Virtual Security Operations Center Portal Reports User Guide. October, 2016

Transcription

1 Virtual Security Operations Center Portal Reports User Guide October, 2016 Copyright IBM Corporation 2010, 2013, 2014, 2016

2 Table of Contents OVERVIEW... 3 REPORTING HIGHLIGHTS... 3 REPORT DASHBOARD... 4 GENERATING REPORTS... 6 SCHEDULE REPORTS... 7 CUSTOMIZING REPORTS WITH CSV... 8 GENERAL SERVICE RELATED... 9 SERVICE LEVEL AGREEMENT REPORT... 9 SERVICE OVERVIEW REPORT SECURITY MANAGER OVERVIEW REPORT IDS/IPS SENSORS REPORTS ATTACK METRICS ATTACKS ON CRITICAL ASSETS IP INTELLIGENCE REPORT: PREVENTED ATTACK REPORT EVENT COUNTS REPORTING IDS/IPS SENSOR EVENT COUNTS BY IP SUMMARY IDS /IPS EVENT TREND VULNERABILITY MANAGEMENT REPORTS ENTERPRISE HOME PAGE CONTENT MANAGEMENT REPORTS URL FILTERING CATEGORY FIREWALL REPORTS FIREWALL SERVICE OVERVIEW TOTAL FIREWALL CONNECTIONS TRAFFIC ANALYSIS DENIED TRAFFIC ANALYSIS TRAFFIC ANALYSIS WEB ACTIVITY BY WEBSITE SUSPICIOUS HOST CORRELATION REPORT LOG MANAGEMENT, SYSTEM ACTIVITY, AND PCI COMPLIANCE REPORTS SYSTEM ACTIVITY EVENT DETAILS DAILY SUMMARY REPORT Page 2 of 32

3 Overview This document helps you take advantage of the Reporting features in the IBM Security Services Managed Security Services (MSS) Customer Portal, sometimes referred to as the Virtual Security Operations Center. Use this guide to learn about basic navigation of the Report Dashboard, or to facilitate in-depth analysis to support your Security organization. Report templates include descriptions and use cases to help you better understand the various industry standard templates and best practices available to you. Reporting Highlights Security Event and Trend Statistics Firewall Traffic and Utilization Statistics Threat and Vulnerability Research Threat and Vulnerability Mitigation Audit Compliancy Workload Prioritization Suspicious Host Detection IP Intelligence (security analytics) PCI Compliancy Statistical Overview of Your Services Note: Feature sets may vary based on the MSS services you have subscribed to. Appropriate Service and Service level subscription is required. Page 3 of 32

4 Report Dashboard The Portal Report Dashboard contains many industry standard report templates that you can customize by device, device groups, and time intervals. Click a report template hyperlink to configure report criteria and generate a report. The report templates can facilitate research, vulnerability assessment, threat mitigation, workload prioritization and delegation, and help address audit compliancy requirements. Page 4 of 32

5 The report templates are grouped into several categories: General Service Related Reports on statistics associated with your subscribed services IDS/IPS Sensors Reports on sensor statistics Vulnerability Management Reports associated with your VMS Service Content Management Reports related to web content, anti-virus, and anti-spam Firewall Reports on FW statistics Log Management Reports associated with your SELM Service Compliance Reports associated with PCI compliance Alerts Report of the alerts and counts associated with your SELM Service The Portal allows you to save report criteria for future use, and to export a report in PDF and CSV formats. You can schedule reports at fixed time intervals by selecting one of the calendar icons shown below. The scheduling feature also allows you to reports automatically to various members in your organization. Page 5 of 32

6 Generating Reports Step 1: Select the desired time interval from the drop down. Note you also have the option to select from a saved report. Step 2: Select the desired device or device group. Note you also have the option to report on inactive devices. Step 3: Select the desired report options including amount and format. Note you also have options to enable, Resolve DNS, Trending and Group by Network. Note: To save the report, check the box entitled Save this criteria. Step 4: Populate or Select any filters. Note: You do not have to select any filters to generate a report. Step 5: Select, Submit Query on the lower right hand side. Page 6 of 32

