Three Phases of Security

Transcription

1

2 Three Phases of Security

3 Security Analyst: Tools of the Trade Patrick Lane, M.Ed., Security+, Network+, CISSP, MCSE Senior Manager, Product Development Product Manager for: CompTIA Security+ CompTIA Cybersecurity Analyst (CSA+) CompTIA Advanced Security PracCConer (CASP) CompTIA Server+

4 Agenda 1. Why have security analyst skills become so important? 2. What tools do security analysts use? 3. How does a SIEM work unified security management? 4. How is threat intelligence integrated? 5. Real- world examples Splunk: Database hack discovered LogRhythm: Financial server hack discovered AlienVault: Bruteforce ayack discovered

5 Why have security 1 analyst skills become so important?

6 Seminal Event: Target Hack of 2014 Wake up call for the IT security world Brought widespread ayencon to the Advanced Persistent Threat Demonstrated that tradiconal security tools, such as firewalls and anc- virus, do not alone protect networks Recent high profile ayacks at Yahoo! and DemocraCc NaConal CommiYee (DNC)

7 The Advanced Persistent Threat (APT) CharacterisCcs: Never stop Oaen highly coordinated / state sponsored Bad actors lurk on systems and networks Hard to detect Planning Malware Introduc>on Command & Control Lateral Movement Target Iden>fica>on Exfiltra>on (AGack Event) Retreat

8 Lessons Learned We must apply behavioral analy>cs to the IT security market to improve the overall state of IT security. We must focus on network behavior in an organizacon s interior network We must idencfy network anomalies that indicate bad behavior We must train IT security professionals security analyst skills, which include: ü Threat management ü Vulnerability management ü Cyber incident response ü Security and architecture tool sets

9 TOTAL NUMBER OF JOB POSTINGS: Security Analyst Job Role Informa>on Security Analysts 130, ,000 90, % increase from 2012 to Data for U.S. only, but reflects an interna>onal need. 109,819 70,000 50,000 39,920 30,000 48,947 58,456 10, Source: Burning Glass Technologies Labor Insights, January 2016

10 AddiConal Indicators The U.S. Bureau of Labor StaCsCcs predicts that informacon security analysts will be the fastest growing job category, with 37% overall growth between 2012 and 2022.* In an analysis of recent U.S. Bureau of Labor StaCsCcs data, informacon security analysts saw an 8% bump in growth over the first three months of That s a new BLS record.** 8 in 10 managers indicate that IT security cercficacons are very valuable (38%) or valuable (42%) in terms of validacng security- related knowledge/ skills or evaluacng job candidates.*** * CompTIA, Trends in InformaCon Security 2015 ** U.S. Bureau of Labor StaCsCcs data *** InternaConal Trends in Cybersecurity, CompTIA, 2016

11 (Quick AdverCsement) CompTIA Cybersecurity Analyst (CSA+) Cer>fica>on Developed to address the need for IT Security Analysts. Exam available February 15, 2017 As ayackers have learned to evade tradiconal signature- based solucons, an analyccs- based approach has become extremely important. CSA+ applies behavioral analyccs to the IT security market to improve the overall state of security.

12 2 What tools do security analysts use?

13 Tools of the Trade Open Source Open source so^ware Descrip>on URL Wireshark Network protocol analyzer / packet capture tool hgps:// Bro and/or Snort Network intrusion deteccon systems (NIDS) hgps:// hgps:// AlienVault Open Source SIEM (OSSIM) with Open Threat Exchange (OTX) Security InformaCon and Event Management (SIEM) soaware hgps:// products/ossim

14 Security InformaCon and Event Management (SIEM) soaware All about logs To constantly aggregate and analyze internal and external network logs To quickly prevent breaches or perform incident response using these logs What does it address? Threat management Incident response Compliance 80% of SIEMs are funded to close a compliance gap Security OperaCons Center (SOC) Security Analyst, SOC Analyst, Vulnerability Analyst, Cybersecurity Specialist Threat Intelligence Analyst, Security Engineer

15 Tools of the Trade Vendor Specific Vendor- specific so^ware Descrip>on URL Intel Security / MacAfee Enterprise Security Manager SIEM, threat deteccon hgp:// enterprise- security- manager.aspx Dell/EMC RSA Security AnalyCcs and RSA NetWitness Suite SIEM, threat deteccon hgp:// hgps:// us/products- services/ threat- detec>on- and- response Splunk Enterprise Security SIEM, threat deteccon hgps:// premium- solu>ons/splunk- enterprise- security.html AlienVault Unified Security SIEM, threat hgps://

