Security Administration Tools and Practices - PowerPoint PPT Presentation

About This Presentation

Title: Security Administration Tools and Practices

Description: Symantec Anti-virus. Tripwire. Rootkit. Sebek. Bro. Bro (http://www.bro-ids.org/) is a NIDS. ... Nessus is a free comprehensive vulnerability scanning software. ...

Slides: 36
Provided by: Amit61

Transcript and Presenter's Notes

Title: Security Administration Tools and Practices


1
Security Administration Tools and Practices
  • Amit Bhan
  • Usable Privacy and Security

2
Agenda
  • Security Administration
  • Purpose of Security Tools
  • Examples of Security Tools
  • Security Incident Manager (SIM)
  • Security Monitoring
  • Cases from the Field
  • Problems with Security Administration
  • Improvements

3
Security Administration?
  • is the process of maintaining a safe computing
    environment.
  • Purpose? Need?
  • Security Administrator
  • Responsibilities?

4
Purpose of Security Tools
  • Combining text and visuals
  • Reporting
  • Monitoring
  • Correlating
  • Simplify the life of a Security Administrator

5
Combining Text and Visuals
  • Size and complexity of networks
  • A System Administrator has a variety of
    responsibilities: install, configure, monitor,
    debug and patch
  • Visualization vs. Perl Scripts
  • VisFlowConnect-IP (who is connecting to whom on
    my network?)
  • Other tools (discuss later)

6
Reporting
  • Many security tools have a built-in capability
    for reporting
  • Why is reporting important?
  • Examples
  • Nessus (vulnerability information)
  • SIM (security incidents information)

7
Monitoring
  • Some security tools provide a live data feed of
    network activity
  • Different types of monitoring
  • Network monitoring
  • Security event monitoring
  • Network Security Incident monitoring

8
Correlation
  • Correlation integrates the key security factors
    that are critical in determining the potential
    for significant damage within an organization.
    These factors are:
  • Real time events from heterogeneous devices
  • Results of vulnerability scans and other sources
    of threat data
  • The value of the host, database or application to
    the organization.
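To make the three factors concrete, here is an added example (written for this page, not taken from the presentation or from any product it names) of a small correlation routine in Python. Each real-time event, already normalized to a common schema, is scored by its severity, by whether a vulnerability scan confirmed or ruled out the weakness the event refers to, and by the value of the targeted asset. The scoring formula, the hosts, the asset values, the finding identifiers and the events are all constructed; the identifiers are placeholders, not real advisory numbers.

```python
"""Toy correlation: combine real-time events from heterogeneous devices,
vulnerability-scan results and asset value into one priority score.
Added example; every value below is constructed."""
from collections import defaultdict

# Constructed asset inventory: business value on a 1-5 scale.
ASSET_VALUE = {
    "10.0.0.5": 5,   # payroll database server
    "10.0.0.23": 2,  # developer workstation
    "10.0.0.40": 1,  # test box
}

# Constructed vulnerability-scan results: host -> open findings.
# A host with an empty set was scanned and found not exposed.
SCAN_FINDINGS = {
    "10.0.0.5": {"VULN-A"},
    "10.0.0.23": set(),
}

# Constructed events in a common schema: device, host, kind, ref, severity.
# "ref" is the finding the event relates to, or None when it has no such link.
EVENTS = [
    {"device": "ids-1", "host": "10.0.0.5", "kind": "exploit_attempt", "ref": "VULN-A", "severity": 3},
    {"device": "ids-1", "host": "10.0.0.23", "kind": "exploit_attempt", "ref": "VULN-A", "severity": 3},
    {"device": "fw-1", "host": "10.0.0.40", "kind": "port_scan", "ref": None, "severity": 1},
    {"device": "av-1", "host": "10.0.0.23", "kind": "malware_detected", "ref": None, "severity": 4},
]

UNKNOWN_ASSET_VALUE = 3  # assumed medium value when the inventory has no entry

def score_event(event, findings, asset_value):
    """Priority = severity * vulnerability factor * asset value (constructed heuristic).
    The vulnerability factor doubles when the scanner confirmed the referenced
    finding on that host, halves when the scanner checked the host and did not
    find it, and stays 1 when the scanner has no data or the event has no ref."""
    host = event["host"]
    value = asset_value.get(host, UNKNOWN_ASSET_VALUE)
    factor = 1.0
    ref = event["ref"]
    if ref is not None and host in findings:
        factor = 2.0 if ref in findings[host] else 0.5
    return event["severity"] * factor * value

def correlate(events, findings=SCAN_FINDINGS, asset_value=ASSET_VALUE):
    """Sum the scores per host and return hosts ordered highest priority first."""
    totals = defaultdict(float)
    for ev in events:
        totals[ev["host"]] += score_event(ev, findings, asset_value)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for host, total in correlate(EVENTS):
        print(f"{host:12} priority {total:5.1f}")
```

The same IDS alert scores ten times higher against the payroll server (scanner confirmed the finding, high asset value) than against the workstation (scanner found it not exposed, low asset value), which is the ordering an administrator wants when there is "too much to look at".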

9
Life of a Security Administrator
  • According to the paper "Combining Text and Visual
    Interfaces for Security-System Administration",
    security administrators are very conservative
    when it comes to technology adoption.
  • Why?

10
Security Admin Tools
  • Mentioned in Text
  • Bro
  • Nessus
  • Symantec Anti-virus
  • Tripwire
  • Rootkit
  • Sebek

11
Bro
  • Bro (http://www.bro-ids.org/) is a NIDS.
  • Bro supports signature analysis, and in fact can
    read Snort signatures. (Snort is one of the most
    popular NIDS available.)
  • Bro also performs (a limited form of) anomaly
    detection, looking for activity that resembles an
    intrusion.
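As an added illustration of the two detection styles this slide attributes to Bro (example code written for this page, not Bro's or Snort's own), the Python below parses a deliberately tiny subset of Snort rule syntax (action, protocol, destination port, and the msg/content/sid options), matches the rules against connection records, and separately flags sources whose connection volume in the current window exceeds a statistical baseline. The rules, the traffic, the baseline counts and the sid values are all constructed.

```python
"""Simplified NIDS logic: signature matching on a small subset of Snort rule
syntax, plus a volume-based anomaly check. Added example; rules, traffic and
baseline counts are constructed."""
import re
from collections import Counter
from statistics import mean, pstdev

# Rule header: action proto src sport -> dst dport (options). Only this subset is parsed.
RULE_RE = re.compile(
    r'^(?P<action>alert)\s+(?P<proto>tcp|udp)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)
OPT_RE = re.compile(r'(\w+):"?([^;"]*)"?;')

# Constructed rules in Snort syntax; sid values are local placeholders.
RULES_TEXT = [
    'alert tcp any any -> any 80 (msg:"Path traversal probe"; content:"/etc/passwd"; sid:1000001;)',
    'alert udp any any -> any 53 (msg:"Constructed DNS marker"; content:"TEST-MARKER"; sid:1000002;)',
]

def parse_rule(text):
    """Parse one rule into a dict; syntax outside the subset raises ValueError."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    opts = dict(OPT_RE.findall(m.group("opts")))
    return {"proto": m.group("proto"), "dport": m.group("dport"),
            "content": opts.get("content"), "msg": opts.get("msg", ""),
            "sid": opts.get("sid")}

def match_signature(rule, conn):
    """True when protocol, destination port and payload content all match."""
    if conn["proto"] != rule["proto"]:
        return False
    if rule["dport"] != "any" and str(conn["dport"]) != rule["dport"]:
        return False
    return rule["content"] is None or rule["content"] in conn["payload"]

def signature_alerts(rules, conns):
    """Return (sid, msg, src) for every rule/connection pair that matches."""
    return [(r["sid"], r["msg"], c["src"])
            for c in conns for r in rules if match_signature(r, c)]

def anomalous_sources(conns, baseline_counts, k=3.0):
    """Flag sources whose connection count in this window exceeds
    mean + k * stdev of per-source counts seen in past windows
    (stdev floored at 1 so a flat baseline still leaves some margin)."""
    threshold = mean(baseline_counts) + k * max(pstdev(baseline_counts), 1.0)
    counts = Counter(c["src"] for c in conns)
    return sorted(src for src, n in counts.items() if n > threshold)

def build_conns():
    """Constructed traffic window: 17 web connections from one host (a volume
    anomaly) plus four ordinary connections, two of which carry signature hits."""
    conns = [{"src": "10.0.0.23", "dst": "10.0.0.5", "proto": "tcp", "dport": 80,
              "payload": "GET /index.html"} for _ in range(17)]
    conns += [
        {"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 80,
         "payload": "GET /../../etc/passwd"},   # rule 1000001 fires
        {"src": "10.0.0.7", "dst": "10.0.0.2", "proto": "udp", "dport": 53,
         "payload": "example.org"},             # no content match
        {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 22,
         "payload": "/etc/passwd"},             # wrong port: rule 1000001 must not fire
        {"src": "10.0.0.9", "dst": "10.0.0.2", "proto": "udp", "dport": 53,
         "payload": "TEST-MARKER"},             # rule 1000002 fires
    ]
    return conns

# Constructed history: connections per source in each past window.
BASELINE = [12, 15, 11, 14, 13, 12]

if __name__ == "__main__":
    rules = [parse_rule(t) for t in RULES_TEXT]
    conns = build_conns()
    print("signature alerts:", signature_alerts(rules, conns))
    print("anomalous sources:", anomalous_sources(conns, BASELINE))
```

The signature path only ever reports what a rule names, while the anomaly path reports a source it has never seen a rule for; the slide's "limited form of anomaly detection" is exactly this kind of threshold on observed behaviour, which is why it needs a representative baseline to avoid the false alarms discussed later in the deck.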

12
Structure of Bro
13
Nessus
  • Nessus is free, comprehensive vulnerability
    scanning software.
  • Its goal is to detect potential vulnerabilities
    on the tested systems.

14
Nessus Screenshot - 1
15
Nessus Screenshot - 2
16
Nessus Screenshot - 3
17
Other tools
  • Security Incident Management Systems
    • ArcSight
    • Novell e-Security Sentinel
  • Network Incident Management Systems
    • WhatsUp Gold
    • IBM Tivoli

18
ArcSight
  • Large enterprise and government infrastructures
    are growing increasingly dynamic and complex
  • ArcSight ESM is an event management tool
  • Different capabilities: filters, correlation,
    reporting, threat monitor, vulnerability
    knowledge base, asset information, risk
    management, zones, etc.

19
Architecture - ArcSight ESM
  • SmartAgents (residing on remote systems or on a
    separate layer)
  • Devices or Remote Systems (Firewalls, IDSs etc.)
  • Correlation engine
  • Central database
  • ArcSight Manager (console/browser)

20
Testing ArcSight
  • Real strength: analyzing huge volumes of data
  • When tested at an ISP that provided managed
    services to many corporate clients, generating
    millions of events a day (stress test), ArcSight
    had no hiccups.
  • Biggest advantage: scaling

21
ArcSight screenshot 1
22
ArcSight screenshot 2
23
ArcSight screenshot 3
24
e-Security Sentinel
  • Competitor of ArcSight, Network Intelligence and
    Symantec Security Information Manager
  • Event collector
  • Analyses and correlates events to determine if an
    event violates a predetermined condition or
    acceptable threshold.
  • Control Center Correlation Engine
  • Unlike ArcSight, e-Security Sentinel has an
    iScale Message Bus that is based on the Sonic
    JMS bus architecture.
  • Highly scalable
  • Doesn't rely on a relational database

25
E-Sentinel Screenshot 1
26
E-Security Screenshot 2
27
Cases from the Field
  • Security checkup
  • Latest fixes/patches
  • Use of IDS; regular scanning of the network
  • Security engineers need to be well informed
    (discussions on forums)

28
Case 1 - virus/worm/spyware on the network
29
Case 2 - false alarms
30
Case 3 - Real time network security monitoring
31
Case 4 - Security Scans
32
Problems with Security Administration
  • Integration is required
    • From firewalls to IDSs to Websense to
      vulnerability information to the knowledge
      base (KB)
  • Challenges
    • Too much to look at
    • No single standard data format
    • Out-of-sync system clocks
    • Correlation becomes difficult

33
Problems cont.
  • Information asymmetry
  • Use of manual tools (location, address books,
    information directories)
  • Process is slow because of very little
    integration
  • A problem in times of actual attacks
  • Critical factor - Time
  • New vulnerabilities - proactive work pays
  • Administrator motto - Know Thy Network

34
Improvements
  • New tools to help security administrators need to
    be developed
  • Standardization of event formats for easier
    integration
  • Application of data mining in event
    classification, analysis and noise reduction
  • Automated event stream processing
  • Improved information management tools
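Slide 32 names "no single standard data format" and "out of sync system clocks" as what makes correlation difficult, and this slide asks for standardized event formats. The added Python example below (written for this page, not from any product named in the deck) shows what that normalization involves: three constructed log lines in three device-specific formats are parsed into one schema, each device's measured clock skew is subtracted, and events against the same host within a ten-second window are grouped. The log lines, the clock offsets, the reference year, the assumption that every device logs in UTC, and the schema itself are all assumptions of this example.

```python
"""Normalize events from devices that log in different formats and run on
skewed clocks into one schema, then group them for correlation.
Added example; log lines, clock offsets, reference year and schema are constructed."""
import re
from datetime import datetime, timedelta, timezone

REFERENCE_YEAR = 2009  # assumed: the syslog-style lines below carry no year

# Assumed per-device clock offsets relative to a reference clock
# (positive = device clock runs ahead). In practice measured by NTP monitoring.
CLOCK_SKEW = {
    "fw-1": timedelta(minutes=7),
    "ids-1": timedelta(seconds=-20),
    "av-1": timedelta(0),
}

# Constructed raw lines: (device, line), one per device-specific format.
RAW_LINES = [
    ("fw-1", "Mar 03 10:07:02 fw-1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=445"),
    ("ids-1", "03/03-09:59:45.120 [**] [1:1000001:1] Path traversal probe [**] {TCP} 203.0.113.9:51000 -> 10.0.0.5:80"),
    ("av-1", "2009-03-03T10:00:05Z host=10.0.0.5 action=quarantine threat=Constructed.Test.File"),
]

FW_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (\w+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")
IDS_RE = re.compile(r"^(\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+ \[\*\*\] \[\d+:(\d+):\d+\] (.*?) \[\*\*\] \{\w+\} (\S+):\d+ -> (\S+):(\d+)")
AV_RE = re.compile(r"^(\S+) host=(\S+) action=(\S+) threat=(\S+)")

def _utc(text, fmt):
    """Parse a device timestamp; every device is assumed to log in UTC."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def parse_fw(line):
    m = FW_RE.match(line)
    ts = _utc(f"{REFERENCE_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, {"src": m.group(3), "dst": m.group(4), "dport": int(m.group(5)),
                "kind": "fw_" + m.group(2).lower(), "detail": ""}

def parse_ids(line):
    m = IDS_RE.match(line)
    ts = _utc(f"{REFERENCE_YEAR} {m.group(1)}", "%Y %m/%d-%H:%M:%S")
    return ts, {"src": m.group(4), "dst": m.group(5), "dport": int(m.group(6)),
                "kind": "ids_alert", "detail": f"sid={m.group(2)} {m.group(3)}"}

def parse_av(line):
    m = AV_RE.match(line)
    ts = _utc(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, {"src": None, "dst": m.group(2), "dport": None,
                "kind": "av_" + m.group(3), "detail": m.group(4)}

PARSERS = {"fw-1": parse_fw, "ids-1": parse_ids, "av-1": parse_av}

def normalize(device, line, correct_clocks=True):
    """Return one event in the common schema, with the device's skew removed."""
    ts, fields = PARSERS[device](line)
    if correct_clocks:
        ts -= CLOCK_SKEW.get(device, timedelta(0))
    return {"ts": ts, "device": device, **fields}

def normalize_all(raw=RAW_LINES, correct_clocks=True):
    return [normalize(dev, line, correct_clocks) for dev, line in raw]

def group_by_host_window(events, window=timedelta(seconds=10)):
    """Group events by destination host; a new group starts when an event is
    more than `window` after the first event of the current group."""
    groups = []
    for dst in sorted({e["dst"] for e in events}):
        batch = sorted((e for e in events if e["dst"] == dst), key=lambda e: e["ts"])
        current = []
        for e in batch:
            if current and e["ts"] - current[0]["ts"] > window:
                groups.append(current)
                current = []
            current.append(e)
        groups.append(current)
    return groups

if __name__ == "__main__":
    for corrected in (False, True):
        groups = group_by_host_window(normalize_all(correct_clocks=corrected))
        print(f"clock correction {corrected}: {len(groups)} group(s)")
```

With the raw timestamps the three records about the same host land seven minutes apart and fall into three separate groups; once each device's offset is removed they sit within three seconds of each other and correlate as one incident, which is the practical reason both a common schema and synchronized (or at least measured) clocks are prerequisites for the automated event-stream processing this slide calls for.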

35
Questions
  • ?