Transcript of 1 - Security Blackbelt - Data Mapping and Dynamic Lists - Norbert
-
7/28/2019 1 - Security Blackbelt - Data Mapping and Dynamic Lists - Norbert
1/31
Security Blackbelt Training
BrainShare EMEA 2010
Norbert Klasen
Senior Consultant
-
Agenda
Business Data Mappings
Dynamic Lists and Correlation Rules
iTrac
-
Business Data Mappings
-
Data Translation
Add information not present in the event generated by the source
Lookup information in a table
Collector
CSV files
legacy: TRANSLATE()
JavaScript: lookup()
e.g. Severity, Taxonomy, descriptive names for numeric constants, DNS resolution
-
Mapping Service
Mappings are applied by the Event Router in the Collector Manager
das_query distributes (delta) maps to the Collector Managers
Map data is cached on the Collector Managers
CSV file in $ESEC_HOME/data/map_data
-
Point in Time
Data is always injected at the time an event is processed by Sentinel
No updates to already processed events if a relation changes later
-
Map Definition
Map definition
Column name
Column data type
> Range support
Key checkbox
Separator
Event Configuration
External
Referenced from map
> Boolean
> Value from map
-
SCC Demo
-
Use Case 1 Identity Tracking
Who did it?
Correlate events from various systems that relate to the same person
Inject identity information into events
person -> identity -> accounts
Account names
(Init|Target)UserName
(Init|Target)UserDomain
Possibly multiple name forms per account
-
Novell IDM Integration
ID Vault (IDM)
Sentinel Driver (IDM)
JMS Message Bus (Sentinel)
ID Vault Collector (Sentinel)
Identity API (Sentinel)
Identity and Account DB Tables/Views (Sentinel)
Account Identity Mapping Table (Sentinel)
Mapping Service (Sentinel)
-
Other Integrations
Generic Identity Collector
Microsoft Active Directory (work in progress)
Build your own using the SDK
-
Account Identity Map
Keys
MSSPCustomerName
UserName
UserDomain
Applied to Initiator and Target
Values
Identity GUID
FullName
Department
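A worked model of the Account Identity Map from the slides above, added here as an example and not Sentinel's own code: the map definition names the key columns and the value columns, the CSV map data is parsed into a lookup table, and the map is applied once per role prefix (Init, Target). The last function shows the point-in-time behaviour from the earlier slide. Customer, account and GUID values are constructed.

```python
import csv
import io

# Constructed sample in the CSV layout the Mapping Service caches under
# $ESEC_HOME/data/map_data; column names and values are assumptions.
ACCOUNT_IDENTITY_CSV = """\
MSSPCustomerName,UserName,UserDomain,IdentityGUID,FullName,Department
acme,jdoe,CORP,guid-0001,Jane Doe,Finance
acme,jdoe,LAB,guid-0002,John Doe,Research
"""
# Map definition: the key columns (Key checkbox) and the injected values.
KEY_COLUMNS = ("MSSPCustomerName", "UserName", "UserDomain")
VALUE_COLUMNS = ("IdentityGUID", "FullName", "Department")

def load_map(text, key_columns=KEY_COLUMNS, value_columns=VALUE_COLUMNS,
             separator=","):
    """Parse map data into a lookup table: key tuple -> value columns."""
    table = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=separator):
        key = tuple(row[c] for c in key_columns)
        table[key] = {c: row[c] for c in value_columns}
    return table

def apply_map(event, table, prefixes=("Init", "Target")):
    """Enrich one event as the Event Router does at processing time: for
    each role, <prefix>UserName/<prefix>UserDomain plus MSSPCustomerName
    form the key and every value column is injected as <prefix><column>."""
    enriched = dict(event)
    for prefix in prefixes:
        key = (event.get("MSSPCustomerName"),
               event.get(prefix + "UserName"),
               event.get(prefix + "UserDomain"))
        values = table.get(key)
        if values is None:
            continue  # unknown account: event passes through unchanged
        for column, value in values.items():
            enriched[prefix + column] = value
    return enriched

def point_in_time_demo():
    """A later map change does not rewrite an already-processed event:
    values are injected once, when Sentinel processes the event."""
    table = load_map(ACCOUNT_IDENTITY_CSV)
    event = {"MSSPCustomerName": "acme",
             "InitUserName": "jdoe", "InitUserDomain": "CORP",
             "TargetUserName": "jdoe", "TargetUserDomain": "LAB"}
    stored = apply_map(event, table)
    table[("acme", "jdoe", "CORP")]["Department"] = "Audit"  # delta map
    return stored, apply_map(event, table)
```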
-
Result
Active View
Identity Browser
Correlation Rules
Reports
-
SCC Demo
-
Use Case 2 Assets
What does this server do? Is it critical?
Inject asset information into events
Hostname
MAC
Category
Description
Product
Criticality
Owner
Location
-
Asset Map
Keys
MSSPCustomerName
IP
Applied to Initiator, Target, Observer, and Reporter
Values
Class
Criticality
Department (Function)
AssetID
-
Integrations
Generic Asset Collector (CSV)
Build your own using the SDK
-
SCC Demo
-
Use Case 2 Advisor
Is an attack directed at a vulnerable system?
Correlate attacks with vulnerabilities
Load scan results into Sentinel
Subscribe to the Advisor feed
Connect an IDS
-
IsExploitWatchList Map
Keys
MSSPCustomerName
DeviceAttackName
DeviceName (e.g. Snort)
TargetIP
Values
Vulnerability (flag 0 or 1)
-
Dynamic Lists and Correlation Rules
-
Dynamic Lists
Lists of elements
Distributed caching and lookup
Correlation Engines
List Attributes
Transient/Persistent Elements
Time to Live
Maximum Size
Elements can be added and removed manually or automatically
Action
Inlist operator
-
Use Case Affected By Exploit
Detects users who may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.
Prerequisite: Advisor
Put the exploited asset on a dynamic list
Create an alarm if a user logs into such an asset
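An added example, not Sentinel code, modelling the Dynamic Lists slide and this use case together: a list with time to live, maximum size and transient/persistent elements, and two rules chained through it. The first rule is fed by the Vulnerability flag that the IsExploitWatchList map injects; the second uses the inlist operator on login events. Event field names beyond those on the slides, the list name and the TTL are assumptions.

```python
import time
from collections import OrderedDict

class DynamicList:
    """Minimal model of a Sentinel dynamic list: persistent elements stay
    until removed, transient ones expire after `ttl` seconds, and the
    oldest element is evicted once `max_size` is reached."""

    def __init__(self, name, ttl=3600, max_size=1000, clock=time.time):
        self.name, self.ttl, self.max_size, self.clock = name, ttl, max_size, clock
        self._items = OrderedDict()  # element -> (added_at, persistent)

    def add(self, element, persistent=False):
        self._expire()
        if element in self._items:
            del self._items[element]  # re-adding refreshes the TTL
        while len(self._items) >= self.max_size:
            self._items.popitem(last=False)  # evict the oldest element
        self._items[element] = (self.clock(), persistent)

    def remove(self, element):
        self._items.pop(element, None)

    def _expire(self):
        now = self.clock()
        for element, (added, persistent) in list(self._items.items()):
            if not persistent and now - added > self.ttl:
                del self._items[element]

    def inlist(self, element):
        """The correlation engine's inlist operator."""
        self._expire()
        return element in self._items

def on_event(event, exploited):
    """Two rules chained through the list. Rule 1: an IDS event whose
    IsExploitWatchList lookup set Vulnerability to 1 (Advisor prerequisite)
    puts the target on the list. Rule 2: a login whose target host is on
    the list raises the Affected By Exploit alarm (constructed alarm dict)."""
    if event.get("Vulnerability") == "1":
        exploited.add(event["TargetIP"])  # transient: drops off after TTL
        return None
    if event.get("EventName") == "Login" and exploited.inlist(event["TargetIP"]):
        return {"rule": "IdT-Affected By Exploits",
                "user": event["InitUserName"], "asset": event["TargetIP"]}
    return None
```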
-
SCC Demo
-
iTrac
-
iTrac Definitions
Incident: Actionable condition
Action
Preconfigured step
Template
Definition of steps to be taken in response to an incident
Interactive and automated actions
Process: Specific instance of a template that is used to actively track an incident
-
iTrac Template Components
Steps
Manual Step (user interaction)
Command Step (launch script)
Mail Step
Decision Step (branch)
Transitions
Activities
Variables
-
Use Case Access to Exploited Asset
iTrac Template: Access to Exploited Asset
Correlation Rule
IdT-Affected By Exploits
Creates Incident with attached workflow
-
SCC Demo
-
-
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.