Security Monitoring
by Martin Nystrom, Chris Fry
Table of Contents
Preface
What This Book Is Not
What This Book Is
Conventions Used in This Book
Using Code Examples
Safari® Books Online
Comments and Questions
Acknowledgments
1. Getting Started
A Rapidly Changing Threat Landscape
Failure of Antivirus Software
Why Monitor?
The Miscreant Economy and Organized Crime
Insider Threats
Challenges to Monitoring
Vendor Promises
Operational Realities
Volume
Privacy Concerns
Outsourcing Your Security Monitoring
Monitoring to Minimize Risk
Policy-Based Monitoring
Why Should This Work for You?
Open Source Versus Commercial Products
Introducing Blanco Wireless
2. Implement Policies for Monitoring
Blacklist Monitoring
Anomaly Monitoring
Policy Monitoring
Monitoring Against Defined Policies
Management Enforcement
Types of Policies
Regulatory Compliance Policies
Example: COBIT configuration control monitoring
Example: SOX monitoring for financial apps and databases
Example: Monitoring HIPAA applications for unauthorized activity
Example: ISO 17799 monitoring
Example: Payment Card Industry Data Security Standard (PCI DSS) monitoring
Employee Policies
Example: Unique login for privileged operations
Example: Rogue wireless devices
Example: Direct Internet connection from production servers
Example: Tunneled traffic
Policies for Blanco Wireless
Policies
Data Protection Policy
Server Security Policy
Implementing Monitoring Based on Policies
Conclusion
3. Know Your Network
Network Taxonomy
Network Type Classification
External networks
Internal networks
IP Address Management Data
Network Telemetry
NetFlow
Exporting NetFlow for collection
Performance considerations for NetFlow collection
Where to collect NetFlow
OSU flow-tools
Identifying infected hosts participating in botnets
Flow aggregation
Repudiation and nonrepudiation
Choosing a NetFlow collector
SNMP
MRTG
MRTG example
Routing and Network Topologies
The Blanco Wireless Network
IP Address Assignment
NetFlow Collection
Routing Information
Conclusion
4. Select Targets for Monitoring
Methods for Selecting Targets
Business Impact Analysis
Revenue Impact Analysis
Expense Impact Analysis
Legal Requirements
Regulatory compliance
Example: Gramm-Leach-Bliley Act
Example: Payment Card Industry Data Security Standard
Example: Standards for critical infrastructure protection
Contractual obligation
Sensitivity Profile
Systems that access personally identifiable information (PII)
Systems that access confidential information
Systems that access classified information
Risk Profile
Risk assessments
Visibility Profile
Practical Considerations for Selecting Targets
Recommended Monitoring Targets
Choosing Components Within Monitoring Targets
Example: ERP System
Gathering Component Details for Event Feeds
Server IP addresses and hostnames
“Generic” user IDs
Administrator user IDs
Database details
Access controls
Blanco Wireless: Selecting Targets for Monitoring
Components to Monitor
Data Protection Policy
Server Security Policy
Conclusion
5. Choose Event Sources
Event Source Purpose
Event Collection Methods
Event Collection Impact
Host logs
Network IDS
NetFlow
Application logs
Database logs
Network ACL logs
Choosing Event Sources for Blanco Wireless
Conclusion
6. Feed and Tune
Network Intrusion Detection Systems
Packet Analysis and Alerting
Network Intrusion Prevention Systems
Intrusion Detection or Intrusion Prevention?
