
Network Monitoring & Troubleshooting plus Log Analysis


Presentation Transcript


  1. Network Monitoring & Troubleshooting plus Log Analysis Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com www.EvidenceSolutions.com

  2. 10 Signs you aren’t cut out for IT • 10 signs that you aren't cut out for IT • 1: You lack patience

  3. U of Nebraska Incident An undergrad is suspected in the Univ. of Nebraska breach, in which more than 650K personal records were compromised. The intrusion was into a university database containing personal information on more than 650,000 students, parents and employees.

  4. U of Nebraska Incident The intrusion, which was described by university officials as a "skilled attack," exposed the Social Security Numbers (SSNs), names, addresses, course grades, financial aid and other information on students who attended the university since 1985.

  5. U of Nebraska Incident The breach also exposed personal data and financial information for parents of students who applied for financial aid at UNL, according to the university. A staff member in UNL's Computing Services Network discovered the breach in the Nebraska Student Information System (NeSIS) on May 23.

  6. U of Nebraska Incident An undergrad is suspected in the Univ. of Nebraska breach, in which more than 650K personal records were compromised. The intrusion was into a university database containing personal information on more than 650,000 students, parents and employees.

  7. U of Nebraska Incident The system manages student admissions, campus housing and course registration. It was built over a three-year period at a cost of $29.9 million, has been operational for the past two years and is based on Oracle's PeopleSoft Enterprise Campus Solution platform.

  8. U of Nebraska Incident An FAQ on the incident posted by the university makes it clear that personal data in the breached server was not encrypted. "However, we are confident that the type of attack we experienced would have bypassed any encryption that was in place," the university said.

  9. U of Nebraska Incident The vulnerability that enabled the intrusion has since been closed and the university is currently working with a third-party firm to review and address remaining vulnerabilities.

  10. 20 Critical Security Controls 1) Inventory of Authorized & Unauthorized Devices 2) Inventory of Authorized & Unauthorized Software 3) Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers

  11. 20 Critical Security Controls 4) Continuous Vulnerability Assessment & Remediation 5) Malware Defenses

  12. 20 Critical Security Controls • 6) Application Software Security • Code Reviews • Proper Logging • Abnormal operation reporting

  13. 20 Critical Security Controls 7) Wireless Device Control 8) Data Recovery Capability 9) Security Skills Assessment and Appropriate Training to Fill Gaps 10) Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

  14. 20 Critical Security Controls • 11) Limitation and Control of Network Ports, Protocols, and Services • Including custom applications • Development departments need to communicate with network departments

  15. 20 Critical Security Controls • 12) Controlled Use of Administrative Privileges • 13) Boundary Defense • See 10 • Include penetration testing • Include review of firewall rules • Remote Users • Mobile Devices

  16. 20 Critical Security Controls 14) Maintenance, Monitoring, & Analysis of Security Audit Logs 15) Controlled Access Based on the Need to Know

  17. 20 Critical Security Controls • 16) Account Monitoring and Control • What do users have rights to • Why? • What do processes have rights to • Why?

  18. 20 Critical Security Controls • 17) Data Loss Prevention • 18) Incident Response Capability • Who responds • Test those responses • Who gets notified • HR • Legal

  19. 20 Critical Security Controls 19) Secure Network Engineering aka “Develop a Secure Infrastructure” 20) Penetration testing

  20. #14 • Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include: • Date • Timestamp • Source addresses • Destination addresses • Any other useful information

  21. #14 • Normalize Logs • Syslog • Common Event Expression initiative • Use normalization tools to convert logs

  22. #14 • Reports • Security personnel and/or system administrators should run weekly reports that identify anomalies in logs. • They should then actively review the anomalies, documenting their findings. • A log for the log events

  23. #14 • Time Sync • Use at least two synchronized time sources • All servers and network equipment should be in sync. • Test • Validate that they are actually synchronized

  24. Federal Security Standards • NIST Special Publication (SP) 800-37 • Categorize • The information system and the information processed, stored, and transmitted by that system based on an impact analysis

  25. Federal Security Standards • NIST Special Publication (SP) 800-37 • Baseline • Select an initial set of baseline security controls for the information system based on the security categorization; tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

  26. Federal Security Standards • NIST Special Publication (SP) 800-37 • Implement • The security controls and describe how the controls are employed within the information system and its environment of operation.

  27. Federal Security Standards • NIST Special Publication (SP) 800-37 • Assess • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

  28. Federal Security Standards • NIST Special Publication (SP) 800-37 • Authorize • Information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

  29. Federal Security Standards • NIST Special Publication (SP) 800-37 • Monitor • The security controls in the information system on an ongoing basis including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials.

  30. Federal Security Standards • NIST Special Publication (SP) 800-37 • The final step in the cycle, Monitor, is of particular importance because it evaluates the effectiveness of a security control. But what if you only performed this evaluation periodically—for example, to satisfy a quarterly or annual audit for a regulation or other compliance related demand? Unfortunately, it could be months or even a year before you’d realize that the security control was not functioning as intended.

  31. Federal Security Standards • NIST Special Publication (SP) 800-37 • Assess • Assess the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

  32. Some Things to Monitor • Patch management • Network management tools • Security tools such as: • Change management • Configuration management • Log monitoring • Vulnerability scanning solutions

  33. 10 Signs you aren’t cut out for IT • 10 signs that you aren't cut out for IT • 1: You lack patience • 2: You have no desire to continue your education

  34. Logs? • Syslog is the predominant standard for computer system logging • Microsoft, in its infinite wisdom, chose its own, called “Windows Event Log”. • There are several converters to convert the Windows Event Log to the Syslog standard.

  35. Log Log Log • Many incidents can be readily revealed with a bit of logging and analysis of those logs.

  36. Logs • Solutions • Almost everything that has a log should have the log turned on. • Logs should include: • Date/time • Source IP • Destination IP • Port • etc.

  37. Logs • Solutions • Use standard SYSLOG entries or use software that converts logs to a common log format. • Store logs for a while – space & DVDs are cheap • Create systems & procedures for analyzing logs. • These systems should have ‘normal’ items and ‘abnormal’ items

  38. Logs • Solutions • All remote access logging: • Should be detailed • Should be rigorously analyzed • All security alerts should be logged: • Workstations • Servers • Devices

  39. Logs • Solutions • Use unified time • This allows logs to be matched up across many devices and / or networks. • Border devices • Should log verbosely • Should log all traffic • Blocked • Allowed

  40. Logs • Solutions • Logs should be secured • Logs should be exported & saved on write-once devices, or • Logs should be written to dedicated logging servers • The dedicated logging servers should use separate security credentials

  41. Logs • Solutions • Test the logs and review after: • Normal / acceptable traffic • Push the system • Attempt to penetrate the network. • Inside • Outside • Compare and correlate the data on all of the logs for validity.

  42. Logs • Solutions • Review • Logs every day • Use automated tools to analyze large amounts of data. • Test • Attack a system • Test the response time: • Discovery • Action taken against the attack
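The normalization, required-field validation and time-sync check that slides 20-23 and 36-42 call for, as an added Python example that is not part of the presentation. It assumes a constructed layout in which the collector prefixes each raw syslog line with its own receive time; the year, the field names and the 30-second skew threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

YEAR = 2023  # BSD syslog timestamps carry no year; assumed for the sample data
MAX_SKEW = timedelta(seconds=30)  # tolerated device-vs-collector clock offset
REQUIRED = ("ts", "src", "dst", "port")  # fields the slides say every log needs

# Constructed sample: "<collector receive time> <raw syslog line>" per line.
# Lines 1-3 are netfilter-style firewall logs; line 4 is a Windows logon
# failure (event 4625) forwarded by a Windows->syslog agent (hypothetical layout).
SAMPLE_LOGS = [
    "2023-10-11T22:14:15 <134>Oct 11 22:14:15 fw01 kernel: DROP SRC=10.0.0.5 DST=192.0.2.10 DPT=445",
    "2023-10-11T22:14:16 <134>Oct 11 22:14:16 fw01 kernel: ACCEPT SRC=10.0.0.7 DST=192.0.2.20 DPT=443",
    "2023-10-11T22:14:17 <134>Oct 11 22:14:17 fw01 kernel: DROP SRC=10.0.0.5 DST=192.0.2.10",
    "2023-10-11T22:19:40 <110>Oct 11 22:27:40 win-srv MSWinEventLog 4625 src=203.0.113.9 dst=192.0.2.20 port=3389",
]

LINE_RE = re.compile(r"^(?P<recv>\S+) <\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"\b(SRC|DST|DPT|src|dst|port)=(\S+)")
KEYMAP = {"SRC": "src", "DST": "dst", "DPT": "port",
          "src": "src", "dst": "dst", "port": "port"}

def normalize(line):
    """Map one raw line onto a common record: host, ts, recv, src, dst, port."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"host": m["host"], "msg": m["msg"],
           "recv": datetime.fromisoformat(m["recv"]),
           "ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")}
    for key, val in KV_RE.findall(m["msg"]):
        rec[KEYMAP[key]] = val
    return rec

def review(lines):
    """Findings for the weekly report: unparsed lines, missing fields, clock skew."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = normalize(line)
        if rec is None:
            findings.append((n, "unparsed"))
            continue
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            findings.append((n, "missing " + ",".join(missing)))
        if abs(rec["ts"] - rec["recv"]) > MAX_SKEW:
            findings.append((n, f"clock skew on {rec['host']}"))
    return findings
```

Run against the sample, `review` reports line 3 for a missing destination port and line 4 for an eight-minute clock offset on the Windows host, the kind of drift that breaks cross-device correlation.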

  43. Log Review Tools • Windows -> Syslog conversion • Snare agent (intersectalliance.com/projects/index.html) and ProjectLasso remote collector (sourceforge.net/projects/lassolog) are used to convert Windows Event Logs into syslog, a key component of any log management infrastructure today (at least until Vista/W7 log aggregation tools become mainstream).

  44. 10 Signs you aren’t cut out for IT • 10 signs that you aren't cut out for IT • 1: You lack patience • 2: You have no desire to continue your education • 3: You refuse to work outside 9-to-5

  45. Database Activity Management • Database Activity Monitoring • (DAM) is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) • It does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. • DAM is typically performed continuously and in real-time.

  46. Database Activity Management • Add prevention and you get (DAMP) • This extension to DAM goes beyond monitoring and alerting to also block unauthorized activities. • DAM helps organizations address compliance: • HIPAA • PCI DSS • Sarbanes-Oxley (SOX) • NIST 800-53

  47. Database Activity Management • Features include: • Event aggregation • Correlation • Reporting • Auditing • Does not require access to native database audit functions

  48. Database Activity Management • Privileged User Monitoring: • Monitoring privileged users: • DBAs • Sysadmins • Developers • who typically have unfettered access to corporate databases • Protects against external and internal threats

  49. Database Activity Management • Monitors all activities and transactions • Identifies anomalous activities • Viewing sensitive data • Creating new accounts • (with superuser privileges?) • Adding or Deleting tables
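An added Python example, not from the presentation, of the rule-based classification a DAM sensor (slides 45-49) performs over statements it captures independently of the DBMS's own audit logs: reads of sensitive tables, account creation with superuser privileges, table changes, and privileged-user context. The table names, user list and captured statements are constructed.

```python
import re

# Assumed configuration a DAM sensor would be given (not from the slides).
SENSITIVE_TABLES = {"students", "financial_aid", "parents"}
PRIVILEGED_USERS = {"dba_jane", "sysadmin_bob", "dev_sam"}  # DBAs, sysadmins, devs

# Constructed sample of statements captured off the wire by the monitor, i.e.
# not taken from the DBMS's native audit or transaction logs: (user, client_ip, sql).
CAPTURED = [
    ("app_svc", "10.1.0.20", "SELECT name FROM courses WHERE term = 'F23'"),
    ("dev_sam", "10.1.0.77", "SELECT ssn, name FROM students WHERE id = 42"),
    ("dba_jane", "10.1.0.5", "CREATE USER new_admin WITH SUPERUSER PASSWORD 'x'"),
    ("dba_jane", "10.1.0.5", "DROP TABLE audit_trail"),
    ("app_svc", "10.1.0.20", "INSERT INTO registrations VALUES (42, 'CS101')"),
]

RULES = [
    ("sensitive_read", re.compile(r"^\s*SELECT\b.*?\bFROM\s+(\w+)", re.I | re.S)),
    ("account_create", re.compile(r"^\s*CREATE\s+(USER|ROLE)\b", re.I)),
    ("schema_change", re.compile(r"^\s*(CREATE|DROP|ALTER)\s+TABLE\b", re.I)),
]

def classify(user, sql):
    """Return anomaly tags for one statement; [] means it looks routine."""
    tags = []
    for name, rx in RULES:
        m = rx.search(sql)
        if not m:
            continue
        if name == "sensitive_read":
            if m.group(1).lower() in SENSITIVE_TABLES:
                tags.append(name)
            continue
        tags.append(name)
        if name == "account_create" and re.search(r"\bSUPERUSER\b", sql, re.I):
            tags.append("superuser_grant")
    # Privileged-user monitoring: the same action by a DBA/sysadmin/dev is tagged too.
    if tags and user in PRIVILEGED_USERS:
        tags.append("privileged_user")
    return tags

def monitor(events):
    """Run every captured statement through the rules; keep only the hits."""
    alerts = []
    for user, ip, sql in events:
        tags = classify(user, sql)
        if tags:
            alerts.append((user, ip, tags))
    return alerts
```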
