7/26/2019 Day2 NSTrack JSnyder SecurityDashboard MainBallroom
1/24
Building a Security Dashboard
Joel M Snyder
jms@opus1.com
Senior Partner
Opus One
don't fit in an hour
posture
Security Posture?
Security is Risk Avoidance, in Joel's definition:
Degree to Which You
RISK -> Risk Mitigator -> RISK
For Example:
Before | Mitigator | After
Lots of viruses | Anti-virus | A few viruses
Lots of spam | Anti-spam | A few spam
Lots of attacks | Intrusion Prevention | A few attacks
Lots of inappropriate traffic | Content filtering | A little inappropriate traffic
data | Data Protection | data
Lots of port | Firewall | A few port
Anomaly Detectors can
+1 standard deviation
Secondary signs of increase in risk are also visible in the form of anomalous activity
Step 1 of
Risk mitigation technologies
Anomaly detection technologies
Example: Opus One
Source of Information | Type of Information
Firewall Traffic Log | Traffic in/out of the network; prohibited inbound/outbound attempts
Mail Security Gateway | Level of inbound email traffic; number of viruses and spam blocked
IDS/IPS | Alerts on suspicious traffic; alerts on blocked traffic
Network Monitoring | Systems up/down; ping latency; link/disk/memory/CPU usage
Bandwidth Graphing | Traffic levels at network port granularity
Vulnerability Analyzer | System vulnerability detection; deltas in vulnerabilities; changes in open ports
Log Collector | Information from SYSLOG, Windows Event Log, SNMP
Tripwire | Changes in system security or sensitive files
How Do We Measure
(ALE = annualized loss expectancy, ARO = annualized rate of occurrence, SLE = single loss expectancy, EF = exposure factor)
Identify assets and identify threats
Calculate ALEbefore = ARObefore * SLEbefore
Figure out a solution that mitigates risk
Change EF, ALE, and ARO
Calculate ALEafter = AROafter * SLEafter
Compare ALEbefore with ALEafter
OK, Better Question:
Anomaly detectors can't tell you when something is broken.
But you may be able to see it.
For Example,
What can you see in this information that helps
you to evaluate security posture and risk?
1 hr, 8 hr, 100 hr
Example 2: Network Status
How About:
Remember: who is down is not security dashboard; you'll get alerts for that stuff. We want additional insight on un-alertable data here.
Too Generic:
Who is Unusually Fast/Slow?
Color code based on how far off of normal behavior this is. Even better, don't fixate on ping but extend response time to applications.
Step 2 of
to minimum needed to determine security posture!
If you want the full boat, you can always click-through to the display
Incorporating Anomaly Detection
Quick: is there something wrong here or not?
Without Baselining,
Looks like we kick off backups on Tuesday at midnight for this system
Source | Deviation To Look For
Firewall Traffic Log | Traffic high/low; outbound deny high
Monitoring
Vulnerability Analyzer | Delta in open ports/responding services
Log Collector | SYSLOG/Windows Log/SNMP Trap above normal levels for each system
Step 3 of
security metrics and report when baseline is exceeded
You will also want to have pure bandwidth graphs on your
, room for too many
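To make the baselining step concrete, here is an added Python example (not from the slides): it builds a per-weekday-and-hour baseline from constructed sample readings and color-codes new readings by how many standard deviations they sit from that slot's mean, so the recurring Tuesday-midnight backup stays green while the same volume on a Wednesday afternoon goes red. All names, thresholds beyond the "+1 standard deviation" rule, and sample values are my assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

SIGMA_THRESHOLD = 1.0  # the slides' "+1 standard deviation" rule

# Constructed sample: four weeks of outbound MB per hour for one server,
# in two time slots only: Tuesday 00:00 (backup window) and Wednesday 14:00.
HISTORY = [
    ("Tue", 0, 900), ("Tue", 0, 950), ("Tue", 0, 880), ("Tue", 0, 920),
    ("Wed", 14, 40), ("Wed", 14, 55), ("Wed", 14, 45), ("Wed", 14, 60),
]


def build_baseline(history):
    """Per-slot baseline {(weekday, hour): (mean, stddev)} from
    (weekday, hour, value) readings. Keying by weekday and hour is what
    makes the Tuesday-midnight backup "normal" for its own slot instead
    of tripping the detector every week."""
    buckets = defaultdict(list)
    for weekday, hour, value in history:
        buckets[(weekday, hour)].append(value)
    return {slot: (mean(v), pstdev(v)) for slot, v in buckets.items()}


def deviation(baseline, weekday, hour, value):
    """Distance of a reading from its slot's mean, in standard deviations.
    A slot that never varied treats any change as an unbounded deviation."""
    mu, sigma = baseline[(weekday, hour)]
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def color(sigmas):
    """Dashboard color by distance from normal (above or below baseline):
    green within one sigma, yellow within two, red beyond that."""
    if abs(sigmas) < SIGMA_THRESHOLD:
        return "green"
    if abs(sigmas) < 2 * SIGMA_THRESHOLD:
        return "yellow"
    return "red"


def check_pane(baseline, readings):
    """Score (system, weekday, hour, value) readings for one dashboard pane."""
    return [(sys_, wd, hr, val, color(deviation(baseline, wd, hr, val)))
            for sys_, wd, hr, val in readings]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(check_pane(base, [("srv1", "Tue", 0, 930), ("srv1", "Wed", 14, 300)]))
```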
Next Steps
4. Identify most critical 12 to 16 panes
of data giving insight into security
5. Bring together into graphical format
6. Reconcile with alerting
7. Get promotion from drooling boss
Thanks!
Joel M Snyder
jms@opus1.com
Senior Partner
Opus One