Securing your network
Update December 11th: I’m in the middle of testing OSSIM, and messing around a bit with several other things, like flow-inspector. I’m still gathering my thoughts, since this project is clearly a beast.
What are we stopping?
Data exfiltration and host zombification. That’s it.
Read these things:
I’m not a CSO, nor do I have a PhD in Engineering, so I’ll leave most of theory here to other folks.
The following list is a few items you should skim so that you have an idea of what I’m trying to do:
- Endpoint Security Fundamentals
- Endpoint Security Management Buyers Guide
- CSIS: 20 Critical Security Controls
- NSA: Manageable Network Plan
- Mandiant Webinar: State of the Hack: Control-Alt-Delete: (Re)Booting a Security Program
In addition to theory, I’ve come across a thorough list of products:
Endpoint Security Management Buyer’s Guide:
I suggest taking notes as you read; I wrote up notes and a list of actionable questions, and expanded the list below in reaction to them. To be honest, my network isn’t gigantic, nor do I have much of a budget to work with, so I find this “CONSOLIDATE ALL THE CONSOLES!” concept elusive in the open source “market.” However, it is giving me a great and real reference point to start in on this gigantic task. I think the paper is a little idealistic for me, with the resources I have at hand; but it’s great for theory, and for understanding how much larger environments’ security operations work.
The page list:
Part 1: Raise your awareness
Part 2: The Console
Part 2.a: Configure AlienVault’s OSSIM as your primary security console
Upcoming list (clearly the order is not relevant):
Part 2: Server and endpoint security
Part 2.a: Anti-virus (why? how? who? discuss filter drivers, cite i/o tests; Anti-malware analysis, virustotal, av-test.org, that virus sample site…)
Part 2.b: Malicious Executable (Using SRP/AppLocker, El Jefe, checksum based whitelisting, and guaranteeing that it runs properly)
Part 2.c: Patch Management (WSUS + Local Update Publisher)
Part 2.d: Integrity monitoring (aka configuration management and integrity checks; using Foreman+RunDeck+Puppet, using hg, [maybe cover cloning? (FOG?)], OSSEC and Samhain)
Part 2.e: Encryption (why? how? who? truecrypt, discuss filter drivers, cite i/o tests)
Part 2.f: Sandboxing (EMET, unrealistic QubesOS)
Part 2.g: Device control (native device control, disabling registry write abilities (WriteProtect key), talk about mass storage and MTP, endpoint DLP, MyDLP, OpenDLP)
Part 2.h: Asset access control: intranet site authentication, Windows file ACL auditing (with MACE).
Part 3: network security
Part 3.0: network isolation/segmentation
Part 3.a: Firewalls. Proxies.
Part 3.b: Network intrusion detection/prevention (snort+sguil+squert+snorby, +acarm-ng, sagan, maybe OSSIM?)
Part 3.c: Flow capture (argus, ntop)
Part 3.d: Worm infection detection and tarpitting (Dionaea, honeyd, Nova)
Part 3.e: Switch configuration (802.1X, PacketFence, anti-spoofing, proper VLAN configs)
Part 3.f: Network service configuration (cover DHCP whitelisting, DNSSEC, multicast and PIM routing)
Part 5: Incident response (isolation mechanisms, argus, flow-inspector, redline, El Jefe, considering and writing extensions to redline for additional log (follow XML schema))
Part 6: “Active defense” is the new cool thing to do. Just wanted to mention it: ADHD distro.