CREDITS: The following notes were from a lecture originally created by Schweitzer Engineering Laboratories. This is all for study purposes only. THESE WERE PUBLISHED WITH PERMISSION AS WELL.
Anomalies and Events
Subcategories
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2: Detected events are analyzed to understand attack targets and methods
DE.AE-3: Event data are collected and correlated from multiple sources and sensors
DE.AE-4: Impact of events is determined
DE.AE-5: Incident alert thresholds are established
Revisiting Data Flows
- Baselines for expected network traffic are as important as baselines for system assets.
- OT network data flows should model minimal, predictable ICS traffic: a known set of hosts talking to a known set of hosts on a known set of ports.
- Any traffic outside of the baselined data flows is anomalous and deserves attention.
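The following is an added example, not part of the SEL lecture: a flow baseline for a small OT segment and a check that reports any observed flow the baseline does not explain. The hosts, roles, address ranges, ports and observed flows are all constructed for illustration; the point is that an OT baseline is small enough to enumerate, so anything outside it can be flagged rather than ignored.

```python
"""Added example (not from the SEL lecture): baseline of expected OT data flows.

Hosts, roles, address ranges, ports and the observed flows are constructed
for illustration and do not describe a real plant network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Assumed roles (constructed): who initiates, to whom, on which service.
HMI = "10.10.1.10"
ENG_WS = "10.10.1.20"
HISTORIAN = "10.10.1.30"
OT_NET = ip_network("10.10.0.0/16")
PLC_NET = ip_network("10.10.2.0/24")

# Baseline of expected flows: (source host or network, destination host or
# network, proto, dport). Minimal and predictable by design.
BASELINE = [
    (HMI, PLC_NET, "tcp", 502),           # HMI polls PLCs over Modbus/TCP
    (ENG_WS, PLC_NET, "tcp", 502),        # engineering workstation programs PLCs
    (ENG_WS, PLC_NET, "tcp", 44818),      # EtherNet/IP explicit messaging
    (HISTORIAN, HMI, "tcp", 135),         # historian pulls from HMI (OPC DA / DCOM)
    (OT_NET, "10.10.1.5", "udp", 123),    # everything syncs NTP to the site clock
]


def _matches(addr: str, spec) -> bool:
    """spec is either an exact host string or an ip_network."""
    if isinstance(spec, str):
        return addr == spec
    return ip_address(addr) in spec


def in_baseline(flow: Flow) -> bool:
    return any(
        _matches(flow.src, s) and _matches(flow.dst, d)
        and flow.proto == p and flow.dport == port
        for s, d, p, port in BASELINE
    )


def anomalous_flows(observed):
    """Return (flow, reason) for every flow the baseline does not explain."""
    findings = []
    for f in observed:
        if in_baseline(f):
            continue
        if ip_address(f.src) in PLC_NET:
            reason = "PLC initiated a connection (PLCs should only answer)"
        elif ip_address(f.dst) not in OT_NET:
            reason = "traffic leaving the OT network"
        else:
            reason = "not in baseline"
        findings.append((f, reason))
    return findings


# Constructed observations: four expected flows and three that are not.
OBSERVED = [
    Flow(HMI, "10.10.2.11", "tcp", 502),
    Flow(ENG_WS, "10.10.2.12", "tcp", 44818),
    Flow(HISTORIAN, HMI, "tcp", 135),
    Flow("10.10.2.11", "10.10.1.5", "udp", 123),
    Flow("10.10.2.11", "203.0.113.9", "tcp", 443),   # PLC talking out to the internet
    Flow("10.10.1.77", "10.10.2.12", "tcp", 502),     # unknown host speaking Modbus to a PLC
    Flow(HMI, "10.10.2.12", "tcp", 22),               # HMI opening SSH to a PLC
]

if __name__ == "__main__":
    for flow, why in anomalous_flows(OBSERVED):
        print(f"ANOMALY {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {why}")
```

The reason strings are deliberately ordered: a PLC that opens its own connections is the most interesting case on a control network, so it is reported before the generic "not in baseline" bucket.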
Definitions
Intrusion Detection System
A monitoring system that detects suspicious activities and generates alerts when they are detected. Based upon these alerts, a security operations center (SOC) analyst or incident responder can investigate the issue and take the appropriate actions to remediate the threat.
IDS Implementations
Inline
- Network connections physically pass through IDS devices.
- Can be a feature of a next-gen firewall
Passive
- Traffic is mirrored/spanned to IDS
Types of IDS
- Network Intrusion Detection System: Monitors and analyzes traffic coming to and from all network devices.
- Host Intrusion Detection System: Operates on a specific endpoint.
- Signature-based Intrusion Detection System: Monitors packets moving through a network and compares them to a database of known attack signatures or attributes.
- Anomaly-based Intrusion Detection System: Monitors ongoing network traffic and analyzes it against a baseline of normal behavior.
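An added example, not from the lecture, that runs a signature-based check and an anomaly-based check over the same constructed Modbus/TCP traffic, so the difference between the two is concrete. The signature check matches known attack attributes (a write function code from a host that is not the engineering workstation, and the Modbus diagnostics sub-function that forces a device into listen-only mode); the anomaly check compares each host's request count against a baseline mean plus three standard deviations. The hosts, packets and baseline history are constructed, and the "only the engineering workstation may write" rule is an assumption about this imaginary site.

```python
"""Added example (not from the lecture): a signature-based check and an
anomaly-based check applied to the same constructed Modbus/TCP traffic.

Hosts, addresses, the baseline history and every packet are constructed
for illustration.
"""
import struct
from statistics import mean, pstdev

# --- Signature-based: match packets against known attack attributes ---------
MODBUS_WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                      0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
MODBUS_DIAG_CODE = 0x08        # Diagnostics; sub-function 0x0004 = Force Listen Only Mode

# Assumed (constructed): only the engineering workstation is allowed to write to PLCs.
ENG_WS = "10.10.1.20"


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code, data) from a Modbus/TCP frame, or None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # MBAP length counts the unit id plus the PDU that follows it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


SIGNATURES = [
    ("Modbus write from non-engineering host",
     lambda src, fc, data: fc in MODBUS_WRITE_CODES and src != ENG_WS),
    ("Modbus diagnostics force-listen-only",
     lambda src, fc, data: fc == MODBUS_DIAG_CODE and data[:2] == b"\x00\x04"),
]


def signature_alerts(packets):
    alerts = []
    for src, payload in packets:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue
        _unit, fc, data = parsed
        for name, match in SIGNATURES:
            if match(src, fc, data):
                alerts.append((src, name))
    return alerts


# --- Anomaly-based: compare per-host request rate against a baseline --------
def rate_threshold(history, k=3.0):
    """Baseline mean + k standard deviations of requests per interval."""
    return mean(history) + k * pstdev(history)


def anomaly_alerts(packets, baseline_history, k=3.0):
    counts = {}
    for src, _ in packets:
        counts[src] = counts.get(src, 0) + 1
    limit = rate_threshold(baseline_history, k)
    return [(src, n) for src, n in counts.items() if n > limit]


def modbus_frame(unit, fc, data):
    """Build a Modbus/TCP frame: MBAP header (tid, proto 0, length, unit) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic for one polling interval. The HMI normally sends ~12 reads.
PACKETS = [("10.10.1.10", modbus_frame(1, 0x03, b"\x00\x00\x00\x0a"))] * 12
PACKETS += [("10.10.1.20", modbus_frame(1, 0x10, b"\x00\x10\x00\x01\x02\x00\x01"))]
PACKETS += [("10.10.1.77", modbus_frame(1, 0x06, b"\x00\x10\x00\x01"))]
PACKETS += [("10.10.1.77", modbus_frame(1, 0x08, b"\x00\x04\x00\x00"))]
PACKETS += [("10.10.1.77", modbus_frame(1, 0x03, b"\x00\x00\x00\x01"))] * 60
BASELINE_HISTORY = [12, 11, 13, 12, 12, 14, 11, 12]   # requests per interval, constructed

if __name__ == "__main__":
    for src, name in signature_alerts(PACKETS):
        print(f"SIGNATURE {src}: {name}")
    for src, n in anomaly_alerts(PACKETS, BASELINE_HISTORY):
        print(f"ANOMALY   {src}: {n} requests this interval")
```

Note what each method misses: the signature check says nothing about the 60 reads from the unknown host because reads are not in its rule set, and the anomaly check says nothing about the single write from that host because one packet never exceeds a rate threshold. Running both is what makes the unknown host visible from two directions.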
Intrusion Prevention System
Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents.
- Inspects traffic at the application layer and below.
- Can be integrated into next-gen firewalls.
IPS Implementations
Placement is key
- Processing network traffic is computationally expensive.
- Deep packet inspection adds latency, which can impact network performance.
IPS on OT Networks
- Emphasis on availability: an inline IPS that blocks legitimate control traffic on a false positive causes the very outage it exists to prevent, so OT deployments typically run the sensor passively (IDS mode) or limit blocking to a small set of high-confidence signatures.
Security Information and Event Management (SIEM)
Network hardware and applications generate security events.
SIEM resources provide real-time analysis.
- Pattern detection
- Trend detection
Big picture monitoring.
SIEM Tools
SIEM- Security Information and Event Management.
- SolarWinds SIEM Security and Monitoring
- Salesforce
- Splunk Enterprise SIEM
- EventTracker
- Rapid7
Configuration
None of the previously described tools are set-and-forget.
Configuration and tuning are needed based on the environment.
- A critical alert for one company may be a non-event for another.
- Thresholds and the impact of events need to be determined and used to inform alerting and response functions.
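An added example (not from the lecture) of what "correlated from multiple sources" and "thresholds per environment" look like in code: two constructed log sources, a firewall syslog and Windows logon events, are normalized into one event stream, and a correlation rule fires when a source exceeds the failed-logon threshold and then succeeds, enriched with the firewall's view of the same source and an assumed asset-impact rating. The log formats, hostnames, usernames, thresholds and impact ratings are all constructed; the same rule is run with a "corporate" and an "ot" threshold to show that the tuning, not the rule, decides whether an event is an alert.

```python
"""Added example (not from the lecture): correlating events from two log
sources in a SIEM-style pipeline with environment-specific alert thresholds.

Log lines, hostnames, usernames, thresholds and impact ratings are constructed
for illustration; the formats are simplified, not any vendor's real schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: firewall syslog (constructed).
FIREWALL_LOG = """\
2024-05-01T08:00:01 fw01 DENY TCP 198.51.100.7:51000 -> 10.10.1.30:3389
2024-05-01T08:00:02 fw01 DENY TCP 198.51.100.7:51001 -> 10.10.1.30:3389
2024-05-01T08:00:09 fw01 ALLOW TCP 198.51.100.7:51002 -> 10.10.1.30:3389
2024-05-01T08:05:00 fw01 ALLOW TCP 10.10.1.10:40001 -> 10.10.2.11:502
"""

# Source 2: Windows logon events, 4625 = failed logon, 4624 = successful logon (constructed).
WINDOWS_LOG = """\
2024-05-01T08:00:10 HISTORIAN 4625 user=svc_hist src=198.51.100.7
2024-05-01T08:00:12 HISTORIAN 4625 user=svc_hist src=198.51.100.7
2024-05-01T08:00:14 HISTORIAN 4625 user=svc_hist src=198.51.100.7
2024-05-01T08:00:15 HISTORIAN 4625 user=svc_hist src=198.51.100.7
2024-05-01T08:00:20 HISTORIAN 4624 user=svc_hist src=198.51.100.7
2024-05-01T08:02:00 HMI01 4625 user=operator src=10.10.1.20
2024-05-01T08:02:30 HMI01 4624 user=operator src=10.10.1.20
"""

FW_RE = re.compile(r"(\S+) (\S+) (ALLOW|DENY) TCP (\S+):\d+ -> (\S+):(\d+)")
WIN_RE = re.compile(r"(\S+) (\S+) (4624|4625) user=(\S+) src=(\S+)")


def parse_events(firewall_text, windows_text):
    """Normalize both sources into one time-ordered event list with shared field names."""
    events = []
    for line in firewall_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, sensor, action, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "firewall",
                           "sensor": sensor, "type": f"fw_{action.lower()}",
                           "src": src, "dst": dst, "dport": int(dport)})
    for line in windows_text.splitlines():
        m = WIN_RE.match(line)
        if m:
            ts, host, eid, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "source": "windows",
                           "sensor": host, "type": "logon_ok" if eid == "4624" else "logon_fail",
                           "src": src, "dst": host, "user": user})
    return sorted(events, key=lambda e: e["ts"])


# Alert thresholds are per environment (DE.AE-5): noise on a corporate network
# can be critical on a control network with a handful of operators. Constructed.
THRESHOLDS = {
    "corporate": {"failed_logons": 10, "window": timedelta(minutes=5)},
    "ot":        {"failed_logons": 3,  "window": timedelta(minutes=5)},
}

# Impact rating per asset (DE.AE-4), an assumption for this example.
ASSET_IMPACT = {"HISTORIAN": "high", "HMI01": "critical"}


def correlate(events, env):
    """Alert when a source exceeds the failed-logon threshold and then logs on
    successfully, and attach what the firewall saw from that source beforehand."""
    cfg = THRESHOLDS[env]
    fails = defaultdict(list)
    alerts = []
    for e in events:
        if e["type"] == "logon_fail":
            fails[(e["src"], e["dst"])].append(e["ts"])
        elif e["type"] == "logon_ok":
            recent = [t for t in fails[(e["src"], e["dst"])] if e["ts"] - t <= cfg["window"]]
            if len(recent) >= cfg["failed_logons"]:
                fw_hits = [x for x in events if x["source"] == "firewall"
                           and x["src"] == e["src"] and x["ts"] <= e["ts"]]
                alerts.append({"src": e["src"], "target": e["dst"], "user": e["user"],
                               "failed_before_success": len(recent),
                               "impact": ASSET_IMPACT.get(e["dst"], "unknown"),
                               "firewall_denies": sum(x["type"] == "fw_deny" for x in fw_hits)})
    return alerts


if __name__ == "__main__":
    evs = parse_events(FIREWALL_LOG, WINDOWS_LOG)
    for env in THRESHOLDS:
        print(env, correlate(evs, env))
```

With the "ot" thresholds the historian logon fires (four failures then a success, and the firewall had already denied that source twice), while the operator's single typo on the HMI does not; with the "corporate" thresholds nothing fires at all. That is the tuning decision the section is describing.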
Security Continuous Monitoring
Subcategories
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed
Definitions
Continuous Monitoring
Maintaining ongoing awareness to support organizational risk decisions
Physical Security Monitoring
Designed to protect persons and property.
- Preparation, detection, deterrence, delay, and defense.
Involves the use of multiple layers of interdependent systems.
- CCTV surveillance, security guards, protective barriers.
Logical Security Monitoring
Network Traffic Monitoring
IDS/IPS
Network Activity Monitoring
Centralized authentication and associated non-repudiation
Field Device Monitoring
System logs, events, security gateway command logging.
Security Operations Center/SCADA Control Center.
Vulnerability Scanning
Active Scanning- Sends transmissions to the network's nodes and examines the responses to evaluate whether a specific node represents a weak point within the network. Because it generates traffic, it can disturb fragile field devices, so on OT networks it is scheduled and scoped with care.
Passive Scanning- Identifies the active operating systems, applications, and ports throughout a network by monitoring existing activity rather than sending probes, and uses that inventory to determine the network's vulnerabilities.
- Log ingestion
- Pcaps
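An added example, not from the lecture, of the passive approach: nothing is sent to any host; instead an inventory of listening ports, service banners and a likely operating system is built from the kind of per-packet fields (addresses, ports, TCP flags, TTL, first payload bytes) that a pcap already contains, and the result is compared with an authorized asset list. The records, hosts, banners and asset list are constructed, the TTL-to-OS mapping is the usual initial-TTL heuristic (64, 128, 255), and the tuples stand in for what a tool such as tshark would export from a real capture.

```python
"""Added example (not from the lecture): passive scanning over captured
traffic. Nothing is sent to the hosts; an inventory of listening ports,
banners and likely OS is built from packet summaries.

Records, hosts, banners and the authorized asset list are constructed for
illustration and do not describe a real network.
"""
from collections import defaultdict

# Each record: (src, sport, dst, dport, tcp_flags, ttl, payload) as extracted
# from a pcap. Server-side packets carry the service port as sport.
RECORDS = [
    ("10.10.2.11", 502,   "10.10.1.10", 40001, "SA",  64, b""),
    ("10.10.1.30", 3389,  "10.10.1.10", 40002, "SA", 128, b""),
    ("10.10.1.30", 445,   "10.10.1.10", 40003, "SA", 128, b""),
    ("10.10.1.5",  22,    "10.10.1.20", 40004, "SA",  64, b""),
    ("10.10.1.5",  22,    "10.10.1.20", 40004, "PA",  64, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.10.2.12", 80,    "10.10.1.20", 40005, "SA", 255, b""),
    ("10.10.2.12", 80,    "10.10.1.20", 40005, "PA", 255,
     b"HTTP/1.0 200 OK\r\nServer: PLC-Web/2.1\r\n\r\n"),
    ("10.10.1.99", 21,    "10.10.1.20", 40006, "SA", 128, b""),
    ("10.10.1.99", 21,    "10.10.1.20", 40006, "PA", 128, b"220 FTP server ready\r\n"),
    ("10.10.1.10", 40001, "10.10.2.11", 502,   "S",  128, b""),   # client SYN, not a service
]

# Assumed asset list (constructed). 10.10.1.99 is deliberately absent.
AUTHORIZED = {"10.10.1.5", "10.10.1.10", "10.10.1.20", "10.10.1.30",
              "10.10.2.11", "10.10.2.12"}


def guess_os(ttl):
    """Initial-TTL heuristic: observed TTL is the initial TTL minus hops taken."""
    if ttl <= 64:
        return "Linux/Unix or embedded (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "Network device or RTOS (initial TTL 255)"


def banner_text(payload):
    """First line of the service's greeting, or the HTTP Server header if present."""
    lines = payload.decode("ascii", "replace").splitlines()
    for line in lines:
        if line.lower().startswith("server:"):
            return line
    return lines[0] if lines else ""


def passive_inventory(records):
    inv = defaultdict(lambda: {"ports": set(), "banners": {}, "os": None})
    for src, sport, _dst, _dport, flags, ttl, payload in records:
        if "S" in flags and "A" in flags:            # SYN-ACK: src is listening on sport
            inv[src]["ports"].add(sport)
            inv[src]["os"] = guess_os(ttl)
        elif payload and src in inv and sport in inv[src]["ports"]:
            inv[src]["banners"][sport] = banner_text(payload)   # server -> client greeting
    return dict(inv)


def unauthorized_hosts(inventory, authorized):
    """DE.CM-7: anything found listening that is not in the asset list."""
    return sorted(h for h in inventory if h not in authorized)


if __name__ == "__main__":
    inventory = passive_inventory(RECORDS)
    for host, info in sorted(inventory.items()):
        print(host, info["os"], sorted(info["ports"]), info["banners"])
    print("unauthorized:", unauthorized_hosts(inventory, AUTHORIZED))
```

The client's own SYN at the end of the record list is ignored on purpose: only a SYN-ACK proves that something is listening, which is why the inventory contains five servers and not the HMI that was merely polling them.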
Detection Process
Subcategories
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-2: Detection activities comply with all applicable requirements
DE.DP-3: Detection processes are tested
DE.DP-4: Event detection information is communicated
DE.DP-5: Detection processes are continuously improved
Detection Processes
Processes are structured steps designed to accomplish the objective of meeting the stated policy.
Detect attacks, indicators of compromise, and unauthorized local, network, and remote connections.
- Identify unauthorized use of the system.
- Analyze detected events and anomalies.
- Notify appropriate parties of detected anomalous activity.
- Adjust the level of system monitoring activity when there is a change in risk
Personnel Security Training
People are usually recognized as one of the weakest links in securing systems.
Teach people the skills that will enable them to perform their jobs more securely.
Most effective when targeted at a specific audience.
- Physically protecting an area and equipment
- Logically protecting passwords
- Reporting security violations or incidents
Detect Example- OPNsense on SEL-3355
Next-Generation firewall with deep-packet inspection
- Live firewall log view
Integrated IDS/IPS
Thanks for reading!
I am sorry for completely forgetting to publish the rest of these! I am finishing these blogs up now :P