business productivity and automated security controls
Post on 24-Jun-2015
Optimizing Business Productivity Through Automated Security Controls
Heather Axworthy
Network Security Engineer
haxworthy@gmail.com
© 2010 Heather L. Axworthy
Bio
Ten Years Experience In Networks And Security
Secured Many Sensitive And Strategic Networks For Fortune 50 Companies
Sr. Security Engineer
Worked On Multiple IDS/IPS And Security Platforms
Really Good Cook, Tried Flying A Helicopter, And Love To Hike
Blog: http://chickbits.blogspot.com
LinkedIn: http://www.linkedin.com/in/heatheraxworthy
Twitter: haxworthy
Global Financial Services
Managed Security Services
B2C Retailer
B2B Start-up
Large University
Agenda
1. Security Continuum
2. Where To Respond To A Threat?
3. Single Security-Strategy Risks
4. Protection & Costs
5. Deployment Considerations
6. Recommendations To Your Clients
7. What Is IPS?
8. Architecture And Deployment
9. Event Monitoring/Tuning
10. Ensuring Success
Security Continuum
Prevention: IPS
Detection: IDS & Desktop
Response: People
Security Continuum
Human Analogy | Security Appliances
PREVENTION: Skin (Openings: Eyes, Nose, Mouth, Ears, Cuts, Etc.) | Firewall (Open Ports: 25, 80, 110, 443, Etc.)
DETECTION: Immune System (Detects Organic Viruses) | Intrusion Detection Systems (IDS): Watches Network Traffic, Alerts I.T. Staff
RESPONSE: Antibodies (Mitigates & Eliminates An Organic Virus) | Security Incident And Event Management (SIEM): Automates Threat Responses; Significant Human Effort Is Still Required
Security Assets
Equipment: Firewall, IPS, IDS, Log Monitoring
Processes: Change Management, Vulnerability Management, Incident Response
People: IT Resources, User Awareness Training
Composition of Threat Response
[Chart: Composition of Threat Response: Computers, IT, and Users; axis label "Internet Traffic"]
Security Involves Variable Human Interaction
Perimeter Security Block Malicious Traffic From Entering The Network.
– IPS Provides Active Blocking & Minimizes User Involvement, Reducing Response Urgency
– I.T. Employees Involved With Deployment And Maintenance
Intrusion Detection (IDS) Alerts I.T. To Malicious Traffic But Does Not Prevent It From Penetrating The Network.
– IDS Requires Higher IT Employee Interaction To React To Alerts.
Desktop Security Controls Involve The Highest Participation From Users.
Single Security-Strategy Risks
Single Security Strategy
Organizations Often Decide To Deploy Only One Security Technology
– Different Security Methods Are Not Equal – Each Provides Different Levels Of Protection
If You Deploy One Technology, It’s Best To Have A Proactive Technology Like IPS At The Perimeter.
– IPS Reduces The Amount Of Malicious Traffic That Gets To The End User
– Employees See Fewer Alerts – More Time To Focus On The Business
Previous Chart Illustrates Risk Levels For Deploying Only One Security Technology.
– For Example, Deploying Only Desktop Security Technologies Results In The Highest Risk Because The Threat Has Already Entered Your Network
User-centric Measures Are Inconsistent Because Users Do Not Do The Same Thing Every Time.
Protection & Equipment Costs
IPS Technologies Are Proactive
– Higher Initial Cost
– Higher Level Of Protection
IDS Technologies Are Reactive
– Lower Initial Cost
– Many Tools Are Open Source
– Majority Of The Cost Is Hardware
– Protection Level Is Lower: IDS Only Alerts I.T. To Malicious Traffic, And I.T. Must Spend Large Amounts Of Time Investigating, Which Can Incur Extra Costs For Additional Response Training.
Desktop Security Is Reactive
– Quantity Of Desktops Drives Costs
– Relatively Inexpensive SW
– User-training Costs Must Be Considered
Deployment Considerations
[Chart: deployment criteria; only the labels "criteria" and "partial" survive in the transcript]
Recommendation To Your Clients
IPS….IDS….Desktop SW….Security Awareness Training….Log Management & Monitoring ????
Keep The Threats Out!
What is IPS?
IPS = Intrusion Prevention System/Service.
Designed To Be Deployed Inline.
Proactive Approach To Traffic Monitoring.
Preventing The Attack Packet From Penetrating Your Network.
Architecture
Capacity Planning – Biggest Mistake: Purchasing Hardware That Is Too “Small” For Your Network.
Look At The Traffic Load Of The Segments You Want To Monitor. If The Segments (VLANs) You Want To Monitor Register Bandwidth In Excess Of 100MB Each, A Small 400MB Device Is Not Large Enough.
Most Devices Have A Maximum Throughput Which Is Often An Aggregate Of All Interfaces On The Device.
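A capacity-planning check for the sizing rule above, as an added example that is not from the slides: it sums the measured peak load of every segment you intend to monitor and compares the total with the device's rated aggregate throughput (the figure that is shared across all interfaces), keeping a headroom margin so growth and bursts do not saturate the box. The segment names and loads, the device ratings, the use of Mbps as the unit, and the 70% headroom figure are all assumptions made for the example.

```python
"""Capacity-planning check for an inline IPS.
Added example (not from the original slides); all loads, device ratings and
the 70% headroom figure are constructed assumptions."""
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    name: str          # VLAN or segment label
    peak_mbps: float   # measured peak load on that segment


@dataclass
class Device:
    model: str
    aggregate_mbps: float  # rated throughput, an aggregate across all interfaces


def plan_capacity(segments: List[Segment], device: Device, headroom: float = 0.7) -> dict:
    """Compare the combined segment load with the device's usable aggregate throughput.

    headroom is the fraction of the rated aggregate you are willing to commit
    (0.7 is an assumed value that leaves room for growth and traffic bursts).
    """
    total = sum(s.peak_mbps for s in segments)
    usable = device.aggregate_mbps * headroom
    # A segment that on its own exceeds the usable budget cannot be monitored by this device at all
    too_big = [s.name for s in segments if s.peak_mbps > usable]
    return {
        "device": device.model,
        "total_peak_mbps": total,
        "usable_mbps": usable,
        "fits": total <= usable,
        "over_by_mbps": max(0.0, total - usable),
        "segments_exceeding_device": too_big,
    }


# Constructed sample: three monitored VLANs, each above 100 Mbps, checked against a
# device rated at 400 Mbps aggregate and one rated at 1000 Mbps aggregate.
SEGMENTS = [
    Segment("vlan-users", 120.0),
    Segment("vlan-servers", 150.0),
    Segment("vlan-dmz", 110.0),
]
SMALL_DEVICE = Device("example-400", 400.0)
LARGER_DEVICE = Device("example-1000", 1000.0)

if __name__ == "__main__":
    for dev in (SMALL_DEVICE, LARGER_DEVICE):
        print(plan_capacity(SEGMENTS, dev))
```

Run it as a script and the 400 Mbps device comes out about 100 Mbps short of the three segments combined even though no single segment exceeds it, which is exactly the aggregate-throughput trap the slide warns about; the 1000 Mbps device fits with margin.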
Deployment
Event Monitoring/Tuning
My Device Is In Place, What Do I Do Next?
Tuning – The Time Period When You Look At Your Events And Weed Out Any False Positives And Modify Signatures.
Best Practice Is At Least 30 Days Of Looking At Traffic On A Daily Basis.
This Will Enable You To Filter Out Signatures That Are “Noisy” And See Events That Show Valid Attacks.
Once The Tuning Period Is Over, Put The Device Into Block “IPS” Mode.
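A tuning-period worksheet for the steps above, as an added example that is not from the deck: it summarizes a constructed batch of IDS events per signature (hit count, distinct sources and destinations, days seen), lists the high-volume signatures an analyst should look at first, records the analyst's verdicts as a disable/threshold list, and only recommends the switch to block mode once 30 consecutive days have actually been reviewed and every signature has a verdict. The event format, signature IDs, thresholds and verdicts are assumptions; the decision about what is a false positive stays with the analyst.

```python
"""IPS tuning-period helper. Added example, not from the original slides;
the event log format, signature IDs, thresholds and verdicts are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed event log in a simple "date,sig_id,src,dst" form (not a real product format)
EVENTS = """\
2010-03-01,SIG-100,10.0.0.5,10.0.1.20
2010-03-01,SIG-100,10.0.0.6,10.0.1.20
2010-03-02,SIG-100,10.0.0.7,10.0.1.20
2010-03-02,SIG-200,198.51.100.9,10.0.2.8
2010-03-03,SIG-100,10.0.0.5,10.0.1.20
2010-03-03,SIG-300,203.0.113.4,10.0.2.8
2010-03-04,SIG-100,10.0.0.8,10.0.1.20
"""


def parse_events(text):
    """Turn the constructed log into dicts with a real date object per row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, sig, src, dst = line.split(",")
        rows.append({"date": date.fromisoformat(d), "sig": sig, "src": src, "dst": dst})
    return rows


def signature_worksheet(rows):
    """Per-signature summary an analyst reviews during the tuning period."""
    acc = defaultdict(lambda: {"count": 0, "sources": set(), "dests": set(), "days": set()})
    for r in rows:
        w = acc[r["sig"]]
        w["count"] += 1
        w["sources"].add(r["src"])
        w["dests"].add(r["dst"])
        w["days"].add(r["date"])
    return {sig: {"count": w["count"], "sources": len(w["sources"]),
                  "dests": len(w["dests"]), "days_seen": len(w["days"])}
            for sig, w in acc.items()}


def noisy_candidates(worksheet, min_days, min_count):
    """Signatures that fire in volume on many days are the first to review as
    possible noise; the thresholds are assumptions and the verdict is the analyst's."""
    return sorted(sig for sig, w in worksheet.items()
                  if w["days_seen"] >= min_days and w["count"] >= min_count)


def daily_window(start_iso, n_days):
    """Set of n_days consecutive dates beginning at start_iso (review-log stand-in)."""
    start = date.fromisoformat(start_iso)
    return {start + timedelta(days=i) for i in range(n_days)}


def tuning_plan(worksheet, verdicts, reviewed_days, required_days=30):
    """verdicts: analyst decision per signature, one of 'disable', 'threshold', 'keep'.
    reviewed_days: dates on which someone actually looked at the events.
    Returns the suppression lists and whether to move from detect to block mode."""
    disable = sorted(s for s, v in verdicts.items() if v == "disable")
    threshold = sorted(s for s, v in verdicts.items() if v == "threshold")
    unreviewed = sorted(s for s in worksheet if s not in verdicts)
    days = sorted(reviewed_days)
    # Longest run of consecutive daily reviews: a gap resets the count
    best = run = 0
    for i, d in enumerate(days):
        run = run + 1 if i and d - days[i - 1] == timedelta(days=1) else 1
        best = max(best, run)
    ready = best >= required_days and not unreviewed
    return {"disable": disable, "threshold": threshold, "unreviewed": unreviewed,
            "consecutive_days_reviewed": best,
            "mode": "block" if ready else "detect"}


if __name__ == "__main__":
    ws = signature_worksheet(parse_events(EVENTS))
    print("review first:", noisy_candidates(ws, min_days=4, min_count=5))
    # Verdicts are constructed as if an analyst had already reviewed the three signatures
    verdicts = {"SIG-100": "disable", "SIG-200": "keep", "SIG-300": "threshold"}
    print(tuning_plan(ws, verdicts, daily_window("2010-03-01", 30)))
```

The readiness check is deliberately strict: a missed review day resets the consecutive-day count, and any signature without a verdict keeps the device in detect mode, so a half-finished tuning period cannot quietly become a blocking deployment.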
Ensuring Success
Company Buy-in, From Top Executive Management To End User. IPS Will Make “Us” More Secure.
Staffing Levels – Proper Staffing Must Be In Place To Support The IPS Device(s) And The Monitoring Of Events On A Daily Basis.
If The IPS Device Stops One Botnet Outbreak, Or A SQL Injection Attack, It Has Paid For Itself!
Q & A
Heather Axworthy
Network Security Engineer
haxworthy@gmail.com