Comments on TaoSecurity Blog: Network Security Monitoring Case Study
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Feed last updated: 2023-10-16 06:06 -04:00

Anonymous, 2009-06-16 06:47 -04:00:
This comment has been removed by a blog administrator.

Anonymous, 2007-07-17 09:50 -04:00:
Show him what you see. I wouldn't expect a C-level executive to understand a firewall log or Snort alert, but if you showed him something simpler, say your FTP logs with their multitudinous logon attempts, _that_ is something they will understand. Hopefully something like that will give them an idea of what you're up against.

Jason Wood (https://www.blogger.com/profile/01154638200146139984), 2007-07-12 03:35 -04:00:
Very good post and comments. I'm in much the same position as Richard's friend. I've got to convince management that it's not enough to slap together a security measure and then check off the audit item. The systems need ongoing monitoring, follow-up and adjustment to make them effective. The comments in here have given me some things to think about and, better yet, ideas on how to strengthen my case to management. Thanks to everyone for their thoughts.

Jason

Ayman Galal (https://www.blogger.com/profile/04547298315949282932), 2007-07-11 17:43 -04:00:
This is a common problem with all small and mid-size companies: they misestimate the business priorities.
He said the business has other priorities for the IT teams. To convince the management of how important monitoring is, you have to show them the relation between having a monitoring system and their business objectives.

John Rodenbiker's comment is worth attention. Risk management is important, especially when you are speaking with 'C' level. Most mid-size companies always look at IT Security Management (which includes monitoring and reviewing) as unnecessary in the current state, but in the future they may consider it.

To convince them, talk from their business perspective and prepare answers to their expected questions.

I agree that IT security is a business enabler, but also that it leads to ROI. Why do we implement a security system? We do it for the CIA triad, which means increasing your business process availability, which leads to indirect ROI.

Kind regards,

Ayman M. Galal

Anonymous, 2007-07-11 16:28 -04:00:
Interesting presentation, Roland.

Cisco referencing QRadar's statistical and behaviour-based anomaly detection. Cisco seriously lacks presence in this space.

Anonymous, 2007-07-11 16:07 -04:00:
Funny, somewhere around the world someone wrote a letter I could've written some time ago...

Well, to answer your question, I did what you proposed. I delivered quick wins, closed holes, buried some mistakes of other people too... but I guess what got me the farthest was extended paperwork.

Once I realized our management didn't understand the technical problems and their implications, I played it in a way they understood: every time I wanted something I delivered a whole bunch of alternatives (sometimes a real phalanx); that way they realized they could rely on my judgment, because I obviously thought it through.
It cost me much time I'd have liked to spend on more productive things, but I get more and more feedback saying I did good in talking their language.
...oh, and one side effect was also very nice: since I emphasized the elaboration of alternatives that much, my colleagues learnt not to bother me with ill-conceived stuff but are recollecting on efficient work.

Good luck

yoshi (https://www.blogger.com/profile/00081974018229308110), 2007-07-11 14:39 -04:00:
This guy is in the exact same position that I was in in my last full-time position. My advice: look for a pain point that monitoring will help resolve and sell it as a way to resolve that pain point.

In my last full-time gig there were two pain points:

1. The company was DoSing itself from internally infected machines, causing resource outages which disrupted manufacturing, which cost the company money.

2. Employee infractions (porn) in one of our foreign manufacturing plants causing issues with local law enforcement.

After putting in the basic infrastructure to resolve those two issues I was able to gather additional metrics and show management the benefits of having the tools in place.

Gather allies and get them to spread the same message.

And lastly, keep a journal. When it comes time to renew the support contract you can show your management what your infrastructure has done for the company.

Anonymous (John Rodenbiker, CISA), 2007-07-11 10:39 -04:00:
"It's important to remember that there is no return on security investment."

That's true and is definitely the wrong way to determine the value of risk mitigation.

The proper way is to compare replacement cost to prevention cost and probability of loss.

The best way to convince management, especially executive management, to do anything related to risk mitigation is with a risk assessment. The risk assessment process defines the value of the assets in question, the risk factor posed to the assets (that is, the probability of loss), and the cost of mitigation.

I've come to this knowledge via my experience consulting to community banks in the Upper Great Plains of the USA.

The executive management of these firms are notoriously stingy and conservative. Most are still old men who don't "get" technology. The younger ones who "get" technology don't necessarily "get" that new risk goes hand-in-hand with new services.

