Lecture 15 – Dataflow Analysis Eran Yahav 1 yahave/tocs2011/compilers-lec15.pptx.
INF526: Secure Systems Administration Risk … › USC › INF526 › Sp17-INF526-Lec15.pdfDecoy...
Transcript of INF526: Secure Systems Administration Risk … › USC › INF526 › Sp17-INF526-Lec15.pdfDecoy...
INF526: Secure Systems Administration
Risk ManagementReview – Group Project Demos
Prof. Clifford Neuman
Lecture 1527 April 2017OHE100C
Final ExamThe Final exam for Informatics 526 will be held
Monday May 8th, 2017
2PM to 4PM
in
VHE 214
Exam will be Open Book / Open NoteI will post a single combined slide deck
reduced to 6 slides per page..
1
INF526:Risk Management in System Administration
Student Presentation
Edward M Guerrero
Overview
• What is Risk Management• Your Role in Risk Management• Identifying Risks• Risk Analysis• Risk Treatment
3
What is Risk Management?
• First lets define what a “risk” is– The effect of uncertainty on objectives
• Cross the street successfully• Invest in stocks• Go on a vacation• Playing sports
– Probability of a harmful event and eventuality that a threat exists that is more or less predictable may affect the objectives of an organization
• More common definition• Fires, Hackers, Theft, Floods, Meteor
4
What is Risk Management?
• As focusing on potential problems, we seek to manage what may or may not happen
• Understanding that risk has two main characteristics– Its level of uncertainty (If you’re 100% positive it can
occur its not a risk)– The level of loss (known as impact as well)
• Also understanding risk as it pertains to your business and job function is important too
5
What is Risk Management?– Be careful with risk perception
• Experts and idiots suffer from the same risks
6
Your Role in Risk Management– NIST 800-30: “IT Security practitioners are responsible for proper
implementation of security requirements in their IT systems. As changes occur in the existing IT environment, the security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems
• That means you architect systems with risk in mind, and you make changes with risk in mind.
7
Your Role in Risk Management
• Secure System Administration (Addition)– Risk analysis reoccurs in the SDLC– Decisions on controls will be based on risk analysis
• Vulnerability Management (Ongoing)– Know what vulnerabilities exist in the context of your
business– Risk analysis will dictate priority of remediation
• Change Management (Changes)– Know how changes in your environment affect the
security of it– Risk analysis will dictate whether patching is
neccesary
8
Identifying Risks
• The process of finding, recognizing and recording risks
• Once a risk is identified, you should also identify any existing controls you may already have in place
• Identification methods can include:– Interviews– Documentation Review– Scanning Tools– Crowdsourced Intel (Blogs, Gov’t, Security News)
9
Identifying Risks
• Pair threats/vulnerabilities to its source and devise the action to exploit
• Threat source is simply the element(s) in which a risk can arise from
10
Risk Analysis
• Develop the understanding of the risk as it pertains to your system
• Consists of determining consequences and their probabilities and also taking into account current controls with their current effectiveness
• Once the analysis is complete and you’ve determined the level of risk, determine the priority.
11
Risk Analysis
• Using a Risk Matrix or Heat Map (or any good visualization tool)
• Plot your risks dealingwith those with thatyou have deemedsevere threats
12
Risk Treatment
• Risk treatment involves selecting and agreeing to one or more of the options to change either the probability of occurrence, the impact of the risk, or both
• This process is ongoing and is typically reviewed over time since new threats arise constantly
• Options:– Avoidance, Acceptance, Remove, Mitigation, Transfer– Name of options varies by framework
13
Risk Treatment
• For the scope of IT System Administration we will only focus on Acceptance, Avoidance, and Mitigation– Acceptance: The risk is already within an acceptable
range. Document and proceed with project/tasks– Avoidance: The risk is too high to implement a system
or make a change, so either don’t or change process– Mitigation: The risk is NOT in an acceptable range so
changes must be made, or extra controls must be put into place
14
Risk Treatment
• When controls are to be placed due to the mitigation of risk, you must conduct a cost benefit analysis
• Be careful on what controls you choose, too much and you waste money and manpower, too little and you’re still at risk.
