Brian Albrecht, MIS, CISSP
Senior Knowledge Engineer, LogRhythm, Inc.
[email protected]
Case Study: “Disgruntled Employee Data Breach”
Council of Community Health Clinics (CCC), hacked by former employee
• Employee resigned following a bad review
• Accessed corporate server through RDP connection
• Server contained personally identifiable medical data
• Former employee disabled the automatic backup process; later deleted patient data
Consequences to the organization
• Significant fines if breach had occurred after January 1, 2009 (SB 541 and AB 211)
• Loss of patient data could have led to loss of life
• Patients had to wait hours to see doctors
Consequences to Ex-employee
• Convicted and sentenced to more than 5 years in prison
• Forced to pay more than $400,000 in restitution
Source: Claburn, Thomas. “Network engineer gets five years for destroying former employer’s data.” June 2008. http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=208403740 (accessed 12 August 2009)
Introduction to SIEM Technology
What is a Security Information Event Manager?
Gartner’s Definition: “SIEM solutions analyze security event data in real time to identify threats, and analyze and report on log data for compliance monitoring.”
Goal: to give the user(s) the on-demand ability to utilize real time and historical records of activity for all nodes in an enterprise network.
Objectives:
• Allow for identification of security breaches and attempts through increased awareness.
• Diagnostic identification and remediation of errors and critical events.
• Collection and reporting on data relevant to auditing of GRC requirements.
Compliance… And Beyond
“A layered approach to security is absolutely necessary to protect sensitive payment card data – without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance. Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization’s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete. Reports by forensics companies suggest that this is an area of weakness among organizations.”
Source: PCI Security Standards Council, Statement on Recent Data Breaches
What Happens WITHOUT Protective Monitoring?
The Process
Collect Logs from Log Sources (Software, Appliances, Switches, Routers, Firewalls, etc.)
Extract Meaningful Information from Logs
Enrichment of Log Information (Correlation, Geo-Information, Locality, etc.)
Presentation and Tools (Alarms, Reports, Investigations, Visualization, etc.)
The Challenge: Collect, Organize & Analyze Millions of these… PER DAY
11 28 2005 17:12:24 10.1.1.4 id=firewall sn=0006B11F3B34 time="2005-11-28 17:14:08" fw=216.160.188.116 pri=6 c=1024 m=537 msg="Connection Closed" n=219550 src=10.1.1.22:138:LAN dst=10.1.1.255 proto=udp/netbios-dgm sent=229 rcvd=0
…and these…
11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 MESG=The user matt connected from 67.172.139.201 but failed an authentication attempt due to the following reason: %The user must change his or her password.
11/28/2005 11:56 AM TYPE=Information USER=SECIOUS\andy.grolnick COMP=DELL600SC SORC=Print CATG=(0) EVID=10 MESG=Document 203, PODNOTICE (TA 204163) - 2005-11-28-10-58-04.PDF owned by andy.grolnick was printed on Brother HL-1250 series via port LPT1:. Size in bytes: 124988; pages printed: 1
Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from 192.168.1.2 port 1298 ssh2
11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 MESG=Hanging application notepad.exe, version 5.2.3790.1830, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
65.240.187.181 - - [28/Nov/2005:14:48:29 -0700] "GET / HTTP/1.1" 200 14544 "http://www.google.com/search?q=event+management&hl=en&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
Cryptic text records of server, application, workstation and network device activity
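The “extract meaningful information” step is the one that turns the cryptic records above into comparable fields. As an added illustration (not code from the original slides or from LogRhythm), the following Python parses the four sample formats shown above (sshd syslog, the firewall key=value line, the Windows event line and the Apache access line) into one normalized record carrying the details the slides say a SIEM needs: source address, user, host and outcome. The sample lines are the slide’s own, plus one constructed sshd success line; the field names and parser structure are this example’s assumptions.

```python
import re

# The first four lines are the samples shown on the slide; the last one is a
# constructed sshd success line so both outcomes are exercised.
SAMPLE_LINES = [
    "Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from 192.168.1.2 port 1298 ssh2",
    '11 28 2005 17:12:24 10.1.1.4 id=firewall sn=0006B11F3B34 time="2005-11-28 17:14:08" '
    'fw=216.160.188.116 pri=6 c=1024 m=537 msg="Connection Closed" n=219550 '
    "src=10.1.1.22:138:LAN dst=10.1.1.255 proto=udp/netbios-dgm sent=229 rcvd=0",
    "11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 "
    "MESG=The user matt connected from 67.172.139.201 but failed an authentication attempt "
    "due to the following reason: %The user must change his or her password.",
    '65.240.187.181 - - [28/Nov/2005:14:48:29 -0700] "GET / HTTP/1.1" 200 14544 '
    '"http://www.google.com/search?q=event+management" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    "Nov 27 18:36:02 HelmsDeep sshd[12770]: Accepted password for alice from 192.168.1.2 port 1301 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
FW_RE = re.compile(r"^(?P<ts>\d\d \d\d \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) id=firewall ")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                   # key=value, value may be quoted
WIN_RE = re.compile(r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d\d [AP]M) (?P<body>[A-Z]{4}=.*)$")
WIN_KV_RE = re.compile(r"([A-Z]{4})=(.*?)(?= [A-Z]{4}=|$)")  # TYPE=, USER=, MESG=, ...
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_sshd(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"source": "sshd", "timestamp": m["ts"], "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "src_port": int(m["port"]),
            "outcome": "failure" if m["result"] == "Failed" else "success"}


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    parts = kv.get("src", "").split(":")              # this appliance writes src as ip:port:zone
    return {"source": "firewall", "timestamp": kv.get("time", m["ts"]), "host": m["host"],
            "user": None, "src_ip": parts[0] or None,
            "src_port": int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None,
            "src_zone": parts[2] if len(parts) > 2 else None, "dst_ip": kv.get("dst"),
            "proto": kv.get("proto"), "bytes_sent": int(kv.get("sent", 0)),
            "message": kv.get("msg"), "outcome": None}


def parse_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    f = dict(WIN_KV_RE.findall(m["body"]))
    mesg = f.get("MESG", "")
    user = f.get("USER") or None
    if user is None:                                    # USER is empty on RemoteAccess events;
        u = re.search(r"\bThe user (\S+)", mesg)        # the account only appears in the text
        user = u.group(1) if u else None
    ip = IP_RE.search(mesg)
    return {"source": "windows/" + f.get("SORC", "unknown"), "timestamp": m["ts"],
            "host": f.get("COMP"), "user": user, "src_ip": ip.group(1) if ip else None,
            "event_id": int(f["EVID"]) if f.get("EVID", "").isdigit() else None,
            "severity": f.get("TYPE"), "message": mesg,
            "outcome": "failure" if "failed" in mesg.lower() else None}


def parse_apache(line):
    m = APACHE_RE.match(line)
    if not m:
        return None
    return {"source": "apache", "timestamp": m["ts"], "host": None,
            "user": None if m["user"] == "-" else m["user"], "src_ip": m["ip"],
            "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "bytes_sent": 0 if m["size"] == "-" else int(m["size"]),
            "outcome": "success" if m["status"].startswith("2") else None}


def parse_log(line):
    """Try each format in turn; return a normalized record or None if nothing matches."""
    for parser in (parse_sshd, parse_firewall, parse_windows, parse_apache):
        rec = parser(line)
        if rec is not None:
            return rec
    return None


def parse_all(lines):
    """Parse every line, dropping the ones no parser understands (they stay raw in the archive)."""
    return [rec for rec in map(parse_log, lines) if rec is not None]
```

Every parser emits the same keys for the same concept (`src_ip`, `user`, `outcome`), which is what lets a later stage ask “how many failures from this address?” without caring whether the failure came from sshd or from a Windows RemoteAccess event.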
SIEM Philosophy
Security Information Event Managers (SIEM) analyze data from multiple sources to determine problems more accurately than a single device.
• SIEMs provide “Safety in Numbers”
• Investigations: more detail means more accuracy
• Scope is possible to determine instead of just action
Overall: the more sources of information, the more benefit the SIEM gives.
Maximizing SIEM effectiveness is determined by the SIEM Architecture and by its deployment.
Where Logs are Harvested
Syslog Format (Industry recognized standard)
Flat Files (Apache, Bind, MS Exchange Tracking Logs, many…)
Database Tables (Oracle, Web Based Applications)
SNMP
Generated Reports (Vulnerability, Change Logs, etc.)
Web Pages, XML files (Netgear, Cisco LMS)
Custom Protocols (OPSEC LEA, SDEE, Netflow, etc.)
Binary Formats
• Audit Logs (Solaris, Linux, etc.)
• Misc. structured formats (SAP)
API Based (Novell Netware, etc.)
Integrated agent tools
Automated Interpretation
The SIEM’s ability to interpret log and event data is the single most important step.
Capturing logs is not enough – they need to capture details (IP address, host name, user id, etc.).
The most desirable features of log collection would be:
• Enterprise-Wide Visibility & Awareness
• Flexible Deployment & Configuration Options
• Advanced Data Management
• Universal Customizable Console
• Comprehensive Compliance Support (Out-of-the-Box)
Extraction of Critical Data
Process of Interpretation
Classifications: Audit, Security, Operations
Categories: Compromise, Malware, Denial of Service, Vulnerability, etc.
Log Event Type: Buffer Overflow Attempt, CVE #, etc.
Details: IP Addresses, IDs, Ports, Traffic, etc.
Risk Ratings and Handling Policies
Enrichment of Logs
All about applying Context:
• Does the log originate from a computer inside the network or outside of the network?
• Add entity definition: does the log come from “Engineering”, “Hong Kong”, or “3rd Floor”, rather than 10.1.2.0/24, 10.11.14.0/24, or 10.100.0.0/16?
• Add geo-location: the log came from Kiev, Ukraine rather than 213.174.157.2. Use Latitude and Longitude to determine location on map.
• Use DNS servers to identify IP address or host name
• Identify proper affected application using context from log source type, port number, or based on matched rule.
Providing context to logs creates new ways of identifying anomalies, such as knowing:
• When a very large file is transferred outside of the organization
• When a connection enters the organization from a foreign location where the company doesn’t have employees.
• When a rival company is probing the web site.
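The enrichment step and the three anomalies it makes visible, as an added Python example (not the slides’ or LogRhythm’s code). It attaches direction, entity name, reverse-DNS name, geo-location and owning organization to each address of a connection record, then evaluates the three context-dependent conditions listed above. Every lookup table is constructed for the example and stands in for what a deployment would load from its asset inventory, a GeoIP database, DNS and a WHOIS/ASN feed; the Kiev entry reuses the slide’s address, and all other addresses are from documentation ranges.

```python
import ipaddress

# Every table here is constructed for the example; a deployment would load them from
# the asset inventory, a GeoIP database, reverse DNS and a WHOIS/ASN feed.
INTERNAL_NETS = ["10.0.0.0/8"]
ENTITIES = {                      # the slide's examples: a name in place of a subnet
    "10.1.2.0/24": "Engineering",
    "10.11.14.0/24": "Hong Kong",
    "10.100.0.0/16": "3rd Floor",
}
GEO = {                           # (city, ISO country, latitude, longitude)
    "213.174.157.0/24": ("Kiev", "UA", 50.45, 30.52),
    "203.0.113.0/24": ("Example City", "XX", 0.0, 0.0),
    "198.51.100.0/24": ("Example Town", "US", 0.0, 0.0),
}
REVERSE_DNS = {"10.1.2.17": "eng-ws17.corp.example", "10.100.4.5": "fileserver01.corp.example"}
SOURCE_ORGS = {"198.51.100.0/24": "Rival Corp"}   # watchlisted address owners
EMPLOYEE_COUNTRIES = {"US", "HK"}                 # where the company actually has staff
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024
WEB_PORTS = {80, 443}


def lookup(ip, table):
    """Value of the first network in table that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, value in table.items():
        if addr in ipaddress.ip_network(net):
            return value
    return None


def describe(ip):
    """All the context the enrichment step can attach to one address."""
    geo = lookup(ip, GEO)
    internal = any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in INTERNAL_NETS)
    return {
        "ip": ip,
        "direction": "internal" if internal else "external",
        "entity": lookup(ip, ENTITIES),
        "hostname": REVERSE_DNS.get(ip),
        "city": geo[0] if geo else None,
        "country": geo[1] if geo else None,
        "latlon": (geo[2], geo[3]) if geo else None,
        "org": lookup(ip, SOURCE_ORGS),
    }


def anomalies(rec):
    """The three context-dependent anomalies named on the slide."""
    src, dst = rec["src"], rec["dst"]
    found = []
    if (src["direction"] == "internal" and dst["direction"] == "external"
            and rec.get("bytes_sent", 0) >= LARGE_TRANSFER_BYTES):
        found.append("large_outbound_transfer")
    if (src["direction"] == "external" and dst["direction"] == "internal"
            and src["country"] and src["country"] not in EMPLOYEE_COUNTRIES):
        found.append("inbound_from_country_without_staff")
    if src["org"] and rec.get("dst_port") in WEB_PORTS:
        found.append("watchlisted_org_touching_web_site")
    return found


def enrich(record):
    """Attach src/dst context and anomaly tags to a normalized connection record."""
    out = dict(record)
    out["src"] = describe(record["src_ip"])
    out["dst"] = describe(record["dst_ip"])
    out["anomalies"] = anomalies(out)
    return out


# Constructed connection records, shaped like a firewall parser's output.
SAMPLE_RECORDS = [
    {"src_ip": "10.1.2.17", "dst_ip": "203.0.113.9", "dst_port": 443, "bytes_sent": 250 * 1024 * 1024},
    {"src_ip": "213.174.157.2", "dst_ip": "10.100.4.5", "dst_port": 3389, "bytes_sent": 1200},
    {"src_ip": "198.51.100.7", "dst_ip": "10.1.2.80", "dst_port": 80, "bytes_sent": 400},
]

if __name__ == "__main__":
    for e in map(enrich, SAMPLE_RECORDS):
        print(e["src"]["entity"] or e["src"]["city"], "->",
              e["dst"]["entity"] or e["dst"]["city"], e["anomalies"])
```

None of the three rules can be expressed on the raw log alone: “large”, “outside”, “foreign” and “rival” are all properties of the context tables, which is the slide’s point.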
Case Study: “Bot Detection”
Telecom company recently deployed a SIEM solution
Soon after deployment, IDS traffic picked up internal port scans
Using SIEM aggregation and investigation tools, isolated the IP address of the host performing scans
• Performed an investigation on the specific host, monitored traffic
• Noticed unusual SMTP traffic coming from host
Putting all of the information together, determined that host machine had been infected by malware, was being used as a spambot
SIEM Advantage: “Bot Detection”
In the “Bot Detection” scenario, SIEM allowed organization to correlate events from several devices
Those involved were able to analyze the data gathered and parse out useful data only
Able to pull data from a previous time to create a timeline; analyze the trending of events over time
Log/Event Management Overview: Data Architecture
Logs: Raw log data collected and automatically archived.
Events: Logs having more immediate operational, security, or compliance relevance.
Alerts: Events, or combination of correlated events, requiring immediate notification & response.
“Effective LM/SEM functionality requires a cohesive integration accomplished only when architected as a single solution.”
What is an Event?
An Event is when a log is flagged as being important compared to other logs. Examples:
• Privileged User Login
• Malware discovered on a workstation
• Power failure
SIEM 2.0 requires Events to exist in some form so that the users can identify key issues quickly.
Events can be identified by meeting conditions based on extracted data or enriched data. Examples:
• Log Type
• Log Severity (Panic, Critical, Error, Warning, etc.)
• Location (rogue state list)
Alarming
An alarm is an Event of higher note than a basic log or event; it adds the context of urgency.
When an alarm condition is met, direct notification is made by e-mail, text message, pager, etc.
Alarms can be considered a “Call to Action” and ideally happen infrequently.
Correlation is another process that identifies or creates Events and/or Alarms.
• Provides a link between conditions
• For example, a potential brute force attack is detected, followed by a successful authentication from the same origin host.
• A user logs in after being terminated (after account disabled, after employee status changed in HRM, etc.)
Correlation
Many types of correlation:
• On multiple occurrences of an event in a time threshold.
• From a location, country, IP address, domain name.
• Involving a user account, application, or specific file.
• In close time proximity with a different event.
• When an event is not witnessed.
• “From common sense to applied mathematics.”
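Three of the correlation types just listed, worked through as an added Python example (not the slides’ or LogRhythm’s code): multiple occurrences within a time threshold (a burst of failed logins from one source), close time proximity with a different event (a success from the same origin right after that burst, the brute-force scenario from the Alarming slide), and an event that is not witnessed (a nightly backup that never reports completion). The event stream, thresholds, host names and the ten-minute window are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # failures from one source inside WINDOW = brute force
WINDOW = timedelta(minutes=10)


class Correlator:
    """Stateful rule engine fed events in time order; collects the alarms it raises."""

    def __init__(self):
        self.failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
        self.alarms = []

    def feed(self, ev):
        if ev["type"] != "auth":
            return
        q = self.failures[ev["src_ip"]]
        while q and ev["time"] - q[0] > WINDOW:      # forget failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["time"])
            if len(q) == FAIL_THRESHOLD:            # fires once per burst, not once per failure
                self.alarms.append(("brute_force_attempt", ev["src_ip"], ev["time"], None))
        elif ev["outcome"] == "success" and len(q) >= FAIL_THRESHOLD:
            # "close time proximity": a success right after a burst of failures from the same host
            self.alarms.append(("brute_force_then_success", ev["src_ip"], ev["time"], ev["user"]))
            q.clear()


def missing_expected_events(events, expected, end):
    """"Event not witnessed": expected (host, type) pairs absent from the 24h ending at end."""
    seen = {(e["host"], e["type"]) for e in events
            if timedelta(0) <= end - e["time"] <= timedelta(hours=24)}
    return [exp for exp in expected if exp not in seen]


def run(events):
    """Feed events in time order and return the alarms raised."""
    c = Correlator()
    for ev in sorted(events, key=lambda e: e["time"]):
        c.feed(ev)
    return c.alarms


# Constructed sample stream (normalized records, as a parser would produce them).
T0 = datetime(2009, 8, 12, 2, 0)


def ev(minutes, **overrides):
    base = {"time": T0 + timedelta(minutes=minutes), "type": "auth", "host": "vpn-gw",
            "user": "matt", "outcome": "failure", "src_ip": "198.51.100.7"}
    base.update(overrides)
    return base


SAMPLE_EVENTS = (
    [ev(i) for i in range(6)]                                   # six failures in six minutes
    + [ev(7, outcome="success")]                                # then a success from the same host
    + [ev(1, src_ip="192.0.2.10"), ev(2, src_ip="192.0.2.10"),  # two typos and a login 28 min later:
       ev(30, src_ip="192.0.2.10", outcome="success")]          # below threshold, outside the window
    + [ev(60, type="backup_completed", host="fileserver02", user=None, outcome=None, src_ip=None)]
)
EXPECTED_DAILY = [("fileserver01", "backup_completed"), ("fileserver02", "backup_completed")]
```

The second source (two failures, then a success half an hour later) is the case the window exists for: a user mistyping a password must not look like the first. The absence rule is the one a SIEM would have needed in the opening case study, where the backup process was disabled before the data was deleted.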
Case Study: Ford Espionage (Source: The Detroit News)
10-year employee (1997-2007) at Ford Motor Company copied 4,000 documents onto a portable hard drive.
Documents included design specifications
Employee attempted to use the documents to secure a job in a Chinese automobile company in 2005 (while still working for Ford)
Employee was arrested (Oct 15th, 2009)
Where are my logs?
Once logs have been processed, they reside in a database until searched for.
Some are sent to real-time systems, such as a dashboard or “tail” display of the most recent logs.
At this point, tools are provided for the “actors” to use the SIEM to accomplish their goals:
• Stopping intrusions, malware, and internal security concerns
• Detecting, diagnosing and fixing problems
• Working within organizational procedure (ITIL, etc.)
• Proving compliance with GRC (Governance, Regulation and Compliance)
Dashboard
The SIEM Dashboard is a major launching point for investigations
• Provides real-time awareness
• Most simplified display
InvestigationsInvestigationsInvestigationsInvestigations
Investigations are searches based on facts we know (who, when, where) and are expanded or restricted based on clues
Example: Employee
If we noticed user SMITH doing something suspicious, we might investigate what SMITH was doing for the last month, or what SMITH’s computer was doing at the time of the event, or other computers SMITH accessed
Example: Employee termination may be the trigger for the investigation, by company policy
VisualizationVisualizationVisualizationVisualization
Reporting
Reports allow for post-event review, in case a critical situation was missed
Report collections have better visibility than the Dashboard alone
Basic security and auditing summaries should be generated frequently to supplement the Dashboard
Report reviews should be a part of any organizational security plan and/or policy
• Typically MSSPs provide weekly reviews of reports
• Compliance often mandates daily, weekly or monthly review
Could the “Disgruntled Employee” Breach have been detected and prevented?
Council of Community Health Clinics (CCHC), hacked by former employee
• Employee resigned following a bad review
• Accessed corporate server through RDP connection
• Server contained personally identifiable medical data
• Ex-employee disabled the automatic backup process; later deleted patient data
Potential consequences to the organization
• Patients had to wait hours to see doctors
• Loss of patient data could have led to loss of life
Consequences to Ex-employee
• Convicted and sentenced to more than 5 years in prison
• Forced to pay more than $400,000 in restitution
Could the “Disgruntled Employee” Breach have been detected and prevented? (continued)
Highlights from the case study:
“Employee resigned following a bad review”
• Use SIEM to instantly begin monitoring employee’s user account, even if access has been terminated
“Accessed corporate server through RDP connection”
• SIEM would be able to monitor and detect remote connections
“Server contained personally identifiable medical data”
• Confidential and proprietary information on this server would be monitored for access attempts
“Ex-employee disabled the automatic backup process, later deleted patient data”
• Process monitoring could detect the change made to the backup process; confidential patient data monitored
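The four highlights above, together with the earlier definitions of Events and Alarms, describe one escalation pipeline: a log becomes an Event when a condition on its extracted or enriched data holds (severity, log type, rogue-state location, sensitive host), and an Alarm when an urgent condition holds (a watchlisted account authenticating, the backup service stopped on a server holding patient data, a deletion on that server). The Python below is an added example of that pipeline (not the slides’ or LogRhythm’s code, and not the actual case’s data): the watchlist, host list, rogue-state list, notification policy and the sample record stream are all constructed, and the record shape is this example’s assumption.

```python
from datetime import datetime

# Constructed policy tables modelled on the case study; none of these are the real case's values.
WATCHLIST = {"jdoe": ("resigned", datetime(2009, 8, 1))}   # account -> (status, watch from)
SENSITIVE_HOSTS = {"patient-db01": "patient records (PHI)"}
ROGUE_STATES = {"XX"}                                      # ISO codes on the rogue-state list
EVENT_SEVERITIES = {"Panic", "Critical", "Error"}
NOTIFY = {"alarm": ["email:security-team@example.com", "sms:on-call"]}


def event_reasons(rec):
    """Conditions on extracted or enriched data that promote a log to an Event."""
    reasons = []
    if rec.get("severity") in EVENT_SEVERITIES:
        reasons.append("severity:" + rec["severity"])
    if rec["type"] == "auth" and rec.get("logon") == "remote":
        reasons.append("remote_connection")
    if rec.get("src_country") in ROGUE_STATES:
        reasons.append("rogue_state_origin")
    if rec["host"] in SENSITIVE_HOSTS:
        reasons.append("sensitive_host:" + SENSITIVE_HOSTS[rec["host"]])
    return reasons


def alarm_reasons(rec):
    """Urgent conditions that promote a log straight to an Alarm."""
    reasons = []
    watch = WATCHLIST.get(rec.get("user"))
    if rec["type"] == "auth" and watch and rec["time"] >= watch[1]:
        # monitoring starts the moment HR changes the status, disabled account or not
        reasons.append("watchlisted_user_authentication:" + watch[0])
    if (rec["type"] == "service_change" and "backup" in rec.get("service", "").lower()
            and rec.get("action") in {"stopped", "disabled"} and rec["host"] in SENSITIVE_HOSTS):
        reasons.append("backup_disabled_on_sensitive_host")
    if rec["type"] == "file_access" and rec.get("action") == "delete" and rec["host"] in SENSITIVE_HOSTS:
        reasons.append("deletion_on_sensitive_host")
    return reasons


def triage(rec):
    """Escalate one normalized record: log -> Event -> Alarm, with the notification policy."""
    e, a = event_reasons(rec), alarm_reasons(rec)
    tier = "alarm" if a else "event" if e else "log"
    return {"tier": tier, "reasons": e + a, "notify": NOTIFY.get(tier, [])}


def triage_all(records):
    return [triage(r) for r in records]


def _rec(day, hour, **fields):
    base = {"time": datetime(2009, 8, day, hour), "type": "auth", "host": "ws-01",
            "user": None, "severity": "Information"}
    base.update(fields)
    return base


# Constructed sample stream following the case study's sequence of steps.
SAMPLE_RECORDS = [
    _rec(10, 7, type="app_hang", host="ELVIS", severity="Error"),                          # event
    _rec(10, 8, user="alice", logon="local"),                                              # plain log
    _rec(10, 23, user="jdoe", logon="remote", host="patient-db01", src_ip="203.0.113.9"),  # alarm
    _rec(10, 23, type="service_change", host="patient-db01", user="jdoe",
         service="BackupAgent", action="stopped"),                                         # alarm
    _rec(11, 1, type="file_access", host="patient-db01", user="jdoe", action="delete",
         path="D:\\patients\\records.mdb"),                                                # alarm
    _rec(11, 9, user="bob", logon="remote", host="vpn-gw", src_country="XX"),              # event
]
```

The same remote login by the watchlisted account is only an Event before the HR status change and an Alarm after it; that date-keyed watchlist is the concrete form of “instantly begin monitoring the employee’s user account”.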
Conclusion
SIEMs provide a way to collect and process logs
• Enrich logs to add meaningful context
• Escalate meaningful logs to Events
• Escalate urgent Events to Alarms
SIEMs provide tools for investigating activities on a network
• Enhance activities involving Security, Operations and Auditing
• Tools include:
  • Dashboard
  • Reporting
  • Investigations
  • Visualization
Q&A