lecture 11 - Security Monitoring

CS 6823 - Network Security
Network Security CS 6823 – Lecture 11
Security Monitoring
Keith O’Brien keith@keithobrien.org
Why is monitoring important?
- Actively baselining your network for normal activity and alerting on anomalies can detect a large number of intrusions.
- Layered security is critical. Your defenses can fail, and detection is your last line of defense.
- Sometimes you want to “watch” the intrusion so as to build a case, rather than simply killing the connection.
Why is monitoring important?
- Intruders are unpredictable.
- Some intruders will be smarter than you.
- Assume your defenses will eventually be penetrated, given enough time and resources.
- The advantage you have is that attackers eventually have to “move” to compromise systems. During this “movement” they can be detected.
What do we want to collect and analyze? Indicators and Warnings
From the U.S. Army intelligence training document titled "Indicators in Operations Other Than War":
- Indicator: "observable or discernible actions that confirm or deny enemy capabilities and intentions."
- Indications and Warnings (I&W): "the strategic monitoring of world military, economic and political events to ensure that they are not the precursor to hostile or other activities which are contrary to U.S. interests."
http://www.fas.org/irp/doddir/army/miobc/shts4lbi.htm
How does this relate to Network Security Monitoring?
- Indications and Warnings is a process of strategic network monitoring that analyzes indicators and produces warnings.
- Indicators are the output of IDS/IPS and logging systems, commonly called Alerts.
- Note that most IDS products don’t focus on vulnerabilities, just threats.
Collection, Analysis and Escalation
- Products such as IDSs perform the collection.
- People provide the analysis. While some products make an attempt at providing an analysis, this typically needs to be done by people so as to provide proper context for the Alert.
- Processes guide the escalation of events. Escalation is bringing the detected event to the attention of individuals who have the authority to respond. Without response, detection is rarely relevant.
Network Security Monitoring - Definition
The collection, analysis, and escalation of indications and warnings to detect and respond to network intrusions.
Policies for Security Monitoring
If a security guard responded to every detected movement from a surveillance camera, would this make sense? Of course not. Likewise, with Security Monitoring we must establish a policy that decides which detections become security events.
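The baselining-and-anomaly idea from the "Why is monitoring important?" slide and the escalation policy above, as an added example that is not part of the lecture: a per-host baseline of connections per minute is built from constructed summary lines (the "minute host connections" format is an assumption), each minute far above baseline becomes an indicator (alert), and a policy escalates a host only after repeated anomalous minutes, so a single spike does not page anyone.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample data: "minute host connections" (hypothetical flow summary lines).
BASELINE_LINES = """\
09:00 10.0.0.5 12
09:01 10.0.0.5 15
09:02 10.0.0.5 11
09:03 10.0.0.5 14
09:00 10.0.0.9 40
09:01 10.0.0.9 38
09:02 10.0.0.9 45
09:03 10.0.0.9 41
"""

LIVE_LINES = """\
10:00 10.0.0.5 14
10:01 10.0.0.5 60
10:02 10.0.0.5 75
10:00 10.0.0.9 44
10:01 10.0.0.9 120
10:02 10.0.0.9 40
"""

def parse(lines):
    """Yield (minute, host, connections) tuples from the constructed summary format."""
    for line in lines.strip().splitlines():
        minute, host, count = line.split()
        yield minute, host, int(count)

def build_baseline(lines):
    """Collection phase: per-host mean and population stdev of connections per minute."""
    per_host = defaultdict(list)
    for _, host, count in parse(lines):
        per_host[host].append(count)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def indicators(baseline, lines, zmax=3.0):
    """Indicators (alerts): minutes whose count is more than zmax stdevs above baseline."""
    out = []
    for minute, host, count in parse(lines):
        mean, sd = baseline[host]
        z = (count - mean) / sd if sd else (0.0 if count == mean else float("inf"))
        if z > zmax:
            out.append((minute, host, count, round(z, 1)))
    return out

def escalate(alerts, min_alerts=2):
    """Policy: escalate a host only once it has produced min_alerts anomalous minutes."""
    hits = Counter(host for _, host, _, _ in alerts)
    return sorted(h for h, n in hits.items() if n >= min_alerts)
```

With the sample data, 10.0.0.9 spikes once and stays an alert for an analyst to look at, while 10.0.0.5 is anomalous for two consecutive minutes and is the only host escalated.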