Lecture #8: Correlation. Matthijs Koot / SNE-IDS college 07-08
1 Lecture #8: Correlation Faculteit van Natuurwetenschappen, Wiskunde en Informatica Universiteit van Amsterdam / SNE-IDS college 07-08
2 Outline
3 Common problems with point-solution IDSs
Common problems with point-solution IDSs:
- Too many false positives: the rare true positive will be overlooked
- Too many alerts for a single intrusion: causes brain damage to the (human) IDS operator
- No high-level views: What is the blackhat trying to do? Can we predict his next step (probabilistically)? Does the attack impact critical business systems?
4 Correlation
Correlation provides a (partial) solution. [Diagram: uncorrelated intrusion alerts enter a correlation step driven by algorithms and external info; the correlated output separates them into unknown alerts, alerts correlated to attack 1, alerts correlated to attack 2, and false positives.]
5 Outline
6
- IDSs (alerts): host IDS, network IDS, application IDS (each misuse- or anomaly-based)
- Logs (log entries): host (syslog, NT Eventlog); network (firewalls, routers, switches); application (Apache/IIS log, Oracle/MS-SQL log, SAP)
- Other (context knowledge): Configuration Mgmt DB (CMDB); network/service health monitors (Nagios, Solarwinds, etc.); vulnerability assessment systems
7 Outline
8
[Diagram: signals (network traffic, OS activity, application data, hardware sensors) are turned into events, and events into alerts.]
9 Log policy and alert policy
[Diagram: signals (network traffic, OS activity, application data, hardware sensors) pass through the log policy to become events; events pass through the alert policy to become alerts.]
10 Event correlation and alert correlation
[Diagram: the same signals -> log policy -> events -> alert policy -> alerts pipeline, with event correlation applied at the event stage and alert correlation at the alert stage.]
11 Definitions
Definition: Intrusion event correlation refers to the interpretation, combination, and analysis of neutral events from all available sources, about target system activity, for the purposes of intrusion detection and response.
Definition: Intrusion alert correlation refers to the interpretation, combination, and analysis of intrusion alerts, together with information external to the intrusion detection system, with the purpose of intrusion alert refinement and intrusion scenario building.
Source: "Extending Intrusion Detection with Alert Correlation and Intrusion Tolerance", Dan Gorton, 2003
12 Example correlation table
Today's focus is alert correlation, but here is an example event correlation table:
Source: "Log Correlation for Intrusion Detection - A Proof of Concept", Abad et al., 2003 (paper)
13 Outline
14 Log policy
Log policy: what should (not) be logged?
Candidate loggables (signals):
- Application/data-level activity
- OS-level activity
- Network-level activity
- Hardware-level activity
What signals are (not) relevant to recognizing malicious activity? (non-trivial!)
- Examine known attacks for (potential) log trails
- Deploy a honeynet, get attacked, and learn
- Log everything, always (this might allow better recognition of 0-day attacks)
- Logging guidelines (NIST, NSA, vendors)
Trade-off: logging detail vs. cost in performance/storage
15 Alert policy
Alert policy: what events (don't) yield an alert?
Context: situation-specific understanding of threat and intrusion
- CTO: attacks on technology
- CIO/CISO: attacks on information
- Compliance officer: attacks compromising compliance with law and regulations (e.g. attacks against audit trails (SOX), leakage of customer or patient data)
- CEO/CFO: attacks on high-value assets and business goals
What combination of events indicates an intrusion?
- Examine known attack strategies for (potential) traces
- Deploy a honeynet, get attacked, and learn
- Share/maintain expert rules in a common, public knowledge base for security logs/events/alerts (CAPEC?)
16 Outline
17 Goals
Goals of alert correlation:
- Reduce the total number of alerts: elimination, fusion, aggregation, synthesis
- Improve diagnostics: type of activity, relevance, verification
- Track activity: information leaked to the attacker, information leaked from the attacker
18 Process
[Figure from the source below: the correlation process.] Source: "Intrusion Detection and Correlation: Challenges and Solutions", Krügel, Valeur and Vigna, 2005 (book)
19 Process (continued)
[Figure from the source below: the correlation process, continued.] Source: "Intrusion Detection and Correlation: Challenges and Solutions", Krügel, Valeur and Vigna, 2005 (book)
20 Outline
21 Normalization
Normalize syntax and semantics:
- Semantics: CVE, Bugtraq, intrusion alert ontology
- Syntax: CIDF yielded IETF-IDWG, which yielded IDMEF/IDXP
IDMEF = Intrusion Detection Message Exchange Format
22 Normalization (2)
Example IDMEF (the address values did not survive transcription):
    <IDMEF-Message version="0.3">
      <Alert ident="12345" impact="unknown">
        <Analyzer analyzerid="snort:1.8.6">
          <Node><name>brp-snort</name></Node>
        </Analyzer>
        <CreateTime ntpstamp="0xc12b141a.0xa5baa000"/>
        <Source><Node>
          <Address category="ipv4-addr"><address></address></Address>
        </Node></Source>
        <Target><Node>
          <Address category="ipv4-addr"><address></address></Address>
        </Node></Target>
        <Classification origin="vendor-specific">
          <name>icmp PING NMAP</name>
        </Classification>
      </Alert>
    </IDMEF-Message>
Adapted from: "A Comprehensive Approach to Intrusion Alert Correlation", Valeur et al., 2004 (paper)
23 Normalization (3)
IDXP is the transport model for IDMEF:
- IDXP = Intrusion Detection Exchange Protocol
- BEEP = Blocks Extensible Exchange Protocol (RFC 3080)
- IDXP carries IDMEF messages and is implemented as a BEEP profile
24 Outline
25 Alert reduction (1): fusion
Fusion: recognize and remove redundancy in alerts from different sensors.
26 Alert reduction (2): verification
Verification: recognize and remove irrelevant and failed attacks.
Passive:
- Verify the target's (in)vulnerability in the CMDB (e.g. ignore OS/2-Warp attacks on MINIX machines)
- Wait for post-intrusion activity
- Wait for post-intrusion INactivity (missing heartbeats?)
Active (perturbing):
- Connect to the target, check for rogue processes
- Connect to the target, check (config) files against known-good hashes (e.g. Tripwire)
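The normalization of slides 21-23 and the fusion and passive verification of slides 25-26, as one added example (not code from the lecture or any of the cited works). It assumes IDMEF-shaped input built inline, a constructed CMDB (target -> OS) and a constructed table of which OS each signature can affect; all sample values are made up.

```python
"""Normalize IDMEF-style alerts, fuse duplicates from different sensors, and
passively verify relevance against a CMDB. Added example; not from the lecture."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime


def _msg(ident, sensor, when, src, dst, name):
    """Build a constructed IDMEF message shaped like the lecture's Snort example."""
    return f"""<IDMEF-Message version="0.3">
  <Alert ident="{ident}">
    <Analyzer analyzerid="{sensor}"><Node><name>{sensor}</name></Node></Analyzer>
    <CreateTime>{when}</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>{src}</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>{dst}</address></Address></Node></Target>
    <Classification origin="vendor-specific"><name>{name}</name></Classification>
  </Alert>
</IDMEF-Message>"""


# Constructed input (not real sensor output): two sensors report the same NMAP ping
# one second apart; a third alert is a different (made-up) signature on another host.
RAW_MESSAGES = [
    _msg(1001, "brp-snort", "2008-03-01T10:00:00+00:00", "192.0.2.10", "198.51.100.5", "icmp PING NMAP"),
    _msg(2001, "dmz-snort", "2008-03-01T10:00:01+00:00", "192.0.2.10", "198.51.100.5", "icmp PING NMAP"),
    _msg(1002, "brp-snort", "2008-03-01T10:00:30+00:00", "192.0.2.10", "198.51.100.7", "WEB-IIS constructed-sig"),
]

# Constructed context knowledge: CMDB (target -> OS) and which OS a signature can affect.
CMDB = {"198.51.100.5": "linux", "198.51.100.7": "linux"}
AFFECTS = {"WEB-IIS constructed-sig": {"windows"}}


@dataclass
class Alert:
    ident: str
    sensors: list      # analyzers that reported it; grows when alerts are fused
    time: datetime
    src: str
    dst: str
    classification: str


def parse_idmef(xml_text):
    """Syntax normalization: one IDMEF message -> one Alert record."""
    alert = ET.fromstring(xml_text).find("Alert")
    return Alert(
        ident=alert.get("ident"),
        sensors=[alert.find("Analyzer").get("analyzerid")],
        time=datetime.fromisoformat(alert.findtext("CreateTime")),
        src=alert.findtext("Source/Node/Address/address"),
        dst=alert.findtext("Target/Node/Address/address"),
        classification=alert.findtext("Classification/name"),
    )


def fuse(alerts, window_s=5.0):
    """Fusion: same (src, dst, classification) reported by *different* sensors within
    window_s seconds is one event; keep a single record listing all sensors."""
    fused = []
    for a in sorted(alerts, key=lambda x: x.time):
        for f in fused:
            same = (f.src, f.dst, f.classification) == (a.src, a.dst, a.classification)
            close = abs((a.time - f.time).total_seconds()) <= window_s
            if same and close and not set(a.sensors) & set(f.sensors):
                f.sensors.extend(a.sensors)
                break
        else:
            fused.append(Alert(a.ident, list(a.sensors), a.time, a.src, a.dst, a.classification))
    return fused


def verify(alerts, cmdb=CMDB, affects=AFFECTS):
    """Passive verification: a signature that cannot affect the target's OS is
    irrelevant; with no knowledge either way the alert is kept as 'unknown'."""
    verdicts = {}
    for a in alerts:
        target_os, needed = cmdb.get(a.dst), affects.get(a.classification)
        if target_os is None or needed is None:
            verdicts[a.ident] = "unknown"
        else:
            verdicts[a.ident] = "relevant" if target_os in needed else "irrelevant"
    return verdicts


def reduce_alerts(messages=RAW_MESSAGES):
    """Normalize -> fuse -> verify; returns the fused alerts and their verdicts."""
    fused = fuse([parse_idmef(m) for m in messages])
    return fused, verify(fused)


if __name__ == "__main__":
    fused, verdicts = reduce_alerts()
    for a in fused:
        print(a.ident, a.classification, a.src, "->", a.dst, a.sensors, verdicts[a.ident])
```

Repeated alerts from the same sensor are deliberately not fused here, since fusion as defined on slide 25 targets redundancy across sensors; collapsing repeats from one sensor is aggregation.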
27 Outline
28 Intention recognition and alert clustering
Two possible approaches to correlation:
- Alert clustering: "Don't know what's happening, but these alerts appear to be related." Rather like anomaly detection (statistics and probabilism).
- Intention recognition: "Aha! Alerts seem to match <attack-pattern>." Rather like misuse detection (predefined patterns).
29 Alert thread reconstruction
Alert thread reconstruction (alert clustering):
- Cluster alerts into threads based on spatial and temporal proximity
- Incoming alerts are added to their best-matching thread; one thread represents one attack (session)
- Which attributes should be compared? How?
  - Exact match (a_1.srcIP = a_2.srcIP)
  - Domain-specific non-exact (proximity, subnet)
- What weight is assigned to each attribute? Similarity matrices/expectations (require human knowledge, prone to human error).
30 Alert thread reconstruction (2)
One view on correlativity between two alerts h_i and h_j:

$$\mathrm{Cor}(h_i, h_j) = \frac{\sum_{i,j=1}^{p} w_{ij}\,\mathrm{Cor}(x_i, y_j)}{\sum_{i,j=1}^{p} w_{ij}} \qquad (1)$$

Here, two alerts h_i and h_j have p attributes with values x_1..x_p resp. y_1..y_p. The weight w_ij is empirically fine-tuned. Cor(x_i, y_j) is evaluated using similarity matrices.
Source: "Automatic attack plan recognition from intrusion alerts", Li et al., 2007
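Equation (1) and the thread reconstruction of slide 29 worked through as an added example (not code from the lecture or from Li et al.). The similarity matrices (exact/subnet for addresses, a decaying time window, signature family), the weights w_ij and the alerts are all constructed; the off-diagonal src/dst weights go one step beyond the slides by letting the score pick up a pivot from one alert's target to the next alert's source.

```python
"""Alert thread reconstruction with the weighted attribute similarity of equation (1).
Added example; not from the lecture or the cited paper."""
import ipaddress
from datetime import datetime

ATTRS = ("time", "src", "dst", "sig")   # the p = 4 attributes of each alert


def sim_addr(a, b):
    """Similarity matrix for addresses: exact match 1.0, same /24 0.6, else 0.0."""
    if a == b:
        return 1.0
    net = lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False)
    return 0.6 if net(a) == net(b) else 0.0


def sim_time(a, b, full=60.0, zero=600.0):
    """Temporal proximity: 1.0 within `full` seconds, linear decay to 0.0 at `zero`."""
    d = abs((a - b).total_seconds())
    return 1.0 if d <= full else max(0.0, 1.0 - (d - full) / (zero - full))


def sim_sig(a, b):
    """Exact signature 1.0; same family (first token, e.g. 'WEB-IIS') 0.5; else 0.0."""
    return 1.0 if a == b else (0.5 if a.split()[0] == b.split()[0] else 0.0)


# Cor(x_i, y_j) for attribute pair (i, j) and the weights w_ij. Pairs not listed have
# w_ij = 0 and drop out of both sums. The weights are constructed "empirically tuned"
# values; the off-diagonal src/dst entries let the score notice a pivot, i.e. the
# target of one alert showing up as the source of a later one.
SIM = {("time", "time"): sim_time, ("src", "src"): sim_addr, ("dst", "dst"): sim_addr,
       ("sig", "sig"): sim_sig, ("src", "dst"): sim_addr, ("dst", "src"): sim_addr}
W = {("time", "time"): 1.0, ("src", "src"): 2.0, ("dst", "dst"): 2.0,
     ("sig", "sig"): 0.5, ("src", "dst"): 1.5, ("dst", "src"): 1.5}


def cor(h_i, h_j):
    """Equation (1): sum_{i,j} w_ij Cor(x_i, y_j) / sum_{i,j} w_ij."""
    num = sum(w * SIM[(i, j)](h_i[i], h_j[j]) for (i, j), w in W.items())
    return num / sum(W.values())


def reconstruct_threads(alerts, threshold=0.25):
    """Process alerts in time order; each joins the thread whose best member scores
    at least `threshold` against it, otherwise it starts a new thread."""
    threads = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        best, best_score = None, threshold
        for t in threads:
            score = max(cor(m, a) for m in t)
            if score >= best_score:
                best, best_score = t, score
        if best is None:
            threads.append([a])
        else:
            best.append(a)
    return [[m["id"] for m in t] for t in threads]


# Constructed alerts (not real sensor data): a1/a2 are a probe and a scan from one
# source; a3 is a later alert whose source is a1's target (pivot); a4 is an
# unrelated attacker against an unrelated host at almost the same time as a1.
ALERTS = [
    {"id": "a1", "time": datetime(2008, 3, 1, 10, 0, 0), "src": "192.0.2.10", "dst": "198.51.100.5", "sig": "icmp PING NMAP"},
    {"id": "a2", "time": datetime(2008, 3, 1, 10, 0, 20), "src": "192.0.2.10", "dst": "198.51.100.6", "sig": "SCAN nmap TCP"},
    {"id": "a3", "time": datetime(2008, 3, 1, 10, 2, 0), "src": "198.51.100.5", "dst": "198.51.100.9", "sig": "SHELLCODE constructed-sig"},
    {"id": "a4", "time": datetime(2008, 3, 1, 10, 1, 0), "src": "203.0.113.77", "dst": "203.0.113.200", "sig": "WEB-IIS constructed-sig"},
]

if __name__ == "__main__":
    for t in reconstruct_threads(ALERTS):
        print("thread:", t)
```

Note that a4 scores only on temporal proximity (1.0/8.5) and is kept apart, while a3 joins the first thread through the dst/src pivot term even though its source and signature match nothing else in that thread.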
31 Predefined attack scenarios
Predefined attack scenarios (intention recognition). Specification of attack scenarios:
- Attack Scenario Language (Krügel)
- Chronicles formalism (Debar)
- LAMBDA (Cuppens)
32 Prerequisite-consequence analysis
Prerequisite-consequence analysis (intention recognition): alert conditionality through hyper-alerts (fact, prerequisite, consequence).
- Fact specifies an alert (attributes)
- Prerequisite specifies a necessary condition for an attack to be successful (predicate)
- Consequence specifies a possible result (predicate)
- If the chronology allows it, a consequence may fulfill another alert's prerequisite; this yields a (may-)prepare-for relation
33 Prerequisite-consequence analysis (2)
Example hyper-alert correlation graph. [Figure from the source below.]
Source: "Constructing Attack Scenarios through Correlation of Intrusion Alerts", Ning et al., 2002
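The prerequisite-consequence analysis of slides 32-33 as an added example (not code from the lecture or from Ning et al.). The hyper-alert types, their predicate templates and the alerts are constructed; the graph edges are may-prepare-for relations, and connected components stand in for the scenario graphs the slide refers to.

```python
"""Prerequisite-consequence correlation of hyper-alerts into attack scenarios.
Added example; not code from the lecture or from Ning et al."""
from dataclasses import dataclass
from datetime import datetime

# Constructed hyper-alert types: prerequisite and consequence are predicate templates
# whose argument names an alert attribute (SrcIP or DestIP) to be filled in.
HYPER_ALERT_TYPES = {
    "HostProbe":      {"prereq": [],
                       "conseq": ["ExistHost(DestIP)"]},
    "ServiceExploit": {"prereq": ["ExistHost(DestIP)", "VulnerableService(DestIP)"],
                       "conseq": ["GainRoot(DestIP)"]},
    "OutboundShell":  {"prereq": ["GainRoot(SrcIP)"],
                       "conseq": ["ControlledHost(SrcIP)"]},
}


@dataclass
class HyperAlert:
    ident: str
    kind: str          # hyper-alert type, key into HYPER_ALERT_TYPES
    begin: datetime
    end: datetime
    attrs: dict        # the fact: attribute values such as SrcIP, DestIP


def instantiate(template, attrs):
    """'ExistHost(DestIP)' with DestIP=198.51.100.5 -> 'ExistHost(198.51.100.5)'."""
    name, arg = template.rstrip(")").split("(")
    return f"{name}({attrs[arg]})"


def prerequisites(h):
    return {instantiate(t, h.attrs) for t in HYPER_ALERT_TYPES[h.kind]["prereq"]}


def consequences(h):
    return {instantiate(t, h.attrs) for t in HYPER_ALERT_TYPES[h.kind]["conseq"]}


def prepares_for(h1, h2):
    """h1 may-prepare-for h2 when chronology allows (h1 ends before h2 begins) and
    some consequence of h1 is one of h2's prerequisite predicates."""
    return h1.end < h2.begin and bool(consequences(h1) & prerequisites(h2))


def correlation_graph(alerts):
    """Edges of the hyper-alert correlation graph: (preparing, prepared) pairs."""
    return [(a.ident, b.ident) for a in alerts for b in alerts if a is not b and prepares_for(a, b)]


def attack_scenarios(alerts):
    """Connected components of the graph; each component is one (partial) scenario."""
    parent = {a.ident: a.ident for a in alerts}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in correlation_graph(alerts):
        parent[find(a)] = find(b)
    groups = {}
    for ident in parent:
        groups.setdefault(find(ident), []).append(ident)
    return sorted(sorted(g) for g in groups.values())


def ts(h, m, s=0):
    return datetime(2008, 3, 1, h, m, s)


# Constructed alerts (not real data). p1 -> e1 -> s1 form one chain; e2 hits a host
# that was never probed; p2 probes the exploited host only *after* e1, so the
# chronology rules it out as preparation for e1.
ALERTS = [
    HyperAlert("p1", "HostProbe", ts(10, 0), ts(10, 0, 5), {"SrcIP": "192.0.2.10", "DestIP": "198.51.100.5"}),
    HyperAlert("e2", "ServiceExploit", ts(10, 1), ts(10, 1, 1), {"SrcIP": "192.0.2.10", "DestIP": "198.51.100.9"}),
    HyperAlert("e1", "ServiceExploit", ts(10, 2), ts(10, 2, 1), {"SrcIP": "192.0.2.10", "DestIP": "198.51.100.5"}),
    HyperAlert("s1", "OutboundShell", ts(10, 5), ts(10, 5), {"SrcIP": "198.51.100.5", "DestIP": "192.0.2.10"}),
    HyperAlert("p2", "HostProbe", ts(10, 6), ts(10, 6, 5), {"SrcIP": "203.0.113.77", "DestIP": "198.51.100.5"}),
]

if __name__ == "__main__":
    print("prepare-for edges:", correlation_graph(ALERTS))
    print("scenarios:", attack_scenarios(ALERTS))
```

Only one matching predicate is required for an edge, which is why the relation is "may" prepare for: e1's second prerequisite, VulnerableService, is never established by any alert, and a stricter correlator would consult the CMDB for it.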
34 Summary
Discussed:
- + policy
- Reasons for doing event/alert correlation
- Normalization, reduction, correlation (ad Krügel et al. 2005)
Not discussed (but should have been): Bayes, Granger causality, EWMA control charts, visualization
35 Feedback!
Questions regarding this lecture?
Lab assignments: NONE (focus on your project proposal).
These slides will be uploaded here:
SeoulTech UCS Lab Chapter 7 Network Intrusion Detection and Analysis 2015. 11. 3 (Daming Wu) Email: wdm1517@gmail.com Copyright c 2015 by USC Lab All Rights Reserved. Table of Contents 7.1 Why Investigate
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationCISSP - Certified Information Systems Security Professional
CISSP - Certified Information Systems Lab Outline The CISSP Practice Lab will provide you with the necessary platform to gain hands on skills in security. By completing the lab tasks you will improve your
More informationAAD - ASSET AND ANOMALY DETECTION DATASHEET
21 October 2018 AAD - ASSET AND ANOMALY DETECTION DATASHEET Meaningful Insights with Zero System Impact Classification: [Protected] 2018 Check Point Software Technologies Ltd. All rights reserved. This
More informationOperational Network Security
Tim Boerner April 25, 2013 CS598 Network Security Operational Network Security or how I learned that the purpose of network security has little to do with actually securing the network Introduction Thinking
More informationCase Study: Security Implementation for a Pharmaceutical Company
Case Study: Security Implementation for a Pharmaceutical Company The Story Security Challenges and Analysis The Case The SmartPoint Guard Solution The Results The Story About the Pharmaceutical Provider
More informationDemystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases. Gen Fields Senior Solution Consultant, Federal Government ServiceNow
Demystifying Governance, Risk, and Compliance (GRC) with 4 Simple Use Cases Gen Fields Senior Solution Consultant, Federal Government ServiceNow 1 Agenda The Current State of Governance, Risk, and Compliance
More informationData Security. Database Firewalls, Encryption and SIEM Systems ABSTRACT CONTACT
Data Security Database Firewalls, Encryption and SIEM Systems ABSTRACT Securing your data against unauthorized access and the certainty of data integrity are paramount in dealing with databases and file
More informationTHREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION
SESSION ID: AIR-W12 THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION Justin Monti CTO MKACyber Mischel Kwon CEO MKACyber @MKACyber What is Cyber Threat Intelligence Data collected,
More informationThe Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks
The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks Mark Nicolett Notes accompany this presentation. Please select Notes Page view. These materials
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More information