
Juan M. Quintero
SEC 572
You Decide 3, Wk 5

The CISO has a meeting with the CIO at the end of this week. We at the Information Security Department have provided the CISO with information about the two projects we have chosen to prioritize in order to improve the overall security posture of the organization. The two projects selected are: Security Event Correlation, Monitoring and Reporting; and Improved Remote Employee Authentication.

We have chosen these two projects for several reasons. First, the two selected projects are connected: they complement one another, share resources, and together cost less. Secondly, the proposed projects will serve as enhancements to the improvements made in the past weeks (discussed in the previous You Decide papers) to the overall security of the network. Both projects fit into our network vision of defense in depth.

First we will discuss the proposed project for Security Event Correlation, Monitoring, and Reporting. Information security incidents can be characterized as the loss of availability, integrity, and/or confidentiality of data. Tremendous research and development resources have been spent on ensuring information availability, integrity and confidentiality. This research has led to the development of security devices such as firewalls, IDS, strong authentication and access control mechanisms, VPNs and PKI. Organizations worldwide are implementing these technologies to prevent or detect an information security incident. These security devices provide logging and alerting of known and possibly unknown security events that occur on a network infrastructure. Unfortunately, despite all of these technological advances, most companies do not monitor the information coming from these devices. It is almost as if you had a rocket ship in the garage, yet you're driving a Ford Fiesta because you are too lazy to read the manual and learn how to fly the rocket ship.

Security device logging can be extensive and difficult to interpret, and because of the size of the logs it is very time consuming to review them manually. In our organization, a dedicated staff of information technology personnel is not available to continuously monitor logs, alerts or the network; we simply lack the manpower. Currently system administrators review security information as part of routine maintenance. This limited monitoring of enterprise security leaves our organization blind to attacks targeted at the corporate network between admin checks. Security logs provide details about the activity on a corporate information technology infrastructure. This activity includes valid business applications, external attacks using the Internet and internal attacks by employees. The next advance in enterprise security monitoring will be to capture the knowledge and analytical capabilities of human security experts in an intelligent system that performs event correlation on the logs and alerts of multiple security technologies.

For example, suppose our organization has a screening router outside the firewall that protects the corporate network, and a security event monitoring system with reliable artificial intelligence. The monitoring system would start detecting logs in which the access control lists or packet screens on the screening router were denying communications from a certain IP address. Because the intelligent system is actually intelligent, it would begin detailed monitoring of the firewall logs and the logs of any publicly accessible servers for any communications destined for or originating from that IP address. If the system determined that there was malicious communication, it would have the capability to modify the router access control lists or the firewall configuration to deny any communication destined for or originating from the IP address. In this example, the access control list deny logs from the router trigger the intelligent system to look specifically for suspicious activity from a certain IP address. Using event correlation, the reaction mechanism has more time to monitor and react to an attacker. If the system did not correlate events, it would only detect an event that had already occurred based on a known attack signature, or it might even read a malicious attack as normal traffic.

What happens if the intelligent system begins detecting multiple failed logins to an NT server by the president of the company? It would be useful for this technology to determine where these failed logins were originating from and to look for suspicious activity from this IP and/or user for some designated timeframe. If our intelligent system determined that the failed logins originated from a user other than the president of the company, it could closely monitor for a period of time all actions by this suspicious user, who could be impersonating the president. This monitoring could include card readers, PBX or voice mail access, security alarms from secured doors and gates, and access to other servers. If the monitoring system were not correlating events, the user impersonating the company president would probably bypass all access control and security monitoring devices because the user's actions appear as normal activity. We are currently looking into ESM products from Symantec. Price is forthcoming.

Secondly, we would like to talk about improving the remote access capabilities and putting to use the TACACS+ capabilities that we deployed earlier. TACACS+ provides authorization, authentication and accountability. In addition to using the system to monitor internal usage, we would like to extend its capabilities to allow many of our employees to function partially or entirely from a remote location. The logging received from TACACS+ will hopefully be fed into the ESM for better monitoring. We will use VPN for remote access and make sure that we enforce strong authentication using PKI and SSL, and issue secured machines to those who have to access privileged files from a remote location. Products from Symantec as well as Cisco are being researched for these purposes. The proposed project will not only allow for better overall security, but will also address the manpower issues currently plaguing the Information Security Department by lowering its burden. The new remote access capabilities will allow the company to expand and be more versatile. Company leaders will be well informed from anywhere and employees can be productive from remote locations. The idea of sending some of the workforce to work from home can now be entertained, something which has the potential to save the company money.

These two projects are not only an improvement to the company's network infrastructure, but an improvement to the organization as a whole.
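As an added illustration of the correlation logic described above (the router ACL-deny scenario and the TACACS+ logs being fed into the ESM), here is a small correlator written for this page; it is not code from the paper or from any Symantec or Cisco product. It reads constructed router denial and TACACS+ authentication records, flags a source after a burst of denials, and escalates to a block recommendation only when that same source also produces repeated failed logins. The log format, thresholds and IP addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the paper) in an assumed syslog-like format.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 router acl-deny src=203.0.113.7 dst=198.51.100.10 port=22
2024-05-01T09:00:03 router acl-deny src=203.0.113.7 dst=198.51.100.10 port=23
2024-05-01T09:00:05 router acl-deny src=203.0.113.7 dst=198.51.100.10 port=3389
2024-05-01T09:00:09 tacacs auth-fail user=president src=203.0.113.7
2024-05-01T09:00:12 tacacs auth-fail user=president src=203.0.113.7
2024-05-01T09:00:15 tacacs auth-fail user=president src=203.0.113.7
2024-05-01T09:11:00 router acl-deny src=192.0.2.99 dst=198.51.100.10 port=25
"""

def parse(text):
    """Yield (timestamp, device, event, fields); malformed lines are skipped."""
    for raw in text.splitlines():
        try:
            ts, device, event, *kvs = raw.split()
            fields = dict(kv.split("=", 1) for kv in kvs)
            yield datetime.fromisoformat(ts), device, event, fields
        except ValueError:
            continue  # a bad line must not take the correlator down

def burst(times, threshold, window):
    """True if at least `threshold` events fall inside one sliding `window`."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window:
            return True
    return False

def correlate(text, deny_n=3, fail_n=3, window=timedelta(minutes=5)):
    """Return {src_ip: verdict}: 'watch' on one indicator, 'block' when two correlate."""
    denies, fails = defaultdict(list), defaultdict(list)
    for ts, device, event, f in parse(text):
        if device == "router" and event == "acl-deny":
            denies[f["src"]].append(ts)                # the router's deny log
        elif device == "tacacs" and event == "auth-fail":
            fails[(f["user"], f["src"])].append(ts)    # failed logins per user/source
    verdicts = {}
    for src, ts in denies.items():
        if burst(ts, deny_n, window):
            verdicts[src] = "watch"                    # begin detailed monitoring
    for (user, src), ts in fails.items():
        if burst(ts, fail_n, window):
            # Denials AND repeated failed logins from the same source: escalate
            verdicts[src] = "block" if verdicts.get(src) == "watch" else "watch"
    return verdicts
```

A single denial from 192.0.2.99 never reaches the threshold, so it produces no verdict, while 203.0.113.7 is escalated because both indicators line up inside the window.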
