Time: 35 minutes Q&A: 5 minutes Hello and good morning. Be patient, the lunch is coming just after my presentation…
I’ll speak about “events”. Events are normal. All your devices generate tons of events per day. But some of them may containt critical information and lead to “incident”. After an overview of the situation today in most organizations, I’ll review how to implement (basically) an event management solution. Then you’ll be able to handle security incidents. Finally, I’ll give some tips or tools to increase the detection of security incidents on your network. Of course, I’d like to make this talk interactive. Feel free to raise your hand and ask your questions.
Well about me? I’m working for C-CURE, a consultancy company focusing on security. (based in Mechelen). Involved in several types of projects Certifications Security blogger BTW, did you know that this year will be the 2 nd edition of BruCON (24-25 sep) Otherwise, maltego me! ;-)
Events are your source to investigate security issues. If we check on a timeline, events can be processed at different times: Present: “quicker is better”: generate an alert when a threat is detected on the network. Ex: Access denied for user root on server console Past: “does miss anything” : review the users management procedure once a week or moth Investigations: “looking for smoke signals”
- Technical = “bits & bytes” - Complexity comes from the business (company takeover) or the requirements (security, performance, availability) Millions of events = impossible to review manually and even => human processing leads to errors! (We are “only” poor humans) Protocols & applications -> web 2.0
“ Business is business”, organization are make to earn money. Problems detected as soon as possible -> less impact
Local law: specific data retention requirements Due diligence: ensure that risks are identified and managed Due care: “to keep in working conditions”
Inventory: avoid rogue devices!
- Understand extent and source of incident – Protect sensitive data contained on systems – Protect systems/networks and their ability to continue operating as intended and recover systems – Collect information to understand what happened Without such happened. information, you may inadvertently take actions that can further damage your systems – Support legal investigations, forensics pp g g ,
Investment : like an insurance, could be helpful “one day” SPoC = Security Point of Contact