Architecting Solutions for Security Investigations and Monitoring (2012 San Diego)
by Cisco Security on Jun 19, 2012
This is a new session for 2012. Over the past 10 years, security threats have grown from network annoyances to attacks on sensitive infrastructure. Evidence indicates that security threats are growing more sophisticated and aimed at embedding malware in infrastructure. This presentation will share Cisco CSIRT's evolving architecture for addressing sophisticated, embedded threats. Topics will describe how CSIRT has evolved its network infrastructure over the past 10 years, and will give detailed architectural examples and guidance regarding their multi-petabyte global deployments of:

* Log/event collection of syslog, DNS, web proxy logs, ModSecurity logs
* NetFlow collection
* Host and user attribution techniques (using DHCP, NAT, VPN logs to identify users)

It will also include a description of how CSIRT Engineering is integrating the following solutions into their global deployment:

* Challenges and solutions for multiple filtered detection using SPANs and taps (IDS, DNS collection, web proxy, DLP)
* Rapid operationalization of collaborative, commercial, and home-grown intelligence
* Pulling this all together in a free-form custom SIEM

Security experts from Cisco's Computer Security Incident Response Team (CSIRT) demonstrate how to detect security incidents on your global network. This session will include in-depth discussions on 1) using network telemetry to build contextual information about your network, 2) putting this powerful information to work inside your security monitoring toolkit, and 3) overlaying this knowledge against corporate security policies to produce actionable results. This session will also present methods to ensure critical security monitoring data sources are kept online and available. This session will help you make certain that event data needed for investigations is captured, relevant, and available during critical incident response.
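The host and user attribution step described above, joining NAT, DHCP and VPN logs on address and time window, as an added illustration (not code from the session or from Cisco CSIRT; all log records are constructed samples and the tuple layouts are assumptions):

```python
"""Attribute a source address seen in an alert to a host and user by joining
DHCP, NAT and VPN logs on IP and time window. All records are constructed
samples and the tuple layouts are assumptions, not Cisco CSIRT's schemas."""
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# (start, end, outside_ip, outside_port, inside_ip): one NAT translation
NAT_LOG = [
    (ts("2012-06-19 10:00:00"), ts("2012-06-19 10:05:00"), "203.0.113.10", 40001, "10.1.1.50"),
    (ts("2012-06-19 10:03:00"), ts("2012-06-19 10:04:00"), "203.0.113.10", 40002, "10.1.1.51"),
]
# (start, end, inside_ip, mac, hostname): one DHCP lease; the same address
# was leased to a different host earlier that morning, so the timestamp matters
DHCP_LEASES = [
    (ts("2012-06-19 08:00:00"), ts("2012-06-19 08:45:00"), "10.1.1.50", "66:77:88:99:aa:bb", "old-host"),
    (ts("2012-06-19 09:00:00"), ts("2012-06-19 13:00:00"), "10.1.1.50", "00:11:22:33:44:55", "lab-pc-7"),
]
# (start, end, pool_ip, username): one VPN session
VPN_SESSIONS = [
    (ts("2012-06-19 09:30:00"), ts("2012-06-19 11:00:00"), "10.9.0.7", "jdoe"),
]

def in_window(rec, when):
    return rec[0] <= when <= rec[1]

def lookup(log, addr, when):
    """Return the record whose address (index 2) matches and whose window covers `when`."""
    return next((r for r in log if r[2] == addr and in_window(r, when)), None)

def attribute(addr, port, when):
    """Walk NAT -> VPN/DHCP to turn an observed address into host and user context.
    `port` is the observed source port, needed to pick the right NAT translation
    when many inside hosts share one outside address."""
    ctx = {"observed": addr, "inside_ip": addr}
    nat = next((r for r in NAT_LOG
                if r[2] == addr and r[3] == port and in_window(r, when)), None)
    if nat:
        ctx["inside_ip"] = nat[4]
    vpn = lookup(VPN_SESSIONS, ctx["inside_ip"], when)
    if vpn:
        ctx["user"] = vpn[3]
    lease = lookup(DHCP_LEASES, ctx["inside_ip"], when)
    if lease:
        ctx["mac"], ctx["hostname"] = lease[3], lease[4]
    return ctx
```

Without the NAT port and the timestamp the same outside address would attribute to the wrong inside host, which is why the session stresses keeping these sources online and time-synchronised.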
Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4607