7 Schedule Reports After you have customized (named) and saved your reports you can set up auto reporting. Step 1: Select the desired report name. Step 2: Schedule the report by selecting the appropriate recurrence pattern (Hourly, Daily, etc.). Step 3: Schedule the appropriate recurrence range. Note the calendar icons for specific end date assistance. Step 4: Select the appropriate report format (PDF, HTML or CSV). Step 5: Verify and / or edit the recipient fields. Step 6: Click Create Schedule on the lower right. Best Practice Tip: If you need to delegate work within your security team, or adhere to audit compliancy requirements, use the report delivery options to archive reports to a centralized mailbox. Page 7 of 32

8 Customizing Reports with CSV You can open a CSV (comma separated value) report in Microsoft Excel. It is a powerful and versatile format. It allows you to combine data from multiple sources, and use macros and other Excel tools to manipulate the data and create multiple views of it. Using Excel Pivot Tables to Create Custom Reports from a CSV File The pivot table feature in Microsoft Excel allows you to manipulate report data in many different ways, essentially creating multiple reports from one exported CSV file. For more information about how to use Excel to manipulate portal report data, refer to the video, Exporting Portal Data and Using Excel to Manipulate Data and Create Pivot Tables (10 minutes), which is available in the Portal Media Library. Page 8 of 32

9 General Service Related Reports General Service Related reports can help you research, track, and document ticketing information, including Service Level Agreement binded tickets and security incident details. These reports can assist in audit compliancy initiatives. There are three types of service related reports: Service Level Agreement, Service Overview and Security Manager Report Service Level Agreement Report Report shows charts and statistics on SLA eligible tickets and associated response time. Graphs will track various types of tickets including suspected outages, maintenance and general inquires. Page 9 of 32

10 Service Overview Report The Service Overview report shows graphs and charts summarizing SLA eligible tickets, ticket type breakdown and a six-month trend. Page 10 of 32

11 Security Manager Overview Report The Security Manager Overview report shows the total security event count and security incident statistics. The report also includes a detailed Security Incident (ticket) breakdown, which can assist in organization and workload prioritization. Page 11 of 32

12 IDS/IPS Sensors Reports IDS/IPS sensor reports provide statistical threat analysis information about security event threats impacting your network. Use these reports to gather statistics on security events by source and destination, as well as assist in researching attack trends. You also can use these reports for tuning initiatives. Attack Metrics This report requires security events from IBM appliances. It displays several graphs of data, detailing the numbers and types of attacks detected during the past 30 days. This report can help identify abnormalities within your network. To view more detailed information, click a graph and plot points to generate drill-in reporting. Click a graph for drill-in research capabilities. Page 12 of 32

13 Explanation of Attack Types The attack types included in the Attack Metrics report, along with brief descriptions and examples, are listed below. Protocol Signature A large number of these events in a short time period could indicate an attack. Example: TLS_Weak_Cipher_Suite Servers and clients use X.509 certificates when establishing communication using Secure Sockets Layer (SSL). An SSL server that allows weak ciphers (with key-lengths less than 128-bits) could allow a remote attacker to obtain sensitive information. Suggested Action: Consult server documentation to disable weak ciphers. Pre-Attack Probe An attempt to gain access to a computer and its files through a known or probable weak point in the computer system. Example: Ping_Sweep As a prelude to an attack, subnets are often swept with ICMP or other packets that elicit known responses from active hosts. This sort of probe is used to enumerate active hosts on the subnet, and identify potential attack targets. Normal hosts on a network should never engage in sweeps unless they are performing network monitoring or management tasks. Suggested Action: Always filter inbound ICMP (other than replies to outbound requests) through your firewall or filtering router, if possible. If a stateful inspection filter is not available inbound, then block all ICMP outbound to prevent replies from reaching the attacker. Unauthorized Access Attempt This usually denotes suspicious activity on a system, or failed attempts to access a system, by a user or who does not have access. Example: SSH_Brute_Force This event detects an excessive number of very short SSH sessions initiated by a single client to one or more servers within a specified timeframe. It may indicate a username/password guessing attack, or a DoS attack. To qualify as this type of attack, a session must have completed encryption negotiations so that a login may be attempted, and the time elapsed from the first encrypted client data until the TCP session ends with a TCP FIN or server RST must be less than the setting for pam.login.ssh.short.session.time (default 4 seconds). The signature is tunable via the pam.login.ssh.count p (default 12) and the pam.login.ssh.interval setting (default 60 seconds). This signature also detects an excessive number of SSH Server Identifications from an SSH server within a specified timeframe. This may indicate a username/password guessing attack. The signature is tunable via the pam.login.ssh.count, pam.login.ssh.interval and pam.ssh.server.bruteforce.chars settings. Page 13 of 32