Availability
Nonhardware sources of downtime
NIPS and network bandwidth
Span of control
NIDS Deployment Framework
Analyze
Design
DMZ design
Data center design
Extranet design
Deploy
Tune and Manage
Tune at the sensor
Tune at the SIM
Network variables
Tuning with host variables
Custom signatures
System Logging
Key Syslog Events
Authentication events
Authorization events
Daemon status events
Security application events
Syslog Templates
Key Windows Log Events
Windows authentication
Windows authorization
Windows process status events
Windows domain controller events
Windows security application events
Application Logging
Database Logging
Collecting Syslog
NetFlow
OSU flow-tools NetFlow Capture Filtering
OSU flow-tools flow-fanout
Blanco’s Security Alert Sources
NIDS
Syslog
Apache Logs
Database Logs
Antivirus and HIDS Logs
Network Device Logs
NetFlow
Conclusion
7. Maintain Dependable Event Sources
Maintain Device Configurations
Create Service Level Agreements
Back It Up with Policy
SLA Sections
Automated Configuration Management
Monitor the Monitors
Monitor System Health
Monitor system load
Monitor memory
Monitor disk space
Monitor network performance
Monitor the NIDS
Monitor traffic feeds (uplinks)
Monitor sensor processes
Monitor alerts
Monitor Network Flow Collection
Monitor system health
Monitor traffic feeds from routers
Monitor collector network configuration
Monitor collection directories
Monitor collection processes
Maintain flow retention
Monitor Event Log Collectors
Monitor system health
Monitor collection processes
Monitor collection directories (logs)
Monitor network traffic
Audit configurations
Maintain log retention
Monitor Databases
Monitor Oracle
Maintain Oracle systemwide audit settings
Monitor Oracle audit events
Maintain Oracle audit settings on objects
Monitor administrative privileges
Monitor MySQL Servers
Automated System Monitoring
Traditional Network Monitoring and Management Systems
How system monitoring works
How to Monitor the Monitors
Monitoring with Nagios
System Monitoring for Blanco Wireless
Monitor NetFlow Collection
Monitor Collector Health
Disk space
Permissions
Load
Memory
Swap space
Monitor Collection Processes
Continuous flows
Processes
Monitor Flows from Gateway Routers
Monitor Event Log Collection
Monitor collector health
Verify disk space
Ensure permissions
Monitor collection processes
Maintain continuous logs
Monitor collection from servers
Monitor NIDS
Monitor device health
Monitor traffic feeds
Check sensor processes
Monitor alert generation
Monitor Oracle Logging
Monitor Antivirus/HIDS Logging
Conclusion
8. Conclusion: Keeping It Real
What Can Go Wrong
Create Policy
Ryan monitors the risky venture
Pam discovers network abuse by an extranet partner
Know Your Network
Michael monitors an acquisition
Helen adds context to the NIDS
Choose Targets for Security Monitoring
Pam and the failed pilot
Choose Event Sources
Donald monitors high-risk employees
Feed and Tune
Janet and the career-limiting false positive
Dwight overwhelms the event collectors
Maintain Dependable Event Sources
Lyle and the broken NetFlow collectors
Marian and the threatening note
Case Studies
KPN-CERT
Policies
Network
Monitoring targets
Event sources
Maintenance
An approach to protect customer data
Northrop Grumman
Policies
Network topology, metadata, and monitoring targets
Event sources
Maintenance
A dynamic-threat-oriented security team
Real Stories of the CSIRT
Stolen Intellectual Property
Targeted Attack Against Employees
Bare Minimum Requirements
Policy
Policy 1: Allowed network activity
Policy 2: Allowed access
Policy 3: Minimum access standards
Know the Network
Step 1: Set up an IPAM solution
Step 2: Document basic IP demarcations
Select Targets for Effective Monitoring
Choose Event Sources
NIDS alerts
Network flows
Server logs
Feed and Tune
Set up a Security Information Manager (SIM)
Deploy the NIDS
Point NetFlow at the SIM
Configure server logs
Maintain Dependable Event Sources
Conclusion
A. Detailed OSU flow-tools Collector Setup
Set Up the Server
Configuring NetFlow Export from the Router
B. SLA Template
Service Level Agreement: Information Security and Network Engineering
Overview
Service Description
Scope
Roles and Responsibilities
NetEng responsibilities
InfoSec responsibilities
Service Operations
Requesting service
Hours of operation
Response times
Escalations
Maintenance and service changes
Agreement Dates and Changes
Supporting Policies and Templates
Approvals, Terminations, and Reviews
Approvals
Terminations
Reviewers
C. Calculating Availability
Index
About the Authors
Colophon
Copyright