Centralizing and Analyzing Security Events: Deploying
Security Information Management Systems
Lynn Ray, Towson University
Copyright Lynn Ray, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Reasons for Centralized Event Management
• Increasing diversity of security devices and protocols
• Multiple types of security events and threats
• Manual collection and analysis of events
• Need for quick response to threats (zero-day attacks)
• Compliance with audits
Threat Statistics (courtesy of MessageLabs)
• 10 new worms are found each day
• An average of 20 targeted attacks per day
• Increasing use of ransomware
• Use of blended threats (spam and virus, spyware and Trojans, triple Trojans, etc.)
• Off-the-shelf virus kits
Security Information Management Defined
• Collaboration of security solutions and intelligent networking technologies
• Integrates a heterogeneous array of network devices and security products
• Builds pervasive security on the existing security enterprise:
– Monitors and collects event data
– Correlates and analyzes event data across the enterprise
– Compares against known threats
– Identifies threats and alerts
– Automatically locates and mitigates threats
How SIM Works
(Diagram: the SIM processing pipeline, in three stages.)
– Raw data: raw event data; collection and filtering
– Data refinement: data normalization and reduction; event aggregation and coordination; pattern discovery; prioritization
– Action: event display and report; response and mitigation
Drivers Behind SIM Adoption
• Financial discipline
– Managing operations effectively
– Employee efficiency
– Reduced administrative overhead
– ROI / business value of security
• Security effectiveness
– Operational risk
– Finances required to mitigate risk
Incident Response and Laws
• Incident response
– Many attack vectors
– Many different information sources
– Mitigation priority
• Federal laws
– FERPA: Family Educational Rights and Privacy Act
– HIPAA: Health Insurance Portability and Accountability Act
– GLBA: Gramm-Leach-Bliley Act
Compliance
• Policy-driven security management program
• Validation of security controls
• Risk management approach to information security
• Due diligence in application of internal controls
• Effective security incident management process
• Security event reporting
• Archiving and document preservation
Consideration Factors
• High cost ($100K or more)
• Difficult to implement and deploy
• Takes months to tune out false positives
• Requires specialized training to support
Data Correlation
(Diagram: event sources feed correlation and reduction; sessions, rules and verification separate isolated events from valid incidents.)
– Sources: router config, firewall log, switch config, switch log, server log, AV alert, application log, VA scanner, firewall config, NetFlow, NAT config, IDS event, ...
– Correlation and reduction: sessions, rules, verify
– Output: isolated events vs. valid incidents
SureVector™ Analysis
(Diagram: attack path from Host A through Target X to Target Y.)
1. Host A port scans Target X
2. Host A launches a buffer overflow attack against X, where X is behind a NAT device and X is vulnerable to the attack
3. Target X executes password attacks against Target Y, located downstream from the NAT device
• SureVector™ Analysis
– Visible and accurate attack path
– Drill-down to full incident and raw event details
– Pinpoints the true sources of anomalous and attack behavior
– More complete and accurate story
“Response”
• Uses leveraged mitigation
• Uses control capabilities within your infrastructure
– Layer 2/3 attack path is clearly visible
– Mitigation enforcement devices are identified
– Exact mitigation command is provided
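The slides on How SIM Works, Data Correlation, SureVector™ Analysis and Response describe the same pipeline from four angles: normalize heterogeneous events, reduce them (including resolving NAT so a host is recognized on both sides of the firewall), correlate them into sessions against rules and vulnerability data, prioritize, and name the enforcement point. The block below is an added example written for this page, not code from the original presentation or from Cisco MARS. It reproduces the three-stage chain from the SureVector slide on constructed input: every address, hostname, log format, the NAT table, the VA finding and the device name `fw-edge` are assumptions of the example, and the IOS-style ACL line is illustrative, not a MARS output.

```python
"""Added example (not from the original slides or Cisco MARS): a miniature SIM
pipeline that normalizes constructed IDS and server events, resolves NAT so the
same host is seen on both sides of the firewall, and correlates the
scan -> exploit -> downstream password attack chain into one incident with a
visible attack path and a suggested enforcement point."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NAT configuration (static NAT): public address -> inside address.
NAT_TABLE = {"198.51.100.10": "10.0.0.20"}
# Constructed vulnerability-scanner findings: inside address -> keywords found.
VA_FINDINGS = {"10.0.0.20": {"buffer overflow"}}
# Constructed server inventory: syslog hostname -> inside address.
HOSTS = {"srv-y": "10.0.0.30", "srv-z": "10.0.0.31"}
# Hypothetical enforcement device at the NAT boundary.
EDGE_DEVICE = "fw-edge"

# Constructed raw lines as (source type, text). The IDS outside sees only the
# public address of Target X; the servers inside see only private addresses.
RAW_EVENTS = [
    ("ids", '2007-05-01T10:00:01 ids1 sig="TCP Portscan" src=203.0.113.5 dst=198.51.100.10'),
    ("ids", '2007-05-01T10:02:15 ids1 sig="Buffer Overflow Attempt" src=203.0.113.5 dst=198.51.100.10'),
    ("server", "2007-05-01T10:03:40 srv-y sshd: Failed password for root from 10.0.0.20"),
    ("server", "2007-05-01T10:03:41 srv-y sshd: Failed password for admin from 10.0.0.20"),
    ("server", "2007-05-01T10:03:42 srv-y sshd: Failed password for oracle from 10.0.0.20"),
    ("server", "2007-05-01T10:03:43 srv-y sshd: Failed password for root from 10.0.0.20"),
    ("server", "2007-05-01T11:30:00 srv-z sshd: Failed password for bob from 10.0.0.99"),
    ("server", "2007-05-01T11:30:05 srv-z sshd: this line does not parse"),
]

IDS_RE = re.compile(r'^(\S+) \S+ sig="([^"]+)" src=(\S+) dst=(\S+)$')
SERVER_RE = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")
WINDOW = timedelta(minutes=30)   # maximum gap between chained stages
PASSWORD_THRESHOLD = 3           # failed logons that count as a password attack


def normalize(source, line):
    """Collection/filtering + normalization: map one raw line onto the common
    schema {ts, src, dst, category, detail}. Lines no parser understands
    return None, which is how malformed or uninteresting input is filtered."""
    if source == "ids":
        m = IDS_RE.match(line)
        if not m:
            return None
        ts, sig, src, dst = m.groups()
        cat = "scan" if "Portscan" in sig else "exploit" if "Overflow" in sig else "other"
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "category": cat, "detail": sig}
    if source == "server":
        m = SERVER_RE.match(line)
        if not m:
            return None
        ts, host, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": HOSTS.get(host, host),
                "category": "auth_fail", "detail": user}
    return None


def resolve_nat(ev):
    """Reduction: rewrite public addresses to the inside address so events seen
    outside the NAT device and events seen inside refer to the same host."""
    return {**ev, "src": NAT_TABLE.get(ev["src"], ev["src"]), "dst": NAT_TABLE.get(ev["dst"], ev["dst"])}


def correlate(events):
    """Session events by (src, dst) and apply the chain rule: a scan followed by
    an exploit on the same pair within WINDOW, checked against VA data, then
    >= PASSWORD_THRESHOLD auth failures from the exploited host to a downstream
    host. Anything that does not complete the chain stays an isolated event."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        sessions[(e["src"], e["dst"])].append(e)
    incidents = []
    for (a, x), evs in sessions.items():
        scans = [e for e in evs if e["category"] == "scan"]
        for ex in (e for e in evs if e["category"] == "exploit"):
            if not any(timedelta(0) <= ex["ts"] - s["ts"] <= WINDOW for s in scans):
                continue  # exploit alert with no preceding scan: not this chain
            vulnerable = any(k in ex["detail"].lower() for k in VA_FINDINGS.get(x, ()))
            incident = {"path": [a, x], "severity": 3 if vulnerable else 1, "vulnerable": vulnerable}
            for (src2, y), evs2 in sessions.items():  # stage 3: X attacking downstream
                fails = [e for e in evs2 if e["category"] == "auth_fail"
                         and timedelta(0) <= e["ts"] - ex["ts"] <= WINDOW]
                if src2 == x and len(fails) >= PASSWORD_THRESHOLD:
                    incident["path"].append(y)
                    incident["severity"] = 5
                    break
            incidents.append(incident)
    return sorted(incidents, key=lambda i: -i["severity"])  # prioritization


def mitigation(incident):
    """Response: name the enforcement device at the NAT boundary and an
    IOS-style ACL line (illustrative only) blocking the true source, i.e. the
    head of the attack path rather than the NAT address the IDS reported."""
    source = incident["path"][0]
    return {"device": EDGE_DEVICE, "command": f"access-list 101 deny ip host {source} any"}


def run_pipeline(raw=RAW_EVENTS):
    """Raw data -> normalization -> NAT reduction -> correlation -> priority."""
    normalized = [n for n in (normalize(s, line) for s, line in raw) if n]
    return correlate(resolve_nat(e) for e in normalized)
```

Running `run_pipeline()` on the constructed input yields one incident whose path is Host A, Target X (by its inside address) and Target Y; the single failed logon against `srv-z` stays an isolated event because it never completes the chain. The NAT resolution is what makes the third stage joinable at all: without it the exploit is recorded against `198.51.100.10` while the password attacks originate from `10.0.0.20`, and the two never meet.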
Results
• Deployed Cisco MARS SIM device
– Communicates with multiple devices
– Collects syslog data from devices
– Utilizes intelligent agents to gather and correlate data from devices
– Provides automated reporting and resolution of threats
– Displays the path of threats
How Does SIM Help?
• Greatly reduces false positives
• Defines effective mitigation responses
• Provides quick and easy access to audit compliance reports
• Ability to visualize the attack path
• Identifies the source of threats
• Makes precise recommendations for removal of threats
Monitors Diverse Environments
(Diagram: MARS at the center, receiving events from McAfee ePO, desktops, firewall, IDS, VPN, routers, switches, Unix and Windows servers, and wireless.)
Intelligent Agents
• Used the free SNARE* agent on Windows server operating systems
– Deployed on all servers
– Pushes security events in real time to the SIM
– Minimal performance effect on the server
• Testing other SNARE agents
– Web servers (Apache and IIS)
– Operating systems (Unix, Linux)
*System Intrusion Analysis and Reporting Environment
Compliance and Reporting
• Survived a state auditor
• Provide instant reports to auditors
• Established automated reports
– Track failed access, virus and worm threats, etc.
– Reduced level of daily log review
Recommendations
• Devise an implementation strategy
– Identify the devices from which security event data will be collected
– Consider open source and commercial products
– Demo and get opinions from support staff
– Identify storage requirements for data
• Integrate with incident handling procedures
Devise a Deployment Plan
• Set up a team composed of server admin, network and security staff
• Standardize collection of syslog data
• Use intelligent agents to collect data
• Monitor all network and computer systems (OS and Web)
• Establish administration of the system
• Determine reports that will be useful and implement automated reporting
System Administration
• Device managed by security personnel
• Allow automated response to threats for better protection against threats
– Allow the SIM admin access to all monitored devices
– Obtain cooperation from other support personnel (server admin, network, etc.)
• Tune out false positives
• Set up automated reporting, record keeping and incident handling
Event Reports
• Determine reports that will be useful and implement automated reporting
• SANS Institute recommends:
– Attempts to gain access through existing accounts
– Failed file or resource access attempts
– Unauthorized changes to users, groups and services
– Systems most vulnerable to attack
– Suspicious or unauthorized network traffic patterns
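The first three SANS-recommended reports are straightforward to automate once agent-forwarded Windows security events arrive at the SIM in a consistent shape, which is the point of the Intelligent Agents and Deployment Plan slides. The block below is an added example written for this page, not code from the presentation, the SANS Institute or the SNARE project. Its sample lines are constructed; the tab-separated field order (timestamp, host, event ID, outcome, account, detail) is an assumption of the example and not the SNARE record layout. The event IDs are the Windows Server 2003 security-log IDs: 529 logon failure, 560 object open, 636 member added to a local group; 528 (successful logon) appears only as noise.

```python
"""Added example (not from the original slides, SANS or SNARE): build three of
the SANS-recommended daily reports from constructed, agent-forwarded Windows
security events. Field order is an assumption of this example."""
from collections import Counter

# Constructed agent-forwarded lines. The detail field is the source address
# for 529, the object path for 560, and the target group for 636.
SAMPLE = """2007-05-01 09:01:12\tWINSRV01\t529\tFailure\tadministrator\t10.0.0.99
2007-05-01 09:01:13\tWINSRV01\t529\tFailure\tadministrator\t10.0.0.99
2007-05-01 09:01:14\tWINSRV01\t529\tFailure\tadministrator\t10.0.0.99
2007-05-01 09:01:15\tWINSRV01\t529\tFailure\tadministrator\t10.0.0.99
2007-05-01 09:01:16\tWINSRV01\t529\tFailure\tadministrator\t10.0.0.99
2007-05-01 09:15:00\tWINSRV02\t529\tFailure\tjdoe\t10.0.0.40
2007-05-01 10:22:07\tWINSRV01\t636\tSuccess\tsvc_backup\tAdministrators
2007-05-01 10:25:00\tWINSRV01\t636\tSuccess\tsecadmin\tAdministrators
2007-05-01 11:05:33\tWINSRV02\t560\tFailure\tjdoe\tD:\\Finance\\payroll.xls
2007-05-01 11:05:34\tWINSRV02\t560\tFailure\tjdoe\tD:\\Finance\\payroll.xls
2007-05-01 11:06:00\tWINSRV02\t560\tSuccess\tjdoe\tD:\\Public\\readme.txt
2007-05-01 13:00:00\tWINSRV01\t528\tSuccess\tjdoe\t10.0.0.40
"""


def parse(text):
    """Split forwarded lines into records. Lines with the wrong field count are
    dropped so a truncated or garbled line cannot poison the daily report."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, host, event_id, outcome, account, detail = fields
        records.append({"ts": ts, "host": host, "id": int(event_id), "outcome": outcome,
                        "account": account, "detail": detail})
    return records


def access_attempts_on_existing_accounts(records, threshold=5):
    """Report: attempts to gain access through existing accounts, i.e. accounts
    that collected >= threshold logon failures (529) from one source address."""
    hits = Counter((r["host"], r["account"], r["detail"]) for r in records if r["id"] == 529)
    return {key: n for key, n in hits.items() if n >= threshold}


def failed_resource_access(records):
    """Report: failed file or resource access (560 with a Failure outcome),
    counted per host, account and object."""
    return Counter((r["host"], r["account"], r["detail"])
                   for r in records if r["id"] == 560 and r["outcome"] == "Failure")


def unauthorized_group_changes(records, authorized):
    """Report: local-group membership additions (636) performed by an account
    that is not on the change-control list of authorized administrators."""
    return [(r["ts"], r["host"], r["account"], r["detail"])
            for r in records if r["id"] == 636 and r["account"] not in authorized]


def daily_report(text, authorized=frozenset({"secadmin"})):
    """Run all three reports over one day of forwarded events."""
    records = parse(text)
    return {
        "access_attempts": access_attempts_on_existing_accounts(records),
        "failed_access": failed_resource_access(records),
        "group_changes": unauthorized_group_changes(records, authorized),
    }


if __name__ == "__main__":
    for name, result in daily_report(SAMPLE).items():
        print(name, dict(result) if isinstance(result, Counter) else result)
```

On the constructed day the report flags the five-failure burst against `administrator` from `10.0.0.99`, the two refused opens of the payroll file, and the group change made by `svc_backup` (the one made by `secadmin` is on the authorized list and is not reported). The single failure for `jdoe` is below threshold and is exactly the kind of line that daily review no longer needs to read by hand.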
Incident Response
• Determine how staff will respond to alerts
• Establish escalation procedures for handling suspected and confirmed intrusions
• Link steps to the incident handling plan
• Keep track of efforts and decisions
Compliance Verification
• Provided evidence of compliance with state and local policies
• Able to rapidly provide reports
Summary
In summary, SIM...
– Provides centralized network monitoring
– Automatically pulls logs from multiple devices
– Eliminates the need for manually intensive analysis
– Eliminates the need to respond to threats manually
– Provides the reporting capabilities required for daily review by State and University audits and security guidelines