Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Guidelines and Management

Published byGloria Short Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Guidelines and Management"— Presentation transcript:

1 Security Guidelines and Management

2 Security Management Log Management Malware incident handling
Forensic Techniques Vulnerability Management Program

3 Log Management A Log is a record of events that happen in computer systems and networks of an organization Three types of logs are of interest in security Security software logs Operating system logs Application logs

4 Log Management Configuring log sources Log analysis
Initiating responses Long term storage Monitoring logging status Monitoring log archival Upgrades of logging software Clock synchronization Reconfiguration Documenting log process anomalies

5 Security Software Logs
Anti-malware software logs detected malware file and system disinfection attempts quarantines previous scans updates of virus databases IDS/IPS log suspicious behavior and detected attacks IPS actions to prevent ongoing malicious activities Remote Access software successful and failed login attempts dates and times user connected and disconnected amount of data user sent and received per session use of resources may be logged with more refined software

6 Security Software Logs
Web proxies log all urls requested Vulnerability management software log patch installation history vulnerability status of each host Authentication servers log all login attempts Routers log most recently blocked traffic Firewalls store results of analysis of suspicious activities Network quarantine servers status of quarantined hosts reason for quarantines

7 Operating System Logs System events Audit records Shutting down
Restarting services Failed events Audit records Failed/successful authentication events File accesses Security policy changes Account changes Use of privileges

8 Application Logs Applications provide their own custom logging mechanisms. Granularity can be very high. Typical logs: Client requests and server responses ( servers, web servers, financial records) Account information (authentication, change of accounts, password cracking, use of privileges) Usage information (number of transactions in a given time period, unusual activity like bulk mails) Significant operational actions (application startup, shutdown, failures, configuration changes

9 Need for Log Management
Logs are usually in proprietary format and difficult to manage Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems Logs can also be useful for performing auditing and forensic analysis, supporting the organization’s internal investigations, establishing baselines, and identifying operational trends Legal compliance. For critical applications like, health, public financial records, bank accounts, Government requires the organizations to maintain logs Protecting the trustworthiness of the log sources and also, the logs themselves need to be protected from malicious activities

10 Challenges in Log Management
Multiple Log Sources Inconsistent log content (like recording only pieces of information) Inconsistent timestamps (especially when logging across multiple hosts) Inconsistent formats ( XML, plain text, binary)

11 Log Management Infrastructure
A three-tier Architecture Log generation : Synchronized hosts generate Logs analysis and storage : One or more log servers that receive the logged data. This transfer is either real-time or periodic. Such servers are called collectors or aggregators Log monitoring : analyze and monitor the logged data using application consoles

12 Features of the Infrastructure
General Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest Event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event

13 Features of the Infrastructure
Storage Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Benefits are: compression of logs and analysis Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN) or a server. Two forms of archival Retention : is archiving logs on a regular basis as part of standard operational activities Preservation : is keeping logs that normally would be discarded, because they contain records of activity of particular interest Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents

14 Features of the Infrastructure
Log reduction is removing unneeded entries from a log to create a new log that is smaller Log conversion is parsing a log in one format and storing its entries in a second format. Text to XML etc Log normalization, each log data field is converted to a particular data representation and categorized consistently. Example converting all date/times into a common format Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected

15 Features of the Infrastructure
Analysis Event correlation is finding relationships between two or more log entries E.g., rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types Log viewing is displaying log entries in a human-readable format Log reporting is displaying the results of log analysis Disposal Log clearing is removing all entries from a log that precede a certain date and time Some popular implementations are syslog, SIEM software, Host-based intrusion detection systems,

16 Roles/Responsibilities in Log Management
System and network administrators, responsible for configuring logging on individual systems and network devices, analyzing logs periodically, reporting results of log management activities, and performing regular maintenance of logs and logging software Security administrators, responsible for managing and monitoring the log management infrastructures, configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers), reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis Computer security incident response teams, use log data when handling incidents Application developers, need to design or customize applications so that they perform logging in accordance with the logging requirements Information security officers, who oversee the log management infrastructures Auditors, who may use log data when performing audits Individuals involved in the procurement of software to generate computer security log data.

Download ppt "Security Guidelines and Management"

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Access Control Chapter 3 Part 5 Pages 248 to 252.

Access Control Chapter 3 Part 5 Pages 248 to 252.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Maintaining and Updating Windows Server 2008

Maintaining and Updating Windows Server 2008
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Designed By: Technical Training Department

Designed By: Technical Training Department
Department Of Computer Engineering

Department Of Computer Engineering
Network security policy: best practices

Network security policy: best practices
Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.

Intrusion Prevention, Detection & Response. IDS vs IPS IDS = Intrusion detection system IPS = intrusion prevention system.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
10-Conducting Security Audits. Privilege Auditing Person’s access level over an object – User should be given minimal amount of privilege necessary to.

10-Conducting Security Audits. Privilege Auditing Person’s access level over an object – User should be given minimal amount of privilege necessary to.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Similar presentations

Ads by Google