Given a scenario, review security architecture and make recommendations to implement compensating controls.CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
Security Data Analytics
Data analytics allows analysts to take a large data set and through software make sense of the data.
Data Aggregation and Correlation
SIEM systems can help look at correlation between events in the data. An example is a spike in SYN packets happening during a DoS attack.
Risk management lends itself to trend analysis. Historical data is used to show variance from established baselines.
Shows data over time to see anomalies and other information that would be missed looking at data only at the time it happened.
Automation is nice, but sometimes you need to know how to look at the logs and make your own inferences.
Firewall logs can be intimidating, but generally follow a similar format across vendors.
<time> <action> <firewall> <interface> <product> <source> <source port> <destination> <destination port/service> <protocol> <translation> <rule>
- Time: Local time on the monitoring station
- Action: Accept, deny or drop
- Firewall: IP or hostname of the device
- Interface: Interface where the packet was seen
- Product: Software running on the firewall.
- Source: Source IP of the packet
- Source Port: Source Port of the packet
- Destination: Destination IP of the packet
- Service (Destination Port): Destination port or service of the packet.
- Protocol: TCP/UDP generally
- Translation: New source or destination if NAT is used
- Rule: The rule number that caused the log entry.
7:33:10 deny firewall1 OUTSIDE Firewall-Prod 220.127.116.11 3473 10.44.4.4 443 TCP xlatedst 18.104.22.168 rule 6
Syslog messages have a standard format. Syslog packets are limited to 1024 bytes.
May 4 13:37:01.010: %SEC-6-IPACCESSLOGP: list ACL12-IN permitted tcp 192.0.2.5(12345) -> 198.51.100.3(443), 1 packet
The above would be an example security related syslog message. Syslog is a very flexible format so depending on the device messages may look different. In the above example, the facility would be SEC or security and the severity (not necessarily a measure of security severity) is 6 which means Informational. Below are the various severity levels for syslog messages.
- 0 Emergency: System is unusable or severely affected
- 1 Alert: Immediate action is required
- 2 Critical: Critical events
- 3 Error: Error messages from applications or the OS
- 4 Warning: Warning messages from applications or the OS
- 5 Notice: Normal condition, but significant
- 6 Informational: Informational messages for routine activities
- 7 Debug: Debugging messages for troubleshooting.
Logs on servers and other devices keep track of authentication successes, failures and related events like lockouts. In Windows environments, event ID 4625 can be used to filter to authentication events.
Like authentication logs, these logs are kept on devices and can be sources of information. Often they will be shipped to a SIEM for easier review and correlation.
Defense in Depth
Defense in depth refers to using multiple layers of security. Some refer to this as belt and suspenders.
Often security analysts refer to people as the weak link in security because they are unpredictable. There are ways to take this “weak link” and make it stronger for defense in depth.
- Training: INFOSEC training comes in three parts and all three are important. First, there is Security Awareness, that is the what. This helps colleagues understand what the threats are. Then there is Security Training which covers how to deal with the threat. Finally, there is Security education which covers why.
- Dual Control: For critical functions, two people must participate. For example, one person can submit a request and another must approve it.
- Separation of Duties: No one person has the rights and access to do the operation alone. An example would be two employees that both know part of a code required to do a task.
- Third Party/Consultants: Third-party consultants are a risk that must be accounted for in policy and contracts.
- Cross-Training: Training colleagues on multiple roles allows for the job to be completed if the primary colleague for a role is either unable or unwilling to complete it.
- Mandatory Vacation: Some companies take cross training to another level by mandating vacation. This provides an opportunity for the colleague that is cross-trained to do the role. It also may identify if any fraud is being done by changing who does the role.
- Succession Planning: Proper succession planning identifies candidates to succeed key employees and a plan to train these individuals in advance.
Defense in depth requires processes to be in place within an organization. There are several key areas around processes to be understood.
- Continual Improvement: Security never sits still and analyst must always work to improve it. A process of Plan, Do, Check and Act should be implemented.
- Scheduled Reviews/Retirement of Processes:
- What controls are being used?
- How can they be improved?
- Are they still necessary?
- Are there new issues?
- Which controls can be added for the new issues?
Technology solutions are the back bone of defense in depth.
- Automated Reporting: Vulnerability scanning tools can automatically report on their findings. These can be tailored to the audience.
- Technical Report: Comprehensive report for analysts and engineers.
- Change Report: Presents only changes from previous scans
- Executive Report: Decision making graphs and information.
- Senior Executive Report: Nontechnical decision making information.
- Security Appliances: IPS/IDS, Firewalls, SIEM and encryption devices
- Security Suites: Collection of security utilities in a single tool
- Outsourcing: Security as a Service through a third party might be appropriate for smaller organizations that cannot afford the expertise in house. These agreements must be thoroughly reviewed.
- Cryptography: Cryptography comes in many forms and strengths, these must be used to provide confidentiality and integrity of data. The cryptography used should be evaluated against current best practices for key length, encryption algorithm
Other Security Considerations
- Network Design: Placement of security tools within the network is important. SIEMs should be central and NIDS/NIPS should be placed at important choke points.
- Network Segmentation: VLANs segment at layer 2 and subnets segment at layer 3. In addition tools like private VLANs (PVLANs) can be used for further segmentation.