Book details
-
Chris Fry
-
2009
-
English
-
1531
-
292
-
0
Security Monitoring
1. Getting Started 1
A Rapidly Changing Threat Landscape 3
Failure of Antivirus Software 4
Why Monitor? 5
The Miscreant Economy and Organized Crime 6
Insider Threats 6
Challenges to Monitoring 7
Vendor Promises 7
Operational Realities 7
Volume 8
Privacy Concerns 8
Outsourcing Your Security Monitoring 8
Monitoring to Minimize Risk 9
Policy-Based Monitoring 9
Why Should This Work for You? 9
Open Source Versus Commercial Products 9
Introducing Blanco Wireless 10
2. Implement Policies for Monitoring 11
Blacklist Monitoring 12
Anomaly Monitoring 16
Policy Monitoring 16
Monitoring Against Defined Policies 17
Management Enforcement 18
Types of Policies 18
Regulatory Compliance Policies 19
Employee Policies 24
Policies for Blanco Wireless 28
Policies 29
Implementing Monitoring Based on Policies 30
3. Know Your Network 33
Network Taxonomy 33
Network Type Classification 34
IP Address Management Data 37
Network Telemetry 40
NetFlow 40
SNMP 55
Routing and Network Topologies 56
The Blanco Wireless Network 57
IP Address Assignment 57
NetFlow Collection 57
Routing Information 58
Conclusion 58
4. Select Targets for Monitoring 61
Methods for Selecting Targets 62
Business Impact Analysis 63
Revenue Impact Analysis 64
Expense Impact Analysis 64
Legal Requirements 65
Sensitivity Profile 67
Risk Profile 69
Visibility Profile 74
Practical Considerations for Selecting Targets 75
Recommended Monitoring Targets 77
Choosing Components Within Monitoring Targets 78
Example: ERP System 78
Gathering Component Details for Event Feeds 79
Blanco Wireless: Selecting Targets for Monitoring 81
Components to Monitor 82
Conclusion 83
5. Choose Event Sources 85
Event Source Purpose 85
Event Collection Methods 87
Event Collection Impact 89
Choosing Event Sources for Blanco Wireless 99
Conclusion 100
6. Feed and Tune 101
Network Intrusion Detection Systems 101
Packet Analysis and Alerting 102
Network Intrusion Prevention Systems 102
Intrusion Detection or Intrusion Prevention? 103
NIDS Deployment Framework 108
Analyze 108
Design 110
Deploy 114
Tune and Manage 116
System Logging 121
Key Syslog Events 124
Syslog Templates 126
Key Windows Log Events 127
Application Logging 132
Database Logging 133
Collecting Syslog 136
NetFlow 139
OSU flow-tools NetFlow Capture Filtering 141
OSU flow-tools flow-fanout 142
Blanco’s Security Alert Sources 143
NIDS 143
Syslog 145
Apache Logs 145
Database Logs 146
Antivirus and HIDS Logs 146
Network Device Logs 146
NetFlow 146
Conclusion 146
7. Maintain Dependable Event Sources 147
Maintain Device Configurations 149
Create Service Level Agreements 149
Back It Up with Policy 150
SLA Sections 151
Automated Configuration Management 152
Monitor the Monitors 153
Monitor System Health 154
Monitor the NIDS 155
Monitor Network Flow Collection 157
Monitor Event Log Collectors 161
Monitor Databases 164
Monitor Oracle 164
Monitor MySQL Servers 166
Automated System Monitoring 167