Drupal Security Controls and Monitoring
Mike Nescot, JBS International
Drupal Security Controls and Monitoring
Mike Nescot, JBS International
http://drupal.jbsinternational.com
Transcript of "Mnescot controls monitoring"

1. Drupal Security Controls and Monitoring
   Mike Nescot, JBS International
2. Drupal Security Controls and Monitoring
   Mike Nescot, JBS International
   http://drupal.jbsinternational.com
3. Information Systems Logging and Monitoring
4. Security Controls
   • FISMA Standard: NIST SP 800-53 Rev 4
5. SP 800-53 Rev 4 Security Controls: 18 Families
   • Access Control
   • Awareness & Training
   • Audit & Accountability
   • Security Assessment & Authorization
   • Configuration Management
   • Contingency Planning
   • Identification & Authorization
   • Incident Response
   • Maintenance
6. SP 800-53 Rev 4 Security Controls: 18 Families (cont.)
   • Media Protection
   • Physical and Environmental Protection
   • Planning
   • Personnel Security
   • Risk Assessment
   • System and Services Acquisition
   • System & Communications Protection
   • System & Information Integrity
   • Program Management
7. SP 800-53 Rev 4 Privacy Controls: 8 Families (FEA)
   • Authority & Purpose
   • Accountability, Audit, & Risk Management
   • Data Quality & Integrity
   • Data Minimization & Retention
   • Individual Participation & Redress
   • Security
   • Transparency
   • Use Limitation
8. Anatomy of a Control
   • Account Management
   • Control count: from 198 to 267, or 600 to 850
   • More tailoring guidance, overlays, focus on assurance controls, strategic, privacy
9. SANS Top 20
   • Inventory of Authorized and Unauthorized Devices
   • Inventory of Authorized and Unauthorized Software
   • Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers
   • Continuous Vulnerability Assessment and Remediation
   • Malware Defense
   • Application Software Security
   • Wireless Device Control
   • Data Recovery Capability
   • Security Skills Assessment & Training
   • Secure Configurations for Firewalls, Routers, & Switches
10. SANS Top 20 (cont.)
   • Limitation & Control of Network Ports, Protocols, & Services
   • Controlled Use of Administrative Privileges
   • Boundary Defense
   • Maintenance, Monitoring, & Analysis of Audit Logs
   • Controlled Access Based on Need to Know
   • Account Monitoring & Control
   • Data Loss Prevention
   • Incident Response & Management
   • Secure Network Engineering
   • Penetration Testing & Team Exercises
11. SANS Top 20
   The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:
   • Offense informs defense: use knowledge of actual attacks to build defenses
   • Prioritization: invest first in the controls that provide the greatest risk reduction and protection
   • Metrics: establish common metrics to measure effectiveness
   • Continuous monitoring: test and validate the effectiveness of current security measures
   • Automation: automate defenses to achieve reliable, scalable, and continuous measurement
12. State of Required Security Controls
   • Newly updated: NIST SP 800-53 Rev 4
   • SANS Top 20 Controls
   • Build it Right (SDLC), Continuous Monitoring
   • 2011: NIST SP 800-137
13. Information Systems Continuous Monitoring (ISCM)
   • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
   • From compliance-driven to data-driven risk management
14. Conventional
   • Hostile cyber attacks
   • Natural disaster
   • Structural failures
   • Human errors of omission or commission
   • Strong Foundation
15. Advanced Persistent Threat
   • Significant expertise
   • Multiple attack vectors
   • Establishes footholds
16. Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS)
   • Reference Architecture: Security Automation Standards
   • Data Sources
   • Data Collection
   • Data Storage & Analysis
   • Consumer Presentation
   • Decisions
17. CAESARS Subsystems
   • Sensor (assets, devices, servers, appliances)
   • Database Subsystem (repository of configuration and inventory baselines)
   • Analysis/Scoring
   • Presentation (variety of views, query capabilities)
18. CAESARS
   The end goal of CAESARS FE is to enable enterprise CM by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
19. Establish
   • Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration
   • Monitoring and assessment frequencies: volatility, impact levels, identified weaknesses, threat information, vulnerability information, assessment results, strategic reviews, reporting requirements
20. Logging vs. Auditing vs. Monitoring
   • Logging: collecting event records
   • Event: a single occurrence involving an attempted state change
   • Message: what a system does or generates in response to a request or stimulus
   • Timestamp, source, data
   • Auditing: confirming that the system is behaving as expected; compliance
   • Monitoring: situational awareness
   • Log all you can, but alert only on what you must respond to (monitor as little as you need)
21. Logging Formats and Standards
   • Syslog
   • XML (SCAP)
   • Relational Database
   • NoSQL Database (Hadoop, MongoDB)
   • Binary (Windows Event Log)
22. NIST: Security Automation Domains
   • Vulnerability Management
   • Patch Management
   • Event Management
   • Incident Management
   • Malware Detection
   • Asset Management
   • Configuration Management
   • Network Management
   • License Management
   • Information Management
   • Software Assurance
23. Monitoring Targets: Objects within the System Boundary
   • Web Server Status
   • Database Server Status
   • Operating System
   • File system changes (HIDS)
   • Network Traffic
   • Network Devices (firewalls, routers, switches)
   • Vulnerabilities
   • Drupal application(s)
24. Monitoring Targets: Metrics
   • Adverse Events
   • Performance & Reliability
   • Configuration Compliance
   • Authorized devices and services
   • Vulnerabilities
   • Risk
25. Minimize Monitoring
   • Cloud & virtualization
   • Integrate development, design, operations, acquisition
   • Centralized, Application-Centric View
26. Integration: Continuous Continuum
   • Continuous Quality Improvement
   • Continuous Integration
   • Continuous Delivery
   • Continuous Design
   • Continuous Monitoring
27. From Standard Monitoring:
28. To Focused, Application-Centric Monitoring:
29. Security Monitoring Capability Levels
   • Centralized Logging
   • Infrastructure Monitoring
   • Security Information and Event Management (SIEM): Risk Assessment
   • Real-Time Intelligent Query
30. Drupal Monitoring Assets
   • Watchdog: SQL, MongoDB or Syslog
   • Infrastructure: Nagios Module/Plugin; Infrastructure Monitoring – Production Check/Monitor
   • SIEM: OSSIM Plugin (Watchdog)
   • Search Enhancements: Logstash Module; log collection, centralization, parsing, storage and search
31. Network & Infrastructure Monitoring (Nagios)
   • Monitoring and alerting
   • Servers
   • Switches
   • Applications
   • Services
   • Status: availability, load, physical condition
32. Security Information and Event Management (SIEM)
   • Intrusion Detection
   • Anomaly Detection
   • Vulnerability Detection
   • Discovery, Learning and Network Profiling systems
   • Inventory systems
   • Incident Reporting & Response
33. Open Source Security Information Management (OSSIM)
   • Asset Discovery
   • Vulnerability Assessment
   • Threat Detection
   • Behavioral Monitoring
   • Security Intelligence
34. OSSIM Components
   • Snort (Network Intrusion Detection System)
   • Ntop (network and usage monitor)
   • OpenVAS (vulnerability scanning)
   • P0f (passive operating system fingerprinting)
   • Pads (Passive Asset Detection System; complements Snort with context)
   • Arpwatch (Ethernet/IP address pairing monitor)
   • OSSEC (Host Intrusion Detection System)
   • Osiris (host integrity monitoring)
   • Nagios (availability monitoring)
   • OCS (inventory)
35. Drupal Monitoring Assets
   • Watchdog: logdb/SQL, MongoDB or Syslog
   • Infrastructure: Nagios Module/Plugin; Infrastructure Monitoring – Production Check/Monitor
   • SIEM: OSSIM Plugin (Watchdog)
   • Search Enhancements: Logstash Module; log collection, centralization, parsing, storage and search
36. Core Nagios Monitoring
   • Pending Drupal version update
   • Pending Drupal module updates
   • Unwritable 'files' directory
   • Pending updates to the database schema
   • Status of cron
   • Number of published nodes
   • Number of active users
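Slides 20, 30 and 36 together sketch the pattern: watchdog events are shipped to syslog, and Nagios raises an alert only on what someone must respond to. The following is an added example (not code from the deck or from the Drupal Nagios module): a minimal Nagios-style check in Python over constructed Drupal watchdog records. It assumes the field order of Drupal 7's default syslog_format (`!base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message`) and hypothetical thresholds of 3 (warning) and 5 (critical) failed logins per source IP.

```python
from collections import Counter

# Nagios plugin exit codes
OK, WARNING, CRITICAL = 0, 1, 2

# Field order of Drupal 7's default syslog_format (assumed; adjust if your site changed it):
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
FIELDS = ("base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message")

# Constructed sample records (the payload that follows the "drupal:" syslog tag); not real traffic
SAMPLE_LINES = [
    "http://example.test|1380000001|user|203.0.113.5|/user/login||0||Login attempt failed for admin.",
    "http://example.test|1380000002|user|203.0.113.5|/user/login||0||Login attempt failed for admin.",
    "http://example.test|1380000003|user|203.0.113.5|/user/login||0||Login attempt failed for root.",
    "http://example.test|1380000004|php|198.51.100.9|/node/1||0||Warning: Undefined index in foo().",
    "http://example.test|1380000005|user|198.51.100.9|/user/login||0||Login attempt failed for bob.",
    "http://example.test|1380000006|content|198.51.100.9|/node/add/page||1||page: added Hello.",
    "garbage line without delimiters",
]

def parse_watchdog(line):
    """Split one record into a dict; the message field itself may contain '|'."""
    parts = line.split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None  # not a watchdog record: skip it rather than alert on noise
    return dict(zip(FIELDS, parts))

def check_failed_logins(lines, warn=3, crit=5):
    """Return (exit_code, status_text) in Nagios plugin convention (hypothetical thresholds)."""
    per_ip = Counter()
    for line in lines:
        rec = parse_watchdog(line)
        if rec and rec["type"] == "user" and rec["message"].startswith("Login attempt failed"):
            per_ip[rec["ip"]] += 1
    # The busiest single source decides the state, so one noisy address is not averaged away
    worst_ip, worst = per_ip.most_common(1)[0] if per_ip else ("-", 0)
    state = CRITICAL if worst >= crit else WARNING if worst >= warn else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    # Text after "|" is Nagios performance data, which the monitoring side can graph
    return state, f"DRUPAL LOGINS {label} - {worst} failed logins from {worst_ip} | failed={sum(per_ip.values())}"

if __name__ == "__main__":
    import sys
    code, text = check_failed_logins(SAMPLE_LINES)
    print(text)
    sys.exit(code)  # Nagios reads the state from the exit code
```

On the sample data the check returns WARNING, because one address accounts for three failed logins while the total across sources is four.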
37. Drupal Monitoring Assets
   • Watchdog: SQL, MongoDB or Syslog
   • Infrastructure: Nagios Module/Plugin; Infrastructure Monitoring – Production Check/Monitor
   • SIEM: OSSIM Plugin (Watchdog)
   • Search Enhancements: Logstash Module; log collection, centralization, parsing, storage and search
38. OSSIM
39. OSSIM, Nagios
40. Logstash, Kibana, Elasticsearch
41. Software Defined Infrastructure
   • SDIM: Machine Configuration (virtualization, Chef & Puppet), AWS, VMware & OpenStack
   • SDN: Software Defined Networking
   • SDS: Software Defined Storage
   • Software Defined Drupal Security?
42. Configuration & Patch Management: Security Content Automation Protocol (SCAP)
   • Specifications for security data (baselines, XCCDF, OVAL)
   • Checklist Repository (USGCB)
   • NIST-validated commercial tools
   • OpenSCAP
   • RH Satellite, Spacewalk
43. SCAP Workbench
44. Thank You!!!
   Comments, Questions, Criticism?
   http://drupal.jbsinternational.com
   mnescot@jbsinternational.com