Centralized Security Event Management Chris Workman Associate Director

  • Slides: 20
Download presentation
Centralized Security Event Management Chris Workman Associate Director, UGA Office of Information Security, CISSP

Centralized Security Event Management Chris Workman Associate Director, UGA Office of Information Security, CISSP Alex Merck Security Analyst, UGA Office of Information Security

Problems we face Attacks > defense 80, 000 devices on our network ~50, 000

Problems we face Attacks > defense 80, 000 devices on our network ~50, 000 users SOC staff of 4. 5 UGA IT is decentralized ~160 departments Departmental IT contacts have different skill levels 2

Threat Severe x Vulnerability Critical x Impact Sensitive, Restricted Critical High Internal High-Priority Elevated

Threat Severe x Vulnerability Critical x Impact Sensitive, Restricted Critical High Internal High-Priority Elevated Medium Public Supportive Low None 3

Response SIEM • Security Information and Event Manager Centralized Services • Anti. Virus •

Response SIEM • Security Information and Event Manager Centralized Services • Anti. Virus • Vulnerability Scanner • DLP • Firewall 4

Anti. Virus IDP Fire. Eye Firewall SNORT Bro DNS Departmental devices • Ne. Xpose

Anti. Virus IDP Fire. Eye Firewall SNORT Bro DNS Departmental devices • Ne. Xpose • Departmental Nessus Impact • • Vulnerabilities Threats Intelligence is needed to weigh risks • ASSETs • DLP • SSNCap • Manual reporting 5

Incident Actions Notification Alarm Ignore True Positive Unknown False Positive 6

Incident Actions Notification Alarm Ignore True Positive Unknown False Positive 6

7

7

8

8

9

9

Notification 2012 -02 -09 17: 58: 52 128. 192. x. 6 0. 0 2012

Notification 2012 -02 -09 17: 58: 52 128. 192. x. 6 0. 0 2012 -02 -06 13: 18: 56 128. 192. x. 6 98. 139. 135. 21 Office. Scan Virus: Failed to Clean or Quarantine Mal_Hifrm snort: "ET DROP Known Bot C&C Server Traffic TCP (group 243) " Malicious Domain Lookup img 717. imageshack. us malicious domain aggressive 2012 -02 -01 13: 05: 25 207. 171. 162. 95 128. 192. x. 6 snort: "SPECIFIC-THREATS Microsoft IE malformed iframe buffer overflow attempt 2012 -02 -01 14: 48: 36 128. 192. x. 6 0. 0 10

Alarms 11

Alarms 11

12

12

Correlation Directive 13

Correlation Directive 13

Multi-tenancy 14

Multi-tenancy 14

Resulting Actions Notice of incident sent to department or student Repeat offenders blocked SOC

Resulting Actions Notice of incident sent to department or student Repeat offenders blocked SOC Incident Response Team handles critical incidents • • Containment Remediation Resolution Closure 15

Measuring Success • Incidents identified up from ~150/month 24 months ago to ~350/month •

Measuring Success • Incidents identified up from ~150/month 24 months ago to ~350/month • Critical incidents still between one and two per month, but turnaround time reduced from 5 days to 1. 5; due to data availability, forensics capability 16

Sharing Directives Business logic based on incidents • Question/answer pair incident Vendor agnostic •

Sharing Directives Business logic based on incidents • Question/answer pair incident Vendor agnostic • SIEM log correlation, and resulting action 17

How do we get there? Selecting a SIEM Use cases Functionality • Look at

How do we get there? Selecting a SIEM Use cases Functionality • Look at vendors • Off-the-shelf features • Ability for customization • Automated alerts to departments • Elevated alerts to SOC • Multi-tenancy • Designate logs sources • AV, SNORT • DLP 18

Questions?

Questions?

Contact Info Chris Workman • Associate Director, UGA Office of Information Security, CISSP •

Contact Info Chris Workman • Associate Director, UGA Office of Information Security, CISSP • cworkman@uga. edu Alex Merck • Security Analyst, UGA Office of Information Security • alexm@uga. edu 20

Workman Product Line MSA 2008 Workman Harness KeyWorkman Product Line MSA 2008 Workman Harness Key
SPORT EVENT SPORT EVENT Single event Multi EventSPORT EVENT SPORT EVENT Single event Multi Event
SISTEMAS DISTRIBUDOS Centralized vs Distributed ComputingSystems Centralized vsSISTEMAS DISTRIBUDOS Centralized vs Distributed ComputingSystems Centralized vs
Defining Centralized Accounting Pairs Concept Defining Centralized AccountingDefining Centralized Accounting Pairs Concept Defining Centralized Accounting
Event Management Manual Event dan Manual Operasi EventEvent Management Manual Event dan Manual Operasi Event
Security Management Security Management Security Management is theSecurity Management Security Management Security Management is the
Chris Jordan Art Chris Jordan Seattleite Chris JordanChris Jordan Art Chris Jordan Seattleite Chris Jordan
ABOUT CHRIS DLACEY ABOUT CHRIS DLACEY Chris wasABOUT CHRIS DLACEY ABOUT CHRIS DLACEY Chris was
ABOUT CHRIS DLACEY ABOUT CHRIS DLACEY Chris wasABOUT CHRIS DLACEY ABOUT CHRIS DLACEY Chris was
Event Generator Event Generators Information needed Event GeneratorEvent Generator Event Generators Information needed Event Generator
Event Planning Event Planning An event planner isEvent Planning Event Planning An event planner is
3 Mouse Event Action Event Mouse Event Action3 Mouse Event Action Event Mouse Event Action
Event Handling Model of AWT Event object EventEvent Handling Model of AWT Event object Event
Index Event Handling Events Event Source Event ListenerIndex Event Handling Events Event Source Event Listener
Mouse Event Handling in CCLI Event Mouse EventMouse Event Handling in CCLI Event Mouse Event
boolean on Touch Event Motion Event event booleanboolean on Touch Event Motion Event event boolean
event C event B event A BDDs onevent C event B event A BDDs on
Catastrophic Event Catastrophic Event An event that resultsCatastrophic Event Catastrophic Event An event that results
GUI Event Handling Event kejadian Event kejadian yangGUI Event Handling Event kejadian Event kejadian yang