Presentation is loading. Please wait.

Presentation is loading. Please wait.

Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 11.

Published byAmy Summers Modified over 9 years ago

Similar presentations

Presentation on theme: "Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 11."— Presentation transcript:

1 Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 11

2 Remediation Process Declaration of an incident. Form the remediation Team Determine remediation Timing Hybrid Action (Containment & posturing Action) Hybrid Action (Containment & posturing Action) Hybrid Action (Containment & posturing Action)

3 Remediation Process - Cont Remediation Complete Develop Eradication Plan Execute Eradication Plan Develop Strategic Recommendations Document Lessons Learned

4 Remediation Process 1) Form the Remediation Team Remediation team is similar to the CIRT team. It may consists of the same members or members with similar skill sets 2) Determine the timing of the remediation actions What activities can be started or what needs to wait until the investigation is completed

5 Remediation Process 3) Develop and implement remediation posturing actions These actions occur while the incident is still ongoing ie: password resets, patch application, vulnerability remediation, etc. 4) Develop and implement incident containment actions These actions are designed to restrict access to sensitive areas.

6 Remediation Process 5) Develop an eradication plan the goal is to remove attacker’s access to the environment 6) Determine eradication event timing and implement the plan Once the investigative team determines that all possible breaches, tools, techniques have been identified and no new infections are occurring. It is determined that a steady state for the environment has been reached. At this point eradication plan may be implemented to began the clean up.

7 Remediation Process 7) Develop Strategic Recommendations These are long term observations that need to be implemented. It is generally done as a long term plan for remediation 8) Document the lessons learned. This is a result of identifying all of the things that worked or did not worked during an incident crisis situation. These lessons learned need to be stored in a secure location.

8 Critical Factors for Remediation Efforts Incident Severity Remediation Timing This will serve as a guide to what needs to happen when and everyone needs to agree. This is critical to the success of the remediation. Remediation Team (Size, Skill, Support)

9 Critical Factors for Remediation Efforts Technology All technology used during an incident should be tested and familiar so that during the incident you are not learning new technologies. Budget Management Support Public Scrutiny Be aware of what information is release to the public and when. Revisions may prove more embarrassing.

10 Remediation Owner Some one who is a strong senior technical manager who will negotiate all aspects of the remediation effort. 5 Qualities of a Remediation Owner In-Depth understanding of IT and Security Focus on Execution Understanding of Internal Politics Proven Track record of building support of Initiatives Ability to Communicate with technical and nontechnical personnel.

11 Posturing Actions Enhancing Logging Enhance Alerting Patching 3 rd party applications Implement – multifactor authentication Reduce the locations where critical data is stored Strengthen Password Requirements

12 Posturing Actions Things to be wary off Alerting the attacker results in changed tactics and behavior by the attacker. Attacker Becomes dormant – results in additional compromised machine that become silent, impacting the trusted state of the environment. Attacker becomes destructive Attacker become more active and attempts to infect more machines, resulting an active war between the attacker and the incident response team.

13 Containment Plan Actions Change all of the passwords for all users and accounts Split responsibilities, Some users that can create while others are used to authorize. Improved ACLs.

14 Eradication Action Plan Ie: Completely disconnect the Victim organization from the Internet Block Malicious Ips Change All account passwords Implement Network Segmentation Mitigate all vulnerabilities..especially the original one that allowed the attack in the first place Rebuild compromised systems

15 Strategic Recommendations Ie: Period review of Firewall ACLs and other Network device configurations Period code reviews Implement IDS to monitor network traffic at all critical network points and services. Proper network segmentations Allow only multifactor authentication for remote access Outsource DMZ monitor to MSSP (Managed Security Service Providers)

16 OUTSOURCING SECURITY MSSP – Managed Security Service Providers

17 MSSP Outsourcing What is outsourcing? Act of outsourcing involves contracting out for goods or services to a provider either domestic or foreign in place of internal sourcing. What is outsourced? Software Development, Help Desk Services, Call Center, Medical Billing, etc..

18 Managed Security Services Providers Options: Managed firewall services managed intrusion detection services managed VPN services

19 MSSP – Pros and Cons

20 MSSP Pros: Costs: Running an in-house security team means hiring and paying salaries and benefits, creating office space and overall operational costs. By outsourcing security, you pay for services only. It’s up to the MSSP to handle their employee’s needs. Superior Technology and Expertise: When outsourcing security, you hire a company whose sole business is securing other businesses. This means, managed security service providers have the best hardware and software and skilled personnel. Buying such technology or hiring skilled personnel would be expensive and counterproductive for businesses that don’t specialize in security. Support: Security is a sensitive area and so all managed security service providers offer support all-day, all year as long as the contract is valid. Your business is secured always and time it takes to resolve security issues is minimal.

21 MSSP Cons: Risk: For instance, being a sensitive subject, trusting a different company with your intellectual property, can be hard. Most managed security service providers have well-known reputation and track record. oss of Control: When you hand over security to another company, it means you will have to accept the terms they propose. For example, when outsourcing I.T security, the provider decides the security software and hardware to run in your company. Changing such software would be breaching contract with the managed security service provider. Loss of Quality: Although rare, hiring managed security service providers known to compromise quality for profits is a security risk. To prevent this, researching before signing a contract and asking for service level agreements is advisable.

22 MSSP SLA What should SLA’s cover Time to detection Speed on response after an incident occurs What if the third party does not detect incidents How many incidents are being detected by the third party How many are not being detected by them

23 MSSP SLA Lack of standards and tools Lack of skills, training and/or certification on proper methodology Lack of communication Lack of established policy Repudiation of responsibility from the third party

24 MSSP Choosing the right MSSP Reputation Financial Stability Expertise Employee Turnover Rate etc..

25 MSSP Additional Concerns: How different organizations perform incident management? What is covered and required under Service Contracts? Is the outsourcing service provider obligated to keep the information secured and Security levels current? How are the roles and responsibilities clarified? What level of expertise does the company providing services have with Incident Management? What level of contracts do they have? How would the outsourcing organization be evaluated How would the organization know if the third party is doing its job What kind of incidents are expected to be identified by the third party What kind of reporting and notification is expected from the third party

Download ppt "Intrusion Detection MIS.5213.011 ALTER 0A234 Lecture 11."

Similar presentations

Identifying and Responding to Security Incidents in the Law Firm

Identifying and Responding to Security Incidents in the Law Firm
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Separate Domains of IT Infrastructure

Separate Domains of IT Infrastructure
Security Controls – What Works

Security Controls – What Works
Chapter 12 Network Security.

Chapter 12 Network Security.
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS 4600 - © Abdou Illia.

January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.

Chapter 10 Information Systems Management. Agenda Information Systems Department Plan the Use of IT Manage Computing Infrastructure Manage Enterprise.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Controls for Information Security

Controls for Information Security
Network security policy: best practices

Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Introduction to Network Defense

Introduction to Network Defense

Similar presentations

Ads by Google