• Choose the correct controls based upon the threats that you identified, sourcing the wrong controls can do more damage than good
15
Risk Treatment
16
Risk Treatment
17
Risk Treatment
18
Types of Technical and Management Controls
• Supporting Technical– MAC, DAC, Cryptographic Keys, EPS
• Preventative Technical– Authentication, Authorization, Nonrepudiation,
Protected Comms• Detection and Recovery Technical
– Audit, Intrusion Detection, Virus Detection, Integrity
19
Types of Technical and Management Controls
• Preventative Management– Assign security responsibility, Conduct security
awareness and technical training• Detection Management
– Implement personnel security controls (background checks, investigations), Perform system audits
• Recovery Management– Provide continuity of support and develop, test, and
maintain the continuity of operations plan– Establish incident response
20
Conclusion
• Risk management will very well be a part of your job descriptions as you progress in Cyber Security
• Understand various frameworks that involve risk– ISO 31000, NIST 800-30, COSO– NIST geared more toward IT and systems
• Think outside the box
21
Project Report Outs
• Presentations by two groups on second scenario.
22
Material for Final Exam• Focus will be material you have used in completing your
group projects.– i.e. the material you will use in deploying systems once you enter the
cyber security workforce.• Comprehensive, but with more emphasis on
material since the second mid-term exam.
23
Material for Final Exam• Quick Overview of material before Quiz 2
24
Role of Admnistrator• Administration
– Selection of components (purchases of products)– Architecture – how the pieces fit together– Installation and configuration– Security Testing– Operation– Monitoring– Repair and Maintenance– Threat response
• (Think in terms of minimization)
25
Positive and Negative Requirements
• Functional requirements are positive.– This is what most developers focus on– And why are systems are not secure.– Functionality over security
• Security requirements tend to be negative– What should not be possible (conf and integ)– But availability is a positive requirement
• How do we test for negative requirements– absence of evidence is not evidence of absence
16
Information Flow and Containment
• Understand your applicationsInformation Flow:–What is to be protected–Against which threats–Who needs to access which apps–From where must they access it
• You will minimize allowed flows, reducing attack surface.
16
Component Selection• What systems do you need
–System or VM for different classes of protection domains.
• Network Components – To interconnect– To Segregate
• Management Components– Special tools for management and security
• You will manage the flow of data• Competing issues to balance in terms of
minimization.
16
Configuration Management
• Catalog of systems– What is approved for connection
• Catalog of software– What is approved for use– Patch management
• Configuration checkers• Change detectors
– E.g. tripwire, AFIK
• Ensure continued minimization
16
System Administration
• What must be administered:– User accounts – Least Privilege– Software– Servers– Storage– Network (next slide)– Keys– Monitoring– Logs and Audit
• Core principles– Minimization
30
Network Administration
• Creation of network protection domains– Firewalls– VLANs– VPNs for access– Ipsec– Wireless Management
• Network Monitoring• Network Admission Control• Reduction of attack surface
31
Administration vs Development
• Different stages in system life cycle– Administration is concerned with installation, interconnection, configuration,
operation, and decommissioning– Administration is concerned with the environment– Development addresses the idea architecture of the system
• Depends on assumptions
• Security fails when environmental assumptions are violated.– Let’s brainstorm on examples of such assumptions that led to security
failures when they no longer held.
32
Your Oganizations Security Policy
• First step – Establish an Organization Security Policy– Generally accepted Principles and Practices – NIST 800-14
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
– Guidance in writing a security policywww.GIAC.org/paper/gsec/734/system-security-policy/101613
• First question for security auditors• It will guide you in creating categories of data and user
• Reduction of attack surface is one way to think of the security policies that are effective.
33
Points of Policy
16
• By Axiomatics - Axiomatics, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=48397652
Plan Your Attacks
• It is important to think like an attacker to best assess your defenses.– Look for the overlooked
• Attackers seek out the weakest links,the forgotten window
– Consider environmental assumptions• Incorrect assumptions create vulnerabilities
– Weak systems may be used as stepping stones• That forgotten system that is unpatched is compromised,
then the attacker pivots and attacks from within.– Check the integrity of your defenses
• Attackers may disable defensive measures
35
Attack-Defense Tree Example
36
STRIDE
• Acronym for categories of threats:
37
Threat Security Property at RiskSpoofing AuthenticationTampering IntegrityRepudiation Non-repudiationInformation disclosure ConfidentialityDenial of service AvailabilityElevation of privilege Authorization
Meaning of Each Threat Class
• Spoofing : Impersonating something or someone else
• Tampering : Modifying data or code • Repudiation : Claiming to have not performed
an action • Information Disclosure : Exposing information
to someone not authorized to see it• Denial of Service : Deny or degrade service to
users• Elevation of Privilege : Gain capabilities
without proper authorization
38
STRIDE Steps
• Decompose system into components– May need to recurse down to necessary level of detail
• Analyze each component for susceptibility to each relevant type of threat
• Develop countermeasures until no component has susceptibility
• Is system secure?– Maybe, but probably not– Due to emergent properties of composition
• Does this give higher assurance?– Yes, because flaw in one component affects entire
system
39
Data Flow Diagram (DFD)
• Used to graphically represent a system and its components
• Standard set of elements:– Data flows– Data stores– Processes– Interactors
• One more for threat modeling:– Trust boundaries
40
Relevant Threats for Elements
41
Interactors Process Data Store
Data Flow
Spoofing x xTampering x x xRepudiation x x *
Information disclosure x x x
Denial of Service x x x
Elevation of Privilege x* Logs held in data stores are usually the mitigation against a repudiation threat. Data stores often come under attack to allow for a repudiation attack to work.
