
Uploaded by heatherax, posted 24-Jun-2015


Page 1: Business Productivity and Automated Security Controls

Optimizing Business Productivity Through Automated Security Controls

Heather Axworthy

Network Security Engineer

[email protected]

© 2010 Heather L. Axworthy

Page 2

Bio

Ten Years' Experience In Networks And Security

Secured Many Sensitive And Strategic Networks For Fortune 50 Companies

Sr. Security Engineer

Worked On Multiple IDS/IPS And Security Platforms

Really Good Cook, Tried Flying A Helicopter, And Love To Hike

Blog: http://chickbits.blogspot.com

LinkedIn: http://www.linkedin.com/in/heatheraxworthy

Twitter: Haxworthy

Global Financial Services, Managed Security Services, B2C Retailer, B2B Start-up, Large University

Page 3

Agenda


1. Security Continuum

2. Where To Respond To A Threat?

3. Single Security-Strategy Risks

4. Protection & Costs

5. Deployment Considerations

6. Recommendations To Your Clients

7. What Is IPS?

8. Architecture And Deployment

9. Event Monitoring/Tuning

10. Ensuring Success

Page 4

Security Continuum

Prevention: IPS
Detection: IDS & Desktop
Response: People

Page 5

Security Continuum

Human Analogy vs. Security Appliances

PREVENTION
  Skin: Openings (Eyes, Nose, Mouth, Ears, Cuts, Etc.)
  Firewall: Open Ports (25, 80, 110, 443, etc.)

DETECTION
  Immune System: Detects Organic Viruses
  Intrusion Detection Systems (IDS): Watches Network Traffic – Alerts I.T. Staff

RESPONSE
  Antibodies: Mitigates & Eliminates An Organic Virus
  Security Incident And Event Management (SIEM): Automates Threat Responses. Significant Human Effort Is Still Required

Page 6

Security Assets

Equipment: Firewall, IPS, IDS, Log Monitoring
Processes: Change Management, Vulnerability Management, Incident Response
People: IT Resources, User Awareness Training

Page 7

Composition of Threat Response

[Chart: Composition Of Threat Response, Labelled "Internet Traffic"; Only The Label Survived Extraction]

Page 8

Composition of Threat Response: Computers, IT, and Users

Security Involves Variable Human Interaction.

Perimeter Security Blocks Malicious Traffic From Entering The Network.

– IPS Provides Active Blocking & Minimizes User Involvement, Reducing Response Urgency

– I.T. Employees Are Involved With Deployment And Maintenance

Intrusion Detection (IDS) Alerts I.T. To Malicious Traffic But Does Not Prevent It From Penetrating The Network.

– IDS Requires Higher I.T. Employee Interaction To React To Alerts.

Desktop Security Controls Involve The Highest Participation From Users.

Page 9

Single Security-Strategy Risks

Page 10

Single Security Strategy

Organizations Often Decide To Deploy Only One Security Technology

– Different Security Methods Are Not Equal – Each Provides A Different Level Of Protection

If You Deploy One Technology, It’s Best To Have A Proactive Technology Like IPS At The Perimeter.

– IPS Reduces The Amount Of Malicious Traffic That Gets To The End User

– Employees See Fewer Alerts – More Time To Focus On The Business

Previous Chart Illustrates Risk Levels For Deploying Only One Security Technology.

– For Example, Deploying Only Desktop Security Technologies Results In The Highest Risk Because The Threat Has Already Entered Your Network

User-Centric Measures Are Inconsistent Because Users Do Not Do The Same Thing Every Time.

Page 11

Protection & Equipment Costs

Page 12

Protection & Equipment Costs

IPS Technologies Are Proactive
– Higher Initial Cost
– Higher Level Of Protection

IDS Technologies Are Reactive
– Lower Initial Cost
– Many Tools Are Open Source
– Majority Of The Cost Is Hardware
– Protection Level Is Lower: IDS Only Alerts I.T. To Malicious Traffic, And I.T. Must Spend Large Amounts Of Time Investigating, Which Can Incur Extra Costs For Additional Response Training.

Desktop Security Is Reactive
– Quantity Of Desktops Drives Costs
– Relatively Inexpensive SW
– User-Training Costs Must Be Considered

Page 13

Deployment Considerations

[Chart: Deployment Criteria; Only The Fragments "criteria" And "partial" Survived Extraction]

Page 14

Recommendation To Your Clients

IPS… IDS… Desktop SW… Security Awareness Training… Log Management & Monitoring… ????


Keep The Threats Out!

Page 15

What is IPS?

IPS = Intrusion Prevention System/Service.

Designed To Be Deployed Inline.

Proactive Approach To Traffic Monitoring.

Preventing The Attack Packet From Penetrating Your Network.

Page 16

Architecture

Capacity Planning – The Biggest Mistake Is Purchasing Hardware That Is Too "Small" For Your Network.

Look At The Traffic Load Of The Segments You Want To Monitor. If The Segments (VLANs) You Want To Monitor Each Register Bandwidth In Excess Of 100MB, A Small 400MB Device Is Not Large Enough.

Most Devices Have A Maximum Throughput Which Is Often An Aggregate Of All Interfaces On The Device.
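As an added example (not code from the original slides), the following checks a candidate appliance's rated throughput against the aggregate load of the segments it will monitor; the device tiers, VLAN loads and the inline double-counting rule are assumptions, with units in Mbps.

```python
# Added example (not from the original slides): checking whether an IPS appliance's
# rated throughput covers the segments it will monitor. Units are Mbps. The rule
# that an inline device counts each segment's traffic on both of its interfaces
# against an aggregate-of-all-interfaces rating is an assumption, labelled below.

def required_throughput_mbps(segments_mbps, inline=True, headroom=0.25):
    """Throughput needed for the given per-segment peak loads (name -> Mbps).

    inline:   an inline device forwards every packet in one interface and out
              another, so (assumption) a segment's load counts twice against a
              rating that aggregates all interfaces; a passive SPAN/tap
              deployment counts it once.
    headroom: spare fraction kept for growth and bursts.
    """
    aggregate = sum(segments_mbps.values())
    if inline:
        aggregate *= 2
    return aggregate * (1 + headroom)


def size_device(segments_mbps, device_rating_mbps, inline=True, headroom=0.25):
    """Verdict for one candidate device: required load, rating and whether it fits."""
    need = required_throughput_mbps(segments_mbps, inline, headroom)
    return {
        "required_mbps": need,
        "device_mbps": device_rating_mbps,
        "utilisation": round(need / device_rating_mbps, 2),
        "adequate": need <= device_rating_mbps,
    }


def smallest_adequate(segments_mbps, device_ratings_mbps, inline=True, headroom=0.25):
    """Smallest rating in device_ratings_mbps that fits, or None if none does."""
    for rating in sorted(device_ratings_mbps):
        if size_device(segments_mbps, rating, inline, headroom)["adequate"]:
            return rating
    return None


# Constructed sample: four VLANs each peaking above 100 Mbps, matching the slide's
# warning that a small 400 Mbps device is not large enough for such segments.
SAMPLE_SEGMENTS = {"vlan10-users": 120, "vlan20-servers": 150,
                   "vlan30-dmz": 110, "vlan40-voice": 105}
CANDIDATE_DEVICES = [400, 1000, 2000, 5000]  # assumed product tiers, Mbps

if __name__ == "__main__":
    print(size_device(SAMPLE_SEGMENTS, 400))
    print("smallest adequate:", smallest_adequate(SAMPLE_SEGMENTS, CANDIDATE_DEVICES))
```

With the sample loads the 400 Mbps device runs at roughly three times its rating once inline double-counting and headroom are applied, so the next fitting tier is 2000 Mbps.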

Page 17

Deployment

Page 18

Event Monitoring/Tuning

My Device Is In Place, What Do I Do Next?

Tuning – The Time Period When You Look At Your Events And Weed Out Any False Positives And Modify Signatures.

Best Practice Is At Least 30 Days Of Looking At Traffic On A Daily Basis.

This Will Enable You To Filter Out Signatures That Are “Noisy” And See Events That Show Valid Attacks.

Once The Tuning Period Is Over, Put The Device Into Blocking ("IPS") Mode.
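As an added example (not code from the original slides), the following triages the events gathered during the tuning period, separating signatures that look like false positives from ones that merit investigation, and checks the 30-day rule of thumb; the event format, internal address ranges, thresholds and the heuristic are constructed assumptions, not any vendor's tuning method.

```python
# Added example (not from the original slides): triaging the events captured during
# the tuning period so noisy signatures are tuned out before blocking mode. The event
# format, thresholds and heuristic are constructed assumptions for illustration.
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def triage(events, min_hits=50, max_sources=3):
    """Classify each signature in (sid, src, dst, day) events:
    candidate-false-positive: many hits, few internal sources, internal targets,
        every day of the window (a legitimate internal tool tripping a signature);
    investigate: any external source or many sources; keep: everything else."""
    by_sid = defaultdict(list)
    for sid, src, dst, day in events:
        by_sid[sid].append((src, dst, day))
    days_total = len({day for *_, day in events})
    verdicts = {}
    for sid, hits in by_sid.items():
        sources = {src for src, _, _ in hits}
        external = any(not is_internal(src) for src in sources)
        internal_dst = all(is_internal(dst) for _, dst, _ in hits)
        days_seen = len({day for _, _, day in hits})
        if external or len(sources) > max_sources:
            verdict = "investigate"
        elif len(hits) >= min_hits and internal_dst and days_seen == days_total:
            verdict = "candidate-false-positive"
        else:
            verdict = "keep"
        verdicts[sid] = {"hits": len(hits), "sources": len(sources),
                         "days": days_seen, "verdict": verdict}
    return verdicts

def tuning_complete(events, required_days=30):
    """The slides' rule of thumb: at least 30 distinct days of events reviewed."""
    return len({day for *_, day in events}) >= required_days

def sample_events(days=30):
    """Constructed log: a noisy internal poller, one external probe, one stray hit."""
    events = []
    for d in range(1, days + 1):
        events += [("SID-2001", "10.1.1.5", "10.1.2.10", f"2010-03-{d:02d}")] * 5
    events.append(("SID-3002", "203.0.113.7", "10.1.2.20", "2010-03-04"))
    events.append(("SID-3002", "203.0.113.7", "10.1.2.20", "2010-03-05"))
    events.append(("SID-1003", "10.1.3.3", "10.1.2.30", "2010-03-12"))
    return events
```

A "candidate-false-positive" verdict is a prompt to confirm the traffic with its owner before disabling or narrowing the signature, not an automatic suppression.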

Page 19

Ensuring Success

Company Buy-in, From Top Executive Management To End User. IPS Will Make “Us” More Secure.

Staffing Levels – Proper Staffing Must Be In Place To Support The IPS Device(s) And The Monitoring Of Events On A Daily Basis.

If The IPS Device Stops One Botnet Outbreak, Or A SQL Injection Attack, It Has Paid For Itself!

Page 20

Q & A

Heather Axworthy

Network Security Engineer

[email protected]
