
I have a decent understanding of and experience with securing and setting up smaller networks, although absolutely no enterprise experience. I understand that at such a large scale there are different technologies for managing the sheer number of machines and the complicated topology.

What security technologies are unique to enterprise environments? Firewalls would not count, as they are prevalent in non-enterprise environments as well.

At a guess I would think there would be heightened monitoring and aggregated logging which could be centralized, perhaps a way to quickly isolate compromised machines from the rest of the network (on-the-fly VLANs?)... what else?

I am not asking about more sophisticated versions of technology, as obviously an enterprise firewall will have more features/functionality than one for a small business.

I have looked at devices like the Cisco MARS and ArcSight... which seem to do centralized log aggregation, reporting and prediction... are these the only examples of technologies specific to enterprise environments?

How much additional information would administrators have at their disposal from such unique technologies, compared to what standard logging and reporting tools provide?

Sonny Ordell
  • This question, including many of the questions in it, appears to be a repeat of this other SE question -- http://security.stackexchange.com/questions/3092/security-operation-center-soc – atdre Jun 05 '11 at 17:37
  • @atdre, not interested in stuff for a SOC or suggestions relating to that; interested specifically in differences in enterprise security from smaller environments, unique to enterprise environments. For example, a firewall would be part of the answer to the SOC question, but not to my question. – Sonny Ordell Jun 05 '11 at 18:09
  • @ Sonny: Yes, that question discusses the problems of the cost of SIEM as it relates to smaller organizations. You should really check it out. – atdre Jun 05 '11 at 18:24
  • @atdre, it's a different question to what I'm asking, is my point. There may be some crossover in the answers, but my question is certainly not a repeat. – Sonny Ordell Jun 06 '11 at 03:37
  • @ Sonny: I'm not going to answer it again. See if someone else does – atdre Jun 06 '11 at 13:09
  • @atdre, as I said, they are different questions. I am interested in stuff unique to enterprise, which stuff in a SoC is not. – Sonny Ordell Jun 07 '11 at 23:18
  • @ Sonny: s/SOC/Enterprise Incident Response/g – atdre Jun 08 '11 at 16:38
  • @atdre, you know that in a SOC there are things not unique to an enterprise environment, which is what I am asking about. Not sure why you are not understanding that. – Sonny Ordell Jun 09 '11 at 09:46
  • @ Sonny: Get over yourself. I never used the word SOC. The person with that question did. My answer applies to both. Use your brain to replace "SOC" with "Enterprise Incident Response" – atdre Jun 09 '11 at 17:01
  • @atdre, your answer is irrelevant to my question. If you can't see that I'm sorry, but please stop insisting it is. – Sonny Ordell Jun 09 '11 at 17:11
  • @ Sonny: No, you are wrong. 1) My answer discusses unique Enterprise-grade and SMB/SOHO-grade incident response/detection technologies, 2) My answer discusses the cost of these technologies, 3) My answer discussed custom controls for client-side technology that would minimize the rate and impact of incident response – atdre Jun 09 '11 at 17:15
  • @atdre, your answer mentioned technologies in passing, but does not give a comprehensive list. Your answer is also far more general, with a lot of suggestions for policies and strategy, when I am only interested in the technology. I have edited my question to be more clear. I have read your answer several times and it is not at all the answer to my question, I'm sorry. – Sonny Ordell Jun 09 '11 at 17:21

2 Answers

From your title it appears you are asking what security incident response and detection technologies are unique to large enterprise environments.

Unique technology:

  • A central Security Information and Event Management (SIEM) system - large organizations need to be able to centrally gather logs and alerts from a large number of disparate systems (e.g. firewalls, AV, platforms, databases, applications) for correlation and monitoring. A smaller organization may get away with configuring email alerts or reviewing logs.
  • A central incident tracking and workflow system - something like Remedy or better to log security incidents, manage ownership, allocate tasks and track to completion. A smaller organization may use email or a spreadsheet for this.

People and process:

  • A 24 x 7 Security Operations Center (SOC) consisting of shift workers or a follow-the-sun geographic pool of people
  • Formal security incident rehearsals, both on paper and full-on red team / blue team exercises

Just about everything also needs more powerful models, clusters and horizontal growth capability to cope with the scale, redundancy and geographic distribution needs that smaller organizations will not have.

Unique security technology outside of incident response and detection that you see more in larger organizations, due to scale, complexity, and regulatory and audit requirements (probably not a complete list):

  • Data loss prevention
  • Email encryption
  • Removable media control
  • Identity and access management
  • Configuration compliance and file integrity monitoring e.g. Tripwire
  • Single sign-on
  • Web access management (e.g. Siteminder)
  • Federated identity
  • Automated security source code analysis and application vulnerability scanning
  • Hardware security modules
  • Internal Certificate Authority (CA)
  • Backup encryption / decryption appliance
  • DDoS filtering service
  • Dedicated IPS (i.e. not in a UTM)
Rakkhi
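The first bullet of this answer describes a SIEM as centrally gathering logs from disparate sources for correlation. The following is an added illustration, not code from the answer or from any SIEM product, of what that correlation step amounts to: events from three constructed log formats (a firewall, an AV agent and an authentication log) are normalized into one schema, keyed by host via an assumed asset inventory, and a single rule fires when a burst of failed logons, a malware detection and blocked outbound connections all land on the same host within a time window. All log lines, hostnames, addresses and the rule thresholds are made up for the example.

```python
"""Toy SIEM-style correlation over constructed log lines from three sources.

Added example; the formats, hosts, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each source has its own format,
# which is exactly the problem a SIEM's normalization layer solves.
FIREWALL_LOGS = [
    "2011-06-05T17:30:01Z fw01 DENY src=10.0.0.7 dst=203.0.113.9 dport=4444",
    "2011-06-05T17:30:05Z fw01 DENY src=10.0.0.7 dst=203.0.113.9 dport=4444",
    "2011-06-05T17:31:10Z fw01 ALLOW src=10.0.0.12 dst=198.51.100.2 dport=443",
]
AV_LOGS = [
    "2011-06-05T17:29:50Z host=ws-007 threat=Trojan.Generic action=quarantined",
]
AUTH_LOGS = [
    "2011-06-05T17:28:00Z host=ws-007 user=alice result=FAIL",
    "2011-06-05T17:28:05Z host=ws-007 user=alice result=FAIL",
    "2011-06-05T17:28:09Z host=ws-007 user=alice result=FAIL",
    "2011-06-05T17:28:20Z host=ws-012 user=bob result=OK",
]
# Assumed asset inventory: lets firewall events (keyed by IP) join host-keyed events.
ASSETS = {"10.0.0.7": "ws-007", "10.0.0.12": "ws-012"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def normalize(source, line):
    """Turn one raw line into a common event dict: ts, source, host, kind, detail."""
    ts, rest = line.split(" ", 1)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    ev = {"ts": parse_ts(ts), "source": source}
    if source == "firewall":
        action = rest.split()[1]  # DENY / ALLOW
        ev.update(host=ASSETS.get(fields["src"], fields["src"]),
                  kind="fw_" + action.lower(),
                  detail=f"{fields['dst']}:{fields['dport']}")
    elif source == "av":
        ev.update(host=fields["host"], kind="av_detect", detail=fields["threat"])
    elif source == "auth":
        kind = "auth_fail" if fields["result"] == "FAIL" else "auth_ok"
        ev.update(host=fields["host"], kind=kind, detail=fields["user"])
    return ev


def collect():
    """Gather every source into one time-ordered event stream."""
    events = []
    for src, lines in (("firewall", FIREWALL_LOGS), ("av", AV_LOGS), ("auth", AUTH_LOGS)):
        events.extend(normalize(src, line) for line in lines)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5), fail_threshold=3):
    """Raise one incident per host when failed logons, an AV detection and
    denied outbound connections all occur on that host within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            counts = defaultdict(int)
            for e in span:
                counts[e["kind"]] += 1
            if counts["auth_fail"] >= fail_threshold and counts["av_detect"] and counts["fw_deny"]:
                incidents.append({
                    "host": host,
                    "first_seen": span[0]["ts"],
                    "last_seen": span[-1]["ts"],
                    "failed_logons": counts["auth_fail"],
                    "threats": sorted({e["detail"] for e in span if e["kind"] == "av_detect"}),
                    "blocked_destinations": sorted({e["detail"] for e in span if e["kind"] == "fw_deny"}),
                })
                break  # one incident per host; a real SIEM keeps per-host state instead
    return incidents


if __name__ == "__main__":
    for inc in correlate(collect()):
        print(inc)
```

The value over reading each log on its own is the join: the firewall only knows an IP, the AV agent only knows a hostname, and the authentication log only knows a user, and none of the three alone crosses a threshold worth paging someone for. Real products add durable storage, parsers for hundreds of formats, and a rule language, but the normalize-then-correlate shape is the same.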

What security technologies are unique to enterprise environments? Firewalls would not count, as they are prevalent in non-enterprise environments as well.

There is nothing that is 'unique' to an enterprise environment. There are various levels and certain 'hindrances' to software being deployed outside these environments (i.e. cost), but it doesn't mean you won't see it happen.

I am not asking about more sophisticated versions of technology, as obviously an enterprise firewall will have more features/functionality than one for a small business.

That really though is what an 'enterprise' solution is... a more sophisticated version of technology used at a consumer level.

Take a look at things like Spiceworks, which handles network management, and then intrusion detection systems like Snort and Suricata. (Note: I'm telling you about free versions of this sort of software so you can play with them!) The 'commercial' versions of such things will do the same sort of tasks... just on a larger/better scale.

Another 'enterprise' solution is hardware/circuit level firewalls built into switches and/or routers.

  • What about things like ArcSight and such? What would be an equivalent threat detection system for a SOHO environment? – Sonny Ordell Jun 27 '11 at 16:26
  • @Sonny ArcSight is a very large application/service that does a large variety of tasks related to Intrusion Detection (et cetera) and compiles them under one 'software suite'. I can't think of anything that rivals all the features of ArcSight, but you can fairly easily find programs/services for any one (or a few) of ArcSight's features. Take a look at Snort (as I mentioned above) and also Snorby. EDIT: Good luck finding what you need! –  Jun 27 '11 at 18:36
  • Not actually needing anything, just wondering what goes on in more complex environments. So things like ArcSight don't have unique technologies as such, just much better versions of what is at a lower level? – Sonny Ordell Jun 27 '11 at 18:44
  • @Sonny I can't speak with any certainty of knowing the inner workings of something like ArcSight, but I'm fairly certain it all boils down to the same concepts/methodologies.. just implemented in slightly different ways and with greater/lesser resources. –  Jun 27 '11 at 18:45