Security Administration Tools and Practices


Presentation Transcript


  1. Security Administration Tools and Practices Amit Bhan Usable Privacy and Security

  2. Agenda • Security Administration • Purpose of Security Tools • Examples of Security Tools • Security Incident Manager (SIM) • Security Monitoring • Cases from the Field • Problems with Security Administration • Improvements

  3. Security Administration? • is the process of maintaining a safe computing environment. • Purpose? Need? • Security Administrator • Responsibilities?

  4. Purpose of Security Tools • Combining text and visuals • Reporting • Monitoring • Correlating • Simplify the life of a Security Administrator

  5. Combining Text and Visuals • Size and complexity of networks • A System Administrator has a variety of responsibilities: install, configure, monitor, debug and patch • Visualization vs. Perl Scripts • VisFlowConnect-IP (who is connecting to whom on my network?) • Other tools (discuss later)

  6. Reporting • Many security tools have a built-in capability for reporting • Why is reporting important? • Examples: • Nessus (vulnerability information) • SIM (security incident information)

  7. Monitoring • Some security tools have live data feed for the network • Different types of monitoring • Network monitoring • Security event monitoring • Network Security Incident monitoring

  8. Correlation • Correlation integrates the key security factors that are critical in determining the potential for significant damage within an organization. These factors are: • Real time events from heterogeneous devices • Results of vulnerability scans and other sources of threat data • The value of the host, database or application to the organization.

  9. Life of a Security Administrator • According to the paper “Combining Text and Visual Interfaces for Security-System Administration”, Security administrators are very conservative when it comes to technology adoption. • Why?

  10. Security Admin Tools • Mentioned in Text: • Bro • Nessus • Symantec Anti-virus • Tripwire • Rootkit • Sebek

  11. Bro • Bro (http://www.bro-ids.org/) is a NIDS. • Bro supports signature analysis, and in fact can read Snort signatures. (Snort is one of the most popular NIDS available.) • Bro also performs (a limited form of) anomaly detection, looking for activity that resembles an intrusion.

  12. Structure of Bro

  13. Nessus • Nessus is a free comprehensive vulnerability scanning software. • Its goal is to detect potential vulnerabilities on the tested systems

  14. Nessus Screenshot - 1

  15. Nessus Screenshot - 2

  16. Nessus Screenshot - 3

  17. Other tools • Security Incident Management System • ArcSight • Novell e-Security Sentinel • Network Incident Management System • Whatsup Gold • IBM Tivoli

  18. ArcSight • Large enterprise and government infrastructures are growing increasingly dynamic and complex • ArcSight ESM is an event management tool • Different capabilities: filters, correlation, reporting, threat monitor, vulnerability knowledge base, asset information, risk management, zones, etc.

  19. Architecture - ArcSight ESM • SmartAgents (residing on remote systems or on a separate layer) • Devices or Remote Systems (Firewalls, IDSs etc.) • Correlation engine • Central database • ArcSight Manager (console/browser)

  20. Testing ArcSight • Real strength - analyzing huge volumes of data • When tested at an ISP that provided managed services to many corporate clients, generating millions of events a day (stress test), ArcSight had no hiccups. • Biggest advantage: Scaling

  21. ArcSight screenshot 1

  22. ArcSight screenshot 2

  23. ArcSight screenshot 3

  24. e-Security Sentinel • Competitor of ArcSight, Network Intelligence, Symantec Security Information Manager • Event collector • Analyses and correlates events to determine if an event violates a predetermined condition or acceptable threshold. • Control Center & Correlation Engine • Unlike ArcSight, e-Security Sentinel has an iScale Message Bus that is based on the Sonic JMS* bus architecture. • Highly scalable • Doesn’t rely on a relational database

  25. E-Sentinel Screenshot 1

  26. E-Security Screenshot 2

  27. Cases from the Field • Security Checkup • Latest fixes/patches • Use of IDS + regular scanning of network • Security Engineers need to be well informed (discussions on forums)

  28. Case 1 - virus/worm/spyware on the network

  29. Case 2 - false alarms

  30. Case 3 - Real time network security monitoring

  31. Case 4 - Security Scans

  32. Problems with Security Administration • Integration is required • From firewalls to IDSs to Websense to vulnerability information to KB • Challenges • Too much to look at • No single standard data format • Out of sync system clocks • Correlation becomes difficult
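The correlation described on slide 8 (events from heterogeneous devices, joined with vulnerability-scan results and asset value) and the obstacles on slide 32 (no common event format, out-of-sync clocks) can be shown in one small example. This is an added illustration, not code from the presentation or from any SIM product; the firewall log format, IDS alert fields, device names, clock offsets, vulnerability table and asset values are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample feeds in two different native formats (not from the slides).
# The firewall's clock is known to run 90 seconds fast relative to the IDS.
FW_LOG = [
    "2009-03-10 10:01:30 fw1 ACCEPT 203.0.113.7 -> 10.0.0.5:445",
    "2009-03-10 10:03:05 fw1 ACCEPT 203.0.113.7 -> 10.0.0.9:80",
]
IDS_ALERTS = [
    {"time": "2009-03-10T10:00:05", "sig": "SMB exploit attempt",
     "src": "203.0.113.7", "dst": "10.0.0.5", "sev": 3},
    {"time": "2009-03-10T10:01:40", "sig": "HTTP scanner UA",
     "src": "203.0.113.7", "dst": "10.0.0.9", "sev": 1},
]
CLOCK_OFFSET = {"fw1": timedelta(seconds=90), "ids1": timedelta(0)}
VULNS = {"10.0.0.5": {"SMB"}, "10.0.0.9": set()}   # constructed scan results
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.9": 2}         # constructed asset values
FW_RE = re.compile(r"(\S+ \S+) (\S+) ACCEPT (\S+) -> (\S+):(\d+)")

def normalize(fix_clocks=True):
    """Map both feeds onto one schema: (ts, device, src, dst, kind, severity).
    With fix_clocks the per-device offset is subtracted so timestamps line up."""
    events = []
    for line in FW_LOG:
        ts, dev, src, dst, _port = FW_RE.match(line).groups()
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        t -= CLOCK_OFFSET[dev] if fix_clocks else timedelta(0)
        events.append((t, dev, src, dst, "ACCEPT", 0))
    for a in IDS_ALERTS:
        t = datetime.fromisoformat(a["time"])
        t -= CLOCK_OFFSET["ids1"] if fix_clocks else timedelta(0)
        events.append((t, "ids1", a["src"], a["dst"], a["sig"], a["sev"]))
    return sorted(events)

def correlate(window=timedelta(seconds=60), fix_clocks=True):
    """An IDS alert matters more when the firewall permitted that flow within the
    window, the target is high value, and the scan found a matching weakness."""
    events = normalize(fix_clocks)
    findings = []
    for t, dev, src, dst, kind, sev in events:
        if dev != "ids1":
            continue
        permitted = any(d != "ids1" and k == "ACCEPT" and s == src and ds == dst
                        and abs(t2 - t) <= window for t2, d, s, ds, k, _ in events)
        if not permitted:
            continue
        vulnerable = any(v.lower() in kind.lower() for v in VULNS.get(dst, ()))
        score = sev * ASSET_VALUE.get(dst, 1) * (2 if vulnerable else 1)
        findings.append((dst, kind, score))
    return findings
```

With the clock offset corrected the SMB alert against the high-value, vulnerable host scores 30 and the scanner alert scores 2; with the offset left in place neither alert correlates with a permitted flow, which is the slide's point about unsynchronized clocks.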

  33. Problems cont. • Information asymmetry • Use of manual tools (location, address books, information directories) • Process is slow because of very little integration • A problem in times of actual attacks • Critical factor - “Time” • New vulnerabilities - proactive work pays • Administrator motto - “Know Thy Network”

  34. Improvements • New tools to help security administrators need to be developed • Standardization of event formats for easier integration • Application of data mining in event classification, analysis and noise reduction • Automated event stream processing • Improved information management tools

  35. Questions ? ? ? ? ? ? ? ? ? ?