SE-550
DETECTING SECURITY BREACHES
1 Day
Tuition: $595

Target Audience:
System Administrators, Security Auditors, IT Managers

Prerequisites:
- Intermediate or Advanced Network and Systems Admin experience
- Network Intrusion Protection course
- Intrusion Detection with Snort (recommended)

As a result of completing this course, the student will be able to:
· Choose auditing parameters that balance information and resource usage
· Detect malicious processes
· Detect changed registry keys
· Understand how to use a honeypot as a defensive tool

Student Materials:
- Binder of printed overheads & labs
- Reference Book: TBA

Monitoring Overview
- What is a Security Breach?
- Available Monitoring Methods
- Real-time vs. Historical Data
- Detection Limitations and False Positives
- Resource Limitations

File System Verification
- MD5 checksums
- Detecting Hidden files
- Tripwire tool
- Lab – Malware detection with Tripwire

Registry Verification
- Detecting Hidden Keys
- Real-time monitoring with Regmon tool
- Lab – Registry modification detection

Running Processes Verification
- Detecting Hidden Processes
- Kernel-mode Process Verification
- Lab – Detecting Process Injection with Inzider

Monitoring Audit Logs
- What Should I Log?
- Windows Event Logs
- Centralized Logging and Analysis
- Alert Response
- Lab – Event log analysis and alerts

Detecting Malicious Network Activity
· Traffic Monitoring with IDS
· Discovering Covert Tunnels
· Honeypots
· Lab – Honeypot deployment

Summary List of Lab Exercises/Tools:
· Tripwire file system verification
· Regmon tool
· Inzider tool
· Analyzing audit logs
· Honeypot deployment and trial enticement