Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One

Transcription

1 Security Information Managers: State of the Art Joel M Snyder Senior Partner Opus One jms@opus1.com

2 Definition: SIMs accept security information from multiple sources within the enterprise and analyze it to provide a higher level of understanding. SIM SEM SEIM SIEM ESM You-name-it 2

3 SYSLOG Windows SSH/Telnet Files Or, in pretty pictures Insight! Alerts! Reports! SNMP Archives! Databases 3

4 You have lots and lots of data You can collect from existing points You can add tools, such as IDS Your servers & workstations have useful data as well 4

5 Data Are Pretty Useless Without Analysis Collecting raw data doesn t help you very much unless your goal is filling up that SAN (50 switches * 1 event/hour + 4 firewalls * 10 log entry/second + 20 routers * 25 netflows/second + 10 servers * 1 event/minute workstations * 1 event/hour+ 2 IDS sensors * 15 events/second) * 100 chars/entry * 24 hrs/day * 7 days/week = 32 Gbytes/week 5

6 Welcome to the World of SIM/SEM Grabbing all that data is just a starting point, though eiqnetworks CA Hightower netforensics OpenService Tenable Arcsight Consul Intellitactics NetIQ Protego (CSCO) Q1 Labs LogLogic E-Security (Novell) netforensics Network Intelligence (RSA/EMC) Symantec TriGeo 6

7 SIMs support a security information lifecycle Collect Forensics Normalize and Store Reporting Correlate/ Analyze Alert/ Respond 7

8 Collecting Is More Than Filling up Disks Data have to be collected Syslog (sure, pick the easy one) SNMP Traps Windows Event Logs and Performance Data Agent-full Agent-less Vulnerability analyzer reports/logs/data J. Random Log Files Anything Else You Can Imagine Data have to be normalized Data have to be stored and managed Forensics Reporting Collect Alert/ Respond Normalize & Store Correlate/ Analyze 8

9 Normalization and Storage Management are Hard Normalization: These are the same 14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15 Jan 16 14:55: netscreen.opus1.com: Netscreen device_id= systemnotification 00257(traffic): start_time=" :55:19" duration=1 policy_id=0 service=http proto=6 src zone-trust dst zone=untrust action=permit sent=11903 rcvd src= dst= src_port=4523 dst_port=80 Storage: Data grow forever On-line Near-line Off-line 9

10 Most SIM products normalize fields, and apply a hierarchy 14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15 Date/ Time Message Source IP Source Port Dest IP Dest Port Proto. Severity 14:55 Traffic accepted by firewall TCP INFO 14:55 IIS backslash evasion TCP WARNING 14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] {TCP} :4523-> :80 10

11 The Hierarchy is Important to Unifying your View Attack Behavior Inferred Attack Resource Attack Network Attack Access Access->Application Access-> Daabase Access->Application Access-> File Transfer Access->Application Access-> Mail Access Access->Configuration Access Access->Core Access -> ICMP Redirect Access Access->File System Access->NFS Access Suspicious Behavior Authentication Suspicious Failed Authentication 11

12 Correlation and Analysis are where SIMs earn their keep Events/Log Data need to be prioritized Events/Log Data need to be combined to form a greater whole Events/Log Data need to be correlated so that particular patterns can be identified Events/Log Data/Flow Data need to be aggregated so that traffic and trend data can be brought out Forensics Reporting Collect Alert/ Respond Normalize & Store Correlate/ Analyze 12

13 Cross-event Correlation is the most common type to consider Sometimes a single event is what you care about Sometimes you want multiple events Jan 16 14:37: netscreen.opus1.com: NetScreen device_id= system-warning : duration=0 start_time=" :37:04" netscreen: Admin User "netscreen" logged in for Web(https) management (port 443) from :3473. ( :34:32) 14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src s_port 4523 dst service http proto tcp rule 15 resource= 14:55:22 accept fw1.opus1.com >eth0 product VPN-1 & Firewall-1 src s_port 69 dst service tftp proto udp rule 18 Unauthorized Access to Administrative Services Successful NIMDA causing victim to TFTP down virus 13

