E hi l HHacking
ki and
d
Countermeasures
V i 6
Version
Module LXVI
Security Convergence
Module Objective
Security Convergence
Challenges on Security Convergence
RAMCAP
Open Security Exchange (OSE)
Enterprise Security Management (ESM)
Log Collection
Event Storage
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Flow
Enterprise Security
Management (ESM)
Challenges on Security
Convergence
g
Log Collection
RAMCAP
Event Storage
g
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Security Convergence
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Challenges Confronting an Effective
Securityy Convergence
g Policyy
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Benefits of Using Risk Management in
Planningg IT Securityy Administration
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
RAMCAP
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Open Security Exchange (OSE)
IInformation
f ti security
it mission
i i d development
l t
Information security office governance
Information security policy development and management
I f
Information
i security
i training
i i and d awareness ddevelopment
l
Information security project portfolio development
Supervision/management of ethical hackers and chief
h k officer
hacker ffi
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Elements of Building Secure
Operations
Elements of fully secured enterprise
operations include:
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Enterprise Security Management
(ESM)
Enterprise
e p se Secu
Securityy Management
a age e ((ESM)S ) iss a ge
general
e a term
e that
a has
as
been applied to security event monitoring and analysis solutions
EEM EEnterprise
t i EEventt M
Managementt
SIM Security Information Management
SEM Security Event Management
SIEM Security Information and Event Management
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
ESM Deployment Strategies
To move logs from point devices to the ESM manager, deploy log
connectors at any natural aggregation points,
points such as device
managers
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Convergence of Network Operations
and Security Operations
Network operation centers (NOCs) and Security operation centers
(SOC ) are more ffocused
(SOCs) d on business
b i iimpactt th
than h
hardware
d and
d
software impact
Separation
S ti off duties
d ti and d checks
h k anddbbalances
l are iimportant
t t concepts
t
to maintain when any groups converge
The NOC is
Th i concernedd with
ith keeping
k i thi
things moving
i efficiently
ffi i tl andd th
the
SOC is concerned with security, rendered through analysis within the
ESM
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Log Collection
ESM solution needs to be able to process the raw log data and turn it
into actionable information
Normalizing the data makes analysis and reporting much easier when
multiple log formats are in use
Log parsing is the process of extracting data from a log so that the
parsed values can be used as input
p p for another logging
gg g pprocess
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Log Severity
E h log
Each l source may h
have a unique
i severity
it llevell assigned
i d tto it
The severity of what the point device discovered correlated with other
logs, asset information, business relevance, and other factors can
yield an overall priority score within most ESMs
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Log Time Correction
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Log Categorization
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Event Storage
For data
d management, b backups,
k anddddata restoration,
i many ESM solutions
l i
divide the stored events into logical segments
Regardless
R dl off th
the data
d t bbeing
i stored
t d offline
ffli or online,
li ESM
ESMs utilizes
tili
compression and indexing techniques to save space and reduce search times
respectively
ESMs feature hashing of the database partitions to ensure that a tape loaded
from several years ago has content that matches what was backed up
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Discovering and
Interacting with Patterns
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Discovering and Interacting with
Patterns: Data Sources
To detect
T d t t ffraudulent
d l t activity
ti it andd anomalies
li iin users
bbehavior,
h i you
need to analyze more than just intrusion detection system data
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Intelligent Platform Management
Interface (IPMI) Standard
Packet format
Other communication mechanisms
Sensor codes
How to retrieve information
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Summary
Copyright by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited