TRANSCRIPT
John Blamire – CEO Falanx Group Limited
Steve Heneghan – CTO Falanx Assuria Limited
Terry Pudwell – Director & Co-Founder Assuria Limited
Tom Evans – COO Falanx Assuria Limited
Security Monitoring as a Managed Service
COMMERCIAL IN CONFIDENCE
The Threat
Steve Heneghan – CTO Falanx Assuria Limited
Cyber Security Challenges
• Legal liability increasing
– Business now has much greater legal liability to employees and customers over the stewardship of data and consequential loss
– PCI-DSS, Sarbanes-Oxley (Basel II), HIPAA, DPA
• Users represent the highest risk
– Often not aware of responsibilities
– Rarely made accountable for their actions
• Difficult to determine risk
– What are the attacks, threats, vulnerabilities?
– Which are priority?
– How to remediate?
• Companies are ill prepared for a security incident
– Time to spot
– Time to fix
– True impact on business
What is Cyber Security Monitoring
• It is proactive defence that monitors:
– Human threat behaviour
– Poor procedures
– Technical threats
– Technical vulnerabilities
• It does this by collecting disparate information system activity, filtering, correlating and analysing the data to identify threats
• It provides a central Cyber Security Operations Centre (CSOC) that manages the monitoring and alerting of security related events
• Provides evidence of care following recognised good practice
– Supports defence of reasonable use and care in stewardship of 3rd party data
– Supports forensic investigations
Security Monitoring - where do you start?
• Compliance driven (Accreditation, Certification)?
• Risk managed approach
– Risks (business)
– Threats (business translated to information, information systems and technology)
– Vulnerabilities
– Controls & Counter Measures
• Are there any standards?
(Chart: Cost of Security Counter Measures vs Cost of Breach)
Baseline Security Monitoring
• Good Practice Guide 13 (GPG-13) – Protective Monitoring
• Published and mandated by UK Government
– CESG, the Information Assurance arm of GCHQ
– ‘the definitive voice on the technical aspects of Information Security in Government’
• For different types of Government data GPG-13 defines:
– What to RECORD, what to REPORT, what to ALERT
• It supports pro-active defence
• Audit logs are generated by almost everything in an IT infrastructure
– Servers, workstations, applications
– Databases, routers, switches, firewalls, etc.
• Audit logs include audit events - a record of actions completed
– User logons, file deletions, configuration changes, etc.
• The analysis and correlation of the audit events can identify suspicious behaviour on systems either from humans or other systems
• 12 controls that define WHAT not HOW
Baseline Security Monitoring
Record (Log) the relevant things
• Policy
– Information Security
– Acceptable Usage
– Legal/Regulatory
• Infrastructure
– Firewalls, IDS/IPS, VPNs
– Switches, Routers, Network Devices
– DNS Requests, Packets, Connections
• Server / EUC
– Connections, Authentication, Errors
– Processes, Daemons, Ports
– Changes, Patches, Software, Registry
• Applications
– Connections, Malformed Requests
– Authentication, Errors
– Changes
Not Just Internal - Combine Intelligence
• Business
– Internal Knowledge
– Business Logic
• Feeds
– Vendors
– Blacklists/Whitelists
– Vulnerability Feeds
– Malware Feeds
– IOC Feeds
• Communities
– CERT
– CISP
– Industry Peer Groups
Understand Your Business & Go Anomaly Hunting
• IP / DNS
– Short random domains?
– Timing / Frequency / Size
– High count on limited hosts
– Burst activity after other event
– HTTP Headers / User Agents / Content
– Domain Age
– Unusual Service Usage
• Processes
– New / Unknown
– Short file names
– Executable in tmp
– Rare Executables
– Runtime Execution
– Injection / Hiding / Obfuscation
• Account Activity
– System / Service Accounts
– Success vs Failure
– New privileged accounts
– Empty log
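The anomaly-hunting indicators above are easiest to understand as concrete detection logic run over normalised log records. The following is an added example written for this transcript, not code from the slides or from Falanx/Assuria: it scores DNS query names for "short random domains", checks whether the hits concentrate on a few hosts ("high count on limited hosts"), and flags process starts from temp directories or with very short file names. The sample events, the entropy and vowel-ratio thresholds, and the temp-directory list are all constructed assumptions to be tuned against your own baseline.

```python
import math
from collections import Counter

# Constructed sample events (not from the slides): one dict per log line,
# roughly as a log manager might normalise DNS queries and process starts.
DNS_EVENTS = [
    {"host": "ws01", "qname": "www.example.com"},
    {"host": "ws01", "qname": "mail.example.com"},
    {"host": "ws02", "qname": "kq7x2v.net"},
    {"host": "ws02", "qname": "zp9w4r.net"},
    {"host": "ws02", "qname": "hx3m8t.net"},
    {"host": "ws02", "qname": "bv5k1q.net"},
    {"host": "ws03", "qname": "www.example.com"},
]

PROCESS_EVENTS = [
    {"host": "ws01", "exe": "/usr/bin/bash", "user": "alice"},
    {"host": "ws02", "exe": "/tmp/a.sh", "user": "bob"},
    {"host": "ws03", "exe": "/usr/bin/python3", "user": "carol"},
    {"host": "ws02", "exe": "/var/tmp/x", "user": "bob"},
]

VOWELS = set("aeiou")
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed list of scratch locations


def shannon_entropy(text):
    """Bits of entropy per character of a string (0 for a single repeated character)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label, max_len=8, min_entropy=2.5, max_vowel_ratio=0.25):
    """Heuristic for a 'short random domain': short, high entropy, few vowels.
    The thresholds are assumptions; tune them against your own traffic."""
    label = label.lower()
    if not label or len(label) > max_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def registrable_label(qname):
    """Label left of the TLD (naive: ignores multi-part suffixes such as co.uk)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dns_findings(events):
    """Queries whose registrable label looks machine-generated."""
    return [(e["host"], e["qname"]) for e in events
            if looks_random(registrable_label(e["qname"]))]


def concentrated_hosts(findings, min_count=3):
    """'High count on limited hosts': hosts carrying at least min_count findings."""
    per_host = Counter(host for host, _ in findings)
    return {h: c for h, c in per_host.items() if c >= min_count}


def process_findings(events, max_short_name=2):
    """Processes started from a temp directory or with a very short file name."""
    out = []
    for e in events:
        exe = e["exe"]
        name = exe.rsplit("/", 1)[-1].split(".")[0]   # base name without extension
        reasons = []
        if exe.startswith(TMP_DIRS):
            reasons.append("executable in temp directory")
        if len(name) <= max_short_name:
            reasons.append("very short file name")
        if reasons:
            out.append((e["host"], exe, reasons))
    return out


if __name__ == "__main__":
    dns = dns_findings(DNS_EVENTS)
    for host, qname in dns:
        print(f"DNS  {host}: random-looking domain {qname}")
    for host, count in concentrated_hosts(dns).items():
        print(f"HOST {host}: {count} random-looking lookups (concentration)")
    for host, exe, reasons in process_findings(PROCESS_EVENTS):
        print(f"PROC {host}: {exe} ({'; '.join(reasons)})")
```

Each detector returns a list rather than printing, so the same functions can feed a report (the full list) or an alert (only the concentrated hosts), which is the Record/Report/Alert split the next slide describes.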
Interpret what to Record, Report and Alert
Record
• Relevant events vs all events
• Start small but meaningful – critical systems/boundary devices
Report
• Realistic actionable items:
– Top 10 failed URL requests vs top 10,000
– All failed user log-ins vs failed admin log-ins vs key user log-ins
Alert
• Distinguish between Alerts:
– That require immediate action (e.g. Breach)
– Require action at some point soon (e.g. policy exception)
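To make the Report and Alert distinction concrete, here is an added example (written for this transcript, not the slides' or Assuria Log Manager's own logic) that takes a constructed stream of authentication events, produces the narrow "failed admin log-ins" report the slide prefers over a dump of every failure, and sorts alerts into the two tiers named above. The events, the burst threshold and the two alert rules (admin success after a run of failures as immediate; a service account logging on interactively as a policy exception to act on soon) are assumptions for illustration, not GPG-13 text.

```python
from collections import Counter, defaultdict

# Constructed sample authentication events (not from the slides), already
# time-ordered. 'privileged' marks admin/key accounts; 'service' marks
# non-human accounts that should never log on interactively.
AUTH_EVENTS = [
    {"ts": 1, "user": "alice", "type": "logon", "outcome": "failure", "privileged": False},
    {"ts": 2, "user": "admin", "type": "logon", "outcome": "failure", "privileged": True},
    {"ts": 3, "user": "admin", "type": "logon", "outcome": "failure", "privileged": True},
    {"ts": 4, "user": "admin", "type": "logon", "outcome": "failure", "privileged": True},
    {"ts": 5, "user": "admin", "type": "logon", "outcome": "failure", "privileged": True},
    {"ts": 6, "user": "admin", "type": "logon", "outcome": "failure", "privileged": True},
    {"ts": 7, "user": "admin", "type": "logon", "outcome": "success", "privileged": True},
    {"ts": 8, "user": "admin", "type": "account_created", "target": "backup2",
     "target_privileged": True, "privileged": True},
    {"ts": 9, "user": "svc_backup", "type": "logon", "outcome": "success",
     "privileged": False, "service": True, "interactive": True},
    {"ts": 10, "user": "bob", "type": "logon", "outcome": "failure", "privileged": False},
    {"ts": 11, "user": "bob", "type": "logon", "outcome": "success", "privileged": False},
]


def failed_logon_report(events, privileged_only=True, top_n=10):
    """REPORT: top-N failed log-ins, narrowed to admin/key users by default so
    the list stays actionable instead of listing every failure on the estate."""
    counts = Counter(
        e["user"] for e in events
        if e["type"] == "logon" and e["outcome"] == "failure"
        and (e["privileged"] or not privileged_only)
    )
    return counts.most_common(top_n)


def triage_alerts(events, burst_threshold=5):
    """ALERT: split findings into IMMEDIATE (act now) and SOON (policy exception).
    The rules are assumed examples for illustration."""
    alerts = []
    failures = defaultdict(int)   # consecutive failed log-ins per user
    for e in sorted(events, key=lambda ev: ev["ts"]):
        u = e["user"]
        if e["type"] == "logon" and e["outcome"] == "failure":
            failures[u] += 1
        elif e["type"] == "logon" and e["outcome"] == "success":
            if e["privileged"] and failures[u] >= burst_threshold:
                alerts.append(("IMMEDIATE", e["ts"],
                               f"{u}: success after {failures[u]} failed admin log-ins"))
            if e.get("service") and e.get("interactive"):
                alerts.append(("SOON", e["ts"],
                               f"{u}: service account used interactively (policy exception)"))
            failures[u] = 0
        elif e["type"] == "account_created" and e.get("target_privileged"):
            alerts.append(("IMMEDIATE", e["ts"],
                           f"{u} created new privileged account {e['target']}"))
    return alerts


if __name__ == "__main__":
    print("Failed admin/key-user log-ins:", failed_logon_report(AUTH_EVENTS))
    print("All failed log-ins:", failed_logon_report(AUTH_EVENTS, privileged_only=False))
    for tier, ts, msg in triage_alerts(AUTH_EVENTS):
        print(f"[{tier}] t={ts} {msg}")
```

Everything is still recorded (the full event list is the Record tier); the report and the alert tiers are views over it, which is what lets the alert list stay short enough for an analyst to act on.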
Iterative and On-Going cycle:
• Requirements – which recording profile is applicable?
• Scope – Which devices are in scope? Classify servers, workstations and devices
• Configure auditing and log manager – Configure auditing on systems and devices
• Collect and analyse – Securely collect the logs and analyse as required for the recording profile
• Reports and Alerts – Alert as required; Report as required; Are the recording profile requirements being met?
Managed Service Security Monitoring Components
(Diagram: Client Estate (Data Sets) → Monitoring Toolset → Events → Alerts → Client. Alerts are sorted into Potential Incidents, Confirmed Incidents and False Positives using Automation, Experience and Knowledge.)
Monitoring Toolset
• Security Monitoring Architecture designed in
• Automated Build and deploy of CSOC components
• Provides key components pre-integrated for security monitoring services
• Integrates with external agencies where required
• Segregates data between customers and between different assurance levels
• Allows secure, auditable remote access for Analysts and Support Partners
• Provides ability to self monitor
Benefits of Protective Monitoring
• Non-intrusive
• A single cyber security picture of your IT networks, platforms and policies
• Helps identify and protect your key assets and information
• Captures who is accessing your systems and information
• Identifies non-compliances:
– Regulatory requirements, standards and local policies of configuration and acceptable usage
• Reduces probability of attack / misuse
• Reduces impact of an attack / misuse
• Provides forensic evidence to support legal or regulatory investigation
Terry Pudwell – Director and Co-Founder Assuria Limited
Security Monitoring Targets
• People (end users, partners, 3rd parties)
– Use of applications, credentials, USB devices, Web surfing, email, file permissions, dates/times, resource usage etc.
• People (trusted or privileged users) (e.g. system administrators)
– Configuration changes, administration duties, use of security controls, implementing new services, updated software, security patches
• People (oversight functions) (i.e. Audit the Auditors!)
• Security devices/systems
– Network Firewalls, Web Application Firewalls, Anti Virus, IDS/IPS, Mobile Device Management, network devices, physical security etc.
• Operational systems
– Business applications, databases, e-commerce, banking
– Communications systems, financial control systems
SIEM technology underpins all of this
• Security Information and Event Management (SIEM) provides visibility into and recording of all activity which is of security interest or value:
– Collect, store and organise event and activity data from anything
– Create secure, forensically sound audit trails
– Correlate different events across the whole network
– Search and report (on-demand) for forensic investigations
– Monitor specific activities at source (where practical) and raise alerts in near real-time
– Configurable, automated analysis, reporting & alerting
– Generation of reports, alerts and alarms
– Feed threat analysis results and data to SOC security analysts and external oversight systems
Essential SIEM qualities
• Ability to collect event and activity data from anything that is currently employed within IT and control systems functions
• Easily extensible to bring new environments, systems and devices into the monitoring service (future proofing)
• Easily deployable in all environments, including on-premise Data Centre, Public Cloud, Private Cloud, Hybrid Cloud
• Rapid deployment (initial results within days/weeks, not months/years!)
• Log data enrichment through threat intelligence, geo-location, configuration data, vulnerability state, patch state, etc.
• Forensic integrity of log data (i.e. forensic chain of custody)
• Resilient collection (i.e. guaranteed delivery of log data - no loss)
• Pre-configured to meet Industry standards (e.g. GPG-13, ISO27001)
• Integration with 3rd party solutions/services (e.g. ticketing systems)
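"Forensic integrity of log data" and "forensically sound audit trails" both come down to being able to prove, later, that stored events were neither altered nor silently removed. The following is an added example for this transcript, not Assuria Log Manager's implementation: a minimal hash-chained audit log in which each entry's digest is bound to the previous entry's digest, plus a verifier that detects in-place modification and, when given a head hash that was anchored elsewhere (for instance at the collector or CSOC), detects truncation that a bare chain cannot see. The sample records are constructed; the anchoring scheme is one assumed way of closing that gap.

```python
import hashlib
import json
from copy import deepcopy

GENESIS = "0" * 64   # digest assumed to precede the first entry


def entry_hash(prev_hash, record):
    """Digest of a record bound to the digest of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class ChainedAuditLog:
    """Append-only log where each entry commits to all earlier entries."""

    def __init__(self):
        self.entries = []   # each: {"seq": n, "record": {...}, "hash": hex}

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record):
        h = entry_hash(self.head(), record)
        self.entries.append({"seq": len(self.entries), "record": record, "hash": h})
        return h

    def verify(self, anchored_head=None):
        """Recompute the chain. Returns (ok, reason).

        With no anchor this catches modification or reordering; only a head
        hash held outside the log host also catches removal of trailing entries."""
        prev = GENESIS
        for e in self.entries:
            if entry_hash(prev, e["record"]) != e["hash"]:
                return False, f"entry {e['seq']} modified or chain broken"
            prev = e["hash"]
        if anchored_head is not None and prev != anchored_head:
            return False, "head differs from anchored copy (entries removed or rewritten)"
        return True, "ok"


# Constructed sample audit records (not from the slides).
SAMPLE_RECORDS = [
    {"ts": "2014-01-01T09:00:00Z", "host": "srv01", "user": "alice", "action": "logon", "outcome": "success"},
    {"ts": "2014-01-01T09:05:12Z", "host": "srv01", "user": "alice", "action": "config_change", "object": "sshd_config"},
    {"ts": "2014-01-01T09:07:40Z", "host": "srv01", "user": "alice", "action": "file_delete", "object": "/var/log/auth.log.1"},
]


def build_sample_log():
    log = ChainedAuditLog()
    for r in SAMPLE_RECORDS:
        log.append(r)
    return log


def tamper_in_place(log, seq, field, value):
    """Return a copy in which one stored record has been edited after the fact."""
    bad = deepcopy(log)
    bad.entries[seq]["record"][field] = value
    return bad


def truncate(log, keep):
    """Return a copy with the trailing entries dropped (simulated log trimming)."""
    cut = deepcopy(log)
    cut.entries = cut.entries[:keep]
    return cut


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()                 # would be shipped to the collector/CSOC
    print("intact:     ", log.verify(anchor))
    print("edited:     ", tamper_in_place(log, 1, "user", "mallory").verify())
    print("trimmed:    ", truncate(log, 2).verify())        # chain alone passes
    print("trimmed+anchor:", truncate(log, 2).verify(anchor))  # anchor catches it
```

The design point is that the chain must be anchored somewhere the log host cannot reach: if the host can rewrite the whole file and recompute every digest, the chain proves nothing on its own, which is why "resilient collection" to a separate store and the integrity guarantee belong together.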
Tom Evans – COO Falanx Assuria Limited
What’s in a CSOC?
STRATEGY
– Purpose of the CSOC
– Compliance
– Risk
– “Customer”
ENVIRONMENT
– Physical
– Hosting of CSOC Tools
– Data Storage
– Security
STANDARDS
– ISO/IEC 9001, 20000, 27001
– ITIL
– IMS
TECHNOLOGY
– SIEM Tool
– Ticketing
– Databases
– Licensing
– Integration Services & Information Exchanges
What’s in a CSOC?
PROCESSES & PROCEDURES
– Controls (GPG-13?)
– Documentation
– Operating plans
– BC / DR
INTELLIGENCE & KNOWLEDGE-BASE
– Targeted intelligence feeds?
– Wide field of view
– Experience & Skills driven?
STAFFING
– In-house / external?
– 24 x 7 operations?
– Clearances
– Career progression
– Motivation and the team
Senior Analysts:
– A minimum of 5 years experience in the role
– Shift Leader / team management responsibilities
– GIAC Certified Intrusion Analyst or Incident Handler
Junior Analysts:
– IT or IT Security degree
– Experience of working in IT support
– Working towards MCSE, RHCT, CISSP, CCNA, etc.
– GIAC SEC401: Security Essentials Bootcamp
Other:
– CSOC Manager
– Compliance Manager
– Technology Lead / CTO
– ….. etc ….
What’s in a CSOC?
£ Continuous Investment
Managing YOUR risk
• How to do it? Monitor your estate and the wider context
• CESG guide – Choosing a Service Delivery Model
• In house
+ Intimate knowledge of estate and business processes
+ You have complete control
+ Assurance that no data leaves your boundary
‒ Limited visibility of threat landscape
‒ Recruitment and retention
‒ Ongoing commitment to training
‒ Length of time to establish
‒ Cost £££
• Outsource
‒ Data leaves your boundary
‒ Relies on suitable knowledge transfer to understand your risks
+ Dedicated security organization specializing in Monitoring
+ Investment into facility is borne by supplier
+ Expert advice and specialist services
+ Allows you to focus on your core business and invest in appropriate areas
+ Broader visibility across multiple customers
+ Utility model enables significant cost savings
+ Data available for transfer back at any time
In summary…
• Ultimately the decision to monitor is either enforced (compliance) or risk driven
• How to deliver against the requirements is your decision – we want you to be informed
• This isn’t fire and forget – The threat is constantly evolving
– Protect your critical data. Know what’s happening in your estate
– Whatever you choose, engage with the process for maximum value
– Start with the best practice, improve over time
– Focus on your incident response capability. Balance your budget and protect your brand.
– Review as your business changes, risks change and adapt as appropriate
Cyber Defence Solutions
Falanx Assuria Limited
Europoint Centre
5-11 Lavington Street
London
SE1 0NZ
T: 00 44 (0) 20 7856 9457
F: 00 44 (0) 20 7900 3387
E: [email protected]
Assuria and Assuria Log Manager are registered trade marks of Assuria Limited