Richard Bejtlich / rbejtlich@saball.com
Senior Engineer, Managed Network Security Operations
Ball Aerospace & Technologies Corp., San Antonio, TX
24 Oct 01
Entering the Security Arena
Introduction
• Bejtlich = "bate-lik"
• Senior engineer for managed network security operations, BATC (2001-)
• Former captain at US Air Force Computer Emergency Response Team (1998-2001)
• Student of network-based intrusion detection, computer forensics
• http://bejtlich.net
Outline
• Philosophy
• Planning
• Prevention
• Detection
• Response
• Personnel development
• Thank you to Dreamworks LLC and Universal Studios for Gladiator photos
How can we best defend the empire against the barbarians of the North?
Philosophy
Philosophy
• What is security?
• Preservation of confidentiality, integrity, and availability of an organization's resources
• Why does security matter?
• Owners must trust their resources to do business
• Customers avoid organizations they don't trust
• Regulators disallow business without safeguards
Philosophy
• How can security be achieved?
• Plan by developing a security policy
• Prevent exploitation where possible
• Detect exploitation when it happens
• React to exploitation, then resume operations
• Constantly assess the tools and processes implementing these steps
• Ensure your people are qualified
Who wants to write a security policy? Anyone? Anyone?
Planning
Planning
• Security cannot be achieved without policy
• Written policy recommended, but not always needed in small, simple operations
• Without a written policy, it is difficult to enforce your security objectives
• Every computing resource is a manifestation of your security policy
Planning
• What should a security policy discuss?
• Acceptable use of resources (CPU, bandwidth)
• Allow peer-to-peer (Gnutella, Napster), chat (IRC, AIM), remote control (VNC, pcAnywhere)?
• Prohibitions on installing software, especially tools which may be used to escalate privileges
• No reasonable expectation of privacy
• If management doesn't agree, forget it
Planning
• Minimum preparation for incident response
• System administrator contact list; include names, titles, and numbers for home/cell phones
• Network provider contact list
• Management contact list (include PR and legal)
• Agree upon response prior to compromise
• Pursue and monitor with law enforcement help?
• Recover, secure, and press on?
Planning
• Back-ups can save the day
• Copying critical files to tape, Zip, Jazz, CD-R
• Hard copies may be warranted
• Redundancy helps preserve availability
• Network connectivity (separate ISPs)
• Electricity (Uninterruptible Power Supplies)
• Hot spares (web servers, network devices)
Sire, let me show you the latest offering from our security vendors.
Prevention
Prevention
• Prevention is continuous implementation of processes and tools to preserve security
• Prevention relies upon understanding user and customer needs
• Prevention demands appreciation of capabilities and intentions of intruders
• Balancing user needs vs. threats is key
Prevention
• What exactly must be prevented?
• Confidentiality: exposure of information and resources to unauthorized parties
• Integrity: manipulation of information and resources by unauthorized parties
• Availability: preservation of ability of authorized parties to access information and resources
Prevention
• Who constitutes the threat?
• Disgruntled, curious, and former users
• Competitors collecting business intelligence
• Foreign intelligence services
• Pranksters
• Technologically literate activists
• Forces of nature
Prevention
• Risk = vulnerability × threat × recovery cost
• A new vulnerability for Windows 2000 appears: you run Solaris, so vulnerability is zero
• A new vulnerability for Windows 2000 appears: no one knows how to exploit it, so threat is zero
• It takes zero effort to resume operations after compromise: recovery cost is zero
• Taken collectively, risk is generally not zero
Prevention
• Core principles
• Grant users the least amount of privilege necessary to perform their work
• Implement multiple, independent levels of defense which do not "fail open"
• Learn of new vulnerabilities and apply countermeasures in a timely manner
• Prevent what you can and detect everything else
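An added illustration of the "do not fail open" principle (not code from the slides): three independent stand-in layers for a screening router, a firewall and an authentication service, with a decision routine that treats a failing layer as "allow" beside one that denies. The layer names and rule data are assumptions constructed for this example.

```python
"""Layered access decision: fail-open anti-pattern beside the fail-closed form.

Added example, not from the slides. Rule data below is constructed.
"""

# Constructed rule data, one set per independent layer.
ROUTER_ALLOWED_NETS = ("10.0.", "192.168.")   # screening router prefixes
FIREWALL_ALLOWED_PORTS = {22, 443}            # firewall destination ports
AUTH_DB = {"alice": "ok", "bob": "locked"}    # authentication service state


def router_layer(src_ip):
    return src_ip.startswith(ROUTER_ALLOWED_NETS)


def firewall_layer(dst_port):
    return dst_port in FIREWALL_ALLOWED_PORTS


def auth_layer(user):
    # Simulated backend fault: a user the directory cannot answer for
    # raises instead of returning a verdict.
    state = AUTH_DB.get(user)
    if state is None:
        raise RuntimeError("directory lookup failed for %s" % user)
    return state == "ok"


def _layers(src_ip, dst_port, user):
    return ((router_layer, src_ip), (firewall_layer, dst_port), (auth_layer, user))


def decide_fail_open(src_ip, dst_port, user):
    """Anti-pattern: an erroring layer is skipped, so its failure grants access."""
    for check, arg in _layers(src_ip, dst_port, user):
        try:
            if not check(arg):
                return False
        except Exception:
            continue  # broken layer is ignored: this is what 'fail open' means
    return True


def decide_fail_closed(src_ip, dst_port, user):
    """Every layer must positively allow; a layer that cannot answer denies."""
    for check, arg in _layers(src_ip, dst_port, user):
        try:
            if not check(arg):
                return False
        except Exception:
            return False  # no verdict from this layer means no access
    return True
```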
Prevention
• Core technologies
• Screening/filtering routers
• Firewalls
• Virtual Private Networks
• Authentication services
• Anti-virus applications
• Technology is only as useful as the operator who configures and uses it
We detect clouds over Rome. Does this augur a dark future?
Detection
Detection
• Prevention will never be 100% successful
• Ignorance is not bliss. Ignorance causes:
• Systematic, long-term compromise
• Subtle manipulation of information for evil means
• Complete loss of confidence by users, customers
• Legal and financial losses in many cases
• Detection is not optional. How one performs detection is the question.
Detection
• Detection should be implemented in layers, as prevention is. Detect at these locations:
• Network perimeter
• Demilitarized zone
• Bastion hosts
• Critical internal hosts
• User workstations, if manageable
• Remote locations (e.g., home laptops)
Detection
• Detection methodology
• Baseline your systems' processes. Know what services should be active on each.
• Baseline your network traffic. Recognize normal internal and external patterns of use.
• Implement processes and tools to detect deviations from these baselines.
• Devote resources to these processes and tools
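The baseline-and-deviation method above, as an added example that is not part of the original slides: it compares a per-host inventory of listening services against a service baseline, and flags a host whose current traffic volume falls well outside prior observations of the same hour. Host names, ports and byte counts are constructed for illustration.

```python
"""Baseline-deviation checks for host services and network traffic.

Added example, not from the slides. All inventory data below is constructed.
"""
from statistics import mean, pstdev

# Constructed baseline: services that should be listening on each host.
SERVICE_BASELINE = {
    "web1": {22, 80, 443},
    "mail1": {22, 25, 143},
}

# Constructed current snapshot, e.g. parsed from a scheduled "netstat -an".
SERVICE_SNAPSHOT = {
    "web1": {22, 80, 443, 6667},   # 6667 was never in the baseline
    "mail1": {22, 25},             # 143 stopped listening
}


def service_deviations(baseline, snapshot):
    """Return {host: (unexpected_ports, missing_ports)} for hosts that deviate."""
    findings = {}
    for host in set(baseline) | set(snapshot):
        expected = baseline.get(host, set())
        seen = snapshot.get(host, set())
        unexpected, missing = seen - expected, expected - seen
        if unexpected or missing:
            findings[host] = (sorted(unexpected), sorted(missing))
    return findings


# Constructed outbound byte counts for the same hour on seven prior days.
TRAFFIC_BASELINE = {"web1": [1200, 1350, 1100, 1280, 1190, 1330, 1250]}


def traffic_deviations(baseline, current, sigma=3.0):
    """Flag hosts whose current byte count exceeds mean + sigma * stddev."""
    findings = {}
    for host, samples in baseline.items():
        threshold = mean(samples) + sigma * pstdev(samples)
        if current.get(host, 0) > threshold:
            findings[host] = (current[host], round(threshold, 1))
    return findings


if __name__ == "__main__":
    print(service_deviations(SERVICE_BASELINE, SERVICE_SNAPSHOT))
    print(traffic_deviations(TRAFFIC_BASELINE, {"web1": 9800}))
```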
Detection
• Detection technologies
• Router and firewall logs
• Network-based intrusion detection systems
• Host-based intrusion detection systems
• Anti-virus software
• Personal workstation intrusion detection systems
• Network traffic profiling software
• Human brains
Detection
• Challenges to detection
• Staying current with attack methods and tools
• Numerous vulnerabilities discovered each week
• Intruders constantly devise ways to evade standard detection methods
• Do-it-yourself sensors are difficult to use
• Staffing sufficient numbers of appropriately trained and compensated personnel
This is how WE deal with compromise, pal!
Response
Response
• Don't panic! Implement your plan.
• Contact response personnel by phone, not email
• Contain the intruder by isolating the victim host
• Decide if you want to recover or pursue
• If recovering: determine method of compromise, patch exploited system, then return to service
• If pursuing: augment detection, refine isolation, then return to service until objectives are satisfied
Response
• Response considerations
• System administrators may have more latitude for collection than law enforcement
• Reporting incidents to law enforcement helps the community at large and shows you treat exploitation seriously
• Evidence collected for prosecution must withstand intense scrutiny by defense lawyers
We shall assemble a force to be reckoned with. Who shall test our defenses?
Personnel Development
Personnel Development
• Your security is only as sound as the personnel planning and implementing your prevention, detection, and response
• UNIX administrators are not comfortable with Windows environments, and vice versa
• Training is a retention device, not a way for employees to learn-and-leave
• Lack of training = organizational suicide
Personnel Development
• Reputable training mechanisms:
• Books: "My Picks" at http://bejtlich.net
• Conferences: http://www.sans.org
• Certifications: CISSP at http://www.isc2.org
• Mentoring and in-house programs
• Beware false prophets!
I declare victory over the network intruders!
Conclusion
Conclusion
• Security is a never-ending journey
• Any positive steps are better than nothing
• A small amount of effort can eliminate 80% of your vulnerabilities
• A moderate amount of effort can eliminate 90%
• A huge effort can eliminate 95%
• Nothing can eliminate the remaining 5%