Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One
Slide 1. Security Information Managers: State of the Art
Joel M Snyder, Senior Partner, Opus One, jms@opus1.com

Slide 2. Definition
SIMs accept security information from multiple sources within the enterprise and analyze it to provide a higher level of understanding.
Also sold as: SIM, SEM, SEIM, SIEM, ESM, you-name-it.

Slide 3. Or, in pretty pictures
[Diagram: inputs (SYSLOG, Windows, SSH/Telnet, Files, SNMP, Databases) flow into the SIM, which produces Insight!, Alerts!, Reports!, Archives!]

Slide 4. You have lots and lots of data
- You can collect from existing points
- You can add tools, such as IDS
- Your servers & workstations have useful data as well

Slide 5. Data Are Pretty Useless Without Analysis
Collecting raw data doesn't help you very much unless your goal is filling up that SAN:

    (50 switches * 1 event/hour
     + 4 firewalls * 10 log entries/second
     + 20 routers * 25 netflows/second
     + 10 servers * 1 event/minute
     + workstations * 1 event/hour
     + 2 IDS sensors * 15 events/second)
    * 100 chars/entry * 24 hrs/day * 7 days/week = 32 Gbytes/week

Slide 6. Welcome to the World of SIM/SEM
Grabbing all that data is just a starting point, though. Vendors in the space at the time of this talk: eiqnetworks, CA, Hightower, netforensics, OpenService, Tenable, Arcsight, Consul, Intellitactics, NetIQ, Protego (CSCO), Q1 Labs, LogLogic, E-Security (Novell), Network Intelligence (RSA/EMC), Symantec, TriGeo.

Slide 7. SIMs support a security information lifecycle
[Cycle diagram: Collect -> Normalize and Store -> Correlate/Analyze -> Alert/Respond -> Reporting -> Forensics -> back to Collect]

Slide 8. Collecting Is More Than Filling up Disks
- Data have to be collected:
  - Syslog (sure, pick the easy one)
  - SNMP Traps
  - Windows Event Logs and Performance Data (agent-full or agent-less)
  - Vulnerability analyzer reports/logs/data
  - J. Random Log Files
  - Anything Else You Can Imagine
- Data have to be normalized
- Data have to be stored and managed
[Lifecycle diagram]

Slide 9. Normalization and Storage Management are Hard
Normalization: these two records describe the same connection, in two vendors' formats:

    14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15
    Jan 16 14:55: netscreen.opus1.com: Netscreen device_id= systemnotification 00257(traffic): start_time=" :55:19" duration=1 policy_id=0 service=http proto=6 src zone-trust dst zone=untrust action=permit sent=11903 rcvd src= dst= src_port=4523 dst_port=80

Storage: data grow forever, so plan for on-line, near-line and off-line tiers.

Slide 10. Most SIM products normalize fields, and apply a hierarchy
Raw firewall record:

    14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15

Normalized fields (address and port cells did not survive transcription):

    Date/Time | Message                      | Source IP | Source Port | Dest IP | Dest Port | Proto. | Severity
    14:55     | Traffic accepted by firewall |           |             |         |           | TCP    | INFO
    14:55     | IIS backslash evasion        |           |             |         |           | TCP    | WARNING

A raw IDS record from the same traffic:

    14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] {TCP} :4523-> :80

Slide 11. The Hierarchy is Important to Unifying your View
    Attack Behavior
      Inferred Attack
      Resource Attack
      Network Attack
    Access
      Application Access
        Database Access
        File Transfer Access
        Mail Access
      Configuration Access
      Core Access
        ICMP Redirect Access
      File System Access
        NFS Access
    Suspicious Behavior
      Authentication Suspicious
        Failed Authentication
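As an added example (not from the slides), the normalization step of slides 9 through 11 in Python: three constructed records in the Check Point-style, NetScreen key=value and Snort formats shown above are parsed into the slide 10 field set and placed in the slide 11 hierarchy. The service-to-leaf, service-to-port, protocol-number and Snort-priority mappings are assumptions, not anything the talk states.

```python
"""Normalize three log formats into the common field set and category hierarchy from the slides."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    time: str
    message: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    proto: Optional[str]
    severity: str
    category: str  # path in the hierarchy, e.g. "Access/Application Access/File Transfer Access"

# Parent -> children, as drawn on the hierarchy slide.
HIERARCHY = {
    "Attack Behavior": ["Inferred Attack", "Resource Attack", "Network Attack"],
    "Access": ["Application Access", "Configuration Access", "Core Access", "File System Access"],
    "Application Access": ["Database Access", "File Transfer Access", "Mail Access"],
    "Core Access": ["ICMP Redirect Access"],
    "File System Access": ["NFS Access"],
    "Suspicious Behavior": ["Authentication Suspicious"],
    "Authentication Suspicious": ["Failed Authentication"],
}
# Assumed mappings (not on the slides): service -> hierarchy leaf, service -> port,
# IP protocol number -> name, Snort priority -> severity.
SERVICE_CATEGORY = {"tftp": "File Transfer Access", "ftp": "File Transfer Access",
                    "smtp": "Mail Access", "mysql": "Database Access", "nfs": "NFS Access"}
SERVICE_PORTS = {"http": 80, "https": 443, "tftp": 69, "ftp": 21, "smtp": 25}
IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}
SNORT_SEVERITY = {1: "CRITICAL", 2: "ERROR", 3: "WARNING"}

FW1_RE = re.compile(  # Check Point-style: "<time> accept <host> ... src A s_port P dst B service S proto T"
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<host>\S+) .*?src (?P<src>\S+) s_port (?P<sport>\d+) "
    r"dst (?P<dst>\S+) service (?P<svc>\S+) proto (?P<proto>\w+)")
SNORT_RE = re.compile(  # "<time> <sensor> SFIMS: [gid:sid:rev] <msg> [Classification: c] [Priority: n] {PROTO} A:P -> B:Q"
    r"^(?P<time>\d\d:\d\d:\d\d) \S+ SFIMS: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[Classification: (?P<cls>[^\]]*)\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # NetScreen key=value pairs; values may be quoted

def category_path(leaf: str) -> str:
    """Walk up HIERARCHY from a leaf to produce 'Root/.../Leaf'."""
    path = [leaf]
    while True:
        parent = next((p for p, kids in HIERARCHY.items() if path[0] in kids), None)
        if parent is None:
            return "/".join(path)
        path.insert(0, parent)

def _fw_event(time, action, src, sport, dst, dport, proto, svc) -> Event:
    """Common builder for firewall permit/deny records from either vendor format."""
    accepted = action in ("accept", "permit")
    return Event(
        time=time, message=f"Traffic {'accepted' if accepted else 'denied'} by firewall ({svc})",
        src_ip=src, src_port=int(sport) if sport else None,
        dst_ip=dst, dst_port=int(dport) if dport else None,
        proto=proto.upper() if proto else None,
        severity="INFO" if accepted else "WARNING",  # assumed severity policy
        category=category_path(SERVICE_CATEGORY.get(svc, "Application Access")),
    )

def normalize(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None means the format was not recognised."""
    m = FW1_RE.match(line)
    if m:
        return _fw_event(m["time"], m["action"], m["src"], m["sport"], m["dst"],
                         SERVICE_PORTS.get(m["svc"]), m["proto"], m["svc"])
    m = SNORT_RE.match(line)
    if m:
        return Event(
            time=m["time"], message=f"{m['msg']} [{m['sid']}] {m['cls']}",
            src_ip=m["src"], src_port=int(m["sport"]), dst_ip=m["dst"], dst_port=int(m["dport"]),
            proto=m["proto"].upper(), severity=SNORT_SEVERITY.get(int(m["prio"]), "INFO"),
            category=category_path("Network Attack"),  # assumed: IDS signature hits are network attacks
        )
    if "NetScreen" in line:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "src" in kv and "dst" in kv:
            return _fw_event(kv.get("start_time", ""), kv.get("action", ""), kv["src"], kv.get("src_port"),
                             kv["dst"], kv.get("dst_port"), IP_PROTO.get(kv.get("proto", ""), kv.get("proto")),
                             kv.get("service", ""))
    return None

# Constructed sample lines in the three formats shown on the slides (addresses are documentation ranges).
SAMPLE_LINES = [
    "14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 192.0.2.10 s_port 4523 "
    "dst 198.51.100.5 service http proto tcp rule 15",
    'Jan 16 14:55:20 netscreen.opus1.com: NetScreen device_id=ns5 system-notification-00257(traffic): '
    'start_time="2006-01-16 14:55:19" duration=1 policy_id=0 service=http proto=6 src zone=trust '
    'dst zone=untrust action=permit sent=11903 rcvd=4021 src=192.0.2.10 dst=198.51.100.5 '
    'src_port=4523 dst_port=80',
    "14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] "
    "{TCP} 192.0.2.10:4523 -> 198.51.100.5:80",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

Lines that match no parser come back as None rather than being silently skipped, so a collector can count unparsed formats, which is usually the first thing that goes wrong after a firewall upgrade.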
Slide 12. Correlation and Analysis are where SIMs earn their keep
- Events/log data need to be prioritized
- Events/log data need to be combined to form a greater whole
- Events/log data need to be correlated so that particular patterns can be identified
- Events/log data/flow data need to be aggregated so that traffic and trend data can be brought out
[Lifecycle diagram]

Slide 13. Cross-event Correlation is the most common type to consider
Sometimes a single event is what you care about:

    Jan 16 14:37: netscreen.opus1.com: NetScreen device_id= system-warning : duration=0 start_time=" :37:04" netscreen: Admin User "netscreen" logged in for Web(https) management (port 443) from :3473. ( :34:32)
    -> Unauthorized Access to Administrative Services

Sometimes you want multiple events:

    14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15 resource=
    14:55:22 accept fw1.opus1.com >eth0 product VPN-1 & Firewall-1 src s_port 69 dst service tftp proto udp rule 18
    -> Successful NIMDA causing victim to TFTP down virus

Slide 14. Correlation and Analysis can also bring together different data sources
[Diagram: sflow records, firewall data, VA data, IDS data and host information combine into a host profile: DNS & NetBIOS names; operating system; MAC & IP addresses; VLAN tag; attributes (criticality, notes, additional user-specified); protocols (L3: IP, etc.; L4: TCP, UDP, etc.); services (ports and protocols, banners); manager configuration; client applications; vulnerabilities]

Slide 15. Flow Data are a nice Bonus
[Diagram: one TCP session as a flow record summarizes it: SYN, SYN-ACK, ACK, Data, Data, FIN, FIN-ACK, ACK]

Slide 16. With Correlation and Analysis, You Want Alerting
- Alerting has a bad name (and well it should)
- Poor alerting was invented by the pager companies as a way to sell minutes
- Alerting requires very flexible thinking and configuration: time-of-day differences, rate limiting, different profiles
[Lifecycle diagram]

Slide 17. Correlation and Alerts Form Business Rules
This is the heart of SIM. You explain what is important to you and what you want to do about it; the SIM sorts through the pile of poop. Experienced consulting helps a lot here.

Slide 18. Business Rules Are Not Hard to Write
Track Compromised Systems:

    IF (attack signature towards a system)
    AND THEN WITHIN 10 MINUTES (ICMP rate towards same system goes over 5/minute)
    THEN ALERT

Keep Backups of Diskless Devices:

    IF (Cisco syslog shows configuration was changed)
    THEN Launch Script to Backup Config
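An added example (not code from the talk) of a small sequence-correlation engine that implements the slide 18 "Track Compromised Systems" rule and, as an assumed reading of the slide 13 NIMDA case, an "HTTP attack against a host, then that host opens a TFTP session" rule. Input events are constructed dicts that are already normalized, with timestamps in seconds; the rule names and thresholds beyond slide 18's 10 minutes and 5/minute are assumptions.

```python
"""Sequence correlation: 'trigger against host H, then follow-ups on H above a rate within a window'."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

Pred = Callable[[dict], bool]
Host = Callable[[dict], str]

@dataclass
class Rule:
    name: str
    trigger: Pred            # event that opens a watch on a host
    trigger_host: Host       # which address the watch is keyed on (usually the attacked host)
    followup: Pred           # event that counts toward the threshold
    followup_host: Host      # address of the follow-up that must equal the watched host
    window_s: float          # how long after the trigger follow-ups are still considered
    threshold: int           # alert when more than this many follow-ups fall inside rate_window_s
    rate_window_s: float

@dataclass
class Correlator:
    rules: List[Rule]
    watches: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (rule, host) -> trigger ts
    hits: Dict[Tuple[str, str], Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    alerts: List[str] = field(default_factory=list)

    def feed(self, ev: dict) -> List[str]:
        """Consume one normalized event (ts in seconds); return alerts raised by it."""
        raised = []
        for r in self.rules:
            if r.trigger(ev):                       # (re)open the watch; earlier counts are discarded
                key = (r.name, r.trigger_host(ev))
                self.watches[key] = ev["ts"]
                self.hits[key].clear()
                continue
            if not r.followup(ev):
                continue
            key = (r.name, r.followup_host(ev))
            opened = self.watches.get(key)
            if opened is None or ev["ts"] - opened > r.window_s:
                continue                            # no open watch for this host, or it has expired
            q = self.hits[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > r.rate_window_s:   # sliding rate window
                q.popleft()
            if len(q) > r.threshold:
                msg = f"{r.name}: {key[1]} ({len(q)} follow-ups within {r.rate_window_s:.0f}s)"
                raised.append(msg)
                self.alerts.append(msg)
                del self.watches[key]               # fire once per trigger; a new attack re-arms it
                q.clear()
        return raised

def is_attack(ev: dict) -> bool:
    return ev["category"].startswith("Attack Behavior")

RULES = [
    # Slide 18: attack signature, then ICMP toward the same system exceeding 5/minute within 10 minutes.
    Rule("Track Compromised Systems", is_attack, lambda e: e["dst_ip"],
         lambda e: e["proto"] == "ICMP", lambda e: e["dst_ip"],
         window_s=600, threshold=5, rate_window_s=60),
    # Slide 13 (assumed reading): HTTP attack against a host, then that host itself opens a TFTP session.
    Rule("Successful NIMDA (victim TFTPs down virus)", lambda e: is_attack(e) and e["service"] == "http",
         lambda e: e["dst_ip"], lambda e: e["service"] == "tftp", lambda e: e["src_ip"],
         window_s=600, threshold=0, rate_window_s=600),
]

def run(events: List[dict], rules: List[Rule] = RULES) -> List[str]:
    """Replay a time-ordered event list through the rules and return all alerts."""
    c = Correlator(rules)
    for ev in events:
        c.feed(ev)
    return c.alerts

def mk(ts, src, dst, proto, category="Access/Application Access", service=""):
    return {"ts": ts, "src_ip": src, "dst_ip": dst, "proto": proto, "category": category, "service": service}

# Constructed stream: host .5 is attacked, then pinged 7 times in 48 s and fetches a file via TFTP;
# host .6 is attacked but only pinged after the 10-minute window has closed.
SAMPLE_EVENTS = (
    [mk(0, "192.0.2.10", "198.51.100.5", "TCP", "Attack Behavior/Network Attack", "http"),
     mk(5, "192.0.2.11", "198.51.100.6", "TCP", "Attack Behavior/Network Attack", "http")]
    + [mk(100 + 8 * i, "192.0.2.10", "198.51.100.5", "ICMP") for i in range(7)]
    + [mk(160, "198.51.100.5", "192.0.2.10", "UDP", service="tftp")]
    + [mk(1000 + i, "192.0.2.11", "198.51.100.6", "ICMP") for i in range(7)]
)

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

The watch is keyed per rule and per host, so a ping burst against a host that was never attacked, or one that arrives after the 10-minute window, produces nothing; that keying is what keeps a rule like this from paging on ordinary monitoring traffic.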
Slide 19. Good SIMs also come with a pile of business rules and auto-correlation
    Rule                                           | Description
    HT11 Inactive Reporting Asset Notification     | Rule HT11 reports inactivity from Reporting Assets during a given time frame. Rule HT11 determines if a Reporting Asset has stopped reporting.
    HT12 Attack Followed by Account Change         | Rule HT12 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for account changes that occur directly after attacks.
    HT13 Attack Followed by Service Change         | Rule HT13 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for service changes (additions, deletions, or modifications) that occur directly after attacks. This rule will also monitor for key words in a URL string and the direction of traffic between assets and non-assets.

Slide 20. Some Brave Souls like Active Response
Anatomy of a Self-Inflicted Denial of Service Attack:
1. IPS or system reports login failures from one address (user can't remember password to his web server).
2. SIM decides to block all traffic from that address for 1 hr.

Slide 21. So What Happens Next?
1. Traffic is blocked to user's web server. User can no longer get to web server from his home cable modem.
2. User assumes web server is dead. User VPNs into remote power system and cycles power to device.
3. User is impatient. Device is fsck-ing disk 5 minutes later when user cycles power again.
4. Now web server is truly dead.

Slide 22. Even if you like it, Active Response is harder than it sounds
- Attack from the Internet: where does the block go?
- Attack from within: where does the block go?
- How long to block?

Slide 23. Once the Data Are There, Managing Them Is a Part of the Job
Forensics, reporting, archiving. Companies are coming under more and more compliance regimes which require not only keeping 3 to 7 years' worth of logs but the ability to retrieve data from those archives quickly and flexibly.
[Lifecycle diagram]

Slide 24. Reporting Is More Than Making C-series Execs Happy
- Performance analysis is useful data for you
- And of course pretty pictures are nice for management

Slide 25. Forensics Are a Natural Follow-on to Any Pile of Data
- This system was attacked by X. Who else has X attacked?
- System Y generated a log message. How many times has this happened this year?
- Alert Z happened. What other alerts happen every time Z happens?
- Event M is happening. What went on just prior to this starting?

Slide 26. Picking a SIM Means Looking at Each Requirement
- How does it collect and store data? Can it integrate with a variety of network elements? Does it talk to a VA scanner (if you care)? How smart is it regarding hosts (if you care)?
- How are business rules expressed? How does it correlate and analyze data?
- How flexible is it in alerting? If you want active response: does it work?
- What are the forensics capabilities? Can it support your data retention requirements?
- Does it have useful reports? Useful to you, and useful to management.

Slide 27. Thanks!
Joel Snyder, Senior Partner, Opus One
Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security
More informationNortel Networks Optivity Policy Services
Sharon Fisher Product Report 7 January 2004 Nortel Networks Optivity Policy Services Summary Optivity Policy Services is system-level software for managing the traffic prioritization and network access
More informationMcAfee SIEM Port Usage by Appliance
McAfee SIEM Port Usage by Appliance Application Direction Port(s) Protocol Destination / Description ETM Enterprise Security Manager Active Directory out 389, 3268 tcp Active Directory. Port 3268 is used
More information: Administration of Symantec Endpoint Protection 14 Exam
250-428: of Symantec Endpoint Protection 14 Exam Study Guide v. 2.2 Copyright 2017 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and Altiris are trademarks or registered trademarks
More informationHistory Page. Barracuda NextGen Firewall F
The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic
More information90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation
Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on April 16, 2018 15:41 PM O verview 1 90% Compliance About PCI DSS 2.0 PCI-DSS is a legal obligation mandated not by government
More informationDynamic Datacenter Security Solidex, November 2009
Dynamic Datacenter Security Solidex, November 2009 Deep Security: Securing the New Server Cloud Virtualized Physical Servers in the open Servers virtual and in motion Servers under attack 2 11/9/09 2 Dynamic
More informationEnterprise IPv6 Deployment Security and other topics
Enterprise IPv6 Deployment Security and other topics 6. Slo IPv6 Summit 8 Nov, 2011 Ljubljana, Slovenia Ron Broersma DREN Chief Engineer SPAWAR Network Security Manager Federal IPv6 Task Force ron@spawar.navy.mil
More informationNGFW Security Management Center
NGFW Security Management Center Release Notes 6.4.4 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5
More information