Security Incidents
Transcript of Security Incidents
Building an Enterprise IT Security Management System
Belsis A. Meletis, Information Security Consultant
MPhil / MSc / BSc, CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA
Information Enterprises
Enterprises base their correct operation almost solely on information. To maximise the efficient handling of information, they use complex IS/IT infrastructures.
These infrastructures can be localised or geographically dispersed, allowing users to access them locally or remotely.
New technologies like mobile devices and PDAs increase the complexity of these infrastructures even further.
Information Security for Enterprises
Security threats targeting these infrastructures can be internal or external.
Adversaries use a number of techniques to attack corporate information for fun and profit.
Examples include computer viruses, Denial of Service attacks, buffer overflows and social engineering.
Security Architectures
To provide adequate security for the modern enterprise, security architectures need to be deployed.
These include security technologies, tools and policies that interoperate to provide “total” security.
These must work transparently from the rest of the system and be able to follow the enterprise's culture and future changes.
Managing Security Architectures
[Diagram: an example enterprise security architecture managed from an Enterprise Security Management Console: Internet connection through a router and firewalls, a DMZ holding the web server and email server, Ethernet segments protected by IDS and antivirus, a RADIUS server, a file/data server, and local and remote clients.]
There are a number of security products that allow experts to provide central management over large security architectures.
Unfortunately, the models behind these products fail to interoperate with the existing enterprise models.
Most of these products handle only specific parts of the enterprise security architecture. An example of this is the enterprise security history, which is a vital part of any modern security infrastructure but which most current products do not incorporate in their models.
Our Proposal
We propose the use of a new enterprise model: the Enterprise IT Security Data Model.
The new model will be used as the base for the development of an ESM software package.
The new model differs from existing ones in that it includes the description of the totality of an enterprise security architecture, including the enterprise’s security history.
The proposed model includes clear links to the other enterprise modelling frameworks, to allow interoperability with the other enterprise business products. To succeed in this, the new development follows the Zachman framework.
Proposed Model
The main entities of the model are: Departmental Structure, Employee Infrastructure, Information Infrastructure, IT Infrastructure, Physical Security, IT Security, Risks, Security Policy and Security History.
[Diagram: entity relationships between Enterprise Departmental Structure, Enterprise Employee Infrastructure, Enterprise Information Infrastructure, Enterprise IT Infrastructure, Enterprise IT Security, Enterprise Physical Security, Enterprise Security History, Enterprise Security Policy and Enterprise Risks.]
Recording Incident History
The incident history model has been decomposed and tested.
The incident history was selected because current ESM products neglect this important part of security.
An earlier version of the incident model was presented at IFIP/Sec 2002 in Cairo.
Deploying the ESM System
The implementation follows the logical and physical distribution that an enterprise follows.
CORBA has been extensively proposed for accessing distributed data models.
CORBA will bring to the system the required transparency, efficiency and security.
The system incorporates an NLIDB server. The server will allow for the easy execution of smart queries.
[Diagram: ESM system deployment. The Web Client 1) authenticates to the CSIRT Web Server with X.509 and 2) downloads a Java applet; 3) the user's natural English query is executed by the NLIDB, which 4) executes an SQL query on the DBMS; the DBMS 5) finds the data and 6) returns the result; 7) the NLIDB returns the results and 8) the formatted result is returned to the client. The Security Management Console, the security database and the security devices communicate over an ORB using TCP/IP and HTTP.]
Deploying the ESM System
Using CORBA, security specialists can access and manage the system through a web-based interface or using specific clients that are integrated into the management console.
CORBA’s Security Service can provide adequate security for the purpose of this system.
CORBA’s architecture allows a security expert to change specific security processes without affecting the rest of the system.
The inclusion of an NLIDB server allows experts to execute smart queries on the security architecture using plain English.
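The NLIDB step (natural English question in, SQL query out, result back) is the one place where free text from a client reaches the security database, so the translation layer decides whether the history can be queried safely. The following added example, not code from the presentation, sketches a restricted translator over a hypothetical incident-history table: recognised phrases select fixed predicates, and the matched values travel only as bound parameters, never as SQL text.

```python
import re
import sqlite3

# Hypothetical incident-history table, not the presentation's data model.
SCHEMA = """CREATE TABLE incident (
    id INTEGER PRIMARY KEY,
    reported TEXT NOT NULL,      -- ISO date, compares lexicographically
    department TEXT NOT NULL,
    kind TEXT NOT NULL,
    asset TEXT NOT NULL)"""

# Constructed sample history for the demonstration.
SAMPLE = [
    ("2002-03-04", "finance", "virus", "file server"),
    ("2002-05-19", "finance", "dos", "web server"),
    ("2002-06-01", "sales", "social engineering", "remote client"),
    ("2002-07-22", "finance", "virus", "local client"),
]

# Each recognised phrase maps to a fixed predicate; the captured value becomes a parameter.
FILTERS = [
    (re.compile(r"\bin (?:the )?(\w+) department\b"), "department = ?"),
    (re.compile(r"\b(virus|dos|buffer overflow|social engineering) incidents?\b"), "kind = ?"),
    (re.compile(r"\bsince (\d{4}-\d{2}-\d{2})\b"), "reported >= ?"),
]

def open_history():
    """In-memory security database loaded with the constructed sample incidents."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO incident(reported, department, kind, asset) VALUES (?,?,?,?)", SAMPLE)
    return con

def translate(question):
    """Map a restricted English question to (sql, params); no question text is spliced into the SQL."""
    text = question.lower()
    clauses, params = [], []
    for pattern, predicate in FILTERS:
        match = pattern.search(text)
        if match:
            clauses.append(predicate)
            params.append(match.group(1))
    sql = "SELECT reported, department, kind, asset FROM incident"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY reported", params

def ask(con, question):
    """Steps 3 to 7 of the deployment diagram: translate, execute with bound parameters, return rows."""
    sql, params = translate(question)
    return con.execute(sql, params).fetchall()
```

Anything the grammar does not recognise is simply ignored rather than passed through, so a question that carries stray quotes or operators narrows to the phrases that did match instead of altering the query.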
Conclusions
This research aims at the development of a new ESM product.
The new product will differ substantially from the existing ones in that it manages the totality of the security architecture and provides clear links with the rest of the enterprise's models.
Until now the base for the development of this product has been developed. Some work has also been done on the way the product will be deployed.
Thank You