Posted: 23-Sep-2014 | Category: Technology
Visual Security Event Analysis
Raffael Marty, GCIA, CISSP, ArcSight Inc.
02/14/06 – HT2-103
Disclaimer
IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance with well-known addresses or host names is purely coincidental.
Who Am I?
● Raffael Marty, GCIA, CISSP
● Strategic Application Solutions @ ArcSight, Inc.
● Intrusion Detection Research @ IBM Research
● IT Security Consultant @ PricewaterhouseCoopers
● Open Vulnerability and Assessment Language (OVAL) board member
● Speaker at various security conferences
● Passion for Visual Security Event Analysis, see http://afterglow.sourceforge.net
Table Of Contents
• The Security Monitoring Challenge
• Solving Event Overload - Today
— Normalization
— Prioritization
— Correlation
• Visual Security Event Analysis
— Situational Awareness
— Real-time Monitoring
— Forensic and Historical Analysis
A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Make Better Decisions
Reduce Analysis and Response Times
Typical Security Monitoring Challenges
• Accuracy: “I wish I could see prioritized and relevant information!”
• Efficiency: “How can we prioritize and communicate efficiently?”
• Complexity: “How can I manage this flood of data?”
• Reporting: “How can I demonstrate compliance?”
… and do it all cost effectively
The Needle in the Haystack
Security information / events shrink in volume as analysis proceeds: tens of millions of raw events per day, then millions per day, then less than 1 million per month, down to a few thousand per month that need attention.
Event classes along the way: normal, audit trail, failed attacks, false alarms, pre-attacks, attack formation, verified breaches, policy violations, identified vulnerabilities, misuse, potential breaches.
Three areas of concern: Insider Threat, Compliance, Defense in Depth.
Solving Event Overload - Today
Data Analysis Components
Intelligence
• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
— Rule-based Correlation
— Statistical Correlation
• Advanced Analytics
— Pattern Detection
Event Normalization and Categorization
Sample Raw PIX Events:
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
The last event, normalized and categorized:
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
[Figure: Normalization / Categorization of the event above]
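The normalization step can be made concrete with a small parser. The following Python is an added example written for this page, not ArcSight's or the presenter's code: it parses the four sample PIX lines above into a flat event with one common field set and attaches a vendor-neutral category. The category names, the treatment of unknown message ids, and the fifth (constructed) sample line are assumptions; the four PIX lines are the ones shown on the slide.

```python
import re
from datetime import datetime
from typing import Optional

# Syslog header common to every PIX message: timestamp, then %PIX-<severity>-<message id>.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# One body pattern per message id. Only the four ids from the sample lines are covered;
# anything else is reported as unparsed rather than guessed at.
BODY_RES = {
    "106011": re.compile(
        r"Deny inbound \(No xlate\) (?P<proto>\w+) "
        r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "305011": re.compile(  # the "to" side here is the translated (NAT) address
        r"Built dynamic (?P<proto>\w+) translation "
        r"from (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "302013": re.compile(
        r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) "
        r"for (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
        r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"),
    "106015": re.compile(
        r"Deny (?P<proto>\w+) \(no connection\) "
        r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
        r"flags (?P<flags>[A-Z ]+?) on interface (?P<sif>\w+)"),
}

# Categorization (assumed names): a vendor-neutral (class, action) pair per message id,
# so a rule can say "firewall deny" instead of listing every vendor's message format.
CATEGORY = {
    "106011": ("firewall", "deny"),
    "106015": ("firewall", "deny"),
    "305011": ("firewall", "translation-built"),
    "302013": ("firewall", "connection-built"),
}


def normalize(line: str) -> Optional[dict]:
    """Parse one PIX syslog line into a flat, normalized event; None if unrecognised."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    body_re = BODY_RES.get(head["msgid"])
    body = body_re.match(head["body"]) if body_re else None
    if not body:
        return None
    f = body.groupdict()
    event = {
        "ts": datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S"),
        "severity": int(head["sev"]),
        "message_id": head["msgid"],
        "category": CATEGORY[head["msgid"]],
        "proto": f["proto"].lower(),
        "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "src_if": f.get("sif"), "dst_if": f.get("dif"),
        "raw": line.strip(),
    }
    # In the outbound 302013 sample the endpoint printed after "for" carries port 80, i.e.
    # it is the responder. Swap so src/dst consistently mean initiator/responder.
    if head["msgid"] == "302013" and f["dir"] == "outbound":
        event["src"], event["dst"] = event["dst"], event["src"]
        event["sport"], event["dport"] = event["dport"], event["sport"]
        event["src_if"], event["dst_if"] = event["dst_if"], event["src_if"]
    return event


def normalize_all(text: str):
    """Normalize every non-empty line; returns (events, unparsed_lines)."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = normalize(line)
        (events if ev else unparsed).append(ev or line)
    return events, unparsed


# The four sample lines from the slide, plus one constructed line with an id we do not handle.
SAMPLE = """\
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Jun 02 2005 12:16:04: %PIX-6-999999: constructed line with an unknown message id
"""

if __name__ == "__main__":
    evs, bad = normalize_all(SAMPLE)
    for ev in evs:
        print(ev["ts"], ev["category"], ev["proto"],
              f'{ev["src"]}:{ev["sport"]} -> {ev["dst"]}:{ev["dport"]}')
    print("unparsed:", len(bad))
```

The point of keeping unparsed lines separately rather than dropping them is that a normalizer silently discarding events is itself a blind spot; the count of unparsed lines is the first thing to watch when a new firewall firmware changes a message format.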
Risk-based Prioritization
[Figure: event sources (Windows systems; Unix/Linux/AIX/Solaris; security devices; mainframe & apps; databases) feed Agents, which send events to a Collector that emits a Prioritized Event. A Vulnerability Scanner and Asset Information also feed the prioritization. Priority inputs: Model Confidence, Relevance, Severity, Asset Criticality, Agent Severity.]
Event Correlation
• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules or analyze statistical properties of event streams
— Across devices
— Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
— Can use priorities of individual events
• Simple Event Match: failed logins on Windows systems and failed logins on UNIX systems, 5 or more failed logins in a minute from the same source, produce an Attempted Brute Force Attack
• Complex Multi-Event Match: Attempted Brute Force Attack followed by a successful login to Windows systems produces Attempted Brute Force Attack + Successful Login
Four Types of Real-time Correlation
• Simple (single-event match, see the Event Correlation slide)
• Complex Correlation (multi-event match, see the Event Correlation slide)
• Statistical
— Mathematical model, e.g. a 50% increase in traffic per port and machine? (traffic per port going to 10.0.0.2)
• Stateful
— Manually populated lists, e.g. a terminated employee list (…, ram, jdoe, user)
— User on terminated employee list tries to login: a login attempt from user ram matches the list
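As an added illustration of the four correlation types, not code from the deck or from ArcSight, the Python below runs each type over constructed, already-normalized login and traffic data. The 5-failures-per-minute threshold and the 50% traffic increase come from the slides; the ten-minute follow-up window for the complex rule, the terminated-employee list, the baseline numbers and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                        # "5 or more failed logins in a minute"
BRUTE_FORCE_WINDOW = timedelta(minutes=1)
SUCCESS_FOLLOWUP_WINDOW = timedelta(minutes=10)  # assumption: the slide gives no value
TRAFFIC_INCREASE = 0.5                           # "50% increase in traffic per port and machine"

# Constructed terminated-employee list: the stateful, manually populated list on the slide.
TERMINATED_EMPLOYEES = {"ram", "jdoe"}


# 1. Simple event match: sliding one-minute window of failed logins per source.
#    Windows and UNIX failures both arrive as category "auth-failure"; that shared
#    category is what lets a single rule count "across devices".
def detect_brute_force(events):
    window = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        if ev["category"] != "auth-failure":
            continue
        q = window[ev["src"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > BRUTE_FORCE_WINDOW:   # expire failures older than a minute
            q.popleft()
        if len(q) >= BRUTE_FORCE_THRESHOLD and ev["src"] not in alerted:
            alerted.add(ev["src"])                    # alert once per source, not per extra failure
            alerts.append({"name": "Attempted Brute Force Attack", "src": ev["src"], "ts": ev["ts"]})
    return alerts


# 2. Complex multi-event match: a brute-force alert followed by a successful login from
#    the same source. Input is the output of rule 1 plus the raw event stream.
def detect_success_after_brute_force(events, brute_alerts):
    alert_ts = {a["src"]: a["ts"] for a in brute_alerts}
    alerts = []
    for ev in events:
        if ev["category"] != "auth-success" or ev["src"] not in alert_ts:
            continue
        delta = ev["ts"] - alert_ts[ev["src"]]
        if timedelta(0) <= delta <= SUCCESS_FOLLOWUP_WINDOW:
            alerts.append({"name": "Attempted Brute Force Attack + Successful Login",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


# 3. Statistical: compare current per-(host, port) byte counts with a baseline and flag
#    anything more than 50% above it. Ports with no baseline are skipped here; a "new port
#    seen" rule would be a separate concern.
def detect_traffic_increase(baseline, current):
    alerts = []
    for (host, port), now in current.items():
        base = baseline.get((host, port))
        if base and now > base * (1 + TRAFFIC_INCREASE):
            alerts.append({"name": "Traffic increase", "host": host, "port": port,
                           "increase": round(now / base - 1, 2)})
    return alerts


# 4. Stateful: any login attempt, failed or successful, by a user on the terminated list.
def detect_terminated_user_login(events, terminated=TERMINATED_EMPLOYEES):
    return [{"name": "Terminated employee login attempt", "user": ev["user"],
             "src": ev["src"], "ts": ev["ts"]}
            for ev in events
            if ev["category"] in ("auth-failure", "auth-success") and ev["user"] in terminated]


def sample_events():
    """Constructed normalized login events: category, device type, user, source, time."""
    t0 = datetime(2005, 6, 2, 12, 16, 0)
    evs = []
    # six failures in 50 seconds from 10.0.0.5, split across Windows and UNIX hosts
    for i in range(6):
        evs.append({"ts": t0 + timedelta(seconds=10 * i), "category": "auth-failure",
                    "device": "windows" if i % 2 == 0 else "unix", "user": "jsmith", "src": "10.0.0.5"})
    # five failures from 10.0.0.9 but 90 seconds apart: never five within one minute
    for i in range(5):
        evs.append({"ts": t0 + timedelta(seconds=90 * i), "category": "auth-failure",
                    "device": "unix", "user": "bob", "src": "10.0.0.9"})
    # one failed login by a terminated employee
    evs.append({"ts": t0 + timedelta(seconds=200), "category": "auth-failure",
                "device": "windows", "user": "ram", "src": "10.0.0.7"})
    # successful Windows login from the brute-forcing source two minutes in
    evs.append({"ts": t0 + timedelta(seconds=120), "category": "auth-success",
                "device": "windows", "user": "jsmith", "src": "10.0.0.5"})
    return sorted(evs, key=lambda e: e["ts"])


def run_all():
    events = sample_events()
    brute = detect_brute_force(events)
    baseline = {("10.0.0.2", 445): 1000, ("10.0.0.2", 80): 5000}                       # constructed
    current = {("10.0.0.2", 445): 1600, ("10.0.0.2", 80): 5200, ("10.0.0.2", 3389): 300}
    return {"simple": brute,
            "complex": detect_success_after_brute_force(events, brute),
            "statistical": detect_traffic_increase(baseline, current),
            "stateful": detect_terminated_user_login(events)}


if __name__ == "__main__":
    for kind, alerts in run_all().items():
        print(kind, alerts)
```

Note how the complex rule consumes the simple rule's alerts rather than re-counting failures: that is the "combine multiple events" layering the slide describes, and it is also why correlation output should carry the source and timestamp of the triggering event, not just a name.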
Advanced Analytics - Pattern Detection
• Automatically detect repetitive event patterns
• Capability to detect new worms, malware, system misconfigurations, etc.
• Automatically create correlation rules to flag new occurrences of the attack
Example pattern (Name | Device Product):
NETBIOS DCERPC Activation little endian bind attempting | Snort
NETBIOS DCERPC System Activity path overflow attempt little endian unicode | Snort
Tagged Packet | Snort
SHELLCODE x86 NOOP | Snort
NETBIOS DCERPC Remote activity bind attempt | Snort
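One simple way to realise "detect repetitive patterns, then generate a rule" is sequence mining over IDS signature names per source. The Python below is an added example, not the product's pattern-detection algorithm: it learns signature sequences that recur across several sources and turns each into a rule applied to a later stream. The signature names are taken from the table above; the source addresses, ordering, n-gram length and support threshold are constructed assumptions.

```python
from collections import Counter, defaultdict


def sequences_by_source(events):
    """Order each source's IDS events by time and keep only the signature names."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e["src"], e["ts"])):
        by_src[ev["src"]].append(ev["name"])
    return by_src


def ngrams(names, n):
    return [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]


def mine_patterns(events, n=3, min_sources=2):
    """Signature sequences of length n seen from at least min_sources distinct sources."""
    support = Counter()
    for names in sequences_by_source(events).values():
        for gram in set(ngrams(names, n)):       # a source supports a pattern at most once
            support[gram] += 1
    return sorted(g for g, c in support.items() if c >= min_sources)


def pattern_to_rule(pattern):
    """Turn a mined sequence into a correlation rule a later stream can be checked against."""
    return {"name": "Auto-generated: " + " -> ".join(pattern), "sequence": list(pattern)}


def apply_rules(rules, events):
    """Flag every source whose ordered signature names contain a rule's sequence."""
    alerts = []
    for src, names in sequences_by_source(events).items():
        for rule in rules:
            if tuple(rule["sequence"]) in ngrams(names, len(rule["sequence"])):
                alerts.append({"src": src, "rule": rule["name"]})
    return alerts


# Signature names from the slide's table (all from Snort); sources and order are constructed.
BIND = "NETBIOS DCERPC Remote activity bind attempt"
OVERFLOW = "NETBIOS DCERPC System Activity path overflow attempt little endian unicode"
NOOP = "SHELLCODE x86 NOOP"
TAGGED = "Tagged Packet"


def _stream(spec):
    """spec: {src: [names in time order]} -> flat event list with synthetic timestamps."""
    return [{"src": src, "ts": i, "name": name, "product": "Snort"}
            for src, names in spec.items() for i, name in enumerate(names)]


HISTORY = _stream({                  # the repetitive pattern: bind -> overflow -> NOOP
    "10.1.1.11": [BIND, OVERFLOW, NOOP, TAGGED],
    "10.1.1.12": [TAGGED, BIND, OVERFLOW, NOOP],
    "10.1.1.13": [BIND, TAGGED, TAGGED],
})
NEW_TRAFFIC = _stream({              # later stream the learned rule is applied to
    "10.1.2.20": [BIND, OVERFLOW, NOOP],
    "10.1.2.21": [BIND, TAGGED],
})


def demo():
    rules = [pattern_to_rule(p) for p in mine_patterns(HISTORY)]
    return rules, apply_rules(rules, NEW_TRAFFIC)


if __name__ == "__main__":
    rules, alerts = demo()
    for r in rules:
        print("learned rule:", r["name"])
    for a in alerts:
        print("alert:", a)
```

Counting each source once per n-gram (the `set(...)` in `mine_patterns`) matters: a single noisy host replaying the same three signatures a thousand times should not, on its own, become a site-wide rule.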
Visual Security Event Analysis
Why a Visual Approach Helps
A picture tells more than a thousand log lines
Visual Approach – Benefits I
• Multiple views on the same data
• Selection and drill-down
Visual Approach – Benefits II
• Color by different properties
Three Aspects of Visual Security Event Analysis
• Situational Awareness
— What is happening in a specific business area (e.g., compliance monitoring)
— What is happening on a specific network
— What are certain servers doing
• Real-Time Monitoring and Incident Response
— Capture important activities and take action
— Event Workflow
— Collaboration
• Forensic and Historic Investigation
— Selecting arbitrary set of events for investigation
— Understanding big picture
— Analyzing relationships - Exploration
— Reporting
Situational Awareness
[Figure: Instant Awareness / Event Graph Dashboard]
[Figure: MMS CDRs graph with From Phone #, To Phone #, MSG Type]
[Figure: Geo Spatial Visualization]
Real-time Monitoring
Real-time Monitoring – Detect Activity
Analysis Process
[Figure: Real-time Data Processing feeds Visual Detection, then Visual Investigation; outcomes are Assign to 2nd Level Analysis, Assign Ticket for Operations, or Automatic Remediation (Automatic Action); Creation of new Filters and Correlation Components feeds back into processing; Forensic and Historical Analysis runs alongside]
Visual Detection and Investigation
Beginning of Analyst’s shift
Visual Detection: scan events and firewall blocks are graphed; scanning activity is displayed
Visual Investigation
Define New Correlation Rules and Filters:
1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
2. Filter: internal machines on white-list connecting to active directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
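The three steps above, as an added example in Python that is not part of the deck or of ArcSight's product: a filter that suppresses the white-listed internal-to-AD drops, the "more than 20 drops from external to internal" rule, and a ticket per finding. The network ranges, AD server and white-list addresses, and the constructed deny events (TEST-NET addresses for the external side) are assumptions; the threshold of 20 and the three steps are from the slide.

```python
from collections import Counter
import ipaddress

# Constructed site configuration; the slide names these items but gives no addresses.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
AD_SERVERS = {"10.1.1.10", "10.1.1.11"}        # active directory servers
WHITELIST = {"10.1.1.20", "10.1.1.21"}         # internal machines on the white-list
DROP_THRESHOLD = 20                            # "more than 20 firewall drops"


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


# Step 2 (filter): drop the known-benign noise, white-listed internal machines hitting the
# AD servers, before any rule sees the stream.
def apply_filter(events):
    return [ev for ev in events
            if not (ev["src"] in WHITELIST and ev["dst"] in AD_SERVERS)]


# Step 1 (rule): more than 20 deny events from one external machine to one internal machine.
def external_scan_rule(events):
    drops = Counter((ev["src"], ev["dst"]) for ev in events
                    if ev["category"] == ("firewall", "deny")
                    and not is_internal(ev["src"]) and is_internal(ev["dst"]))
    return [{"src": s, "dst": d, "drops": n}
            for (s, d), n in drops.items() if n > DROP_THRESHOLD]


# Step 3 (ticket): hand each finding to Operations with the action the slide prescribes.
def open_tickets(findings):
    return [{"queue": "operations", "action": "quarantine and clean",
             "subject": f'{f["drops"]} firewall drops from {f["src"]} to {f["dst"]}'}
            for f in findings]


def run_pipeline(events):
    kept = apply_filter(events)
    findings = external_scan_rule(kept)
    return {"filtered_out": len(events) - len(kept),
            "findings": findings,
            "tickets": open_tickets(findings)}


def sample_drops():
    """Constructed normalized firewall-deny events."""
    def drops(src, dst, n):
        return [{"category": ("firewall", "deny"), "src": src, "dst": dst} for _ in range(n)]
    return (drops("203.0.113.7", "10.1.1.5", 25)      # external -> internal, over threshold
            + drops("198.51.100.3", "10.1.1.5", 10)   # external -> internal, under threshold
            + drops("10.1.1.20", "10.1.1.10", 30)     # white-listed internal -> AD: filtered
            + drops("10.1.1.30", "10.1.1.10", 30))    # internal -> internal: not this rule's concern


if __name__ == "__main__":
    result = run_pipeline(sample_drops())
    print("filtered out:", result["filtered_out"])
    for t in result["tickets"]:
        print("ticket:", t)
```

Ordering the filter before the rule is the whole point of feeding investigation results back into the work-flow: the analyst's finding that the white-listed machines are benign reduces the event load for every later rule, not just this one.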
Real-time Analysis - Summary
• Benefits of Visual Analysis
— Visually driven process for investigating events
— Visual investigation helps
• get a quick turn-around
• detect new and previously unknown patterns (i.e. incidents)
— Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
Forensic and Historical Analysis
Forensic and Historical Investigation
• Three Areas of Concern
— Defense in Depth
— Insider Threat
— Compliance
Defense In Depth - Port Scan Detection
Analysis - Port Scan?
Insider Threat – User Reporting
High ratio of failed logins
Insider Threat - Email Problems
[Figure: email delivery delay per recipient (To), bucketed as 2:00 < Delay < 10:00 and Delay > 10:00]
Compliance – Business Reporting
• Attacks targeting internal systems
[Figure: Attacks against Revenue Generating Systems]
Summary
Detect the expected
& discover the unexpected
Make better decisions
Reduce analysis and response times