Date post: | 21-Dec-2015 |
Security administrators
The experts need better tools too!
Agenda
– Projects?
– Final conflicts?
– Report and presentations
– Security admins
– General wrap-up
Report and presentation
– Intro and motivation
– Describe the study: tasks, surveys, how many users, etc.
– Describe the results: tables of data, issues observed, etc.
– Describe the implications: what do the results mean? What would someone do with these results?
– Future work: how would you modify the study based on your pilot? What future studies does this suggest?
Security Administrator Knowledge
Growing more and more difficult
A decade ago:
– possible to have intimate knowledge of smaller computer systems, with fewer applications and infrastructures to support
– an intruder also likely needed intimate knowledge; less malicious code out there
Now:
– large operating systems, tens of thousands of files, large infrastructures
– widely distributed attack tools, very interconnected networks; infection occurs everywhere, all the time
Slides adapted from Matthew DeSantis, CMU
(Some) tools of the trade
Intrusion Detection Systems (IDS)
– Monitor network traffic and alert on suspicious patterns
Scanning tools
– Look for known vulnerabilities in networks and machines
File/host integrity tools
– Virus detection
– Filesystem monitoring
Home-made scripts
– Filter and process log files, run services, etc.
Information sources
– Descriptions of attacks, source code, etc.
Admin challenges
Problems are complex and still require human judgement to determine and solve
Information overload
– Large numbers of alerts and emails
– Large log files
– Many tools to help with different tasks
Usability is still not an aspect of these tools
– Command lines rule
– No standards for tool output, so it is difficult to synthesize
Solutions?
Identify the work practices and needs of these users
– What are the implications of having security experts as users?
– What usability properties do tools need to have?
Visualization
– Help users identify patterns in high-volume data
– Synthesize data from multiple sources to provide higher-level views
– Challenge: another thing to attack
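The two slides above (home-made scripts that filter log files, and synthesizing data from multiple tools whose output has no common format) are what most admins end up scripting by hand. The following is an added example, not code from the original slides: it normalizes three constructed log snippets (a hypothetical IDS alert log, a hypothetical scanner CSV export and a hypothetical file-integrity monitor log, none of them the format of any real product) into one event schema, aggregates per host, and returns the hosts a human should look at first. The formats, field names, severity mapping and the `triage` threshold are all assumptions made for the example.

```python
"""Normalize alerts from several security tools into one schema and rank hosts.

Added example. The log text below is constructed, and the three formats are
invented stand-ins for an IDS, a vulnerability scanner and a file-integrity
monitor (FIM); they do not reproduce any real tool's output.
"""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample output (hypothetical formats).
IDS_LOG = """\
2015-12-21T10:01:03 [Priority: 1] ET SCAN Nmap SYN scan 203.0.113.7 -> 10.0.0.5
2015-12-21T10:01:09 [Priority: 3] SSH brute force attempt 203.0.113.7 -> 10.0.0.5
2015-12-21T10:02:41 [Priority: 2] Possible SQL injection 198.51.100.9 -> 10.0.0.8
"""
SCANNER_CSV = """\
host,port,severity,finding
10.0.0.5,22,high,OpenSSH version allows weak ciphers
10.0.0.8,443,medium,TLS certificate expired
10.0.0.12,80,low,Server banner disclosure
"""
FIM_LOG = """\
Dec 21 10:03:12 10.0.0.5 fim: changed /etc/passwd (mode 0644 -> 0666)
Dec 21 10:03:13 10.0.0.8 fim: changed /var/www/index.html
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Event:
    """One tool-independent record: which host, which tool, how bad, what."""
    host: str
    source: str
    severity: str  # normalized to low / medium / high
    summary: str


IDS_RE = re.compile(r"^\S+ \[Priority: (\d)\] (.+?) (\S+) -> (\S+)$")
FIM_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) fim: (.+)$")


def parse_ids(text):
    """IDS lines: the destination host is the one we attribute the alert to.
    Priority 1 -> high, 2 -> medium, anything else -> low (assumed mapping)."""
    events = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing the run
        prio, msg, src, dst = m.groups()
        sev = {"1": "high", "2": "medium"}.get(prio, "low")
        events.append(Event(dst, "ids", sev, f"{msg} from {src}"))
    return events


def parse_scanner(text):
    """Scanner CSV already carries a severity word; keep it as-is."""
    return [
        Event(row["host"], "scanner", row["severity"],
              f"port {row['port']}: {row['finding']}")
        for row in csv.DictReader(io.StringIO(text))
    ]


def parse_fim(text):
    """FIM lines: treat changes under /etc/ as high, other changes as medium."""
    events = []
    for line in text.splitlines():
        m = FIM_RE.match(line)
        if not m:
            continue
        host, msg = m.groups()
        path = msg.split()[1]
        sev = "high" if path.startswith("/etc/") else "medium"
        events.append(Event(host, "fim", sev, msg))
    return events


def collect_events():
    """Merge all sources into one list of Event records."""
    return parse_ids(IDS_LOG) + parse_scanner(SCANNER_CSV) + parse_fim(FIM_LOG)


def summarize_by_host(events):
    """Per-host counts by severity plus the set of tools that reported it."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            ev.host, {"high": 0, "medium": 0, "low": 0, "sources": set()})
        entry[ev.severity] += 1
        entry["sources"].add(ev.source)
    return summary


def triage(summary, min_severity="medium"):
    """Hosts with at least one finding at or above min_severity, worst first."""
    threshold = SEVERITY_ORDER[min_severity]
    keep = [h for h, s in summary.items()
            if any(s[sev] for sev, rank in SEVERITY_ORDER.items() if rank >= threshold)]
    return sorted(keep, reverse=True,
                  key=lambda h: (summary[h]["high"], summary[h]["medium"], summary[h]["low"]))


if __name__ == "__main__":
    summary = summarize_by_host(collect_events())
    for host in triage(summary):
        s = summary[host]
        print(f"{host:<12} high={s['high']} medium={s['medium']} low={s['low']} "
              f"sources={','.join(sorted(s['sources']))}")
```

The point of the normalization step is that a host seen by three separate tools (IDS, scanner, FIM) surfaces once, at the top of the list, instead of as three unrelated alerts in three inboxes; the threshold in `triage` is where the admin's judgement about what to ignore gets encoded.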
Example - NVisionIP
http://security.ncsa.uiuc.edu/distribution/NVisionIPDownLoad.html
Visualize traffic flows to/from every machine on a large computer network
Rumint
Visualize network packets
http://www.rumint.org/
Rainstorm IDS
Visualize IDS alarm events over an entire network space
Wormhole detection
Weichao Wang and Aidong Lu, UNCC
What else?
Advantages and disadvantages of visualizations?
Why don't sysadmins use more of these visualization tools?
What else could potentially make security administrators' jobs easier?
What do end users need to know about security administrators?
Course wrap-up
Big lessons:
– HCI can play a role in security and privacy solutions
– Security and privacy are secondary tasks
– Usability is not necessarily contrary to security
– As with anything, there are tradeoffs in approaches
– Good user-centered design can improve today's tools
So what have you learned?
What are the biggest lessons you take away from this course?
How will you incorporate what you have learned into your job or life?
What are important new themes to study in this area?
– What needs additional focus?
– Anything we didn't cover that you think is really important?
Next week
Give me 24 hours to give you feedback on a project draft
Presentations: 6:30pm in CHHS 285