After a serious IT security incident is discovered, the priority is to shut it down and recover quickly in a cost-effective manner. However, management will want to find the root of the problem so that they have a place to point the finger, but this is often easier said than done.
Security incidents require a time- and labor-intensive investigation to uncover cybercrime techniques and sift through massive amounts of data. Incidents that involve a privileged account prove to be even more challenging, as authorized insiders or external hackers who have hijacked credentials can modify or delete logs to cover their tracks.
Sophisticated and well-funded cyber criminals often target privileged accounts because they hold the keys to the kingdom, allowing criminals to steal data on a massive scale, disrupt critical infrastructure and install malware. Under the guise of privileged users, attackers can lurk within systems for months, gaining more and more information and escalating their privileges before they are even discovered.
In addition to deliberate attacks, human error is also a factor to consider during an investigation. For example, an inexperienced administrator may have accidentally misconfigured a core firewall, turning a quick resolution into an overwhelming investigation. IT staff members often use shared accounts such as “administrator” or “root”, making it extremely difficult to determine exactly who did what. With this degree of uncertainty, it is easy to start the blame game between parties.
One way to simultaneously combat the threat of external hackers and human error is to collect relevant and reliable data on privileged user sessions. This allows investigators to easily reconstruct user sessions and can reduce both the time and cost of investigations.
In addition to user session monitoring and management, having an incident management process in place will be critical to ensure quick and effective identification of a threat source.
The Incident Management Process
To identify an incident and respond quickly, organizations need to develop a multi-step management process that they can consistently rely on. For starters, NIST and the CERT/CC have each outlined a step-by-step incident management process, as has ISO 27002. These encourage a consistent approach, especially for organizations under strict compliance regulations. Businesses are expected to regularly define, and in the case of a security event execute, an incident response procedure. They must establish that they are capable of taking action when critical assets are endangered.
The CERT/CC concept has four components. First, an incident is reported or otherwise detected (detection component). Second, the incident is assessed, categorized, prioritized and queued for action (triage component). Third, the incident is researched to determine what has occurred and who is affected (analysis component). Finally, specific actions are taken to resolve the incident (incident response component). Essentially, organizations need to find a process like this that they can implement and reference in the case of a security breach.
Identifying and Acquiring Data Sources
Deep investigations require organizations to first identify and then collect the data in question. This is the first step in any forensic process. Data sources may include security logs, operations logs and remote access logs that have been created on servers. They can also span client machines, operating systems, databases, and network and security devices. Investigations that involve privileged accounts could also include session recordings, or playable audit trails that can be critical in uncovering what has happened.
Once the data is in sight, the analyst must then acquire it. Some log management tools will centrally collect, filter, normalize and store log data from a wide range of sources to simplify the process. For cases involving privilege misuse, data must also be collected from privileged session recordings.
With all the data in hand, it must then be verified to ensure its integrity. This might include protecting against tampering through the use of encrypted, time-stamped and digitally signed data.
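As an added illustration (not from the original article) of tamper-evident collection, the following Python keeps each collected record chained to its predecessor with a keyed HMAC, so that an insider editing or deleting an entry is detectable at verification time; the key, record texts and timestamps are constructed for the example.

```python
import hmac
import hashlib

# Constructed example key. In a real deployment the key lives in an HSM or KMS
# that the collecting host cannot read, otherwise a privileged user could re-sign.
SIGNING_KEY = b"example-key-for-demo-only"


def sign_record(prev_tag: str, ts: str, msg: str) -> str:
    """HMAC over the previous tag plus this record, so each entry depends on its predecessor."""
    data = f"{prev_tag}|{ts}|{msg}".encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def append_record(chain: list, msg: str, ts: str) -> dict:
    """Append a time-stamped record whose tag is chained to the last record in the list."""
    prev_tag = chain[-1]["tag"] if chain else "GENESIS"
    rec = {"ts": ts, "msg": msg, "tag": sign_record(prev_tag, ts, msg)}
    chain.append(rec)
    return rec


def verify_chain(chain: list) -> int:
    """Return the index of the first record that fails verification, or -1 if intact.

    A modified record breaks its own tag; a deleted record breaks the tag of the
    record that followed it, because that tag was computed over the missing entry."""
    prev_tag = "GENESIS"
    for i, rec in enumerate(chain):
        expected = sign_record(prev_tag, rec["ts"], rec["msg"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev_tag = rec["tag"]
    return -1


def build_sample_chain() -> list:
    """Constructed session-audit records for one privileged session (sample data)."""
    chain: list = []
    append_record(chain, "session 41: root@db01 login via gateway as j.doe", "2024-03-01T09:00:00Z")
    append_record(chain, "session 41: iptables -F", "2024-03-01T09:02:10Z")
    append_record(chain, "session 41: logout", "2024-03-01T09:05:00Z")
    return chain
```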
Examination and Analysis
During an investigation, each piece of data must be closely examined in order to extract relevant information. By combining log data with session recording metadata, the examination of privileged account incidents can be expedited dramatically.
Once the most critical information has been extracted, the analysis process begins. Through machine learning, organizations can analyze privileged user behavior and detect when behavior falls outside their normal operating parameters. When combined with replayable audit trails showing logins, commands, windows or text entered from any session, this can provide a full picture of the suspicious activity. With all of these elements, analysts can create a full timeline of events for the reporting phase.
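The following added example (not part of the original article) shows the correlation described above on constructed data: host-side log lines for the shared root account are joined to privileged-access gateway session metadata by host and time window, yielding an attributed timeline and flagging privileged actions that occurred outside any recorded session.

```python
from datetime import datetime

# Constructed gateway metadata: who authenticated personally, which host they reached, and when.
SESSIONS = [
    {"id": 41, "person": "j.doe", "target": "db01",
     "start": "2024-03-01T09:00:00Z", "end": "2024-03-01T09:05:00Z"},
    {"id": 42, "person": "a.khan", "target": "db01",
     "start": "2024-03-01T09:30:00Z", "end": "2024-03-01T09:45:00Z"},
]

# Constructed host-side log lines. The account is the shared "root", so alone they name nobody.
LOG_LINES = [
    "2024-03-01T09:02:10Z db01 root COMMAND=/sbin/iptables -F",
    "2024-03-01T09:31:05Z db01 root COMMAND=/usr/bin/tar czf /tmp/x.tgz /var/lib/pgsql",
    "2024-03-01T10:10:00Z db01 root COMMAND=/usr/bin/systemctl stop auditd",
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def attribute(log_lines: list, sessions: list) -> list:
    """Join each shared-account log event to the gateway session covering that host and time."""
    timeline = []
    for line in log_lines:
        ts, host, account, msg = line.split(" ", 3)
        when = parse_ts(ts)
        who = "UNATTRIBUTED"
        for s in sessions:
            if s["target"] == host and parse_ts(s["start"]) <= when <= parse_ts(s["end"]):
                who = f'{s["person"]} (session {s["id"]})'
                break
        timeline.append({"ts": ts, "host": host, "account": account, "person": who, "msg": msg})
    return timeline


def unattributed(timeline: list) -> list:
    """Privileged actions with no recorded session: a monitoring gap the investigation must explain."""
    return [e for e in timeline if e["person"] == "UNATTRIBUTED"]
```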
Reporting and Resolution
Once all of the data is analyzed, the laborious reporting process can begin. Rapid investigations and the ability to make quick, informed decisions can be challenging and require real-time data about the context of a suspicious event. In these scenarios, access to risk-based scoring of alerts, quick search and easily interpreted evidence can expedite the process.
In today’s fast-moving threat landscape, organizations must have capabilities in place to secure critical assets by managing and monitoring privileged accounts and access. Alongside a robust incident management process, businesses can be prepared for when an incident occurs, and with access to the right data, along with the ability to easily sort through it, they will be empowered to quickly uncover the source of the incident and future-proof systems.
Log management plays a serious role in identifying IT security incidents. Whether you are attacked by a sophisticated cyber criminal or experience a breach due to human error, it is crucial that you get to the heart of the problem quickly and efficiently.
Open Source Software: The Mega List
A jaw-dropping 1,000+ open source software tools. Open source software for, well, everything: Desktop, security, multimedia, small businesses, enterprises, education....
December 19, 2012
By Cynthia Harvey
Throughout the year, Datamation publishes guides to open source software in a variety of different categories, such as security, cloud computing, big data, small businesses, mobility and even games. It's become an annual tradition to compile all those open source apps we've featured into one gigantic list.
Our 2012 guide is longer than ever before with a jaw-dropping 1000+ open source apps in all. As usual, we've divided the list into categories and then alphabetized the projects within each category.
Whether you're a long-time Linux fan or a Windows or OS X user who's curious about the open source phenomenon, you're sure to find something new, interesting and useful.
1. Edoceo Imperium
Designed for small and mediu…
Understanding the Functions and Components of Electrical Panels
An electrical switchboard, or as we more commonly know it, an electrical panel, is made up of an arrangement of electrical components deliberately laid out on a control board to make them easier to use. To better understand the function of an electrical panel, we first need to know its components and understand the function of each of its electrical parts. Here are some electrical panel components and their functions that you should know:
MCB, short for Miniature Circuit Board, is an electrical panel component that functions as a switch limiting the current caused by a rise in power/voltage beyond the limit and/or by a short circuit. This panel component is usually limited to small nominal currents of up to less than 100 amperes. It comes in single-pole (one input and one output), two-pole, three-pole and four-pole forms.
MCCB stands for Moulded Case Circuit Breaker. Circuit breaker pemb…
Building a server room is not an activity to be taken lightly. Some of us think of a server room as merely the place where server equipment is kept safely. But fundamentally, a server room is also a data center in miniature, so we should follow the standards for building a data center as well.
The size of a server room generally depends heavily on its intended use and planned capacity. A server room can therefore range from very small (at least 2 meters x 2 meters) to quite large.
In terms of use, a server room is generally used to:
House the server equipment (tower or rackmounted); a PC server can also be assumed here.
House network equipment, generally at least the switch used for connections to the servers or to users.
House backup power supply equipment (what we know as a UPS).