SlideShare une entreprise Scribd logo

Drupal Security Controls and Monitoring with SCAP and SIEM

Télécharger en tant que PPTX, PDF
M
mnescot
Technologie
1  sur  51
Drupal Security Controls and Monitoring Mike Nescot, JBS International
Drupal Security Controls and Monitoring Mike Nescot, JBS International http://drupal.jbsinternational.com
Information Systems Logging and Monitoring
Security Controls • FISMA Standard: SP-53 Rev 4
SP800-53 Rev 4 Security Controls: 18 Families • Access Control • Awareness & Training • Audit & Accountability • Security Assessment & Authorization • Configuration Management • Contingency Planning • Identification & Authorization • Incident Response • Maintenance
SP800-53 Rev 4 Security Controls: 18 Families (con.) • Media Protection • Physical and Environmental Protection • Planning • Personnel Security • Risk Assessment • System and Services Acquistion • System & Communications Protection • System & Information Integrity • Program Management
SP800-53 Rev 4 Privacy Controls: 8 Families (FEA) • Authority & Purpose • Accountability, Audit, & Risk Management • Data Quality & Integrity • Data Minimization & Retention • Individual Participation & Redress • Security • Transparency • Use Limitation
Anatomy of a Control • Account Management • Control count: from 198 to 267, or 600 to 850 • More tailoring guidance, overlays, focus on assurance controls, strategic, privacy
SANS Top 20 • Inventory of Authorized and Unauthorized Devices • Inventory of Authorized and Unauthorized Software • Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers • Continuous Vulnerability Assessment and Remediation • Malware Defense • Application Software Security • Wireless Device Control • Data Recovery Capability • Security Skills Assessment & Training • Secure Configurations for Firewalls, Routers, & Switches
SANS Top 20 (cont) • Limitation & Control of Network Ports, Protocols, & Services • Controlled Use of Administrative Privileges • Boundary Defense • Maintenance, Monitoring, & Analysis of Audit Logs • Controlled Access Based on Need to Know • Account Monitoring & Control • Data Loss Prevention • Incident Response & Management • Secure Network Engineering • Penetration Testing & Team Exercises
SANS Top 20 The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are: • Offense informs defense: Use knowledge of actual attacks for defense • Prioritization: Invest first in controls that will provide the greatest risk reduction and protection • Metrics: Establish common metrics to measure effectiveness • Continuous monitoring: Test and validate the effectiveness of current security measures. • Automation: Automate defenses, achieve reliable, scalable, and continuous measurements
State of Required Security Controls • Newly updated: NIST SP-53 Rev 4 • SANS Top 20 Controls • Build it Right (SDLC), Continuous Monitoring • 2011: NIST SP 800-137
Information Systems Continuous Monitoring (ISCM) • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. • From compliance driven to data driven risk management
Conventional • Hostile cyber attacks • Natural disaster • Structural failures • Human errors of omission or commission • Strong Foundation
Advanced Persistent Threat • Significant expertise • Multiple attack vectors • Establishes footholds
Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) • Reference Architecture: Security Automation Standards • Data Sources • Data Collection • Data Storage & Analysis • Consumer Presentation • Decisions
CAESARS Subsystems • Sensor (Assets, devices, servers, devices, appliances) • Database Sub (repository of configuration and inventory baselines) • Analysis/Scoring • Presentation (variety of views, query capabilities)
CAESARS The end goal of CAESARS FE is to enable enterprise CM by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
Establish • Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration • Monitoring and assessment frequencies: volatility, impact levels, identified weaknesses, threat info, vulnerabilit info, assessment results, strategic reviews, reporting requirements
Logging vs. Auditing vs. Monitoring • Logging: Collecting event records • Event: single occurance involinvg an attempted state chabge • Message: what a system does or generates in response to request or stimulus • Timestamp, source, data • Auditing: System is behaving as expected, compliance • Monitoring: Situational awareness • Log all you can, but alert on what you must respond (monitor as little as you need)
Logging Formats and Standards • Syslog • XML (SCAP) • Relational Database • NoSQL Database (Hadoop, MongoDB) • Binary (Windows Event Log)
NIST: Security Automation Domains • Vulnerability Management • Patch Management • Event Management • Incident Management • Malware Detection • Asset Management • Configuration Management • Network Management • License Mangement • Information Management • Software Assurnce
Monitoring Targets: Objects System Boundary • Web Server Status • Database Server Status • Operating System • File system changes (HIDS) • Network Traffic • Network Devices (Firewalls, routers, switches) • Vulnerabilities • Drupal application(s)
Monitoring Targets: Metrics • Adverse Events • Performance & Reliability • Configuration Compliance • Authorized devices and services • Vulnerabilities • Risk
Minimize Monitoring • Cloud & virtualization • Integrate development, design, operations, acquisition • Centralized, Application-Centric View
Integration: Continuous Continuum • Continuous Quality Improvement • Continuous Integration • Continuous Delivery • Continuous Design • Continuous Monitoring
From Standard Monitoring :
To Focused, Application-Centric Monitoring:
Security Monitoring Capability Levels • Centralized Logging • Infrastructure Monitoring • Security Information and Event Management (SIEM): Risk Assessment • Real-Time Intelligent Query
Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructue: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module,log collection, centralization, parsing, storage and search
Network & Infrastructure Monitoring (Nagios) • monitoring and alerting • servers • switches • applications • Services • Status: availability, load, physical condition
Security Information and Event Management (SIEM) • Intrusion Detection • Anomaly Detection • Vulnerability Detection • Discovery, Learning and Network Profiling systems • Inventory systems Incident Reporting & Responese
Open Source Security Information Management (OSSIM) • Asset Discovery • Vulnerability Assessment • Threat Detection • Behavioral Monitoring • Security Intelligence
OSSIM Components • Snort (Network Intrusion Detection System) • • Ntop (Network and usage Monitor) • • OpenVAS (Vulnerability Scanning) • • P0f (Passive operative system detection) fingerprint OS • • Pads (Passive Asset Detection System) complements SNORT with context • • Arpwatch (Ethernet/Ip address parings monitor) • • OSSEC (Host Intrusion Detection System) • • Osiris (Host integrity Monitoring) • • Nagios (Availability Monitoring) • • OCS (Inventory)
Drupal Monitoring Assets • Watchdog: logdb/SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module: log collection, centralization, parsing, storage and search
Core Nagios Monitoring • Pending Drupal version update • Pending Drupal module updates • Unwritable 'files' directory • Pending updates to the database schema • Status of Cron • Number of published nodes. • Number of active users
Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Modulelog collection, centralization, parsing, storage and search
OSSIM
OSSIM, Nagios
LogStash, Kibana, Elasticsearch
Software Defined Defined Infrastructure • SDIM: Machine Configuration (Virtualization, Chef & Puppet), AWS, VMWare & OpenStack • SDN: Software Defined Networking • SDS: Software Defined Storage • Software Defined Drupal Security?
Configuration & Patch Management Security Content Automation Protocol (SCAP) • Specifications for Security Data (baselines, xccdf, oval) • Checklist Repository (USCGB) • NIST Validated Commercial tools • OpenSCAP • RH Satellite, Spacewalk
SCAP Workbench
Thank You!!! Comments, Questions, Criticism? http://drupal.jbsinternational.com mnescot@jbsinterntional.com

