Security Information Managers: State of the Art
Source: opus1.com/www/presentations/smartdefense-sim.pdf (27 slides)

Joel M Snyder, Senior Partner, Opus One, [email protected]

Transcript of Security Information Managers: State of the Art (opus1.com/www/presentations/smartdefense-sim.pdf)

Page 1:

Security Information Managers: State of the Art

Joel M Snyder, Senior Partner
Opus One, [email protected]

Page 2:

Definition: SIMs accept security information from multiple sources within the enterprise and analyze it to provide a higher level of understanding.

SIM, SEM, SEIM, SIEM, ESM, you-name-it

Page 3:

Or, in pretty pictures …

[Diagram: sources feeding the SIM: SYSLOG, Windows, SSH/Telnet, Files, SNMP, Databases. Outputs: Alerts! Reports! Archives! Insight!]

Page 4:

You have lots and lots of data
• You can add tools, such as IDS
• You can collect from existing points
• Your servers & workstations have useful data as well

Page 5:

Data Are Pretty Useless Without Analysis

Collecting raw data doesn’t help you very much
• … unless your goal is filling up that SAN

(50 switches * 1 event/hour
 + 4 firewalls * 10 log entries/second
 + 20 routers * 25 netflows/second
 + 10 servers * 1 event/minute
 + 1000 workstations * 1 event/hour
 + 2 IDS sensors * 15 events/second)
 * 100 chars/entry * 24 hrs/day * 7 days/week
 = 32 Gbytes/week
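The slide's arithmetic as a small sizing tool, added here as an example (mine, not code from the slides or from Opus One). It reproduces the 32 Gbytes/week figure (it comes out at about 32.1 GiB) from the slide's inventory, shows which feed dominates the stream, and goes one step beyond the slide by projecting the same uncompressed stream over a multi-year retention period. The 100 chars/entry figure and the 52-weeks-per-year assumption are taken as given; compression is ignored, as on the slide.

```python
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}

# The slide-5 inventory as data: (name, device count, events per device, per unit)
SLIDE5_SOURCES = [
    ("switches", 50, 1, "hour"),
    ("firewalls", 4, 10, "second"),
    ("routers (netflow)", 20, 25, "second"),
    ("servers", 10, 1, "minute"),
    ("workstations", 1000, 1, "hour"),
    ("IDS sensors", 2, 15, "second"),
]

def source_rate(count, rate, unit):
    """Events per second contributed by `count` devices each emitting `rate` per `unit`."""
    return count * rate / UNIT_SECONDS[unit]

def events_per_second(sources):
    return sum(source_rate(c, r, u) for _, c, r, u in sources)

def weekly_bytes(sources, bytes_per_entry=100):
    """Raw bytes per week, uncompressed, exactly as the slide computes it."""
    return events_per_second(sources) * bytes_per_entry * 24 * 3600 * 7

def retention_bytes(sources, years, bytes_per_entry=100):
    """The same stream held for `years` (52 weeks each), still uncompressed:
    the number behind the on-line / near-line / off-line question (assumed 52 weeks/year)."""
    return weekly_bytes(sources, bytes_per_entry) * 52 * years

def gib(n):
    return n / 2**30

def breakdown(sources):
    """(name, events/s, share of stream) per source, largest first:
    shows which feed actually fills the SAN."""
    total = events_per_second(sources)
    rows = [(n, source_rate(c, r, u)) for n, c, r, u in sources]
    return sorted([(n, eps, eps / total) for n, eps in rows], key=lambda row: -row[1])

if __name__ == "__main__":
    print(f"{gib(weekly_bytes(SLIDE5_SOURCES)):.1f} GiB/week")
    for n, eps, share in breakdown(SLIDE5_SOURCES):
        print(f"  {n:18s} {eps:8.1f} ev/s  {share:6.1%}")
    print(f"{gib(retention_bytes(SLIDE5_SOURCES, 7)) / 1024:.1f} TiB for 7 years")
```

Running it shows that the 20 routers' netflow records are roughly 88% of the stream; the workstations, despite being the most numerous devices, contribute well under a tenth of a percent.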

Page 6:

Welcome to the World of SIM/SEM

[Vendor logos: TriGeo, Q1 Labs, Tenable, Symantec, Protego (CSCO), OpenService, Network Intelligence (RSA/EMC), NetIQ, netForensics, Intellitactics, Hightower, E-Security (Novell), Consul, CA, LogLogic, Arcsight, eIQnetworks]

Grabbing all that data is just a starting point, though…

Page 7:

SIMs support a security information lifecycle
• Collect
• Normalize and Store
• Correlate/Analyze
• Alert/Respond
• Reporting
• Forensics

Page 8:

Collecting Is More Than Filling up Disks

Data have to be collected
• Syslog (sure, pick the easy one)
• SNMP Traps
• Windows Event Logs and Performance Data (agent-full or agent-less)
• Vulnerability analyzer reports/logs/data
• J. Random Log Files
• Anything Else You Can Imagine

Data have to be normalized

Data have to be stored and managed

[Lifecycle diagram, current phase: Collect]

Page 9:

Normalization and Storage Management are Hard

Normalization: these are the same

14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15

Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 policy_id=0 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80

Storage: data grow forever
• On-line
• Near-line
• Off-line

Page 10:

Most SIM products normalize fields, and apply a hierarchy

Raw:

14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15

14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] {TCP} 1.2.3.4:4523->192.245.12.2:80

Normalized:

Severity | Proto. | Dest Port | Dest IP      | Source Port | Source IP | Message                      | Date/Time
WARNING  | TCP    | 80        | 192.245.12.2 | 4523        | 1.2.3.4   | IIS backslash evasion        | 14:55
INFO     | TCP    | 80        | 192.245.12.2 | 4523        | 1.2.3.4   | Traffic accepted by firewall | 14:55
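The normalization step of slides 9 and 10, worked through on the three log lines shown there, as an added example (mine, not code from the slides or from any of the products named on slide 6). The field names, the severity mapping for Snort priorities, the service-name-to-port table for Check Point, the protocol-number table for NetScreen, and the handling of a NetScreen line that is not a traffic record are all my assumptions; the sample lines are the ones on the slides.

```python
import re
from dataclasses import dataclass

IP_PROTO = {"1": "icmp", "6": "tcp", "17": "udp"}                 # NetScreen logs the IANA protocol number
SERVICE_PORT = {"http": 80, "https": 443, "tftp": 69, "ssh": 22}  # Check Point logs a service name (assumed table)
ACTION_WORD = {"accept": "accepted", "drop": "dropped", "reject": "rejected",
               "Permit": "accepted", "Deny": "denied"}
SNORT_SEVERITY = {"1": "CRITICAL", "2": "WARNING", "3": "WARNING"}  # assumed mapping; Snort priority 1 is highest

@dataclass(frozen=True)
class Event:
    """One normalized record: the columns of the slide-10 table, plus which parser produced it."""
    severity: str
    proto: str
    dst_port: int
    dst_ip: str
    src_port: int
    src_ip: str
    message: str
    time: str
    source: str

CP_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<host>\S+) (?P<iface>\S+) .*?"
                   r"src (?P<src>\S+) s_port (?P<sport>\d+) dst (?P<dst>\S+) "
                   r"service (?P<service>\S+) proto (?P<proto>\w+) rule (?P<rule>\d+)")
NS_TIME = re.compile(r"^\w{3} +\d+ (\d\d:\d\d:\d\d) ")
NS_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SNORT_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<sensor>\S+) SFIMS: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
                      r"\[Classification: (?P<cls>[^\]]*)\] ?\[Priority: (?P<pri>\d+)\] "
                      r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse_checkpoint(line):
    """Check Point VPN-1/FireWall-1 positional 'key value' format."""
    m = CP_RE.match(line)
    if not m:
        return None
    verb = ACTION_WORD.get(m["action"], m["action"])
    return Event("INFO", m["proto"], SERVICE_PORT.get(m["service"], 0), m["dst"], int(m["sport"]), m["src"],
                 f"Traffic {verb} by firewall (rule {m['rule']})", m["time"], "checkpoint")

def parse_netscreen(line):
    """NetScreen syslog 'key=value' format; non-traffic records (no src/dst/proto keys) are skipped."""
    t = NS_TIME.match(line)
    if not t or "netscreen" not in line.lower():
        return None
    kv = {k: v.strip('"') for k, v in NS_KV.findall(line)}
    try:
        verb = ACTION_WORD.get(kv["action"], kv["action"])
        return Event("INFO", IP_PROTO.get(kv["proto"], kv["proto"]), int(kv["dst_port"]), kv["dst"],
                     int(kv["src_port"]), kv["src"], f"Traffic {verb} by firewall (policy {kv['policy_id']})",
                     t.group(1), "netscreen")
    except KeyError:
        return None

def parse_snort(line):
    """Snort alert as relayed through SFIMS on the slide."""
    m = SNORT_RE.match(line)
    if not m:
        return None
    return Event(SNORT_SEVERITY.get(m["pri"], "INFO"), m["proto"].lower(), int(m["dport"]), m["dst"],
                 int(m["sport"]), m["src"], f"{m['msg']} [{m['sid']}] classification: {m['cls']}",
                 m["time"], "snort")

PARSERS = (parse_checkpoint, parse_netscreen, parse_snort)

def normalize(line):
    """First parser that recognizes the line wins; None means 'unknown format, keep the raw line'."""
    for parser in PARSERS:
        ev = parser(line)
        if ev:
            return ev
    return None

def connection_key(ev):
    """The 5-tuple plus the minute: what 'these are the same' means on slide 9."""
    return (ev.proto, ev.src_ip, ev.src_port, ev.dst_ip, ev.dst_port, ev.time[:5])

SAMPLE_LINES = [  # the three lines from slides 9 and 10
    "14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15",
    'Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 policy_id=0 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80',
    "14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown][Priority: 3] {TCP} 1.2.3.4:4523->192.245.12.2:80",
]
# The slide-13 admin-login line: a NetScreen record that is not traffic, so the traffic parser must not guess
ADMIN_LOGIN_LINE = ('Jan 16 14:37:30 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 '
                    'system-warning-00515: duration=0 start_time="2005-01-16 14:37:04" netscreen: Admin User '
                    '"netscreen" logged in for Web(https) management (port 443) from 12.146.232.2:3473.')

if __name__ == "__main__":
    for ev in map(normalize, SAMPLE_LINES):
        print(f"{ev.severity:8s} {ev.proto:4s} {ev.dst_port:5d} {ev.dst_ip:14s} {ev.src_port:5d} "
              f"{ev.src_ip:10s} {ev.message:45s} {ev.time[:5]}")
```

All three lines normalize to the same connection key, which is what lets the next stage see one HTTP connection reported by two firewalls and an IDS rather than three unrelated strings. The Check Point parser cannot know the destination port from the raw line (it logs a service name), so the lookup table is where that knowledge has to come from; an unknown service yields port 0 rather than an exception.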

Page 11:

The Hierarchy is Important to Unifying your View

Attack Behavior
• Inferred Attack
• Resource Attack
• Network Attack

Access
• Access->Application Access->Database Access
• Access->Application Access->File Transfer Access
• Access->Application Access->Mail Access
• Access->Configuration Access
• Access->Core Access->ICMP Redirect Access
• Access->File System Access->NFS Access

Suspicious Behavior
• Authentication Suspicious
• Failed Authentication

Page 12:

Correlation and Analysis are where SIMs earn their keep

• Events/Log Data need to be prioritized
• Events/Log Data need to be combined to form a greater whole
• Events/Log Data need to be correlated so that particular patterns can be identified
• Events/Log Data/Flow Data need to be aggregated so that traffic and trend data can be brought out

[Lifecycle diagram, current phase: Correlate/Analyze]

Page 13:

Cross-event Correlation is the most common type to consider

Sometimes a single event is what you care about:

Jan 16 14:37:30 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-warning-00515: duration=0 start_time="2005-01-16 14:37:04" netscreen: Admin User "netscreen" logged in for Web(https) management (port 443) from 12.146.232.2:3473. (2005-01-16 14:34:32)

“Unauthorized Access to Administrative Services”

Sometimes you want multiple events:

14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15 resource=http://192.245.12.2/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir

14:55:22 accept fw1.opus1.com >eth0 product VPN-1 & Firewall-1 src 192.245.12.2 s_port 69 dst 1.2.3.4 service tftp proto udp rule 18

“Successful NIMDA causing victim to TFTP down virus”

Page 14:

Correlation and Analysis can also bring together different data sources

[Diagram: Host Profiles built from Firewall Data, VA Data, IDS Data, Flow Records (sFlow) and Manager Configuration]

Host Information
• DNS & NetBIOS names
• Operating System
• MAC & IP Addresses
• VLAN Tag
• Attributes: Criticality, Notes, Addt’l User-specified

Protocols
• L3: IP, etc.
• L4: TCP, UDP, etc.

Services
• Ports and Protocols
• Banners
• Client Applications
• Vulnerabilities

Page 15:

Flow Data are a nice Bonus

[Diagram: one TCP connection as a flow record: SYN, SYN-ACK, ACK, Data, Data, FIN, FIN-ACK, ACK]

Page 16:

With Correlation and Analysis, You Want Alerting

Alerting has a bad name (and well it should)
• Poor alerting was invented by the pager companies as a way to sell minutes…

Alerting requires very flexible thinking and configuration
• Time-of-day differences
• Rate limiting
• Different profiles

[Lifecycle diagram, current phase: Alert/Respond]
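The three alerting knobs the slide names (time-of-day differences, rate limiting, different profiles) in one dispatcher, as an added example (mine, not code from the slides or from any SIM product). The profile fields, the page/ticket/suppress outcomes, the severity scale and the sample alerts are my assumptions; the rule names in the sample reuse the slide's HT12 rule and the "Failed Authentication" category from slide 11.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, time

SEV_RANK = {"INFO": 0, "WARNING": 1, "CRITICAL": 2}   # assumed severity scale

@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    asset: str
    severity: str

@dataclass
class Profile:
    """Who gets paged, and when (assumed knobs).  Inside business hours anything at or above
    page_min pages; outside them only after_hours_min does; everything else is ticketed."""
    name: str
    page_min: str = "WARNING"
    after_hours_min: str = "CRITICAL"
    hours_from: time = time(8, 0)
    hours_until: time = time(18, 0)
    max_pages: int = 3                        # rate limit: at most this many pages...
    per: timedelta = timedelta(minutes=10)    # ...per (rule, asset) within this span

class Dispatcher:
    def __init__(self, profile):
        self.profile = profile
        self._recent = {}       # (rule, asset) -> deque of timestamps of pages already sent
        self.suppressed = 0     # counted, so a flood still shows up in reporting

    def in_hours(self, ts):
        return self.profile.hours_from <= ts.time() < self.profile.hours_until

    def route(self, alert):
        """Return 'page', 'ticket' or 'suppress' for one alert (feed alerts in time order)."""
        p = self.profile
        needed = p.page_min if self.in_hours(alert.ts) else p.after_hours_min
        if SEV_RANK[alert.severity] < SEV_RANK[needed]:
            return "ticket"
        recent = self._recent.setdefault((alert.rule, alert.asset), deque())
        while recent and alert.ts - recent[0] > p.per:     # drop pages outside the rate window
            recent.popleft()
        if len(recent) >= p.max_pages:
            self.suppressed += 1
            return "suppress"
        recent.append(alert.ts)
        return "page"

def route_all(alerts, profile):
    """Route a batch oldest-first; returns ([(alert, decision), ...], number suppressed)."""
    d = Dispatcher(profile)
    return [(a, d.route(a)) for a in sorted(alerts, key=lambda a: a.ts)], d.suppressed

NIGHT = datetime(2005, 1, 17, 2, 0)
DAY = datetime(2005, 1, 17, 10, 0)
SAMPLE_ALERTS = [   # constructed
    Alert(NIGHT, "HT12 Attack Followed by Account Change", "srv9", "WARNING"),                            # 02:00 -> ticket
    Alert(NIGHT + timedelta(minutes=1), "HT12 Attack Followed by Account Change", "srv9", "CRITICAL"),    # 02:01 -> page
    *[Alert(DAY + timedelta(seconds=30 * i), "Failed Authentication", "fw1", "WARNING") for i in range(5)],  # 3 page, 2 suppressed
    Alert(DAY + timedelta(minutes=15), "Failed Authentication", "fw1", "WARNING"),                         # window expired -> page
    Alert(DAY, "Failed Authentication", "srv2", "INFO"),                                                  # below page_min -> ticket
]

if __name__ == "__main__":
    routed, n = route_all(SAMPLE_ALERTS, Profile("ops"))
    for a, decision in routed:
        print(f"{a.ts:%H:%M:%S} {decision:8s} {a.severity:8s} {a.asset:5s} {a.rule}")
    print(f"{n} suppressed")
```

The rate limit is keyed on (rule, asset) rather than on the rule alone, so a flood against one firewall does not silence the same rule firing on a different host; the suppressed count is kept so the flood itself is still visible in reporting.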

Page 17:

Correlation and Alerts Form Business Rules

This is the heart of SIM

You explain:
• what is important to you
• what you want to do about it

The SIM sorts through the pile of poop

Experienced consulting helps a lot here

Page 18:

Business Rules Are Not Hard to Write

Track Compromised Systems:
IF (attack signature towards a system) AND THEN WITHIN 10 MINUTES (ICMP rate towards same system goes over 5/minute) THEN ALERT

Keep Backups of Diskless Devices:
IF (Cisco syslog shows configuration was changed) THEN Launch Script to Backup Config
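A small cross-event correlation engine that expresses the "Track Compromised Systems" rule above, and the two-event NIMDA sequence from slide 13, as data, added here as an example (mine, not code from the slides or from any SIM product). The events are constructed, already-normalized records with field names of my choosing; "over 5/minute" is read as at least 6 ICMP events within any 60 seconds, and the one-minute window for the NIMDA sequence is my assumption (the slide shows the two lines two seconds apart).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass(frozen=True)
class Event:
    """A normalized event (constructed; what the normalization stage would hand over)."""
    ts: datetime
    kind: str            # "ids" (attack signature) or "fw" (firewall accept/deny)
    proto: str
    src: str
    dst: str
    dport: int = 0
    msg: str = ""

@dataclass
class SequenceRule:
    """IF trigger(A) AND THEN WITHIN window follow(B) [min_count times within count_window] THEN ALERT."""
    name: str
    trigger: Callable[[Event], bool]
    follow: Callable[[Event], bool]
    key_trigger: Callable[[Event], str]          # the asset the trigger is about
    key_follow: Callable[[Event], str]           # the asset the follow-up is about (may be a different field)
    window: timedelta                            # follow-ups count only this long after the trigger
    min_count: int = 1                           # how many follow-ups are needed...
    count_window: Optional[timedelta] = None     # ...within any span this long (None: anywhere in window)

@dataclass
class _Pending:
    start: datetime
    follows: list = field(default_factory=list)
    fired: bool = False

def rate_reached(times, n, span):
    """True if any `span`-long interval of the time-ordered `times` holds at least n entries."""
    if span is None:
        return len(times) >= n
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > span:
            lo += 1
        if hi - lo + 1 >= n:
            return True
    return False

def correlate(events, rules):
    """Run each rule over the events oldest-first; return (rule name, asset, trigger time) per alert."""
    alerts = []
    for rule in rules:
        pending = {}                                   # asset -> [_Pending]
        for ev in sorted(events, key=lambda e: e.ts):
            if rule.trigger(ev):
                pending.setdefault(rule.key_trigger(ev), []).append(_Pending(ev.ts))
            if rule.follow(ev):
                asset = rule.key_follow(ev)
                for p in pending.get(asset, []):
                    if p.fired or not (p.start <= ev.ts <= p.start + rule.window):
                        continue
                    p.follows.append(ev.ts)
                    if rate_reached(p.follows, rule.min_count, rule.count_window):
                        p.fired = True                 # one alert per trigger, not one per ping
                        alerts.append((rule.name, asset, p.start))
    return alerts

# Slide 18, "Track Compromised Systems": "over 5/minute" taken as at least 6 in any 60 s.
TRACK_COMPROMISED = SequenceRule(
    name="Track Compromised Systems",
    trigger=lambda e: e.kind == "ids",
    follow=lambda e: e.kind == "fw" and e.proto == "icmp",
    key_trigger=lambda e: e.dst, key_follow=lambda e: e.dst,
    window=timedelta(minutes=10), min_count=6, count_window=timedelta(minutes=1))

# Slide 13: an accepted HTTP request for cmd.exe toward a server, then that server fetching via TFTP.
NIMDA_TFTP = SequenceRule(
    name="Successful NIMDA causing victim to TFTP down virus",
    trigger=lambda e: e.kind == "fw" and e.dport == 80 and "cmd.exe" in e.msg,
    follow=lambda e: e.kind == "fw" and e.proto == "udp" and e.dport == 69,
    key_trigger=lambda e: e.dst,                       # the web server that was hit...
    key_follow=lambda e: e.src,                        # ...is the source of the TFTP that follows
    window=timedelta(minutes=1))

T0 = datetime(2005, 1, 16, 14, 55, 20)
SAMPLE_EVENTS = [   # constructed: the slide-13 pair, then an ICMP burst (alert) and a trickle (no alert)
    Event(T0, "fw", "tcp", "1.2.3.4", "192.245.12.2", 80, "accept resource=/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"),
    Event(T0 + timedelta(seconds=2), "fw", "udp", "192.245.12.2", "1.2.3.4", 69, "accept tftp"),
    Event(T0 + timedelta(minutes=5), "ids", "tcp", "10.9.8.7", "192.0.2.50", 445, "Snort Alert"),
    *[Event(T0 + timedelta(minutes=6, seconds=8 * i), "fw", "icmp", "10.9.8.7", "192.0.2.50", 0, "accept icmp") for i in range(6)],
    Event(T0 + timedelta(minutes=7), "ids", "tcp", "10.9.8.7", "192.0.2.51", 445, "Snort Alert"),
    *[Event(T0 + timedelta(minutes=8, seconds=20 * i), "fw", "icmp", "10.9.8.7", "192.0.2.51", 0, "accept icmp") for i in range(3)],
]

if __name__ == "__main__":
    for name, asset, start in correlate(SAMPLE_EVENTS, [TRACK_COMPROMISED, NIMDA_TFTP]):
        print(f"ALERT {start:%H:%M:%S} {asset}: {name}")
```

Both rules are instances of the same shape, "A, then B about the same asset within a window", which is why the engine takes the asset-key functions as part of the rule: for the NIMDA case the asset is the trigger's destination but the follow-up's source. The `fired` flag is what keeps one attack from paging once per ICMP packet.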

Page 19:

Good SIMs also come with a pile of business rules and auto-correlation

Rule | Description
HT13 Attack Followed by Service Change | Rule HT13 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for service changes (additions, deletions, or modifications) that occur directly after attacks. This rule will also monitor for key words in a URL string and the direction of traffic between assets and non-assets.
HT12 Attack Followed by Account Change | Rule HT12 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for account changes that occur directly after attacks.
HT11 Inactive Reporting Asset Notification | Rule HT11 reports inactivity from Reporting Assets during a given time frame. Rule HT11 determines if a Reporting Asset has stopped reporting.

Page 20:

Some Brave Souls like Active Response

Anatomy of a Self-Inflicted “Denial of Service” Attack

1. IPS or system reports login failures from 192.58.128.30. (User can’t remember password to his web server.)
2. SIM decides to block all traffic from 192.58.128.30 for 1 hr.

Page 21:

So What Happens Next?

1. Traffic is blocked to user’s web server. User can no longer get to web server from his home cable modem.
2. User assumes web server is dead. User VPNs into remote power system and cycles power to device.
3. User is impatient. Device is fsck-ing disk 5 minutes later when user cycles power again.
4. Now web server is truly dead.

Page 22:

Even if you like it, Active Response is harder than it sounds

Attack from the Internet: where does the block go?

Attack from within: where does the block go? How long to block?

[Diagram: network with a question mark at each candidate enforcement point]
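A gate that an active-response rule has to pass before the SIM is allowed to push a block, written so that the slide-20 scenario (a handful of login failures from one address) ends as an alert rather than a one-hour block, and that answers the slide-22 "where does the block go, and for how long" questions with a policy. Added example, mine, not code from the slides or from any SIM product; the request shape, the policy knobs (corroboration from two reporters, a login-failure floor, a never-block list, a maximum duration), and the sample addresses are all my assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class BlockRequest:
    """What the correlation stage asks for (constructed shape)."""
    source_ip: str
    target_ip: str
    evidence: tuple        # distinct reporters behind the request, e.g. ("ids", "auth-failures")
    login_failures: int    # failures seen in the window, when that is the trigger

@dataclass
class ResponsePolicy:
    """Assumed policy knobs that keep a forgotten password from becoming a block."""
    internal_nets: tuple = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    never_block: tuple = ()                        # management stations, monitoring, partner endpoints
    min_sources: int = 2                           # require corroboration from two different reporters
    failure_floor: int = 20                        # a forgotten password is a handful of failures, not dozens
    max_block: timedelta = timedelta(minutes=15)   # bound the damage if the call turns out to be wrong

def _in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)

def decide(req, policy, requested=timedelta(hours=1)):
    """Return (action, enforcement point, duration, reason); action is 'block' or 'alert-only'."""
    src = ipaddress.ip_address(req.source_ip)
    sources = set(req.evidence)
    if _in_any(src, policy.never_block):
        return ("alert-only", None, None, "source is on the never-block list")
    if len(sources) < policy.min_sources:
        return ("alert-only", None, None, f"{len(sources)} reporter(s); need {policy.min_sources}")
    if "auth-failures" in sources and req.login_failures < policy.failure_floor:
        return ("alert-only", None, None,
                f"{req.login_failures} login failures is below the floor of {policy.failure_floor}")
    # Slide 22's question: an Internet source is blocked at the perimeter; an internal source
    # should be contained close to itself (access layer / host), not at the border.
    where = "access-layer containment" if _in_any(src, policy.internal_nets) else "perimeter firewall"
    return ("block", where, min(requested, policy.max_block), "corroborated, bounded block")

# The slide-20 request: login failures only, five of them, block requested for an hour.
SLIDE20 = BlockRequest("192.58.128.30", "198.51.100.5", ("auth-failures",), 5)

if __name__ == "__main__":
    policy = ResponsePolicy(never_block=("192.0.2.10",))
    for req in (SLIDE20,
                BlockRequest("203.0.113.9", "198.51.100.5", ("ids", "auth-failures"), 50),
                BlockRequest("10.1.2.3", "198.51.100.5", ("ids", "fw"), 0),
                BlockRequest("192.0.2.10", "198.51.100.5", ("ids", "fw"), 0)):
        print(req.source_ip, decide(req, policy))
```

Every refusal returns a reason, because the analyst who gets the alert instead of a block needs to know why the SIM held back; and every block is capped at the policy maximum regardless of what the rule asked for, so the worst case of a wrong decision is fifteen minutes, not an hour plus a power cycle.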

Page 23:

Once the Data Are There, Managing Them Is a Part of the Job

Forensics, Reporting, Archiving
• Companies are coming under more and more compliance regimes which require not only keeping 3 to 7 years worth of logs but the ability to retrieve data from those archives quickly and flexibly

[Lifecycle diagram, current phases: Reporting and Forensics]

Page 24:

Reporting Is More Than Making C-series Execs Happy

Performance analysis is useful data for you

And of course pretty pictures are nice for management

Page 25:

Forensics Are a Natural Follow-on to Any Pile of Data

• System Y generated a log message. How many times has this happened this year?
• This system was attacked by X. Who else has X attacked?
• Alert Z happened. What other alerts happen every time Z happens?
• Event M is happening. What went on just prior to this starting?
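The four forensic questions above, expressed as queries over an event store, as an added example (mine, not code from the slides or from any SIM product). The store is an in-memory SQLite table with a schema of my own, and the rows are constructed around the addresses and rule names that appear on earlier slides; a real SIM's schema will differ, but the shape of each question does not.

```python
import sqlite3

SCHEMA = "CREATE TABLE events (ts TEXT, host TEXT, src TEXT, dst TEXT, rule TEXT, msg TEXT)"

ROWS = [  # constructed
    ("2005-01-16 14:55:20", "fw1",  "1.2.3.4",      "192.245.12.2", "FW-ACCEPT",   "Traffic accepted by firewall"),
    ("2005-01-16 14:55:20", "sfs2", "1.2.3.4",      "192.245.12.2", "IDS-119:9:1", "Snort Alert"),
    ("2005-01-16 14:55:22", "fw1",  "192.245.12.2", "1.2.3.4",      "FW-ACCEPT",   "tftp from victim"),
    ("2005-01-16 15:10:00", "sfs2", "1.2.3.4",      "192.245.12.9", "IDS-119:9:1", "Snort Alert"),
    ("2005-01-16 15:10:01", "fw1",  "1.2.3.4",      "192.245.12.9", "FW-ACCEPT",   "Traffic accepted by firewall"),
    ("2005-01-17 09:00:00", "sfs2", "1.2.3.4",      "192.245.12.2", "IDS-119:9:1", "Snort Alert"),
    ("2005-01-17 09:00:05", "srv9", "",             "192.245.12.2", "HT12",        "Account change after attack"),
    ("2005-01-17 09:00:06", "fw1",  "1.2.3.4",      "192.245.12.2", "FW-ACCEPT",   "Traffic accepted by firewall"),
    ("2005-02-01 03:00:00", "srv9", "",             "192.245.12.2", "HT12",        "Account change after attack"),
    ("2004-12-31 23:59:00", "srv9", "",             "192.245.12.2", "HT12",        "Account change after attack"),
]

def open_store(rows=ROWS):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db

def times_this_year(db, host, rule, year):
    """'System Y generated a log message. How many times has this happened this year?'"""
    sql = "SELECT COUNT(*) FROM events WHERE host = ? AND rule = ? AND strftime('%Y', ts) = ?"
    return db.execute(sql, (host, rule, str(year))).fetchone()[0]

def other_victims(db, attacker, known_victim):
    """'This system was attacked by X. Who else has X attacked?'"""
    sql = "SELECT DISTINCT dst FROM events WHERE src = ? AND dst <> ? ORDER BY dst"
    return [r[0] for r in db.execute(sql, (attacker, known_victim))]

def always_with(db, rule, seconds=60):
    """'Alert Z happened. What other alerts happen every time Z happens?'
    Rules seen within `seconds` of every occurrence of `rule` (not just of some of them)."""
    sql = """
        WITH z AS (SELECT rowid AS zid, ts FROM events WHERE rule = ?),
             near AS (SELECT DISTINCT z.zid, e.rule
                      FROM z JOIN events e
                        ON e.rule <> ? AND abs((julianday(e.ts) - julianday(z.ts)) * 86400) <= ?)
        SELECT rule FROM near GROUP BY rule
        HAVING COUNT(*) = (SELECT COUNT(*) FROM z) ORDER BY rule"""
    return [r[0] for r in db.execute(sql, (rule, rule, seconds))]

def just_before(db, t0, seconds=300):
    """'Event M is happening. What went on just prior to this starting?'
    Everything in the `seconds` before t0, oldest first."""
    sql = """
        SELECT ts, host, rule, msg FROM events
        WHERE julianday(ts) < julianday(?) AND julianday(ts) >= julianday(?) - ? / 86400.0
        ORDER BY ts"""
    return db.execute(sql, (t0, t0, seconds)).fetchall()

if __name__ == "__main__":
    db = open_store()
    print("HT12 on srv9 this year:", times_this_year(db, "srv9", "HT12", 2005))
    print("1.2.3.4 also attacked:", other_victims(db, "1.2.3.4", "192.245.12.2"))
    print("always seen with the IDS alert:", always_with(db, "IDS-119:9:1"))
    for row in just_before(db, "2005-01-17 09:00:05"):
        print("before the account change:", row)
```

The third question is the one that separates a log search from forensics: `always_with` keeps only the rules that co-occur with every occurrence of Z, so the account change that happened after one of the three IDS alerts is not reported, while the firewall accept that accompanied all three is. Time arithmetic goes through `julianday()` rather than string comparison so that the window is measured in seconds, not in character order.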

Page 26:

Picking a SIM Means Looking at Each Requirement

How does it collect and store data?
• Can it integrate with a variety of network elements?
• Does it talk to a VA scanner (if you care)?
• How smart is it regarding hosts (if you care)?

How are business rules expressed?
• How does it correlate and analyze data?
• How flexible is it in alerting?

If you want active response
• Does it work?

What are the forensics capabilities?

Can it support your data retention requirements?

Does it have useful reports?
• Useful to you
• Useful to management

Page 27:

Thanks!

Joel Snyder, Senior Partner
Opus One, [email protected]