Security Monitoring (e-book)


Description

How well does your enterprise stand up against today's sophisticated security threats? In this book, security experts from Cisco Systems demonstrate how to detect damaging security incidents on your global network--first by teaching you which assets you need to monitor closely, and then by helping you develop targeted strategies and pragmatic techniques to protect them.

Security Monitoring is based on the authors' years of experience conducting incident response to keep Cisco's global network secure. It offers six steps to improve network monitoring. These steps will help you:

  • Develop Policies: define rules, regulations, and monitoring criteria
  • Know Your Network: build knowledge of your infrastructure with network telemetry
  • Select Your Targets: define the subset of infrastructure to be monitored
  • Choose Event Sources: identify event types needed to discover policy violations
  • Feed and Tune: collect data, generate alerts, and tune systems using contextual information
  • Maintain Dependable Event Sources: prevent critical gaps in collecting and monitoring events

Security Monitoring illustrates these steps with detailed examples that will help you learn to select and deploy the best techniques for monitoring your own enterprise network.

Table of contents:

Front matter: Security Monitoring SPECIAL OFFER: Upgrade this ebook with O'Reilly Preface What This Book Is Not What This Book Is Conventions Used in This Book Using Code Examples Safari Books Online Comments and Questions Acknowledgments

1. Getting Started: A Rapidly Changing Threat Landscape Failure of Antivirus Software Why Monitor? The Miscreant Economy and Organized Crime Insider Threats Challenges to Monitoring Vendor Promises Operational Realities Volume Privacy Concerns Outsourcing Your Security Monitoring Monitoring to Minimize Risk Policy-Based Monitoring Why Should This Work for You? Open Source Versus Commercial Products Introducing Blanco Wireless

2. Implement Policies for Monitoring: Blacklist Monitoring Anomaly Monitoring Policy Monitoring Monitoring Against Defined Policies Management Enforcement Types of Policies Regulatory Compliance Policies Example: COBIT configuration control monitoring Example: SOX monitoring for financial apps and databases Example: Monitoring HIPAA applications for unauthorized activity Example: ISO 17799 monitoring Example: Payment Card Industry Data Security Standard (PCI DSS) monitoring Employee Policies Example: Unique login for privileged operations Example: Rogue wireless devices Example: Direct Internet connection from production servers Example: Tunneled traffic Policies for Blanco Wireless Policies Data Protection Policy Server Security Policy Implementing Monitoring Based on Policies Conclusion

3. Know Your Network: Network Taxonomy Network Type Classification External networks Internal networks IP Address Management Data Network Telemetry NetFlow Exporting NetFlow for collection Performance considerations for NetFlow collection Where to collect NetFlow OSU flow-tools Identifying infected hosts participating in botnets Flow aggregation Repudiation and nonrepudiation Choosing a NetFlow collector SNMP MRTG MRTG example Routing and Network Topologies The Blanco Wireless Network IP Address Assignment NetFlow Collection Routing Information Conclusion

4. Select Targets for Monitoring: Methods for Selecting Targets Business Impact Analysis Revenue Impact Analysis Expense Impact Analysis Legal Requirements Regulatory compliance Example: Gramm-Leach-Bliley Act Example: Payment Card Industry Data Security Standard Example: Standards for critical infrastructure protection Contractual obligation Sensitivity Profile Systems that access personally identifiable information (PII) Systems that access confidential information Systems that access classified information Risk Profile Risk assessments Visibility Profile Practical Considerations for Selecting Targets Recommended Monitoring Targets Choosing Components Within Monitoring Targets Example: ERP System Gathering Component Details for Event Feeds Server IP addresses and hostnames Generic user IDs Administrator user IDs Database details Access controls Blanco Wireless: Selecting Targets for Monitoring Components to Monitor Data Protection Policy Server Security Policy Conclusion

5. Choose Event Sources: Event Source Purpose Event Collection Methods Event Collection Impact Host logs Network IDS NetFlow Application logs Database logs Network ACL logs Choosing Event Sources for Blanco Wireless Conclusion