14 Backdoors Hidden programs that attackers use to access your computer without your knowledge or consent. Example: RDP_Brute_Force This signature detects worms, such as Win32/Morto, that allow unauthorized access to an affected computer. These worms spread by trying to compromise administrator passwords for Remote Desktop connections on a network. Example: NetController_TCP_Request This signature detects a request on port 6969/TCP that may indicate a NetController backdoor running on your network. Suggested Action: Use an up-to-date antivirus program to scan the target computer to determine if it is infected with a backdoor program. If the program detects a backdoor, follow its instructions to disinfect and repair the computer. Denial of Service An attack that attempts to prevent legitimate users from accessing information or services. By targeting a user s computer and its network connection, or the computers and network of the site a user is trying to access, an attacker may be able to prevent a user from accessing , websites, or online accounts for banking or other services that rely on the affected computer or network. Example: Smurf_Attack In a Smurf denial-of-service (DoS) attack, ICMP echo request (ping) packets addressed to an IP broadcast address cause a large number of responses. When each host on the subnet replies to the same ping request, the large number of responses can consume all available network bandwidth, especially if data is appended to the ping request. This can prevent legitimate traffic from being transmitted during the attack. This attack is frequently used against third parties, where an attacker forges the target's source address in a Smurf attack against a different target. At the extreme, this attack can simultaneously disable both targets. Windows systems do not respond to broadcast pings. However, this does not mean that all Microsoft networks are invulnerable to Smurf attacks. Suggested Action: Reconfigure your perimeter router or firewall to block ICMP echo requests on the internal network, and block ICMP echo replies from entering the network. This prevents an internal attacker from using your network to mount a SMURF attack against another target. It also prevents an external attacker from targeting your hosts. However, neither of these actions will stop internal SMURF attacks. Page 14 of 32

15 Network An attack that uses various types of network traffic and protocols for malicious activities. Example: HTTP_eDirectory_Multiple_Connection Novell edirectory is vulnerable to a denial of service, caused by an error in the dhost.exe service when processing Connection headers. By sending multiple HTTP requests containing specially-crafted "Connection" headers, a remote attacker could exploit this vulnerability to consume all available CPU resources, resulting in a denial of service. Suggested Action: Refer to Novell Security Alert Document ID: for patch, upgrade or suggested workaround information. Example: ICMP_Redirect ICMP redirects detected on a network or targeted at hosts with weak TCP/IP stack implementations have been shown to cause system failures and other adverse effects. Some versions of NetWare, Windows, and embedded systems like Microware OS-9 have been shown to be susceptible to attacks using ICMP redirects. An attacker could forge ICMP Redirect packets, and possibly alter the host routing tables and subvert security, by causing traffic to flow on a path the network manager did not intend. Caution: Various networked, embedded controllers may hang or shut down, if they receive an ICMP redirect with an invalid Code. If your network contains controllers attached to automation equipment, manufacturing equipment, HVAC (Heating, Ventilation, and Air Conditioning) equipment, and medical equipment, do not perform ICMP redirects. Host Sensor Exploits and general host activity that is only visible from the local host and not through the analysis of network traffic. Example: Security_disabled_local_group_changed This signature detects a Windows event log message indicating that the local distribution group has been changed. Suggested Action: Please check whether the changes that were made to the local distribution group are allowed. Status/Control Messages Information related to the operation of the security product. Example: License_Notice This event indicates that something of notice has happened to the current license state of one or more of the licensable modules. This could be generated by the installation of a license or change to any part of a license, including count, usage or maintenance dates. Suggested Action: For information events, no particular action is required. Page 15 of 32

