Managing Security Messaging

Making Sense of the Spaghetti
Objectives

At the conclusion of this presentation participants will be able to:
• Define the Goals of Security Messaging Management
• Define the Scope of a Security Messaging Project
• Define Which Messages to Collect and Why
• Understand Potential Sources of Messages
• Understand Options for Message Processing
• Define Rule Sets Criteria
• Event Processing
• Monitor the Messaging Environment (KPIs)
• Upgrading/On-boarding of new hardware/software

BT Professional Services
Goals of Security Messaging Management

Common Goals of Security Messaging Management Projects:

• Centrally Capture Security Related Events
• Create Standardized Escalation Procedures for Security Events

Scoping of a Security Messaging Project

What criteria should be considered when scoping a security messaging project?

• Geographic Areas
    – US, Europe, APAC, etc.
• Business Areas
    – Back Office but not Manufacturing, for example
• Technology Areas
    – Network Equipment (Routers, Switches, IDS, Firewalls, etc.)
    – Servers (Windows, Unix, etc.)
    – Databases (Sybase, Oracle, Access, etc.)
    – SAN

Message Collection

What messages should be collected?

The Great Debate

• Operationally Relevant vs. Security Relevant

Message Collection - continued

Common security relevant messages collected are:
• Access Control Messages
    – Successful/failed logins, administrator logins.
    – Use of backup or local accounts, invalid SNMP community strings, and account lockouts.
• Changes to Security Parameters
    – Changes to encryption parameters, lowering logging levels, disabling security features, etc.
• ID Administration Activities
    – User additions, modifications and deletions.
• Security Services Events
    – IDS events, firewall events, anti-virus platforms, etc.
    – Cold starts/warm starts

Potential Message Sources

Where do these messages come from?

Common message sources include:
• Syslog
• SNMP Traps
• Event Logs
• Log Databases
• Messaging Tool Plug-ins

Message Gathering

How to document the messages to gather?

• Proper preparation requires gathering sample messages from all chosen platforms.
• Sample syslog, SNMP trap and event log messages should be gathered from each platform, for each message of interest.

Information Lifecycle and Processing Overview

What is the lifecycle for processing security relevant messages?

• All messages must be:
    – Transported
    – Stored
    – Processed
    – Analyzed or Reported
    – Archived

Message Transport

How and when are messages transported?

Key message transport considerations:
• Centralization
• Bandwidth
• Frequency

Message Storage

How and where are messages stored?

Key message storage considerations:
• Filtering
• Verbosity
• Location
• Retention Time

Message Processing

How do I process all of these messages?

There are several commercial tools available to process the messages gathered. Some examples are:

• ArcSight
• LogLogic
• SenSage
• Network Intelligence
• Q1 Labs

Message Analysis - Real Time Event Processing

What real time event processing rules need to be created?

• This is specific to each organization and requires referring back to the original goals of the project.
• This may include defining rules to capture events such as:
    – Brute force login attempts
    – System reboots
    – Disabling of key security parameters

Message Analysis - Reporting Processing

What reports need to be created?

• Some events do not require real-time analysis but should instead be reported on. This is specific to each organization and requires referring back to the original goals of the project.
• Common reports may include:
    – Disallowed use of console/terminal ports
    – Disallowed use of local/backup/emergency accounts

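As an added example (not code from the original deck) of how the real-time brute-force rule and the local-account report on the two preceding slides might be expressed: a small Python parser for RFC 3164-style syslog lines, a rule that fires on five failed logins from one source at one host within a minute, and a batch report of successful logins using local/backup/emergency accounts. The sample lines, host names, addresses and the account list are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog (not from the deck): made-up hosts/users/addresses; 5 failures then 2 local-account logins.
SAMPLE_SYSLOG = """\
Mar 10 09:00:01 fw01 sshd[2231]: Failed password for admin from 10.1.2.3 port 51000 ssh2
Mar 10 09:00:03 fw01 sshd[2231]: Failed password for admin from 10.1.2.3 port 51001 ssh2
Mar 10 09:00:05 fw01 sshd[2231]: Failed password for admin from 10.1.2.3 port 51002 ssh2
Mar 10 09:00:06 fw01 sshd[2231]: Failed password for admin from 10.1.2.3 port 51003 ssh2
Mar 10 09:00:08 fw01 sshd[2231]: Failed password for admin from 10.1.2.3 port 51004 ssh2
Mar 10 09:05:00 srv02 sshd[411]: Accepted password for backup from 10.1.2.9 port 40000 ssh2
Mar 10 09:07:00 srv03 sshd[512]: Failed password for root from 10.1.2.20 port 40010 ssh2
Mar 10 10:30:00 srv02 sshd[430]: Accepted password for emergency from 10.1.2.9 port 40001 ssh2
"""
# RFC 3164-style header "Mmm dd hh:mm:ss host tag: message"; the timestamp carries no year
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")
LOCAL_ACCOUNTS = {"backup", "emergency", "root"}  # constructed list of non-personal accounts

def parse(raw, year=2024):
    """Turn raw syslog text into event dicts; the year is assumed because syslog omits it."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production collector would count and keep these
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        auth = AUTH_RE.match(ev["msg"])
        ev.update(auth.groupdict() if auth else {})
        events.append(ev)
    return events

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Real-time rule: 'threshold' failed logins from one source at one host inside 'window'."""
    recent, alerts = defaultdict(list), []
    for ev in events:
        if ev.get("result") != "Failed":
            continue
        key = (ev["host"], ev["src"])
        recent[key] = [t for t in recent[key] if ev["ts"] - t < window] + [ev["ts"]]
        if len(recent[key]) == threshold:  # fire once, when the burst crosses the line
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
    return alerts

def local_account_report(events):
    """Batch report rather than real-time alert: successful logins with local/backup/emergency accounts."""
    return [(ev["ts"], ev["host"], ev["user"], ev["src"]) for ev in events
            if ev.get("result") == "Accepted" and ev["user"] in LOCAL_ACCOUNTS]
```

The threshold and window are the tunable rule criteria the deck says must be derived from the project's goals; the report function runs over the stored messages rather than the live stream.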
Real-time Event Processing – Alert, Alert, Alert

When an event is detected what should be done?

It is important to define:
• What criteria are used to classify the severity of security events?
• Who is expected to investigate?
• What action should be taken?
• What response time is expected?

• What is learned from the event?
• Are changes needed as a result of the event?

Monitoring the Security Messaging Environment

What monitoring of the security messaging environment is needed?

Key things to monitor are:
• Are all inventory assets being monitored?
• Are messages being received regularly from all “In Scope” devices?

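One way to implement the "are all in-scope devices still reporting?" check as a KPI, added here as an example rather than anything from the deck: compare an inventory of in-scope hosts, each with the longest silence considered normal for it, against the last message seen from each host. The inventory, intervals and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory of "in scope" devices with the maximum normal quiet interval for each
# (not from the original deck). A firewall should log every few minutes; a database server
# that only emits security events may legitimately stay quiet for hours.
INVENTORY = {
    "fw01": timedelta(minutes=15),
    "srv02": timedelta(hours=1),
    "srv03": timedelta(hours=1),
    "db01": timedelta(hours=4),
}

def last_seen(events):
    """Collapse a stream of (host, timestamp) pairs to the latest timestamp per host."""
    seen = {}
    for host, ts in events:
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def messaging_health(inventory, events, now):
    """KPI buckets: silent (overdue or never seen), unknown (logging but not in inventory), healthy."""
    seen = last_seen(events)
    silent = sorted(h for h, interval in inventory.items()
                    if h not in seen or now - seen[h] > interval)
    unknown = sorted(h for h in seen if h not in inventory)
    healthy = sorted(h for h in inventory if h not in silent)
    coverage = round(len(healthy) / len(inventory), 2) if inventory else 1.0
    return {"silent": silent, "unknown": unknown, "healthy": healthy, "coverage": coverage}

# Constructed (host, timestamp) pairs, as a collector would emit after parsing message headers
SAMPLE_EVENTS = [
    ("fw01", datetime(2024, 3, 10, 9, 58)),
    ("fw01", datetime(2024, 3, 10, 9, 59)),
    ("srv02", datetime(2024, 3, 10, 8, 30)),   # 90 minutes old at NOW: overdue
    ("srv03", datetime(2024, 3, 10, 9, 45)),
    ("lab-pc", datetime(2024, 3, 10, 9, 50)),  # logging, but nobody put it in scope
]
NOW = datetime(2024, 3, 10, 10, 0)

if __name__ == "__main__":
    print(messaging_health(INVENTORY, SAMPLE_EVENTS, NOW))
```

A silent host is as much a finding as an alert: it may mean a device was rebuilt without its logging configuration, a transport path broke, or logging was deliberately lowered, which the deck lists as a security-relevant change.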
New Hardware/Software Assimilation

What about new hardware or new OS/IOS versions?

For security monitoring to remain current, it is important that testing of security messaging become a part of acceptance testing of all new hardware and software versions.

Conclusion

• The process of creating a comprehensive security messaging program is a large undertaking involving representation from many areas of the organization.
• It is extremely complex and time consuming to deploy.
• In order to be successful, a good deal of up-front planning is needed, as are dedicated resources.


Good luck!!