SANS and Alienvault Unified Security Monitoring Solution
Transcript

Slide 1: An Incident Response Playbook: From Monitoring to Operations
  Dave Shackleford, Voodoo Security and SANS
  Joe Schreiber, AlienVault
  © 2014 The SANS™ Institute - www.sans.org

Slide 2: Introduction
  • The range and sophistication of today's attacks are growing rapidly
  • More and more organizations are dedicating resources to detection and response tools and processes
    – Less effort and money is spent on purely "preventive" measures
  • We'll explore a number of different types of incidents, as well as indicators and monitoring/response process considerations

Slide 3: Use What for What?
  • Right Tool -> Right Job
  • Right Job -> Right Skills
  • Right Skills -> Right Response
  • Right Response -> [right] Incident

Slide 4: How do I know which response?

Slide 5: Make Plans.
  • Be prepared for an incident
    – Create several plans based on incident type
    – Have a contact methodology
    – Escalation paths
  • So you have a plan?
    – What's your backup?
    – Be flexible
  • Time is against you
  • Outside help
    – Pre-arrange services or consultants

Slide 6: What if I'm missing something?
  • Use the Internet
    – IOCs
    – Threat reputation
    – Malware analyzers
    – Virus scanners
  • Community efforts
    – Open source tools
    – Message boards

Slide 7: Attack Types and Responses
  • Sensitive Data
  • Malware
  • Insider
  • Web Application

Slide 8: Sensitive Data Exposure/Exfiltration
  • Data loss and exposure is one of the top concerns and incident types facing organizations today
  • In the 2014 Verizon DBIR, 1367 data loss incidents were investigated
  • Most security teams have been focused on data loss in some way since 2005-6

Slide 9: Indicators of Sensitive Data Exposure
  • A number of leading indicators can lead to detection of exposure or exfiltration
  • Human-based:
    – Fraud alerts or identity theft
    – Notification from 3rd parties
    – Extortion attempts
  • Data indicators:
    – DLP alerts
    – Proxy logs
    – Firewall/IDS/IPS events

Slide 10: Operations for Data Exposure Incidents
  • Specific operational steps to be considered for IR with data exposure:
    – First, unless directed by law enforcement, stop the leak! (if known how/where)
    – Determine who and what is affected, then coordinate with HR/legal/PR
    – Leverage DLP or other monitoring tools to pattern match data types stored and in transit

Slide 11: Advanced Malware Incidents
  • Not all malware incidents are advanced
    – Standard antivirus and host-based tools still catch many variants
  • Some malware is much more stealthy and sophisticated, however
    – Malware sandboxes, behavioral monitoring, and forensics techniques and tools may be needed

Slide 12: Indicators of Advanced Malware
  • Advanced malware may be detected with a number of indicators:
    – Unusual processes or services on hosts
    – Known malicious registry keys and entries
    – File names or attributes
    – Network traffic signatures and patterns (ports, protocols, etc.)
    – Sandbox detonation events

Slide 13: Operations for Advanced Malware Incidents
  • Response processes for advanced malware incidents should include:
    – Quarantine capabilities (host and network)
    – Volatile forensic data capture
    – Rapid development of IOC "fingerprints" to propagate to additional systems
    – Data leak response steps
    – Reverse engineering

Slide 14: Insider Incidents
  • Insider incidents can be some of the most challenging to detect and respond to
  • Insider threats can lead to other types of incidents (data loss, destruction/availability, etc.)
  • Always coordinate with HR and legal teams for insider threat response
  • Many insider attacks are not that advanced... just hard to detect

Slide 15: Indicators of Insider Incidents
  • Insider indicators may be more challenging to detect:
    – Disgruntled behavior
    – Unusual pattern of file/data access
    – Changes in working hours or behavior
    – Disregard for policies and procedures
    – Account logon failures and unusual patterns
    – Traffic from personal/work systems
    – Unusual system command use or attempts at privilege escalation

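An added example (not from the slides, and not AlienVault USM code) showing how two of the indicators on this slide, changes in working hours and account logon failures, can be turned into concrete checks: it learns each user's normal logon hours from a constructed baseline period, then flags off-hours logons, bursts of failures and accounts with no history in a review period. All users, timestamps and thresholds are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed authentication events (not from any real system): (user, ISO timestamp, result).
# BASELINE establishes each user's normal working hours; REVIEW is the period being checked.
BASELINE = [
    ("alice", "2014-03-03T08:55:00", "ok"), ("alice", "2014-03-03T17:40:00", "ok"),
    ("alice", "2014-03-04T09:05:00", "ok"), ("alice", "2014-03-05T09:10:00", "ok"),
    ("bob", "2014-03-03T13:00:00", "ok"), ("bob", "2014-03-04T22:30:00", "ok"),
    ("bob", "2014-03-05T21:50:00", "ok"),
]
REVIEW = [
    ("alice", "2014-03-10T09:02:00", "ok"),
    ("alice", "2014-03-11T02:14:00", "ok"),      # 02:14 is far outside alice's usual hours
    ("bob", "2014-03-10T22:05:00", "ok"),        # late evening is normal for bob
    ("carol", "2014-03-10T10:00:00", "fail"), ("carol", "2014-03-10T10:00:20", "fail"),
    ("carol", "2014-03-10T10:00:45", "fail"), ("carol", "2014-03-10T10:01:10", "fail"),
    ("carol", "2014-03-10T10:02:00", "ok"),      # success after a burst of failures
]

def hour_of(ts):
    return datetime.fromisoformat(ts).hour

def build_baseline(events, margin=1):
    """Per user: the set of hours seen in successful logons, widened by `margin` hours each side."""
    hours = defaultdict(set)
    for user, ts, result in events:
        if result == "ok":
            h = hour_of(ts)
            hours[user].update((h + d) % 24 for d in range(-margin, margin + 1))
    return hours

def find_indicators(review, baseline, fail_threshold=3):
    """Return (user, indicator) pairs for events that merit analyst review."""
    findings, fails = [], Counter()
    for user, ts, result in review:
        if result == "fail":
            fails[user] += 1
            if fails[user] == fail_threshold:      # report a failure burst once, at the threshold
                findings.append((user, "repeated-logon-failures"))
        elif user not in baseline:                 # no history at all: first-seen account
            findings.append((user, "no-baseline-first-seen"))
        elif hour_of(ts) not in baseline[user]:
            findings.append((user, "off-hours-logon"))
    return findings
```

A real deployment would build the baseline over weeks of events and add the day of week; the point is that "unusual" is defined per user, so bob's 22:05 logon is not an alert while alice's 02:14 logon is.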
Slide 16: Operations for Insider Incidents
  • Response processes for insider incidents should include:
    – Inclusion of law enforcement (maybe) and HR/legal (definitely)
    – Rapid root cause analysis
      • Was it accidental? A system hijack? Or deliberate?
    – Account monitoring
    – Privilege revocation (maybe)
    – Equipment seizure when possible
    – Forensic analysis
    – Risk analysis

Slide 17: Web Application Incidents
  • Web app attacks are more common than ever
  • These attacks can lead to defacement and reputation impact, as well as data exposure
  • Application security often lags network and infrastructure controls
  • Many open source components, or products like CMS platforms, are notoriously vulnerable

Slide 18: Indicators of Web Application Incidents
  • Web application attacks and breaches may exhibit the following indicators:
    – Unusual behavior or crashes in applications
    – Web and app server logs of repeated access attempts
    – Web and app server logs of SQL syntax and/or scripting characters
    – IDS/IPS events for known app attacks
    – High local resource utilization on Web and app servers
    – Web app firewall events for behavioral or signature-based attacks

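An added example (not from the slides, and not AlienVault USM code) showing two of the log-based indicators on this slide run over sample data: it parses combined-format web server access log lines, URL-decodes each request, flags SQL syntax and scripting characters, and counts repeated failed access attempts per client. The log lines, addresses and signature patterns are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample of combined-format access log lines (not real traffic);
# client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Mar/2014:13:55:40 -0700] "GET /products?id=1 HTTP/1.1" 200 512
198.51.100.9 - - [10/Mar/2014:13:56:01 -0700] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 0
198.51.100.9 - - [10/Mar/2014:13:56:02 -0700] "GET /products?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 0
198.51.100.9 - - [10/Mar/2014:13:56:05 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 330
192.0.2.44 - - [10/Mar/2014:13:57:10 -0700] "GET /admin/ HTTP/1.1" 403 199
192.0.2.44 - - [10/Mar/2014:13:57:11 -0700] "GET /admin/login.php HTTP/1.1" 404 199
192.0.2.44 - - [10/Mar/2014:13:57:12 -0700] "GET /phpmyadmin/ HTTP/1.1" 404 199
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Crude signatures for SQL syntax and scripting characters in the *decoded* request.
# A hit is a lead for the analyst, not proof of compromise; tune these to the application.
SQL_RE = re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s+table", re.I)
SCRIPT_RE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote_plus(rec["path"])  # match on the decoded form, not the raw %xx text
    return rec

def analyze(log_text, repeat_threshold=3):
    """Return (signature_hits, repeated): {ip: [indicator tags]} for SQL/scripting signatures,
    and {ip: n} for clients whose 4xx responses (failed access attempts, e.g. probing for
    admin pages that do not exist) reach repeat_threshold."""
    hits, failures = defaultdict(list), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if SQL_RE.search(rec["decoded"]):
            hits[rec["ip"]].append("sql-syntax")
        if SCRIPT_RE.search(rec["decoded"]):
            hits[rec["ip"]].append("script-chars")
        if 400 <= rec["status"] < 500:
            failures[rec["ip"]] += 1
    repeated = {ip: n for ip, n in failures.items() if n >= repeat_threshold}
    return dict(hits), repeated
```

Decoding before matching matters: the raw log line for the first flagged request contains no quote or "OR" at all, only `%27` and `%20`, which is why signature checks that run on the undecoded text miss it.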
Slide 19: Operations for Web Application Incidents
  • Response processes for Web App incidents may include:
    – Coordination with server operations/admin teams and possibly development teams
    – Web app firewall or application filtering commands/rules
    – Load balancer and proxy redirection and traffic control
    – Correlation between presentation and persistent tier traffic and account data

Slide 20: Conclusion
  • There are a lot of ways to detect and respond to incidents today
  • Many types of incidents have common tools and processes
    – Most have their own specific differences, however
  • Security monitoring and response teams can always enhance their capabilities with new events, correlation, and IOCs from inside and outside their networks

Slide 21: AlienVault USM™: A Unified Approach
  Powered by AV Labs Threat Intelligence
  Asset Discovery:
    • Active Network Scanning
    • Passive Network Scanning
    • Asset Inventory
    • Host-based Software Inventory
  Vulnerability Assessment:
    • Continuous Vulnerability Monitoring
    • Authenticated / Unauthenticated Active Scanning
  Behavioral Monitoring:
    • Log Collection
    • Netflow Analysis
    • Service Availability Monitoring
  Threat Detection:
    • Network IDS
    • Host IDS
    • Wireless IDS
    • File Integrity Monitoring
  Security Intelligence:
    • SIEM Event Correlation
    • Incident Response

Slide 22: Coordinated Analysis, Actionable Guidance
  • 200-350,000 IPs validated daily
  • 8,000 collection points
  • 140 countries
  Collaborative Threat Intelligence: AlienVault Open Threat Exchange™ (OTX)
  Join OTX: www.alienvault.com/open-threat-exchange

Slide 23: Questions?
  Q@SANS.ORG
  Thank You!
  Three Ways to Test Drive AlienVault USM
  • Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
  • Try our Interactive Demo: http://www.alienvault.com/live-demo-site
  • Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usm-live-demo