16 Tools of the Trade Vendor Specific Vendor- specific so^ware Descrip>on URL HPE Security ArcSight ESM SIEM, threat deteccon hgp://www8.hp.com/us/en/so^ware- solu>ons/siem- security- informa>on- event- management/ IBM Security QRadar SIEM SIEM, threat deteccon hgp://www- 03.ibm.com/so^ware/products/en/ qradar- siem/ LogRhythm Unified Security Intelligence Plarorm SIEM, threat deteccon hgps://logrhythm.com/products/security- intelligence- pladorm/

17 SIEM Example

18 How does a SIEM 3 work unified security management?

19 OSSIM AlienVault Open Source SIEM (OSSIM) free, but no support AlienVault USM is commercial version ($32K). What it does: External Data Sources: applicacons and devices that generate events Sensors: collect and normalize events Server: conducts risk assessment, correlacon direccves and storage of events in an SQL database (SIEM) Storage: events are digitally signed and Cme stamped in a massive storage system, usually NAS or SAN, called Logger, that includes an addiconal database for forensics. Web Interface - provides a reporcng system, metrics, reports, dashboards, CckeCng system, vulnerability management system, real- Cme network informacon

20 Source: LogRhythm s Unified Security Intelligence PlaAorm

21 OSSIM InstallaCon OSSIM.ISO image includes Linux Debian, OSSIM, and OSSIM agent soaware AlienVault_OSSIM_64bits_5.3.2.iso (630 MB) hyps:// Implement on virtual machine Needs power AWS or Azure recommended

22 OSSIM Agents and Plug Ins SIEMs work best in a large organizacon with mulcple network devices, such as firewalls, IDS/IPS, anc- virus, web servers, etc. To collect logs from hosts Install agents, such as OSSEC (Linux) and Snare (Windows) To connect data- sources to OSSIM server Install plug- ins (XML- based configuracon file) at data source Plug- ins integrated into many security tools: CheckPoint, Cisco, Citrix, Exchange, IIS, Syslog, Wmi, Nessus, AnC- virus (Sophos, Symantec, McAfee, Avast), OSSEC, Snare Apache, Snort, Ntop, Nmap, OpenVAS, P0f, Pads, Arpwatch, OSSEC, Osiris, Nagios, OCS, Kismet

23 CorrelaCon Separates SIEM from IDS/IPS using intelligence Reduces false posicves Calculates mulcple input events and alarms into a more manageable number of events to address Cross CorrelaCon Works only with events that have defined descnacon IP addresses Checks IP address in database to determine any vulnerabilices Changes the reliability value of the event, which is used to calculate risk Removes a lot of alarms

24 CorrelaCon (cont d) CorrelaCon DirecCve Generates an alarm by following rules Rules wriyen in XML (there can be thousands most preconfigured) Analyze mulcple events and decide whether to raise an alarm or not E.g., mulcple login ayempts into a web server using SSH Capable of idencfying zero- day ayacks, since it uses rules based on behavior

25 OSSIM data management: Raw logs Events Alarms Tickets Risk CalculaCon Raw logs are sent to OSSIM server and normalized The logs become events Alarms are raised when the risk value of event is 1 on a scale to 10. [ASSET VALUE(0-5)*PRIORITY(0-5)*RELIABILITY(0-10)] /25 = RISK OF THE EVENT(0-10) Tickets are manually or automaccally created in OSSIM aaer reviewing alarms. Assigned to appropriate personnel.

26 ReporCng Highly scalable Easy to use Schedule reports and e- mail

27 4 How is threat intelligence integrated?

28 Threat Intelligence Source: hbps://

29 Source: hbps://

30 Source: hbps://

31 5 Real world examples

32 LogRhythm: Financial Server Hack Discovered

33 Source: hbps://logrhythm.com/products/security- intelligence- plaaorm/

34 Source: hbps://logrhythm.com/products/security- intelligence- plaaorm/

35 Splunk: Database Hack Discovered

36 Source: hbps:// solujons/splunk- enterprise- security.html

37 Source: hbps:// solujons/splunk- enterprise- security.html

38 AlienVault: Bruteforce ayack discovered

39 Source: hbps://

40 Source: hbps://

41 Thank You QuesCons?