Day2 NSTrack JSnyder SecurityDashboard MainBallroom

Date post: 13-Apr-2018

Transcript
  • 7/26/2019 Day2 NSTrack JSnyder SecurityDashboard MainBallroom

    1/24

    Building a Security Dashboard

    Joel M Snyder
    jms@opus1.com
    Senior Partner
    Opus One

  • 2/24

    don't fit in an hour

  • 3/24

    posture

  • 4/24

    Security Posture?

    in

    Security is Risk Avoidance

    Joel's definition:

    Degree to Which You

  • 5/24

    [diagram: RISK → Risk Mitigator → RISK]

  • 6/24

    For Example:

    Before                        | Mitigator            | After
    Lots of viruses               | Anti-virus           | A few viruses
    Lots of spam                  | Anti-spam            | A few spam
    Lots of attacks               | Intrusion Prevention | A few attacks
    Lots of inappropriate traffic | Content filtering    | A little inappropriate traffic
    data                          | Protection           | data
    Lots of port                  | Firewall             | A few port

  • 7/24

    Anomaly Detectors can

    +1 standard deviation

    Secondary signs of increase in risk are also visible in the form of anomalous activity

  • 8/24

    Step 1 of

    Risk mitigation technologies
    Anomaly detection technologies

  • 9/24

    Example: Opus One

    Source of Information  | Type of Information
    Firewall Traffic Log   | Traffic in/out of the network; prohibited inbound/outbound attempts
    Mail Security Gateway  | Level of inbound email traffic; number of viruses and spam blocked
    IDS/IPS                | Alerts on suspicious traffic; alerts on blocked traffic
    Network Monitoring     | Systems up/down; ping latency; link/disk/memory/CPU usage
    Bandwidth Graphing     | Traffic levels at network port granularity
    Vulnerability Analyzer | System vulnerability detection; deltas in vulnerabilities; changes in open ports
    Log Collector          | Information from SYSLOG, Windows Event Log, SNMP
    Tripwire               | Changes in system security or sensitive files

  • 10/24

    How Do We Measure

    Identify assets and identify threats
    Calculate =
    Calculate ALE_before = ARO_before * SLE_before
    Figure out a solution that mitigates risk
    Change EF, ALE, and ARO
    Compare ALE_before with ALE_after
    Calculate ALE_after = ARO_after * SLE_after

  • 11/24

    OK, Better Question:

    Anomaly detectors can't tell you when something is broken
    But you may be able to see it

  • 12/24

    For Example,

    What can you see in this information that helps you to evaluate security posture and risk?

  • 13/24

    1 hr, 8 hr, 100 hr

  • 15/24

    Example 2: Network Status

  • 16/24

    How About:

    Remember: who is down is not security dashboard; you'll get alerts for that stuff. We want additional insight on un-alertable data here.

  • 17/24

    Too Generic:

    Who is Unusually Fast/Slow?

    Color code based on how far off of normal behavior this is. Even better, don't fixate on ping but extend response time to applications.

  • 18/24

    Step 2 of

    to minimum needed to determine security posture!

    If you want the full boat, you can always click-through to the display

  • 19/24

    Incorporating Anomaly Detection

    Quick: is there something wrong here or not?

  • 20/24

    Without Baselining,

    Looks like we kick off backups on Tuesday at midnight for this system

  • 21/24

    Source                 | Deviation To Look For
    Firewall Traffic Log   | Traffic high/low; outbound deny high
    Monitoring             |
    Vulnerability Analyzer | Delta in open ports/responding services
    Log Collector          | SYSLOG/Windows Log/SNMP Trap above normal levels for each system

  • 22/24

    Step 3 of

    security metrics and report when baseline is exceeded

    You will also want to have pure bandwidth graphs on your

    , room for too many
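The baselining the slides ask for (colour a pane by how far off normal a value is, keep a scheduled Tuesday-midnight backup from looking like an incident, and report only when the baseline is exceeded), as an added Python example that is not from the talk or from Opus One. The hourly "outbound deny" counts, the hour-of-week bucketing and the one- and two-sigma colour thresholds are assumptions chosen for illustration:

```python
"""Hour-of-week baselining for one dashboard pane (added example, not from the
talk): a scheduled spike like the Tuesday-midnight backup on slide 20 stays
inside its own band, and the pane is coloured by distance from normal (slide 17)."""
from collections import defaultdict
from statistics import mean, pstdev

HOURS_PER_WEEK = 24 * 7

def hour_of_week(sample_index):
    # Samples are hourly, numbered from a Monday 00:00 start (assumption).
    return sample_index % HOURS_PER_WEEK

def build_samples(weeks=6):
    """Constructed firewall 'outbound deny' counts: about 20/hour with small
    deterministic jitter, about 200/hour every Tuesday 00:00 (backup job)."""
    return [(200 if hour_of_week(i) == 24 else 20) + i % 5
            for i in range(weeks * HOURS_PER_WEEK)]

def build_baseline(samples):
    """Per hour-of-week (mean, population stdev) over the sample history."""
    buckets = defaultdict(list)
    for i, value in enumerate(samples):
        buckets[hour_of_week(i)].append(value)
    return {h: (mean(v), pstdev(v)) for h, v in buckets.items()}

def global_stats(samples):
    """The 'without baselining' view: one mean/stdev for the whole series."""
    return mean(samples), pstdev(samples)

def deviation(value, stats):
    """Signed distance from normal in standard deviations (z-score)."""
    m, sd = stats
    return (value - m) / (sd or 1.0)  # flat history: avoid division by zero

def colour(z):
    """Pane colour: under 1 sigma green, under 2 yellow, beyond that red."""
    z = abs(z)
    return "green" if z < 1 else "yellow" if z < 2 else "red"

def score(value, sample_index, baseline):
    """Score a new hourly sample against its own hour-of-week band."""
    z = deviation(value, baseline[hour_of_week(sample_index)])
    return round(z, 2), colour(z)

SAMPLES = build_samples()
BASELINE = build_baseline(SAMPLES)

if __name__ == "__main__":  # first Tuesday 00:00 after the recorded history
    print("baselined:", score(202, 6 * HOURS_PER_WEEK + 24, BASELINE))     # green
    print("unbaselined:", colour(deviation(202, global_stats(SAMPLES))))  # red
```

The same 202-count sample is green against its hour-of-week band but red against a single whole-series mean, which is the difference slide 20 is pointing at.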

  • 23/24

    Next Steps

    4. Identify most critical 12 to 16 panes of data giving insight into security
    5. Bring together into graphical format
    6. Reconcile with alerting
    7. Get promotion from drooling boss

  • 24/24

    Thanks!

    Joel M Snyder
    jms@opus1.com
    Senior Partner
    Opus One

