Security Information Managers: State of the Art. Joel M Snyder Senior Partner Opus One


Security Information Managers: State of the Art
Joel M Snyder, Senior Partner, Opus One, jms@opus1.com

Definition
SIMs accept security information from multiple sources within the enterprise and analyze it to provide a higher level of understanding.
Also known as: SIM, SEM, SEIM, SIEM, ESM, you-name-it.

Or, in pretty pictures
[Diagram: Syslog, Windows, SSH/Telnet, files, SNMP and databases feed the SIM, which produces insight, alerts, reports and archives.]

You have lots and lots of data
- You can collect from existing points
- You can add tools, such as IDS
- Your servers & workstations have useful data as well

Data Are Pretty Useless Without Analysis
Collecting raw data doesn't help you very much unless your goal is filling up that SAN:
  (50 switches * 1 event/hour
   + 4 firewalls * 10 log entries/second
   + 20 routers * 25 netflows/second
   + 10 servers * 1 event/minute
   + 1000 workstations * 1 event/hour
   + 2 IDS sensors * 15 events/second)
   * 100 chars/entry * 24 hrs/day * 7 days/week = 32 Gbytes/week

Welcome to the World of SIM/SEM
Grabbing all that data is just a starting point, though.
[Vendor logos: eiqnetworks, CA, Hightower, netforensics, OpenService, Tenable, Arcsight, Consul, Intellitactics, NetIQ, Protego (CSCO), Q1 Labs, LogLogic, E-Security (Novell), Network Intelligence (RSA/EMC), Symantec, TriGeo]

SIMs support a security information lifecycle
[Cycle diagram with six stages: Collect, Normalize and Store, Correlate/Analyze, Alert/Respond, Reporting, Forensics]

Collecting Is More Than Filling up Disks
- Data have to be collected:
  - Syslog (sure, pick the easy one)
  - SNMP traps
  - Windows event logs and performance data (agent-full or agent-less)
  - Vulnerability analyzer reports/logs/data
  - J. Random Log Files
  - Anything else you can imagine
- Data have to be normalized
- Data have to be stored and managed

Normalization and Storage Management are Hard
Normalization: these two records describe the same connection:
  14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15
  Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 policy_id=0 service=http proto=6 src zone=trust dst zone=untrust action=permit sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80
Storage: data grow forever, across on-line, near-line and off-line tiers.

Most SIM products normalize fields, and apply a hierarchy
Raw firewall record:
  14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15
Raw IDS record:
  14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] {TCP} 1.2.3.4:4523->192.245.12.2:80
Normalized:
| Date/Time | Message | Source IP | Source Port | Dest IP | Dest Port | Proto. | Severity |
|---|---|---|---|---|---|---|---|
| 14:55 | Traffic accepted by firewall | 1.2.3.4 | 4523 | 192.245.12.2 | 80 | TCP | INFO |
| 14:55 | IIS backslash evasion | 1.2.3.4 | 4523 | 192.245.12.2 | 80 | TCP | WARNING |

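The normalization step on slides 9 and 10 is easier to see in code. The following is an added example, not code from the talk or from any SIM product: it parses the two firewall formats quoted above (a Check Point VPN-1/FireWall-1 line and a NetScreen line, both constructed from the slide) into the common schema of the table. The service-name and protocol-number tables and the severity mapping are my assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in the two formats on the slide (not real traffic):
# a Check Point VPN-1/FireWall-1 record and a NetScreen record for the same flow.
CHECKPOINT_LINE = ("14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 "
                   "src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15")
NETSCREEN_LINE = ('Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 '
                  'system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 '
                  'policy_id=0 service=http proto=6 src zone=trust dst zone=untrust action=permit '
                  'sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80')

SERVICE_PORTS = {"http": 80, "https": 443, "tftp": 69}  # assumed service-name table
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}     # IANA protocol numbers
CP_RE = re.compile(r"^(\S+) (\w+) \S+ .*?\bsrc (\S+) s_port (\d+) dst (\S+) service (\S+) proto (\w+)")

# The common schema: the columns of the slide's normalized table
Event = namedtuple("Event", "time message src_ip src_port dst_ip dst_port proto severity")

def _describe(action):
    # Map the vendor's action word onto a message and a severity (assumed mapping)
    accepted = action in ("accept", "permit")
    return ("Traffic accepted by firewall" if accepted else "Traffic denied by firewall",
            "INFO" if accepted else "WARNING")

def parse_checkpoint(line):
    m = CP_RE.match(line)
    if not m:
        return None
    time, action, src, sport, dst, service, proto = m.groups()
    message, severity = _describe(action)
    return Event(time, message, src, int(sport), dst, SERVICE_PORTS.get(service, 0),
                 proto.lower(), severity)

def parse_netscreen(line):
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))  # key=value pairs, quoted or bare
    if not {"src", "dst", "src_port", "dst_port", "action"} <= set(kv):
        return None
    message, severity = _describe(kv["action"])
    return Event(line.split()[2], message, kv["src"], int(kv["src_port"]), kv["dst"],
                 int(kv["dst_port"]), PROTO_NAMES.get(kv.get("proto", ""), "unknown"), severity)

def normalize(line):
    # Detect the source format by a vendor-specific marker, then map it onto the schema
    if "device_id=" in line:
        return parse_netscreen(line)
    if "product VPN-1" in line:
        return parse_checkpoint(line)
    return None
```

Both sample lines normalize to the same source, destination, port, protocol and severity, which is what lets a later correlation stage treat them as one connection regardless of which device logged it.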
The Hierarchy is Important to Unifying your View
Attack Behavior
  Inferred Attack
  Resource Attack
  Network Attack
Access
  Access -> Application Access -> Database Access
  Access -> Application Access -> File Transfer Access
  Access -> Application Access -> Mail Access
  Access -> Configuration Access
  Access -> Core Access -> ICMP Redirect Access
  Access -> File System Access -> NFS Access
Suspicious Behavior
  Authentication Suspicious
    Failed Authentication

Correlation and Analysis are where SIMs earn their keep
- Events/log data need to be prioritized
- Events/log data need to be combined to form a greater whole
- Events/log data need to be correlated so that particular patterns can be identified
- Events/log data/flow data need to be aggregated so that traffic and trend data can be brought out

Cross-event Correlation is the most common type to consider
- Sometimes a single event is what you care about:
  Jan 16 14:37:30 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-warning-00515: duration=0 start_time="2005-01-16 14:37:04" netscreen: Admin User "netscreen" logged in for Web(https) management (port 443) from 12.146.232.2:3473. (2005-01-16 14:34:32)
  => Unauthorized Access to Administrative Services
- Sometimes you want multiple events:
  14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15 resource=http://192.245.12.2/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
  14:55:22 accept fw1.opus1.com >eth0 product VPN-1 & Firewall-1 src 192.245.12.2 s_port 69 dst 1.2.3.4 service tftp proto udp rule 18
  => Successful NIMDA causing victim to TFTP down virus

Correlation and Analysis can also bring together different data sources
[Diagram: sFlow records, firewall data, VA data and IDS data are combined into a model of each host:]
- Host information: DNS & NetBIOS names, operating system, MAC & IP addresses, VLAN tag
- Attributes: criticality, notes, additional user-specified
- Host profile: protocols (L3: IP, etc.; L4: TCP, UDP, etc.), services (ports and protocols, banners), client applications, vulnerabilities
- Manager configuration

Flow Data are a nice Bonus
[Diagram: one TCP connection as a flow record: SYN, SYN-ACK, ACK, data, data, FIN, FIN-ACK, ACK]

With Correlation and Analysis, You Want Alerting
- Alerting has a bad name (and well it should)
- Poor alerting was invented by the pager companies as a way to sell minutes
- Alerting requires very flexible thinking and configuration:
  - Time-of-day differences
  - Rate limiting
  - Different profiles

Correlation and Alerts Form Business Rules
- This is the heart of SIM
- You explain what is important to you and what you want to do about it
- The SIM sorts through the pile of poop
- Experienced consulting helps a lot here

Business Rules Are Not Hard to Write
Track Compromised Systems:
  IF (attack signature towards a system)
  AND THEN WITHIN 10 MINUTES (ICMP rate towards same system goes over 5/minute)
  THEN ALERT
Keep Backups of Diskless Devices:
  IF (Cisco syslog shows configuration was changed)
  THEN launch script to back up config

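The "Track Compromised Systems" rule above is a stateful, time-windowed correlation, the same shape as the multi-event NIMDA case on slide 13. As an added example (not the talk's code and not any vendor's rule engine), here it is implemented over a stream of already-normalized events; the event dictionary layout and the constructed sample stream are assumptions.

```python
from collections import defaultdict, deque

ATTACK_WINDOW = 600    # seconds: the ICMP spike must follow the attack within 10 minutes
RATE_WINDOW = 60       # seconds over which the ICMP rate is measured
RATE_THRESHOLD = 5     # alert when more than 5 ICMP packets/minute hit the same host

class CompromiseTracker:
    """Stateful rule: attack signature towards X, then ICMP to X over 5/min within 10 min."""

    def __init__(self):
        self.last_attack = {}                 # dst_ip -> time of most recent attack signature
        self.icmp_times = defaultdict(deque)  # dst_ip -> timestamps inside the rate window
        self.alerted = set()                  # (dst_ip, attack_time) pairs already alerted
        self.alerts = []

    def ingest(self, event):
        """event: normalized dict with 'time' (epoch seconds), 'kind' and 'dst_ip'."""
        dst, now = event["dst_ip"], event["time"]
        if event["kind"] == "attack_signature":
            self.last_attack[dst] = now       # the rule's first clause
            return None
        if event["kind"] != "icmp":
            return None                       # other event kinds do not feed this rule
        q = self.icmp_times[dst]
        q.append(now)
        while q and now - q[0] > RATE_WINDOW: # slide the one-minute rate window
            q.popleft()
        attack_at = self.last_attack.get(dst)
        if attack_at is None or not 0 <= now - attack_at <= ATTACK_WINDOW:
            return None                       # no attack on this host, or it was too long ago
        if len(q) > RATE_THRESHOLD and (dst, attack_at) not in self.alerted:
            self.alerted.add((dst, attack_at))  # one alert per attack, not one per packet
            alert = {"rule": "Track Compromised Systems", "host": dst,
                     "attack_time": attack_at, "icmp_per_min": len(q), "time": now}
            self.alerts.append(alert)
            return alert
        return None

# Constructed sample stream: an IDS signature against 192.245.12.2 followed by an ICMP
# burst to it, plus an unrelated ICMP burst to a host that saw no attack.
SAMPLE = ([{"time": 1000, "kind": "attack_signature", "dst_ip": "192.245.12.2"}]
          + [{"time": 1100 + 5 * i, "kind": "icmp", "dst_ip": "192.245.12.2"} for i in range(8)]
          + [{"time": 1200 + 5 * i, "kind": "icmp", "dst_ip": "10.0.0.9"} for i in range(8)])

def run(events):
    """Feed a stream through the tracker and return the alerts it raised."""
    tracker = CompromiseTracker()
    return [a for a in (tracker.ingest(e) for e in events) if a]
```

The second burst raises nothing because no attack signature preceded it, and the first raises exactly one alert rather than one per ICMP packet, which is the kind of rate-limiting slide 16 asks for.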
Good SIMs also come with a pile of business rules and auto-correlation
| Rule | Name | Description |
|---|---|---|
| HT11 | Inactive Reporting Asset Notification | Rule HT11 reports inactivity from Reporting Assets during a given time frame. Rule HT11 determines if a Reporting Asset has stopped reporting. |
| HT12 | Attack Followed by Account Change | Rule HT12 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for account changes that occur directly after attacks. |
| HT13 | Attack Followed by Service Change | Rule HT13 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for service changes (additions, deletions, or modifications) that occur directly after attacks. This rule will also monitor for key words in a URL string and the direction of traffic between assets and non-assets. |

Some Brave Souls like Active Response
Anatomy of a Self-Inflicted Denial of Service Attack:
1. IPS or system reports login failures from 192.58.128.30. (User can't remember password to his web server.)
2. SIM decides to block all traffic from 192.58.128.30 for 1 hr.

So What Happens Next?
1. Traffic is blocked to user's web server. User can no longer get to web server from his home cable modem.
2. User assumes web server is dead. User VPNs into remote power system and cycles power to device.
3. User is impatient. Device is fsck-ing disk 5 minutes later when user cycles power again.
4. Now web server is truly dead.

Even if you like it, Active Response is harder than it sounds
- Attack from the Internet: where does the block go?
- Attack from within: where does the block go?
- How long to block?

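The three questions above (where does the block go for an Internet versus an internal source, and for how long) can be answered by a guard in front of the response action, so that a single sensor's report of login failures like the one in the self-inflicted DoS story never turns into a one-hour block on its own. This is an added example, not the talk's code or any product's feature; the address ranges, protected-host list, duration cap and corroboration threshold are assumed policy values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy values (not from the slides): our own address space, hosts that must
# never be cut off automatically, the longest block a rule may impose unattended, and
# how many independent sensors must agree before the SIM acts rather than just alerts.
INTERNAL_NETS = [ip_network("192.245.12.0/24"), ip_network("10.0.0.0/8")]
PROTECTED_HOSTS = {"192.245.12.2"}     # e.g. the web server from the slides
MAX_AUTO_BLOCK_SECONDS = 15 * 60       # well under the slide's one-hour block
MIN_DISTINCT_SENSORS = 2               # IPS alone is not enough; require corroboration

@dataclass(frozen=True)
class ResponseDecision:
    action: str      # "block" or "alert_only"
    where: str       # "perimeter", "internal_switch", or "" when not blocking
    seconds: int     # how long the block lives before it expires on its own
    reason: str      # recorded so the decision can be reviewed afterwards

def decide_response(src_ip, reporting_sensors, requested_seconds=3600):
    """Turn a correlated finding about src_ip into a bounded, reviewable response.

    reporting_sensors: set of distinct sensor names that flagged src_ip, e.g. {"ips"}.
    """
    ip = ip_address(src_ip)
    if src_ip in PROTECTED_HOSTS:
        return ResponseDecision("alert_only", "", 0, "source is a protected asset")
    if len(reporting_sensors) < MIN_DISTINCT_SENSORS:
        return ResponseDecision("alert_only", "", 0,
                                "single-source report; hand to a human instead of blocking")
    # Where the block goes depends on where the source sits: an outside address is
    # stopped at the perimeter, an inside one at the switch port closest to it.
    internal = any(ip in net for net in INTERNAL_NETS)
    where = "internal_switch" if internal else "perimeter"
    seconds = min(requested_seconds, MAX_AUTO_BLOCK_SECONDS)  # answer to "how long?"
    return ResponseDecision("block", where, seconds,
                            f"{len(reporting_sensors)} independent sensors agree")
```

With these values the slide's scenario (one IPS report of login failures from 192.58.128.30, requested block of one hour) comes back as alert_only, and even a corroborated block is capped at fifteen minutes.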
Once the Data Are There, Managing Them Is a Part of the Job
- Forensics
- Reporting
- Archiving: companies are coming under more and more compliance regimes which require not only keeping 3 to 7 years' worth of logs but also the ability to retrieve data from those archives quickly and flexibly

Reporting Is More Than Making C-series Execs Happy
- Performance analysis is useful data for you
- And of course pretty pictures are nice for management

Forensics Are a Natural Follow-on to Any Pile of Data
- This system was attacked by X. Who else has X attacked?
- System Y generated a log message. How many times has this happened this year?
- Alert Z happened. What other alerts happen every time Z happens?
- Event M is happening. What went on just prior to this starting?

Picking a SIM Means Looking at Each Requirement
- How does it collect and store data? Can it integrate with a variety of network elements? Does it talk to a VA scanner (if you care)? How smart is it regarding hosts (if you care)?
- How are business rules expressed? How does it correlate and analyze data?
- How flexible is it in alerting? If you want active response, does it work?
- What are the forensics capabilities? Can it support your data retention requirements?
- Does it have useful reports? Useful to you, and useful to management?

Thanks!
Joel Snyder, Senior Partner, Opus One, jms@opus1.com