
Three Phases of Security - CompTIA

Security Analyst: Tools of the Trade

Patrick Lane, M.Ed., Security+, Network+, CISSP, MCSE
Senior Manager, Product Development
Product Manager for: CompTIA Security+, CompTIA Cybersecurity Analyst (CSA+), CompTIA Advanced Security Practitioner (CASP), CompTIA Server+

Agenda

1. Why have security analyst skills become so important?
2. What tools do security analysts use?
3. How does a SIEM work – unified security management?
4. How is threat intelligence integrated?
5. Real-world examples
   Splunk: Database hack discovered
   LogRhythm: Financial server hack discovered
   AlienVault: Bruteforce attack discovered

1. Why have security analyst skills become so important?

Seminal Event: Target Hack of 2014

• Wake up call for the IT security world
• Brought widespread attention to the “Advanced Persistent Threat”
• Demonstrated that traditional security tools, such as firewalls and anti-virus, do not alone protect networks
• Recent high profile attacks at Yahoo! and Democratic National Committee (DNC)

The Advanced Persistent Threat (APT)

Lifecycle (diagram): Planning → Malware Introduction → Command & Control → Lateral Movement → Target Identification → Exfiltration (Attack Event) → Retreat

Characteristics:
• Never stop
• Often highly coordinated / state sponsored
• Bad actors lurk on systems and networks
• Hard to detect

Lessons Learned

We must apply behavioral analytics to the IT security market to improve the overall state of IT security.
• We must focus on network behavior in an organization’s interior network
• We must identify network anomalies that indicate bad behavior

We must train IT security professionals in security analyst skills, which include:
✓ Threat management
✓ Vulnerability management
✓ Cyber incident response
✓ Security and architecture tool sets

TOTAL NUMBER OF JOB POSTINGS: Security Analyst Job Role

[Bar chart: Information Security Analysts job postings by year: 39,920 (2012), 48,947 (2013), 58,456 (2014), 109,819 (2015)]

Source: Burning Glass Technologies Labor Insights, January 2016

175% increase from 2012 to 2015. Data for U.S. only, but reflects an international need.

Additional Indicators

The U.S. Bureau of Labor Statistics predicts that information security analysts will be the fastest growing job category, with 37% overall growth between 2012 and 2022.*
* CompTIA, Trends in Information Security 2015

In an analysis of recent U.S. Bureau of Labor Statistics data, information security analysts saw an 8% bump in growth over the first three months of 2016. That’s a new BLS record.**
** U.S. Bureau of Labor Statistics data

8 in 10 managers indicate that IT security certifications are very valuable (38%) or valuable (42%) in terms of validating security-related knowledge/skills or evaluating job candidates.***
*** International Trends in Cybersecurity, CompTIA, 2016

(Quick Advertisement) CompTIA Cybersecurity Analyst (CSA+) Certification

Developed to address the need for IT Security Analysts.

As attackers have learned to evade traditional signature-based solutions, an analytics-based approach has become extremely important. CSA+ applies behavioral analytics to the IT security market to improve the overall state of security.

Exam available February 15, 2017

2. What tools do security analysts use?

Tools of the Trade – Open Source

Open source software | Description | URL
Wireshark | Network protocol analyzer / packet capture tool | https://www.wireshark.org
Bro and/or Snort | Network intrusion detection systems (NIDS) | https://www.bro.org, https://www.snort.org
AlienVault Open Source SIEM (OSSIM) with Open Threat Exchange (OTX) | Security Information and Event Management (SIEM) software | https://www.alienvault.com/products/ossim

Security Information and Event Management (SIEM) software

• All about logs
  – To constantly aggregate and analyze internal and external network logs
  – To quickly prevent breaches or perform incident response using these logs
• What does it address?
  – Threat management
  – Incident response
  – Compliance
• 80% of SIEMs are funded to close a compliance gap
• Security Operations Center (SOC)
  – Security Analyst, SOC Analyst, Vulnerability Analyst, Cybersecurity Specialist
  – Threat Intelligence Analyst, Security Engineer

Tools of the Trade – Vendor Specific

Vendor-specific software | Description | URL
Intel Security / McAfee Enterprise Security Manager | SIEM, threat detection | http://www.mcafee.com/us/products/enterprise-security-manager.aspx
Dell/EMC RSA Security Analytics and RSA NetWitness Suite | SIEM, threat detection | http://www.emc.com/securityanalytics/sa.htm, https://www.rsa.com/en-us/products-services/threat-detection-and-response
Splunk Enterprise Security | SIEM, threat detection | https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security.html
AlienVault Unified Security Management (USM) | SIEM, threat detection | https://www.alienvault.com/products
HPE Security ArcSight ESM | SIEM, threat detection | http://www8.hp.com/us/en/software-solutions/siem-security-information-event-management/
IBM Security QRadar SIEM | SIEM, threat detection | http://www-03.ibm.com/software/products/en/qradar-siem/
LogRhythm Unified Security Intelligence Platform | SIEM, threat detection | https://logrhythm.com/products/security-intelligence-platform/

SIEM Example

3. How does a SIEM work – unified security management?

OSSIM

• AlienVault Open Source SIEM (OSSIM) – free, but no support
• AlienVault USM is the commercial version ($32K). What it does:
  – External Data Sources: applications and devices that generate events
  – Sensors: collect and normalize events
  – Server: conducts risk assessment, correlation directives and storage of events in an SQL database (SIEM)
  – Storage: events are digitally signed and time stamped in a massive storage system, usually NAS or SAN, called Logger, that includes an additional database for forensics.
  – Web Interface: provides a reporting system, metrics, reports, dashboards, ticketing system, vulnerability management system, real-time network information

Source: LogRhythm’s Unified Security Intelligence Platform

OSSIM Installation

• OSSIM .ISO image includes Linux Debian, OSSIM, and OSSIM agent software
  – AlienVault_OSSIM_64bits_5.3.2.iso (630 MB)
  – https://www.alienvault.com/products/ossim
• Implement on virtual machine
• Needs power – AWS or Azure recommended

OSSIM Agents and Plug-Ins

• SIEMs work best in a large organization with multiple network devices, such as firewalls, IDS/IPS, anti-virus, web servers, etc.
• To collect logs from hosts
  – Install agents, such as OSSEC (Linux) and Snare (Windows)
• To connect data sources to OSSIM server
  – Install plug-ins (XML-based configuration file) at data source
  – Plug-ins integrated into many security tools:
    • CheckPoint, Cisco, Citrix, Exchange, IIS, Syslog, Wmi, Nessus, Anti-virus (Sophos, Symantec, McAfee, Avast), OSSEC, Snare
    • Apache, Snort, Ntop, Nmap, OpenVAS, P0f, Pads, Arpwatch, OSSEC, Osiris, Nagios, OCS, Kismet

Correlation

• Separates SIEM from IDS/IPS using intelligence
• Reduces false positives
• Calculates multiple input events and alarms into a more manageable number of events to address
• Cross Correlation
  – Works only with events that have defined destination IP addresses
  – Checks IP address in database to determine any vulnerabilities
  – Changes the reliability value of the event, which is used to calculate risk
  – Removes a lot of alarms

Correlation (cont’d)

• Correlation Directive
  – Generates an alarm by following rules
  – Rules written in XML (there can be thousands – most preconfigured)
  – Analyze multiple events and decide whether to raise an alarm or not
    • E.g., multiple login attempts into a web server using SSH
  – Capable of identifying zero-day attacks, since it uses rules based on behavior

Risk Calculation

• OSSIM data management:
  – Raw logs
  – Events
  – Alarms
  – Tickets
• Raw logs are sent to OSSIM server and normalized
• The logs become events
• Alarms are raised when the risk value of an event is ≥1 on a scale to 10.

[ASSET VALUE(0-5) * PRIORITY(0-5) * RELIABILITY(0-10)] / 25 = RISK OF THE EVENT(0-10)

• Tickets are manually or automatically created in OSSIM after reviewing alarms. Assigned to appropriate personnel.
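As an added illustration (not from the presentation and not OSSIM's own code) of how the correlation directive example above (repeated SSH logins against a web server), the cross-correlation reliability adjustment and this risk formula fit together, the Python sketch below normalizes constructed syslog lines into events, applies a simple directive and computes the OSSIM risk. The asset inventory, vulnerability database, threshold, priority and reliability values are all assumed.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines (not from the presentation): four failed SSH
# logins from one source against a web server, then one unrelated success.
RAW_LOGS = [
    "Jan 10 12:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Jan 10 12:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Jan 10 12:00:04 web01 sshd[1203]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    "Jan 10 12:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 5004 ssh2",
    "Jan 10 12:01:00 web01 sshd[1205]: Accepted password for alice from 198.51.100.4 port 6001 ssh2",
]
LOG_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                    r"password for (?P<user>\S+) from (?P<src>\S+)")
# Hypothetical asset inventory and vulnerability database used by the cross-correlation lookup.
ASSETS = {"web01": {"ip": "10.0.0.5", "asset_value": 4}}
VULN_DB = {"10.0.0.5": ["weak SSH password policy"]}

def normalize(lines):
    """Sensor stage: raw syslog lines become normalized event dicts with a destination IP."""
    events = []
    for line in lines:
        if (m := LOG_RE.match(line)):
            ev = m.groupdict()
            ev["dst"] = ASSETS[ev["host"]]["ip"]
            events.append(ev)
    return events

def ossim_risk(asset_value, priority, reliability):
    """Risk formula from the slides: [ASSET(0-5) * PRIORITY(0-5) * RELIABILITY(0-10)] / 25."""
    return (asset_value * priority * reliability) / 25

def ssh_bruteforce_directive(events, threshold=4, priority=3, base_reliability=4):
    """Directive: >= threshold failed SSH logins from one source to one host is a candidate alarm.
    Cross correlation raises reliability if the destination has known vulnerabilities;
    the alarm is only raised when the resulting risk is >= 1 (the OSSIM rule on the slide)."""
    failures = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed":
            failures[(ev["src"], ev["dst"])] += 1
    alarms = []
    for (src, dst), count in failures.items():
        if count < threshold:
            continue
        reliability = min(10, base_reliability + (3 if VULN_DB.get(dst) else 0))
        asset_value = next(a["asset_value"] for a in ASSETS.values() if a["ip"] == dst)
        risk = ossim_risk(asset_value, priority, reliability)
        if risk >= 1:
            alarms.append({"src": src, "dst": dst, "count": count, "risk": risk})
    return alarms
```

With the sample input the four failures from 203.0.113.7 against a vulnerable host give reliability 7 and risk 4*3*7/25 = 3.36, so one alarm is raised; the same events with priority 0 produce none.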

Reporting

• Highly scalable
• Easy to use
• Schedule reports and e-mail

4. How is threat intelligence integrated?

Threat Intelligence
Source: https://www.alienvault.com/products

5. Real world examples

LogRhythm: Financial Server Hack Discovered
Source: https://logrhythm.com/products/security-intelligence-platform/

Splunk: Database Hack Discovered
Source: https://www.splunk.com/en_us/products/premium-solutions/splunk-enterprise-security.html

AlienVault: Bruteforce attack discovered
Source: https://www.alienvault.com/products

Thank You. Questions?