Centralized Security Event Management Chris Workman Associate Director
- Slides: 20
Centralized Security Event Management Chris Workman Associate Director, UGA Office of Information Security, CISSP Alex Merck Security Analyst, UGA Office of Information Security
Problems we face Attacks > defense 80, 000 devices on our network ~50, 000 users SOC staff of 4. 5 UGA IT is decentralized ~160 departments Departmental IT contacts have different skill levels 2
Threat Severe x Vulnerability Critical x Impact Sensitive, Restricted Critical High Internal High-Priority Elevated Medium Public Supportive Low None 3
Response SIEM • Security Information and Event Manager Centralized Services • Anti. Virus • Vulnerability Scanner • DLP • Firewall 4
Anti. Virus IDP Fire. Eye Firewall SNORT Bro DNS Departmental devices • Ne. Xpose • Departmental Nessus Impact • • Vulnerabilities Threats Intelligence is needed to weigh risks • ASSETs • DLP • SSNCap • Manual reporting 5
Incident Actions Notification Alarm Ignore True Positive Unknown False Positive 6
7
8
9
Notification 2012 -02 -09 17: 58: 52 128. 192. x. 6 0. 0 2012 -02 -06 13: 18: 56 128. 192. x. 6 98. 139. 135. 21 Office. Scan Virus: Failed to Clean or Quarantine Mal_Hifrm snort: "ET DROP Known Bot C&C Server Traffic TCP (group 243) " Malicious Domain Lookup img 717. imageshack. us malicious domain aggressive 2012 -02 -01 13: 05: 25 207. 171. 162. 95 128. 192. x. 6 snort: "SPECIFIC-THREATS Microsoft IE malformed iframe buffer overflow attempt 2012 -02 -01 14: 48: 36 128. 192. x. 6 0. 0 10
Alarms 11
12
Correlation Directive 13
Multi-tenancy 14
Resulting Actions Notice of incident sent to department or student Repeat offenders blocked SOC Incident Response Team handles critical incidents • • Containment Remediation Resolution Closure 15
Measuring Success • Incidents identified up from ~150/month 24 months ago to ~350/month • Critical incidents still between one and two per month, but turnaround time reduced from 5 days to 1. 5; due to data availability, forensics capability 16
Sharing Directives Business logic based on incidents • Question/answer pair incident Vendor agnostic • SIEM log correlation, and resulting action 17
How do we get there? Selecting a SIEM Use cases Functionality • Look at vendors • Off-the-shelf features • Ability for customization • Automated alerts to departments • Elevated alerts to SOC • Multi-tenancy • Designate logs sources • AV, SNORT • DLP 18
Questions?
Contact Info Chris Workman • Associate Director, UGA Office of Information Security, CISSP • cworkman@uga. edu Alex Merck • Security Analyst, UGA Office of Information Security • alexm@uga. edu 20
- Chris workman the office
- What is an associate director
- Private security
- Workman approved by god
- Breit workman
- Workman need not be ashamed
- Farienhight
- A workman approved by god
- Centralized multinational financial management
- Centralized image management
- Difference between near miss and unsafe condition
- Simple and compound events examples
- Independent or dependent
- Dependent events examples
- 5 w's of event management
- Bridge breaks in central java the text tells us about
- Language features of news item text
- Palmers six images of change management
- National special security event list
- Centralized leadership
- Centralized shared memory architecture