Drupal Security Controls and Monitoring
Mike Nescot, JBS International
http://drupal.jbsinternational.com
Information Systems Logging and Monitoring
Security Controls
• FISMA standard: NIST SP 800-53 Rev 4
SP800-53 Rev 4 Security Controls: 18 Families
• Access Control
• Awareness & Training
• Audit & Accountability
• Security Assessment & Authorization
• Configuration Management
• Contingency Planning
• Identification & Authorization
• Incident Response
• Maintenance
SP800-53 Rev 4 Security Controls: 18 Families (cont.)
• Media Protection
• Physical and Environmental Protection
• Planning
• Personnel Security
• Risk Assessment
• System and Services Acquisition
• System & Communications Protection
• System & Information Integrity
• Program Management
SP800-53 Rev 4 Privacy Controls: 8 Families (FEA)
• Authority & Purpose
• Accountability, Audit, & Risk Management
• Data Quality & Integrity
• Data Minimization & Retention
• Individual Participation & Redress
• Security
• Transparency
• Use Limitation
Anatomy of a Control
• Account Management
• Control count: from 198 to 267, or 600 to 850
• More tailoring guidance, overlays, focus on assurance controls, strategic, privacy
SANS Top 20
• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers
• Continuous Vulnerability Assessment and Remediation
• Malware Defense
• Application Software Security
• Wireless Device Control
• Data Recovery Capability
• Security Skills Assessment & Training
• Secure Configurations for Firewalls, Routers, & Switches
SANS Top 20 (cont.)
• Limitation & Control of Network Ports, Protocols, & Services
• Controlled Use of Administrative Privileges
• Boundary Defense
• Maintenance, Monitoring, & Analysis of Audit Logs
• Controlled Access Based on Need to Know
• Account Monitoring & Control
• Data Loss Prevention
• Incident Response & Management
• Secure Network Engineering
• Penetration Testing & Team Exercises
SANS Top 20
The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:
• Offense informs defense: use knowledge of actual attacks for defense
• Prioritization: invest first in controls that will provide the greatest risk reduction and protection
• Metrics: establish common metrics to measure effectiveness
• Continuous monitoring: test and validate the effectiveness of current security measures
• Automation: automate defenses, achieve reliable, scalable, and continuous measurements
State of Required Security Controls
• Newly updated: NIST SP 800-53 Rev 4
• SANS Top 20 Controls
• Build it Right (SDLC), Continuous Monitoring
• 2011: NIST SP 800-137
Information Systems Continuous Monitoring (ISCM)
• Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
• From compliance driven to data driven risk management
Conventional
• Hostile cyber attacks
• Natural disaster
• Structural failures
• Human errors of omission or commission
• Strong Foundation
Advanced Persistent Threat
• Significant expertise
• Multiple attack vectors
• Establishes footholds
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS)
• Reference Architecture: Security Automation Standards
• Data Sources
• Data Collection
• Data Storage & Analysis
• Consumer Presentation
• Decisions
CAESARS Subsystems
• Sensor (assets, devices, servers, appliances)
• Database subsystem (repository of configuration and inventory baselines)
• Analysis/Scoring
• Presentation (variety of views, query capabilities)
CAESARS
The end goal of CAESARS FE is to enable enterprise CM by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
Establish
• Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration
• Monitoring and assessment frequencies: volatility, impact levels, identified weaknesses, threat info, vulnerability info, assessment results, strategic reviews, reporting requirements
Logging vs. Auditing vs. Monitoring
• Logging: collecting event records
• Event: a single occurrence involving an attempted state change
• Message: what a system does or generates in response to a request or stimulus
• Timestamp, source, data
• Auditing: the system is behaving as expected; compliance
• Monitoring: situational awareness
• Log all you can, but alert on what you must respond to (monitor as little as you need)
Logging Formats and Standards
• Syslog
• XML (SCAP)
• Relational Database
• NoSQL Database (Hadoop, MongoDB)
• Binary (Windows Event Log)
NIST: Security Automation Domains
• Vulnerability Management
• Patch Management
• Event Management
• Incident Management
• Malware Detection
• Asset Management
• Configuration Management
• Network Management
• License Management
• Information Management
• Software Assurance
Monitoring Targets: Objects (System Boundary)
• Web Server Status
• Database Server Status
• Operating System
• File system changes (HIDS)
• Network Traffic
• Network Devices (Firewalls, routers, switches)
• Vulnerabilities
• Drupal application(s)
Monitoring Targets: Metrics
• Adverse Events
• Performance & Reliability
• Configuration Compliance
• Authorized devices and services
• Vulnerabilities
• Risk
Minimize Monitoring
• Cloud & virtualization
• Integrate development, design, operations, acquisition
• Centralized, Application-Centric View
Integration: Continuous Continuum
• Continuous Quality Improvement
• Continuous Integration
• Continuous Delivery
• Continuous Design
• Continuous Monitoring
From Standard Monitoring to Focused, Application-Centric Monitoring
Security Monitoring Capability Levels
• Centralized Logging
• Infrastructure Monitoring
• Security Information and Event Management (SIEM): Risk Assessment
• Real-Time Intelligent Query
Drupal Monitoring Assets
• Watchdog: logdb/SQL, MongoDB or Syslog
• Infrastructure: Nagios module/plugin
• Infrastructure monitoring: Production Check/Monitor
• SIEM: OSSIM plugin (Watchdog)
• Search enhancements: Logstash module for log collection, centralization, parsing, storage and search
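The "log all you can, but alert on what you must respond to" rule from the Logging vs. Auditing vs. Monitoring slide, applied to the Watchdog-to-syslog stream listed above, as an added example (not code from the talk, from Drupal or from any Drupal module): it parses the Drupal 7 syslog module's default pipe-delimited line format and counts the events worth an alert per source IP. The sample lines, the alert categories and the threshold are constructed for this example.

```python
import re
from collections import Counter

# Drupal 7 syslog module default line format (after the syslog header):
#   !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) drupal: (?P<body>.*)$")
FIELDS = ["base_url", "timestamp", "type", "ip", "request_uri",
          "referer", "uid", "link", "message"]

def parse_watchdog(line):
    """Return the watchdog fields as a dict, or None for non-Drupal syslog lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    parts = m.group("body").split("|", len(FIELDS) - 1)  # message may contain '|'
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Map a record to an alert category, or None when it is logged but not alerted on."""
    if rec["type"] == "user" and rec["message"].startswith("Login attempt failed"):
        return "failed_login"
    if rec["type"] == "access denied":
        return "access_denied"
    return None  # e.g. 'page not found', cron, content changes: kept, never paged

def triage(lines, threshold=3):
    """Count alertable events per (category, source IP); return those at/over threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_watchdog(line)
        cat = classify(rec) if rec else None
        if cat:
            counts[(cat, rec["ip"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def _line(sec, typ, ip, uri, msg):
    """Constructed sample line in the Drupal 7 syslog format (not real log data)."""
    return (f"Mar  3 10:15:{sec:02d} web01 drupal: http://example.com|{1362305700 + sec}"
            f"|{typ}|{ip}|{uri}|http://example.com/|0||{msg}")

SAMPLE = [  # constructed: three failed logins and one 403 from one IP, plus noise
    _line(1, "user", "203.0.113.5", "/user/login", "Login attempt failed for admin."),
    _line(2, "user", "203.0.113.5", "/user/login", "Login attempt failed for admin."),
    _line(4, "user", "203.0.113.5", "/user/login", "Login attempt failed for root."),
    _line(9, "access denied", "203.0.113.5", "/admin/config", "admin/config"),
    _line(12, "page not found", "198.51.100.7", "/favicon.ico", "favicon.ico"),
    "Mar  3 10:15:13 web01 sshd[1234]: Accepted publickey for deploy from 192.0.2.9",
]
```

The same split-on-pipe logic is what a Logstash filter for these lines would do before shipping them to a central index; the threshold here stands in for the SIEM correlation rule.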
Network & Infrastructure Monitoring (Nagios)
• Monitoring and alerting
• Servers
• Switches
• Applications
• Services
• Status: availability, load, physical condition
Security Information and Event Management (SIEM)
• Intrusion Detection
• Anomaly Detection
• Vulnerability Detection
• Discovery, Learning and Network Profiling systems
• Inventory systems
• Incident Reporting & Response
Open Source Security Information Management (OSSIM)
• Asset Discovery
• Vulnerability Assessment
• Threat Detection
• Behavioral Monitoring
• Security Intelligence
OSSIM Components
• Snort (network intrusion detection system)
• Ntop (network and usage monitor)
• OpenVAS (vulnerability scanning)
• p0f (passive operating system fingerprinting)
• PADS (Passive Asset Detection System), complements Snort with context
• Arpwatch (Ethernet/IP address pairings monitor)
• OSSEC (host intrusion detection system)
• Osiris (host integrity monitoring)
• Nagios (availability monitoring)
• OCS (inventory)
Core Nagios Monitoring
• Pending Drupal version update
• Pending Drupal module updates
• Unwritable 'files' directory
• Pending updates to the database schema
• Status of cron
• Number of published nodes
• Number of active users
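An added example, not the Drupal Nagios module's own code, of how the checks listed above map onto the Nagios plugin convention: exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, the worst state winning, and a status line with perfdata after the `|`. The status dict, the severity assigned to each check and the cron age thresholds are assumptions made for this example.

```python
# Nagios plugin return codes (standard plugin API) and their labels.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def check_drupal(status, now, cron_warn=3600, cron_crit=86400):
    """Evaluate a Drupal status snapshot; return (exit code, Nagios output line).

    `status` is an assumed dict holding the checks from the slide:
    core_update_pending (bool), module_updates_pending (int), files_writable (bool),
    schema_updates_pending (int), cron_last_run (epoch seconds), nodes, users (int).
    The severity given to each check is this example's choice, not the module's.
    """
    state, problems = OK, []

    def flag(level, text):
        nonlocal state
        state = max(state, level)  # worst state wins, as Nagios expects
        problems.append(text)

    try:
        if not status["files_writable"]:
            flag(CRITICAL, "files directory not writable")
        if status["core_update_pending"]:
            flag(WARNING, "core update pending")
        if status["module_updates_pending"]:
            flag(WARNING, f"{status['module_updates_pending']} module update(s) pending")
        if status["schema_updates_pending"]:
            flag(WARNING, f"{status['schema_updates_pending']} schema update(s) pending")
        cron_age = now - status["cron_last_run"]
        if cron_age > cron_crit:
            flag(CRITICAL, f"cron last ran {cron_age // 3600}h ago")
        elif cron_age > cron_warn:
            flag(WARNING, f"cron last ran {cron_age // 60}m ago")
        # Perfdata after '|' lets Nagios graph the counts the slide lists.
        perfdata = (f"nodes={status['nodes']} users={status['users']} "
                    f"module_updates={status['module_updates_pending']} cron_age={cron_age}s")
    except KeyError as missing:
        return UNKNOWN, f"DRUPAL UNKNOWN - status field {missing} missing"
    summary = "; ".join(problems) if problems else "all checks passed"
    return state, f"DRUPAL {NAMES[state]} - {summary} | {perfdata}"

# Constructed snapshot: healthy except two module updates and cron two hours stale.
SAMPLE_NOW = 1362305700
SAMPLE_STATUS = {"core_update_pending": False, "module_updates_pending": 2,
                 "files_writable": True, "schema_updates_pending": 0,
                 "cron_last_run": SAMPLE_NOW - 7200, "nodes": 1240, "users": 37}

if __name__ == "__main__":
    code, line = check_drupal(SAMPLE_STATUS, now=SAMPLE_NOW)
    print(line)
    raise SystemExit(code)
```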
Screenshots: OSSIM; OSSIM and Nagios; Logstash, Kibana and Elasticsearch
Software Defined Infrastructure
• SDIM: Machine Configuration (Virtualization, Chef & Puppet), AWS, VMWare & OpenStack
• SDN: Software Defined Networking
• SDS: Software Defined Storage
• Software Defined Drupal Security?
Configuration & Patch Management
Security Content Automation Protocol (SCAP)
• Specifications for security data (baselines, XCCDF, OVAL)
• Checklist repository (USGCB)
• NIST validated commercial tools
• OpenSCAP
• RH Satellite, Spacewalk
SCAP Workbench
Thank You!!!
Comments, Questions, Criticism?
http://drupal.jbsinternational.com