
Monitoring Systems Richard Newman






Presentation Transcript


  1. Monitoring Systems
     Richard Newman

  2. Security in Depth
     Layered Security
     • Physical access control
     • Identification and Authentication – know who is using the system
       • Individual authentication – for audit
       • Detect patterns of behavior
     • Logical Access Control
       • Programs, files, resources, etc.
     • Check – use issues
       • Real-time monitoring
         • IDS
       • Off-line monitoring
         • Audit
         • Forensic uses
         • Chain of control

  3. Computer System Monitoring
     Detection
     • May be done at any level
     • Pattern matching
     • Statistical anomaly
     • Self/non-self
     Classification
     • Severity level
     • Special considerations
     Response
     • Event logging
     • Email alert to user/admin
       • Per event
       • Digest
     • Real-time call/page/IM
     • System reconfiguration

  4. Event Logging
     System log
     • Start-up and shut-down of the system and of major processes
     • Opening/closing of important files and major resources
     Security log
     • Major access control requests, logins
     • Access control failures
     Application logs
     • Application-specific events

  5. Log Entry
     Append-only file
     • Prevents log entry modification or loss
     Log entry fields
     • Time and date of event
     • Event source (process/component)
     • User identity
     • Event type
     • Event details – depend on event type

  6. Event Logging Mechanisms
     Process detects an event it is configured to log
     • Creates log entry
     • Puts entry in buffer
     • Alerts logging process
     Logging process retrieves event from buffer
     • Classifies it as worthy of collection or not
     Logging process writes events to audit log
     • Log selection
     • May fire other responses also
     Sysadmins review audit log
     • Data mining
     • Direct study
     Archiving
     • Signature, compression
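The following is an added example, not part of the slides: it implements the log entry fields of slide 5 and the producer → buffer → logging process → append-only audit log pipeline of slide 6 in Python. The "signature" step under archiving is realised as an HMAC chain over the records, so that editing, deleting or truncating a record is detected on verification. All names (make_entry, AppendOnlyLog, LoggingProcess, LOG_KEY) and the sample events are constructed for this example.

```python
import hashlib
import hmac
import json
from collections import deque
from datetime import datetime, timezone

# Constructed key for the tamper-evidence chain. In a real deployment it would
# come from a key store or a separate log host, never from source code.
LOG_KEY = b"example-log-key-not-for-production"


def make_entry(source, user, event_type, details, when=None):
    """Build one log entry with the fields listed on slide 5."""
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "source": source,          # process/component that raised the event
        "user": user,              # identity the event is attributed to
        "event_type": event_type,
        "details": details,        # type-specific payload
    }


class AppendOnlyLog:
    """Append-only record list with an HMAC chain over the records.

    Each record's tag covers the previous tag and the record's own content,
    so editing, reordering, deleting or truncating records breaks
    verification. This stands in for the "signature" step under archiving.
    """

    ANCHOR = b"\x00" * 32

    def __init__(self, key):
        self.key = key
        self.records = []
        self.last_tag = self.ANCHOR

    @staticmethod
    def _canonical(entry):
        # Deterministic serialisation so the same entry always hashes the same.
        return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

    def append(self, entry):
        tag = hmac.new(self.key, self.last_tag + self._canonical(entry),
                       hashlib.sha256).digest()
        self.records.append({"entry": entry, "tag": tag.hex()})
        self.last_tag = tag

    def verify(self):
        """Recompute the chain; False if any record was altered or removed."""
        prev = self.ANCHOR
        for rec in self.records:
            expected = hmac.new(self.key, prev + self._canonical(rec["entry"]),
                                hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), rec["tag"]):
                return False
            prev = expected
        return prev == self.last_tag   # also catches a truncated tail


class LoggingProcess:
    """Buffer between event producers and the audit log, with log selection."""

    def __init__(self, log, keep_types):
        self.buffer = deque()
        self.log = log
        self.keep_types = set(keep_types)
        self.dropped = 0

    def report(self, entry):
        """Producer side: put the entry in the buffer (the call is the alert)."""
        self.buffer.append(entry)

    def drain(self):
        """Logger side: classify each buffered entry and write the kept ones."""
        while self.buffer:
            entry = self.buffer.popleft()
            if entry["event_type"] in self.keep_types:
                self.log.append(entry)
            else:
                self.dropped += 1


def demo():
    """Run the pipeline on constructed events; returns a summary tuple."""
    log = AppendOnlyLog(LOG_KEY)
    logger = LoggingProcess(log, keep_types={"login_fail", "file_open"})
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    logger.report(make_entry("sshd", "bob", "login_fail", {"src": "10.0.0.9"}, t0))
    logger.report(make_entry("httpd", "www", "request", {"path": "/"}, t0))
    logger.report(make_entry("backupd", "backup", "file_open", {"path": "/etc/passwd"}, t0))
    logger.drain()
    intact = log.verify()
    # Simulate someone rewriting the user on the first kept record.
    log.records[0]["entry"]["user"] = "alice"
    return len(log.records), logger.dropped, intact, log.verify()
```

demo() returns (2, 1, True, False): two entries kept, one dropped by log selection, the chain verifies before the edit and fails after it. The chain key must live somewhere the logged processes cannot read, otherwise an attacker who can edit the log can also re-sign it.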

  7. Access Control Strategies
     Islands
     • Isolation and mediation
     • Untrusted process given a “sandbox”
     Vaults
     • Access to wider (more dangerous) resources is requested individually, with system mediation on a case-by-case basis
     • Required for access to shared resources
     Puzzles
     • Process uses secret or hidden information to access desired resources – it must be impractical to find or guess it
     • Cryptography, steganography, security through obscurity
     Patterns
     • Access patterns compared with known bad patterns; blocked or audited on a match (virus signatures)
     • Normal access patterns noted and deviations detected (anomalies)
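The following is an added example, not part of the slides: it runs the three detection methods of slide 3 (pattern matching, statistical anomaly, self/non-self) over constructed log lines, classifies each hit by severity, and splits the response into per-event alerts and a digest as slide 3 describes. It also illustrates the "Patterns" strategy of slide 7, where known-bad patterns are matched and deviations from normal are flagged. The line format, the rules in SIGNATURES, the KNOWN_SOURCES set, the z-score threshold and every sample record are assumptions made for this example.

```python
import re
import statistics
from collections import Counter

# Constructed, syslog-like sample records (not real data): nine hosts fail one
# login each, one host fails thirty, then three events for the other rules.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d}Z sshd user=bob event=login_fail src=10.0.0.{i}"
     for i in range(9)]
    + [f"2024-01-01T10:01:{i:02d}Z sshd user=bob event=login_fail src=10.0.0.99"
       for i in range(30)]
    + [
        "2024-01-01T10:02:00Z sshd user=root event=login_ok src=10.0.0.7",
        "2024-01-01T10:02:10Z backupd user=backup event=file_open path=/etc/shadow",
        "2024-01-01T10:02:20Z unknownproc user=alice event=exec path=/tmp/x",
    ]
)

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")

# Pattern matching: known-bad signatures as field constraints, with a severity.
SIGNATURES = [
    ("root_remote_login", {"user": "root", "event": "login_ok"}, "high"),
    ("shadow_file_access", {"event": "file_open", "path": "/etc/shadow"}, "high"),
]

# Self/non-self: processes expected to emit events on this host (constructed).
KNOWN_SOURCES = {"sshd", "backupd"}


def parse(line):
    """Parse one 'time source k=v k=v ...' line into a dict of fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["time"] = m.group("time")
    fields["source"] = m.group("source")
    return fields


def signature_alerts(events):
    """Flag every event that matches all fields of a known-bad pattern."""
    alerts = []
    for ev in events:
        for name, pattern, severity in SIGNATURES:
            if all(ev.get(k) == v for k, v in pattern.items()):
                alerts.append((name, ev["source"], severity, ev["time"]))
    return alerts


def nonself_alerts(events):
    """Flag events whose source is not part of the known 'self'."""
    return [("unknown_source", ev["source"], "medium", ev["time"])
            for ev in events if ev["source"] not in KNOWN_SOURCES]


def anomaly_alerts(events, z_threshold=2.5):
    """Flag sources whose login-failure count is a statistical outlier."""
    fails = Counter(ev["src"] for ev in events
                    if ev.get("event") == "login_fail" and "src" in ev)
    if len(fails) < 3:
        return []                       # too few sources for a baseline
    mean = statistics.mean(fails.values())
    sd = statistics.pstdev(fails.values())
    if sd == 0:
        return []                       # every source behaves the same
    return [("login_fail_burst", src, "medium", f"z={(n - mean) / sd:.1f}")
            for src, n in fails.items() if (n - mean) / sd > z_threshold]


def respond(alerts):
    """Response stage: high severity goes out per event, the rest in a digest."""
    immediate = [a for a in alerts if a[2] == "high"]
    digest = [a for a in alerts if a[2] != "high"]
    return immediate, digest


def analyze(lines=SAMPLE_LOG):
    """Run all three detection methods over the lines; returns alert tuples."""
    events = [parse(line) for line in lines]
    return signature_alerts(events) + nonself_alerts(events) + anomaly_alerts(events)
```

analyze() yields four alerts: two high-severity signature hits (sent per event), one unknown-source event and one login-failure burst from 10.0.0.99 (both go to the digest). The anomaly rule deliberately refuses to fire when fewer than three sources are present or when all counts are equal, since a z-score is meaningless there.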

  8. External Requirements & Policy
     Treat external requirements as a separate input to policy
     • Allows compliance tracking
     Treat possible legal or contractual problems as risks
     • Acknowledges non-compliance as a risk
     Treat certifications as assets
     • More than marketing
