xianshield

Presentation on how to prevent gaps in your security monitoring infrastructure. This was presented with Dave Schwartzburg at Triangle InfoSecCon and has been submitted for acceptance to FIRST 2009 in Kyoto, Japan.

Security events such as user activity logs, network intrusion detection system (NIDS) alerts, server logs, and network device records are indispensable footprints that allow security investigators to trace activity and monitor problems. Without reliable event sources, monitoring is a futile exercise-there is no way to discern between the lack of activity and unrecorded activity. Security professionals must monitor interruptions in event sources to help ensure reliable and accurate metrics, preserve investigative integrity, and provide assurance that attackers cannot hide in event gaps.

This presentation details how the Cisco Computer Security Incident Response Team (CSIRT) uses open-source tools to improve integrity in its security monitoring. It introduces tools and processes to keep security events continually recorded, including how to maintain proper device configurations, how to maintain agreements with support staff, and how to monitor event feeds for gaps.

This presentation discusses techniques for building a successful computer security monitoring system.  In this preso, Cisco CSIRT engineers describe their approach, topology, challenges, and lessons learned in the process. This highly practical session illustrates security monitoring with Cisco Intrusion Prevention System (IPS) version 5 and 6, Cisco Security Monitoring, Analysis and Response (MARS) solution version 4, Netflow v7, and syslog. Cisco CSIRT engineers describe how the global solution was deployed, tuned, and lessons learned.