This document discusses security controls and monitoring for Drupal systems. It outlines frameworks like NIST SP-800-53 and the SANS Top 20 controls. It describes concepts like continuous monitoring, logging, auditing and the anatomy of security controls. It also discusses tools and techniques for Drupal security monitoring including Watchdog, Nagios, OSSIM, Logstash and SCAP. The goal is to provide focused, application-centric security monitoring moving from standard to intelligent monitoring.

1. Drupal Security Controls and Monitoring
Mike Nescot, JBS International

2. Drupal Security Controls and Monitoring
Mike Nescot, JBS International
http://drupal.jbsinternational.com

3. Information Systems
Logging and Monitoring

4. Security Controls
• FISMA Standard: SP-53 Rev 4

5. SP800-53 Rev 4
Security Controls: 18 Families
• Access Control
• Awareness & Training
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• Contingency Planning
• Identification & Authorization
• Incident Response
• Maintenance

6. SP800-53 Rev 4
Security Controls: 18 Families (con.)
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquistion
• System & Communications Protection
• System & Information Integrity
• Program Management

7. SP800-53 Rev 4
Privacy Controls: 8 Families (FEA)
• Authority & Purpose
• Accountability, Audit, & Risk Management
• Data Quality & Integrity
• Data Minimization & Retention
• Individual Participation & Redress
• Security
• Transparency
• Use Limitation

8. Anatomy of a Control
• Account Management
• Control count: from 198 to 267, or 600 to 850
• More tailoring guidance, overlays, focus on
assurance controls, strategic, privacy

9. SANS Top 20
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware & Software on
Laptops, Workstations, & Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defense
• Application Software Security
• Wireless Device Control
• Data Recovery Capability
• Security Skills Assessment & Training
• Secure Configurations for Firewalls, Routers, & Switches

10. SANS Top 20 (cont)
• Limitation & Control of Network Ports, Protocols, &
Services
• Controlled Use of Administrative Privileges
• Boundary Defense
• Maintenance, Monitoring, & Analysis of Audit Logs
• Controlled Access Based on Need to Know
• Account Monitoring & Control
• Data Loss Prevention
• Incident Response & Management
• Secure Network Engineering
• Penetration Testing & Team Exercises

11. SANS Top 20
The five critical tenets of an effective cyber defense
system as reflected in the Critical Controls are:
• Offense informs defense: Use knowledge of actual
attacks for defense
• Prioritization: Invest first in controls that will provide
the greatest risk reduction and protection
• Metrics: Establish common metrics to measure
effectiveness
• Continuous monitoring: Test and validate the
effectiveness of current security measures.
• Automation: Automate defenses, achieve reliable,
scalable, and continuous measurements

12. State of Required Security Controls
• Newly updated: NIST SP-53 Rev 4
• SANS Top 20 Controls
• Build it Right (SDLC), Continuous Monitoring
• 2011: NIST SP 800-137

13. Information Systems Continuous
Monitoring (ISCM)
• Maintaining ongoing awareness of
information security, vulnerabilities, and
threats to support organizational risk
management decisions.
• From compliance driven to data driven risk
management

14. Conventional
• Hostile cyber attacks
• Natural disaster
• Structural failures
• Human errors of omission or commission
• Strong Foundation

15. Advanced Persistent Threat
• Significant expertise
• Multiple attack vectors
• Establishes footholds

16. Continuous Asset Evaluation,
Situational Awareness, and Risk
Scoring (CAESARS)
• Reference Architecture: Security Automation
Standards
• Data Sources
• Data Collection
• Data Storage & Analysis
• Consumer Presentation
• Decisions

17. CAESARS Subsystems
• Sensor
(Assets, devices, servers, devices, appliances)
• Database Sub (repository of configuration and
inventory baselines)
• Analysis/Scoring
• Presentation (variety of views, query
capabilities)

19. CAESARS
The end goal of CAESARS FE is to enable
enterprise CM by presenting a technical
reference model that allows organizations to
aggregate collected data from across a diverse
set of security tools, analyze that data, perform
scoring, enable user queries, and provide overall
situational awareness.