Mitigation Choices in Reality
• Redesign– Change the design to eliminate threats– E.g., reduce elements that touch a trust boundary
• Use standard mitigations– Firewalls, validated authentication systems, …
• Use custom mitigations– If you are a gambling sort of person
• Accept risk– If you think risk is low, or too expensive to mitigate
42
What is an Adversarial Security Plan?• An adversarial security plan enables an entity to develop
an awareness of their networks and systems in order to protect data, safeguard their operations, and guard their infrastructure.
• Purposes:– Predicting intentions and future actions of malicious entities– Limit attack surface– Assist in developing a containment architecture in case of
breach
43
Goals of Attackers: Methodology• Attackers generally implement the following
methodology:1. Reconnaissance Information gathering, What/ Who is the target?
2. Scanning/ Enumerating What is the attack surface? Ex: Access points/ open ports, live
hosts, accounts, policies, etc.3. Gaining Access Breaching systems, executing malicious software
4. Maintaining Access Establishing backdoors, unpatched systems
5. Clearing Evidence Decoy traffic, log manipulation, obfuscation of identity
44
Virtualization and Administration
• Issues affecting administration of virtual machines– Containment– Side Channels– Throwaway mentality– Stateless machines– Privileged remote access– Less physical or siloed specialization– Relationship to cloud computing
45
Stateless Virtualizaton
• Tendency to store persistent data on separate services such as NAS.
• Those external services must be considered part of attack surface.
• Local state such as logs might be lost, use network based monitoring.
46
Privileges and Virtualizaton
• Inherent privleges used to be based on access to console and the physical machine.
• Console access is “remote” when using virtual machines, and thus such access may be available without true physical access.
47
Virtualizaton and the Cloud
• What happens when you “outsource” administration of your VMs.– Policy on assignment to providers– Accreditation of providers– Need visibility through “information points” in policy
evaluation.– Side channels an issue for multi-tenancy.
48
Scanning (cont.)
• Network Scanning– Tool to find out active host on the network– You select the range of IP addresses and start
scanning over the network.– It provides the information Network devices including
FTP servers and workstations.
• Tools:– Advance IP scanner (Windows, Mac and Linux)– Network Mapper (Nmap, ZenMap)– Nessus
49
Scanning (cont.)
• Port Scanning– Tool to find out which number of ports are accessible
on a server or a host.– Port scanning identifies open doors to a hosts.– Nmap classifies port in these States:
• Open• Closed• Filtered• Unfiltered
50
Business Continuity Plan• The processes and procedures that are carried out by an organization to ensure
that essential business functions continue to operate during and after a disaster.• This type of planning enables them to re-establish services to a fully functional
level as quickly and smoothly as possible.• BCP mostly covers Non-IT aspects of business.• It includes identification of the resources that are needed to maintain the
business continuity, such as:– Critical personnel– Key business processes– Recovery of vital records– Critical suppliers identification– Contacts of key vendors and clients.– Standby Equipment– Legal Help– Financials– Alternate infrastructure– Alternate accommodation, etc.
51
Material by Vini GuptaMS Student Summer 2016
Intrusion Response Planning
What is an intrusion or incident?– An action likely to lead to grave consequences
especially in diplomatic matters– Consequences can affect
company revenue andbusiness
– Incident examples• Virus• Malicious code• Trojan horse• Espionage
52
Material by Reshma RavindranMS Student Summer 2016
Incident Response Plan
Response: An act of responding. Something constituting a reply or a reaction.
