  • 1. Drupal Security Controls and Monitoring Mike Nescot, JBS International
  • 2. Drupal Security Controls and Monitoring Mike Nescot, JBS International http://drupal.jbsinternational.com
  • 3. Information Systems Logging and Monitoring
  • 4. Security Controls • FISMA Standard: SP 800-53 Rev 4
  • 5. SP800-53 Rev 4 Security Controls: 18 Families • Access Control • Awareness & Training • Audit & Accountability • Security Assessment & Authorization • Configuration Management • Contingency Planning • Identification & Authorization • Incident Response • Maintenance
  • 6. SP800-53 Rev 4 Security Controls: 18 Families (cont.) • Media Protection • Physical and Environmental Protection • Planning • Personnel Security • Risk Assessment • System and Services Acquisition • System & Communications Protection • System & Information Integrity • Program Management
  • 7. SP800-53 Rev 4 Privacy Controls: 8 Families (FEA) • Authority & Purpose • Accountability, Audit, & Risk Management • Data Quality & Integrity • Data Minimization & Retention • Individual Participation & Redress • Security • Transparency • Use Limitation
  • 8. Anatomy of a Control • Account Management • Control count: from 198 to 267, or 600 to 850 • More tailoring guidance, overlays, focus on assurance controls, strategic, privacy
  • 9. SANS Top 20 • Inventory of Authorized and Unauthorized Devices • Inventory of Authorized and Unauthorized Software • Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers • Continuous Vulnerability Assessment and Remediation • Malware Defense • Application Software Security • Wireless Device Control • Data Recovery Capability • Security Skills Assessment & Training • Secure Configurations for Firewalls, Routers, & Switches
  • 10. SANS Top 20 (cont) • Limitation & Control of Network Ports, Protocols, & Services • Controlled Use of Administrative Privileges • Boundary Defense • Maintenance, Monitoring, & Analysis of Audit Logs • Controlled Access Based on Need to Know • Account Monitoring & Control • Data Loss Prevention • Incident Response & Management • Secure Network Engineering • Penetration Testing & Team Exercises
  • 11. SANS Top 20 The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are: • Offense informs defense: Use knowledge of actual attacks for defense • Prioritization: Invest first in controls that will provide the greatest risk reduction and protection • Metrics: Establish common metrics to measure effectiveness • Continuous monitoring: Test and validate the effectiveness of current security measures. • Automation: Automate defenses, achieve reliable, scalable, and continuous measurements
  • 12. State of Required Security Controls • Newly updated: NIST SP 800-53 Rev 4 • SANS Top 20 Controls • Build it Right (SDLC), Continuous Monitoring • 2011: NIST SP 800-137
  • 13. Information Systems Continuous Monitoring (ISCM) • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. • From compliance driven to data driven risk management
  • 14. Conventional • Hostile cyber attacks • Natural disaster • Structural failures • Human errors of omission or commission • Strong Foundation
  • 15. Advanced Persistent Threat • Significant expertise • Multiple attack vectors • Establishes footholds
  • 16. Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) • Reference Architecture: Security Automation Standards • Data Sources • Data Collection • Data Storage & Analysis • Consumer Presentation • Decisions
  • 17. CAESARS Subsystems • Sensor (assets, devices, servers, appliances) • Database Sub (repository of configuration and inventory baselines) • Analysis/Scoring • Presentation (variety of views, query capabilities)
  • 18. CAESARS The end goal of CAESARS FE is to enable enterprise CM by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
  • 19. Establish • Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration • Monitoring and assessment frequencies: volatility, impact levels, identified weaknesses, threat info, vulnerability info, assessment results, strategic reviews, reporting requirements
  • 20. Logging vs. Auditing vs. Monitoring • Logging: Collecting event records • Event: single occurrence involving an attempted state change • Message: what a system does or generates in response to a request or stimulus • Timestamp, source, data • Auditing: System is behaving as expected, compliance • Monitoring: Situational awareness • Log all you can, but alert only on what you must respond to (monitor as little as you need)
  • 21. Logging Formats and Standards • Syslog • XML (SCAP) • Relational Database • NoSQL Database (Hadoop, MongoDB) • Binary (Windows Event Log)
  • 22. NIST: Security Automation Domains • Vulnerability Management • Patch Management • Event Management • Incident Management • Malware Detection • Asset Management • Configuration Management • Network Management • License Management • Information Management • Software Assurance
  • 23. Monitoring Targets: Objects within the System Boundary • Web Server Status • Database Server Status • Operating System • File system changes (HIDS) • Network Traffic • Network Devices (Firewalls, routers, switches) • Vulnerabilities • Drupal application(s)
  • 24. Monitoring Targets: Metrics • Adverse Events • Performance & Reliability • Configuration Compliance • Authorized devices and services • Vulnerabilities • Risk
  • 25. Minimize Monitoring • Cloud & virtualization • Integrate development, design, operations, acquisition • Centralized, Application-Centric View
  • 26. Integration: Continuous Continuum • Continuous Quality Improvement • Continuous Integration • Continuous Delivery • Continuous Design • Continuous Monitoring
  • 27. From Standard Monitoring:
  • 28. To Focused, Application-Centric Monitoring:
  • 29. Security Monitoring Capability Levels • Centralized Logging • Infrastructure Monitoring • Security Information and Event Management (SIEM): Risk Assessment • Real-Time Intelligent Query
  • 30. Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module: log collection, centralization, parsing, storage and search
  • 31. Network & Infrastructure Monitoring (Nagios) • Monitoring and alerting • Servers • Switches • Applications • Services • Status: availability, load, physical condition
  • 32. Security Information and Event Management (SIEM) • Intrusion Detection • Anomaly Detection • Vulnerability Detection • Discovery, Learning and Network Profiling systems • Inventory systems • Incident Reporting & Response
  • 33. Open Source Security Information Management (OSSIM) • Asset Discovery • Vulnerability Assessment • Threat Detection • Behavioral Monitoring • Security Intelligence
  • 34. OSSIM Components • Snort (Network Intrusion Detection System) • Ntop (Network and usage monitor) • OpenVAS (Vulnerability scanning) • P0f (Passive operating system detection, OS fingerprinting) • Pads (Passive Asset Detection System; complements Snort with context) • Arpwatch (Ethernet/IP address pairings monitor) • OSSEC (Host Intrusion Detection System) • Osiris (Host integrity monitoring) • Nagios (Availability monitoring) • OCS (Inventory)
  • 35. Drupal Monitoring Assets • Watchdog: logdb/SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module: log collection, centralization, parsing, storage and search
  • 36. Core Nagios Monitoring • Pending Drupal version update • Pending Drupal module updates • Unwritable 'files' directory • Pending updates to the database schema • Status of Cron • Number of published nodes. • Number of active users
  • 37. Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module: log collection, centralization, parsing, storage and search
  • 38. OSSIM
  • 39. OSSIM, Nagios
  • 40. LogStash, Kibana, Elasticsearch
  • 41. Software Defined Infrastructure • SDIM: Machine Configuration (Virtualization, Chef & Puppet), AWS, VMWare & OpenStack • SDN: Software Defined Networking • SDS: Software Defined Storage • Software Defined Drupal Security?
  • 42. Configuration & Patch Management: Security Content Automation Protocol (SCAP) • Specifications for Security Data (baselines, XCCDF, OVAL) • Checklist Repository (USGCB) • NIST Validated Commercial tools • OpenSCAP • RH Satellite, Spacewalk
  • 43. SCAP Workbench
  • 44. Thank You!!! Comments, Questions, Criticism? http://drupal.jbsinternational.com mnescot@jbsinterntional.com
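Slide 20's rule ("log all you can, but alert only on what you must respond to") applied to the Watchdog-to-syslog pipeline of slides 30 and 35, as an added example that is not part of the deck or of any Drupal module. It assumes (constructed sample, not real logs) that rsyslog writes the severity text before "drupal: " and that the body uses Drupal 7's default syslog watchdog field order; every parsable line is retained as an event, but an alert is raised only for high-severity entries or for repeated failed logins from one address.

```python
import re
from collections import Counter

# Constructed sample lines (not from the slides). Assumed layout:
# "<severity> drupal: " followed by Drupal 7's default syslog watchdog format
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
SAMPLE_LOG = """\
notice drupal: https://example.org|1394013600|content|203.0.113.5|/node/add/page||7||page: added Welcome.
warning drupal: https://example.org|1394013601|user|198.51.100.9|/user/login||0||Login attempt failed for admin.
warning drupal: https://example.org|1394013602|user|198.51.100.9|/user/login||0||Login attempt failed for admin.
warning drupal: https://example.org|1394013603|user|198.51.100.9|/user/login||0||Login attempt failed for admin.
notice drupal: https://example.org|1394013604|php|203.0.113.5|/admin/reports||1||Notice: Undefined index in foo().
critical drupal: https://example.org|1394013605|php|203.0.113.5|/node/1||0||PDOException: SQLSTATE[HY000]: General error.
error drupal: https://example.org|1394013606|page not found|203.0.113.8|/old-page||0||
"""

LINE_RE = re.compile(r"^(?P<severity>\w+) drupal: (?P<body>.*)$")
FIELDS = ["base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message"]

# Only these syslog severities require a response; the rest are logged only.
ALERT_SEVERITIES = {"emergency", "alert", "critical", "error"}
FAILED_LOGIN_THRESHOLD = 3  # assumed policy value, not from the slides


def parse_line(line):
    """Return a dict of watchdog fields plus severity, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The message may itself contain '|', so split into at most 9 parts.
    parts = m.group("body").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    event = dict(zip(FIELDS, parts))
    event["severity"] = m.group("severity")
    return event


def triage(log_text):
    """Keep every parsable event; build alerts only for what needs a response."""
    events, alerts = [], []
    failed_logins = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev["severity"] in ALERT_SEVERITIES:
            alerts.append(f"{ev['severity']} {ev['type']} on {ev['request_uri']}: {ev['message']}")
        if ev["type"] == "user" and ev["message"].startswith("Login attempt failed"):
            failed_logins[ev["ip"]] += 1
            if failed_logins[ev["ip"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{FAILED_LOGIN_THRESHOLD} failed logins from {ev['ip']}")
    return events, alerts
```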