Goals of a Monitoring System - PowerPoint PPT Presentation

About This Presentation
Title:

Goals of a Monitoring System

Description:

External: DoS, malicious scanning, hacking/cracking, etc ... DoS attacks, intrusions of critical systems and services, multiple login ... – PowerPoint PPT presentation

Number of Views:223
Avg rating:3.0/5.0
Slides: 14
Provided by: dalh6

Transcript and Presenter's Notes

Title: Goals of a Monitoring System


1
Goals of a Monitoring System
  • Presented By
  • John A. Slomski

2
Why Monitor?
  • What you can't see may
  • steal your proprietary data
  • use your systems as zombies
  • use your systems as email servers
  • cripple your organization
  • Not Seeing a Problem ≠ No Problem

3
Goals of a Monitoring System
  • The Threat
  • Monitoring Logging and Alerting
  • Resources, Smaller and Larger Environments
  • Built-in Features
  • The Goals

4
The Threat
  • External: DoS, malicious scanning,
    hacking/cracking, etc.
  • Internal: malicious or careless insider, etc.
  • Managing Instant Messaging (IM) and Peer-to-Peer
    (P2P) Threats in the Enterprise
    http://www.spywareguide.com/whitepapers/osterman.pdf

5
Logging and Alerting
  • Log activities which could be indicators of
    access violation, system intrusions, traffic
    indicating malicious or inappropriate software,
    inappropriate system usage (usage potentially
    detrimental to the organization)
  • Logging and monitoring must (also) be reliable
    by providing complete, usable, and secure logs
    that are accessible to only a limited number of
    authorized individuals.

  • (Tudor 219)

6
Logging and Alerting
  • Alerting!? Consider
  • Is it important enough to know about immediately?
  • DoS attacks, intrusions of critical systems and
    services, multiple login attempts against
    Administrator/Guest/Owner/SU type accounts, etc.

7
Logging and Alerting: Resources
  • The Top 5 Essential Log Reports
  • http://www.sans.org/resources/top5_logreports.pdf
  • UNIX Security Checklist v2.0 (6.0 System
    Monitoring)
  • http://www.cert.org/tech_tips/usc20.html
  • The Security Monitoring and Attack Detection
    Planning Guide (Ch 2: Approaches to Security
    Monitoring)
  • http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

8
Monitoring Systems How Extensive/Comprehensive?
9
Monitoring Systems: How Extensive/Comprehensive?
  • It Depends

10
Monitoring Systems: How Extensive/Comprehensive?
  • Resources ($, people, systems, applications)
    available for system/application set up,
    responding to alerts, reviewing logs, etc.
  • Smaller environments: less expensive
    methods/tools, perhaps more manual tasks than for
    a larger environment
  • Larger environments: more expensive automated
    monitoring/logging/alerting tools
  • Limited budgets?

11
Something is Better than Nothing: Take Advantage
of Built-in Features
  • Eventquery.vbs (Win XP Prof, Server 2003)
  • cscript c:\windows\system32\EVENTQUERY.vbs /L
    security /FI "Datetime gt 08/15/06,02:00:00PM"
    /FI "Id eq 680" /v >> FlLogins.txt
  • /S <system> (query a remote system)
  • Eventcreate.exe: inject events
  • Eventtriggers.exe: trigger actions based on
    events in the Windows Event Logs
  • Help to text file: cscript c:\windows\system32\EVENTQUERY.vbs /? > eventqueryNotes.txt
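The two slides above fit together: slide 6 says to alert on repeated logon attempts against Administrator/Guest/Owner/SU type accounts, and slide 11 pulls event ID 680 records after a given time with eventquery.vbs. The script below is an added example, not part of the presentation, that applies the same "Id eq 680 / Datetime gt" selection and then the slide-6 rule to constructed sample records; the tuple layout is an assumption, not the real eventquery.vbs output format, and Python stands in for the batch pipeline on the slide.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records, modelled on the fields the slide's eventquery
# filters use: event ID 680 (XP/2003 "account logon attempt"), the event time
# in eventquery's mm/dd/yy,hh:mm:ssAM/PM form, the account and the outcome.
# The tuple layout is an assumption, not the exact eventquery.vbs output format.
SAMPLE_EVENTS = [
    (680, "08/15/06,01:55:00PM", "jsmith", "Success"),
    (680, "08/15/06,02:01:10PM", "Administrator", "Failure"),
    (680, "08/15/06,02:01:15PM", "Administrator", "Failure"),
    (680, "08/15/06,02:01:20PM", "Administrator", "Failure"),
    (680, "08/15/06,02:01:25PM", "Administrator", "Failure"),
    (680, "08/15/06,02:03:00PM", "jsmith", "Failure"),
    (538, "08/15/06,02:04:00PM", "jsmith", "Success"),
    (680, "08/15/06,03:30:00PM", "Guest", "Failure"),
]

# Account names slide 6 singles out (Administrator/Guest/Owner/SU type accounts).
PRIVILEGED = {"administrator", "guest", "owner", "su"}
TIME_FMT = "%m/%d/%y,%I:%M:%S%p"

def parse_when(text):
    """Parse the datetime form used in the eventquery /FI "Datetime gt ..." filter."""
    return datetime.strptime(text, TIME_FMT)

def select_events(events, event_id, since):
    """Same selection as /FI "Id eq <id>" /FI "Datetime gt <since>"."""
    cutoff = parse_when(since)
    return [e for e in events if e[0] == event_id and parse_when(e[1]) > cutoff]

def failed_logon_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {account: burst size} for privileged accounts that collected at
    least `threshold` failed logons inside any span of length `window`."""
    failures = defaultdict(list)
    for _, when, user, result in events:
        if result == "Failure":
            failures[user.lower()].append(parse_when(when))
    alerts = {}
    for user, times in failures.items():
        if user not in PRIVILEGED:
            continue
        times.sort()
        start = 0  # sliding window over the sorted failure times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts
```

Only accounts in PRIVILEGED raise an alert; the ordinary user's single failure is logged but, as slide 6 suggests, is not important enough to know about immediately.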

12
Monitoring Systems: The Goals?
  • Quickly react to immediate threats
  • Identify shortfalls in security
  • Enhance protection against potential threats
  • Show compliance in protecting CIA (confidentiality, integrity, availability)
  • Use what you have, and use it to convince
    management of where more is needed

13
  • Questions?