Management & Reporting

You are currently browsing the archive for the Management & Reporting category.

Security Models – Polices, Standards & Procedures

November 15, 2008 in Article, Management & Reporting | No comments

The area of my job that I probably dislike the most is policies.  I like technology and finding ways to make things possible that weren’t possible before; enabling businesses to become more efficient in their day-to-day work by streamlining cumbersome security strategies into slicker operating methodologies.  Network security is an excellent arena for someone who loves technology because of the ever changing environment but a constantly changing environment brings challenges with it and the biggest of all is ensuring that when you’re business adapts to meet the challenge, it adapts in a manner that is controlled, directed, managed and monitored.  To do that in my job you need a Security Model to operate within. 

Image displaying how a security model compises various elements.

Security Model by SecuraNET

With new and improved technologies being released every day there are pressures to keep pace with them but without structure you are soon left with a myriad of solutions that are unsupportable and working independently making them difficult to administer and a burden to maintain.  When you have the proper framework in place to direct your efforts in the appropriate direction, that is when things start coming together and improving.  Security Models are comprised of a number of different elements, all of which you will hear banded around loosely at meetings.  The diagram below shows how they slot together to create a security model.  The policy is the “why”, standards and baselines are the “what”, and procedures and guidelines are the “how” of the security model.

Policies

The policy, as you can perhaps interpret from the name, is put in place to police the user’s actions.  Its purpose is to define how information is managed and dissipated throughout your business and there will usually be polices for key areas.  For instance, a common example would be an Acceptable Use Policy that outlines the acceptable use of IT equipment.  The aim of the policy is to define the end results and not necessarily the means.  The policy may refer to standards, procedures or guidelines and are enforceable which can result in disciplinary action should a member of staff breach them.

Standards & Baselines

A standard is written to describe the mandatory rules that must be followed to adhere with the policy.  For example, there will be a standard specified for the allocation of IP addresses that a company uses that may define a specified range for use.  They are usually specific to a system or procedure and employees must follow these standards.  They are usually industry recognized best practices.  ISO27002 is the current ISO standard for Information Security Management.  Standards usually describe the baselines for the minimum level of compliance that must be met in order to meet the standards requirements.

Procedures & Guidelines

Without procedures it would be very hard to enforce a policy.  With procedures we can effectively instruct the employee into acting in a deliberate manner when carrying out certain tasks.  In reference to the earlier example of issuing an IP address range, there may be an IP Address Allocation procedure that instructs the employee to update certain documents with the new details and communicate the details to certain parties.  In contrast, guidelines are recommendations that are set out to help comply with the policies objectives by providing a structure or framework to work against.  They are meant to guide the employee into acting in a manner that is supportive of the policy or model and in a way that helps them comply better with the standards.  There are usually frequent references to the guidelines within the policy document.

There are various ways to interpret how the elements work together, I feel that the policy is a seperate entity but standards and baselines work together to determine the levels of adherence while guidelines and procedures give us the methods in which to acheive these levels so that we may adhere to the policy and work under the model as a whole.   This area certainly isn’t my forte but I hope you find the article helpful.

CS-MARS attacks!

October 15, 2008 in Article, Management & Reporting, Vendor Specific | No comments

Cisco’s new(ish) flagship security event management platform is beginning to make its mark but I wanted to know what it brought to the table that made it different from the rest of the solutions available.

Security Information Management (SIM) platforms are used to provide a central repository for security devices to send any events generated to.  Most SIM offerings have a web front end that allows network security staff access to view all of the logs generated by devices on their network.  SIMs offer excellent benefits to an organization by allowing security events to be viewed from a single source, the SIM will have the necessary disk space to store these events while making them available for analysis and reporting.  Another benefit to us that SIMs provide is that they can correlate event data to show any events received that share certain variables allowing us to recognize trends in the network between reporting devices.  The SIM can be configured to alert administrators if certain events are triggered however it is then up to the administrator to find a way of mitigating whatever is triggering the alerts.

The previous SIMs available before CS-MARS provided some excellent features that enabled network security staff to store, analyse and archive any events generated by devices configured to report to the SIM.  An added benefit is that SIMs can help organizations comply with legislation set out to ensure that companies secure data that is confidential such as in the healthcare sector or online stores that retain personal data of customers.

As you can see SIMs offer us a great deal of functionality but they were lacking in areas that hadn’t been ventured into before by other vendors.  CS-MARS (Cisco Security – Monitoring Analysis Response System) brought us the features that are other vendors lacked.  CS-MARS came about when Cisco purchased Protego Networks for $65M to extend the capability of Cisco’s self-defending network. Protego had embraced the concept of SIM but enhanced this by adding in STM (Security Threat Management) to the MARS product which Cisco has developed much further since acquiring it.  STM brings us new features to the SIM market allowing us to do things such as timely attack mitigation through mitigation advisories.  Also, because of the STM orientated design, MARS has better overall topology awareness which makes other things possible such as end-to-end network awareness to provide session awareness and date reduction by reducing millions of events down to hundreds.  MARS mitigation strategies employ the use of TCP resets, shuns, editing ACLs and rulebases.

In short, CS-MARS demonstrates an impressive range of new and innovative features in one solution that nothing else on the market can compare to.  Security event management, correlation and normalization of events combined with the option for attack mitigation advisories and immediate single click mitigation deployments places MARS in a class of it’s own.

Cisco Security Manager

July 23, 2008 in Article, Management & Reporting | No comments

I recently installed Cisco Security Manager for a client and up until then I had pretty limited experience with it as it’s still relatively fresh on the market. The install itself is very easy.  Next, next, next… almost. After a few teething problems with McAfee AV hanging the server it was all up and running and ready for devices to be added in. McAfee, by the way, was trying to scan the CSM database and couldn’t and that was what hung the machine. The only way around it was to exclude the folder where the database is and it worked fine after that.

For those of you who don’t know what Cisco Security Manager does it’s basically a replacement for the old Cisco VMS Works, in my opinion anyway – I’m not sure if Cisco market it as that. It has some pretty good features built into it that allow you to manage your security policies in a more uniform fashion across your network. The ability to copy policies from one device to another is a great way of adding extra layers of security throughout your network. I installed a Cisco 4260 IPS after the CSM server and I especially liked the benefit of copying signature polices between IPS’s as it saves a lot of time wasted on ensuring devices have the same signature set when inspecting segments that should have the same inspection policies applied.

I also added in a live Cisco ASA5540 to the device repository but it threw a lot of errors up so I have deleted it out for the time being as the customer is not looking to use CSM with his firewalls at the moment. We’ll also be installing CS-MARS in the near future and that can tie in with CSM so I’ll report back on how that goes.

Ian