
Security Information Management

New approaches

Eurosec 2006

David Bizeul - CISSP

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Today, information is: everywhere, unclassified, in multiple formats

How to unify data? How to consolidate data? How to analyze data?

Security information

Security: all interesting security information

Real threat, risk evolution, unavailability

Information: vulnerability audit report, inventory base, trend report

Event: logs, network flows

Management: regulation conformity, centralized data management

SIM / SEM differences

Convergence of SIM and SEM

Visibility: information standardization, data consolidation, results analysis

Regulation compliance: Basel II, SOX

Security team initialization: SOC, CSIRT

Help the security team with post-analysis

Investment trends / dashboards

SIM, why?

Multiple collectors, centralized management, reaction processes, multi-layered views

SIM principles

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Standardization

Know the event type: information taxonomy

Many vendors: huge workload

Logging types: SNMP, Syslog; different vendor formats

Standardize: place data fields in different containers; some data may be lost

15;29Aug2005;14:00:59;62.229.98.130;account;accept;;daemon;inbound;tcp;141.176.125.66;145.58.30.9;http;2736;3;0:00:04;29Aug2000 14:00:07;18;6400;http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;

Timestamp: 1123359609
Sensortype: firewall
Sensorid: 14
Action: accept
Source: 141.176.125.66
Destination: 145.58.30.9
SPort: 2736
DPort: 80
Information: http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650
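The standardization step shown above (a raw semicolon-separated firewall export turned into a fixed set of named fields, with the leftover columns dropped) as an added example; this is not code from the slides or from any product the deck describes. The column layout of the export, the sensor registry that maps the log origin to a sensor type and id, and the service-name-to-port table are all assumptions constructed for the example.

```python
"""Normalize one raw firewall export line into the field layout of the slide."""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: the raw line from the slide (';'-separated firewall export).
RAW_LINE = ("15;29Aug2005;14:00:59;62.229.98.130;account;accept;;daemon;inbound;tcp;"
            "141.176.125.66;145.58.30.9;http;2736;3;0:00:04;29Aug2000 14:00:07;18;6400;"
            "http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;")

# Assumed column layout for this export (the slide does not name the columns).
COLUMNS = ["num", "date", "time", "orig", "type", "action", "alert", "if_name", "if_dir",
           "proto", "src", "dst", "service", "s_port", "rule", "elapsed", "start",
           "extra1", "extra2", "resource"]

# Constructed sensor registry: log origin address -> (sensor type, sensor id).
SENSORS = {"62.229.98.130": ("firewall", 14)}

# Constructed service-name -> port table, used when the export carries names, not numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "dns": 53, "smtp": 25}

# Source columns that feed the normalized record; every other column is lost.
MAPPED = {"date", "time", "orig", "action", "src", "dst", "service", "s_port", "resource"}


def service_to_port(service: str) -> Optional[int]:
    """Accept either a numeric port or a well-known service name."""
    if service.isdigit():
        return int(service)
    return SERVICE_PORTS.get(service.lower())


def normalize(line: str) -> tuple:
    """Return (normalized record, list of non-empty source columns that were dropped)."""
    values = line.rstrip(";").split(";")
    if len(values) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(values)}")
    raw = dict(zip(COLUMNS, values))
    # The export has no time zone; UTC is assumed here.
    ts = datetime.strptime(f"{raw['date']} {raw['time']}", "%d%b%Y %H:%M:%S")
    sensor_type, sensor_id = SENSORS.get(raw["orig"], ("unknown", None))
    record = {
        "timestamp": int(ts.replace(tzinfo=timezone.utc).timestamp()),
        "sensortype": sensor_type,
        "sensorid": sensor_id,
        "action": raw["action"],
        "source": raw["src"],
        "destination": raw["dst"],
        "sport": int(raw["s_port"]),
        "dport": service_to_port(raw["service"]),
        "information": raw["resource"],
    }
    dropped = [c for c in COLUMNS if c not in MAPPED and raw[c] != ""]
    return record, dropped


if __name__ == "__main__":
    rec, lost = normalize(RAW_LINE)
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("dropped columns:", ", ".join(lost))
```

The `dropped` list is the point the slide makes with "some data may be lost": the protocol, rule number and interface columns never reach the normalized record, so a correlation rule that needs them has to be written before standardization, not after.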

Volumetry

Correct visibility != send everything. Useless consumption (network, storage, memory....). Necessity to act early (product config, local agent, collector). Some components are useless (accept proxy logs).

50 EPS = 1000 EPS E_SNMP_antivirus != E_log_IDS

Real-time correlation = system calculation; context = memory (RAM, database)

Storage: heavy disk space

Correlation and Aggregation

Aggregation: anonymisation issue, bad standardization issue

Correlation rules: IP src spoofing and anonymization issue; sliding windows....; hell direction; vulnerability: IDS evasion

Statistical correlation: take your time

Efficient alarm

Good and early configuration to obtain an adapted result

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Severity

Before standardization

After standardization

Result

Alert severity: drop, fw.reject, 5/10

Asset weight: 10.0.10.150, business zone 3/4

Atomic alarm: medium severity

Rules

Stateless / Stateful

Standard alarm

IF Address=A

IF TYPE=fw.reject AND TYPE=proxy.accept

Atomic alarm: medium severity

Atomic alarm: medium severity

Correlated alarm: high severity

Context

severity+1

severity+1

Context

Time analysis: window = attack time

Atomic alarm: medium severity

Start

Atomic alarm: minor severity

Context improvement

Atomic alarm: medium severity

New context

Time

Atomic alarm: medium severity

IP addresses
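The severity and rule diagrams above (a stateless alarm whose severity combines the alert's own severity with the asset's business weight, then a stateful rule that raises the severity by one step when fw.reject and proxy.accept are both seen for the same address inside an attack-time window) as an added example; it is not code from the slides. The asset weights, alert severities, thresholds and the 60-second window are constructed values for the illustration.

```python
"""Stateless atomic severity plus a stateful, windowed correlation rule."""
from collections import defaultdict

LEVELS = ["minor", "medium", "high", "critical"]

# Constructed asset base: address -> business-zone weight on the slide's /4 scale.
ASSET_WEIGHT = {"10.0.10.150": 3}

# Constructed alert severities on the slide's /10 scale.
ALERT_SEVERITY = {"fw.reject": 5, "proxy.accept": 2, "ids.exploit": 8}


def atomic_severity(event_type: str, address: str) -> str:
    """Stateless rule: weight the alert severity by the asset's business zone."""
    score = ALERT_SEVERITY.get(event_type, 1) / 10 * ASSET_WEIGHT.get(address, 2) / 4
    if score < 0.2:
        return "minor"
    if score < 0.5:
        return "medium"
    if score < 0.8:
        return "high"
    return "critical"


def raise_severity(level: str, steps: int = 1) -> str:
    """The 'severity+1' step of the diagram, capped at the top level."""
    return LEVELS[min(LEVELS.index(level) + steps, len(LEVELS) - 1)]


class StatefulCorrelator:
    """Keep per-address context for `window` seconds (window = attack time)
    and emit a correlated alarm when fw.reject and proxy.accept both appear."""

    REQUIRED = {"fw.reject", "proxy.accept"}

    def __init__(self, window: int):
        self.window = window
        self.context = defaultdict(list)  # address -> [(ts, type, severity)]

    def process(self, ts: int, event_type: str, address: str) -> dict:
        sev = atomic_severity(event_type, address)
        ctx = self.context[address]
        ctx.append((ts, event_type, sev))
        # Sliding window: forget context older than the attack time.
        ctx = [e for e in ctx if ts - e[0] <= self.window]
        self.context[address] = ctx
        seen = {e[1] for e in ctx}
        if self.REQUIRED <= seen:
            worst = max((e[2] for e in ctx), key=LEVELS.index)
            self.context[address] = []  # new context once the scenario fired
            return {"kind": "correlated", "address": address,
                    "severity": raise_severity(worst)}
        return {"kind": "atomic", "address": address, "type": event_type, "severity": sev}


def run_scenario() -> list:
    """Constructed event stream: two hits inside the window, two outside it."""
    correlator = StatefulCorrelator(window=60)
    events = [(1000, "fw.reject", "10.0.10.150"), (1030, "proxy.accept", "10.0.10.150"),
              (2000, "fw.reject", "10.0.10.150"), (2100, "proxy.accept", "10.0.10.150")]
    return [correlator.process(*e) for e in events]


if __name__ == "__main__":
    for alarm in run_scenario():
        print(alarm)
```

The first pair lands inside the window and produces a single correlated alarm of high severity (medium, raised one step); the second pair is 100 seconds apart, so the fw.reject has already left the context and the proxy.accept is reported as an atomic alarm of minor severity. This is the failure mode the slide labels "window = attack time": a window shorter than the attacker's pacing silently turns the correlated alarm back into two atomic ones.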

Vulnerability correlation

Statistical

Scenario

Risk

Predictable

Correlation approaches

First steps

Real view

Mathematical analysis

Security analysis

Close to business

Active tool

time

Multi-hosting supervision

Each site may have its own collector and analyzer

Centralized SOC

Centralized or multiple supervision

Statistical correlation

EPS Threshold

Auto-learning: moving average / variance; never-before-seen approach

Evolutions / Constant issues

Hard to define a threshold: new application, special event....
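The statistical correlation slide names two techniques: an auto-learned EPS threshold derived from a moving average and variance, and a "never before seen" check. The example below, added here and not taken from the slides or from any product, implements both over a constructed EPS sample stream; the learning period of five samples, the factor k=3 and the sensor names are assumptions.

```python
"""Auto-learned EPS thresholds (running mean/variance) and never-before-seen detection."""
import math
from collections import defaultdict


class RunningStats:
    """Welford's online mean/variance: no sample history has to be kept in RAM."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class EpsMonitor:
    """Per-sensor EPS baseline. After `learn_samples` observations, a sample above
    mean + k*stddev is an alert; a (sensor, event type) pair is also flagged the
    first time it is ever observed."""

    def __init__(self, learn_samples: int = 10, k: float = 3.0):
        self.learn_samples = learn_samples
        self.k = k
        self.stats = defaultdict(RunningStats)
        self.seen_types = defaultdict(set)

    def observe_eps(self, sensor: str, eps: float) -> dict:
        st = self.stats[sensor]
        result = {"sensor": sensor, "eps": eps, "alert": False, "threshold": None}
        if st.n >= self.learn_samples:
            threshold = st.mean + self.k * st.stddev
            result["threshold"] = round(threshold, 2)
            result["alert"] = eps > threshold
        if not result["alert"]:
            # A spike must not be learned into the baseline, or the threshold drifts up.
            st.update(eps)
        return result

    def observe_type(self, sensor: str, event_type: str) -> bool:
        """Never-before-seen: True only the first time this sensor emits this type."""
        first = event_type not in self.seen_types[sensor]
        self.seen_types[sensor].add(event_type)
        return first


def run_demo() -> dict:
    """Constructed stream: a quiet baseline around 50 EPS, then a 1000 EPS burst."""
    mon = EpsMonitor(learn_samples=5, k=3.0)
    for eps in (50, 52, 48, 51, 49):          # learning period, no threshold yet
        mon.observe_eps("fw-1", eps)
    quiet = mon.observe_eps("fw-1", 50)       # inside the learned band
    burst = mon.observe_eps("fw-1", 1000)     # far above mean + 3*stddev
    after = mon.observe_eps("fw-1", 53)       # baseline unchanged by the burst
    first_seen = mon.observe_type("fw-1", "fw.reject")
    second_seen = mon.observe_type("fw-1", "fw.reject")
    return {"quiet": quiet, "burst": burst, "after": after,
            "first_seen": first_seen, "second_seen": second_seen}


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With the five learning samples the baseline is mean 50 and standard deviation about 1.58, so the learned threshold sits near 54.7 EPS: 50 passes, 1000 alerts, and because the burst was not folded into the statistics the next sample of 53 is still judged against an unmoved baseline. The "constant issue" from the slide remains visible in the code: a brand-new application that legitimately runs at 200 EPS will alert until someone resets or re-learns its baseline.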

Vulnerability correlation

Between a vulnerability scanner and a detection engine

Asset identification; risk correlation; manual/auto mode for assets

Evolutions

Constant issues

Internal scanners hard to get accepted; necessary updates

Scenario correlation

Rule based correlation

Complete defined product database; business rules built; compliance rules integrated; predictable mode / non-finite state automaton

Evolutions

Constant issue

Standardization; forgotten scenario; what if a step in the scenario is defeated

Threat visibility: IDS (CVE, Bugtraq....), antivirus

Vulnerability visibility: vulnerability audit / scanner

Asset identification and values: via internal scanner

Risk defined as: R = Threat * Vulnerability * Impact. Alert severity or even risk assessment can be defined in a product.
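The risk formula R = Threat * Vulnerability * Impact, fed by the three sources the slides list (IDS for threat, the vulnerability scanner for vulnerability, the asset base for impact), as an added example that is not code from the slides or from any product. The signature table, the scan results, the asset impacts and the factor values are constructed; "VULN-PLACEHOLDER-1" stands in for a real advisory identifier, which the deck does not give.

```python
"""Dynamic risk score for one IDS alert, with the vulnerability factor taken
from the latest scan of the targeted asset (vulnerability correlation)."""

# Constructed threat table: IDS signature -> (threat level 0..1, flaw it targets or None).
SIGNATURES = {
    "ids.exploit.webapp": (0.8, "VULN-PLACEHOLDER-1"),
    "ids.scan.portsweep": (0.3, None),
}

# Constructed vulnerability audit results: asset -> set of open findings.
SCAN_RESULTS = {
    "10.0.10.150": {"VULN-PLACEHOLDER-1"},
    "10.0.10.151": set(),
}

# Constructed asset base: asset -> business impact 0..1.
ASSET_IMPACT = {"10.0.10.150": 0.75, "10.0.10.151": 0.75}
DEFAULT_IMPACT = 0.5      # asset not in the inventory base
UNSCANNED_VULN = 0.5      # no audit data: neither confirmed nor ruled out
GENERIC_VULN = 0.5        # signature not tied to one specific flaw
PATCHED_VULN = 0.1        # scanner says the flaw is absent; keep a residual factor


def vulnerability_factor(asset: str, vuln_id) -> float:
    """Correlate the IDS signature with what the scanner knows about the asset."""
    if vuln_id is None:
        return GENERIC_VULN
    if asset not in SCAN_RESULTS:
        return UNSCANNED_VULN
    return 1.0 if vuln_id in SCAN_RESULTS[asset] else PATCHED_VULN


def risk(signature: str, asset: str) -> float:
    """R = Threat * Vulnerability * Impact, rounded for reporting."""
    threat, vuln_id = SIGNATURES[signature]
    vulnerability = vulnerability_factor(asset, vuln_id)
    impact = ASSET_IMPACT.get(asset, DEFAULT_IMPACT)
    return round(threat * vulnerability * impact, 3)


def severity(signature: str, asset: str) -> str:
    """Map the risk score onto alert severity bands (constructed thresholds)."""
    r = risk(signature, asset)
    if r >= 0.5:
        return "high"
    if r >= 0.2:
        return "medium"
    return "low"


if __name__ == "__main__":
    for asset in ("10.0.10.150", "10.0.10.151", "10.0.10.200"):
        print(asset, risk("ids.exploit.webapp", asset), severity("ids.exploit.webapp", asset))
```

The same IDS signature against the same business zone yields a high-severity alert on the host the scanner reports as vulnerable and a low-severity one on the patched host; an asset the scanner has never reached gets the middle factor, which is exactly why the slide lists "internal scanners hard to get accepted" as a constant issue of this approach.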

Dynamic risk analysis

Product feature

Automatic or manual detection mode, or business knowledge

Manual: SOC/MSSP 24/24

Automatic: threat responses, CIDF

Risk Mitigation

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles
Conclusion

50 % of new IDS/IPS solutions use SIM/SEM to deploy

Many security components standardized

Combined correlation modes

Closer to business goals

Advanced features

All inclusive possibilities

Evolutions and trends

SIM and Enterprise Goal

Events referred to as security policy leakage

Security information

Security alarm

Reaction processes

Security components

SIM

Supervision

Technical / Organisation

Relevance

Risk mitigation

Special thanks

Questions

© DEVOTEAM GROUP. This document is not to be copied or reproduced in any way without Devoteam express permission. Copies of this document must be accompanied by title, date and this copyright notice.

CONTACT

Contact Member David Bizeul

www.devoteam.com

AUSTRIA

BELGIUM

CZECH REPUBLIC

DENMARK

FRANCE

MOROCCO

MIDDLE EAST

NETHERLANDS

SPAIN

SWITZERLAND

UNITED KINGDOM

Authors: David Bizeul
E-mail: [email protected]
Date of release: 20/02/2006
File info: Evolutions SIM

