Security Administration Tools and Practices
Security Administration Tools and Practices Presentation Transcript

  • 1. Security Administration Tools and Practices. Amit Bhan, Usable Privacy and Security
  • 2. Agenda
    • Security Administration
    • Purpose of Security Tools
    • Examples of Security Tools
    • Security Incident Manager (SIM)
      • Security Monitoring
    • Cases from the Field
    • Problems with Security Administration
    • Improvements
  • 3. Security Administration?
    • Security administration is the process of maintaining a safe computing environment.
    • Purpose? Need?
    • Security Administrator
    • Responsibilities?
  • 4. Purpose of Security Tools
    • Combining text and visuals
    • Reporting
    • Monitoring
    • Correlating
    • Simplify the life of a Security Administrator
  • 5. Combining Text and Visuals
    • Size and complexity of networks
    • A System Administrator has a variety of responsibilities: install, configure, monitor, debug and patch
    • Visualization vs. Perl Scripts
    • VisFlowConnect-IP (who is connecting to whom on my network?)
    • Other tools (discuss later)
  • 6. Reporting
    • Many security tools have a built-in reporting capability
    • Why is reporting important?
    • Examples:
      • Nessus (vulnerability information)
      • SIM (security incidents information)
  • 7. Monitoring
    • Some security tools provide a live data feed from the network
    • Different types of monitoring
      • Network monitoring
      • Security event monitoring
      • Network Security Incident monitoring
  • 8. Correlation
    • Correlation integrates the key security factors that are critical in determining the potential for significant damage within an organization. These factors are:
      • Real time events from heterogeneous devices
      • Results of vulnerability scans and other sources of threat data
      • The value of the host, database or application to the organization.
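The three factors on this slide only become useful when something actually combines them per event. The following is an added example written for this page, not ArcSight or Sentinel code: it weighs each real-time IDS or firewall event by whether a vulnerability scan confirms the target is exposed to what was attempted, and by the asset's value. The event fields, CVE identifiers, scan results, asset values and the scoring formula are all assumptions constructed for illustration.

```python
"""Correlation as the slide defines it: weigh each real-time event by the
target's scan-confirmed exposure and by the asset's value to the business.

Added example for slide 8; it is not ArcSight or Sentinel code. The event
fields, the scan results, the asset values and the scoring formula are
assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    source: str          # reporting device: IDS, firewall, anti-virus, ...
    host: str            # asset the event targets
    signature: str       # what the device saw
    cve: Optional[str]   # vulnerability the signature exploits, if known
    severity: int        # the device's own severity, 1 (low) .. 5 (high)


# Constructed vulnerability-scan results: host -> unpatched CVEs the scanner found.
SCAN_RESULTS = {
    "10.0.0.5": {"CVE-2004-0001", "CVE-2004-0002"},
    "10.0.0.9": set(),                 # scanned, nothing open
    "10.0.0.12": {"CVE-2004-0002"},
}

# Constructed asset inventory: host -> value to the organization, 1 .. 10.
ASSET_VALUE = {"10.0.0.5": 9, "10.0.0.9": 9, "10.0.0.12": 2}


def exposure(event, scan_results):
    """1.0 if the scanner confirms the host is vulnerable to what was attempted,
    0.1 if it confirms it is not, 0.5 when there is no evidence either way."""
    if event.cve is None or event.host not in scan_results:
        return 0.5
    return 1.0 if event.cve in scan_results[event.host] else 0.1


def score(event, scan_results=SCAN_RESULTS, asset_value=ASSET_VALUE):
    """Priority = device severity x asset value x exposure (unknown asset -> value 5)."""
    return round(event.severity * asset_value.get(event.host, 5)
                 * exposure(event, scan_results), 2)


def prioritize(events, scan_results=SCAN_RESULTS, asset_value=ASSET_VALUE):
    """Return (score, event) pairs, most urgent first."""
    scored = [(score(e, scan_results, asset_value), e) for e in events]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


SAMPLE_EVENTS = [  # constructed: the same exploit signature against different hosts
    Event("snort", "10.0.0.5", "EXPLOIT foo overflow", "CVE-2004-0001", 4),
    Event("snort", "10.0.0.9", "EXPLOIT foo overflow", "CVE-2004-0001", 4),
    Event("snort", "10.0.0.12", "EXPLOIT bar traversal", "CVE-2004-0002", 5),
    Event("firewall", "10.0.0.9", "DENY inbound tcp/445", None, 2),
]

if __name__ == "__main__":
    for s, e in prioritize(SAMPLE_EVENTS):
        print(f"{s:6.1f}  {e.host:10}  {e.source:9}  {e.signature}")
```

The point to notice is the first two events: identical signature and severity from the same sensor, yet one lands at the top of the queue and the other at the bottom, because the scan says only one target is actually vulnerable. Without the scan data and the asset inventory both would look the same to the administrator.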
  • 9. Life of a Security Administrator
    • According to the paper “Combining Text and Visual Interfaces for Security-System Administration”, security administrators are very conservative when it comes to technology adoption.
    • Why?
  • 10. Security Admin Tools
    • Mentioned in the text:
      • Bro
      • Nessus
      • Symantec Anti-virus
      • Tripwire
      • Rootkit
      • Sebek
  • 11. Bro
    • Bro (http://www.bro-ids.org/, since renamed Zeek) is a network intrusion detection system (NIDS).
    • Bro supports signature analysis and can read Snort signatures (Snort is one of the most popular NIDS available).
    • Bro also performs a limited form of anomaly detection, looking for activity that resembles an intrusion even when no signature exists for it.
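To make the two detection styles on this slide concrete, here is an added toy written for this page, not Bro or Snort code. It parses a tiny subset of Snort rule syntax and matches packets against it (signature analysis), and separately flags a source that touches many distinct ports in a short window (a simple anomaly heuristic that needs no signature). The rule subset, the packet representation and all sample packets are constructed for illustration.

```python
"""Signature matching versus anomaly detection over the same packet stream.

Added example for slide 11. It is a toy written for this page, not Bro or
Snort code; the rule grammar is a tiny subset of Snort syntax and the
packets are constructed.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r'^alert (?P<proto>\w+) (?P<src>\S+) (?P<sport>\S+) -> '
                     r'(?P<dst>\S+) (?P<dport>\S+) \((?P<opts>.*)\)$')
OPT_RE = re.compile(r'(\w+):"([^"]*)";')


def parse_rule(line):
    """Parse 'alert proto src sport -> dst dport (msg:"..."; content:"...";)'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    opts = dict(OPT_RE.findall(m.group("opts")))
    return {"proto": m.group("proto"), "dport": m.group("dport"),
            "msg": opts.get("msg", ""), "content": opts.get("content", "")}


def signature_alerts(rules, packets):
    """Signature analysis: (msg, src) for every packet matching a rule."""
    hits = []
    for p in packets:
        for r in rules:
            if r["proto"] != p["proto"]:
                continue
            if r["dport"] != "any" and int(r["dport"]) != p["dport"]:
                continue
            if r["content"] and r["content"].encode() not in p["payload"]:
                continue
            hits.append((r["msg"], p["src"]))
    return hits


def scan_alerts(packets, window=10.0, threshold=5):
    """Anomaly detection: sources touching >= threshold distinct destination
    ports within `window` seconds. Catches tools no signature describes."""
    seen = defaultdict(list)  # src -> [(ts, dport)] inside the window
    flagged = set()
    for p in sorted(packets, key=lambda q: q["ts"]):
        hist = seen[p["src"]]
        hist.append((p["ts"], p["dport"]))
        hist[:] = [(t, d) for t, d in hist if p["ts"] - t <= window]
        if len({d for _, d in hist}) >= threshold:
            flagged.add(p["src"])
    return flagged


RULES = [parse_rule(r) for r in [  # constructed rules in the toy subset
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe";)',
    'alert tcp any any -> any 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC";)',
]]


def pkt(ts, src, dport, payload=b"", proto="tcp"):
    return {"ts": ts, "src": src, "proto": proto, "dport": dport, "payload": payload}


PACKETS = [  # constructed: two exploit attempts, one benign request, one port sweep
    pkt(0.0, "192.0.2.7", 80, b"GET /scripts/cmd.exe?/c+dir HTTP/1.0"),
    pkt(1.0, "192.0.2.8", 80, b"GET /index.html HTTP/1.0"),
    pkt(2.0, "198.51.100.3", 21, b"SITE EXEC %p%p%p"),
] + [pkt(3.0 + i * 0.5, "203.0.113.9", 1000 + i) for i in range(8)]

if __name__ == "__main__":
    print("signature hits:", signature_alerts(RULES, PACKETS))
    print("scan sources:  ", scan_alerts(PACKETS))
```

The sweeping host never matches a rule, and the exploit payloads never trip the port-count heuristic; each mechanism sees what the other is blind to, which is why an NIDS like Bro carries both.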
  • 12. Structure of Bro
  • 13. Nessus
    • Nessus is a free, comprehensive vulnerability scanner (later releases are sold commercially by Tenable, with a restricted free edition).
    • Its goal is to detect potential vulnerabilities on the tested systems.
  • 14. Nessus Screenshot 1
  • 15. Nessus Screenshot 2
  • 16. Nessus Screenshot 3
  • 17. Other tools
    • Security Incident Management System
      • ArcSight
      • Novell e-Security Sentinel
    • Network Incident Management System
      • Whatsup Gold
      • IBM Tivoli
  • 18. ArcSight
    • Large enterprise and government infrastructures are growing increasingly dynamic and complex
    • ArcSight ESM is an event management tool
    • Capabilities: filters, correlation, reporting, threat monitor, vulnerability knowledge base, asset information, risk management, zones, etc.
  • 19. Architecture - ArcSight ESM
    • SmartAgents (residing on remote systems or on a separate layer)
    • Devices or Remote Systems (Firewalls, IDSs etc.)
    • Correlation engine
    • Central database
    • ArcSight Manager (console/browser)
  • 20. Testing ArcSight
    • Real strength: analyzing huge volumes of data
    • When tested at an ISP that provided managed services to many corporate clients, generating millions of events a day (stress test), ArcSight had no hiccups.
    • Biggest advantage: Scaling
  • 21. ArcSight screenshot 1
  • 22. ArcSight screenshot 2
  • 23. ArcSight screenshot 3
  • 24. e-Security Sentinel
    • Competes with ArcSight, Network Intelligence and Symantec Security Information Manager
    • Event collector
    • Analyzes and correlates events to determine whether an event violates a predetermined condition or acceptable threshold.
    • Control Center & Correlation Engine
    • Unlike ArcSight, e-Security Sentinel has an iScale Message Bus based on the Sonic JMS bus architecture.
      • Highly scalable
      • Doesn’t rely on a relational database
  • 25. e-Security Sentinel Screenshot 1
  • 26. e-Security Sentinel Screenshot 2
  • 27. Cases from the Field
    • Security Checkup
      • Latest fixes/patches
      • Use of IDS + regular scanning of the network
      • Security engineers need to be well informed (discussions on forums)
  • 28. Case 1 - virus/worm/spyware on the network
  • 29. Case 2 - false alarms
  • 30. Case 3 - Real time network security monitoring
  • 31. Case 4 - Security Scans
  • 32. Problems with Security Administration
    • Integration is required
      • From firewalls to IDSs to Websense to vulnerability information to the knowledge base (KB)
    • Challenges
      • Too much to look at
      • No single standard data format
      • Out-of-sync system clocks
        • Correlation becomes difficult
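The two challenges above, no common data format and unsynchronized clocks, are what a collector has to solve before any correlation runs. The following is an added example written for this page (it is not code from any SIM product) showing both steps: two constructed log formats are normalized into one event schema, each device's measured clock offset is subtracted, and only then are an IDS alert and a firewall drop for the same flow paired by time. The line formats, device names, skew values, the assumed year and the sample lines are all constructed.

```python
"""Normalize two unrelated log formats into one event schema, correct each
source's clock skew, then correlate on the common timeline.

Added example for slides 32 and 34 (no single data format, out-of-sync
clocks). It is not code from any SIM product: the firewall and IDS line
formats, the skew table, the year and the sample lines are all constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed formats: an iptables-style syslog drop and a pipe-delimited IDS alert.
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) fw1 kernel: DROP "
                   r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\|(?P<sig>[^|]+)\|"
                    r"(?P<src>[^|]+)\|(?P<dst>[^|]+)\|(?P<dport>\d+)$")

YEAR = 2006  # neither format carries a year; assumed for the example

# Offset of each device clock from the collector's reference clock (positive =
# device runs ahead), as measured by e.g. an NTP query. Constructed values.
CLOCK_SKEW = {"fw1": timedelta(seconds=95), "ids1": timedelta(seconds=-3)}
NO_SKEW = {"fw1": timedelta(0), "ids1": timedelta(0)}  # what an uncorrected SIM assumes


def normalize(line, skew=CLOCK_SKEW):
    """Map one raw line to the common schema on the reference clock, or None."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        device, kind = "fw1", "firewall.drop"
    else:
        m = IDS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{YEAR}/{m.group('ts')}", "%Y/%m/%d-%H:%M:%S")
        device, kind = "ids1", "ids.alert:" + m.group("sig")
    ts = ts.replace(tzinfo=timezone.utc) - skew[device]   # undo the device's offset
    return {"ts": ts, "device": device, "kind": kind, "src": m.group("src"),
            "dst": m.group("dst"), "dport": int(m.group("dport"))}


def correlate(events, window=timedelta(seconds=30)):
    """Pair each IDS alert with a firewall drop of the same flow within `window`."""
    drops = [e for e in events if e["kind"] == "firewall.drop"]
    pairs = []
    for a in (e for e in events if e["kind"].startswith("ids.alert")):
        for d in drops:
            same_flow = (a["src"], a["dst"], a["dport"]) == (d["src"], d["dst"], d["dport"])
            if same_flow and abs(a["ts"] - d["ts"]) <= window:
                pairs.append((a["kind"], a["src"], d["device"]))
    return pairs


LOG_LINES = [  # constructed; fw1's clock is 95 s fast, ids1's is 3 s slow
    "Mar 14 10:02:41 fw1 kernel: DROP SRC=198.51.100.3 DST=10.0.0.5 PROTO=TCP DPT=445",
    "03/14-10:01:03|NETBIOS SMB probe|198.51.100.3|10.0.0.5|445",
    "03/14-10:05:30|WEB-IIS cmd.exe access|203.0.113.9|10.0.0.7|80",
]


def run(lines=LOG_LINES, skew=CLOCK_SKEW):
    events = [e for e in (normalize(l, skew) for l in lines) if e]
    return correlate(events)


if __name__ == "__main__":
    print("corrected clocks:  ", run())
    print("uncorrected clocks:", run(skew=NO_SKEW))
```

With the offsets applied both records land at 10:01:06 and pair up; with raw timestamps they sit 98 seconds apart and the 30-second window never matches them, which is exactly how a skewed firewall clock hides the fact that the IDS alert was already blocked.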
  • 33. Problems cont.
    • Information asymmetry
      • Use of manual tools (location, address books, information directories)
    • Process is slow because of very little integration
      • A problem in times of actual attacks
    • Critical factor - “Time”
    • New vulnerabilities - proactive work pays
    • Administrator motto - “Know Thy Network”
  • 34. Improvements
    • New tools to help security administrators need to be developed
      • Standardization of event formats for easier integration
      • Application of data mining in event classification, analysis and noise reduction
      • Automated event stream processing
      • Improved information management tools
  • 35. Questions