16 Suspicious Activity Activity that indicates unusual system behavior or network traffic, due to various causes, such as possible threats by attackers, user errors, or malfunctioning equipment. Example: Suspicious_ActiveX_Installer This signature detects attempts to install suspicious ActiveX controls. This may indicate an attempt to install spyware on the victim's computer. This signature may be configured to ignore specific vendors by using the pam.activex.whitelist tuning parameter. Suggested Action: If the indicated software is found to be installed and not desired, uninstall it from your system. Use an up-to-date antivirus or spyware removal program to determine if the target computer is host to a spyware program. Attacks on Vulnerable Assets The Attacks on Vulnerable Assets report requires subscription to the Vulnerability Management Service (VMS) and allows you to view correlated vulnerability and IDPS data for greater insight into potential security risk areas in your network. The report summarizes the timeframe, asset and source IP, CVE / NIST database links and vulnerability severity. Access the IP intelligence feature by clicking on the, Source or Asset IP hyperlinks. CVE (Common Vulnerabilities and Exposures) NIST (National Vulnerability Database within the National Institute of Standards and Technology) This report can further assist with documenting vulnerabilities and workload prioritization. Note: Customers with IDPS only can run the report but they will be prompted that this report is only available if vulnerability scan (VMS) data is available. Hyperlink to NIST CVE database Page 16 of 32

17 The Attacks on Critical Assets report also includes security event names, an event count summary and the source, or Attacker, IP address. To generate more information on the event and threat, click a security event name link. Clicking the Source IP hyperlink generates the IP Intelligence report. Clicking an IPS count link launches the Active Analyzer view, which further summarizes associated activity, and provides access to additional research and filtering options. Page 17 of 32

18 IP Intelligence Report The IP Intelligence report provides an even deeper analysis of individual IP addresses, including their Geo-IP location, summaries of firewall events and IDPS events, and whois information. This report also includes a risk profile, vulnerability scan results, and associated ticket summaries (if available) for any of your assets that are targeted by an attack. Note: Risk and vulnerability information for your targeted assets is populated from Asset Center data that you have uploaded to the Portal. Page 18 of 32

19 Prevented Attack Report The Prevented Attacks report provides statistics on blocked security events, including a graph and a list of associated signatures. This report is useful for showing how your sensors are protecting your network, as well as potentially flagging legitimate blocked traffic. Clicking a signature hyperlink gives you access to research options, including security information, the sources and destinations, and the associated sensors. Page 19 of 32

20 Event Counts Reporting The various Event Counts reports are excellent for threat analysis investigation. They can help you quickly identify trends by sensors, and by top sources and destinations, impacting your network. You also can generate reports based on Security events. Page 20 of 32

21 IDS/IPS Sensor Event Counts by IP Summary IDS/IPS Sensor Event Counts by IP Summary assists you in threat analysis by trending top activity per sensor with associated event names and IP addresses. Attack trending statistics can help your security team focus protection and remediation efforts. To see additional research options, including device details and logs, click an IP hyperlink. Page 21 of 32

22 IDS/IPS Event Trend The Event Trend report compares events and trends for the current period with the previous period, and lists any security incidents. Clicking a signature hyperlink provides access to additional research options. Side-by-side event trending Page 22 of 32

23 Vulnerability Management Reports Vulnerability Management (VMS) reports provide different ways to look at the vulnerabilities associated with your site and asset data. Report templates provide a range of views from business-centric perspectives to detailed technical assessments. You can learn more about the identified vulnerabilities and how to remediate them, or you can just list the services that are running on your network assets. You can create a report on a site, but reports are not tied to sites. You can parse assets in a report any number of ways, from a single asset to all of your scanned enterprise assets. For more information about Vulnerability Management Service reports, please reference the VMS Reporting Guide available in the Portal Media Library. Enterprise Home Page Page 23 of 32

