, Network Intelligence, Symantec Security Information Manager
• Event collector
• Analyses and correlates events to determine if an event violates a predetermined condition or acceptable threshold.
• Control Center & Correlation Engine
• Unlike ArcSight, e-Security Sentinel has an iScale Message Bus that is based on the Sonic JMS* bus architecture.
– Highly scalable
– Doesn’t rely on a relational database
e-Security Sentinel Screenshot 1
[Screenshot not included in this transcript]
e-Security Sentinel Screenshot 2
[Screenshot not included in this transcript]
Cases from the Field
• Security Checkup
– Latest fixes/patches
– Use of IDS + regular scanning of network
– Security Engineers need to be well informed (discussions on forums)
Case 1 - virus/worm/spyware on the network
Case 2 - false alarms
Case 3 - Real time network security monitoring
Case 4 - Security Scans
Problems with Security Administration
• Integration is required
– From firewalls to IDSs to Websense to vulnerability information to KB
• Challenges
– Too much to look at
– No single standard data format
– Out of sync system clocks
• Correlation becomes difficult
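As an added example (not from the slides or from any product named in them), a small Python correlator in the sense of the earlier Correlation slide, showing how the two challenges above, no common data format and unsynchronized clocks, are handled before correlation: it maps a firewall log and an IDS log onto one event layout, corrects a device clock assumed to run three minutes fast, and scores each source/destination pair from event weight, vulnerability-scan results and asset value. All log lines, hosts, clock offsets, weights and asset values are constructed.

```python
from datetime import datetime, timedelta
import re

# Constructed sample logs: the firewall writes syslog-style text, the IDS writes CSV.
FIREWALL_LOG = [
    "2024-03-01 10:05:12 fw1 ALLOW src=203.0.113.9 dst=10.0.0.7 dport=1433",
    "2024-03-01 10:05:10 fw1 DENY src=203.0.113.9 dst=10.0.0.5 dport=445",
]
IDS_LOG = ["2024-03-01T10:02:14,ids1,203.0.113.9,10.0.0.7,1433,sql_injection"]
# Assumed clock skew per device: fw1 runs 3 minutes fast, so 3 minutes are subtracted on ingest.
CLOCK_OFFSET = {"fw1": timedelta(minutes=-3), "ids1": timedelta(0)}
# Constructed vulnerability-scan results (vulnerable open ports) and asset value per host.
VULN_PORTS = {"10.0.0.7": {1433}, "10.0.0.5": set()}
ASSET_VALUE = {"10.0.0.7": 5, "10.0.0.5": 1}

FW_RE = re.compile(r"(\S+ \S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(line, fmt):
    """Map one raw line of either format onto the common event layout."""
    if fmt == "firewall":
        ts, dev, action, src, dst, port = FW_RE.match(line).groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        weight = 2 if action == "ALLOW" else 1   # traffic that got through weighs more
    else:
        ts, dev, src, dst, port, _signature = line.split(",")
        when = datetime.fromisoformat(ts)
        weight = 3                               # an IDS alert outranks a plain log line
    when += CLOCK_OFFSET.get(dev, timedelta(0))  # put every device on the same clock
    return {"time": when, "src": src, "dst": dst, "port": int(port), "weight": weight}

def correlate(events, window=timedelta(minutes=5)):
    """Group events per (src, dst) within `window` of the first sighting, then score:
    sum of weights, +3 if a hit port is a scanned vulnerability, times asset value."""
    groups = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        g = groups.setdefault((ev["src"], ev["dst"]), {"first": ev["time"], "events": []})
        if ev["time"] - g["first"] <= window:    # later stragglers are left out here
            g["events"].append(ev)
    scored = {}
    for (src, dst), g in groups.items():
        score = sum(e["weight"] for e in g["events"])
        if any(e["port"] in VULN_PORTS.get(dst, set()) for e in g["events"]):
            score += 3
        scored[(src, dst)] = score * ASSET_VALUE.get(dst, 1)
    return scored

def run():
    """Correlate the constructed logs; the allowed hit on the vulnerable, high-value host ranks first."""
    events = [normalize(l, "firewall") for l in FIREWALL_LOG] + [normalize(l, "ids") for l in IDS_LOG]
    return correlate(events)
```

Without the clock correction the firewall's ALLOW line would sit three minutes after the IDS alert, and a shorter window would split them into two findings instead of one.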
Problems cont.
• Information asymmetry
– Use of manual tools (location, address books, information directories)
• Process is slow because of very little integration
– A problem in times of actual attacks
• Critical factor - “Time”
• New vulnerabilities - proactive work pays
• Administrator motto - “Know Thy Network”
Improvements
• New tools to help security administrators need to be developed
– Standardization of event formats for easier integration
– Application of data mining in event classification, analysis and noise reduction
– Automated event stream processing
– Improved information management tools
Questions?