– The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation
– The output of a transducer or detecting device resulting from a given input.
– Action taken to prevent or recover from an intrusion occurrence or breach.
53
Material by Reshma RavindranMS Student Summer 2016
Material for Final Exam• Quick Overview of material since Quiz 2
54
Secure Network Administration
• Secure Host Administration provides fine-grained control of access to a hosts resources.
• Secure Network administration assists in controlling access at a coarse level of granularity– Not to records or files, but to computers and subnets.– At most, limits access to services (by port)– Confines access to zones– Is a second line of defense, and useful as stop-gap when
vulnerabilities in host infrastructure are discovered.
55
Elements of Secure Network Administration
– Policy• Tells you what access is authorized• Should follow analysis of application information flow
requirements.• Can also specify specific flows that are disallowed.
– Containment• Many tools to contain information. • Not all effective.• Most available tools support DAC, but MAC is more
effective.– Monitoring
• Important to discover unintended paths that are exploited• Important to discover insider threats
56
Network Containment Tools
• Firewall– Network, Host, Embedded, Application
• Virtual Private Network– Encrypted Tunnels between zones
• IPSec– Encryption and Integrity between hosts
• Virtual LANS– Layer 2 separation
• Encryption– Supports other forms of containment
57
Firewalls• Network Based
– Protects (or not) entire network. Chewy on inside.– Statefull vs stateless– Limited basis on which to make decisions.
• Host Based– Controls access to resources on single host
• Embedded– On interface card, but managed separately
• Distributed– Single policy (next) implemented at multiple PEP
• Application– No routing of packets, just recreation of application messages.
Examples: DNS, Web, Email – configuration.
58
IPSec and IPv6 Security• IP Security (IPsec) and the security features in
IPv6 essentially move VPN support into the operating system and lower layers of the protocol stack.
• Security is host to host, or host to network, or network to network as with VPN’s– Actually, VPN’s are rarely used host to host, but if the
network had a single host, then it is equivalent.• IPSec Implementations also implement a Host
Based firewall (Policies on acceptable connections)
16
60
IPSec Goals
• Authentication of hosts– Verify the source of IP packets– Prevention of replays
• Verify integrity of packets– Through use of hashes and cryptography
• Ensure confidentiality of packets• Protect the payload
• Enforce Policy on communication of endpoints.
61
IPSec Architecture
ESP AH
IKE
IPSec Security Policy
Encapsulating SecurityPayload
Authentication Header
The Internet Key Exchange
62
IPsec Architecture
Tunnel Mode
Router Router
Transport Mode
63
Various Packet Formats
IP header TCP header dataOriginal
Tunnelmode IP header TCP header dataIP header IPSec header
Transportmode
Tunnelmode TCP header dataIP header IPSec header
64
Authentication Header (AH)
• Provides source authentication– Protects against source spoofing
• Provides data integrity• Protects against replay attacks
– Use monotonically increasing sequence numbers– Helps Protect against dos attacks
• NO protection for confidentiality!
65
AH Packet Details
Authentication Data
Sequence Number
Security Parameters Index (SPI)
Nextheader
Payloadlength
Reserved
Old IP header (only in Tunnel mode)
TCP header
New IP header
Authenticated
Data
EncapsulatedTCP or IP packe
Hash of everythingelse
66
Encapsulating Security Payload (ESP)• Provides all that AH offers, and• in addition provides data
confidentiality–Uses symmetric key encryption
67
ESP Details
• Same as AH:– Use 32-bit sequence number to counter replaying
attacks– Use integrity check algorithms
• Only in ESP:– Data confidentiality:
• Uses symmetric key encryption algorithms to encrypt packets
68
ESP Packet Details
Authentication Data
Sequence NumberSecurity Parameters Index (SPI)
Nextheader
Payloadlength
Reserved
TCP headerAuthenticated
IP header
Initialization vector
DataPad Pad length Next
EncryptedTCP packet
69
Internet Key Exchange (IKE)
• Exchange and negotiate security policies • Establish security sessions
– Identified as Security Associations• Key exchange• Key management• Can be used outside IPsec as well
70
IPsec/IKE Acronyms
• Security Association (SA)– Collection of attribute associated with a connection– Is asymmetric!