14 Correlation and Analysis can also bring together different data sources sflow Record sflow Record sflow Record Firewall Data VA Data IDS Data Host Information DNS & NetBIOS names Operating System MAC & IP Addresses VLAN Tag Attributes Criticality Notes Addt l User-specified Host Profile Protocols L3: IP, etc. L4: TCP, UDP, etc. Services Ports and Protocols Banners Manager Configuration Client Applications Vulnerabilities 14

15 Flow Data are a nice Bonus SYN SYN-ACK ACK Data Data FIN FIN-ACK ACK 15

16 With Correlation and Analysis, You Want Alerting Alerting has a bad name (and well it should) Poor alerting was invented by the pager companies as a way to sell minutes Alerting requires very flexible thinking and configuration Time-of-day differences Rate limiting Different profile Forensics Reporting Collect Normalize & Store Correlate/ Analyze Alert/ Respond 16

17 Correlation and Alerts Form Business Rules This is the heart of SIM You explain: what is important to you what you want to do about it The SIM sorts through the pile of poop Experienced consulting helps a lot here 17

18 Business Rules Are Not Hard to Write Track Compromised Systems IF (attack signature towards a system) AND THEN WITHIN 10 MINUTES (ICMP rate towards same system goes over 5/minute) THEN ALERT Keep Backups of Diskless Devices IF (Cisco syslog shows configuration was changed) THEN Launch Script to Backup Config 18

19 Good SIMs also come with a pile of business rules and auto-correlation Rule HT11 Inactive Reporting Asset Notification HT12 Attack Followed by Account Change HT13 Attack Followed by Service Change Description Rule HT11 reports inactivity from Reporting Assets during a given time frame. Rule HT11 determines if a Reporting Asset has stopped reporting. Rule HT12 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for account changes that occur directly after attacks. Rule HT13 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for service changes (additions, deletions, or modifications) that occur directly after attacks. This rule will also monitor for key words in a URL string and the direction of traffic between assets and non-assets. 19

20 Some Brave Souls like Active Response Anatomy of a Self-Inflicted Denial of Service Attack 2. SIM decides to block all traffic from for 1 hr. SIM 1. IPS or system reports login failures from (User can t remember password to his web server.) 20

21 So What Happens Next? 1. Traffic is blocked to user s web server. User can no longer get to web server from his home cable modem. 2. User assumes web server is dead. User VPNs into remote power system and cycles power to device. 3. User is impatient. Device is fsck-ing disk 5 minutes later when user cycles power again. 4. Now web server is truly dead. 21

22 Even if you like it, Active Response is harder than it sounds????? Attack from the Internet: where does the block go? Attack from within: where does the block go? How long to block? 22

23 Once the Data Are There, Managing Them Is a Part of the Job Forensics Reporting Archiving Companies are coming under more and more compliance regimes which require not only keeping 3 to 7 years worth of logs but the ability to retrieve data from those archives quickly and flexibly Forensics Reporting Collect Normalize & Store Correlate/ Analyze Alert/ Respond 23

24 Reporting Is More Than Making C- series Execs Happy Performance analysis is useful data for you And of course pretty pictures are nice for management 24

25 Forensics Are a Natural Follow-on to Any Pile of Data This system was attacked by X. Who else has X attacked? System Y generated a log message. How many times has this happened this year? Alert Z happened. Wht other alerts happen every time Z happens? Event M is happening. What went on just prior to this starting? 25

26 Picking a SIM Means Looking at Each Requirement How does it collect and store data? Can it integrate with a variety of network elements? Does it talk to a VA scanner (if you care)? How smart is it regarding hosts (if you care)? How are business rules expressed? How does it correlate and analyze data? How flexible is it in alerting? If you want active response Does it work? What are the forensics capabilities? Can it support your data retention requirements? Does it have useful reports? Useful to you Useful to management 26

27 Thanks! Joel Snyder Senior Partner Opus One