Recommandé

Mnescot cms security
Mnescot cms securityMnescot cms security
Mnescot cms securitymnescot
 
Drupal sec
Drupal secDrupal sec
Drupal secmnescot
 
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadWordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadRF Studio
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 

Recommandé

Mnescot cms security
Mnescot cms securityMnescot cms security
Mnescot cms securitymnescot
 
Drupal sec
Drupal secDrupal sec
Drupal secmnescot
 
WordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadWordPress Security - A Hacker's Guide - WordCamp 2019 Islamabad
WordPress Security - A Hacker's Guide - WordCamp 2019 IslamabadRF Studio
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Slides for the #JavaOne Session ID: CON11881
Slides for the #JavaOne Session ID: CON11881Masoud Kalali
 
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesBSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RSRudy De Busscher
 
Dark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyDark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyRuby Meditation
 
How Secure is Azure?
How Secure is Azure?How Secure is Azure?
How Secure is Azure?Lai Yoong Seng
 
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake OilLASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake OilDavid Ochel
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom PresentationAlert Logic
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASPIsuru Samaraweera
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014ColdFusionConference
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform VaultShrivatsa Upadhye
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad SahputraContent Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputraidsecconf
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
Open Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationOpen Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationChristopher Ensey
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 

Contenu connexe

Tendances

BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesBSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesJason Trost
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityMichael Coates
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Madhu Akula
 
