infotex
Top Three Issues and Questions in Network Monitoring
Dan Hadaway and Sean Waugh of infotex
Auditors now know why we can’t monitor event logs, but guess what, they don’t care!! So let’s open the hood of the managed security service provider, as Dan defines monitoring strategy. Meanwhile, what should we be asking ourselves as we enhance our processes? What should we be doing to monitor our network, beyond the MSSP? What open source tools are worth the time and what applications are worth the money? Sean will help us create a tactical plan!
Developing a Network Monitoring Architecture!
Dan Hadaway, CRISC, Managing Partner, infotex
from the
IT Risk Management Training Series
Sean Waugh, CISSP, MCSA, Lead Technical Auditor, infotex
Top 3 Issues and Questions (in Network Monitoring!)
revised for the
OBL 2014 Technology Conference
Top Three Questions
1. Why Monitor?
2. What should we monitor?
3. How should we monitor?
Top Three Issues
1. Team approach to monitoring (connect technical to non-technical)
2. Outsourcing vs. in-house monitoring
3. Documentation of Monitoring Processes
Why?
• Risk mitigation
• Team confidence
• Compliance
Why?
• Ensure risk mitigation is on track.
• Ensure critical controls are working.
• Ensure threats are not exploiting vulnerabilities.
Why (not?)
• Likelihood increases
• Reputation decreases
• Unauthorized access
• Change management
• Denial of service (DoS)
• Compliance deficiencies
Why monitor our networks?
Why Monitor?
• m.infotex.com/hackingteam
Think it’ll stop soon?
Why Monitor
• m.infotex.com/hackingteam
• m.infotex.com/kidsrhackers
FireEye Warned Them!
• m.infotex.com/pickupthephone
Issue #1: Team Approach
• Network Monitoring must be accompanied by technical and non-technical controls.
Issue #2: Who Monitors?
• Outsource security monitoring
• Keep performance monitoring in-house
Issue #2: Who Monitors?
• Outsource security monitoring
– 24x7x365 coverage requires 21 shifts.
– The bad guys work when you are NOT there.
– Segregation of duties
– Proper training and awareness of the latest attack vectors, malware derivations, and stealth methods.
Issue #2: Who Monitors?
• Keep performance monitoring in-house
– Awareness is nine-tenths of the battle.
– Performance and reliability problems occur during normal business hours!
– Knowing your network is a deliverable of network monitoring.
– Design it to act as a check on your MSSP.
Who watches the watcher?
• The Incident Response Team should be reviewing network monitoring reports regularly to ensure that alerts are properly “cleared.”
What quality control stats?
• What “metrics” can management monitor?
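One way to turn an MSSP's alert export into the kind of numbers management can review, as an added example that is not part of the original deck or of any infotex tooling. The CSV rows are constructed, and the column names and the one-hour acknowledgement target are assumptions; substitute the fields your MSSP portal actually exports and the target in your contract.

```python
"""Quality-control metrics for an MSSP's alert handling.

Added example for this deck (not infotex tooling). The alert export
below is constructed to look like a ticket-system CSV; the column
names and the one-hour acknowledgement target are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta
from statistics import mean

ACK_SLA = timedelta(hours=1)  # assumed contractual time-to-acknowledge target

# Constructed export: one row per alert the MSSP raised.
ALERT_CSV = """\
id,severity,opened,acknowledged,cleared,disposition
1001,critical,2014-04-01T02:15:00,2014-04-01T02:22:00,2014-04-01T03:40:00,true-positive
1002,high,2014-04-01T09:05:00,2014-04-01T09:50:00,2014-04-01T10:10:00,false-positive
1003,high,2014-04-01T23:30:00,2014-04-02T07:45:00,2014-04-02T08:00:00,true-positive
1004,medium,2014-04-02T11:00:00,,,
1005,critical,2014-04-02T13:20:00,2014-04-02T13:25:00,,
"""


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def parse_alerts(text):
    """Read the CSV export into dicts with datetime fields (None where blank)."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        alerts.append({
            "id": row["id"],
            "severity": row["severity"],
            "opened": _ts(row["opened"]),
            "acknowledged": _ts(row["acknowledged"]),
            "cleared": _ts(row["cleared"]),
            "disposition": row["disposition"] or None,
        })
    return alerts


def qc_metrics(alerts, now):
    """Numbers management can review monthly without reading every alert."""
    acked = [a for a in alerts if a["acknowledged"]]
    unacked = [a for a in alerts if not a["acknowledged"]]
    ack_delay = {a["id"]: a["acknowledged"] - a["opened"] for a in acked}
    dispositioned = [a for a in alerts if a["disposition"]]
    false_pos = [a for a in dispositioned if a["disposition"] == "false-positive"]

    def pct(part, whole):
        return round(100.0 * part / whole, 1) if whole else None

    return {
        "total": len(alerts),
        "open": sum(1 for a in alerts if a["cleared"] is None),
        "unacknowledged": len(unacked),
        # how long the oldest untouched alert has been waiting, in minutes
        "oldest_unacked_minutes": max(
            (int((now - a["opened"]).total_seconds() // 60) for a in unacked), default=0),
        "mean_ack_minutes": round(mean(d.total_seconds() for d in ack_delay.values()) / 60, 1)
        if ack_delay else None,
        "ack_within_sla_pct": pct(sum(1 for d in ack_delay.values() if d <= ACK_SLA), len(ack_delay)),
        "sla_breaches": sorted(i for i, d in ack_delay.items() if d > ACK_SLA),
        "false_positive_pct": pct(len(false_pos), len(dispositioned)),
        # critical alerts nobody has cleared: the list the IRT should walk every meeting
        "open_critical": sorted(a["id"] for a in alerts
                                if a["severity"] == "critical" and a["cleared"] is None),
    }


def sample_report():
    """Metrics for the constructed export, as of 2014-04-02 14:00 (assumed 'now')."""
    return qc_metrics(parse_alerts(ALERT_CSV), now=datetime(2014, 4, 2, 14, 0))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:24} {value}")
```

The overnight alert (1003) is the one to look at: it was acknowledged, but eight hours later, which is exactly the "bad guys work when you are not there" gap the in-house check on the MSSP is meant to catch. Trend these numbers month over month rather than reading them once.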
Who watches the watcher?
• MSSP due diligence
– Order the FFIEC TSP ROE
– Order the SSAE 16 SOC 2 report
– See the insurance certificate!
– Question them on awareness training
• Policies
• Actual training or CBT?
• Social engineering tests
3PM Tools for MSSPs
• my.infotex.com/obl041014
• promo code: OBLTC2014!
Issue #3: Documentation
• Why documentation?
– Normal reasons:
• Establish objectives
• Clearly define roles
• Manage expectations
• Ease turnover situations
Issue #3: Documentation
• Why documentation?
– Unique reasons:
• We're often in a panic during an incident.
• We need to declare monitoring as a control in our risk assessments.
• We need to ensure a multi-disciplinary approach.
• Legal risk mitigation (otherwise put: CYA)
Issue #3: Documentation
• Before we document, we need to understand what to document.
• (introducing Sean Waugh!)
The what and how of it!
Question #2!
What should we be monitoring?
What to Monitor?
• Network route and device health
• Application and system functionality
• Performance metrics
• Critical events
• Malicious activity
Network Route & Device Health
Who:
• WAN links (MPLS, fiber, VPN)
• Critical servers, routers, and firewalls
What:
• Real-time state information
• Long-term uptime trends
Application & System Functionality
Who:
• L.O.B. services and applications
• Customer-facing interfaces
What:
• Services running?
• Data output checks
• Not just functioning, but functioning properly
Performance Metrics
Who:
• Critical network devices and servers
• New applications and features
What:
• Bandwidth and latency monitoring
• System resource usage
• Troubleshooting stability issues
Critical Events
Who:
• Authentication failures
• System errors
What:
• Tracking and follow-through
• Graduated alerts based on severity
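What "graduated alerts based on severity" looks like when applied to authentication failures, as an added example that is not part of the original deck or of any infotex tooling. The sshd log lines are constructed; the ten-minute window, the thresholds (3 failures for WARNING, 5 for CRITICAL) and the escalation rule are assumptions to tune against your own baseline of normal mistyped passwords.

```python
"""Graduated, severity-based alerting on authentication failures.

Added example for this deck (not infotex tooling). The sshd/syslog
lines below are constructed; the 10-minute window, the thresholds and
the severity names are assumptions to tune for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Syslog omits the year, so one is assumed when parsing.
SAMPLE_LOG = """\
Apr  9 08:01:02 fs01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr  9 08:01:05 fs01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Apr  9 08:01:09 fs01 sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Apr  9 08:01:12 fs01 sshd[2207]: Failed password for root from 203.0.113.5 port 40150 ssh2
Apr  9 08:01:15 fs01 sshd[2209]: Failed password for root from 203.0.113.5 port 40161 ssh2
Apr  9 08:01:20 fs01 sshd[2211]: Accepted password for root from 203.0.113.5 port 40170 ssh2
Apr  9 08:30:00 fs01 sshd[2300]: Failed password for jsmith from 10.0.5.20 port 51000 ssh2
Apr  9 08:30:40 fs01 sshd[2302]: Accepted password for jsmith from 10.0.5.20 port 51004 ssh2
Apr  9 09:10:00 fs01 sshd[2400]: Failed password for invalid user test from 198.51.100.7 port 33000 ssh2
Apr  9 09:11:00 fs01 sshd[2402]: Failed password for invalid user test from 198.51.100.7 port 33002 ssh2
Apr  9 09:12:00 fs01 sshd[2404]: Failed password for invalid user test from 198.51.100.7 port 33004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

WINDOW = timedelta(minutes=10)                  # assumed sliding window
THRESHOLDS = [(3, "WARNING"), (5, "CRITICAL")]  # assumed: failures in window -> severity
RANK = {"WARNING": 1, "CRITICAL": 2}


def parse_line(line, year=2014):
    """Return a dict for an sshd password event, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def severity_for(failures):
    """Highest severity whose threshold the failure count meets, else None."""
    level = None
    for threshold, name in THRESHOLDS:
        if failures >= threshold:
            level = name
    return level


def graduated_alerts(lines):
    """One alert per source address at the highest severity it reached.

    Failures are counted per source over a sliding window. A successful
    login from a source that already tripped the WARNING threshold is
    escalated to CRITICAL: that is the pattern of a guessed password and
    needs follow-through, not just a ticket.
    """
    alerts = {}
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        src = event["src"]
        recent[src] = [t for t in recent[src] if event["ts"] - t <= WINDOW]
        if event["result"] == "Failed":
            recent[src].append(event["ts"])
            count = len(recent[src])
            sev = severity_for(count)
            current = alerts.get(src)
            if sev and (current is None or RANK[sev] >= RANK[current["severity"]]):
                alerts[src] = {"severity": sev, "failures": count,
                               "reason": f"{count} failures within {WINDOW.seconds // 60} min"}
        elif len(recent[src]) >= THRESHOLDS[0][0]:
            alerts[src] = {"severity": "CRITICAL", "failures": len(recent[src]),
                           "reason": f"successful login as {event['user']} after {len(recent[src])} failures"}
    return alerts


if __name__ == "__main__":
    for src, alert in graduated_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"{alert['severity']:8} {src:15} {alert['reason']}")
```

The single mistyped password from 10.0.5.20 never reaches the WARNING threshold, so it produces no alert; the slow guessing from 198.51.100.7 gets a WARNING to track; and the burst from 203.0.113.5 that ends in a successful root login is the one that should page someone.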
Malicious Activity
Who:
• Malware infections
• Social engineering attacks
• Naughty internal users
What:
• Real-time notifications
• Automated response
Open Source vs Commercial
Open Source
• Zero upfront cost
• Requires technically knowledgeable IT staff
• Setup/implementation can take longer
Commercial
• Higher initial cost
• Better technical support
• Sometimes easier setup/configuration
Enterprise vs Piecemeal
Enterprise
• All-in-one approach to network monitoring
• Higher upfront cost and setup time
• Central management
Piecemeal
• Individual tools for specific purposes
• Allows slower rollout focused on prioritized concerns
• No central management interface
• Will have some overlap between tools
Question #3
How?
The Tools!!
Open-Source
• Nagios
• Zabbix
• Cacti
• NtopNG
• Icinga
• Wireshark
Commercial
• Groundwork
• MonitorIT
• OpManager
• Solarwinds
• Splunk
Nagios
• http://www.nagios.org/
• Network device and service monitoring
– Displays current status and historical uptime
– Sends real-time alerts via email and SMS; status changes can also trigger custom scripts
– Tracks alert acknowledgement by user; can also schedule planned downtime
– Initial setup can be time consuming
– Free; also has a commercial version with added features
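Most of the effort in a Nagios rollout goes into checks, so here is what one looks like, as an added example that is not a Nagios project plugin and not from the original deck. It follows the plugin conventions Nagios relies on: exit code 0 for OK, 1 for WARNING, 2 for CRITICAL, 3 for UNKNOWN, a single status line, and optional performance data after a `|`. The disk-usage subject, the 80/90 percent defaults and the `-w`/`-c` option names are assumptions.

```python
#!/usr/bin/env python3
"""check_disk_pct: a minimal Nagios-style plugin.

Added example for this deck (not a Nagios project plugin). It follows
the plugin conventions Nagios uses: exit 0 OK, 1 WARNING, 2 CRITICAL,
3 UNKNOWN; one status line; optional '|' performance data. The
threshold defaults and the mount path are assumptions.
"""
import argparse
import shutil
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate(used_pct, warn, crit):
    """Map a usage percentage to (exit code, status text)."""
    if not (0 <= warn < crit <= 100):
        return UNKNOWN, f"DISK UNKNOWN - bad thresholds warn={warn} crit={crit}"
    if used_pct >= crit:
        code = CRITICAL
    elif used_pct >= warn:
        code = WARNING
    else:
        code = OK
    return code, f"DISK {STATUS_NAME[code]} - {used_pct:.1f}% used (warn {warn}%, crit {crit}%)"


def perfdata(label, used_pct, warn, crit):
    """Nagios perfdata field: 'label'=value[UOM];warn;crit;min;max."""
    return f"'{label}'={used_pct:.1f}%;{warn};{crit};0;100"


def check_path(path, warn=80, crit=90):
    """Measure a mount point and return (exit code, full plugin output line)."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        # A plugin must never exit with anything but 0-3; stat failures are UNKNOWN.
        return UNKNOWN, f"DISK UNKNOWN - cannot stat {path}: {exc}"
    used_pct = 100.0 * usage.used / usage.total
    code, text = evaluate(used_pct, warn, crit)
    return code, f"{text} | {perfdata(path, used_pct, warn, crit)}"


def main(argv=None):
    parser = argparse.ArgumentParser(description="Nagios-style disk usage check")
    parser.add_argument("path", nargs="?", default="/", help="mount point to check")
    parser.add_argument("-w", "--warning", type=int, default=80, help="percent used that is WARNING")
    parser.add_argument("-c", "--critical", type=int, default=90, help="percent used that is CRITICAL")
    args = parser.parse_args(argv)
    try:
        code, line = check_path(args.path, args.warning, args.critical)
    except Exception as exc:  # last resort: still speak the protocol
        code, line = UNKNOWN, f"DISK UNKNOWN - {exc}"
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main())
```

Register the script in a `command` definition and reference it from a `service` definition; Nagios maps the exit code to the service state (and to the email/SMS notification and any event-handler script), and stores the text after `|` as performance data for graphing.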
(screenshots: Nagios)
Zabbix
• http://www.zabbix.com/
• Availability and performance monitor
– Track CPU, memory, disk usage
– Data gathering supports SNMP and custom scripts; custom scripts allow you to gather almost anything
– Sends real-time alerts via email and SMS
– Tracks alert acknowledgement by user
– Supports auto-discovery for easy configuration
– Requires agent install on clients for full features
– Free
(screenshots: Zabbix)
Cacti
• http://www.cacti.net/
• Network and performance monitor
– Track CPU, memory, disk usage
– Show inbound/outbound traffic statistics, including interface errors and dropped packets
– Data gathering supports SNMP and custom scripts; custom scripts allow you to gather almost anything
– Initial setup can be time-consuming
– Free
(screenshots: Cacti)
NtopNG
• http://www.ntop.org/products/ntop/
• Web-based bandwidth monitoring tool
– Displays traffic sorted by protocol
– Displays traffic sorted by source and destination
– Persistent statistics for trend analysis
– Geo-location of hosts
– Runs on all platforms (*nix, Windows, OSX)
– Very easy setup and maintenance
– Free
(screenshots: NtopNG)
Icinga
• https://www.icinga.org/
• Network device and service monitoring (a fork of Nagios development)
– Basic log file consolidation and processing
– Send commands to multiple hosts simultaneously
– Classic and Web 2.0 interfaces
– Displays current status and historical uptime
– Sends real-time alerts via email and SMS
– Free
(screenshots: Icinga)
Wireshark
• http://www.wireshark.org/
• Network protocol analyzer and sniffer
– Capture and analyze live or recorded traffic
– Displays raw packet headers and payloads
• Supports deep inspection of almost all protocols
• Decryption support for common protocols (SSL/TLS, WPA), provided you can supply the keys
• Multitudes of filtering options
– Runs on all platforms (*nix, Windows, OSX)
– Free
(screenshot: Wireshark)
Groundwork
• http://www.gwos.com/
• Unified monitoring suite
– Displays current status and historical uptime
– Track CPU, memory, disk usage
– Basic log file consolidation and processing
– Sends real-time alerts via email and SMS; status changes can also trigger custom scripts
– Free for fewer than 50 devices; commercial version for additional devices
(screenshot: Groundwork)
MonitorIT
• http://www.goliathtechnologies.com/products/monitoring/
• Network device and performance monitor
– Track CPU, memory, disk usage
– Basic log file consolidation and processing
– Custom dashboards and reporting options
– Comprehensive virtual server monitoring: metrics from hypervisor hosts and virtual machines
– Real-time exception alerts via email and SMS
– Quick setup with pre-configured monitor rules
(screenshots: MonitorIT)
OpManager
• http://www.manageengine.com/network-monitoring/
• Unified monitoring suite
– Availability and performance monitoring
– Log collection and correlation
– Comprehensive virtual server monitoring
– Network bandwidth monitoring
– Change and configuration management
– Custom dashboards and reporting options
– Real-time alerts via email and SMS
(screenshots: OpManager)
Solarwinds
• http://www.solarwinds.com/
• Unified monitoring suite
– Availability and performance monitoring
– Log collection and correlation
– Network and firewall change management
– Network bandwidth monitoring
– Real-time alerts via email and SMS
– Initial setup can be time consuming
– Modules are sold separately
(screenshots: Solarwinds)
Solarwinds Free Tools
• http://www.solarwinds.com/products/solarwinds_free_tools/
– Many free tools available for basic tasks
• Firewall rules browser
• Bandwidth monitor
• Event log consolidator
• Active Directory permissions analyzer
• Active Directory administrator tools
• Network SNMP monitor
• IP address tracker
Splunk
• http://www.splunk.com/
• Data consolidation and correlation engine
– Collects logs and performance metrics; supports collecting output from custom scripts
– Advanced search of live and historical data
– Custom dashboards and reporting
– Time- and transaction-based correlation
– Sends real-time alerts via email, SMS, SNMP
– Initial setup can be time consuming
– Free edition for less than 500 MB/day of indexed data; commercial above that
(screenshot: Splunk)
What and How Summary!
• Take time to evaluate available options
– Try demos and free tools
– Solicit input from colleagues and vendors
• Focus on business and regulatory needs
– Comprehensive suite vs. individual tools
– Support availability
– Ease of setup
– Licensing costs
Documentation!!!
• my.infotex.com/obl041014
• promo code: OBLTC2014!
(diagram) IT Governance program areas: Access Management, Incident Response, Asset Management, Business Continuity, Vendor Management, Technical Security, Standards, Awareness, Risk Management
Typical Incident Response Program
What you’ll find . . . .
• Incident Response Program
– Incident Response Policy
– Incident Response Plan
– Procedures: Intrusion Detection Procedure, Performance Monitoring Procedure, Change Control Procedure, Network/Server Build Configuration Standards
– Tools: Talking Points, Letter Templates, FIL 2005-27, Decision Trees
Thank you
• Questions??
• Contact us!
– Sean Waugh, CISSP, MCSA: [email protected], (800) 466-9939 ext. 801
– Dan Hadaway, CRISC, CISA: [email protected], (800) 466-9939 ext. 810