Presentation transcript

Slide 1: Knowing What You Missed: Forensic Techniques for Investigating Network Traffic

Slide 2: Forensics?
“The science that examines and studies evidence in criminal cases and legal matters”
“The True Witness”
“In God we Trust, everyone else gets logged”

Slide 3: Agenda
1. Forensic Evidence: Why?
2. Measuring Security
3. What to look for?
4. Make Evidence Work for You

Slide 4: Implementation of an effective Enterprise Security Program
It is extremely important to follow through with all the implementation steps. Most organizations tend to stop upon completion of the Security Strategy and never get to implementing:
 Administrative and User Guidelines
 Monitoring and Event Auditing Process
 Policy Compliance and Enforcement Process
 Incident Response

Slide 5: Administrative and User Guidelines
Administrative guidelines and procedures
 How to implement and maintain security standards and the technical configuration guide
 Defined technical and security administration processes and procedures
 Daily responsibilities and tasks
End-user guidelines and procedures
 The human element is a decisive factor in a successful information security effort
 Clearly defined expectations, roles and responsibilities
 Awareness of current vulnerabilities and exposures
 Security concepts, procedures and techniques explained

Slide 6: Enforcement, Event Auditing and Incident Response Processes and Procedures
Manual and automated processes, procedures and activities to prevent, detect and correct activities that could compromise information security
 Enforcement and Policy Compliance: administrative, operational, technical
 Event Auditing and Monitoring: periodic status audit; enterprise event correlation and real-time transaction activity assessments; dynamic policy compliance assessments (exception reporting and real-time alerts)
 Incident Response and Recovery: business resumption and disaster recovery; non-compliance with security standards; incident management (intrusion, breach, etc.)

Slide 7: Companies are trying to reach new heights
The trade-off: openness versus security, with business continuity at a higher level of security and openness, and new business opportunities.
80% of enterprises will be using the Internet as a key part of their business processes by 2004.
U.S. companies will increase security spending tenfold over the next decade.

Slide 8: Still, IT Managers are Overwhelmed
So many systems, so many reports: vulnerabilities, firewalls, intrusion detection, security event logs, real-time alerts, host-based IDS, security policies, security compliance, virus scans, access control...
2.3 million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give...
Not enough time nor staff.

Slide 9: The Real Threat Lies Within
Companies want one consolidated view of network security...

Slide 10: By using an Audit Methodology
Diagram labels: inputs (Real Time Alerts, Event Logs, Security Events, Security Policies) are consolidated, normalized and audited by severity and relevance into Real Time Alerts and Security Management Reports, to provide valid info. Benefits: less cost, more effectiveness, less risk, continuous improvement.

Slide 11: ... and Relevant Incident Management
Executive overview with drill-down:
 Gathering meaningful information for risk assessment
 Consolidation of real-time, platform and application events
 Consolidated non-stop network security reports

Slide 12: How Secure are you?
How secure is your IT? How do you know? When do you need forensics?

Slide 13: Measuring Security
Security will be about events, not about barriers. Security is about providing access to enable business... and about knowing who, what, where and when uses your resources.

Slide 14: Measuring Security: Why?
Diagram labels: Management, Measurement, Trust; Assets + Risk; Value; Security $; Assets; Virtual Business opportunities.

Slide 15: By creating a cycle of improvement
Diagram labels (improvement cycle): Measure policies; Review policies; Exception overview; Attention overview; Severity; Executive summary; Security status; Analyze; Real Time Violation; Attentions; Intrusions; Incident Management; Availability; Alert; Security policies; CEV’s; Early detection; Vulnerabilities; Prevent; Improve.

Slide 16: Security is the Top Challenge
Who are the challengers? You can’t measure it. You can’t manage it.

Slide 17: Security breaks through the curve
Diagram labels: Openness, Security, Measure, Manage.

Slide 18: IT Security: What’s needed?
Authentication, Authorization, Administration, Audit
 Firewall
 Intrusion Detection
 Security Policy
 Audit/Monitoring tool

Slide 19: Measuring Security: How?
 Turn on your event logging
 Consolidate your logs
 Establish a good Security Policy
 Audit against the security policy

Slide 20: From Noise to Information
Diagram: log sources (SNMP, Syslog) are normalized into Who, What, When, Where and On What against the Security Policy, then correlated into Alerts, Reports, Audits, Archives and Forensics.
Establish a 7/24/365 Auditor/Monitor.

Slide 21: Alerts and Violations
From all security appliances, platforms and applications:
 Repeated logon violations
 Simultaneous logons with the same ID
 Access violations
 Attack patterns

Slide 22: Compliance
Authorized access to authorized functions:
 changing a firewall rule
 creating an (administrator) userid
 activity on your valuable data
You should only see planned activity by trusted people.

Slide 23: Compliance and Forensics
(Authorized) activity by normal users:
 Look for out-of-hours activity
 Look for volume
 Make sure you have forensic data to reconstruct... just in case
Empowering your users implies the need to monitor.

Slide 24: What to look at?
Who: groups of users or roles with comparable rights and responsibilities
What: types of activity
When: relevant time periods
Where: groups of target platforms with comparable security needs
On What: groups of objects needing a comparable level of protection
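As an added example (not part of the slides), the Python script below normalizes a few constructed log lines into the who/what/when/where/on-what tuple of slides 20 and 24 and then runs the checks from slides 21 to 23 over them: repeated logon failures, the same ID logged on from two places at once, privileged changes such as a firewall rule change, and out-of-hours activity. The key=value log format, the action names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in an assumed key=value format (not real logs).
SAMPLE_LOG = """\
2004-03-02T09:12:01 host=srv1 user=alice action=logon result=fail src=10.0.0.5
2004-03-02T09:12:05 host=srv1 user=alice action=logon result=fail src=10.0.0.5
2004-03-02T09:12:09 host=srv1 user=alice action=logon result=fail src=10.0.0.5
2004-03-02T10:00:00 host=srv1 user=bob action=logon result=ok src=10.0.0.7
2004-03-02T10:00:30 host=srv2 user=bob action=logon result=ok src=192.0.2.9
2004-03-02T02:30:00 host=fw1 user=carol action=rule_change result=ok src=10.0.0.8
garbage line that does not normalize
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) action=(\S+) result=(\S+) src=(\S+)$")
PRIVILEGED = {"rule_change", "create_admin"}  # assumed names for slide 22's examples

def normalize(raw):
    """Map each parseable line to the who/what/when/where/on-what tuple; drop noise."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            when, host, who, what, result, src = m.groups()
            events.append({"who": who, "what": what, "result": result,
                           "when": datetime.fromisoformat(when),
                           "where": src, "on_what": host})
    return events

def repeated_logon_failures(events, threshold=3):
    """Users with at least `threshold` failed logons (slide 21)."""
    fails = defaultdict(int)
    for e in events:
        if e["what"] == "logon" and e["result"] == "fail":
            fails[e["who"]] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)

def simultaneous_logons(events, window_seconds=300):
    """Same ID successfully logged on from two different sources within the window."""
    ok = [e for e in events if e["what"] == "logon" and e["result"] == "ok"]
    return sorted({a["who"] for a in ok for b in ok
                   if a["who"] == b["who"] and a["where"] != b["where"]
                   and abs((a["when"] - b["when"]).total_seconds()) <= window_seconds})

def privileged_changes(events):  # slide 22: only planned activity by trusted people
    return [(e["who"], e["on_what"], e["what"]) for e in events if e["what"] in PRIVILEGED]

def out_of_hours(events, start_hour=8, end_hour=18):
    """Users active outside the working window, a forensic starting point from slide 23."""
    return sorted({e["who"] for e in events if not start_hour <= e["when"].hour < end_hour})
```

Each finding is a list the auditor can review against the security policy; the unparseable line is dropped at normalization, which is the "noise to information" step of slide 20.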