Dark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyDark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyRuby Meditation
 
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake OilLASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake OilDavid Ochel
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom PresentationAlert Logic
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecturePrabath Siriwardena
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2Jim Manico
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shellMadhu Akula
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding PracticesOWASPKerala
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015tmd800
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad SahputraContent Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputraidsecconf
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 

Tendances (20)

BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware SandboxesBSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
BSidesNYC 2016 - An Adversarial View of SaaS Malware Sandboxes
 
Devbeat Conference - Developer First Security
Devbeat Conference - Developer First SecurityDevbeat Conference - Developer First Security
Devbeat Conference - Developer First Security
 
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
Modern Security Operations aka Secure DevOps @ All Day DevOps 2017
 
Secure JAX-RS
Secure JAX-RSSecure JAX-RS
Secure JAX-RS
 
Dark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander ObozinskiyDark Insight: the Basic of Security - Alexander Obozinskiy
Dark Insight: the Basic of Security - Alexander Obozinskiy
 
How Secure is Azure?
How Secure is Azure?How Secure is Azure?
How Secure is Azure?
 
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake OilLASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
LASCON 2014: Multi-Factor Authentication -- Weeding out the Snake Oil
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policy
 
Austin CSS Slalom Presentation
Austin CSS Slalom PresentationAustin CSS Slalom Presentation
Austin CSS Slalom Presentation
 
Deep dive into Java security architecture
Deep dive into Java security architectureDeep dive into Java security architecture
Deep dive into Java security architecture
 
Access Control Pitfalls v2
Access Control Pitfalls v2Access Control Pitfalls v2
Access Control Pitfalls v2
 
Node JS reverse shell
Node JS reverse shellNode JS reverse shell
Node JS reverse shell
 
Java Secure Coding Practices
Java Secure Coding PracticesJava Secure Coding Practices
Java Secure Coding Practices
 
Web security and OWASP
Web security and OWASPWeb security and OWASP
Web security and OWASP
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
Jenkins Terraform Vault
Jenkins Terraform VaultJenkins Terraform Vault
Jenkins Terraform Vault
 
State of OWASP 2015
State of OWASP 2015State of OWASP 2015
State of OWASP 2015
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad SahputraContent Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
Content Disarm Reconstruction and Cyber Kill Chain - Muhammad Sahputra
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 

Similaire à Drupal Security Controls and Monitoring with SCAP and SIEM

Open Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationOpen Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationChristopher Ensey
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHostway|HOSTING
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringTieu Luu
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)Sam Bowne
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security ManagementJonathan Coleman
 
Security Monitoring Course - Ali Ahangari
Security Monitoring Course - Ali AhangariSecurity Monitoring Course - Ali Ahangari
Security Monitoring Course - Ali AhangariAli Ahangari
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0Rasmi Swain
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadarPencilData
 
501 ch 8 risk management tools
501 ch 8 risk management tools501 ch 8 risk management tools
501 ch 8 risk management toolsgocybersec
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intrudersrajakhurram
 
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625pladott1
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectCloudPassage
 
CISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security LeadersCISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security LeadersNUS-ISS
 
Protecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and IntersetProtecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and IntersetPerforce
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Cloudera, Inc.
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultAlienVault
 

Similaire à Drupal Security Controls and Monitoring with SCAP and SIEM (20)

Open Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 PresentationOpen Source Incident Management - BSides DC 2017 Presentation
Open Source Incident Management - BSides DC 2017 Presentation
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
HIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best PracticesHIPAA 101 Compliance Threat Landscape & Best Practices
HIPAA 101 Compliance Threat Landscape & Best Practices
 
SuprTEK Continuous Monitoring
SuprTEK Continuous MonitoringSuprTEK Continuous Monitoring
SuprTEK Continuous Monitoring
 
CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)CNIT 160 4d Security Program Management (Part 4)
CNIT 160 4d Security Program Management (Part 4)
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
 
Security Monitoring Course - Ali Ahangari
Security Monitoring Course - Ali AhangariSecurity Monitoring Course - Ali Ahangari
Security Monitoring Course - Ali Ahangari
 
SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0SIEM enabled risk management , SOC and GRC v1.0
SIEM enabled risk management , SOC and GRC v1.0
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
501 ch 8 risk management tools
501 ch 8 risk management tools501 ch 8 risk management tools
501 ch 8 risk management tools
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
First 2015 szatmary-eric_defining-and-measuring-capability-maturity_20150625
 
Rethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure EffectRethinking Security: The Cloud Infrastructure Effect
Rethinking Security: The Cloud Infrastructure Effect
 
CISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security LeadersCISSP Preview - For the next generation of Security Leaders
CISSP Preview - For the next generation of Security Leaders
 
Protecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and IntersetProtecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and Interset
 
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
Delivering User Behavior Analytics at Apache Hadoop Scale : A new perspective...
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 

Dernier

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 

Dernier (20)

DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 

Drupal Security Controls and Monitoring with SCAP and SIEM

  • 1. Drupal Security Controls and Monitoring Mike Nescot, JBS International
  • 2. Drupal Security Controls and Monitoring Mike Nescot, JBS International http://drupal.jbsinternational.com
  • 4. Security Controls • FISMA Standard: SP-53 Rev 4
  • 5. SP800-53 Rev 4 Security Controls: 18 Families • Access Control • Awareness & Training • Audit & Accountability • Security Assessment & Authorization • Configuration Management • Contingency Planning • Identification & Authorization • Incident Response • Maintenance
  • 6. SP800-53 Rev 4 Security Controls: 18 Families (con.) • Media Protection • Physical and Environmental Protection • Planning • Personnel Security • Risk Assessment • System and Services Acquistion • System & Communications Protection • System & Information Integrity • Program Management
  • 7. SP800-53 Rev 4 Privacy Controls: 8 Families (FEA) • Authority & Purpose • Accountability, Audit, & Risk Management • Data Quality & Integrity • Data Minimization & Retention • Individual Participation & Redress • Security • Transparency • Use Limitation
  • 8. Anatomy of a Control • Account Management • Control count: from 198 to 267, or 600 to 850 • More tailoring guidance, overlays, focus on assurance controls, strategic, privacy
  • 9. SANS Top 20 • Inventory of Authorized and Unauthorized Devices • Inventory of Authorized and Unauthorized Software • Secure Configurations for Hardware & Software on Laptops, Workstations, & Servers • Continuous Vulnerability Assessment and Remediation • Malware Defense • Application Software Security • Wireless Device Control • Data Recovery Capability • Security Skills Assessment & Training • Secure Configurations for Firewalls, Routers, & Switches
  • 10. SANS Top 20 (cont) • Limitation & Control of Network Ports, Protocols, & Services • Controlled Use of Administrative Privileges • Boundary Defense • Maintenance, Monitoring, & Analysis of Audit Logs • Controlled Access Based on Need to Know • Account Monitoring & Control • Data Loss Prevention • Incident Response & Management • Secure Network Engineering • Penetration Testing & Team Exercises
  • 11. SANS Top 20 The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are: • Offense informs defense: Use knowledge of actual attacks for defense • Prioritization: Invest first in controls that will provide the greatest risk reduction and protection • Metrics: Establish common metrics to measure effectiveness • Continuous monitoring: Test and validate the effectiveness of current security measures. • Automation: Automate defenses, achieve reliable, scalable, and continuous measurements
  • 12. State of Required Security Controls • Newly updated: NIST SP-53 Rev 4 • SANS Top 20 Controls • Build it Right (SDLC), Continuous Monitoring • 2011: NIST SP 800-137
  • 13. Information Systems Continuous Monitoring (ISCM) • Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. • From compliance driven to data driven risk management
  • 14. Conventional • Hostile cyber attacks • Natural disaster • Structural failures • Human errors of omission or commission • Strong Foundation
  • 15. Advanced Persistent Threat • Significant expertise • Multiple attack vectors • Establishes footholds
  • 16. Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS) • Reference Architecture: Security Automation Standards • Data Sources • Data Collection • Data Storage & Analysis • Consumer Presentation • Decisions
  • 17. CAESARS Subsystems • Sensor (Assets, devices, servers, devices, appliances) • Database Sub (repository of configuration and inventory baselines) • Analysis/Scoring • Presentation (variety of views, query capabilities)
  • 18.
  • 19. CAESARS The end goal of CAESARS FE is to enable enterprise CM by presenting a technical reference model that allows organizations to aggregate collected data from across a diverse set of security tools, analyze that data, perform scoring, enable user queries, and provide overall situational awareness.
