Presentation is loading. Please wait.

Presentation is loading. Please wait.

Knowing What You Missed Forensic Techniques for Investigating Network Traffic.

Published byBlake Morrison Modified over 8 years ago

Similar presentations

Presentation on theme: "Knowing What You Missed Forensic Techniques for Investigating Network Traffic."— Presentation transcript:

1 Knowing What You Missed Forensic Techniques for Investigating Network Traffic

2 Forensics ? “The science that examines and studies evidence in criminal cases and legal matters” “The True Witness” “In God we Trust, everyone else gets logged”

3 Agenda 1 1 2 3 4 Forensic Evidence – Why? Measuring Security What to look for ? Make Evidence Work for You

4 Implementation of an effective Enterprise Security Program It is extremely important to follow through with all the implementation steps. Most organizations tend to stop upon completion of the Security Strategy and never get to implementing: Administrative and User Guidelines Monitoring and Event Auditing Process Policy Compliance and Enforcement Process Incident Response

5 Administrative and User Guidelines Administrative guidelines and procedures  How to: Implement and maintain security standards and technical configuration guide  Defined technical and security administration processes and procedures  Daily responsibilities and tasks End-User guidelines and procedures  The human element is a decisive factor in a successful information security effort  Clearly defined expectations, roles and responsibilities  Awareness of current vulnerabilities and exposures  Security concepts, procedures and techniques explained

6 Enforcement, Event Auditing and Incident Response Processes and Procedures Manual and automated processes, procedures and activities to prevent, detect and correct activities that could compromise information security  Enforcement and Policy Compliance Administrative Operational Technical  Event Auditing and Monitoring Periodic Status Audit Enterprise Event Correlation and real-time transaction activity assessments Dynamic Policy Compliance Assessments (Exception Reporting and Real time based alerts)  Incident Response and Recovery Business resumption and disaster recovery Non-compliance with security standards Incident management (intrusion, breach, etc.)

7 Companies are trying to reach new heights Openness Security Business Continuity at Higher Level of Security and Openness 80% of enterprises will be using the Internet as a key part of their business processes by 2004. U.S. companies will increase security spending tenfold over the next decade. The Trade-Off New Business Opportunities

8 Still, IT Managers are Overwhelmed So Many Systems So Many Reports Vulnerabilities, Firewalls, Intrusion detection, security event logs, Real Time Alerts, Host Based IDS, Security Policies. Security compliance, Virus scans, Access control ….. 2.3 million hosts are connected to the Net each month. There aren’t 2.3 million sysadmins. Something has to give…. Not Enough Time nor Staff

9 The Real Threat Lies Within Companies want one consolidated view of network security…

10 By using an Audit Methodology Real Time Alerts Event Logs Security Events Security Policies Severity Relevance Consolidate Normalize Audit Real Time Alerts Less Cost More Effectiveness Less Risk Continuous Improvement Security Management Reports To Provide Valid Info

11 … and Relevant Incident Management Executive Overview with drill down: Gathering Meaningful Information for Risk Assessment Consolidation of Real Time, Platform and Application Events Consolidated Non Stop Network Security reports

12 How Secure are you? How Secure is your IT ? How do you know ? When do you need forensic?

13 Measuring Security Security will be about events, not about barriers. Security is about providing access to enable business …. and about knowing who, what where and when uses your resources.

14 Measuring Security – Why? Management Measurement Trust Assets + Risk Value Security $ Assets Virtual Business opportunities

15 By creating a cycle of improvement Measure policies Review policies Exception overview Attention overview Severity Executive summary Security status Analyze Real Time Violation Attentions Intrusions Incident Management Availability Alert Security policies CEV’s Early detection Vulnerabilities Prevent Improve

16 Security is the Top Challenge Who are the Challengers ? You can’t measure it. You can’t manage it

17 Security breaks through the curve Openness Security Measure Manage

18 A uthentication A uthorization A dministration IT Security What’s needed?  Firewall  Intrusion Detection  Security Policy A udit  Audit/Monitoring tool

19 Measuring Security – How ? Turn on your event logging Consolidate your logs Establish a good Security Policy Audit against security policy

20 Log SNMP Syslog W W ho W W hat W W hen W W here W on W hat Security Policy Normalize Alerts Reports Audits Archives Forensics Correlate From Noise to Information Establish a 7/24/365 Auditor/ Monitor

21 Alerts and Violations From all security appliances, platforms and applications  Repeated logon violations  Simulations logons with same ID  Access violations  Attack patterns

22 Compliance Authorized Access to Authorized Functions  changing a firewall rule  creating an (administrator) userid  activity on your valuable data You should only see planned activity by trusted people

23 Compliance and Forensics (authorized) activity by normal users  Look for out-of-hours activity  Look for volume  Make sure you have forensic data to reconstruct …. Just in case Empowering your users implies the need to monitor

24 What to look at ? Who:Groups of users or roles with comparable right and responsibilities What:Types of activity When:Relevant time periods Where: Groups of target platforms with comparable security needs On What:Groups of objects needing a comparable level of protecting

Download ppt "Knowing What You Missed Forensic Techniques for Investigating Network Traffic."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.

© 2013 Bradford Networks. All rights reserved. Rapid Threat Response From 7 Days to 7 Seconds.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Information Security Policies and Standards

Information Security Policies and Standards
The State of Security Management By Jim Reavis January 2003.

The State of Security Management By Jim Reavis January 2003.
Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.

Enterprise security How to bring security transparency into your organization ISSA EDUCATIONAL SESSION Nicklaus Schleicher, VP Support & Customer Service.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.

Developing Network Security Strategies Network Security D ESIGN Network Security M ECHANISMS.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.

Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
seminar on Intrusion detection system

seminar on Intrusion detection system
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Network security policy: best practices

Network security policy: best practices
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Www.skyboxsecurity.com Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Skybox® Security Solutions for Symantec CCS Comprehensive IT Governance Risk and Access Compliance Management Skybox Security's.

Similar presentations

Ads by Google