The Security Kung Fu Series was created as both a thought leadership and awareness campaign which ran from Q1 – Q2 2017. It was meant to educate attendees on the internal and external threats businesses face, and the compliance challenges many must endure. It also served to highlight the need for an array of software solutions from the SolarWinds Core IT Security Portfolio which can assist with these concerns.
A primary focus of the event was SolarWinds® Log & Event Manager, which can contribute to greater IT security and assist businesses in meeting and maintaining compliance with a variety of regulatory regimes.
Part 2: Firewall Logs
Part 2 of the series shifted our attention to the periphery of the network to focus on how firewalls serve as a first line of defense against security threats. In addition to discussing the patterns of attack which hackers have demonstrated countless times, we showed how firewall log data can give notice of attempts to infiltrate a network, exfiltrate data, and more. Beyond that, we discussed how Network Change and Configuration Management solutions can also contribute to deeper IT security by alerting on configuration changes on firewalls and other network devices, in addition to a host of other capabilities that help with this cause.
Other Security Kung Fu Events:
Part 1: SIEM Solutions | http://bit.ly/2qkwVWh
Part 3: Active Directory Changes | http://bit.ly/2s5kFFc
Part 4: Security vs. Compliance | http://bit.ly/2qXuc3I
If you are interested in learning about the impact of this campaign, please visit my LinkedIn Profile for more details or feel free to reach out to me directly over LinkedIn.
Acknowledgements
I’d like to thank the following individuals for assisting me in the execution of this campaign:
Justina Lister, Angeline Kelly, Jamie Hynds, Ian Trump, Destiny Bertucci, Curtis Ingram, Chris Wiley, Ren Penaflor, Allie Eby, Ann Guidry, Rainy Schermerhorn, Kirsten Tanges, Damon Garcia
6. ANATOMY OF AN ATTACK
Lockheed Martin Cyber Kill Chain® stages, with where in the network each one plays out:
• Delivery: WAN to LAN
• Exploitation: End Point
• Installation: End Point
• C2: LAN to WAN
• Actions: End Point
8. BREACH NOTIFICATION
Regulations, Rules, & Requirements
• State law in many states
o Forty-seven states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information
o Only three states—Alabama, New Mexico, and South Dakota—do not currently have a law requiring consumer notification of security breaches
• Federal law
o H.R.1770 - Data Security and Breach Notification Act of 2015 – on legislative calendar as of 2017
o HIPAA & GLBA
10. PLAYING WITH FIRE[WALL LOGS]
What kinds of events do firewalls log?
• Traffic, traffic, traffic
o Many devices can log both traffic statistics and per-ACL/policy
o For ACLs/policy, you can specify whether to log (and in some cases when – session start vs. end)
• Device administration
o Configuration changes, sometimes down to the specific command run
o Authentication (both admins and things like VPN)
• Add-on module and “smarter” data
o UTMs and Next-Gen Firewalls, IPS modules, etc. generate lots of security-specific details
o VPN connections and tunnels
11. SIEM AND NCCM SOLUTIONS
How do security information and event management (SIEM) solutions help me manage firewall logs?
• High volume makes it hard to be high value!
o Make logs work for you now, rather than waiting for an investigation
• Apply your environment details to logs to make them more intelligent
• Correlate (in real time or as part of an investigation/troubleshooting) firewall data with other event sources to get a full picture of what’s actually happening
• Leverage active response on the device or somewhere else to isolate problems
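As an added example (not from the webinar or SolarWinds), the following Python script applies the ideas from slides 10 and 11 to constructed firewall log lines: it parses traffic and configuration-change events, enriches them with assumed environment details (asset roles, authorized admins), and raises alerts for a multi-port deny burst, an outbound session from a host that should never talk to the WAN, and a config change by an unlisted user. The log format, addresses and user names are all constructed, not any vendor's real format.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a generic syslog-like form (not a vendor format).
LOG_LINES = """\
2017-05-01T10:00:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=22
2017-05-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
2017-05-01T10:00:02 DENY src=203.0.113.9 dst=192.0.2.10 dport=445
2017-05-01T10:00:03 DENY src=203.0.113.9 dst=192.0.2.10 dport=3389
2017-05-01T10:00:04 DENY src=203.0.113.9 dst=192.0.2.10 dport=8080
2017-05-01T10:05:00 ACCEPT src=192.0.2.50 dst=198.51.100.7 dport=443
2017-05-01T10:06:00 ACCEPT src=192.0.2.10 dst=198.51.100.7 dport=443
2017-05-01T10:07:00 CONFIG user=jdoe cmd="no access-list 101"
"""

# Environment details applied to the logs: asset roles, which roles must
# never initiate WAN traffic, and who may change firewall config (constructed).
ASSETS = {"192.0.2.10": "db-server", "192.0.2.50": "workstation"}
NO_OUTBOUND_ROLES = {"db-server"}
AUTHORIZED_ADMINS = {"fwadmin"}

TRAFFIC = re.compile(r"^(\S+) (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
CONFIG = re.compile(r'^(\S+) CONFIG user=(\S+) cmd="([^"]*)"$')

def analyze(lines, scan_threshold=5):
    """Return (rule, detail) alerts derived from the firewall log lines."""
    alerts = []
    denied_ports = defaultdict(set)  # src -> distinct destination ports denied
    for line in lines.splitlines():
        m = TRAFFIC.match(line)
        if m:
            _, action, src, dst, port = m.groups()
            if action == "DENY":
                denied_ports[src].add(int(port))
            elif ASSETS.get(src) in NO_OUTBOUND_ROLES:
                # A host that should never talk outbound did: possible exfiltration.
                alerts.append(("unexpected-outbound", f"{ASSETS[src]} {src} -> {dst}:{port}"))
            continue
        m = CONFIG.match(line)
        if m and m.group(2) not in AUTHORIZED_ADMINS:
            alerts.append(("unauthorized-config-change", f"{m.group(2)}: {m.group(3)}"))
    # Many distinct ports denied from one source looks like a probe of the perimeter.
    for src, ports in denied_ports.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port-probe", f"{src} denied on {len(ports)} ports"))
    return alerts

if __name__ == "__main__":
    for rule, detail in analyze(LOG_LINES):
        print(f"{rule}: {detail}")
```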
12. SIEM AND NCCM SOLUTIONS
How does configuration management help mitigate risk and contribute to compliance?
• Consistently configure devices to policy baseline
• Audit configurations for compliance to standards and policies
• Monitor configurations for unauthorized changes and remediate
• Archive configs to roll back a config change or recover a failed device
• Assess vulnerabilities in device firmware
• Upgrade outdated device firmware
• Discover, inventory and manage device lifecycle
• Maintain device documentation (e.g., location, purpose, configuration contacts, etc.)
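To illustrate the audit and unauthorized-change items above, here is an added Python example (not SolarWinds code) that diffs a running firewall config against an archived baseline and checks it against a small policy standard. The config syntax, the lines and the policy rules are constructed for the example and do not represent a specific vendor.

```python
import difflib
import re

# Constructed baseline (archived, known-good) and running configs for a
# hypothetical firewall; the syntax is illustrative, not a vendor's.
BASELINE = """\
hostname edge-fw-1
logging host 192.0.2.20
access-list 101 deny tcp any any eq 23 log
access-list 101 permit tcp any host 192.0.2.10 eq 443 log
access-list 101 deny ip any any log
"""

RUNNING = """\
hostname edge-fw-1
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any host 192.0.2.10 eq 443 log
access-list 101 deny ip any any log
"""

# Policy standard: lines every device must carry, and patterns none may carry.
REQUIRED = ["logging host 192.0.2.20"]
FORBIDDEN = [re.compile(r"^access-list \d+ permit .* eq 23\b")]  # cleartext telnet

def drift(baseline, running):
    """Lines added (+) or removed (-) relative to the archived baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), running.splitlines(),
                                "baseline", "running", lineterm="", n=0)
    return [l for l in diff if l[:1] in "+-" and not l.startswith(("+++", "---"))]

def audit(running):
    """Policy findings for a running config, independent of the baseline."""
    lines = running.splitlines()
    findings = [f"missing required line: {r}" for r in REQUIRED if r not in lines]
    for line in lines:
        if any(p.search(line) for p in FORBIDDEN):
            findings.append(f"forbidden line: {line}")
    # ACL entries that never log leave no trail for the SIEM to correlate.
    findings += [f"acl without log keyword: {l}" for l in lines
                 if l.startswith("access-list") and not l.endswith(" log")]
    return findings

if __name__ == "__main__":
    print("\n".join(drift(BASELINE, RUNNING) + audit(RUNNING)))
```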