It was a chore convincing these people that there is value in securing the company's assets beyond simply being in compliance with Federal regulations.

The tool I have found that works best is the risk assessment.

For those not in the know, the essence of a risk assessment:
1. Inventory the assets within a given scope.
2. Assign a priority/value rating to the assets.
3. Identify the risks (threats and vulnerabilities) posed to those assets.
4. Assign a risk rating to the risks.
5. For each asset and risk pair, determine the combined, unmitigated risk (as if you were doing nothing to prevent the risk). This is a function of asset rating and risk rating.
6. Now inventory the actual mitigating factors you have in place for each asset and risk pair.
7. Finally, for each asset and risk pair assign a final risk rating that is a function of the unmitigated risk rating and the mitigating controls currently in place.

At the end of this process you have a tool that will help you plan what you need to do in your organization as well as a tool that can convince management that action needs to be taken.

I'll leave applying the risk assessment process to the example as an exercise for the reader since this comment is long enough already.

Two final things I want to address:
1. "I personally plan to do exactly what my friend did, namely starting with existing assets and showing quick wins to build momentum for more extensive visibility initiatives."

The "quick wins" strategy is a great short-term strategy when you've just started a new job. It can strengthen your reputation and credibility.

I just started a new job in February where there previously wasn't a strong centralized security focus. By quickly cleaning up outstanding issues from an independent pen test, encrypting all laptop hard drives, and reviewing and updating infosec policies I've established credibility to start getting more invasive and expensive in the next budget cycle.

It isn't a good long-term strategy because it usually turns into management by belief if you aren't very careful to establish the risk assessment process as the basis and justification for your efforts.

2. "I used convincing by fear."

This is a terrible strategy because eventually management will get sick and tired of it. They may just stop listening, which makes you very ineffective, or they may replace the squeaky wheel, which makes you unemployed.

Anyone who is currently using this strategy (and it is very, very common amongst infosec professionals) needs to start using the risk assessment process ASAP. It provides the tool necessary to give you visibility of what needs to be done and to convince management.

Feel free to contact me to learn more about the risk assessment process.
--
John Rodenbiker, CISA
jrodenbiker@rodenbiker.net

Anonymous (Adam), 2007-07-11 09:25 -04:00:
I suggest you get into what Richard has stated many times, which is that prevention eventually fails. Go into detail as to why, such as what I would consider the top 3 reasons why prevention eventually fails.

1. Complexity - Computer networks, and particularly the Internet, are probably the largest and most complex thing man has made. The more complex something is, the less secure.

2. Connectivity - Every time you connect to the Internet you are usually just milliseconds away from every adversary around the world, and it's just a matter of minutes before you start getting attacked. You also have to deal with the defender's dilemma, where the bad guys only have to find and exploit one vulnerability, yet you have to find and fix them all.

3. People - The end users responsible for the security of the network aren't aware of the threats they face, making it impossible for them to defend against them.

Most of the people, products, and procedures in security focus on prevention, but prevention eventually fails, so it's important to have something to fall back on. The saying "prevention is ideal, detection is a must" is true. Incidents are a lot like fires in that the quicker you detect and respond to an incident, the less damage there will be, so early detection can actually be prevention.

Hope that helps.
- Adam

Unknown (https://www.blogger.com/profile/03305790516383746613), 2007-07-11 07:31 -04:00:
As sad as it sounds, at my previous employer, where I was employed as a network/security engineer, I used convincing by fear. I would cull some logs from the firewall of things getting through, print out a couple of CVE and vulnerability announcements, and show them to management: "If we don't plug X hole, because it is showing Y information to an external hacker, potentially causing Z effect, we are going to get hacked, if it hasn't happened already."

Normally I would receive a "do whatever it takes to plug the hole, and bring me an expense report" response because I was lucky enough to come to the table with enough information to show the whole train of attack, from external to internal.

I think if you go to management with enough information, in language they can understand, it's going to gain more traction than a general 'the sky is falling, give me money' attitude. With the advent of open source tools, you can also bolster your position by saying how little it is going to cost the company.

Roland Dobbins (https://www.blogger.com/profile/06517186494484977438), 2007-07-11 03:01 -04:00:
One must have visibility into one's network traffic in order to exert control of one's network. I've a presentation on this subject here: http://homepage.mac.com/roland.dobbins/FileSharing5.html