Why We Keep Doing Security Wrong – Grant Cohoe
About Me
• System Administrator– RSA (The security division of EMC)
• OpComm Director / Sysadmin / Chairman– Computer Science House @ RIT
• ISTS Team OpComm (“Team Uptime”)– 3rd place 2011, 2nd place 2012
Firewalls
• Host-based
  – Windows Firewall, iptables, pf
  – Drill holes!
  – No one filters outbound traffic
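As an added example (not a ruleset from the talk), here is what "filter outbound traffic" looks like on a Linux host in nftables: the commented-out output chain is the default-allow state most hosts ship with, the live one is a default-deny egress policy. The interface names, the resolver address 10.0.0.53 and the allowed ports are assumptions for illustration.

```nftables
# Added example, not from the talk. Addresses and ports are assumptions.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept comment "the one inbound hole: admin SSH"
    }

    # The usual host-based state: everything out is allowed, nothing is seen.
    # chain output {
    #     type filter hook output priority 0; policy accept;
    # }

    # The hardened state: only what this host is known to need leaves it.
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif "lo" accept
        ip daddr 10.0.0.53 udp dport 53 accept comment "corporate resolver only"
        tcp dport { 80, 443 } accept comment "web, ideally through the proxy"
        udp dport 123 accept comment "NTP"
        ct state new log prefix "egress-drop " counter drop
    }
}
```

The last rule matters as much as the policy: every new outbound connection that matches nothing is logged and counted, so a host that starts reaching out to an address it has no business contacting shows up in the logs rather than silently succeeding.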
Firewalls
• Network-based
  – Cisco ASA/PIX, CheckPoint Gateway, etc.
  – Drill fewer holes, but worse ones
• Example: SSH
NAT
• Non-routable private IP addresses
• No one can get to you directly?
  – WRAUNG!
  – Example: Adjacent Router
IPS
• Look for malicious activity and stop it
  – What/who defines “malicious”?
• Often very specific targets
VoIP Phones
• Rely on a trusted network infrastructure
• Do little to no verification of configuration
• Desktop bugging devices
Printers
• Rarely segregated (dedicated printer network)
• Bad software
• No firewalls
• Springboard for more advanced attacks
Achievement
• High CapEx
  – Equipment, infrastructure
• Low resources to monitor
  – No SOC monkeys, investigators
• Even less to respond
  – In a crisis, you can’t move
Process
• Moderate CapEx
  – Different equipment, infrastructure
• Moderate resources to monitor
  – 24/7 staffed SOC w/ investigators
• Moderate resources to respond
  – System management tools, live network mapping, etc.
Security Analytics
• Real-time holistic intelligence platform
• Gather data from many sources
• Compare against profiles
• Replay entire sessions and content
Security Analytics
• As things happen, log them
  – Wireshark everything and store it
  – Server logs
  – Active Directory events
• If anything seems weird, analyze it
Profiles
• Old-and-busted approach:
  – Someone is trying to get into Oracle
• New hotness approach:
  – Josh is authenticated to the VPN
  – Jeff is authenticated to AD
  – Nick is trying to get into Oracle
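The two Security Analytics slides and the Profiles slide describe one technique: gather events from several sources, build a picture of who is authenticated where, and judge each new event against it. As an added example (not code from the talk or from any product), the script below runs that comparison over a few constructed log lines in the slide's own scenario. The VPN, AD and Oracle line formats are assumptions made up for the example.

```python
"""Added example, not from the talk: correlating events from several sources
against a per-identity profile, the "new hotness" the Profiles slide describes
(Josh is on the VPN, Jeff is in AD, Nick is trying to get into Oracle).

Every log line below is a constructed sample and the key=value formats are
assumptions, not the real output of any VPN, Windows or Oracle product.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (source, ISO timestamp, message)
SAMPLE_EVENTS = [
    ("vpn",    "2012-03-01T09:00:05", "user=josh action=connect src=203.0.113.7 assigned=10.8.0.12"),
    ("ad",     "2012-03-01T09:01:10", "EventID=4624 user=jeff src=10.0.1.25 logon_type=2"),
    ("ad",     "2012-03-01T09:02:00", "EventID=4624 user=josh src=10.8.0.12 logon_type=3"),
    ("oracle", "2012-03-01T09:03:30", "user=josh src=10.8.0.12 action=logon status=success"),
    ("oracle", "2012-03-01T09:04:00", "user=nick src=10.0.1.99 action=logon status=failure"),
    ("oracle", "2012-03-01T09:04:02", "user=nick src=10.0.1.99 action=logon status=failure"),
    ("oracle", "2012-03-01T09:04:05", "user=nick src=10.0.1.99 action=logon status=success"),
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(source, ts, msg):
    """Turn one raw line into a dict of fields plus its source and time."""
    fields = dict(KV.findall(msg))
    fields["source"] = source
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def build_context(events):
    """Who is authenticated where: for each identity, the sources that have
    seen it log on and the addresses it logged on from."""
    ctx = defaultdict(lambda: {"sources": set(), "addrs": set()})
    for e in events:
        if e["source"] == "vpn" and e.get("action") == "connect":
            ctx[e["user"]]["sources"].add("vpn")
            ctx[e["user"]]["addrs"].add(e["assigned"])   # the VPN-assigned address
        elif e["source"] == "ad" and e.get("EventID") == "4624":  # successful logon
            ctx[e["user"]]["sources"].add("ad")
            ctx[e["user"]]["addrs"].add(e["src"])
    return ctx


def old_and_busted(events):
    """Single-source view: every Oracle failure is 'someone', nothing more."""
    return [f"someone failed to log into Oracle from {e['src']}"
            for e in events
            if e["source"] == "oracle" and e.get("status") == "failure"]


def new_hotness(events):
    """Cross-source view: judge each Oracle logon against what the VPN and AD
    logs say about that identity. Only events that break the profile are
    reported, one line per distinct finding."""
    ctx = build_context(events)
    findings, seen = [], set()
    for e in events:
        if e["source"] != "oracle":
            continue
        user, src = e["user"], e["src"]
        profile = ctx.get(user)          # .get() does not create an entry
        if profile is None:
            note = f"{user} reached Oracle from {src} with no VPN or AD logon on record"
        elif src not in profile["addrs"]:
            note = (f"{user} reached Oracle from {src} but authenticated from "
                    f"{sorted(profile['addrs'])}")
        else:
            continue                     # identity, address and access line up
        if note not in seen:
            seen.add(note)
            findings.append(note)
    return findings


def run(raw=SAMPLE_EVENTS):
    """Parse, order by time, and return both views for comparison."""
    events = sorted((parse(*r) for r in raw), key=lambda e: e["ts"])
    return old_and_busted(events), new_hotness(events)


if __name__ == "__main__":
    old, new = run()
    print("old-and-busted:", *old, sep="\n  ")
    print("new-hotness:", *new, sep="\n  ")
```

On the sample data the old view reports two anonymous failures; the cross-source view says nothing about Josh, whose Oracle logon came from the address the VPN and AD both saw him on, and raises one finding for Nick, who reached the database without any VPN or AD logon on record. The profile is what turns "someone" into a name and a question worth asking.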
Session Replay
• Server access logs tell you when something happened
• Wireshark lets you replay the network traffic
• Get the badness into a secured environment
• Poke at it
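The three bullets above are a pipeline: the access log gives the time, the stored capture gives the bytes, and the slice around that time is what gets carried into the lab. As an added example (not code from the talk), the script below does exactly that with the standard library alone: it parses the timestamp out of an access-log line, walks a classic pcap file record by record, and writes the packets from a window around the event back out as a new pcap that Wireshark can open. The log line and packet payloads are constructed samples; a real capture would hold full Ethernet/IP frames rather than short labels.

```python
"""Added example, not from the talk: the Session Replay idea in code. A server
access log says *when*, the packet capture ("Wireshark everything and store
it") holds *what*; this pulls the packets from a window around the logged
event into a new pcap that can be opened in Wireshark inside a secured lab.

The log line and the packet payloads are constructed samples; a real capture
would carry full Ethernet/IP frames. The classic pcap layout used here
(24-byte global header, 16-byte per-packet header) is the documented format.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

# Classic pcap global header: little-endian, microsecond timestamps, LINKTYPE_ETHERNET.
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

LOG_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed access-log line in the common "[day/Mon/year:H:M:S zone]" style.
SAMPLE_LOG_LINE = '10.0.1.99 - nick [01/Mar/2012:09:04:05 -0500] "POST /db/logon HTTP/1.1" 200 512'


def make_packet(ts, payload):
    """One pcap record: ts_sec, ts_usec, incl_len, orig_len, then the bytes."""
    return struct.pack("<IIII", int(ts.timestamp()), ts.microsecond,
                       len(payload), len(payload)) + payload


def build_sample_pcap():
    """A constructed capture: two far-away 'noise' packets and three packets
    seconds apart from the logged event (09:04:05 -0500 is 14:04:05 UTC)."""
    base = datetime(2012, 3, 1, 14, 4, 0, tzinfo=timezone.utc)
    packets = [(-120, b"noise-before"), (2, b"SYN-to-db"), (4, b"logon-attempt"),
               (6, b"logon-ok"), (300, b"noise-after")]
    return PCAP_GLOBAL + b"".join(
        make_packet(base + timedelta(seconds=off), p) for off, p in packets)


def iter_pcap(data):
    """Yield (timestamp, payload) for every record in a classic pcap blob,
    honouring the byte order announced by the magic number."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # file was written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        ts = datetime.fromtimestamp(sec, timezone.utc) + timedelta(microseconds=usec)
        yield ts, data[off:off + incl]
        off += incl


def log_time(line):
    """Pull the event time out of an access-log line as an aware datetime."""
    m = LOG_TS.search(line)
    if not m:
        raise ValueError("no timestamp in log line")
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def packets_around(pcap, log_line, before=30, after=30):
    """Records whose timestamps fall within [event-before, event+after] seconds."""
    t = log_time(log_line)
    lo, hi = t - timedelta(seconds=before), t + timedelta(seconds=after)
    return [(ts, payload) for ts, payload in iter_pcap(pcap) if lo <= ts <= hi]


def slice_pcap(pcap, log_line, **window):
    """Write just that window back out as a standalone pcap for the lab box."""
    return PCAP_GLOBAL + b"".join(make_packet(ts, p)
                                  for ts, p in packets_around(pcap, log_line, **window))


if __name__ == "__main__":
    for ts, payload in packets_around(build_sample_pcap(), SAMPLE_LOG_LINE):
        print(ts.isoformat(), payload)
```

Timestamps are kept timezone-aware throughout so a log written in local time lines up with a capture stamped in UTC; getting that wrong is the most common reason a replay window comes back empty. The output of slice_pcap is a complete pcap, so only the relevant seconds of traffic, not the whole store, need to move into the secured environment.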
Summary
• Don’t rely solely on perimeter defenses
• Don’t overlook anything, no matter how small
• Security is a process, not an achievement
• Security analytics should be a thing