  • 20. Establish • Metrics: number and severity of vulnerabilities, unauthorized access attempts, contingency plan testing results, risk scores for configuration • Monitoring and assessment frequencies: volatility, impact levels, identified weaknesses, threat info, vulnerabilit info, assessment results, strategic reviews, reporting requirements
  • 21. Logging vs. Auditing vs. Monitoring • Logging: Collecting event records • Event: single occurance involinvg an attempted state chabge • Message: what a system does or generates in response to request or stimulus • Timestamp, source, data • Auditing: System is behaving as expected, compliance • Monitoring: Situational awareness • Log all you can, but alert on what you must respond (monitor as little as you need)
  • 22. Logging Formats and Standards • Syslog • XML (SCAP) • Relational Database • NoSQL Database (Hadoop, MongoDB) • Binary (Windows Event Log)
  • 23. NIST: Security Automation Domains • Vulnerability Management • Patch Management • Event Management • Incident Management • Malware Detection • Asset Management • Configuration Management • Network Management • License Mangement • Information Management • Software Assurnce
  • 24. Monitoring Targets: Objects System Boundary • Web Server Status • Database Server Status • Operating System • File system changes (HIDS) • Network Traffic • Network Devices (Firewalls, routers, switches) • Vulnerabilities • Drupal application(s)
  • 25. Monitoring Targets: Metrics • Adverse Events • Performance & Reliability • Configuration Compliance • Authorized devices and services • Vulnerabilities • Risk
  • 26. Minimize Monitoring • Cloud & virtualization • Integrate development, design, operations, acquisition • Centralized, Application-Centric View
  • 27. Integration: Continuous Continuum • Continuous Quality Improvement • Continuous Integration • Continuous Delivery • Continuous Design • Continuous Monitoring
  • 29.
  • 31.
  • 32. Security Monitoring Capability Levels • Centralized Logging • Infrastructure Monitoring • Security Information and Event Management (SIEM): Risk Assessment • Real-Time Intelligent Query
  • 33. Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructue: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module,log collection, centralization, parsing, storage and search
  • 34. Network & Infrastructure Monitoring (Nagios) • monitoring and alerting • servers • switches • applications • Services • Status: availability, load, physical condition
  • 35. Security Information and Event Management (SIEM) • Intrusion Detection • Anomaly Detection • Vulnerability Detection • Discovery, Learning and Network Profiling systems • Inventory systems Incident Reporting & Responese
  • 36. Open Source Security Information Management (OSSIM) • Asset Discovery • Vulnerability Assessment • Threat Detection • Behavioral Monitoring • Security Intelligence
  • 37. OSSIM Components • Snort (Network Intrusion Detection System) • • Ntop (Network and usage Monitor) • • OpenVAS (Vulnerability Scanning) • • P0f (Passive operative system detection) fingerprint OS • • Pads (Passive Asset Detection System) complements SNORT with context • • Arpwatch (Ethernet/Ip address parings monitor) • • OSSEC (Host Intrusion Detection System) • • Osiris (Host integrity Monitoring) • • Nagios (Availability Monitoring) • • OCS (Inventory)
  • 38. Drupal Monitoring Assets • Watchdog: logdb/SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Module: log collection, centralization, parsing, storage and search
  • 39.
  • 40. Core Nagios Monitoring • Pending Drupal version update • Pending Drupal module updates • Unwritable 'files' directory • Pending updates to the database schema • Status of Cron • Number of published nodes. • Number of active users
  • 41.
  • 42. Drupal Monitoring Assets • Watchdog: SQL, MongoDB or Syslog • Infrastructure: Nagios Module/Plugin Infrastructure Monitoring – Production Check/Monitor • SIEM: OSSIM Plugin (Watchdog) SIEM • Search Enhancements: Logstash Modulelog collection, centralization, parsing, storage and search
  • 43. OSSIM
  • 46.
  • 47. Software Defined Defined Infrastructure • SDIM: Machine Configuration (Virtualization, Chef & Puppet), AWS, VMWare & OpenStack • SDN: Software Defined Networking • SDS: Software Defined Storage • Software Defined Drupal Security?
  • 48.
  • 49. Configuration & Patch Management Security Content Automation Protocol (SCAP) • Specifications for Security Data (baselines, xccdf, oval) • Checklist Repository (USCGB) • NIST Validated Commercial tools • OpenSCAP • RH Satellite, Spacewalk
  • 51. Thank You!!! Comments, Questions, Criticism? http://drupal.jbsinternational.com mnescot@jbsinterntional.com