6. Feed and Tune: Network Intrusion Detection Systems Packet Analysis and Alerting Network Intrusion Prevention Systems Intrusion Detection or Intrusion Prevention? Availability Nonhardware sources of downtime NIPS and network bandwidth Span of control NIDS Deployment Framework Analyze Design DMZ design Data center design Extranet design Deploy Tune and Manage Tune at the sensor Tune at the SIM Network variables Tuning with host variables Custom signatures System Logging Key Syslog Events Authentication events Authorization events Daemon status events Security application events Syslog Templates Key Windows Log Events Windows authentication Windows authorization Windows process status events Windows domain controller events Windows security application events Application Logging Database Logging Collecting Syslog NetFlow OSU flow-tools NetFlow Capture Filtering OSU flow-tools flow-fanout Blanco's Security Alert Sources NIDS Syslog Apache Logs Database Logs Antivirus and HIDS Logs Network Device Logs NetFlow Conclusion

7. Maintain Dependable Event Sources: Maintain Device Configurations Create Service Level Agreements Back It Up with Policy SLA Sections Automated Configuration Management Monitor the Monitors Monitor System Health Monitor system load Monitor memory Monitor disk space Monitor network performance Monitor the NIDS Monitor traffic feeds (uplinks) Monitor sensor processes Monitor alerts Monitor Network Flow Collection Monitor system health Monitor traffic feeds from routers Monitor collector network configuration Monitor collection directories Monitor collection processes Maintain flow retention Monitor Event Log Collectors Monitor system health Monitor collection processes Monitor collection directories (logs) Monitor network traffic Audit configurations Maintain log retention Monitor Databases Monitor Oracle Maintain Oracle systemwide audit settings Monitor Oracle audit events Maintain Oracle audit settings on objects Monitor administrative privileges Monitor MySQL Servers Automated System Monitoring Traditional Network Monitoring and Management Systems How system monitoring works How to Monitor the Monitors Monitoring with Nagios System Monitoring for Blanco Wireless Monitor NetFlow Collection Monitor Collector Health Disk space Permissions Load Memory Swap space Monitor Collection Processes Continuous flows Processes Monitor Flows from Gateway Routers Monitor Event Log Collection Monitor collector health Verify disk space Ensure permissions Monitor collection processes Maintain continuous logs Monitor collection from servers Monitor NIDS Monitor device health Monitor traffic feeds Check sensor processes Monitor alert generation Monitor Oracle Logging Monitor Antivirus/HIDS Logging Conclusion

8. Conclusion: Keeping It Real: What Can Go Wrong Create Policy Ryan monitors the risky venture Pam discovers network abuse by an extranet partner Know Your Network Michael monitors an acquisition Helen adds context to the NIDS Choose Targets for Security Monitoring Pam and the failed pilot Choose Event Sources Donald monitors high-risk employees Feed and Tune Janet and the career-limiting false positive Dwight overwhelms the event collectors Maintain Dependable Event Sources Lyle and the broken NetFlow collectors Marian and the threatening note Case Studies KPN-CERT Policies Network Monitoring targets Event sources Maintenance An approach to protect customer data Northrop Grumman Policies Network topology, metadata, and monitoring targets Event sources Maintenance A dynamic-threat-oriented security team Real Stories of the CSIRT Stolen Intellectual Property Targeted Attack Against Employees Bare Minimum Requirements Policy Policy 1: Allowed network activity Policy 2: Allowed access Policy 3: Minimum access standards Know the Network Step 1: Set up an IPAM solution Step 2: Document basic IP demarcations Select Targets for Effective Monitoring Choose Event Sources NIDS alerts Network flows Server logs Feed and Tune Set up a Security Information Manager (SIM) Deploy the NIDS Point NetFlow at the SIM Configure server logs Maintain Dependable Event Sources Conclusion

A. Detailed OSU flow-tools Collector Setup: Set Up the Server Configuring NetFlow Export from the Router

B. SLA Template: Service Level Agreement: Information Security and Network Engineering Overview Service Description Scope Roles and Responsibilities NetEng responsibilities InfoSec responsibilities Service Operations Requesting service Hours of operation Response times Escalations Maintenance and service changes Agreement Dates and Changes Supporting Policies and Templates Approvals, Terminations, and Reviews Approvals Terminations Reviewers

C. Calculating Availability

Back matter: Index About the Authors Colophon SPECIAL OFFER: Upgrade this ebook with O'Reilly

Specification

Basic information

Author
  • Chris Fry, Martin Nystrom
Year of publication
  • 2009
Format
  • MOBI
  • EPUB
Number of pages
  • 256
Categories
  • Hacking
Selected publishers
  • O'Reilly Media