Security Administration Tools and Practices

  1. Security Administration Tools and Practices
     Amit Bhan, Usable Privacy and Security
  2. Agenda
     - Security Administration
     - Purpose of Security Tools
     - Examples of Security Tools
     - Security Incident Manager (SIM)
       - Security Monitoring
     - Cases from the Field
     - Problems with Security Administration
     - Improvements
  3. Security Administration?
     - ... is the process of maintaining a safe computing environment.
     - Purpose? Need?
     - Security Administrator
     - Responsibilities?
  4. Purpose of Security Tools
     - Combining text and visuals
     - Reporting
     - Monitoring
     - Correlating
     - Simplify the life of a Security Administrator
  5. Combining Text and Visuals
     - Size and complexity of networks
     - A System Administrator has a variety of responsibilities: install, configure, monitor, debug and patch
     - Visualization vs. Perl scripts
     - VisFlowConnect-IP (who is connecting to whom on my network?)
     - Other tools (discussed later)
  6. Reporting
     - Many security tools have a built-in capability for reporting
     - Why is reporting important?
     - Examples:
       - Nessus (vulnerability information)
       - SIM (security incident information)
  7. Monitoring
     - Some security tools have a live data feed for the network
     - Different types of monitoring
       - Network monitoring
       - Security event monitoring
       - Network security incident monitoring
  8. Correlation
     - Correlation integrates the key security factors that are critical in determining the potential for significant damage within an organization. These factors are:
       - Real-time events from heterogeneous devices
       - Results of vulnerability scans and other sources of threat data
       - The value of the host, database or application to the organization
  9. Life of a Security Administrator
     - According to the paper "Combining Text and Visual Interfaces for Security-System Administration", security administrators are very conservative when it comes to technology adoption.
     - Why?
  10. Security Admin Tools
     - Mentioned in text:
       - Bro
       - Nessus
       - Symantec Anti-virus
       - Tripwire
       - Rootkit
       - Sebek
  11. Bro
     - Bro is a NIDS.
     - Bro supports signature analysis, and in fact can read Snort signatures. (Snort is one of the most popular NIDS available.)
     - Bro also performs (a limited form of) anomaly detection, looking for activity that resembles an intrusion.
  12. Structure of Bro
  13. Nessus
     - Nessus is a free, comprehensive vulnerability scanning software.
     - Its goal is to detect potential vulnerabilities on the tested systems.
  14. Nessus Screenshot - 1
  15. Nessus Screenshot - 2
  16. Nessus Screenshot - 3
  17. Other tools
     - Security Incident Management Systems
       - ArcSight
       - Novell e-Security Sentinel
     - Network Incident Management Systems
       - WhatsUp Gold
       - IBM Tivoli
  18. ArcSight
     - Large enterprise and government infrastructures are growing increasingly dynamic and complex
     - ArcSight ESM is an event management tool
     - Different capabilities: filters, correlation, reporting, threat monitor, vulnerability knowledge base, asset information, risk management, zones, etc.
  19. Architecture - ArcSight ESM
     - SmartAgents (residing on remote systems or on a separate layer)
     - Devices or remote systems (firewalls, IDSs etc.)
     - Correlation engine
     - Central database
     - ArcSight Manager (console/browser)
  20. Testing ArcSight
     - Real strength: analyzing huge volumes of data
     - When tested at an ISP that provided managed services to many corporate clients, generating millions of events a day (stress test), ArcSight had no hiccups.
     - Biggest advantage: scaling
  21. ArcSight screenshot 1
  22. ArcSight screenshot 2
  23. ArcSight screenshot 3
  24. e-Security Sentinel
     - Competitor of ArcSight, Network Intelligence, Symantec Security Information Manager
     - Event collector
     - Analyses and correlates events to determine if an event violates a predetermined condition or acceptable threshold.
     - Control Center & Correlation Engine
     - Unlike ArcSight, e-Security Sentinel has an iScale Message Bus that is based on the Sonic JMS* bus architecture.
       - Highly scalable
       - Doesn't rely on a relational database
  25. e-Security Sentinel screenshot 1
  26. e-Security Sentinel screenshot 2
  27. Cases from the Field
     - Security checkup
       - Latest fixes/patches
       - Use of IDS + regular scanning of the network
       - Security engineers need to be well informed (discussions on forums)
  28. Case 1 - virus/worm/spyware on the network
  29. Case 2 - false alarms
  30. Case 3 - real-time network security monitoring
  31. Case 4 - security scans
  32. Problems with Security Administration
     - Integration is required
       - From firewalls to IDSs to Websense to vulnerability information to KB
     - Challenges
       - Too much to look at
       - No single standard data format
       - Out-of-sync system clocks
         - Correlation becomes difficult
  33. Problems cont.
     - Information asymmetry
       - Use of manual tools (location, address books, information directories)
     - Process is slow because of very little integration
       - A problem in times of actual attacks
     - Critical factor - "Time"
     - New vulnerabilities - proactive work pays
     - Administrator motto - "Know Thy Network"
  34. Improvements
     - New tools to help security administrators need to be developed
       - Standardization of event formats for easier integration
       - Application of data mining in event classification, analysis and noise reduction
       - Automated event stream processing
       - Improved information management tools
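The following is an added example, not part of the original slides and not code from any of the products named in them. It ties together slide 8 (correlation of real-time events, vulnerability scan results and asset value), slide 32 (no single standard data format, out-of-sync clocks making correlation difficult) and slide 34 (standardizing event formats). Two constructed log formats (a firewall line and a Snort-style IDS alert), a constructed scanner export, constructed asset values and constructed per-source clock offsets are normalized into one schema and then correlated; the IDS clock in the sample runs 90 seconds slow, so the same alert correlates only once the offset is applied.

```python
"""Normalize heterogeneous security events and correlate them (added example).

Everything below is constructed for illustration: the log formats, the
clock offsets, the scanner export and the asset values are not from any
real device or product.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- constructed sample input --------------------------------------------
FIREWALL_LOG = [
    # constructed format: <ISO time> fw <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport>
    "2024-03-01T10:00:05Z fw ACCEPT 203.0.113.9:51234 -> 10.0.0.5:445",
    "2024-03-01T10:00:07Z fw DROP 203.0.113.9:51235 -> 10.0.0.6:22",
]
IDS_LOG = [
    # Snort "fast"-style alert (no year in the timestamp); this sensor's clock
    # is 90 s slow, so the alert appears to predate the firewall entry
    "03/01-09:58:36.120000 [**] [1:2008:3] SMB exploit attempt [**] "
    "[Priority: 1] {TCP} 203.0.113.9:51234 -> 10.0.0.5:445",
]
VULN_SCAN = [  # constructed scanner export
    {"host": "10.0.0.5", "port": 445, "plugin": "SMB signing disabled", "severity": 3},
]
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.6": 1}   # 1 (low) .. 5 (critical), constructed
CLOCK_OFFSET_S = {"fw": 0, "ids": 90}           # seconds to add per source (constructed)


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    ts: float          # UTC epoch seconds after clock correction
    source: str
    src: str
    dst: str
    dport: int
    summary: str
    severity: int = 0  # 0 = informational .. 3 = high


FW_RE = re.compile(r"^(\S+) fw (ACCEPT|DROP) (\S+):(\d+) -> (\S+):(\d+)$")
IDS_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[\d:]+\] (.+?) \[\*\*\] "
    r"\[Priority: (\d)\] \{\w+\} (\S+):\d+ -> (\S+):(\d+)$"
)


def parse_firewall(line, offsets=CLOCK_OFFSET_S):
    """Firewall line -> Event, or None if the line does not match."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc).timestamp()
    return Event(ts + offsets["fw"], "fw", m.group(3), m.group(5),
                 int(m.group(6)), f"firewall {m.group(2)}")


def parse_ids(line, year=2024, offsets=CLOCK_OFFSET_S):
    """Snort-style fast alert -> Event; the year must be supplied by the caller."""
    m = IDS_RE.match(line)
    if not m:
        return None
    month, day, clock, msg, prio, src, dst, dport = m.groups()
    ts = datetime.strptime(f"{year}-{month}-{day} {clock}",
                           "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc).timestamp()
    severity = 4 - int(prio)  # Snort priority 1 is most severe -> 3
    return Event(ts + offsets["ids"], "ids", src, dst, int(dport), msg, severity)


def correlate(events, vulns, asset_value, window_s=60):
    """Join IDS alerts with accepted firewall flows to the same dst:port inside
    the window, then weight by scanner findings and asset value."""
    vuln_index = {(v["host"], v["port"]): v for v in vulns}
    accepted = [e for e in events if e.source == "fw" and e.summary == "firewall ACCEPT"]
    incidents = []
    for alert in (e for e in events if e.source == "ids"):
        confirmed = [f for f in accepted
                     if f.dst == alert.dst and f.dport == alert.dport
                     and abs(f.ts - alert.ts) <= window_s]
        if not confirmed:
            continue  # alert without a matching allowed flow: not raised here
        vuln = vuln_index.get((alert.dst, alert.dport))
        vuln_factor = 1 + vuln["severity"] if vuln else 1
        value = asset_value.get(alert.dst, 1)
        incidents.append({"host": alert.dst, "port": alert.dport, "alert": alert.summary,
                          "vulnerable": vuln is not None, "asset_value": value,
                          "score": alert.severity * vuln_factor * value})
    return incidents


def run(offsets=CLOCK_OFFSET_S):
    """Normalize both feeds with the given clock offsets and correlate them."""
    events = [parse_firewall(l, offsets=offsets) for l in FIREWALL_LOG]
    events += [parse_ids(l, offsets=offsets) for l in IDS_LOG]
    return correlate([e for e in events if e is not None], VULN_SCAN, ASSET_VALUE)


if __name__ == "__main__":
    print("with clock correction:   ", run())
    print("without clock correction:", run({"fw": 0, "ids": 0}))
```

With the offsets applied, the alert and the accepted firewall flow land about a second apart and produce one incident on 10.0.0.5 with score 60 (IDS severity 3, scanner severity 3 giving a factor of 4, asset value 5). With the offsets zeroed, the same events sit 89 seconds apart, fall outside the 60-second window and nothing is raised, which is the correlation failure slide 32 attributes to unsynchronized clocks.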
  35. Questions?