8/9/2019 CEHv6 Module 66 Security Convergence.pdf
http://slidepdf.com/reader/full/cehv6-module-66-security-convergencepdf

Ethical Hacking and Countermeasures, Version 6

Module 66: Security Convergence

Module Objective

This module will familiarize you with:

• Security Convergence
• Challenges on Security Convergence
• RAMCAP
• Open Security Exchange (OSE)
• Enterprise Security Management (ESM)
• Event Storage

EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow

• Security Convergence
• Challenges on Security Convergence
• RAMCAP
• Open Security Exchange (OSE)
• Enterprise Security Management (ESM)
• Log Collection
• Event Storage

Security Convergence

Convergence is a process of reusing and blending various technologies to create

It is the integration of security functions and information into a common IP network

Security convergence can leverage technology to improve the performance of the security function both physically and logically

It is a three-pronged approach composed of technologies, security processes, and people

Challenges Confronting an Effective Security Convergence Policy

Understanding the challenges inherent in the original Internet design

The ramifications of uncontrolled Internet growth and its effect on

The security issues involved with the Transmission Control

Evolution of the Internet as a global platform for security solutions is

Benefits of Using Risk Management in Planning IT Security Administration

Benefits for adopting a proactive and

• Better demonstration of IT security investment to the board
• More meaningful demonstration of business risk management to investors, especially the institutional investors that largely dictate stock prices
• Better demonstration of business risk management to customers
• Better employee awareness

RAMCAP

Risk Analysis and Management for Critical Asset Protection is a program initiated by the Department of Homeland Security (DHS)

It is an innovative process for security policy based upon global risk assessment in collaboration with DHS

It promotes understanding of the various vulnerabilities that may lead an attacker to select a particular target

It is composed of integrated steps to evaluate the threat potential, vulnerability, and possibility of a successful attack and its

Open Security Exchange (OSE)

OSE integrates various components of the security infrastructure

It is a cross-industry forum dedicated to merging physical and IT security solutions across an enterprise

It provides the enterprise with increased operational efficiencies and intelligent security

It specifies Physical Security Bridge to IT Security (PHYSBITS) to assist in the integration of physical and IT security management

• Common administration of users, privileges, and credentials
• Common strong authentication for accessing physical facilities and cyber systems through the use of dual-purpose credentials
• Common point of security management and event auditability

CISO (Chief Information Security Officer)

The CISO is typically focused on the issues involved with IT security and IT risk management within an organization, which includes:

• Information security mission development
• Information security office governance
• Information security policy development and management
• Information security training and awareness development
• Information security project portfolio development
• Supervision/management of ethical hackers and chief hacker officer

Elements of Building Secure

Elements of a fully secured enterprise:

• A sound, comprehensive enterprise protection architecture augmented by a schema of well-documented, well-understood, and routinely practiced business processes
• A rigorous system for the detection, analysis of, and, when appropriate, alert to and protection from threats to enterprise
• The ability to sustain continuity of operations during any conceivable threat
• Rapid recovery mechanisms to restore full operations once a threat is controlled
• The ability to analyze and apply forensics to determine what happens when an incident occurs and to incorporate lessons

Enterprise Security Management

Enterprise Security Management (ESM) is a general term that has been applied to security event monitoring and analysis solutions

ESM is an enhancement and combination of:

• Enterprise Event Management
• SIM: Security Information Management
• SEM: Security Event Management

The focus of ESM is to allow an analyst to monitor an organization's infrastructure in real time, regardless of product vendor and version

ESM Deployment Strategies

ESM solutions can be deployed in standard, high-availability, and geographically dispersed configurations

Log collection appliances provide a solid solution for organizations that want to adopt an easy-to-deploy appliance

In case there is no log aggregation strategy, it is possible to simply send logs directly from the point devices to the ESM manager

To move logs from point devices to the ESM manager, deploy log
managers

Convergence of Network Operations

Network operation centers (NOCs) and security operation centers (SOCs) are more focused on business impact than on hardware and software impact

Separation of duties and checks and balances are important concepts to maintain when any groups converge

The NOC is concerned with keeping things moving efficiently, and the SOC is concerned with security, rendered through analysis within the ESM

Log Collection

Log collection is important to increase operational efficiencies, reduce risk, and enhance an organization's security posture

A log collection mechanism needs to be scalable, extensible, and flexible

The ESM solution needs to be able to process the raw log data and turn it into actionable information

One mechanism to collect logs is to simply send logs directly to the ESM manager for processing

The log collectors installed on various operating systems listen for
prepare them for transport

Log Normalization

In log normalization, each log data field is converted to a particular data representation and categorized consistently

The most common use of normalization is to store dates and times in a

Normalizing the data makes analysis and reporting much easier when

In normalization, the logs need to be parsed without deleting any information by default

Log parsing is the process of extracting data from a log so that the parsed values can be used as input for another logging process

Log Severity

Each log source may have a unique severity level assigned to its logs; asset information, business relevance, and other factors can yield an overall priority score within most ESMs

Device severity captures the language used by the data source to describe its interpretation of the danger posed by a particular log

Connector severity is the translation of device severity into a

Log Time Correction

In an idealistic situation, everything would be synced with the Network Time Protocol and the device would get its time from a reliable source

Most ESM connectors are configurable to allow for time correction

Log Categorization

A methodology for describing logs, which enables analysts to understand the real significance of a particular log as reported from different devices, is called categorization

Categorization can be applied to several other fields within a log besides the actual field expressing the content of the log

It includes detailing the log's behavior, which techniques it uses, its outcome, and various other categories
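As an added example (not code from the module or from any ESM product), the connector-side pipeline that the Log Collection, Log Normalization, Log Severity, Log Time Correction and Log Categorization slides describe: two constructed log lines from unrelated sources are parsed without discarding the raw text, their timestamps are normalized to UTC with a per-source clock correction, device severity is translated to a connector severity and combined with asset criticality into a priority score, and a vendor-independent category is assigned. The source names, log formats, severity scales, clock offsets and category strings are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs from two unrelated sources (not taken from the module).
RAW_LOGS = [
    ("fw-edge", "Mar 14 10:05:02 fw1 kernel: DENY TCP 203.0.113.9 -> 198.51.100.4:22 sev=high"),
    ("winhost", "2019-03-14T10:00:07-05:00 WIN-DC1 EventID=4625 Level=Warning user=alice"),
]

# Time correction: the firewall's clock is assumed to run 5 minutes fast, so its
# connector subtracts 5 minutes; the Windows host is assumed to be NTP-synced.
CLOCK_OFFSET = {"fw-edge": timedelta(minutes=-5), "winhost": timedelta(0)}

# Connector severity: each device's own vocabulary mapped onto one 0-10 scale (assumed).
DEVICE_SEVERITY = {
    "fw-edge": {"low": 3, "medium": 5, "high": 8},
    "winhost": {"Information": 1, "Warning": 4, "Error": 7},
}
# Asset information that raises the priority score (assumed: the domain controller is critical).
ASSET_CRITICALITY = {"WIN-DC1": 3, "fw1": 1}

# Categorization: what the event means, independent of which device reported it.
CATEGORY = {"DENY": "/Firewall/Access/Deny", "4625": "/Authentication/Failure"}

FW_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (\w+) (\w+) (\S+) -> (\S+):(\d+) sev=(\w+)$")
WIN_RE = re.compile(r"^(\S+) (\S+) EventID=(\d+) Level=(\w+) user=(\S+)$")


def normalize(source, line, year=2019):
    """Parse one raw line into a common schema without discarding the raw text."""
    if source == "fw-edge":
        ts, host, action, proto, src, dst, port, sev = FW_RE.match(line).groups()
        # syslog stamps carry no year or zone; the device is assumed to log in UTC
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        fields = dict(host=host, proto=proto, src=src, dst=dst, dport=int(port), event_name=action)
    elif source == "winhost":
        ts, host, event_id, level, user = WIN_RE.match(line).groups()
        when, sev = datetime.fromisoformat(ts), level  # offset-aware stamp, exact UTC conversion
        fields = dict(host=host, user=user, event_name=event_id)
    else:
        raise ValueError(f"no parser for source {source!r}")
    corrected = when.astimezone(timezone.utc) + CLOCK_OFFSET[source]
    connector_sev = DEVICE_SEVERITY[source][sev]
    return {
        "raw": line, "source": source, "time_utc": corrected.isoformat(),
        "device_severity": sev, "connector_severity": connector_sev,
        "priority": min(10, connector_sev + ASSET_CRITICALITY.get(host, 0)),
        "category": CATEGORY.get(fields["event_name"], "/Unknown"),
        **fields,
    }
```

Run `normalize(src, line)` over each entry of `RAW_LOGS` to see both sources land in the same schema with comparable times, severities and categories.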

Event Storage

its advanced features

For data management, backups, and data restoration, many ESM solutions divide the stored events into logical segments

Regardless of whether the data is stored offline or online, the ESM utilizes compression and indexing techniques to save space and reduce search times, respectively

ESMs feature hashing of the database partitions to ensure that a tape loaded from several years ago has content that matches what was backed up
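As an added example (not the module's or any ESM vendor's code), the storage scheme this slide describes: constructed normalized events are divided into logical per-day segments, each segment is compressed for offline storage, a SHA-256 of its uncompressed content is recorded in a manifest, and a restored archive is checked against that manifest so that a missing, corrupt or swapped segment is reported. The per-day segment key and the event fields are assumptions.

```python
import hashlib
import json
import zlib

# Constructed normalized events (not from the module); the UTC day decides the segment.
EVENTS = [
    {"time_utc": "2019-03-14T10:00:02+00:00", "category": "/Firewall/Access/Deny", "src": "203.0.113.9"},
    {"time_utc": "2019-03-14T15:00:07+00:00", "category": "/Authentication/Failure", "user": "alice"},
    {"time_utc": "2019-03-15T02:13:44+00:00", "category": "/Authentication/Failure", "user": "bob"},
]


def canonical(event):
    """Serialize an event deterministically so identical content always hashes identically."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def segment_by_day(events):
    """Divide the stored events into logical segments, one per UTC day (assumed segment key)."""
    segments = {}
    for ev in events:
        segments.setdefault(ev["time_utc"][:10], []).append(canonical(ev))
    return {day: b"\n".join(lines) for day, lines in segments.items()}


def archive(segments):
    """Compress each segment for offline storage; the manifest hashes the uncompressed content."""
    blobs = {day: zlib.compress(data, 9) for day, data in segments.items()}
    manifest = {day: hashlib.sha256(data).hexdigest() for day, data in segments.items()}
    return blobs, manifest


def verify_restore(blobs, manifest):
    """Decompress a restored archive and list segments that are missing, corrupt or altered."""
    bad = []
    for day, digest in manifest.items():
        try:
            restored = zlib.decompress(blobs[day])
        except (KeyError, zlib.error):  # segment absent from the tape, or not valid zlib data
            bad.append(day)
            continue
        if hashlib.sha256(restored).hexdigest() != digest:
            bad.append(day)
    return sorted(bad)
```

Keep the manifest separate from the archive media (and ideally signed), since a hash stored alongside the data it protects can be rewritten together with it.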

Discovering and Interacting with

events that an analyst may not have been specifically looking for

An analyst may desire to run a pattern discovery sweep across an hour, day, month, or more of the historic data in search of patterns

Interactive discovery reports are dynamic and allow an analyst or even a nontechnical individual to review and manipulate the data

Events can be displayed in various graphical representations, sections can be highlighted, and the output can be easily shared and reviewed among various individuals performing an investigation

Discovering and Interacting with

To detect fraudulent activity and anomalies in users' behavior, you need to analyze more than just intrusion detection system data

(ILP) products go through the content as it crosses the network

E-mail transactions generally are not analyzed in real time; they have been used as part of forensic investigations

Intelligent Platform Management Interface (IPMI)

IPMI is a standard for monitoring and managing computer systems

IPMI interfaces are out-of-band, meaning that even if a system is powered down, communication is still possible

• Packet format
• Sensor codes
• How to retrieve information

Summary

Security convergence can leverage technology to improve the performance of the security function

Security convergence is the identification of security risks and interdependencies between business functions and processes within the enterprise

RAMCAP is an innovative process for security policy based upon global risk assessment in collaboration with DHS

Enterprise Security Management (ESM) is a general term that has been applied to security event monitoring and analysis solutions