Data Security Analytics by Abhijit Khuperkar

Post on 22-Jan-2018


Author: Abhijit Khuperkar, Data Specialist & Big Data Evangelist

Data Security Analytics: Analysis of the Firewall Log

Presentation Outline

Problem Statement

Key Observations

Dashboards

Problem Statement

► Dataset: The dataset contains firewall log data for a one-month period between 1-Sep’14 and 1-Oct’14. It includes a record of approx. 87,000 events, grouped into categories and log responses.

► Goal: Carry out a high-level analysis of the firewall log data. Explore the data and perform aggregate data analysis.

► Criteria: Identify vulnerable categories, drill down into the problems, and represent the analysis visually.

The Challenge

Methodology

► Data: Standardized the log messages so that the important messages could be drilled into.

► Analysis: Carried out a descriptive and aggregate analysis of the number of security events and log responses. Drilled down into high-priority intrusion prevention events and into vulnerable security events.

► Visualization: Prepared Tableau dashboards representing the data aggregates visually.

Key Observations

► Event logs: One-fifth of all logs are intrusion prevention events. Of these, 1% carry medium-to-high priority alerts and security warnings. The connection was dropped for many authorized-access events.

► Event trend: Intrusion prevention events were higher than usual during 15-23 Sep’14, so a large number of security alerts and warnings were triggered in this period. Some outliers in authorized network access were observed during 5-14 Sep’14.

► Intrusion events: High-priority alerts and synchronization (SYN) floods are potential threats. The dashboard shows the three source IPs behind the high-priority alerts and their destination IPs. The source IPs of the SYN flood were untraceable.

► VPN access: The warnings and notices for the VPN access events resulted from payload-type security alerts and from mismatches in the encryption algorithm and the IKE proposal. The firewall responded by dropping a few packets and connections.

► Source & destination IPs: Four source IPs account for 44% of the log events. Likewise, two destination IPs received the bulk of the requests, accounting for 15% of all logs recorded by the firewall.
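The methodology above (standardize the messages, aggregate by category and priority, rank source and destination IPs, look for periods with unusual volume) is the same computation behind the Key Observations. The following is an added example, not the deck's own code or data: it uses a hypothetical `timestamp key=value ...` log format and a handful of constructed records, standardizes them, and produces the category counts, the priority mix within intrusion prevention events, the share of traffic from the top source and destination IPs, and the days whose volume spikes above the median. Category names, field names and IP addresses are all assumptions.

```python
"""Aggregate analysis of firewall log lines, following the deck's methodology.

Added example: hypothetical key=value log format and constructed records,
not the deck's own data or code.
"""
import re
from collections import Counter
from statistics import median

# Constructed sample records (hypothetical format). One malformed line is
# included to show that standardization skips it.
SAMPLE_LOG = """\
2014-09-05T08:01:10 category=Intrusion_Prevention priority=HIGH action=drop src=10.0.0.5 dst=192.168.1.10
2014-09-05T08:02:30 category=Authorized_Access priority=info action=allow src=10.0.0.7 dst=192.168.1.20
2014-09-05T08:03:45 category=VPN priority=warning action=drop src=10.0.0.9 dst=192.168.1.30 reason=ike_proposal_mismatch
2014-09-16T09:00:01 category=Intrusion_Prevention priority=high action=drop src=10.0.0.5 dst=192.168.1.10
2014-09-16T09:00:07 category=Intrusion_Prevention priority=medium action=alert src=10.0.0.5 dst=192.168.1.10
2014-09-16T09:01:12 category=Intrusion_Prevention priority=low action=notice src=10.0.0.11 dst=192.168.1.20
2014-09-16T09:02:40 category=Intrusion_Prevention priority=High action=drop src=10.0.0.13 dst=192.168.1.10
2014-09-16T09:03:02 category=Authorized_Access priority=info action=drop src=10.0.0.7 dst=192.168.1.20
2014-09-16T09:04:19 category=VPN priority=notice action=drop src=10.0.0.9 dst=192.168.1.30 reason=encryption_algorithm_mismatch
2014-09-16T09:05:55 category=Intrusion_Prevention priority=medium action=alert src=10.0.0.5 dst=192.168.1.20
this line is not a firewall record and must be skipped
2014-09-28T14:10:00 category=Authorized_Access priority=info action=allow src=10.0.0.7 dst=192.168.1.20
2014-09-28T14:11:30 category=Authorized_Access priority=info action=allow src=10.0.0.15 dst=192.168.1.40
2014-09-28T14:12:45 category=Intrusion_Prevention priority=low action=notice src=10.0.0.11 dst=192.168.1.10
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}\s')


def parse_line(line):
    """Standardize one record: split off the date, lower-case keys and values,
    strip quotes. Returns None for lines that are not records."""
    m = TS_RE.match(line)
    if not m:
        return None
    event = {"day": m.group(1)}
    for key, value in KV_RE.findall(line):
        event[key.lower()] = value.strip('"').lower()
    # A record without a category or a source cannot be aggregated.
    if "category" not in event or "src" not in event:
        return None
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by(events, key):
    """Descriptive count of events per value of one field (category, action, ...)."""
    return Counter(e.get(key, "unknown") for e in events)


def priority_mix(events, category):
    """Share of each priority within one category, e.g. the deck's
    '1% of intrusion prevention events have medium-high priority'."""
    subset = [e for e in events if e["category"] == category]
    counts = Counter(e.get("priority", "unknown") for e in subset)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()} if total else {}


def top_talkers(events, key, n):
    """Top-n values of a field with their share of all events, e.g. the deck's
    'four source IPs account for 44% of the log events'."""
    counts = count_by(events, key)
    total = len(events)
    return [(v, c, c / total) for v, c in counts.most_common(n)]


def daily_counts(events, category=None):
    """Events per day, optionally restricted to one category, for the trend view."""
    counts = Counter(e["day"] for e in events
                     if category is None or e["category"] == category)
    return dict(sorted(counts.items()))


def spike_days(daily, factor=2.0):
    """Days whose count exceeds `factor` times the median daily count."""
    if not daily:
        return []
    base = median(daily.values())
    return [day for day, n in daily.items() if n > factor * base]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("events:", len(events))
    print("by category:", count_by(events, "category"))
    print("IPS priority mix:", priority_mix(events, "intrusion_prevention"))
    print("top sources:", top_talkers(events, "src", 2))
    print("top destinations:", top_talkers(events, "dst", 2))
    print("spike days:", spike_days(daily_counts(events)))
```

On the constructed sample, the two busiest sources account for 7 of 13 events and 16 September stands out as the spike day; on a real month of logs the same functions feed the per-category, per-priority and top-N views that the dashboards present, and the spike threshold is the knob that decides which days count as "higher than usual".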


Dashboards

Security Events At A Glance: events that need drill-down are highlighted.

Trend in Security Events: higher-than-usual alerts; higher-than-usual intrusions.

Intrusion Prevention Events: destination IPs; alerts with medium-high priority and a potential SYN flood; untraceable sources (IPs were unavailable). Source IPs are masked as xxx.xx.xxx.xxx, yyy.xx.xxx.xxx, zzz.xx.xxx.xxx.

VPN Access Events: potential security threats; key reasons are a mismatched encryption algorithm and IKE proposal.

Source vs Destination Systems: 44% of the security logs are attributed to the four source IPs; two destination IPs are accessed most. IPs are masked as xxx.xx.xxx.xxx.

Thank you!

For queries and feedback contact Abhijit Khuperkar, Data Specialist & Big Data Evangelist: akhuperkar@yahoo.com