20. Establish
• Metrics: number and severity of
vulnerabilities, unauthorized access attempts,
contingency plan testing results, risk scores
for configuration
• Monitoring and assessment frequencies:
volatility, impact levels, identified weaknesses,
threat info, vulnerabilit info, assessment
results, strategic reviews, reporting
requirements

21. Logging vs. Auditing vs. Monitoring
• Logging: Collecting event records
• Event: single occurance involinvg an attempted state
chabge
• Message: what a system does or generates in response
to request or stimulus
• Timestamp, source, data
• Auditing: System is behaving as expected, compliance
• Monitoring: Situational awareness
• Log all you can, but alert on what you must respond
(monitor as little as you need)

22. Logging Formats and Standards
• Syslog
• XML (SCAP)
• Relational Database
• NoSQL Database (Hadoop, MongoDB)
• Binary (Windows Event Log)

23. NIST: Security Automation Domains
• Vulnerability Management
• Patch Management
• Event Management
• Incident Management
• Malware Detection
• Asset Management
• Configuration Management
• Network Management
• License Mangement
• Information Management
• Software Assurnce

24. Monitoring Targets: Objects System
Boundary
• Web Server Status
• Database Server Status
• Operating System
• File system changes (HIDS)
• Network Traffic
• Network Devices (Firewalls, routers,
switches)
• Vulnerabilities
• Drupal application(s)

25. Monitoring Targets: Metrics
• Adverse Events
• Performance & Reliability
• Configuration Compliance
• Authorized devices and services
• Vulnerabilities
• Risk

26. Minimize Monitoring
• Cloud & virtualization
• Integrate development, design, operations,
acquisition
• Centralized, Application-Centric View

27. Integration: Continuous Continuum
• Continuous Quality Improvement
• Continuous Integration
• Continuous Delivery
• Continuous Design
• Continuous Monitoring

28. From Standard Monitoring :

30. To Focused,
Application-Centric
Monitoring:

32. Security Monitoring Capability Levels
• Centralized Logging
• Infrastructure Monitoring
• Security Information and Event Management
(SIEM): Risk Assessment
• Real-Time Intelligent Query

33. Drupal Monitoring Assets
• Watchdog: SQL, MongoDB or Syslog
• Infrastructue: Nagios Module/Plugin
Infrastructure Monitoring
– Production Check/Monitor
• SIEM: OSSIM Plugin (Watchdog) SIEM
• Search Enhancements: Logstash Module,log
collection, centralization, parsing, storage and
search

34. Network & Infrastructure Monitoring
(Nagios)
• monitoring and alerting
• servers
• switches
• applications
• Services
• Status: availability, load, physical condition

35. Security Information and Event
Management (SIEM)
• Intrusion Detection
• Anomaly Detection
• Vulnerability Detection
• Discovery, Learning and Network Profiling
systems
• Inventory systems
Incident Reporting & Responese

36. Open Source Security Information
Management (OSSIM)
• Asset Discovery
• Vulnerability Assessment
• Threat Detection
• Behavioral Monitoring
• Security Intelligence

37. OSSIM Components
• Snort (Network Intrusion Detection System)
• • Ntop (Network and usage Monitor)
• • OpenVAS (Vulnerability Scanning)
• • P0f (Passive operative system detection) fingerprint OS
• • Pads (Passive Asset Detection System) complements
SNORT with context
• • Arpwatch (Ethernet/Ip address parings monitor)
• • OSSEC (Host Intrusion Detection System)
• • Osiris (Host integrity Monitoring)
• • Nagios (Availability Monitoring)
• • OCS (Inventory)

38. Drupal Monitoring Assets
• Watchdog: logdb/SQL, MongoDB or Syslog
• Infrastructure: Nagios Module/Plugin
Infrastructure Monitoring
– Production Check/Monitor
• SIEM: OSSIM Plugin (Watchdog) SIEM
• Search Enhancements: Logstash Module: log
collection, centralization, parsing, storage and
search

40. Core Nagios Monitoring
• Pending Drupal version update
• Pending Drupal module updates
• Unwritable 'files' directory
• Pending updates to the database schema
• Status of Cron
• Number of published nodes.
• Number of active users

42. Drupal Monitoring Assets
• Watchdog: SQL, MongoDB or Syslog
• Infrastructure: Nagios Module/Plugin
Infrastructure Monitoring
– Production Check/Monitor
• SIEM: OSSIM Plugin (Watchdog) SIEM
• Search Enhancements: Logstash Modulelog
collection, centralization, parsing, storage and
search

43. OSSIM

44. OSSIM, Nagios

45. LogStash, Kibana, Elasticsearch

47. Software Defined Defined
Infrastructure
• SDIM: Machine Configuration (Virtualization,
Chef & Puppet), AWS, VMWare & OpenStack
• SDN: Software Defined Networking
• SDS: Software Defined Storage
• Software Defined Drupal Security?

49. Configuration & Patch Management
Security Content Automation Protocol
(SCAP)
• Specifications for Security Data (baselines, xccdf,
oval)
• Checklist Repository (USCGB)
• NIST Validated Commercial tools
• OpenSCAP
• RH Satellite, Spacewalk

50. SCAP Workbench

51. Thank You!!!
Comments, Questions, Criticism?
http://drupal.jbsinternational.com
mnescot@jbsinterntional.com