Business Productivity and Automated Security Controls
Published in: Education

Notes for slides:
  • IPS is short for Intrusion Prevention System. When traffic matches a signature, the device drops the traffic immediately and creates an event with details on the traffic. It is designed to be deployed inline, so the IPS takes a proactive approach to traffic monitoring.
  • Capacity planning: buy the right device. Do your homework: look at the traffic load of the segments you want to monitor. Every model has a throughput threshold. If the VLAN you want to monitor registers bandwidth in excess of 100 Mbps, and you may want to monitor additional VLANs, a device with a 400 Mbps limit will not work for you, because that limit is usually an aggregate across all of its monitored interfaces. Don't expect to buy just one box: if you have remote sites or several internal VLANs, you will need additional units. Buy a unit large enough to be deployed at the perimeter, between the firewall and the DMZ/internal networks, and smaller units for remote sites and smaller segments. There are several on the market today (ISS, TippingPoint, Cisco, Sourcefire); choose the vendor with the best reputation for good, sound security intelligence.
  • You will probably need more than one device: at least one at the perimeter, and possibly a few smaller-throughput devices. IPS devices typically have two modes, blocking ("IPS") mode and non-blocking ("IDS") mode. When you first deploy your device, run it in non-blocking mode and spend a period of time tuning out false positives. The box is already inline during that period, so use it to confirm how the device behaves when it fails (bypass/fail-open versus fail-closed) before it starts dropping traffic. Once the tuning period is complete, put the device into blocking mode. "IPS" mode should always be your primary end goal!
  • Now that my device is in place in non-blocking mode, what do I do? Take a period of at least 30 days and look at the events being generated by the device on a daily basis. This period is known as the "tuning phase"; it is when you make adjustments to the signatures on the device. You are filtering out the false positives so you can focus on the events that show valid attacks.
Slide transcript: Business Productivity and Automated Security Controls

    1. Optimizing Business Productivity Through Automated Security Controls
       Heather Axworthy, Network Security Engineer
       haxworthy@gmail.com
       © 2010 Heather L. Axworthy
    2. Bio
       Ten Years Experience In Networks And Security
       Secured Many Sensitive And Strategic Networks For Fortune 50 Companies
       Sr. Security Engineer
       Worked On Multiple IDS/IPS And Security Platforms
       Really Good Cook, Tried Flying A Helicopter, And Love To Hike
       Blog: http://chickbits.blogspot.com
       LinkedIn: http://www.linkedin.com/in/heatheraxworthy
       Twitter: haxworthy
    3. Agenda
    4. Security Continuum (chart): Prevention, Detection, Response; technologies placed on the continuum: IPS, IDS & Desktop, People
    5. Security Continuum (chart)
    6. Security Assets (chart)
    7. Composition of Threat Response: Internet Traffic (chart)
    8. Composition of Threat Response: Computers, IT, and Users
       Security Involves Variable Human Interaction
       Perimeter Security Blocks Malicious Traffic From Entering The Network.
       IPS Provides Active Blocking & Minimizes User Involvement, Reducing Response Urgency
       I.T. Employees Are Involved With Deployment And Maintenance
       Intrusion Detection (IDS) Alerts I.T. To Malicious Traffic But Does Not Prevent It From Penetrating The Network.
       IDS Requires Higher I.T. Employee Interaction To React To Alerts.
       Desktop Security Controls Involve The Highest Participation From Users.
    9. Single Security-Strategy Risks (chart)
    10. Single Security Strategy
        Organizations Often Decide To Deploy Only One Security Technology
        Different Security Methods Are Not Equal
        Each Provides Different Levels Of Protection
        If You Deploy One Technology, It's Best To Have A Proactive Technology Like IPS At The Perimeter.
        IPS Reduces The Amount Of Malicious Traffic That Gets To The End User
        Employees See Fewer Alerts
        More Time To Focus On The Business
        The Previous Chart Illustrates Risk Levels For Deploying Only One Security Technology.
        For Example, Deploying Only Desktop Security Technologies Results In The Highest Risk Because The Threat Has Already Entered Your Network
        User-centric Measures Are Inconsistent Because Users Do Not Do The Same Thing Every Time.
    11. Protection & Equipment Costs (chart)
    12. Protection & Equipment Costs
        IPS Technologies Are Proactive: Higher Initial Cost, Higher Level Of Protection
        IDS Technologies Are Reactive: Lower Initial Cost; Many Tools Are Open Source; Majority Of The Cost Is Hardware.
        Protection Level Is Lower: IDS Only Alerts I.T. To Malicious Traffic, And I.T. Must Spend Large Amounts Of Time Investigating, Which Can Incur Extra Costs For Additional Response Training.
        Desktop Security Is Reactive: Quantity Of Desktops Drives Costs; Relatively Inexpensive Software; User-training Costs Must Be Considered
    13. Deployment Considerations (chart)
    14. Recommendation To Your Clients
        IPS… IDS… Desktop SW… Security Awareness Training… Log Management & Monitoring?
        Keep The Threats Out!
    15. What is IPS?
        IPS = Intrusion Prevention System/Service.
        Designed To Be Deployed Inline.
        Proactive Approach To Traffic Monitoring.
        Prevents The Attack Packet From Penetrating Your Network.
    16. Architecture
        Capacity Planning – The Biggest Mistake Is Purchasing Hardware That Is Too "Small" For Your Network.
        Look At The Traffic Load Of The Segments You Want To Monitor. If The Segments (VLANs) You Want To Monitor Each Register Bandwidth In Excess Of 100 Mbps, A Small 400 Mbps Device Is Not Large Enough.
        Most Devices Have A Maximum Throughput Which Is Often An Aggregate Of All Interfaces On The Device, So Size For The Sum Of The Segments, Not The Largest One.
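The sizing rule on this slide (and in the capacity-planning speaker note above), as an added example that is not part of the original deck: take a sustained-peak figure per segment, sum the segments that will share one device, add growth headroom, and compare the total against the device's aggregate rating. The device model names and their throughput ratings, the VLAN names and the utilisation samples are all constructed for the example; real ratings come from the vendor datasheet and real samples from switch or flow counters.

```python
"""Inline IPS capacity check (added example; models and samples are hypothetical)."""
import math
from typing import Dict, List, Optional

# Hypothetical catalogue: model -> rated aggregate throughput in Mbps.
# "Aggregate" means one rating shared by every monitored interface, so the
# segments carried by one box are summed rather than sized one at a time.
DEVICE_MODELS: Dict[str, int] = {
    "small-400": 400,
    "mid-1000": 1000,
    "large-2500": 2500,
}

# Constructed 5-minute utilisation samples in Mbps for three VLANs. Each sample
# is inbound + outbound, because an inline device forwards both directions.
SEGMENTS: Dict[str, List[float]] = {
    "vlan10-users":   [80, 95, 110, 120, 130, 125, 118, 90, 85, 140,
                       135, 128, 122, 115, 105, 98, 112, 126, 131, 119],
    "vlan20-servers": [150, 160, 170, 200, 180, 155, 165, 175, 140, 145,
                       158, 162, 168, 172, 148, 152, 166, 174, 178, 161],
    "vlan30-dmz":     [30, 40, 45, 50, 70, 60, 55, 35, 42, 48,
                       52, 58, 38, 44, 46, 54, 56, 33, 41, 47],
}


def percentile(samples: List[float], pct: float) -> float:
    """Nearest-rank percentile. The 95th discards a lone spike but keeps the
    sustained peak the device must forward without dropping packets."""
    if not samples:
        raise ValueError("no samples for segment")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def required_throughput(segments: Dict[str, List[float]],
                        headroom: float = 1.25) -> float:
    """Sum the 95th-percentile load of every segment that will share one
    device, then add growth headroom (25% by default, an assumed figure) so
    the box is not already at its ceiling on day one."""
    return sum(percentile(s, 95) for s in segments.values()) * headroom


def pick_model(required_mbps: float,
               models: Dict[str, int] = DEVICE_MODELS) -> Optional[str]:
    """Smallest model whose aggregate rating covers the requirement, or None
    when nothing fits (split the segments over more devices or move up)."""
    fits = [(rating, name) for name, rating in models.items()
            if rating >= required_mbps]
    return min(fits)[1] if fits else None


if __name__ == "__main__":
    for name, samples in SEGMENTS.items():
        print(f"{name}: p95 = {percentile(samples, 95)} Mbps")
    need = required_throughput(SEGMENTS)
    print(f"all three VLANs on one device: {need:.0f} Mbps -> {pick_model(need)}")
    print(f"same VLANs with no headroom -> "
          f"{pick_model(required_throughput(SEGMENTS, headroom=1.0))}")
```

With these constructed samples the three VLANs sum to 375 Mbps at the 95th percentile, which just squeezes into the 400 Mbps box; with 25% headroom the requirement is about 469 Mbps and the next model up is needed. That is the slide's point: segments that each run above 100 Mbps cannot share a small device once you size for growth.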
    17. Deployment (chart)
    18. Event Monitoring/Tuning
        My Device Is In Place, What Do I Do Next?
        Tuning – The Time Period When You Look At Your Events, Weed Out Any False Positives, And Modify Signatures.
        Best Practice Is At Least 30 Days Of Looking At Traffic On A Daily Basis.
        This Will Enable You To Filter Out Signatures That Are “Noisy” And See Events That Show Valid Attacks.
        Once The Tuning Period Is Over, Put The Device Into Blocking “IPS” Mode.
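The daily review of the tuning phase, as described on this slide and in the speaker notes above, as an added example that is not part of the original deck: it reads alerts in the line format Snort writes with `-A fast`, aggregates them per signature, and proposes what a tuning pass would do with each one. A signature that is noisy because of one host (a vulnerability scanner, a monitoring server) is suppressed for that source only, so it still fires for anyone else; a signature that is noisy across many hosts is rate-limited and flagged for review; everything else is left untouched for an analyst. The alert lines, the rule IDs (1000001 to 1000003, in the local-rule range) and their messages are constructed; the `suppress` and `event_filter` lines use Snort 2.x `threshold.conf` syntax; the noisy/dominance thresholds are assumptions to adjust for your own event volume.

```python
"""Tuning-phase event review (added example; alert lines and SIDs are constructed)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Snort "fast" alert line. Ports are optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class SigStats:
    gid: str
    sid: str
    msg: str
    count: int = 0
    sources: Counter = field(default_factory=Counter)
    dests: Set[str] = field(default_factory=set)
    days: Set[str] = field(default_factory=set)


def parse_alert(line: str) -> Optional[dict]:
    """One fast-alert line -> dict of fields, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines: List[str]) -> Dict[str, SigStats]:
    """Per-signature count, distinct sources/destinations and days seen."""
    stats: Dict[str, SigStats] = {}
    for line in lines:
        ev = parse_alert(line)
        if ev is None:      # skip a malformed line instead of aborting the review
            continue
        key = f"{ev['gid']}:{ev['sid']}"
        s = stats.setdefault(key, SigStats(ev["gid"], ev["sid"], ev["msg"]))
        s.count += 1
        s.sources[ev["src"]] += 1
        s.dests.add(ev["dst"])
        s.days.add(ev["ts"][:5])   # MM/DD
    return stats


def recommend(s: SigStats, noisy: int = 20, dominance: float = 0.8) -> str:
    """Tuning action for one signature (thresholds are assumptions)."""
    top_src, top_n = s.sources.most_common(1)[0]
    if s.count >= noisy and top_n / s.count >= dominance:
        # one chatty host: suppress for that source only, keep the rule live
        return f"suppress gen_id {s.gid}, sig_id {s.sid}, track by_src, ip {top_src}"
    if s.count >= noisy:
        # broad noise: cap it to one event per source per hour and review the rule
        return (f"event_filter gen_id {s.gid}, sig_id {s.sid}, type limit, "
                f"track by_src, count 1, seconds 3600")
    return "review"   # low volume: leave it for the analyst, this may be real


def daily_report(lines: List[str]) -> List[tuple]:
    """(gid:sid, msg, count, distinct sources, days seen, action), noisiest first."""
    stats = aggregate(lines)
    rows = [(k, s.msg, s.count, len(s.sources), len(s.days), recommend(s))
            for k, s in stats.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def constructed_alerts() -> List[str]:
    """Constructed 20-day sample log (not real traffic)."""
    lines = []
    for day in range(1, 21):            # monitoring host pings three servers daily
        for n in range(3):
            lines.append(f"01/{day:02d}-08:{n:02d}:00.000000  [**] [1:1000001:1] "
                         f"LOCAL ICMP echo from monitoring host [**] "
                         f"[Classification: Misc activity] [Priority: 3] "
                         f"{{ICMP}} 10.0.0.9 -> 10.0.1.{20 + n}")
    for i in range(40):                 # 40 different workstations browse shares
        lines.append(f"01/{i % 20 + 1:02d}-10:{i:02d}:00.000000  [**] [1:1000002:2] "
                     f"LOCAL SMB share enumeration [**] "
                     f"[Classification: Attempted Information Leak] [Priority: 2] "
                     f"{{TCP}} 10.0.2.{i + 1}:4915{i % 10} -> 10.0.1.5:445")
    for n in range(3):                  # a few probes from one outside address
        lines.append(f"01/14-02:1{n}:07.000000  [**] [1:1000003:4] "
                     f"LOCAL SQL injection attempt in URI [**] "
                     f"[Classification: Web Application Attack] [Priority: 1] "
                     f"{{TCP}} 203.0.113.7:5{n}000 -> 10.0.1.80:80")
    lines.append("this line is not an alert and must be skipped")
    return lines


if __name__ == "__main__":
    for row in daily_report(constructed_alerts()):
        print(row)
```

Run against the constructed log, the report puts the 60 monitoring-host pings first with a per-source `suppress`, the 40 SMB hits second with an `event_filter`, and leaves the three SQL injection probes from 203.0.113.7 marked `review`. Suppressing by source rather than disabling the rule is the point: the noisy signature keeps its coverage for every other host, which is what you want before the device goes into blocking mode.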
    19. Ensuring Success
        Company Buy-in, From Top Executive Management To End User: IPS Will Make “Us” More Secure.
        Staffing Levels – Proper Staffing Must Be In Place To Support The IPS Device(s) And The Monitoring Of Events On A Daily Basis.
        If The IPS Device Stops One Botnet Outbreak Or A SQL Injection Attack, It Has Paid For Itself!
    20. Q & A
        Heather Axworthy, Network Security Engineer
        haxworthy@gmail.com