• One SA for inbound traffic, another SA for outbound traffic• Similar to ciphersuites in SSL
• Security Association Database (SADB)– A database of SAs
71
IPsec/IKE Acronyms
• Security Parameter Index (SPI)– A unique index for each entry in the SADB– Identifies the SA associated with a packet
• Security Policy Database (SPD)– Store policies used to establish SAs
72
How They Fit Together
SPD
SADBSA-2
SPI
SPI
SA-1
73
SPD and SADB Example
From To Protocol Port PolicyA B Any Any AH[HMAC-MD5]
Tunnel Mode
Transport Mode
AC
B
A’s SPD
From To Protocol SPI SA RecordA B AH 12 HMAC-MD5 key
A’s SADB
D
From To Protocol Port Policy Tunnel DestAny Any ESP[3DES] D C’s SPD
From To Protocol SPI SA RecordESP 14 3DES key
C’s SADB
Asub Bsub
Asub Bsub
What is a VLAN?
• A virtual local area network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain regardless of their physical location.
74
VLAN-based LAN
• By utilizing VLANs, the same users can be spread out over various geographical locations and still remain in their same IP subnet (broadcast domain).
75
Network Policy Management
• Telling containment technologies what to allow• Coordinated policy management is important• Commercial Tools to Manage Multiple Firewalls
– E.g. Redseal Networks http://www.redsealnetworks.com/files/RedSeal_Corporate_Brochure_02172014.pdf
– Many other Tools• Distributed Firewalls
– Distributed Embedded Firewalls• Adventium Labs
• One PAP and PSP, but multiple PEPs and PDPs– Firewall on network cards, but not managed by host,
instead managed centrally.
76
Configuration ManagementA process for consistently establishing and maintaining the characteristics of the components of a system relevant for the proper functioning of a system.
– Proper functioning includes:• Security• Updates and security patches.• Detection and prevention of unauthorized changes.
– Components includes all system assets:• Hardware• Software• Credentials• Licenses
– Characteristics includes:• Accounts• Settings• Polices.
77
Purpose of CM• To Maintain Consistency of a system and its attributes
with a technical baseline over the systems life.
• CM is part of system’s security assurance cycle.
• Reduce the management workload for a collection of systems.
• Reduce the attack surface of a collection of systems by reducing the differences between individual systems within the collection.
It Starts with an Inventory
• Catalog of systems– What is approved for connection
• Prevent access by uncatalogued systems– For each system:
• Serial Number, Tag, MACs, IPs• Location, Owner, Admin• Make/Model, Hardware Features• Include routers, hubs, printers, other network
attached items.• Purpose• Software (OS, patches, applications, etc)
16
It Starts with an Inventory
• Catalog of software– What is approved for use
• Detect unauthorized installs– For each system:
• Name, Version, Patch Level• Checksum• License information• System requirements• Security considerations/implications
• Anything else
16
Technical Aspects of CM• Dependency Managers
– Linux package managers• Patch Management
– Software update options– Software update center (linux)– Windows updates– App Stores
• Special Tools– Secuinia, others (later)
• New attack vectors– When to update
16
Automated Tools Detection: Tripwire• Open source and enterprise developed by Tripwire, Inc.
– Two versions, Open Source Version is not mainained or upgraded
• Detect changes to file system objects
• When first initialized, scans the file system and stores information in a database. Later, the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user by emails.
16
Slide by Fumiko UeharaINF526 Students Summer 2016
File Integrity Monitoring• Act of validating the integrity of operating
system and application software files• Calculate file signatures (Hash values)
and compare it to baseline• Should be performed periodically
16
Slide by Fumiko UeharaINF526 Students Summer 2016
Open Source Integrity Tools• Tripwire (some versions)
– runs on Linux• AFICK
– Another File Integrity ChecKer– Perl based, deployment on Windows, Linux,
Unix, Solaris.• AIDE
– Advanced Intrusion Detection Environment– runs on Linux
16
Slide by Fumiko UeharaINF526 Students Summer 2016
Where Detection Occurs
• Events visible in the network– New network peer entities is evidence– Significant change in frequency or bandwidth is evidence
• Events on the Compromised System– Changes to system binaries are evidence of subversion– Changes to accounts and privileges are evidence– Changes to the running processes and CPU share are
evidence– Creation of new files are evidence
• The above are anomalies and an administrators role is to sort though them.
85
Events Visible in the Network• Network Monitoring uses a system to monitor a computer
network for abnormalities and notifies an administrator or other system components when an issue is identified.– Enterprise health monitoring
• Network Monitoring tools allow usto see the devices connected toour network and traffic betweenthem.
• Packet analyzers can capture network traffic for viewing through an event management system.
