Guide to Network Defense and Countermeasures

Guide to Network Defense and Countermeasures Chapter 11

Chapter 11 - Strengthening Defense through Ongoing Management
- Strengthen control by managing security events
- Heighten analysis by auditing network security procedures
- Strengthen detection by managing your intrusion detection system

Chapter 11 - Strengthening Defense through Ongoing Management (cont.)
- Enhance a defense by changing your Defense in Depth configuration
- Strengthen network performance by keeping pace with changing needs
- Heighten your own knowledge base by keeping on top of industry trends

Strengthening Control: Security Event Management
- A security event management program gathers and consolidates events from multiple sources for analysis and security improvement
- Network protection must be conducted on an ongoing basis to keep up with new vulnerabilities and to strengthen defenses
- One way to improve defenses is ongoing event monitoring: reviewing the alert and event logs produced by security devices and operating systems, and periodically testing the network to identify weak points

Strengthening Control: Security Event Management
Security event management program (cont.):
- The goal of event monitoring is to strengthen defenses by gathering information, changing procedures, and improving the network
- Monitor the following events: logins; account creation; handling of e-mail attachments; backup and other maintenance utilities; anti-virus scanning and control; procedures for granting remote access
- Develop a team approach to security, make use of automated responses, coordinate data from multiple sources, and stay aware of new network threats

Strengthening Control: Security Event Management
- Managing data from multiple sensors requires database software that sorts through the events and provides systematic views of the data
- Sensor data management options: Centralized data collection consolidates data from different locations so that it flows to one central security location; benefits: lower cost and less administration because there are fewer systems to maintain, and greater efficiency; drawback: the data must be transmitted securely from the collection points to the central management console (for example, syslog over TLS rather than plain UDP syslog), or an attacker who can reach the path can read or forge the events the console relies on

Strengthening Control: Security Event Management
Sensor data management options (cont.):
- Distributed data collection sends data from security devices such as firewalls and IDSs to a management console on the device's own local network; the security managers in each network must review the data separately, analyze it, and respond as needed
- A distributed setup requires the organization to maintain separate security managers as well as separate management console software; this arrangement saves bandwidth, but the offices still have to communicate with each other about security incidents

Strengthening Control: Security Event Management
- Evaluating IDS signatures provides evidence of whether the signatures are working well enough or whether they need updating
- A variety of IDS vendors are available, each with its own set of signatures for suspicious events
- Neohapsis has proposed the Open Security Evaluation Criteria (OSEC) for reviewing signatures, which includes a core set of tests: device integrity checking; signature baseline; state test; discard test; engine flex; evasion list; in-line/tap test
- Check vendor Web sites often for new signatures

Strengthening Control: Security Event Management
- Managing change should be done in a systematic way so as to minimize impact
- Change management is the modification of equipment, systems, software, or procedures in a sequential and preplanned way; the process should include an assessment of the impact of each change before it is made
- Apply change management at a minimum to: significant changes to firewall or IDS rules; new VPN gateways; changes to access control lists; new password systems or procedures
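The impact assessment that the change-management bullet calls for can be automated for the most common case, a firewall rule change. The following is an added example, not code from the textbook: it diffs a proposed rule set against the deployed one and flags the changes that should not be pushed without sign-off. The rule format ("action proto src dst dport"), the sample rule sets, and the exposure weights in risk_of are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # allow | deny
    proto: str   # tcp | udp | any
    src: str     # CIDR or any
    dst: str     # CIDR or any
    dport: str   # port number or any


def parse_rules(text):
    """Parse the constructed 'action proto src dst dport' format; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rules.append(Rule(*line.split()))
    return rules


def _hosts(cidr):
    return 2 ** 32 if cidr == "any" else ip_network(cidr, strict=False).num_addresses


def risk_of(rule):
    """Exposure score for an allow rule (deny rules score 0). The weights are an assumption."""
    if rule.action != "allow":
        return 0
    score = 0
    score += 3 if rule.src == "any" else 0        # reachable from any source address
    score += 2 if rule.dport == "any" else 0      # every port on the target
    score += 1 if rule.proto == "any" else 0
    score += 1 if _hosts(rule.dst) > 256 else 0   # more than a /24 of targets
    return score


def assess_change(current_text, proposed_text, approval_threshold=3):
    """Impact assessment for a change request: what is added, what is removed,
    and which of those changes need management approval before deployment."""
    current, proposed = set(parse_rules(current_text)), set(parse_rules(proposed_text))
    added, removed = proposed - current, current - proposed
    findings = []
    for r in sorted(added, key=lambda r: (-risk_of(r), str(r))):
        if risk_of(r) >= approval_threshold:
            findings.append(f"new allow rule widens exposure (score {risk_of(r)}): {r}")
    for r in sorted(removed, key=str):
        if r.action == "deny":
            findings.append(f"deny rule removed: {r}")
    return {"added": added, "removed": removed, "findings": findings,
            "needs_approval": bool(findings)}


# Constructed sample rule sets (RFC 1918 addresses; not from any real deployment).
CURRENT_RULES = """
allow tcp any          10.0.0.0/24 443   # public web tier
allow tcp 10.0.1.0/24  10.0.0.5/32  22   # admin subnet to bastion
deny  any any          any          any  # default deny
"""
PROPOSED_RULES = """
allow tcp any 10.0.0.0/24 443
allow tcp any 10.0.0.5/32  22      # SSH opened to the world
allow udp any 10.0.0.0/8   any     # new, very broad
"""  # the default-deny line has been dropped

if __name__ == "__main__":
    report = assess_change(CURRENT_RULES, PROPOSED_RULES)
    for finding in report["findings"]:
        print("NEEDS APPROVAL:", finding)
```

Running it against the sample change produces three findings (the widened SSH rule, the new any-port UDP rule, and the dropped default deny), so the request is routed for approval rather than applied; an unchanged rule set produces none.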

Strengthening Analysis: Security Auditing
- Security auditing is the process of testing the effectiveness of a network defense system
- Auditing can be performed by actively testing the network defenses (attempting break-ins), by recording and analyzing events such as logins, logouts, and file access, and by examining the organization's security procedures
- For the analysis, bring together data from many disparate sources: packet filters; application logs; router logs; firewall logs; event monitors; HIDS and NIDS

Strengthening Analysis: Security Auditing
Security auditing (cont.):
- One way to consolidate data from disparate sources is to transfer, or push, the information to a central database; store at least the: time; date; application; OS; user; process ID; and log entry
- With multiple security components in place, log data accumulates fast enough that it must be managed before it consumes the available storage space; choose a retention period for detailed IDS log data (ninety days is common), then archive it to long-term storage
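The centralized collection the event-management slides describe and the consolidated database this slide describes are the same mechanism. The following is an added example, not code from the textbook: three constructed log formats (an OS authentication log, a firewall log, and a Snort-style "fast" IDS alert) are normalized into one schema carrying the fields listed above, loaded into SQLite, and then queried across sources, which is the view no single log can give. The log formats, sample lines, addresses (from the 203.0.113.0/24 documentation range) and the 2024 year assumed for the IDS alerts are all constructed.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample entries from three sources.
LINUX_AUTH = """\
2024-03-01T09:12:01 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2024-03-01T09:12:04 host1 sshd[2211]: Failed password for root from 203.0.113.9 port 51030 ssh2
2024-03-01T09:15:40 host1 useradd[2300]: new user: name=svc_backup, UID=1010
"""
FIREWALL_LOG = """\
2024-03-01 09:12:00 DROP TCP 203.0.113.9:51020 -> 10.0.0.5:22
2024-03-01 09:12:03 ACCEPT TCP 203.0.113.9:51030 -> 10.0.0.5:22
"""
IDS_ALERTS = """\
03/01-09:12:05.000000 [**] [1:1000001:1] CONSTRUCTED SSH brute force [**] 203.0.113.9 -> 10.0.0.5
"""

AUTH_RE = re.compile(r"^(\S+)T(\S+) \S+ (\w+)\[(\d+)\]: (.*)$")
FW_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> \S+$")
IDS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[(\S+)\] (.*?) \[\*\*\] (\S+) -> \S+$")
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")
USER_RE = re.compile(r"(?:for (?:invalid user )?|name=)(\w+)")


def parse_linux_auth(text):
    """Normalize auth-log lines; user and source IP are pulled out of the message text."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        date, time, app, pid, msg = m.groups()
        user, ip = USER_RE.search(msg), IP_RE.search(msg)
        yield dict(date=date, time=time, application=app, os="linux",
                   user=user.group(1) if user else None, pid=int(pid),
                   src_ip=ip.group(1) if ip else None, source="auth", entry=line)


def parse_firewall(text):
    """Appliance logs carry no OS, user or PID; those fields stay NULL."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            date, time, action, ip = m.groups()
            yield dict(date=date, time=time, application="firewall:" + action, os=None,
                       user=None, pid=None, src_ip=ip, source="firewall", entry=line)


def parse_ids(text, year=2024):
    """Snort 'fast' alerts carry no year; the collector supplies it (assumed here)."""
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            mon, day, time, sig, msg, ip = m.groups()
            yield dict(date=f"{year}-{mon}-{day}", time=time, application="ids:" + sig, os=None,
                       user=None, pid=None, src_ip=ip, source="ids", entry=line)


def build_store(events):
    """Central store holding time, date, application, OS, user, process ID and the raw entry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(date TEXT, time TEXT, application TEXT, os TEXT, "
                 "user TEXT, pid INTEGER, src_ip TEXT, source TEXT, entry TEXT)")
    conn.executemany("INSERT INTO events VALUES(:date, :time, :application, :os, :user, "
                     ":pid, :src_ip, :source, :entry)", list(events))
    return conn


def load_all():
    return build_store([*parse_linux_auth(LINUX_AUTH), *parse_firewall(FIREWALL_LOG),
                        *parse_ids(IDS_ALERTS)])


def correlate_by_source_ip(conn, min_sources=2):
    """Addresses seen by at least min_sources different sensors, busiest first."""
    rows = conn.execute(
        "SELECT src_ip, COUNT(DISTINCT source), COUNT(*) FROM events WHERE src_ip IS NOT NULL "
        "GROUP BY src_ip HAVING COUNT(DISTINCT source) >= ? ORDER BY 3 DESC", (min_sources,))
    return [{"src_ip": ip, "sources": n, "events": c} for ip, n, c in rows]


def new_accounts(conn):
    """Account-creation events, one of the event types the deck says to monitor."""
    return [r[0] for r in conn.execute("SELECT user FROM events WHERE application = 'useradd'")]


def select_for_archive(conn, today, retain_days=90):
    """Number of events older than the retention window (90 days in the deck) that should be archived."""
    cutoff = (today - timedelta(days=retain_days)).strftime("%Y-%m-%d")
    return conn.execute("SELECT COUNT(*) FROM events WHERE date < ?", (cutoff,)).fetchone()[0]


if __name__ == "__main__":
    db = load_all()
    print(correlate_by_source_ip(db))
    print(new_accounts(db))
    print(select_for_archive(db, datetime(2024, 6, 15)))
```

With the sample data the correlation query reports one address seen by all three sensors (five events), which the firewall log alone would show only as a DROP followed by an ACCEPT; the account query surfaces the svc_backup creation; and the retention query returns all six rows once the 90-day window has passed.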

Strengthening Analysis: Security Auditing
Security auditing (cont.):
- Operational auditing involves in-house staff examining system logs to see whether the needed information is being audited; staff should look for: accounts with weak or no passwords; accounts still assigned to departed employees; and new accounts
- Independent auditing involves hiring an outside firm to inspect the audit logs and check the effectiveness of data collection; such an audit might also examine: where security equipment is physically located; how well it is protected from unauthorized users; and how thoroughly data is erased when equipment is disposed of

Strengthening Detection: Managing the IDS
- Manage the IDS so that it keeps running smoothly and efficiently
- Maintaining the current system is one way to make it stronger; do this by:
- Backing up firewall and IDS configurations and rule sets in case of disaster; also keep backups of routers, bastion hosts, servers, and special-purpose devices
- Managing accounts: review them every few months, make sure no accounts have been added by an attacker, disable the accounts of departed employees, and ensure that passwords are strong
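The operational-audit checklist on the previous slide and the account review on this one are the same periodic check. The following is an added example, not code from the textbook: it reads constructed /etc/passwd and /etc/shadow extracts, compares them with a constructed HR roster, and reports empty or weak password hashes, accounts that are not on the roster (departed staff, or an account nobody approved), a second UID 0 account, and accounts changed since the previous review. The hash strings are placeholders, the roster and the last-review date are assumptions, and the set of hash prefixes treated as weak is the example's own choice.

```python
# Constructed /etc/passwd and /etc/shadow extracts; the hashes are placeholders, not real digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
legacy:x:1003:1003::/home/legacy:/bin/sh
toor:x:0:0::/root:/bin/bash
svc_backup:x:1010:1010::/var/backup:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructed$rootplaceholderhash:19700:0:99999:7:::
alice:$6$constructed$aliceplaceholderhash:19750:0:99999:7:::
bob:!$6$constructed$bobplaceholderhash:19600:0:99999:7:::
legacy:$1$constructed$md5placeholder:17000:0:99999:7:::
toor:$6$constructed$toorplaceholderhash:19790:0:99999:7:::
svc_backup::19795:0:99999:7:::
"""
# Constructed HR export: current staff plus approved service accounts.
ACTIVE_ROSTER = {"alice", "svc_backup"}
SYSTEM_ACCOUNTS = {"root"}
# Shadow dates are days since 1970-01-01; this is the date of the previous review (assumed).
LAST_REVIEW_DAY = 19780


def parse_passwd(text):
    out = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        out[name] = {"uid": int(uid), "shell": shell}
    return out


def parse_shadow(text):
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        out[f[0]] = {"hash": f[1], "lastchg": int(f[2]) if f[2] else 0}
    return out


def hash_problem(h):
    """Classify a shadow hash field; returns None when nothing is wrong with it."""
    if h == "":
        return "no password set"
    if h.startswith(("!", "*")):
        return None  # locked: no password login possible
    if h.startswith("$1$"):
        return "weak hash algorithm (md5crypt)"
    if not h.startswith("$"):
        return "weak hash algorithm (traditional DES crypt)"
    return None


def audit_accounts(passwd, shadow, roster, last_review_day):
    """Operational audit from the chapter: weak or empty passwords, accounts that
    belong to departed staff or to nobody, extra UID 0 accounts, and accounts
    that appeared or changed since the last review."""
    findings = {}

    def flag(name, why):
        findings.setdefault(name, []).append(why)

    for name, info in passwd.items():
        sh = shadow.get(name, {"hash": "", "lastchg": 0})
        problem = hash_problem(sh["hash"])
        if problem:
            flag(name, problem)
        if info["uid"] == 0 and name != "root":
            flag(name, "UID 0 account other than root (possible backdoor)")
        if name not in roster and name not in SYSTEM_ACCOUNTS:
            locked = sh["hash"].startswith(("!", "*"))
            flag(name, "not on the active roster" + (" (already locked)" if locked else " (disable it)"))
        if sh["lastchg"] > last_review_day:
            flag(name, "password set or account created after the last review")
    return findings


if __name__ == "__main__":
    report = audit_accounts(parse_passwd(PASSWD), parse_shadow(SHADOW), ACTIVE_ROSTER, LAST_REVIEW_DAY)
    for account, reasons in report.items():
        print(account, reasons)
```

On the sample data root and alice come back clean; bob is already locked but still present; legacy has an md5crypt hash and no owner; toor is a second UID 0 account that appeared after the last review; and svc_backup, although approved, has an empty password field. A weak-password check by guessing against the hashes (a wordlist run) is a separate step this example does not perform.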

Strengthening Detection: Managing the IDS
Maintaining the current system (cont.):
- Managing the IDS rules: reduce their number and eliminate rules that do not apply to your environment; fewer rules mean less load and fewer false positives, but a rule that has not fired recently is not automatically unnecessary, so judge each one against the systems and services you actually run
- Managing users: run an awareness program so that employees, contractors and partners all understand the company's security policy; use lectures and booklets to help disseminate the material
- Changing or adding software and/or hardware are other ways to strengthen the IDS
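Pruning the rule set (this slide) and checking that the signatures in use are current (the signature-evaluation slide earlier) both start from an inventory of what each rule targets and how often it fires. The following is an added example, not code from the textbook: it parses a constructed Snort-style rule file, joins it with constructed alert counts for the review window and a constructed inventory of the ports actually served, and sorts the rules into ones to disable (they watch a service that does not exist here), ones to tune (they fire far faster than anyone can review), ones in conflict (the same sid loaded twice at different revisions, which happens when an old rule file is left behind after an update), and ones to keep. The rules, sids, counts, port inventory and the noise threshold are all assumptions.

```python
import re

# Constructed Snort-style rules; sids are in the local 1000000+ range, messages marked CONSTRUCTED.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED SSH brute force"; flow:to_server; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"CONSTRUCTED RDP probe"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"CONSTRUCTED generic HTTP GET"; content:"GET"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 161 (msg:"CONSTRUCTED SNMP public community"; content:"public"; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"CONSTRUCTED TLS probe"; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED old copy of 1000001"; sid:1000001; rev:1;)
"""
# Constructed alert counts per sid over the review window (e.g. tallied from the IDS alert log).
ALERT_COUNTS = {1000001: 40, 1000003: 250000, 1000005: 12}
# Constructed inventory of ports actually served on $HOME_NET.
LISTENING_PORTS = {22, 80, 443}

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rules(text):
    """Parse header and options of each rule. Options are split on ';', so this
    simplified parser assumes no ';' inside quoted msg/content values."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        action, proto, _src, _sport, _direction, _dst, dport, opts = m.groups()
        options = {}
        for opt in opts.split(";"):
            if ":" in opt:
                key, value = opt.strip().split(":", 1)
                options[key] = value.strip().strip('"')
        rules.append({"action": action, "proto": proto,
                      "dport": None if dport == "any" else int(dport),
                      "sid": int(options["sid"]), "rev": int(options.get("rev", 1)),
                      "msg": options.get("msg", "")})
    return rules


def review_rules(rules_text, alert_counts, listening_ports, days, noisy_per_day=500):
    """Sort rules into conflict / disable / tune / keep lists of sids."""
    rules = parse_rules(rules_text)
    verdict = {"conflict": [], "disable": [], "tune": [], "keep": []}
    revs_by_sid = {}
    for r in rules:
        revs_by_sid.setdefault(r["sid"], []).append(r["rev"])
    verdict["conflict"] = [sid for sid, revs in revs_by_sid.items() if len(revs) > 1]
    for r in rules:
        sid = r["sid"]
        if sid in verdict["conflict"]:
            continue  # resolve the duplicate first; keeping the highest rev is the usual answer
        per_day = alert_counts.get(sid, 0) / days
        if r["dport"] is not None and r["dport"] not in listening_ports:
            verdict["disable"].append(sid)  # watches a service that is not offered here
        elif per_day > noisy_per_day:
            verdict["tune"].append(sid)     # needs a tighter signature or a threshold
        else:
            verdict["keep"].append(sid)
    return verdict


if __name__ == "__main__":
    for category, sids in review_rules(RULES, ALERT_COUNTS, LISTENING_PORTS, days=90).items():
        print(category, sids)
```

With the sample data the RDP and SNMP rules are disable candidates because nothing listens on 3389 or 161, the generic HTTP GET rule averages well over two thousand alerts a day and needs tuning, sid 1000001 is flagged because two revisions are loaded, and the TLS probe rule is kept. The "disable" list is a candidate list for the change-management process, not an automatic action.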

Strengthening Defense: Improving Defense in Depth
- Defense in Depth calls for security through a variety of defensive techniques that work together to block different attacks
- Defense in Depth as it applies to network services calls for maintaining: availability; integrity; authentication; confidentiality; non-repudiation
- Active Defense in Depth is a particularly strong implementation of Defense in Depth: security personnel expect that attacks will occur and try to anticipate them, which calls for multiple levels of protection

Strengthening Defense: Improving Defense in Depth
- To improve security, add security layers
- Additional layers include firewalls, encryption, virus protection, authentication, intrusion detection, access control, SSL and IPSec, and auditing
- In addition, defensive zones are created to protect end users and the communications between zones
- Breaking communication needs into separate systems and relying on multiple security methods allows an organization to achieve effective external security

Strengthening Performance: Keeping Pace with Network Needs
- Ideally, an IDS captures all the packets that reach it, raises alarms on all suspicious packets, and lets legitimate packets through; in practice its performance can be hampered by:
- A lack of RAM: the IDS should have more than the minimum amount of RAM so that it can maintain state information
- A lack of bandwidth: an IDS should be able to handle 50 percent bandwidth utilization without losing the capacity to detect
- A lack of storage: the text gives a gigabyte or more as typical sufficient storage space for logs and alerts

Maintain Your Own Knowledge Base
- Remain effective in ongoing security efforts by growing your own knowledge and maintaining industry contacts
- Visit Web sites that gather news headlines on virus outbreaks and security breaches
- Mailing lists often provide up-to-date information about security issues and vulnerabilities
- Newsletters and trade publications that cover security often contain reviews of hardware and software
- Many certifications need to be renewed periodically

Chapter Summary This chapter discussed aspects of the ongoing maintenance of network security systems, and of IDSs in particular. There is a need for security event management: accumulating data from a wide range of security devices by means of a coordinated program. Such a program includes event monitoring of the alert and event logs produced by security devices and operating systems. It also involves collecting data from multiple sensors through either a centralized or a distributed system, and it requires you to review the attack signatures your IDS uses to make sure they are up to date.

Chapter Summary Another aspect of event management is the need to make changes to procedures in a systematic and thought-out way. Change management describes the modification of systems or procedures in a way that includes the approval of the appropriate management and that notifies staff of the impending change. Security auditing tests the effectiveness of network defenses after you have established them. In an operational audit your own staff examines the system logs and looks for vulnerabilities such as weak passwords or unnecessary user accounts. An independent audit is performed by an outside firm you hire to come in and inspect your logs.

Chapter Summary Another aspect of ongoing security maintenance is managing the IDS to keep it running smoothly. First, maintain your current IDS by making backups, managing user accounts, and cutting back on any unnecessary rules that the IDS uses. You can also strengthen overall intrusion detection by instituting an awareness program in which employees, contractors, and business partners all understand and observe your security policy. Finally, you can strengthen the IDS by adding software or hardware as needed.

Chapter Summary By strengthening your network's Defense in Depth configuration, you improve network defense overall and ensure the availability and integrity of information. You also provide for non-repudiation: the use of authentication to prevent the parties involved in an electronic transaction from denying that it took place in order to escape paying for goods and services. Active Defense in Depth calls for actively anticipating and thwarting attempts before they occur, through training or through adding layers of security.

Chapter Summary Next, the text discussed the importance of keeping pace with your network's needs by providing sufficient memory for the IDS to process long-running attacks, since it must maintain the state of each connection with a potential attacker. You also need to provide the IDS with sufficient storage space for log and alert files, and to dispose of old files thoroughly by shredding them electronically.

Chapter Summary Finally, the chapter stressed the importance of maintaining your own knowledge and expertise alongside the ongoing maintenance of security devices. By visiting selected Web sites, you can keep abreast of security breaches and virus outbreaks. By joining mailing lists or posting on newsgroups, you gain a resource for getting answers and opinions on issues you confront. By subscribing to online or print publications, you get reviews of new equipment as well as articles that describe how to use it. Finally, you need to keep your security certifications up to date in order to maintain your own level of expertise, as well as the experience level of the organization as a whole.