Events Management  or  How to Survive Security Incidents Belnet Security Conference May 2010
Agenda Today's Situation How to implement a solution How to handle security incidents Examples & tools Q & A
About Xavier Mertens Senior Security Consultant @ C-CURE CISSP, CISA Security Blogger BruCON Volunteer More info? Maltego!
Introduction Some scenarios Present  Source: Real-time alerts Action: Immediate investigation Past (during last week or month) Source: Reporting Action: Adapt procedures & infrastructure Investigations (smoke signal) Source: Specific Request Action: Forensics
Today's Issues Technical Networks are complex Based on heterogeneous components (firewalls, IDS, proxies, etc.) Millions of daily events Lots of consoles/tools Protocols & applications
Today's Issues (next) Economic “Time is Money” Investigations must be performed in real-time Downtime may have a huge business impact Reduced staff & budgets Happy Shareholders
Today's Issues (next) Legal Compliance requirements PCI-DSS, SOX, HIPAA, etc Initiated by the group or business Local laws Due diligence & due care Security policies must be enforced!
Current Situation Organizations are using good security perimeters based on proven solutions But without a clear view and control of the infrastructure Attacks become more and more sophisticated and frequent Not prepared to deal with security incidents
Requirements To handle security incidents properly an organization must rely on: Tools Procedures Upstream Downstream Continuous (!) Event Management != Big Brother
Visibility More integration, more sources, more chances to detect a problem Integration of external sources of information can help the detection of incidents Automatic vulnerability scans Import of vulnerability databases Awareness
Know your Network Inventory Devices Protocols Users Behavior Bandwidth Usage EPS (Events per Second)
Procedures Boring but required! Back to the Basics: Input: Change management Output: Incident management (Process: Input -> Output)
Change Management New devices are connected Old devices are decommissioned Users provisioning New applications are deployed Security perimeter? Still valid?
Incident Management Business first! (MTTR) Avoid decisions made urgently Keywords Understand Protect Recover Investigate
Prevention Recurrent process! Security lifecycle Requires time Information sources: Forums Blogs Conferences
A Security Incident? Definitions An event is “an observable change to the normal behavior of a system, environment, process, workflow or person (components).” An incident is “a series of events that adversely affects the information assets of an organization” Examples? Read the press! ;-) You will face one!
Security Convergence Physical Security + Logical Security Example: Geolocation User authentication + badge control
A Four-Steps Process Collection Normalization Index Storage
Three Actions Real-time alerts Reports “Forensics” or “smoke signals”
Architecture Devices Systems Applications Collectors Indexer Store Alerts Reports Search Long Term Storage
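The four-step process (collection, normalization, index, storage) and the three actions (alerts, reports, search) above, carried through on two heterogeneous sources, as an added example that is not part of the original deck. The sshd and Apache lines, the field names of the common schema and the "root access denied" alert rule (taken from the speaker notes' scenario) are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines from two heterogeneous sources (sshd and Apache); not real logs.
SAMPLE_EVENTS = [
    ("sshd", "May 12 10:01:02 srv1 sshd[2201]: Failed password for root from 10.0.0.7 port 51022 ssh2"),
    ("sshd", "May 12 10:01:05 srv1 sshd[2201]: Failed password for root from 10.0.0.7 port 51023 ssh2"),
    ("sshd", "May 12 10:01:09 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.9 port 40000 ssh2"),
    ("apache", '10.0.0.7 - - [12/May/2010:10:02:00 +0200] "GET /admin HTTP/1.1" 403 199'),
    ("apache", '10.0.0.20 - - [12/May/2010:10:02:03 +0200] "GET /index.html HTTP/1.1" 200 512'),
]
SSHD_RE = re.compile(r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
APACHE_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def normalize(source, line):
    """Normalization: map a raw line from any source onto one common schema (None if unparsed)."""
    if source == "sshd" and (m := SSHD_RE.match(line)):
        return {"source": source, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "action": "denied" if m["result"] == "Failed" else "allowed", "raw": line}
    if source == "apache" and (m := APACHE_RE.match(line)):
        return {"source": source, "host": None, "user": None if m["user"] == "-" else m["user"],
                "src_ip": m["ip"], "action": "denied" if m["status"] in ("401", "403") else "allowed", "raw": line}
    return None

class EventStore:  # index + storage: an inverted index over normalized fields in front of the event list
    def __init__(self):
        self.events = []                                      # storage, in arrival order
        self.index = defaultdict(lambda: defaultdict(list))   # field -> value -> event ids
    def ingest(self, event):
        for field in ("source", "user", "src_ip", "action"):
            self.index[field][event[field]].append(len(self.events))
        self.events.append(event)
    def search(self, **criteria):  # forensics / "smoke signals": intersect the posting lists of every criterion
        ids = None
        for field, value in criteria.items():
            hits = set(self.index[field].get(value, []))
            ids = hits if ids is None else ids & hits
        return [self.events[i] for i in sorted(ids or [])]

def run_pipeline(raw_events):
    """Collection -> normalization -> index/storage, then the real-time alert and a report."""
    store, alerts = EventStore(), []
    for source, line in raw_events:
        event = normalize(source, line)
        if event is None:
            continue                        # unknown format: keep raw elsewhere, it cannot be correlated
        store.ingest(event)
        if event["action"] == "denied" and event["user"] == "root":   # real-time alert (scenario from the notes)
            alerts.append(event)
    report = Counter(e["src_ip"] for e in store.search(action="denied"))   # periodic-report style action
    return store, alerts, report
```

Running `run_pipeline(SAMPLE_EVENTS)` fires two root alerts in real time, while the report shows that the same source address was also refused by the web server, which only the normalized schema makes visible.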
Need for a SOC? Yes but ... SOC or SPoC Depends directly on your organization size Starting with a dedicated person is enough Investments (time & money) Roles: Alerts, Reports, Investigate
Communication Mandatory step in the process Do not lie! Be transparent Online reputation Must be properly managed Think about shareholders The press Customers
Examples To follow... Apache Google Splunk To avoid... The “Belgian Jeweler”
Examples & Tools OSSEC OSSIM Apache mod_dlp Ngrep for basic DLP
Thank You! [email_address] http://blog.rootshell.be twitter.com/xme


Editor's Notes

  • #2 Time: 35 minutes Q&A: 5 minutes Hello and good morning. Be patient, the lunch is coming just after my presentation…
  • #3 I’ll speak about “events”. Events are normal. All your devices generate tons of events per day. But some of them may contain critical information and lead to an “incident”. After an overview of the situation today in most organizations, I’ll review how to implement (basically) an event management solution. Then you’ll be able to handle security incidents. Finally, I’ll give some tips or tools to increase the detection of security incidents on your network. Of course, I’d like to make this talk interactive. Feel free to raise your hand and ask your questions.
  • #4 Well, about me? I’m working for C-CURE, a consultancy company focusing on security (based in Mechelen). Involved in several types of projects Certifications Security blogger BTW, did you know that this year will be the 2nd edition of BruCON (24-25 Sep)? Otherwise, maltego me! ;-)
  • #5 Events are your source to investigate security issues. If we look at a timeline, events can be processed at different times: Present: “quicker is better”: generate an alert when a threat is detected on the network. Ex: Access denied for user root on server console Past: “don't miss anything”: review the user management procedure once a week or month Investigations: “looking for smoke signals”
  • #6 - Technical = “bits & bytes” - Complexity comes from the business (company takeover) or the requirements (security, performance, availability) Millions of events = impossible to review manually, and anyway human processing leads to errors! (We are “only” poor humans) Protocols & applications -> web 2.0
  • #7 “Business is business”: organizations are made to earn money. Problems detected as soon as possible -> less impact
  • #8 Local law: specific data retention requirements Due diligence: ensure that risks are identified and managed Due care: “to keep in working conditions”
  • #12 Inventory: avoid rogue devices!
  • #15 - Understand extent and source of incident - Protect sensitive data contained on systems - Protect systems/networks and their ability to continue operating as intended and recover systems - Collect information to understand what happened. Without such information, you may inadvertently take actions that can further damage your systems - Support legal investigations, forensics
  • #22 Investment: like an insurance, could be helpful “one day” SPoC = Security Point of Contact