INF526: Secure Systems Administration Risk Management Review – Group Project Demos Prof. Clifford Neuman Lecture 15 27 April 2017 OHE100C


Page 1: INF526: Secure Systems Administration
Risk Management Review – Group Project Demos
Prof. Clifford Neuman
Lecture 15, 27 April 2017, OHE100C

Page 2: Final Exam

The final exam for Informatics 526 will be held Monday May 8th, 2017, 2PM to 4PM, in VHE 214.
• Exam will be Open Book / Open Note
• I will post a single combined slide deck reduced to 6 slides per page.

Page 3: INF526: Risk Management in System Administration
Student Presentation
Edward M Guerrero

Page 4: Overview
• What is Risk Management
• Your Role in Risk Management
• Identifying Risks
• Risk Analysis
• Risk Treatment

Page 5: What is Risk Management?
• First let’s define what a “risk” is
  – The effect of uncertainty on objectives
    • Cross the street successfully
    • Invest in stocks
    • Go on a vacation
    • Playing sports
  – The probability of a harmful event, and the eventuality that a more or less predictable threat exists, may affect the objectives of an organization
    • More common definition
    • Fires, Hackers, Theft, Floods, Meteor

Page 6: What is Risk Management?
• Focusing on potential problems, we seek to manage what may or may not happen
• Understand that risk has two main characteristics
  – Its level of uncertainty (if you’re 100% positive it can occur, it’s not a risk)
  – The level of loss (also known as impact)
• Understanding risk as it pertains to your business and job function is important too

Page 7: What is Risk Management?
  – Be careful with risk perception
    • Experts and idiots suffer from the same risks

Page 8: Your Role in Risk Management
  – NIST 800-30: “IT Security practitioners are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT environment, the security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.”
• That means you architect systems with risk in mind, and you make changes with risk in mind.

Page 9: Your Role in Risk Management
• Secure System Administration (Addition)
  – Risk analysis recurs throughout the SDLC
  – Decisions on controls will be based on risk analysis
• Vulnerability Management (Ongoing)
  – Know what vulnerabilities exist in the context of your business
  – Risk analysis will dictate the priority of remediation
• Change Management (Changes)
  – Know how changes in your environment affect its security
  – Risk analysis will dictate whether patching is necessary

Page 10: Identifying Risks
• The process of finding, recognizing and recording risks
• Once a risk is identified, you should also identify any existing controls you may already have in place
• Identification methods can include:
  – Interviews
  – Documentation Review
  – Scanning Tools
  – Crowdsourced Intel (Blogs, Gov’t, Security News)

Page 11: Identifying Risks
• Pair each threat/vulnerability with its source and the action that would exploit it
• A threat source is simply the element(s) from which a risk can arise

Page 12: Risk Analysis
• Develop an understanding of the risk as it pertains to your system
• Consists of determining consequences and their probabilities, while also taking into account current controls and their current effectiveness
• Once the analysis is complete and you’ve determined the level of risk, determine the priority.

Page 13: Risk Analysis
• Use a Risk Matrix or Heat Map (or any good visualization tool)
• Plot your risks, dealing first with those that you have deemed severe threats

Page 14: Risk Treatment
• Risk treatment involves selecting and agreeing to one or more of the options to change either the probability of occurrence, the impact of the risk, or both
• This process is ongoing and is typically reviewed over time, since new threats arise constantly
• Options:
  – Avoidance, Acceptance, Remove, Mitigation, Transfer
  – Names of the options vary by framework

Page 15: Risk Treatment
• For the scope of IT System Administration we will only focus on Acceptance, Avoidance, and Mitigation
  – Acceptance: The risk is already within an acceptable range. Document and proceed with the project/tasks
  – Avoidance: The risk is too high to implement a system or make a change, so either don’t, or change the process
  – Mitigation: The risk is NOT in an acceptable range, so changes must be made or extra controls must be put into place

Page 16: Risk Treatment
• When controls are to be put in place to mitigate risk, you must conduct a cost-benefit analysis
• Be careful about which controls you choose: too many and you waste money and manpower, too few and you’re still at risk.
• Choose the correct controls based upon the threats that you identified; sourcing the wrong controls can do more damage than good

Page 17: Risk Treatment

Page 18: Risk Treatment

Page 19: Risk Treatment

Page 20: Types of Technical and Management Controls
• Supporting Technical
  – MAC, DAC, Cryptographic Keys, EPS
• Preventative Technical
  – Authentication, Authorization, Nonrepudiation, Protected Comms
• Detection and Recovery Technical
  – Audit, Intrusion Detection, Virus Detection, Integrity

Page 21: Types of Technical and Management Controls
• Preventative Management
  – Assign security responsibility, Conduct security awareness and technical training
• Detection Management
  – Implement personnel security controls (background checks, investigations), Perform system audits
• Recovery Management
  – Provide continuity of support and develop, test, and maintain the continuity of operations plan
  – Establish incident response

Page 22: Conclusion
• Risk management will very likely be a part of your job description as you progress in Cyber Security
• Understand the various frameworks that involve risk
  – ISO 31000, NIST 800-30, COSO
  – NIST is geared more toward IT and systems
• Think outside the box

Page 23: Project Report Outs
• Presentations by two groups on the second scenario.

Page 24: Material for Final Exam
• Focus will be material you have used in completing your group projects.
  – i.e. the material you will use in deploying systems once you enter the cyber security workforce.
• Comprehensive, but with more emphasis on material since the second mid-term exam.

Page 25: Material for Final Exam
• Quick overview of material before Quiz 2

Page 26: Role of Administrator
• Administration
  – Selection of components (purchases of products)
  – Architecture – how the pieces fit together
  – Installation and configuration
  – Security Testing
  – Operation
  – Monitoring
  – Repair and Maintenance
  – Threat response
• (Think in terms of minimization)

Page 27: Positive and Negative Requirements
• Functional requirements are positive.
  – This is what most developers focus on
  – And why our systems are not secure.
  – Functionality over security
• Security requirements tend to be negative
  – What should not be possible (confidentiality and integrity)
  – But availability is a positive requirement
• How do we test for negative requirements?
  – Absence of evidence is not evidence of absence

Page 28: Information Flow and Containment
• Understand your application’s information flow:
  – What is to be protected
  – Against which threats
  – Who needs to access which apps
  – From where must they access it
• You will minimize allowed flows, reducing attack surface.

Page 29: Component Selection
• What systems do you need
  – System or VM for different classes of protection domains.
• Network Components
  – To interconnect
  – To segregate
• Management Components
  – Special tools for management and security
• You will manage the flow of data
• Competing issues to balance in terms of minimization.

Page 30: Configuration Management
• Catalog of systems
  – What is approved for connection
• Catalog of software
  – What is approved for use
  – Patch management
• Configuration checkers
• Change detectors
  – E.g. Tripwire, AIDE
• Ensure continued minimization
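A change detector of the kind the slide names (Tripwire, AIDE) comes down to a baseline of file digests and a later comparison. The following is an added example, not the lecture's or either tool's code: it snapshots a directory tree (SHA-256, size, permission bits) and reports files that were added, removed or modified since the baseline; the tree it builds under a temporary directory is a constructed sample.

```python
"""Minimal Tripwire/AIDE-style change detector (added example).

A baseline snapshot records, for every regular file, its SHA-256 digest,
size and permission bits. A later snapshot is diffed against it so that
drift in approved software or configuration is caught, which is what
"ensure continued minimization" needs in practice.
"""
import hashlib
import os
import stat
import tempfile


def _digest(path):
    """SHA-256 of a file, read in chunks so large files do not need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to its integrity record."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are not hashed here
            rel = os.path.relpath(full, root)
            records[rel] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return records


def diff_snapshots(baseline, current):
    """Compare two snapshots; 'modified' says which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode")
                   if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(directory, name, text):
    with open(os.path.join(directory, name), "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a tiny 'etc' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        _write(etc, "sshd_config", "MaxAuthTries 3\n")
        _write(etc, "hosts", "127.0.0.1 localhost\n")
        _write(etc, "motd", "authorized use only\n")
        os.chmod(os.path.join(etc, "hosts"), 0o644)
        baseline = snapshot(root)

        # Simulated drift: a same-size edit (only the digest catches it),
        # a permission-only change, a new file, and a removed file.
        _write(etc, "sshd_config", "MaxAuthTries 9\n")
        os.chmod(os.path.join(etc, "hosts"), 0o600)
        _write(etc, "authorized_keys", "ssh-ed25519 CONSTRUCTED-KEY\n")
        os.remove(os.path.join(etc, "motd"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Storing the baseline on a host that can be modified by the same attacker defeats the check; Tripwire and AIDE both recommend keeping the database and the checker binary read-only or off-host.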

Page 31: System Administration
• What must be administered:
  – User accounts – Least Privilege
  – Software
  – Servers
  – Storage
  – Network (next slide)
  – Keys
  – Monitoring
  – Logs and Audit
• Core principles
  – Minimization

Page 32: Network Administration
• Creation of network protection domains
  – Firewalls
  – VLANs
  – VPNs for access
  – IPsec
  – Wireless Management
• Network Monitoring
• Network Admission Control
• Reduction of attack surface

Page 33: Administration vs Development
• Different stages in the system life cycle
  – Administration is concerned with installation, interconnection, configuration, operation, and decommissioning
  – Administration is concerned with the environment
  – Development addresses the ideal architecture of the system
• Depends on assumptions
• Security fails when environmental assumptions are violated.
  – Let’s brainstorm on examples of such assumptions that led to security failures when they no longer held.

Page 34: Your Organization’s Security Policy
• First step – Establish an Organization Security Policy
  – Generally accepted Principles and Practices – NIST 800-14
    http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
  – Guidance in writing a security policy: www.GIAC.org/paper/gsec/734/system-security-policy/101613
• First question for security auditors
• It will guide you in creating categories of data and users
• Reduction of attack surface is one way to think of the security policies that are effective.

Page 35: Points of Policy
[Figure]
• By Axiomatics - Axiomatics, CC BY 3.0, https://commons.wikimedia.org/w/index.php?curid=48397652

Page 36: Plan Your Attacks
• It is important to think like an attacker to best assess your defenses.
  – Look for the overlooked
    • Attackers seek out the weakest links, the forgotten window
  – Consider environmental assumptions
    • Incorrect assumptions create vulnerabilities
  – Weak systems may be used as stepping stones
    • That forgotten system that is unpatched is compromised, then the attacker pivots and attacks from within.
  – Check the integrity of your defenses
    • Attackers may disable defensive measures

Page 37: Attack-Defense Tree Example
[Figure: attack-defense tree]

Page 38: STRIDE
• Acronym for categories of threats:

  Threat                   Security Property at Risk
  Spoofing                 Authentication
  Tampering                Integrity
  Repudiation              Non-repudiation
  Information disclosure   Confidentiality
  Denial of service        Availability
  Elevation of privilege   Authorization

Page 39: Meaning of Each Threat Class
• Spoofing: Impersonating something or someone else
• Tampering: Modifying data or code
• Repudiation: Claiming to have not performed an action
• Information Disclosure: Exposing information to someone not authorized to see it
• Denial of Service: Deny or degrade service to users
• Elevation of Privilege: Gain capabilities without proper authorization

Page 40: STRIDE Steps
• Decompose the system into components
  – May need to recurse down to the necessary level of detail
• Analyze each component for susceptibility to each relevant type of threat
• Develop countermeasures until no component has susceptibility
• Is the system secure?
  – Maybe, but probably not
  – Due to emergent properties of composition
• Does this give higher assurance?
  – Yes, because a flaw in one component affects the entire system

Page 41: Data Flow Diagram (DFD)
• Used to graphically represent a system and its components
• Standard set of elements:
  – Data flows
  – Data stores
  – Processes
  – Interactors
• One more for threat modeling:
  – Trust boundaries

Page 42: Relevant Threats for Elements

                           Interactors   Process   Data Store   Data Flow
  Spoofing                 x             x
  Tampering                              x         x            x
  Repudiation              x             x         *
  Information disclosure                 x         x            x
  Denial of Service                      x         x            x
  Elevation of Privilege                 x

  * Logs held in data stores are usually the mitigation against a repudiation threat. Data stores often come under attack to allow a repudiation attack to work.
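As an added example (not from the lecture), the element table above and the STRIDE steps can be turned into a small checker: each DFD element receives the threats the table assigns to its kind, a flow whose endpoints sit in different trust zones is flagged as crossing a trust boundary, and the threats no countermeasure covers yet are listed with boundary-crossing flows first. The DFD (browser, web app, database, audit log) and the mitigation list are constructed samples.

```python
"""STRIDE-per-element enumeration over a data flow diagram (added example)."""
from dataclasses import dataclass

# Threats the slide table applies to each DFD element kind. Repudiation on a
# data store is the starred case: the logs that mitigate repudiation live
# there, so the store itself becomes a target.
STRIDE_FOR_ELEMENT = {
    "interactor": ("Spoofing", "Repudiation"),
    "process": ("Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"),
    "data_store": ("Tampering", "Repudiation", "Information disclosure",
                   "Denial of service"),
    "data_flow": ("Tampering", "Information disclosure", "Denial of service"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "interactor", "process" or "data_store"
    zone: str   # trust zone; flows between zones cross a trust boundary


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    label: str


def enumerate_threats(elements, flows):
    """Return {name: {"kind", "threats", "crosses_boundary"}} for every
    element and flow. Raises ValueError on unknown kinds or dangling flows."""
    by_name = {}
    for e in elements:
        if e.kind not in STRIDE_FOR_ELEMENT or e.kind == "data_flow":
            raise ValueError(f"{e.name}: unsupported element kind {e.kind!r}")
        by_name[e.name] = e
    report = {e.name: {"kind": e.kind,
                       "threats": list(STRIDE_FOR_ELEMENT[e.kind]),
                       "crosses_boundary": False} for e in elements}
    for f in flows:
        if f.src not in by_name or f.dst not in by_name:
            raise ValueError(f"flow {f.label!r}: unknown endpoint")
        report[f"{f.src} -> {f.dst}"] = {
            "kind": "data_flow",
            "threats": list(STRIDE_FOR_ELEMENT["data_flow"]),
            "crosses_boundary": by_name[f.src].zone != by_name[f.dst].zone,
        }
    return report


def uncovered(report, mitigations):
    """(key, threat) pairs with no countermeasure yet, boundary crossings
    first, so 'develop countermeasures until no component has
    susceptibility' has a worklist to burn down."""
    open_items = [(key, t) for key, entry in report.items()
                  for t in entry["threats"]
                  if t not in mitigations.get(key, ())]
    open_items.sort(key=lambda kt: (not report[kt[0]]["crosses_boundary"], kt))
    return open_items


# Constructed sample DFD and the mitigations assumed to be in place.
SAMPLE_ELEMENTS = [
    Element("browser", "interactor", "internet"),
    Element("webapp", "process", "dmz"),
    Element("db", "data_store", "internal"),
    Element("auditlog", "data_store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("browser", "webapp", "HTTPS request"),
    Flow("webapp", "db", "SQL query"),
    Flow("webapp", "auditlog", "audit record"),
]
SAMPLE_MITIGATIONS = {
    "browser -> webapp": {"Tampering", "Information disclosure"},  # TLS
    "webapp -> db": {"Tampering", "Information disclosure"},       # TLS
    "browser": {"Spoofing"},                 # MFA login
    "webapp": {"Spoofing", "Repudiation"},   # server certificate, audit log
    "auditlog": {"Tampering"},               # append-only store
}


def demo():
    report = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    return report, uncovered(report, SAMPLE_MITIGATIONS)


if __name__ == "__main__":
    for key, threat in demo()[1]:
        print(f"OPEN  {key}: {threat}")
```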

Page 43: Mitigation Choices in Reality
• Redesign
  – Change the design to eliminate threats
  – E.g., reduce elements that touch a trust boundary
• Use standard mitigations
  – Firewalls, validated authentication systems, …
• Use custom mitigations
  – If you are a gambling sort of person
• Accept risk
  – If you think the risk is low, or too expensive to mitigate

Page 44: What is an Adversarial Security Plan?
• An adversarial security plan enables an entity to develop an awareness of their networks and systems in order to protect data, safeguard their operations, and guard their infrastructure.
• Purposes:
  – Predicting intentions and future actions of malicious entities
  – Limit attack surface
  – Assist in developing a containment architecture in case of breach

Page 45: Goals of Attackers: Methodology
• Attackers generally implement the following methodology:
  1. Reconnaissance – Information gathering, What/Who is the target?
  2. Scanning/Enumerating – What is the attack surface? Ex: Access points/open ports, live hosts, accounts, policies, etc.
  3. Gaining Access – Breaching systems, executing malicious software
  4. Maintaining Access – Establishing backdoors, unpatched systems
  5. Clearing Evidence – Decoy traffic, log manipulation, obfuscation of identity

Page 46: Virtualization and Administration
• Issues affecting administration of virtual machines
  – Containment
  – Side Channels
  – Throwaway mentality
  – Stateless machines
  – Privileged remote access
  – Less physical or siloed specialization
  – Relationship to cloud computing

Page 47: Stateless Virtualization
• Tendency to store persistent data on separate services such as NAS.
• Those external services must be considered part of the attack surface.
• Local state such as logs might be lost; use network-based monitoring.

Page 48: Privileges and Virtualization
• Inherent privileges used to be based on access to the console and the physical machine.
• Console access is “remote” when using virtual machines, and thus such access may be available without true physical access.

Page 49: Virtualization and the Cloud
• What happens when you “outsource” administration of your VMs?
  – Policy on assignment to providers
  – Accreditation of providers
  – Need visibility through “information points” in policy evaluation.
  – Side channels are an issue for multi-tenancy.

Page 50: Scanning (cont.)
• Network Scanning
  – Tool to find out the active hosts on the network
  – You select the range of IP addresses and start scanning over the network.
  – It provides information on network devices, including FTP servers and workstations.
• Tools:
  – Advanced IP Scanner (Windows, Mac and Linux)
  – Network Mapper (Nmap, Zenmap)
  – Nessus

Page 51: Scanning (cont.)
• Port Scanning
  – Tool to find out which ports are accessible on a server or a host.
  – Port scanning identifies open doors to a host.
  – Nmap classifies ports in these states:
    • Open
    • Closed
    • Filtered
    • Unfiltered

Page 52: Business Continuity Plan
• The processes and procedures that are carried out by an organization to ensure that essential business functions continue to operate during and after a disaster.
• This type of planning enables them to re-establish services to a fully functional level as quickly and smoothly as possible.
• BCP mostly covers non-IT aspects of business.
• It includes identification of the resources that are needed to maintain business continuity, such as:
  – Critical personnel
  – Key business processes
  – Recovery of vital records
  – Critical suppliers identification
  – Contacts of key vendors and clients.
  – Standby Equipment
  – Legal Help
  – Financials
  – Alternate infrastructure
  – Alternate accommodation, etc.

Material by Vini Gupta, MS Student Summer 2016

Page 53: Intrusion Response Planning
What is an intrusion or incident?
  – An action likely to lead to grave consequences, especially in diplomatic matters
  – Consequences can affect company revenue and business
  – Incident examples
    • Virus
    • Malicious code
    • Trojan horse
    • Espionage

Material by Reshma Ravindran, MS Student Summer 2016

Page 54: Incident Response Plan
Response: An act of responding. Something constituting a reply or a reaction.
  – The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation
  – The output of a transducer or detecting device resulting from a given input.
  – Action taken to prevent or recover from an intrusion occurrence or breach.

Material by Reshma Ravindran, MS Student Summer 2016

Page 55: Material for Final Exam
• Quick overview of material since Quiz 2

Page 56: Secure Network Administration
• Secure Host Administration provides fine-grained control of access to a host’s resources.
• Secure Network Administration assists in controlling access at a coarse level of granularity
  – Not to records or files, but to computers and subnets.
  – At most, limits access to services (by port)
  – Confines access to zones
  – Is a second line of defense, and useful as a stop-gap when vulnerabilities in host infrastructure are discovered.

Page 57: Elements of Secure Network Administration
  – Policy
    • Tells you what access is authorized
    • Should follow analysis of application information flow requirements.
    • Can also specify specific flows that are disallowed.
  – Containment
    • Many tools to contain information.
    • Not all effective.
    • Most available tools support DAC, but MAC is more effective.
  – Monitoring
    • Important to discover unintended paths that are exploited
    • Important to discover insider threats

Page 58: Network Containment Tools
• Firewall
  – Network, Host, Embedded, Application
• Virtual Private Network
  – Encrypted tunnels between zones
• IPsec
  – Encryption and integrity between hosts
• Virtual LANs
  – Layer 2 separation
• Encryption
  – Supports other forms of containment

Page 59: Firewalls
• Network Based
  – Protects (or not) the entire network. Chewy on the inside.
  – Stateful vs stateless
  – Limited basis on which to make decisions.
• Host Based
  – Controls access to resources on a single host
• Embedded
  – On the interface card, but managed separately
• Distributed
  – Single policy (next) implemented at multiple PEPs
• Application
  – No routing of packets, just recreation of application messages.
  – Examples: DNS, Web, Email – configuration.

Page 60: IPSec and IPv6 Security
• IP Security (IPsec) and the security features in IPv6 essentially move VPN support into the operating system and lower layers of the protocol stack.
• Security is host to host, or host to network, or network to network as with VPNs
  – Actually, VPNs are rarely used host to host, but if the network had a single host, then it is equivalent.
• IPsec implementations also implement a host-based firewall (policies on acceptable connections)

Page 61: IPSec Goals
• Authentication of hosts
  – Verify the source of IP packets
  – Prevention of replays
• Verify integrity of packets
  – Through use of hashes and cryptography
• Ensure confidentiality of packets
• Protect the payload
• Enforce policy on communication of endpoints.

Page 62: IPSec Architecture
[Figure: IPSec Security Policy governs three components: ESP (Encapsulating Security Payload), AH (Authentication Header) and IKE (The Internet Key Exchange)]

Page 63: IPsec Architecture
[Figure: Tunnel Mode, shown between two routers, and Transport Mode]

Page 64: Various Packet Formats
[Figure: packet layouts]
  Original:        IP header | TCP header | data
  Transport mode:  IP header | IPSec header | TCP header | data
  Tunnel mode:     IP header | IPSec header | IP header | TCP header | data

Page 65: Authentication Header (AH)
• Provides source authentication
  – Protects against source spoofing
• Provides data integrity
• Protects against replay attacks
  – Uses monotonically increasing sequence numbers
  – Helps protect against DoS attacks
• NO protection for confidentiality!

Page 66: AH Packet Details
[Figure: AH packet layout]
  New IP header | AH: Next header, Payload length, Reserved, Security Parameters Index (SPI), Sequence Number, Authentication Data | Old IP header (only in Tunnel mode) | TCP header | Data
  The encapsulated TCP or IP packet is authenticated; the Authentication Data is the hash of everything else.

Page 67: Encapsulating Security Payload (ESP)
• Provides all that AH offers, and
• in addition provides data confidentiality
  – Uses symmetric key encryption

Page 68

ESP Details

• Same as AH:
– Uses a 32-bit sequence number to counter replay attacks (64-bit extended sequence numbers are also defined)
– Uses integrity check algorithms
• Only in ESP:
– Data confidentiality: uses symmetric key encryption algorithms to encrypt packets

Page 69

ESP Packet Details

Packet layout: IP header | SPI | Sequence Number | Initialization vector | Data (encrypted TCP packet) | Pad | Pad length | Next header | Authentication Data
• Encrypted: Data, Pad, Pad length and Next header (the IV is sent in the clear)
• Authenticated: from the SPI through the Next header field, i.e. the ESP header, the IV and the encrypted payload; the outer IP header is not covered
• Unlike AH, ESP has no Payload length or Reserved fields; its Next header sits in the trailer, so the transport protocol is hidden inside the encrypted part
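The two header layouts above can be checked against real bytes. The following is an added example, not code from the lecture or from any IPsec implementation: it parses the fixed part of an AH header and the SPI/sequence-number part of an ESP packet from constructed byte strings, and implements the receive-side anti-replay window that the sequence number feeds (following the scheme in RFC 4303, section 3.4.3). The 12-byte ICV length is an assumption matching HMAC-MD5-96; the keyed integrity check itself needs the SA's key and is deliberately left out.

```python
"""Parse AH/ESP headers from raw bytes and run a receive-side anti-replay window.

Added example for the lecture slides above; not part of the original deck.
Sample packets are constructed inline. ICV verification needs the SA's key
and is left out: this shows the field layout and the replay check only.
"""
import struct

AH_FIXED = struct.Struct("!BBHII")   # next header, payload len, reserved, SPI, sequence number


def parse_ah(buf: bytes) -> dict:
    """Return the fields of an AH header (RFC 4302 section 2)."""
    next_hdr, payload_len, reserved, spi, seq = AH_FIXED.unpack_from(buf)
    # Payload length counts 32-bit words of the whole AH minus 2, so the
    # header is (payload_len + 2) * 4 bytes; the ICV fills everything
    # after the 12-byte fixed part.
    total_len = (payload_len + 2) * 4
    return {
        "next_header": next_hdr,
        "header_len": total_len,
        "spi": spi,
        "seq": seq,
        "icv": buf[AH_FIXED.size:total_len],
        "reserved_ok": reserved == 0,
    }


def parse_esp(buf: bytes, icv_len: int) -> dict:
    """Split an ESP packet (RFC 4303 section 2) into header, protected body and ICV.

    Only SPI and sequence number are readable without the key; pad,
    pad length and next header sit inside the encrypted body.
    """
    spi, seq = struct.unpack_from("!II", buf)
    return {
        "spi": spi,
        "seq": seq,
        "encrypted_body": buf[8:len(buf) - icv_len],   # IV (in the clear) + ciphertext
        "icv": buf[len(buf) - icv_len:],
    }


class ReplayWindow:
    """Sliding-window replay check for an AH/ESP receiver.

    `top` is the highest sequence number accepted so far; bit i of
    `bitmap` records whether sequence number top - i has been seen.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def accept(self, seq: int) -> bool:
        if seq == 0:                        # 0 is never transmitted on an SA
            return False
        if seq > self.top:                  # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:             # older than the window: drop
            return False
        if self.bitmap & (1 << offset):     # already received: replay
            return False
        self.bitmap |= 1 << offset
        return True


# --- constructed sample packets (not captured traffic) ---
SAMPLE_AH = AH_FIXED.pack(6, 4, 0, 12, 1) + b"\xaa" * 12   # TCP inside, SPI 12, seq 1, 96-bit ICV
SAMPLE_ESP = struct.pack("!II", 14, 7) + b"\x11" * 8 + b"\x22" * 24 + b"\xbb" * 12


def replay_demo(seqs):
    """Feed a sequence-number stream through one window; True means accepted."""
    window = ReplayWindow()
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    print(parse_ah(SAMPLE_AH))
    print(parse_esp(SAMPLE_ESP, icv_len=12))
    print(replay_demo([1, 2, 3, 2, 70, 5, 7, 7, 0]))
```

In the replay stream, the repeated 2 and 7 are rejected as duplicates, 5 is rejected because a packet with sequence number 70 has already moved the 64-entry window past it, and 0 is rejected outright. A receiver must only mark a sequence number as seen after the ICV has verified, otherwise an attacker could poison the window with forged packets.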

Page 70

Internet Key Exchange (IKE)

• Exchange and negotiate security policies
• Establish security sessions
– Identified as Security Associations
• Key exchange
• Key management
• Can be used outside IPsec as well

Page 71

IPsec/IKE Acronyms

• Security Association (SA)
– Collection of attributes associated with a connection (protocol, mode, algorithms, keys, lifetime)
– Is unidirectional: one SA for inbound traffic, another SA for outbound traffic
– Similar to ciphersuites in SSL
• Security Association Database (SADB)
– A database of SAs

Page 72

IPsec/IKE Acronyms

• Security Parameter Index (SPI)
– A 32-bit value carried in the AH or ESP header
– Together with the destination address and protocol, identifies the SA (the SADB entry) associated with a packet
• Security Policy Database (SPD)
– Stores the policies that say which traffic is discarded, bypassed, or protected, and how (protocol, mode, algorithms); these policies drive the SAs that IKE establishes

Page 73

How They Fit Together

[Figure: an SPD entry selects the policy for a flow; the policy points into the SADB, where each SA (SA-1, SA-2) is identified by its SPI]

Page 74

SPD and SADB Example

[Figure: host A talks to host B in transport mode; gateway C, in front of subnet Asub, tunnels to gateway D, in front of subnet Bsub]

A's SPD:
From | To | Protocol | Port | Policy
A | B | Any | Any | AH[HMAC-MD5], transport mode

A's SADB:
From | To | Protocol | SPI | SA Record
A | B | AH | 12 | HMAC-MD5 key

C's SPD:
From | To | Protocol | Port | Policy | Tunnel Dest
Asub | Bsub | Any | Any | ESP[3DES], tunnel mode | D

C's SADB:
From | To | Protocol | SPI | SA Record
Asub | Bsub | ESP | 14 | 3DES key
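The lookup these tables describe, as an added example rather than code from the lecture: an ordered SPD whose selectors pick a policy, and an SADB of unidirectional SAs keyed by protocol and SPI. The addresses are assumptions made for illustration (A = 10.0.0.1, B = 10.0.0.2, Asub = 10.1.0.0/24, Bsub = 10.2.0.0/24, D = 192.0.2.2), and the inbound SA with SPI 21 on host A is added because the slide lists only the outbound one.

```python
"""SPD/SADB lookup model for the example above (added example, not lecture code).

Addresses, keys and the inbound SA are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SPDEntry:
    src: str                     # selector: host address or CIDR
    dst: str
    proto: str                   # "any", "tcp", "udp", ...
    port: Optional[int]          # None means any port
    action: str                  # "protect", "bypass" or "discard"
    ipsec_proto: str = ""        # "AH" or "ESP" when action == "protect"
    algorithm: str = ""
    mode: str = ""               # "transport" or "tunnel"
    tunnel_dst: Optional[str] = None

    def matches(self, src, dst, proto, port) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


@dataclass
class SA:
    spi: int
    ipsec_proto: str
    algorithm: str
    key: bytes
    direction: str               # "out" or "in": an SA protects one direction only
    peer: str                    # remote host, or the tunnel endpoint in tunnel mode


class IPsecNode:
    def __init__(self, spd, sas):
        self.spd = list(spd)                                   # ordered; first match wins
        self.sadb = {(sa.ipsec_proto, sa.spi): sa for sa in sas}

    def outbound(self, src, dst, proto, port):
        """Decide what happens to an outgoing packet: (action, SA or None)."""
        for entry in self.spd:
            if not entry.matches(src, dst, proto, port):
                continue
            if entry.action != "protect":
                return entry.action, None
            peer = entry.tunnel_dst or dst
            for sa in self.sadb.values():
                if sa.direction == "out" and sa.peer == peer and sa.ipsec_proto == entry.ipsec_proto:
                    return "protect", sa
            return "needs-ike", None        # policy requires protection but no SA exists yet
        return "discard", None              # no matching policy: RFC 4301 default is discard

    def inbound(self, ipsec_proto, spi):
        """Find the SA for a received AH/ESP packet by (protocol, SPI)."""
        sa = self.sadb.get((ipsec_proto, spi))
        return sa if sa and sa.direction == "in" else None


# --- A: host-to-host AH in transport mode (the slide's A -> B row) ---
HOST_A = IPsecNode(
    spd=[SPDEntry("10.0.0.1", "10.0.0.2", "any", None, "protect", "AH", "HMAC-MD5", "transport")],
    sas=[SA(12, "AH", "HMAC-MD5", b"\x01" * 16, "out", "10.0.0.2"),
         SA(21, "AH", "HMAC-MD5", b"\x02" * 16, "in", "10.0.0.2")],   # inbound SA: assumed
)

# --- C: gateway tunnelling Asub -> Bsub to gateway D with ESP (the slide's C rows) ---
GATEWAY_C = IPsecNode(
    spd=[SPDEntry("10.1.0.0/24", "10.2.0.0/24", "any", None, "protect", "ESP", "3DES", "tunnel",
                  tunnel_dst="192.0.2.2")],
    sas=[SA(14, "ESP", "3DES", b"\x03" * 24, "out", "192.0.2.2")],
)

if __name__ == "__main__":
    print(HOST_A.outbound("10.0.0.1", "10.0.0.2", "tcp", 22))
    print(GATEWAY_C.outbound("10.1.0.5", "10.2.0.9", "udp", 53))
    print(GATEWAY_C.outbound("10.1.0.5", "10.3.0.1", "tcp", 80))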

Page 75

What is a VLAN?

• A virtual local area network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location.

Page 76

VLAN-based LAN

• By using VLANs, the same users can be spread over various geographical locations and still remain in the same IP subnet (broadcast domain).

Page 77

Network Policy Management

• Telling containment technologies what to allow
• Coordinated policy management is important
• Commercial tools to manage multiple firewalls
– E.g. Redseal Networks http://www.redsealnetworks.com/files/RedSeal_Corporate_Brochure_02172014.pdf
– Many other tools
• Distributed firewalls
– Distributed embedded firewalls (Adventium Labs)
– One PAP and PSP, but multiple PEPs and PDPs
– Firewall on network cards, but not managed by the host; instead managed centrally.

Page 78

Configuration Management

A process for consistently establishing and maintaining the characteristics of the components of a system that are relevant for the proper functioning of the system.
– Proper functioning includes:
• Security
• Updates and security patches
• Detection and prevention of unauthorized changes
– Components include all system assets:
• Hardware
• Software
• Credentials
• Licenses
– Characteristics include:
• Accounts
• Settings
• Policies

Page 79

Purpose of CM

• To maintain consistency of a system and its attributes with a technical baseline over the system's life.
• CM is part of a system's security assurance cycle.
• Reduce the management workload for a collection of systems.
• Reduce the attack surface of a collection of systems by reducing the differences between individual systems within the collection.

Page 80

It Starts with an Inventory

• Catalog of systems
– What is approved for connection
• Prevent access by uncatalogued systems
– For each system:
• Serial number, tag, MACs, IPs
• Location, owner, admin
• Make/model, hardware features
• Include routers, hubs, printers and other network attached items
• Purpose
• Software (OS, patches, applications, etc.)

Page 81

It Starts with an Inventory

• Catalog of software
– What is approved for use
• Detect unauthorized installs
– For each package:
• Name, version, patch level
• Checksum
• License information
• System requirements
• Security considerations/implications
• Anything else

Page 82

Technical Aspects of CM

• Dependency managers
– Linux package managers
• Patch management
– Software update options
– Software update center (Linux)
– Windows updates
– App stores
• Special tools
– Secunia, others (later)
• New attack vectors
– When to update

Page 83

Automated Tools Detection: Tripwire

• Open source and enterprise versions, developed by Tripwire, Inc.
– Two versions; the open source version is not maintained or upgraded
• Detects changes to file system objects
• When first initialized, it scans the file system and stores information in a database. Later, the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user by email.

Slide by Fumiko Uehara, INF526 Students Summer 2016

Page 84

File Integrity Monitoring

• The act of validating the integrity of operating system and application software files
• Calculate file signatures (hash values) and compare them to a baseline
• Should be performed periodically, and the baseline itself must be kept where an intruder on the monitored host cannot rewrite it (read-only media, a signed file, or another host)

Slide by Fumiko Uehara, INF526 Students Summer 2016
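The initialize-then-compare cycle that the Tripwire slide describes and the hash-against-baseline check on this slide, as one added example (not code from Tripwire, AIDE or the lecture). The fingerprint covers content hash plus ownership and mode, so a trojaned binary, a permission change and a dropped tool are all reported; the demo builds a throw-away directory tree and tampers with it, so nothing on the real system is touched. The file names in the demo are constructed.

```python
"""File integrity monitor in the Tripwire/AIDE style (added example, not the tools' code).

Builds a baseline of hash + metadata for every file under a root, then
reports files that were added, removed or modified.  The demo creates a
throw-away tree and tampers with it; nothing on the real system is touched.
"""
import hashlib
import json
import os
import stat
import tempfile


def fingerprint(path: str) -> dict:
    """Hash the content and record the metadata an attacker is likely to change."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(root: str) -> dict:
    """Map each path (relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(root: str, baseline: dict) -> dict:
    """Rescan root and diff it against a stored baseline."""
    current = build_baseline(root)
    seen, known = set(current), set(baseline)
    return {
        "added": sorted(seen - known),
        "removed": sorted(known - seen),
        "modified": sorted(p for p in seen & known if current[p] != baseline[p]),
    }


def save_baseline(baseline: dict, path: str) -> None:
    # In production the baseline must live where the monitored host cannot
    # rewrite it: read-only media, a signed file, or another machine.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/ls": b"ELF ls", "bin/ps": b"ELF ps",
                 "shadow": b"root:*:0", "hosts": b"127.0.0.1 localhost"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        db_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db_path)

        # Tampering: trojaned binary, dropped tool, deleted file, permission change.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ELF ps + hidden process filter")
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"ELF nc")
        os.remove(os.path.join(root, "shadow"))
        os.chmod(os.path.join(root, "bin/ls"), 0o700)   # content unchanged, mode changed
        return compare(root, load_baseline(db_path))    # "hosts" is untouched and not reported


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The mode-only change to bin/ls shows why a hash alone is not enough: a setuid bit or world-writable permission leaves the content hash intact. Running the scan from a cron job on the host is the common deployment, but as the slide on monitoring from the outside notes, the report and the baseline should leave the host promptly, since root on a compromised machine can edit both.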

Page 85

Open Source Integrity Tools

• Tripwire (some versions)
– runs on Linux
• AFICK
– Another File Integrity ChecKer
– Perl based; deployable on Windows, Linux, Unix, Solaris
• AIDE
– Advanced Intrusion Detection Environment
– runs on Linux

Slide by Fumiko Uehara, INF526 Students Summer 2016

Page 86

Where Detection Occurs

• Events visible in the network
– New network peer entities are evidence
– Significant change in frequency or bandwidth is evidence
• Events on the compromised system
– Changes to system binaries are evidence of subversion
– Changes to accounts and privileges are evidence
– Changes to the running processes and CPU share are evidence
– Creation of new files is evidence
• The above are anomalies, and an administrator's role is to sort through them.

Page 87

Events Visible in the Network

• Network monitoring uses a system to monitor a computer network for abnormalities and notifies an administrator or other system components when an issue is identified.
– Enterprise health monitoring
• Network monitoring tools allow us to see the devices connected to our network and the traffic between them.
• Packet analyzers can capture network traffic for viewing through an event management system.
• Such data is useful for intrusion detection.

Page 88

Deployment of Network Monitoring

Switch spanning port
• Can miss traffic during burst periods
Network tap
• Usually a temporary/emergency solution
• Not commonly found; used when options A & C are not possible
Inline
• Makes all network connectivity dependent on sensor health
Other
• Bottom line: your network monitoring device must be deployed in a way that enables it to see/monitor all relevant traffic.

Slide by Josh McCamey, INF526 Summer 2016

Page 89

Summary of Network Monitoring

There are multiple focuses of network monitoring
– Focus on health
– Internally vs. externally geared
– All play a role in secure systems administration
Works either by actively inquiring about network devices or by passively observing
– Ping and inquiries
– Packet inspection/recording/analysis
Many different ways for admins to interact with systems and receive notifications
– Advanced visualization
– Notifications, automated response
A tool for every use case (including frameworks to build your own)
Can be as high-level or as granular as you need
Close relationship between monitoring and IDS/forensics

Slide by Josh McCamey, INF526 Summer 2016

Page 90

Intrusion Detection

• Signature based
– Specific characteristics of known attacks and attack tools are maintained, and network based IDSs scan traffic looking for these patterns.
– Host based IDSs scan the system looking for these patterns.
– Administrator installs the IDS and keeps signatures up to date.
• Anomaly based
– In the examples from the previous slide many anomalous events will be normal or innocuous.
– Administrator must add to the patterns of normal events or become overwhelmed with false positives.
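Both approaches on this slide, and the network evidence listed under "Where Detection Occurs" (new peers, changed bandwidth), in one added example that is not code from the lecture or from any IDS product. The log lines and flow records are constructed; the signature rules and the "three times the baseline maximum" threshold are assumptions chosen for the demo.

```python
"""Signature-based and anomaly-based detection over constructed sample data.

Added example for the lecture slides on intrusion detection and on events
visible in the network; the log lines and flow records below are made up.
"""
import re
from collections import Counter, defaultdict

# --- constructed syslog-style lines (not from a real host) ---
SAMPLE_LOGS = """\
Apr 27 10:01:02 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Apr 27 10:01:07 web1 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 40210 ssh2
Apr 27 10:01:09 web1 sshd[2241]: Failed password for root from 203.0.113.9 port 40211 ssh2
Apr 27 10:01:11 web1 sshd[2242]: Failed password for invalid user test from 203.0.113.9 port 40212 ssh2
Apr 27 10:01:13 web1 sshd[2243]: Failed password for root from 203.0.113.9 port 40213 ssh2
Apr 27 10:01:15 web1 sshd[2244]: Failed password for invalid user oracle from 203.0.113.9 port 40214 ssh2
Apr 27 10:02:01 web1 httpd: 198.51.100.7 "GET /index.html HTTP/1.1" 200
Apr 27 10:02:03 web1 httpd: 198.51.100.7 "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404
Apr 27 10:02:30 web1 sshd[2250]: Failed password for alice from 10.0.0.8 port 50001 ssh2
""".splitlines()

# Signature rules: each pattern encodes a characteristic of a known attack.
SIGNATURES = [
    ("ssh-auth-failure", re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+)")),
    ("path-traversal", re.compile(r'httpd: (?P<ip>[\d.]+) "(?:GET|POST) \S*(?:\.\./){2,}\S* HTTP')),
]


def signature_scan(lines):
    """Return (rule name, source ip, line) for every line that matches a signature."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES:
            m = pattern.search(line)
            if m:
                hits.append((name, m.group("ip"), line))
    return hits


def brute_force_sources(hits, threshold=5):
    """Threshold rule layered on the signature: many failures from one IP."""
    counts = Counter(ip for name, ip, _ in hits if name == "ssh-auth-failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# --- constructed flow summaries: (host, peer, bytes) per observation period ---
BASELINE_FLOWS = [
    ("web1", "10.0.0.20", 1_200_000), ("web1", "10.0.0.20", 900_000),
    ("web1", "10.0.0.20", 1_100_000), ("web1", "10.0.0.53", 40_000),
    ("web1", "10.0.0.53", 35_000), ("web1", "10.0.0.53", 42_000),
]
CURRENT_FLOWS = [
    ("web1", "10.0.0.53", 38_000),            # normal DNS volume
    ("web1", "10.0.0.20", 5_000_000),         # known database peer, far above its baseline
    ("web1", "198.51.100.200", 60_000_000),   # never-seen peer, large transfer
]


def learn_profile(flows):
    """Per (host, peer): the largest byte count seen during the baseline period."""
    profile = defaultdict(int)
    for host, peer, nbytes in flows:
        profile[(host, peer)] = max(profile[(host, peer)], nbytes)
    return dict(profile)


def anomaly_scan(profile, flows, factor=3.0):
    """Flag unknown peers, and known peers whose volume exceeds factor x baseline max."""
    new_peers, spikes = [], []
    for host, peer, nbytes in flows:
        key = (host, peer)
        if key not in profile:
            new_peers.append((host, peer, nbytes))
        elif nbytes > factor * profile[key]:
            spikes.append((host, peer, nbytes))
    return {"new_peers": new_peers, "volume_spikes": spikes}


if __name__ == "__main__":
    hits = signature_scan(SAMPLE_LOGS)
    print(f"{len(hits)} signature hits; brute force from {brute_force_sources(hits)}")
    print(anomaly_scan(learn_profile(BASELINE_FLOWS), CURRENT_FLOWS))
```

The signature side is precise but only knows what it was told: the lone failure from alice at 10.0.0.8 is reported as a hit yet never crosses the brute-force threshold. The anomaly side needs no attack knowledge, but a legitimate new backup server would be flagged exactly like 198.51.100.200; as the slide says, the administrator has to fold such peers into the profile or drown in false positives.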

Page 91

Visualizing the Data

• Security Incident Event Management (SIEM)
– Collects data from many sources
• Host, network, and application
– Converts data into a common database format
– Enables search and analysis of the collected data
– Provides visualization tools that allow one to drill down into the data and query for statistics from its database of events.
– Examples: OSSIM (open source), QRadar, and many other commercial products. Snort, often listed alongside them, is a network IDS whose alerts are one of the sources a SIEM collects.

Page 92

Monitoring from the Outside

• If sensors are on the affected system, send data to the SIEM as soon as possible.
– Actions leading to a breach are moved off the system before the breach compromises reporting.
• Monitor from the host OS/hypervisor
– A breach of the guest does not affect such reporting.
• Monitor network activity through an appliance or embedded device.
– Requires compromise of a separate device to subvert reporting.

Page 93

Taking Action

• The purpose of intrusion detection is to provide the administrator with actionable intelligence.
– Actions are taken based on that insight.
• Actions
– Shut down the affected systems
– Restore to a known state
– Block access from parts of the internet
• Some actions can be taken automatically
– Simply closing a vulnerability might be too late.

Page 94

SIEM and Beyond
http://www.networkworld.com/article/3145408/security/goodbye-siem-hello-soapa.html

Security Operations and Analytics (Platform Architecture)

An evolution, not something different. It's all about detection in one form or another.

Intrusion detection: originally monolithic.
SIEM: management of data about incidents and events.
– Rules defined processing to identify the current state and intrusions.
– Provided the ability to drill down into the data to investigate.
Analytics are the tools (including big data) that allow us to reason about the collected data.

Page 95

What is SIEM Currently

While originally expanded as "Security Incident and Event Management", many currently expand the acronym as "Security Information and Event Management".
– That is because most of the activities revolve around the management of security information.
• Collecting data from logs
• Collecting data from sensors
• Creating a common format to represent such data
• Storing such data
– User interfaces for visualizing this stored data
– Simple rules/signatures for prompting notification
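The "common format" step is what makes the simple rules on this slide (and the cross-source search on the previous SIEM slides) possible. The following added example, which is not code from the lecture or from any SIEM product, normalizes three constructed sources (an sshd syslog line, a firewall CSV line and a JSON application log) into one event schema, merges them into a single timeline, and runs one rule across sources. The schema, the CSV column order and the year assumed for the syslog timestamps are all assumptions made for the demo.

```python
"""Normalize events from three source formats into one schema, then run a
simple cross-source rule.  Added example for the SIEM slides; the sample
records are constructed and the schema is an assumption, not a product's.
"""
import json
import re
from datetime import datetime, timezone

YEAR = 2017  # syslog lines carry no year; assumed for the constructed samples

# Source 1: syslog from sshd (constructed)
SYSLOG = [
    "Apr 27 10:05:07 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 41000 ssh2",
    "Apr 27 10:05:40 web1 sshd[2305]: Accepted password for deploy from 203.0.113.9 port 41002 ssh2",
]
# Source 2: firewall log as CSV: time,device,action,src,dst,dport (constructed layout)
FIREWALL_CSV = [
    "2017-04-27T10:04:58Z,fw1,deny,203.0.113.9,10.0.0.10,22",
    "2017-04-27T10:05:05Z,fw1,allow,203.0.113.9,10.0.0.10,22",
]
# Source 3: application log, JSON lines (constructed)
APP_JSON = [
    '{"ts": "2017-04-27T10:06:10Z", "app": "portal", "event": "login", '
    '"user": "deploy", "src_ip": "203.0.113.9", "result": "success"}',
]

SYSLOG_RE = re.compile(r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>[\d:]+) (?P<host>\S+) "
                       r"(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def _iso(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day'].strip()} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    event = {"ts": ts, "source": "syslog", "host": m["host"], "category": m["prog"],
             "src_ip": None, "user": None, "outcome": None, "raw": line}
    s = SSH_RE.search(m["msg"])
    if s:   # sshd auth messages map onto the common auth fields
        event.update(category="auth", src_ip=s["ip"], user=s["user"],
                     outcome="success" if s["result"] == "Accepted" else "failure")
    return event


def normalize_firewall(line):
    ts, host, action, src, _dst, _port = line.split(",")
    return {"ts": _iso(ts), "source": "firewall", "host": host, "category": "network",
            "src_ip": src, "user": None, "outcome": "allow" if action == "allow" else "deny",
            "raw": line}


def normalize_app(line):
    rec = json.loads(line)
    return {"ts": _iso(rec["ts"]), "source": "app", "host": rec["app"],
            "category": "auth" if rec["event"] == "login" else rec["event"],
            "src_ip": rec.get("src_ip"), "user": rec.get("user"), "outcome": rec.get("result"),
            "raw": line}


def collect():
    """All sources in one schema, ordered into a single timeline."""
    events = ([normalize_syslog(l) for l in SYSLOG]
              + [normalize_firewall(l) for l in FIREWALL_CSV]
              + [normalize_app(l) for l in APP_JSON])
    return sorted(events, key=lambda e: e["ts"])


def rule_deny_then_success(events, window_minutes=10):
    """Alert when an IP the firewall blocked soon afterwards authenticates successfully anywhere."""
    alerts, first_deny = [], {}
    for e in events:
        if e["source"] == "firewall" and e["outcome"] == "deny":
            first_deny.setdefault(e["src_ip"], e["ts"])
        elif e["category"] == "auth" and e["outcome"] == "success" and e["src_ip"] in first_deny:
            if (e["ts"] - first_deny[e["src_ip"]]).total_seconds() <= window_minutes * 60:
                alerts.append((e["src_ip"], e["user"], e["host"], e["source"]))
    return alerts


if __name__ == "__main__":
    timeline = collect()
    for e in timeline:
        print(e["ts"].isoformat(), e["source"], e["category"], e["src_ip"], e["user"], e["outcome"])
    print(rule_deny_then_success(timeline))
```

No single source could raise this alert: the firewall only sees a blocked port probe, sshd only sees one failure followed by a success, and the portal only sees a normal login. Note also that the rule is only as good as the timestamps; mixed time zones and unsynchronized clocks across sources are the most common reason such correlations silently miss.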

Page 96

What is SIEM useful for

• It is the evolved state of previous work in intrusion detection.
• It is very useful for manual forensics, as a central repository of all "artifacts".
• It is a source of data that may be used for more advanced detection and diagnosis.

Page 97

Enter SOAPA

Do we need a new name? No
Did we need a new name when SIEM came around? No
But marketers always want something new, so...

Security Operations and Analytics Platform Architecture
– Goal is to support AI, machine learning, neural networks, and similar "Big Data", "Data Science", and "Data Analytics" approaches to provide insight on the data.

Page 98

Accreditation and Acceptance Testing

• Accreditation is used to rely on a third party to assess the security of a system for a particular application or environment.
• Acceptance testing is a set of tests that you perform yourself before agreeing that a system has been deployed/implemented according to your system requirements.

Page 99

Report Out for Teams

• Each group should prepare a report describing:
– User documentation for their application (high level)
– Their network and server architecture (what servers are on what VMs and how they are interconnected)
– A risk assessment/vulnerability analysis enumerating the risks, explaining the mitigation of those risks, and listing those threats that are not defended against (i.e. where you accept the risks).
– A description of the steps taken for pen testing of your system.
• Each group will have 20 minutes to present, and then 20 minutes to demonstrate their project. We will have 20 minutes following the presentations and demonstrations for limited pen-testing.