Events Management or How to Survive Security Incidents

Presentation performed during the 2nd edition of the Belnet Security Conference.

  • Time: 35 minutes, Q&A: 5 minutes. Hello and good morning. Be patient, the lunch is coming just after my presentation…
  • I’ll speak about “events”. Events are normal: all your devices generate tons of events per day, but some of them may contain critical information and lead to an “incident”. After an overview of the situation today in most organizations, I’ll review how to implement (basically) an event management solution. Then you’ll be able to handle security incidents. Finally, I’ll give some tips or tools to increase the detection of security incidents on your network. Of course, I’d like to make this talk interactive. Feel free to raise your hand and ask your questions.
  • About me: I’m working for C-CURE, a consultancy company focusing on security (based in Mechelen). Involved in several types of projects. Certifications. Security blogger. BTW, did you know that this year will be the 2nd edition of BruCON (24-25 Sep)? Otherwise, Maltego me! ;-)
  • Events are your source to investigate security issues. If we look at a timeline, events can be processed at different times. Present: “quicker is better”: generate an alert when a threat is detected on the network. Ex: access denied for user root on server console. Past: “did we miss anything?”: review the user management procedure once a week or month. Investigations: “looking for smoke signals”.
  • - Technical = “bits & bytes” - Complexity comes from the business (company takeover) or the requirements (security, performance, availability). Millions of events = impossible to review manually, and even so, human processing leads to errors! (We are “only” poor humans.) Protocols & applications -> web 2.0.
  • “Business is business”: organizations are made to earn money. Problems detected as soon as possible -> less impact.
  • Local law: specific data retention requirements. Due diligence: ensure that risks are identified and managed. Due care: “to keep in working condition”.
  • Inventory: avoid rogue devices!
  • - Understand extent and source of incident - Protect sensitive data contained on systems - Protect systems/networks and their ability to continue operating as intended, and recover systems - Collect information to understand what happened; without such information, you may inadvertently take actions that can further damage your systems - Support legal investigations, forensics.
  • Investment: like an insurance, could be helpful “one day”. SPoC = Security Point of Contact.

1. Events Management or How to Survive Security Incidents (Belnet Security Conference, May 2010)
2. Agenda
  • Today's Situation
  • How to implement a solution
  • How to handle security incidents
  • Examples & tools
  • Q & A
3. About
  • Xavier Mertens
  • Senior Security Consultant @ C-CURE
  • CISSP, CISA
  • Security Blogger
  • BruCON Volunteer
  • More info? Maltego!
4. Introduction
  • Some scenarios
    • Present
      • Source: Real-time alerts
      • Action: Immediate investigation
    • Past (during last week or month)
      • Source: Reporting
      • Action: Adapt procedures & infrastructure
    • Investigations (smoke signal)
      • Source: Specific request
      • Action: Forensics
5. Today's Issues
  • Technical
    • Networks are complex
    • Based on heterogeneous components (firewalls, IDS, proxies, etc.)
    • Millions of daily events
    • Lots of consoles/tools
    • Protocols & applications
6. Today's Issues (next)
  • Economical
    • “Time is Money”
      • Investigations must be performed in real time
      • Downtime may have a huge business impact
    • Reduced staff & budgets
    • Happy shareholders
7. Today's Issues (next)
  • Legal
    • Compliance requirements
      • PCI-DSS, SOX, HIPAA, etc.
      • Initiated by the group or business
    • Local laws
    • Due diligence & due care
      • Security policies must be enforced!
8. Current Situation
  • Organizations are using good security perimeters based on proven solutions
  • But without a clear view and control of the infrastructure
  • Attacks become more and more sophisticated and frequent
  • Not prepared to deal with security incidents
9. Requirements
  • To handle security incidents properly, an organization must rely on:
  • Tools
  • Procedures
    • Upstream
    • Downstream
    • Continuous (!)
  • Event Management != Big Brother
10. Visibility
  • More integration, more sources, more chances to detect a problem
  • Integration of external sources of information could help the detection of incidents
    • Automatic vulnerability scans
    • Import of vulnerability databases
  • Awareness
11. Know your Network
  • Inventory
    • Devices
    • Protocols
    • Users
  • Behavior
    • Bandwidth usage
    • EPS (Events per Second)
12. Procedures
  • Boring but required!
  • Back to the basics:
  • Input -> Change management
  • Output -> Incident management
  (diagram: Input -> Process -> Output)
13. Change Management
  • New devices are connected
  • Old devices are decommissioned
  • User provisioning
  • New applications are deployed
  • Security perimeter? Still valid?
14. Incident Management
  • Business first! (MTTR)
  • Avoid decisions made urgently
  • Keywords
    • Understand
    • Protect
    • Recover
    • Investigate
15. Prevention
  • Recurrent process!
  • Security lifecycle
  • Requires time
  • Information
    • Forums
    • Blogs
    • Conferences
16. A Security Incident?
  • Definitions
    • An event is “an observable change to the normal behavior of a system, environment, process, workflow or person (components).”
    • An incident is “a series of events that adversely affects the information assets of an organization.”
  • Examples? Read the press! ;-)
  • You will face one!
17. Security Convergence
  • Physical Security + Logical Security
  • Example
    • Geolocalization
    • User authentication + badge control
18. A Four-Step Process
  • Collection
  • Normalization
  • Index
  • Storage
19. Three Actions
  • Real-time alerts
  • Reports
  • “Forensics” or “smoke signals”
20. Architecture (diagram): sources (Devices, Systems, Applications) -> Collectors -> Indexer -> Store -> Alerts, Reports, Search; Long Term Storage
21. Need of a SOC?
  • Yes but ...
  • SOC or SPoC
  • Directly depending on your organization size
  • Starting with a dedicated person is enough
  • Investments (time & money)
  • Roles: Alerts, Reports, Investigate
22. Communication
  • Mandatory step in the process
  • Do not lie!
  • Be transparent
  • Online reputation
    • Must be properly managed
    • Think about shareholders
    • The press
    • Customers
23. Examples
  • To follow...
    • Apache
    • Google
    • Splunk
  • To avoid...
    • The “Belgian Juweler”
24. Examples & Tools
  • OSSEC
  • OSSIM
  • Apache mod_dlp
  • Ngrep for basic DLP
25. Thank You! [email_address]
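Slide 11 (“Know your Network”) and the speaker note “Inventory: avoid rogue devices!” describe two checks that an event management setup can automate: comparing the sources that actually emit events against the device inventory, and comparing each source's events-per-second (EPS) rate against a known baseline. The following is an added example, not code from the presentation; the inventory, the baseline values, the 10-second window and the event sample are all constructed for the demonstration, and the anomaly factor of 3 is an assumption.

```python
"""Inventory and behaviour baseline check over a constructed event sample.

Added example for slide 11 ("Know your Network"); not code from the talk.
Assumes a small constructed inventory of known devices with an expected
events-per-second (EPS) baseline, and a constructed event sample of
(timestamp, source address) pairs spread over a 10-second window.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory: source address -> (device name, baseline EPS)
INVENTORY = {
    "10.0.0.1": ("fw-edge", 20.0),
    "10.0.0.10": ("web-01", 5.0),
    "10.0.0.20": ("proxy-01", 8.0),
}

WINDOW_SECONDS = 10.0  # length of the observation window used below


def constructed_events():
    """Build the sample: per source, N events evenly spread over the window.
    proxy-01 sends five times its baseline and 10.0.0.99 is not inventoried."""
    base = datetime(2010, 5, 20, 9, 0, 0)  # constructed timestamp
    plan = {"10.0.0.1": 200, "10.0.0.10": 50, "10.0.0.20": 400, "10.0.0.99": 3}
    events = []
    for addr, n in plan.items():
        for i in range(n):
            events.append((base + timedelta(seconds=i * WINDOW_SECONDS / n), addr))
    return sorted(events)


def find_rogue_sources(events, inventory=INVENTORY):
    """Sources that emit events but are absent from the inventory."""
    return sorted({addr for _, addr in events if addr not in inventory})


def events_per_second(events, window_seconds=WINDOW_SECONDS):
    """Observed EPS per source over the window."""
    counts = Counter(addr for _, addr in events)
    return {addr: n / window_seconds for addr, n in counts.items()}


def find_eps_anomalies(events, inventory=INVENTORY, factor=3.0,
                       window_seconds=WINDOW_SECONDS):
    """Inventoried sources whose EPS exceeds `factor` times their baseline.
    Returns sorted (device name, observed EPS, baseline EPS) tuples."""
    anomalies = []
    for addr, eps in events_per_second(events, window_seconds).items():
        if addr not in inventory:
            continue  # reported separately as a rogue source
        name, baseline = inventory[addr]
        if eps > factor * baseline:
            anomalies.append((name, eps, baseline))
    return sorted(anomalies)


if __name__ == "__main__":
    sample = constructed_events()
    print("rogue sources:", find_rogue_sources(sample))
    print("EPS anomalies:", find_eps_anomalies(sample))
```

Both checks only work if the inventory is maintained, which is exactly the link to slide 13 (change management): a device that was connected without going through the change process shows up here as “rogue”, and a decommissioned device that keeps sending events shows up the same way.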
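Slides 18 to 20 describe the pipeline (collection, normalization, index, storage) and the three actions built on top of it (real-time alerts, reports, search). The following added example, which is not code from the presentation, implements that pipeline in miniature over constructed syslog-style lines, using the speaker note's own scenario (repeated authentication failures for root) as the real-time alert rule. The parsers, the field names, the `EventStore` class and the alert threshold (3 failures from one source within 120 seconds) are assumptions chosen for the demonstration; the syslog timestamps carry no year, so they parse to 1900 and are used only for differences.

```python
"""Minimal event pipeline: collect -> normalize -> index -> store, then the
three actions (real-time alert, report, search).

Added example for slides 18-20; not code from the presentation. Input is a
constructed syslog-style sample; parsers, schema and alert threshold are
assumptions for the demonstration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log lines (no real hosts or addresses).
SAMPLE_LINES = [
    "May 20 09:01:02 srv01 sshd[1234]: Failed password for root from 10.0.0.99 port 4022 ssh2",
    "May 20 09:01:05 srv01 sshd[1234]: Failed password for root from 10.0.0.99 port 4023 ssh2",
    "May 20 09:01:09 srv01 sshd[1240]: Accepted password for alice from 10.0.0.10 port 5011 ssh2",
    "May 20 09:02:00 fw01 kernel: DROP IN=eth0 SRC=10.0.0.99 DST=10.0.0.1 PROTO=TCP DPT=23",
    "May 20 09:02:30 srv01 sshd[1250]: Failed password for root from 10.0.0.99 port 4030 ssh2",
    "May 20 09:03:00 srv01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
GENERIC_RE = re.compile(TS)
SSHD_RE = re.compile(TS + r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(TS + r"kernel: (?P<action>DROP|ACCEPT) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def normalize(line):
    """Step 2: map a raw line onto one common schema. Lines no parser knows
    are kept with type 'other' (and the raw text) so nothing is silently lost."""
    ev = {"raw": line, "type": "other"}
    m = GENERIC_RE.match(line)
    if m:
        ev["ts"] = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        ev["host"] = m["host"]
    m = SSHD_RE.match(line)
    if m:
        ev.update(type="auth_failure" if m["result"] == "Failed" else "auth_success",
                  user=m["user"], src=m["src"])
        return ev
    m = FW_RE.match(line)
    if m:
        ev.update(type="fw_" + m["action"].lower(), src=m["src"], dst=m["dst"])
    return ev


class EventStore:
    INDEXED = ("type", "host", "user", "src")

    def __init__(self, threshold=3, window_seconds=120):
        self.events = []                    # step 4: storage (append-only)
        self.index = defaultdict(set)       # step 3: (field, value) -> event ids
        self.alerts = []
        self.threshold, self.window = threshold, window_seconds
        self._recent = defaultdict(deque)   # (user, src) -> recent failure times

    def ingest(self, line):
        """Step 1: collection. Each line is normalized, stored, indexed and
        checked against the real-time rule before the next one is read."""
        ev = normalize(line)
        ev_id = len(self.events)
        self.events.append(ev)
        for field in self.INDEXED:
            if field in ev:
                self.index[(field, ev[field])].add(ev_id)
        self._check_alert(ev)
        return ev_id

    def _check_alert(self, ev):
        """Action 1: real-time alert on repeated root login failures from one source."""
        if ev["type"] != "auth_failure" or ev.get("user") != "root":
            return
        recent = self._recent[(ev["user"], ev["src"])]
        recent.append(ev["ts"])
        while (ev["ts"] - recent[0]).total_seconds() > self.window:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.threshold:
            self.alerts.append({"rule": "root_auth_failures", "src": ev["src"],
                                "count": len(recent), "at": ev["ts"]})
            recent.clear()                  # one burst raises one alert

    def report(self):
        """Action 2: periodic summary, here the number of events per type."""
        return dict(Counter(ev["type"] for ev in self.events))

    def search(self, **criteria):
        """Action 3: look up stored events by indexed fields (criteria are AND-ed)."""
        ids = None
        for field, value in criteria.items():
            hits = self.index.get((field, value), set())
            ids = hits if ids is None else ids & hits
        return [self.events[i] for i in sorted(ids or [])]


def run_sample(lines=SAMPLE_LINES):
    store = EventStore()
    for line in lines:
        store.ingest(line)
    return store


if __name__ == "__main__":
    s = run_sample()
    print("report:", s.report())
    print("alerts:", s.alerts)
    print("events from 10.0.0.99:", len(s.search(src="10.0.0.99")))
```

The design point is the separation on slide 18: the alert rule, the report and the search all read the normalized fields, never the raw line, so adding a new source only means adding a parser. Unparsed lines still land in storage with their raw text, which is what makes the “smoke signals” search of slide 19 possible for events nobody wrote a rule for yet.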