Logging and Monitoring (presentation transcript)

1 Logging and Monitoring

2 Motivation
Attacks are common (see David's talk)
– Sophisticated – hard to reveal, (still) quite limited in our environment
– Frequent “noise”
Clouds make the situation more complex
– You address issues caused by random users

3 Motivation
Goals
– Efficient IR
– Build and maintain good reputation
Means
– Prevent incidents from happening
– Timely response
– Efficient handling of incidents: automation of procedures, reporting

4 Revealing Incidents - Motivation
Detecting attack from own monitoring
– EGI “FedCloud” incident at CESNET
– Network monitoring revealed DDoS attacks from a cloud machine
– Further forensics showed compromised Tomcat account (with enabled default password)
Report from outside
– “We found malicious activity originating from your IP address 1.2.3.4 during ”

5 Attackers' Behavior - Motivation
Common scenario
– Get user access to a machine via common vectors
– (escalate privileges)
– Hide traces
– Launch a “bot”, ...
Forensics tries to identify the steps

6 Setting up Basic Elements
Logging and monitoring are crucial for incident response and prevention
Consider involvement of cloud users (infrastructure vs. VMs)
Basic tools
– logs
– patch management
– VM monitoring
– network monitoring

7 Log Management

8 Gathering Logs
Make sure key components generate logs
Verify that logs are complete
– IP, usernames – traceability
Think about policies
Collect logs centrally (syslog)
– Attackers wipe logs
– Easy evaluation
Provide support for VMs
– Pre-configured images, documentation, …

9 Processing Logs
Check logs automatically
– Logwatch, …
– Identify suspicious patterns – successful SSH attacks
Logs may be large
– Prepare a proper solution (ELK)
– Identify what needs to be retained (policies)
– Prepare storage
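As an added example (not part of the presentation), the "successful SSH attack" pattern mentioned above can be picked out of centrally collected sshd logs by correlating a burst of failed password attempts from one source with a later accepted login from the same source. The log lines, host name and addresses below are constructed for the example; the threshold of 3 failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the presentation).
SAMPLE_LOG = """\
Mar 10 02:14:01 vm01 sshd[2345]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 vm01 sshd[2345]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:05 vm01 sshd[2345]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:07 vm01 sshd[2345]: Failed password for tomcat from 203.0.113.7 port 51025 ssh2
Mar 10 02:14:09 vm01 sshd[2346]: Accepted password for tomcat from 203.0.113.7 port 51026 ssh2
Mar 10 02:20:11 vm01 sshd[2400]: Accepted publickey for alice from 198.51.100.5 port 40010 ssh2
Mar 10 02:21:00 vm01 sshd[2401]: Failed password for bob from 198.51.100.9 port 40011 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user xyz from ..." forms of sshd auth lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def find_suspicious_logins(text, threshold=3):
    """Return {ip: (failures_before, user)} for each source IP whose password
    login was accepted after at least `threshold` failed attempts earlier in
    the log. Key-based logins are not counted as guessing successes."""
    failures = defaultdict(int)
    hits = {}
    for result, method, user, ip in parse_sshd(text):
        if result == "Failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= threshold:
            hits[ip] = (failures[ip], user)
    return hits


if __name__ == "__main__":
    for ip, (n, user) in find_suspicious_logins(SAMPLE_LOG).items():
        print(f"{ip}: password login as '{user}' after {n} failures")
```

On the sample, only 203.0.113.7 is reported (four failures, then an accepted password login as tomcat); alice's key-based login and the single failure from 198.51.100.9 are not.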

10

11 Patch Monitoring

12 Patch Monitoring using Pakiti
Patch monitoring, detects known vulnerabilities
Client-server architecture
In production use by EGI CSIRT, Nagios probe against WNs
http://pakiti.sourceforge.net/

13 Pakiti in EGI
New vulnerabilities assessed by EGI CSIRT / SVG → Critical or High-rated
Sites are requested to address the issue: update package(s) and/or apply mitigations
– 7 business days for new vulnerabilities, 2 days for re-occurrences
Sites failing to address the issue may be suspended
Results available to sites/NGIs (limited access)

14 Pakiti GUI

15 Patch Management in EGI

16 Monitoring of Cloud Machines
Be faster than attackers

17 VM Assessment
Users are creative
Identify common attack vectors
– Default/weak passwords
– Testing accounts
Develop procedures and policies
– Regular audits
Integrate with general issue handling
– automation

18 VM Assessment at CESNET
Regular network scans of cloud machines
– SSH accounts
– Tomcat accounts
– open “amplifiers”
Policies being updated
– VMs are contained after being found vulnerable

19 Network Monitoring

20 Why Monitor Network?
Everybody leaves traces in network traffic (you can’t hide).
– Identification of attack attempts
– Identification of successful attacks
– Incident analysis
Outcomes improve knowledge about the network

21 Monitoring using Flows
Passive monitoring collecting metadata
– No support needed from users/customers
Flow contains key information about every connection
– Source and destination IP, ports, times, protocols, …
– No content data (mostly)
Very valuable for forensics and attack analysis

22 Collecting Flows
Several solutions available
"NetFlow Architecture 2012" by Amp 32 (wikipedia.org)

23 Using Network Monitoring Data
Automated processing
– Successful phishing, network attacks, suspicious IPs, …
Auxiliary processing

24 Questions?