• Such data is useful for intrusion detection.
86
Deployment of Network MonitoringSwitch Spanning Port• Can miss traffic during burst
periodsNetwork Tap• Usually a temporary /emergency
solution• Not commonly found, used when
options A&C not possibleInline• Makes all network connectivity
dependent on sensor healthOther• Bottom line, your network
monitoring device must be deployed in a way that enables it to see/monitor all relevant traffic.
87
Slide by Josh McCameyINF526 Summer 2016
Summary of Network MonitoringThere are multiple focuses of Network Monitoring
– Focus on Health– Internally vs. Externally Geared– All play a role in Secure Systems Administration
Works either via actively inquiring about network devices or passively observing– Ping and inquiries– Packet Inspection/Recording/Analysis
Many different ways for admins to interact with systems and receive notifications– Advanced Visualization– Notifications, Automated Response
A tool for every use case (including frameworks to build your own)Can be as high-level or as granular as you needClose relationship between monitoring and IDS/Forensics
88
Slide by Josh McCameyINF526 Summer 2016
Intrusion Detection
• Signature Based– Specific characteristics of known attacks and attack tools
are maintained, and network based IDS’s scant traffic looking for these patterns.
– Host based IDS’s scan system looking for these patterns.– Administrator installs IDS and keeps signatures up-to-
date.• Anomaly Based
– In the examples from the previous slide many anomalous events will be normal or innocuous.
– Administrator must add to patters of normal events or biome overwhelmed with false positives.
89
Visualizing the Data
• Security Incident Event Management (SIEM)– Collects data from many sources
• Host, network, and application– Converts data into a common database format– Enables search and analysis of the collected data– Provide visualization tools that allow one to push down on
and query for statistics from its database of events.– Examples: Snort, many many commercial products
• Qradar, OSSIM, others
90
Monitoring from the Outside
• If sensors on affected system, send data to SIEM as soon as possible.– Actions leading to a breach are moved off system before
breach compromises reporting.• Monitor from Host OS/Hypervisor
– Breach of guest does not affect such reporting.• Monitor network activity through appliance or
embedded device.– Requires compromise of separate device to subvert
reporting.
91
Taking Action
• The purpose of intrusion detection is to provide the administrator with actionable intelligence.– Actions are taken based on that insight.
• Actions– Shut down the affected systems– Restore to a known state– Block access from parts of the internet
• Some actions can be taken automatically– Simply closing a vulnerability might be too late.
92
SIEM and Beyondhttp://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html
Security Operations and Analytics (Platform Architecture)
An evolution, not something different. Its all about detection in one form or another.
Intrusion detection – originally monolithic.SIEM – Management of data about incidents and events.
Rules defined processing to identify current state and intrusions.Provided ability to push down on the data to investigate.
Analytics are the tools (including big data) that allow us to reason about the collected data.
93
What is SIEM CurrentlyWhile originally expanded as “Security Incident and Event Management”, many currently expand the acronym as “Security Information and Event Management”.
– That is because most of the activities revolve around the management of security information.
• Collecting data from logs• Collecting data from sensors• Creating a common format to represent such data• Storing such data
– User interfaces for visualizing this stored data– Simple rules/signatures for prompting notification
94
What is SIEM useful for• It is the evolved state of previous work in intrusion
detection.• It is very useful for manual forensics, as a central
repository of all “artifacts”.• It is a source of data that may be used for more
advanced detection and diagnosis.
95
Enter SOAPADo we need a new name? NoDid we need a new name when SIEM came around? NoBut, marketers always want something new so…
Security Operations and Analytics Platform Architecture– Goal is to support AI, Machine Learning, Neural
Networks, and similar “Big Data”, “Data Science”, and “Data Analytics” to provide insight on the data.
96
Accreditation and Acceptance Testing
• Accreditation is used to rely on a third party to assess the security of a system for a particular application or environment.
• Acceptance Testing is a set of test that you perform yourself before agreeing that a system has been deployed/implemented according to your system requirements.
Report Out for Teams• Each group should prepare a report describing:
– User documentation for their application (high level)– Their network and server architecture (what servers are on what VM’s and
how they are interconnected)– A risk assessment/vulnerability analysis enumerating the risks, explaining the
mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
– A description of the steps taken for pen testing of your system.• Each group will have 20 minutes to present, and then 20 minutes to
demonstrate their project. We will have 20 minutes following the presentations and demonstrations for limited pen-testing.
98