24 Content Management URL Filtering Category Content Management templates allow you to research and document a summary of your network s top web traffic by Category and Client (IP address). Each category will chart Blocked (red) and Allowed (green) traffic. The reports are useful for identifying inappropriate and unauthorized Internet use. Page 24 of 32

25 Below is the full view of the URL Filtering Category Summary, including trending information. To view logs, click a category name hyperlink and select, View these logs. This generates a log query, with the associated traffic, and allows you to further research and document web traffic. Page 25 of 32

26 Firewall Firewall reporting will assist you in traffic analysis, rule analysis and policy optimization. This will not only improve the performance of your network, but alert you to suspicious activity that warrants further investigation. Firewall Service Overview The Firewall Service Overview report shows a list of top sources and destinations, including top web- and nonweb-related traffic. There is also a connections table that can help you identify anomalies. Page 26 of 32

27 Total Firewall Connections Traffic Analysis Denied The traffic analysis denied report details the top source and destination IPs, with port, count, and trending percentage. Spikes in dropped traffic may represent various types of scanning or other malicious intent. Page 27 of 32

28 Traffic Analysis Use the Traffic Analysis report to identify high trending valid and invalid traffic. Invalid traffic could potentially be spambot traffic. A spike in traffic from workstations could be a sign of an infection. Traffic Analysis Web Activity by Website Traffic analysis by web activity (by website) report will detail top outbound web destinations by source and destination IP with trending information. In today s world, port 80 is used for many types of malicious traffic, including infections and C&C control of botnets. Attackers use this port because it is one of the most open TCP ports in any corporate firewall. Using our traffic analysis report, you can help keep an eye on the most popular websites visited, and also the country they belong to. For example, if you are a US company and notice a large amount of traffic to a server in China, it would be something worth investigating. Page 28 of 32

29 Protocol Usage helps to breakdown top firewall traffic and may identify suspicious protocol usage. This can be useful in detecting new outbreaks like the Morto worm, which spreads over 3389/tcp. Suspicious Host Correlation Report The Suspicious Host Correlation report uses logs from your devices to identify suspicious communication from within your network to known malicious or botnet hosts. The intelligence used to identify this traffic comes from IBM X-Force Research, IP reputation data, and trusted third parties. For the Suspicious Host dashboard, your logs are analyzed and referenced with IBM s suspicious host intelligence near-real-time results. Use this report to help flag potential threats, and the Suspicious Host dashboard for further research and mitigation assistance. Page 29 of 32

30 Log Management, System Activity, and PCI Compliance The Log Management, System Activity and Payment Card Industry (PCI) report templates are associated with the Security Event and Log Management (SELM) service. SELM provides a series of reports in the Log Management report section that tie combinations of system activity events occurring on designated devices to specific PCI requirements. Each report gives a summary of events by device (with drill down to log detail), a summary of alerts triggered by those events (with drill down to alert detail), and a summary of tickets for the events and devices (with drill down to ticket detail). Note: Alert details are available for only the last 30 days. System Activity Event Details This report generates system activity event log information, including counts and detailed information on the log. Page 30 of 32

31 Daily Summary Report IBM recommends that you subscribe to the Daily Summary Report located under Settings/My Profile ( Notifications). You will receive an with important information, including the Current Internet Security Assessment and an active ticket summary. This can be useful to document and address audit compliancy, as well as assist you in work prioritization. Page 31 of 32

32 Copyright IBM Corporation 2010, 2013, 2014, 2016 IBM Global Technical Services Route 100 Somers, NY Produced in the United States of America October 2016 IBM, the IBM logo and ibm.com, X-Force, Express and Express Advantage are trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/legal/copytrade.shtml. Other company, product or service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates. The customer is responsible for ensuring compliance with legal requirements. It is the customer s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.