Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright Justin C. Klein Security Intelligence From What and Why to How.

Published byLoraine George Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright Justin C. Klein Security Intelligence From What and Why to How."— Presentation transcript:

1 Copyright Justin C. Klein Keane @madirish2600 Security Intelligence From What and Why to How

2 Copyright Justin C. Klein Keane @madirish2600 What is Security Intelligence? Business intelligence principles applied to security data Apply data to decision making More than just metrics – Soft data points included as well Security data abounds – Making useful decisions based on data is tough

3 Copyright Justin C. Klein Keane @madirish2600 Sample Sources of Data Host based intrusion detection alerts Darknet data (network traffic) Port scans Honeypots (attempted logins, attack toolkits, etc.) Vulnerability scans Public vulnerability alerts and disclosures System event logs Incident response reports Etc.

4 Copyright Justin C. Klein Keane @madirish2600 Why  Anecdotal evidence often guides security  “Best practice” is often indefensible  Change your password every 60 days - why???  Security isn't really engineering, or science  No hard and fast rules (or laws)  Analysis should guide decision making  Security intelligence gathers data points to support analysis

5 Copyright Justin C. Klein Keane @madirish2600 Security Intelligence vs. Vulnerability Remediation Traditional InfoSec relies on vulnerability scanning Ideally: – Find problems, fix them, find more, rinse, repeat In reality: – Scanner generates a report full of extraneous and incorrect details, no reliable severity or impact – report ignored – rinse, repeat

6 Copyright Justin C. Klein Keane @madirish2600 Why Vuln Centric Security Fails Vulnerability scanning is “dumb” Asset owners don't request scans Defaults to an enforcement approach Vulnerability reports are massive and provide little guidance Ultimately reports get filed in the trash bin

7 Copyright Justin C. Klein Keane @madirish2600 Security Intelligence Goals Add perspective and analysis to security recommendations Provide a good case for change requests Guide targeted campaigns to remediate vulnerabilities Show good ROI for efforts Maximize your limited staff resources Encourage compliance

8 Copyright Justin C. Klein Keane @madirish2600 Use Case #1 Vulnerability disclosed in a well known service Look for spikes in scanning for that service on darknet sensors Quickly identify all machines in the environment running that service Build a contact list and alert admins to patch Implement targeted vulnerability scanning to track remediation

9 Copyright Justin C. Klein Keane @madirish2600 Use Case #2 Attacker observed (malicious IP identified) Query all data sources for other evidence of activity from that IP Darknet probes, honeypot data, IDS logs, etc. Look for attack profile from data sources Alert admins of machines that fit the particular profile Identify vulnerable machines Potentially uncover compromises

10 Copyright Justin C. Klein Keane @madirish2600 Issues with Security Intelligence Problems of big data will crop up quickly Scale complicated development, deployment and debugging Much of the effort of SI will be spent on middleware Interesting data only emerges when all data is aggregated Getting access to other folks' data will be challenging Deliberate initial planning pays off – altering a table of 80 million rows is painful!

11 Copyright Justin C. Klein Keane @madirish2600 Specific Implementation - HECTOR HECTOR is our solution for security intelligence

12 Copyright Justin C. Klein Keane @madirish2600 Open Source HECTOR is based entirely on open source technologies Runs best on a LAMP stack Uses PHP, Perl, Python, MySQL, iptables, Kojoney, OSSEC, NMAP, and more... More info and download at: https://sites.sas.upenn.edu/kleinkeane/software/ hector

13 Copyright Justin C. Klein Keane @madirish2600 Principles Guiding Development SAS has no access to network data for NIDS Over 15,000 internet addressable IP's Asset management was a huge challenge Vulnerability disclosure mitigation was ad-hoc Multiple different security data sources (darknet, honeypots, HIDS logs, etc.) were scattered over different systems Needed a way to query data across sources and guide intelligent security decision making

14 Copyright Justin C. Klein Keane @madirish2600 Fundamentals No network span ports or taps required! HECTOR is designed to be an augmented asset management platform All data is tied to hosts Each host includes contact information for users as well as technical support HECTOR designed to allow supplementary data to be linked with hosts, from port scans to incident histories to vulnerability reports

