    Mnescot controls monitoring: Presentation Transcript

    • Drupal Security Controls and Monitoring Mike Nescot, JBS International http://drupal.jbsinternational.com
    • Information Systems Logging and Monitoring
    • Security Controls • FISMA standard: NIST SP 800-53 Rev 4
    • SP 800-53 Rev 4 Security Controls: 18 Families • Access Control • Awareness & Training • Audit & Accountability • Security Assessment & Authorization • Configuration Management • Contingency Planning • Identification & Authentication • Incident Response • Maintenance
    • SP 800-53 Rev 4 Security Controls: 18 Families (cont.) • Media Protection • Physical and Environmental Protection • Planning • Personnel Security • Risk Assessment • System and Services Acquisition • System & Communications Protection • System & Information Integrity • Program Management
    • SP 800-53 Rev 4 Privacy Controls: 8 Families (Appendix J, derived from the FEA privacy profile) • Authority & Purpose • Accountability, Audit, & Risk Management • Data Quality & Integrity • Data Minimization & Retention • Individual Participation & Redress • Security • Transparency • Use Limitation
    • Anatomy of a Control • Example: Account Management (AC-2) • Control count, Rev 3 to Rev 4: from 198 to 267 base controls, or roughly 600 to 850 counting enhancements • More tailoring guidance, overlays, focus on assurance controls, strategic and privacy controls
    • SANS Top 20 • Inventory of Authorized and Unauthorized Devices • Inventory of Authorized and Unauthorized Software • Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers • Continuous Vulnerability Assessment and Remediation • Malware Defense • Application Software Security • Wireless Device Control • Data Recovery Capability • Security Skills Assessment & Training • Secure Configurations for Firewalls, Routers, & Switches
    • SANS Top 20 (cont.) • Limitation & Control of Network Ports, Protocols, & Services • Controlled Use of Administrative Privileges • Boundary Defense • Maintenance, Monitoring, & Analysis of Audit Logs • Controlled Access Based on Need to Know • Account Monitoring & Control • Data Loss Prevention • Incident Response & Management • Secure Network Engineering • Penetration Testing & Red Team Exercises
    • SANS Top 20 The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are: • Offense informs defense: Use knowledge of actual attacks for defense • Prioritization: Invest first in controls that will provide the greatest risk reduction and protection • Metrics: Establish common metrics to measure effectiveness • Continuous monitoring: Test and validate the effectiveness of current security measures. • Automation: Automate defenses, achieve reliable, scalable, and continuous measurements
    • State of Required Security Controls • Newly updated: NIST SP 800-53 Rev 4 • SANS Top 20 Controls • Build it right (SDLC), continuous monitoring • 2011: NIST SP 800-137 (Information Security Continuous Monitoring)
    • Information Systems Continuous Monitoring (ISCM) • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. • From compliance driven to data driven risk management
    • Conventional threats • Hostile cyber attacks • Natural disasters • Structural failures • Human errors of omission or commission • Addressed by a strong foundation of baseline controls
    • Advanced Persistent Threat • Significant expertise • Multiple attack vectors • Establishes footholds
    • Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) • Reference Architecture: Security Automation Standards • Data Sources • Data Collection • Data Storage & Analysis • Consumer Presentation • Decisions
    • CAESARS Subsystems • Sensor (assets: servers, devices, appliances) • Database (repository of configuration and inventory baselines) • Analysis/Scoring • Presentation (variety of views, query capabilities)
    • CAESARS FE (Framework Extension): The end goal of CAESARS FE is to enable enterprise continuous monitoring by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
    • Establish • Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration • Monitoring and assessment frequencies, driven by: volatility, impact levels, identified weaknesses, threat info, vulnerability info, assessment results, strategic reviews, reporting requirements
    • Logging vs. Auditing vs. Monitoring • Logging: collecting event records • Event: a single occurrence involving an attempted state change • Message: what a system does or generates in response to a request or stimulus (timestamp, source, data) • Auditing: verifying the system is behaving as expected; compliance • Monitoring: situational awareness • Log all you can, but alert only on what you must respond to (monitor as little as you need)
    • Logging Formats and Standards • Syslog • XML (SCAP) • Relational Database • NoSQL Database (Hadoop, MongoDB) • Binary (Windows Event Log)
    • NIST: Security Automation Domains • Vulnerability Management • Patch Management • Event Management • Incident Management • Malware Detection • Asset Management • Configuration Management • Network Management • License Management • Information Management • Software Assurance
    • Monitoring Targets: Objects (within the system boundary) • Web server status • Database server status • Operating system • File system changes (HIDS) • Network traffic • Network devices (firewalls, routers, switches) • Vulnerabilities • Drupal application(s)
    • Monitoring Targets: Metrics • Adverse Events • Performance & Reliability • Configuration Compliance • Authorized devices and services • Vulnerabilities • Risk
    • Minimize Monitoring • Cloud & virtualization • Integrate development, design, operations, acquisition • Centralized, Application-Centric View
    • Integration: Continuous Continuum • Continuous Quality Improvement • Continuous Integration • Continuous Delivery • Continuous Design • Continuous Monitoring
    • From Standard Monitoring :
    • To Focused, Application-Centric Monitoring:
    • Security Monitoring Capability Levels • Centralized Logging • Infrastructure Monitoring • Security Information and Event Management (SIEM): Risk Assessment • Real-Time Intelligent Query
    • Drupal Monitoring Assets • Watchdog: SQL (dblog), MongoDB or Syslog • Infrastructure: Nagios module/plugin for infrastructure monitoring; Production Check / Production Monitor modules • SIEM: OSSIM plugin (consumes Watchdog output) • Search enhancements: Logstash module for log collection, centralization, parsing, storage and search
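    The "log all you can, alert only on what you must respond to" rule and the Watchdog-to-syslog path above are easiest to see over real lines. The following is an added example, not code from the slides or from any Drupal module: it parses lines in the Drupal 7 syslog module's default pipe-delimited format (`!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message`, behind a standard syslog prefix with the default `drupal` tag) and applies two sliding-window rules, a failed-login burst per source IP and repeated "access denied" hits on admin paths. The sample log lines, rule names and thresholds are constructed for the example.

    ```python
    """Detect response-worthy events in Drupal syslog (watchdog) output.

    Added example; assumes Drupal 7's default syslog format and tag. Every line
    is still kept (logged); only the rules below produce an alert.
    """
    import re
    from collections import defaultdict, deque

    # syslog prefix ("Jun  3 14:00:01 web1 drupal: ") followed by the Drupal payload
    LINE_RE = re.compile(r'^\S+ +\d+ \d\d:\d\d:\d\d \S+ drupal: (?P<payload>.+)$')

    # field order of the syslog module's default format string
    FIELDS = ["base_url", "timestamp", "type", "ip", "request_uri",
              "referer", "uid", "link", "message"]

    # (rule name, predicate on a parsed record, hits needed, window in seconds)
    # thresholds are illustrative, not values from the slides
    RULES = [
        ("failed_login_burst",
         lambda r: r["type"] == "user" and r["message"].startswith("Login attempt failed"),
         5, 300),
        ("admin_probe",
         lambda r: r["type"] == "access denied" and r["message"].startswith("admin"),
         3, 60),
    ]


    def parse_line(line):
        """Return a dict of watchdog fields, or None for non-Drupal syslog lines."""
        m = LINE_RE.match(line)
        if not m:
            return None
        # the message is last and may itself contain '|', so split at most 8 times
        parts = m.group("payload").split("|", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            return None
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = int(rec["timestamp"])
        rec["uid"] = int(rec["uid"])
        return rec


    def detect(lines):
        """Return [(rule, ip, timestamp)]; one alert per (rule, ip) burst."""
        windows = defaultdict(deque)
        alerts = []
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue  # not Drupal output: stays in the log, never alerts here
            for name, pred, threshold, window in RULES:
                if not pred(rec):
                    continue
                q = windows[(name, rec["ip"])]
                q.append(rec["timestamp"])
                while q and rec["timestamp"] - q[0] > window:
                    q.popleft()  # drop hits that fell out of the window
                if len(q) >= threshold:
                    alerts.append((name, rec["ip"], rec["timestamp"]))
                    q.clear()  # re-arm: the next alert needs a fresh burst
        return alerts


    # constructed sample: 5 failed logins from one IP in 46 s, one from another,
    # a PHP notice (logged, not alerted), an unrelated sshd line, and 3 admin 403s
    SAMPLE = """\
    Jun  3 14:00:01 web1 drupal: http://example.org|1370268001|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
    Jun  3 14:00:09 web1 drupal: http://example.org|1370268009|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
    Jun  3 14:00:15 web1 drupal: http://example.org|1370268015|user|198.51.100.7|/user/login||0||Login attempt failed for bob.
    Jun  3 14:00:22 web1 drupal: http://example.org|1370268022|user|203.0.113.5|/user/login||0||Login attempt failed for root.
    Jun  3 14:00:30 web1 drupal: http://example.org|1370268030|php|203.0.113.5|/node/1||0||Notice: Undefined index: foo in include() (line 12 of /var/www/sites/all/modules/x/x.module).
    Jun  3 14:00:41 web1 drupal: http://example.org|1370268041|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
    Jun  3 14:00:47 web1 drupal: http://example.org|1370268047|user|203.0.113.5|/user/login||0||Login attempt failed for admin.
    Jun  3 14:01:02 web1 drupal: http://example.org|1370268062|access denied|203.0.113.9|/admin/config||0||admin/config
    Jun  3 14:01:05 web1 drupal: http://example.org|1370268065|access denied|203.0.113.9|/admin/modules||0||admin/modules
    Jun  3 14:01:09 web1 sshd[2211]: Accepted publickey for deploy from 10.0.0.4 port 51234 ssh2
    Jun  3 14:01:12 web1 drupal: http://example.org|1370268072|access denied|203.0.113.9|/admin/people||0||admin/people
    """

    if __name__ == "__main__":
        for rule, ip, ts in detect(SAMPLE.splitlines()):
            print("ALERT %-20s ip=%-14s at=%d" % (rule, ip, ts))
    ```

    The same split-and-count logic is what a Logstash grok filter plus a threshold rule in a SIEM would do; keeping the rule table separate from the parser is the point, since the parser stays constant while the "what must we respond to" set changes with threat information.
    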
    • Network & Infrastructure Monitoring (Nagios) • monitoring and alerting • servers • switches • applications • Services • Status: availability, load, physical condition
    • Security Information and Event Management (SIEM) • Intrusion Detection • Anomaly Detection • Vulnerability Detection • Discovery, Learning and Network Profiling systems • Inventory systems • Incident Reporting & Response
    • Open Source Security Information Management (OSSIM) • Asset Discovery • Vulnerability Assessment • Threat Detection • Behavioral Monitoring • Security Intelligence
    • OSSIM Components • Snort (network intrusion detection system) • Ntop (network and usage monitor) • OpenVAS (vulnerability scanning) • P0f (passive operating system fingerprinting) • Pads (passive asset detection system; complements Snort with context) • Arpwatch (Ethernet/IP address pairing monitor) • OSSEC (host intrusion detection system) • Osiris (host integrity monitoring) • Nagios (availability monitoring) • OCS (inventory)
    • Core Nagios Monitoring (Drupal Nagios module checks) • Pending Drupal version update • Pending Drupal module updates • Unwritable 'files' directory • Pending updates to the database schema • Status of cron • Number of published nodes • Number of active users
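    The checks on this slide map onto the standard Nagios plugin contract: exit 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, one status line, optional performance data after a `|`. The following is an added example written for this page, not the Drupal Nagios module's own code: it evaluates the security-relevant subset of those checks (pending core security update, pending module and schema updates, writable files directory, cron freshness) and folds them into a single worst-case status. The site facts are assumed to be gathered out of band (for instance from `drush` output) and are passed in as a dict; the key names and thresholds are assumptions of the example.

    ```python
    """Nagios-style Drupal site check (added example, not the Nagios module).

    Exit codes follow the Nagios plugin API: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
    """
    import os
    import sys
    import tempfile
    import time

    OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
    LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


    def check_site(status, files_dir, now=None, cron_max_age=3 * 3600):
        """Return (exit_code, status_line) for one Drupal site.

        status keys (assumed, filled from drush / update-status data in practice):
          core_security_update: bool  pending core update flagged as a security release
          module_updates:       int   contrib modules with a pending update
          schema_updates:       int   pending hook_update_N runs (update.php)
          cron_last:            int   unix time of the last successful cron run
        """
        now = time.time() if now is None else now
        worst = OK
        problems = []

        def flag(level, text):
            nonlocal worst
            worst = max(worst, level)  # the worst individual check wins
            problems.append(text)

        if status.get("core_security_update"):
            flag(CRITICAL, "core security update pending")
        if status.get("module_updates", 0) > 0:
            flag(WARNING, "%d module update(s) pending" % status["module_updates"])
        if status.get("schema_updates", 0) > 0:
            flag(WARNING, "%d database schema update(s) pending" % status["schema_updates"])
        if not os.path.isdir(files_dir) or not os.access(files_dir, os.W_OK):
            flag(CRITICAL, "files directory %s not writable" % files_dir)
        cron_age = int(now - status.get("cron_last", 0))
        if cron_age > cron_max_age:
            flag(CRITICAL, "cron last ran %d min ago" % (cron_age // 60))

        # perfdata: label=value[unit];warn;crit  (crit only for cron age)
        perf = "cron_age=%ds;;%d module_updates=%d" % (
            cron_age, cron_max_age, status.get("module_updates", 0))
        line = "DRUPAL %s - %s|%s" % (
            LABEL[worst], "; ".join(problems) or "all checks passed", perf)
        return worst, line


    def writable_scratch_dir():
        """Create a throwaway directory standing in for sites/default/files."""
        return tempfile.mkdtemp(prefix="drupal-files-")


    if __name__ == "__main__":
        # constructed input: a site with two pending module updates and fresh cron
        sample = {"core_security_update": False, "module_updates": 2,
                  "schema_updates": 0, "cron_last": int(time.time()) - 600}
        code, line = check_site(sample, writable_scratch_dir())
        print(line)
        sys.exit(code)
    ```

    Under Nagios the exit code, not the text, drives notification, so the order of severity assignments is the policy: a pending core security release is treated as CRITICAL because it is the one condition here that an attacker can act on directly.
    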
    • OSSIM
    • OSSIM, Nagios
    • LogStash, Kibana, Elasticsearch
    • Software Defined Infrastructure • SDI management: machine configuration (virtualization, Chef & Puppet), AWS, VMware & OpenStack • SDN: Software Defined Networking • SDS: Software Defined Storage • Software Defined Drupal Security?
    • Configuration & Patch Management: Security Content Automation Protocol (SCAP) • Specifications for security data (baselines, XCCDF, OVAL) • Checklist repository (USGCB) • NIST-validated commercial tools • OpenSCAP • RH Satellite, Spacewalk
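    What a continuous-monitoring pipeline actually ingests from the SCAP side is the XCCDF result document that `oscap xccdf eval --results` writes. The following is an added example, not OpenSCAP or page code: it reads an XCCDF 1.2 `TestResult` (either bare or embedded in a Benchmark), counts outcomes, lists failed rules by severity and applies a gate ("no open failures at or above this severity") of the kind a CAESARS-style scoring subsystem would compute per host. The results XML, host name and rule identifiers are constructed for the example.

    ```python
    """Summarize an XCCDF 1.2 results file for configuration-compliance scoring.

    Added example; assumes the XCCDF 1.2 TestResult layout. Sample data below is
    constructed, with hypothetical rule ids.
    """
    import xml.etree.ElementTree as ET
    from collections import Counter

    SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}


    def summarize_xccdf(xml_text, gate_severity="high"):
        """Return {target, counts, failed, passes_gate} for the first TestResult."""
        root = ET.fromstring(xml_text)
        # derive the namespace from the root so 1.1 and 1.2 documents both work
        ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
        q = lambda tag: "{%s}%s" % (ns, tag) if ns else tag

        if root.tag == q("TestResult"):
            result = root
        else:
            result = root.find(".//" + q("TestResult"))  # embedded in a Benchmark
        if result is None:
            raise ValueError("no TestResult element found")

        target = result.findtext(q("target"), default="")
        counts = Counter()
        failed = []
        for rr in result.findall(q("rule-result")):
            outcome = rr.findtext(q("result"), default="unknown")
            counts[outcome] += 1
            # 'fail' and 'error' are both open findings; everything else is not
            if outcome in ("fail", "error"):
                sev = rr.get("severity", "unknown")
                failed.append((rr.get("idref"), sev, outcome))
        # most severe first so the top of the report is what to fix first
        failed.sort(key=lambda f: SEVERITY_RANK.get(f[1], 0), reverse=True)

        gate_rank = SEVERITY_RANK[gate_severity]
        passes = all(SEVERITY_RANK.get(sev, 0) < gate_rank for _, sev, _ in failed)
        return {"target": target, "counts": dict(counts),
                "failed": failed, "passes_gate": passes}


    # constructed sample in the shape oscap writes (ids are hypothetical)
    SAMPLE_RESULTS = """<?xml version="1.0"?>
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_web">
      <TestResult id="xccdf_org.example_testresult_web1" start-time="2013-06-03T14:00:00" end-time="2013-06-03T14:00:09">
        <profile idref="xccdf_org.example_profile_drupal-web"/>
        <target>web1.example.org</target>
        <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login" severity="high"><result>fail</result></rule-result>
        <rule-result idref="xccdf_org.example_rule_httpd_server_tokens_prod" severity="low"><result>pass</result></rule-result>
        <rule-result idref="xccdf_org.example_rule_php_expose_php_off" severity="medium"><result>fail</result></rule-result>
        <rule-result idref="xccdf_org.example_rule_auditd_enabled" severity="medium"><result>pass</result></rule-result>
        <rule-result idref="xccdf_org.example_rule_selinux_enforcing" severity="high"><result>pass</result></rule-result>
        <rule-result idref="xccdf_org.example_rule_wireless_disabled" severity="low"><result>notapplicable</result></rule-result>
        <score system="urn:xccdf:scoring:default" maximum="100">71.4</score>
      </TestResult>
    </Benchmark>
    """

    if __name__ == "__main__":
        s = summarize_xccdf(SAMPLE_RESULTS)
        print("%s  %s  gate(high)=%s" % (s["target"], s["counts"], s["passes_gate"]))
        for idref, sev, outcome in s["failed"]:
            print("  %-7s %-5s %s" % (sev, outcome, idref))
    ```

    Feeding the per-host `passes_gate` and the failed list into the repository and scoring subsystems is the CAESARS data flow in miniature: the sensor (oscap) produces the same XML every run, so the gate can be re-evaluated on the monitoring frequency chosen for configuration rather than at audit time.
    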
    • SCAP Workbench
    • Thank You!!! Comments, Questions, Criticism? http://drupal.jbsinternational.com mnescot@jbsinternational.com