15 Copyright Justin C. Klein Keane @madirish2600 How It Works (Basics) MySQL database aggregates data sources Web front end for querying and reporting Access control via CoSign (or fallback) Hosts are assigned to support groups, support groups assigned a contact e-mail address Nightly NMAP scans updates host profiles Vulnerability scan data added to the database HECTOR is extensible – add your own scans

16 Copyright Justin C. Klein Keane @madirish2600 Currently Supports Data Sources OSSEC host based intrusion detection logs Kojoney based SSH honeypots Iptables based darknet sensors NMAP port scans Vulnerability scans (Nikto, Nessus, etc.) Security news outlets (RSS feeds, vulnerability announcements, etc.)

17 Copyright Justin C. Klein Keane @madirish2600 Summary Screen

18 Copyright Justin C. Klein Keane @madirish2600 Intrusion Detection Summary

19 Copyright Justin C. Klein Keane @madirish2600 Alerts Summary

20 Copyright Justin C. Klein Keane @madirish2600 Host Summary

21 Copyright Justin C. Klein Keane @madirish2600 Search for Malicious IP

22 Copyright Justin C. Klein Keane @madirish2600 Sample Report

23 Copyright Justin C. Klein Keane @madirish2600 Scan Schedule

24 Copyright Justin C. Klein Keane @madirish2600 Asset Management

25 Copyright Justin C. Klein Keane @madirish2600 System Configuration

26 Copyright Justin C. Klein Keane @madirish2600 Lessons Learned Internal software development takes a really long time Logistical considerations are always the most difficult challenge As soon as software enters a useful beta it tends to migrate rapidly to essential service Bug fixes tend to weight towards feature use Simple NMAP scans are never simple Remediation tracking is as difficult as vulnerability identification Querying large data sets takes careful planning

27 Copyright Justin C. Klein Keane @madirish2600 Thank You jukeane@sas.upenn.edu @madirish2600 http://www.MadIrish.net

28 Copyright Justin C. Klein Keane @madirish2600 Links to Resources HECTOR download - https://sites.sas.upenn.edu/kleinkeane/software/ hector https://sites.sas.upenn.edu/kleinkeane/software/ hector NMAP - http://nmap.org/http://nmap.org/ OSSEC - http://www.ossec.net/http://www.ossec.net/ Kojoney - http://kojoney.sourceforge.net/http://kojoney.sourceforge.net/ Kippo - https://code.google.com/p/kippo/https://code.google.com/p/kippo/ Rsyslog - http://www.rsyslog.com/http://www.rsyslog.com/

Download ppt "Copyright Justin C. Klein Security Intelligence From What and Why to How."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.

Protecting Cyber-TA Contributors: Risks and Challenges Vitaly Shmatikov The University of Texas at Austin.
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.

Presentation by: Peter Thomas Blue Lance, Inc Using SIEM Solutions Effectively to meet Security, Audit, and Compliance Requirements.
1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,

1 SANS Technology Institute - Candidate for Master of Science Degree 1 SIEM Based Intrusion Detection Jim Beechey March 2010 GSEC Gold, GCIA Gold, GCIH,
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Wireless and Switch Security NETS David Mitchell.

Wireless and Switch Security NETS David Mitchell.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.

Copyright 2010 Justin C. Klein Keane Using Kojoney Open Source Low Interaction Honeypot to Develop Defensive Strategies and Fingerprint Post-Compromise.
Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.

Assessing Vulnerabilities ISA 4220 Server Systems Security James A. Edge Jr., CISSP, CISM, CISA, CPTE, MCSE Sr. Security Analyst Cincinnati Bell Technology.
Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.

Deploying Tools for Cleaning Personal Information University of Pennsylvania School of Arts and Sciences Justin C. Klein Keane Sr. Information Security.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.

SELECTING AND IMPLEMENTING VULNERABILITY SCANNER FOR FUN AND PROFIT by Tim Jett and Mike Townes.
Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Secure Network Design: Designing a Secure Local Area Network IT352 | Network Security |Najwa AlGhamdi1 Case Study

Similar presentations

Ads by Google