Security Information Managers: State of the Art
opus1.com/www/presentations/smartdefense-sim.pdf
Definition: SIMs accept security information from multiple sources within the enterprise and analyze it to provide a higher level of understanding.
SIM, SEM, SEIM, SIEM, ESM, you-name-it
Or, in pretty pictures …
(Diagram: SYSLOG, Windows, SSH/Telnet, Files, SNMP and Databases feed into the SIM, which produces Alerts! Reports! Archives! Insight!)
You have lots and lots of data
• You can add tools, such as IDS
• You can collect from existing points
• Your servers & workstations have useful data as well
Data Are Pretty Useless Without Analysis
Collecting raw data doesn’t help you very much
• … unless your goal is filling up that SAN
(50 switches * 1 event/hour + 4 firewalls * 10 log entries/second + 20 routers * 25 netflows/second + 10 servers * 1 event/minute + 1000 workstations * 1 event/hour + 2 IDS sensors * 15 events/second) * 100 chars/entry * 24 hrs/day * 7 days/week = 32 Gbytes/week
Welcome to the World of SIM/SEM
TriGeo, Q1 Labs, Tenable, Symantec, Protego (CSCO), OpenService, Network Intelligence (RSA/EMC), NetIQ, netForensics, Intellitactics, Hightower, E-Security (Novell), Consul, CA, LogLogic, Arcsight, eIQnetworks
Grabbing all that data is just a starting point, though…
SIMs support a security information lifecycle
(Diagram, as a cycle: Collect → Normalize and Store → Correlate/Analyze → Alert/Respond → Reporting → Forensics)
Collecting Is More Than Filling up Disks
Data have to be collected
• Syslog (sure, pick the easy one)
• SNMP Traps
• Windows Event Logs and Performance Data (agent-full or agent-less)
• Vulnerability analyzer reports/logs/data
• J. Random Log Files
• Anything Else You Can Imagine
Data have to be normalized
Data have to be stored and managed
Normalization and Storage Management are Hard
Normalization: These are the same:
14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15
Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 policy_id=0 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80
Storage: Data grow forever (on-line, near-line, off-line)
Most SIM products normalize fields, and apply a hierarchy
Raw input:
14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15
14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] [Priority: 3] {TCP} 1.2.3.4:4523->192.245.12.2:80
Normalized:
Date/Time  Severity  Proto.  Dest Port  Dest IP       Source Port  Source IP  Message
14:55      WARNING   TCP     80         192.245.12.2  4523         1.2.3.4    IIS backslash evasion
14:55      INFO      TCP     80         192.245.12.2  4523         1.2.3.4    Traffic accepted by firewall
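The mapping the slide draws, as an added example (this is not code from the presentation): a small Python normalizer that parses the three raw lines shown on these slides (the Check Point FW-1 export, the NetScreen traffic notification and the Snort alert) into one row shape. The regular expressions, the service-to-port and protocol tables, the Snort priority-to-severity mapping and the signature-name table are all assumptions made for this example; a real product carries far larger tables, and the NetScreen parser here handles only the traffic notification, returning None for other NetScreen messages.

```python
import re

# Lookups used while normalizing. All of these are constructed for this
# example; a real SIM ships much larger tables.
SERVICE_PORTS = {"http": 80, "https": 443, "tftp": 69, "ssh": 22, "smtp": 25}
PROTO_NAMES = {"6": "TCP", "17": "UDP", "1": "ICMP",
               "tcp": "TCP", "udp": "UDP", "icmp": "ICMP"}
FW_ACTIONS = {"accept": "accepted", "Permit": "accepted",
              "drop": "dropped", "Deny": "denied"}
SNORT_SIGS = {"119:9:1": "IIS backslash evasion"}               # gid:sid:rev -> name
SNORT_PRIORITY = {"1": "CRITICAL", "2": "ERROR", "3": "WARNING"}  # assumed mapping

# Check Point FW-1 export line, as shown on the slide.
FW1_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<action>\w+) (?P<origin>\S+) (?P<iface>[<>]\S+) "
    r"product (?P<product>.+?) src (?P<src>\S+) s_port (?P<sport>\d+) dst (?P<dst>\S+) "
    r"service (?P<service>\S+) proto (?P<proto>\S+) rule (?P<rule>\d+)")
# NetScreen syslog line: a syslog header followed by key=value pairs.
NETSCREEN_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ \S+ NetScreen device_id=", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Snort alert as relayed by the sensor management host.
SNORT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) \S+ \[(?P<sig>\d+:\d+:\d+)\] Snort Alert "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<pri>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")

COLUMNS = ["time", "severity", "proto", "dst_port", "dst_ip", "src_port", "src_ip", "message"]


def _fw_record(time, action, proto, dst_port, dst_ip, src_port, src_ip):
    """Firewall accept/deny lines from either vendor map onto one row shape."""
    return {"time": time,
            "severity": "INFO" if FW_ACTIONS.get(action) == "accepted" else "WARNING",
            "proto": PROTO_NAMES.get(proto.lower(), proto.upper()),
            "dst_port": dst_port, "dst_ip": dst_ip,
            "src_port": src_port, "src_ip": src_ip,
            "message": f"Traffic {FW_ACTIONS.get(action, action)} by firewall"}


def normalize(line):
    """Map one raw log line onto the common field set a SIM stores.
    Returns None for lines that none of the three parsers recognise."""
    m = FW1_RE.match(line)
    if m:
        return _fw_record(m["time"], m["action"], m["proto"],
                          SERVICE_PORTS.get(m["service"]), m["dst"],
                          int(m["sport"]), m["src"])
    m = NETSCREEN_RE.match(line)
    if m:
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if "action" not in kv:          # not a traffic notification (e.g. admin login)
            return None
        port = int(kv["dst_port"]) if "dst_port" in kv else SERVICE_PORTS.get(kv.get("service"))
        return _fw_record(m["time"], kv["action"], kv.get("proto", ""), port, kv.get("dst"),
                          int(kv["src_port"]) if "src_port" in kv else None, kv.get("src"))
    m = SNORT_RE.match(line)
    if m:
        return {"time": m["time"],
                "severity": SNORT_PRIORITY.get(m["pri"], "WARNING"),
                "proto": m["proto"].upper(),
                "dst_port": int(m["dport"]), "dst_ip": m["dst"],
                "src_port": int(m["sport"]), "src_ip": m["src"],
                "message": SNORT_SIGS.get(m["sig"], f"Snort signature {m['sig']}")}
    return None


def normalize_all(lines):
    """Normalize a batch, dropping lines no parser understands."""
    return [r for r in (normalize(l) for l in lines) if r is not None]


def render_table(rows):
    """Render rows as the kind of flat table the slide shows."""
    out = ["  ".join(c.upper().ljust(12) for c in COLUMNS)]
    for r in rows:
        out.append("  ".join(str(r[c]).ljust(12) for c in COLUMNS))
    return "\n".join(out)


# Constructed sample: the three raw lines from the slides, re-spaced.
RAW_LINES = [
    "14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 "
    "s_port 4523 dst 192.245.12.2 service http proto tcp rule 15",
    'Jan 16 14:55:20 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 '
    'system-notification-00257(traffic): start_time="2005-01-16 14:55:19" duration=1 '
    'policy_id=0 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit '
    'sent=11903 rcvd=31454 src=1.2.3.4 dst=192.245.12.2 src_port=4523 dst_port=80',
    "14:55:20 sfs2 SFIMS: [119:9:1] Snort Alert [Classification: Unknown] "
    "[Priority: 3] {TCP} 1.2.3.4:4523->192.245.12.2:80",
]

if __name__ == "__main__":
    print(render_table(normalize_all(RAW_LINES)))
```

The point of the table is that all three rows share the same columns, so a rule written against `dst_ip` and `dst_port` works regardless of which device produced the line; the per-vendor knowledge lives entirely in the parsers and lookup tables.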
The Hierarchy is Important to Unifying your View
Attack Behavior
  • Inferred Attack
  • Resource Attack
  • Network Attack
Access
  • Access -> Application Access -> Database Access
  • Access -> Application Access -> File Transfer Access
  • Access -> Application Access -> Mail Access
  • Access -> Configuration Access
  • Access -> Core Access -> ICMP Redirect Access
  • Access -> File System Access -> NFS Access
Suspicious Behavior
  • Authentication Suspicious
  • Failed Authentication
Correlation and Analysis are where SIMs earn their keep
• Events/Log Data need to be prioritized
• Events/Log Data need to be combined to form a greater whole
• Events/Log Data need to be correlated so that particular patterns can be identified
• Events/Log Data/Flow Data need to be aggregated so that traffic and trend data can be brought out
Cross-event Correlation is the most common type to consider
Sometimes a single event is what you care about:
Jan 16 14:37:30 207.182.32.1 netscreen.opus1.com: NetScreen device_id=00351653456 system-warning-00515: duration=0 start_time="2005-01-16 14:37:04" netscreen: Admin User "netscreen" logged in for Web(https) management (port 443) from 12.146.232.2:3473. (2005-01-16 14:34:32)
→ “Unauthorized Access to Administrative Services”
Sometimes you want multiple events:
14:55:20 accept fw1.opus1.com >eth1 product VPN-1 & Firewall-1 src 1.2.3.4 s_port 4523 dst 192.245.12.2 service http proto tcp rule 15 resource=http://192.245.12.2/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
14:55:22 accept fw1.opus1.com >eth0 product VPN-1 & Firewall-1 src 192.245.12.2 s_port 69 dst 1.2.3.4 service tftp proto udp rule 18
→ “Successful NIMDA causing victim to TFTP down virus”
Correlation and Analysis can also bring together different data sources
(Diagram: the manager configuration combines firewall data, VA data, IDS data, flow records and sFlow records with host profiles.)
Host Information: DNS & NetBIOS names, Operating System, MAC & IP Addresses, VLAN Tag; Attributes: Criticality, Notes, Addt’l User-specified
Protocols: L3: IP, etc.; L4: TCP, UDP, etc.
Services: Ports and Protocols, Banners
Client Applications
Vulnerabilities
Flow Data are a nice Bonus
(Diagram of one TCP session summarized by a flow record: SYN, SYN-ACK, ACK, Data, Data, FIN, FIN-ACK, ACK)
With Correlation and Analysis, You Want Alerting
Alerting has a bad name (and well it should)
• Poor alerting was invented by the pager companies as a way to sell minutes…
Alerting requires very flexible thinking and configuration
• Time-of-day differences
• Rate limiting
• Different profile
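What those three knobs look like in code, as an added example (not from the presentation): a Python alert policy that applies a time-of-day profile, a per-rule-and-host rate limit and a per-profile severity threshold to a stream of correlated events. The profile boundaries, the severity ranks, the 10-minute rate window and the sample events are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}

# Time-of-day profiles (constructed): during business hours a WARNING is
# worth a page; at night only ERROR and above wakes anybody up.
PROFILES = [("business_hours", time(8, 0), time(18, 0), "WARNING")]
OFF_HOURS = ("off_hours", "ERROR")


class AlertPolicy:
    """Turns a correlated event into one of 'page', 'suppressed', 'log_only'.
    Example code: it wires together the three knobs the slide lists
    (time-of-day, rate limiting, different profiles) and nothing more."""

    def __init__(self, rate_window=timedelta(minutes=10), max_per_window=1):
        self.rate_window = rate_window
        self.max_per_window = max_per_window
        self._paged = defaultdict(list)   # (rule, host) -> times we paged

    @staticmethod
    def profile_for(when):
        for name, start, end, min_sev in PROFILES:
            if start <= when.time() < end:
                return name, min_sev
        return OFF_HOURS

    def decide(self, event):
        when = event["time"]
        profile, min_sev = self.profile_for(when)
        if SEVERITY_RANK[event["severity"]] < SEVERITY_RANK[min_sev]:
            return "log_only", profile
        key = (event["rule"], event["host"])
        # Rate limit: keep only pages still inside the window, then count them.
        recent = [t for t in self._paged[key] if when - t < self.rate_window]
        self._paged[key] = recent
        if len(recent) >= self.max_per_window:
            return "suppressed", profile
        recent.append(when)
        return "page", profile


def run_policy(events, policy=None):
    """Feed events in time order; return (decision, profile) for each."""
    policy = policy or AlertPolicy()
    return [policy.decide(e) for e in events]


def _ev(hh, mm, rule, host, severity):
    return {"time": datetime(2005, 1, 16, hh, mm), "rule": rule,
            "host": host, "severity": severity}


# Constructed sample stream.
SAMPLE_EVENTS = [
    _ev(14, 55, "HT13", "192.245.12.2", "WARNING"),   # business hours: page
    _ev(14, 57, "HT13", "192.245.12.2", "WARNING"),   # same rule+host 2 min later: suppressed
    _ev(15, 10, "HT13", "192.245.12.2", "WARNING"),   # rate window expired: page again
    _ev(23, 30, "HT12", "10.0.0.5", "WARNING"),       # off hours, below threshold: log only
    _ev(23, 31, "HT12", "10.0.0.5", "CRITICAL"),      # off hours but CRITICAL: page
]

if __name__ == "__main__":
    for e, (d, p) in zip(SAMPLE_EVENTS, run_policy(SAMPLE_EVENTS)):
        print(e["time"].time(), e["rule"], e["host"], e["severity"], "->", d, f"({p})")
```

The rate limit is keyed on (rule, host) rather than on the rule alone, so a burst against one server does not silence the same rule firing for a different server; weekends and on-call rotations would be further profile dimensions on top of this.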
Correlation and Alerts Form Business Rules
This is the heart of SIM
You explain:
• what is important to you
• what you want to do about it
The SIM sorts through the pile of poop
Experienced consulting helps a lot here
Business Rules Are Not Hard to Write
Track Compromised Systems:
IF (attack signature towards a system) AND THEN WITHIN 10 MINUTES (ICMP rate towards same system goes over 5/minute) THEN ALERT
Keep Backups of Diskless Devices:
IF (Cisco syslog shows configuration was changed) THEN Launch Script to Backup Config
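The "Track Compromised Systems" rule above and the two-event NIMDA case on the cross-event correlation slide share one shape: event A toward a host, then within a window more than some number of B events keyed to the same host. As an added example that is not the presentation's code, the following Python correlator implements that general shape and instantiates it twice. The event fields (kind, proto, src_ip, dst_ip, src_port, dst_port), the one-minute TFTP window and the sample event stream are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Rule:
    """'A, then within `window` more than `rate_over` B events per
    `rate_window`, for the same host': the shape both slide rules share."""
    name: str
    alert: str
    first: Callable[[dict], Optional[str]]    # matches A; returns the host key or None
    second: Callable[[dict], Optional[str]]   # matches B; returns the host key or None
    window: timedelta
    rate_over: int = 0                        # 0 means a single B event is enough
    rate_window: timedelta = timedelta(minutes=1)


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self._armed = defaultdict(dict)                       # rule -> host -> time of A
        self._hits = defaultdict(lambda: defaultdict(deque))  # rule -> host -> times of B
        self._fired = set()
        self.alerts = []

    def feed(self, ev):
        """Process one normalized event; return the alerts raised so far."""
        for r in self.rules:
            host = r.first(ev)
            if host is not None:                 # (re)arm the rule for this host
                self._armed[r.name][host] = ev["time"]
                self._hits[r.name][host].clear()
                self._fired.discard((r.name, host))
            host = r.second(ev)
            if host is None:
                continue
            armed_at = self._armed[r.name].get(host)
            if armed_at is None or not timedelta(0) <= ev["time"] - armed_at <= r.window:
                continue                          # B without a recent A is just noise
            q = self._hits[r.name][host]
            q.append(ev["time"])
            while ev["time"] - q[0] > r.rate_window:   # slide the rate window
                q.popleft()
            if len(q) > r.rate_over and (r.name, host) not in self._fired:
                self._fired.add((r.name, host))   # alert once per armed host
                self.alerts.append({"rule": r.name, "host": host,
                                    "time": ev["time"], "text": r.alert})
        return self.alerts


# Predicates over the normalized fields: kind, proto, src_ip, dst_ip, src_port, dst_port.
def attacked_host(ev):
    return ev["dst_ip"] if ev["kind"] == "attack" else None

def tftp_from_host(ev):   # the slide's log shows the victim's side on port 69
    if ev["kind"] == "traffic" and ev["proto"] == "UDP" and 69 in (ev["src_port"], ev["dst_port"]):
        return ev["src_ip"]
    return None

def icmp_to_host(ev):
    return ev["dst_ip"] if ev["kind"] == "traffic" and ev["proto"] == "ICMP" else None

RULES = [
    Rule("nimda_tftp", "Successful NIMDA causing victim to TFTP down virus",
         attacked_host, tftp_from_host, window=timedelta(seconds=60)),
    Rule("compromised_system", "Attack followed by ICMP rate over 5/minute towards host",
         attacked_host, icmp_to_host, window=timedelta(minutes=10), rate_over=5),
]


def _ev(t, kind, proto, src, dst, sport=None, dport=None):
    return {"time": t, "kind": kind, "proto": proto, "src_ip": src, "dst_ip": dst,
            "src_port": sport, "dst_port": dport}

def sample_events():
    """Constructed stream: the slide's two-event NIMDA case, an attack followed
    by an ICMP burst, and an ICMP burst against a host with no prior attack."""
    t0 = datetime(2005, 1, 16, 14, 55, 20)
    evs = [_ev(t0, "attack", "TCP", "1.2.3.4", "192.245.12.2", 4523, 80),
           _ev(t0 + timedelta(seconds=2), "traffic", "UDP", "192.245.12.2", "1.2.3.4", 69, None)]
    t1 = datetime(2005, 1, 16, 15, 0, 0)
    evs.append(_ev(t1, "attack", "TCP", "1.2.3.4", "10.0.0.5", 4600, 80))
    for i in range(7):   # 7 pings in 30 seconds, starting a minute after the attack
        when = t1 + timedelta(seconds=60 + 5 * i)
        evs.append(_ev(when, "traffic", "ICMP", "1.2.3.4", "10.0.0.5"))
        evs.append(_ev(when, "traffic", "ICMP", "1.2.3.4", "10.0.0.9"))   # never attacked
    return evs

def run_sample():
    c = Correlator(RULES)
    for ev in sample_events():
        c.feed(ev)
    return c.alerts

if __name__ == "__main__":
    for a in run_sample():
        print(a["time"], a["rule"], a["host"], "-", a["text"])
```

The second rule fires on the sixth ping inside one minute, i.e. when the rate goes over 5/minute as the slide words it; the burst against 10.0.0.9 produces nothing because no attack armed that host, which is exactly the prioritization the preceding slides ask for.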
Good SIMs also come with a pile of business rules and auto-correlation
Rule / Description:
HT13 Attack Followed by Service Change: Rule HT13 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for service changes (additions, deletions, or modifications) that occur directly after attacks. This rule will also monitor for key words in a URL string and the direction of traffic between assets and non-assets.
HT12 Attack Followed by Account Change: Rule HT12 monitors Windows, Linux, and Solaris operating systems (OSs) and other assets for account changes that occur directly after attacks.
HT11 Inactive Reporting Asset Notification: Rule HT11 reports inactivity from Reporting Assets during a given time frame. Rule HT11 determines if a Reporting Asset has stopped reporting.
Some Brave Souls like Active Response
Anatomy of a Self-Inflicted “Denial of Service” Attack
1. IPS or system reports login failures from 192.58.128.30. (User can’t remember password to his web server.)
2. SIM decides to block all traffic from 192.58.128.30 for 1 hr.
So What Happens Next?
1. Traffic is blocked to user’s web server. User can no longer get to web server from his home cable modem.
2. User assumes web server is dead. User VPNs into remote power system and cycles power to device.
3. User is impatient. Device is fsck-ing disk 5 minutes later when user cycles power again.
4. Now web server is truly dead.
Even if you like it, Active Response is harder than it sounds
Attack from the Internet: where does the block go?
Attack from within: where does the block go? How long to block?
Once the Data Are There, Managing Them Is a Part of the Job
Forensics, Reporting, Archiving
• Companies are coming under more and more compliance regimes which require not only keeping 3 to 7 years’ worth of logs but the ability to retrieve data from those archives quickly and flexibly
Reporting Is More Than Making C-series Execs Happy
Performance analysis is useful data for you
And of course pretty pictures are nice for management
Forensics Are a Natural Follow-on to Any Pile of Data
• System Y generated a log message. How many times has this happened this year?
• This system was attacked by X. Who else has X attacked?
• Alert Z happened. What other alerts happen every time Z happens?
• Event M is happening. What went on just prior to this starting?
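The four questions on this slide map onto four queries over a normalized event store. As an added example, not part of the presentation, the following Python code loads constructed events into an in-memory SQLite table and answers each question; the schema, the 60-second co-occurrence window for "what always happens with Z" and the five-minute look-back for "what happened just before M" are assumptions made here.

```python
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """CREATE TABLE events (
    ts TEXT NOT NULL,      -- ISO-8601 text, so string order equals time order
    host TEXT, src_ip TEXT, dst_ip TEXT, severity TEXT, message TEXT)"""


def open_store(events):
    """In-memory event store loaded with already-normalized events."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)",
                     [(e["ts"].isoformat(), e["host"], e["src_ip"], e["dst_ip"],
                       e["severity"], e["message"]) for e in events])
    conn.execute("CREATE INDEX ix_ts ON events(ts)")
    return conn


def times_this_year(conn, host, message, year):
    """'System Y generated a log message. How many times this year?'"""
    return conn.execute(
        "SELECT COUNT(*) FROM events WHERE host=? AND message=? AND strftime('%Y', ts)=?",
        (host, message, str(year))).fetchone()[0]


def other_victims(conn, attacker, known_victim):
    """'This system was attacked by X. Who else has X attacked?'"""
    rows = conn.execute(
        "SELECT DISTINCT dst_ip FROM events WHERE src_ip=? AND severity<>'INFO' "
        "AND dst_ip<>? ORDER BY dst_ip", (attacker, known_victim))
    return [r[0] for r in rows]


def always_with(conn, message, window=timedelta(seconds=60)):
    """'Alert Z happened. What other alerts happen every time Z happens?'
    Intersects the neighbourhoods of all occurrences of Z."""
    companions = None
    for (ts,) in conn.execute("SELECT ts FROM events WHERE message=?", (message,)):
        t = datetime.fromisoformat(ts)
        near = {r[0] for r in conn.execute(
            "SELECT DISTINCT message FROM events WHERE ts BETWEEN ? AND ? AND message<>?",
            ((t - window).isoformat(), (t + window).isoformat(), message))}
        companions = near if companions is None else companions & near
    return sorted(companions or [])


def just_before(conn, message, minutes=5):
    """'Event M is happening. What went on just prior to this starting?'"""
    first = conn.execute("SELECT MIN(ts) FROM events WHERE message=?", (message,)).fetchone()[0]
    if first is None:
        return []
    lo = (datetime.fromisoformat(first) - timedelta(minutes=minutes)).isoformat()
    return [tuple(r) for r in conn.execute(
        "SELECT ts, host, message FROM events WHERE ts>=? AND ts<? ORDER BY ts", (lo, first))]


def _e(ts, host, src, dst, sev, msg):
    return {"ts": datetime.fromisoformat(ts), "host": host, "src_ip": src, "dst_ip": dst,
            "severity": sev, "message": msg}

# Constructed sample data; addresses follow the slides' examples.
SAMPLE = [
    _e("2004-12-30T09:00:00", "sysY", None, None, "WARNING", "disk full"),
    _e("2005-01-03T09:00:00", "sysY", None, None, "WARNING", "disk full"),
    _e("2005-01-16T09:00:00", "sysY", None, None, "WARNING", "disk full"),
    _e("2005-01-16T14:51:00", "fw1", "1.2.3.4", "192.245.12.2", "INFO", "Traffic accepted by firewall"),
    _e("2005-01-16T14:55:20", "sfs2", "1.2.3.4", "192.245.12.2", "WARNING", "IIS backslash evasion"),
    _e("2005-01-16T14:55:22", "fw1", "192.245.12.2", "1.2.3.4", "WARNING", "outbound tftp"),
    _e("2005-01-16T15:00:00", "sim", None, "10.0.0.5", "ERROR", "service change"),
    _e("2005-01-16T15:00:30", "sim", None, "10.0.0.5", "ERROR", "account change"),
    _e("2005-01-16T15:00:40", "sim", None, "10.0.0.5", "WARNING", "login failure"),
    _e("2005-01-16T15:20:00", "sfs2", "1.2.3.4", "10.0.0.5", "WARNING", "IIS backslash evasion"),
    _e("2005-01-16T15:21:00", "sfs2", "1.2.3.4", "10.0.0.7", "WARNING", "IIS backslash evasion"),
    _e("2005-01-16T16:00:00", "sim", None, "10.0.0.7", "ERROR", "service change"),
    _e("2005-01-16T16:00:20", "sim", None, "10.0.0.7", "ERROR", "account change"),
]

if __name__ == "__main__":
    db = open_store(SAMPLE)
    print(times_this_year(db, "sysY", "disk full", 2005))
    print(other_victims(db, "1.2.3.4", "192.245.12.2"))
    print(always_with(db, "service change"))
    print(just_before(db, "outbound tftp"))
```

Every one of these queries is cheap only because the events were normalized on the way in and the timestamp is indexed; against the raw vendor formats on the earlier slides the same questions would need a different parser per answer, which is the retention-and-retrieval point the archiving slide makes.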
Picking a SIM Means Looking at Each Requirement
How does it collect and store data?
• Can it integrate with a variety of network elements?
• Does it talk to a VA scanner (if you care)?
• How smart is it regarding hosts (if you care)?
How are business rules expressed?
• How does it correlate and analyze data?
• How flexible is it in alerting?
If you want active response
• Does it work?
What are the forensics capabilities?
Can it support your data retention requirements?
Does it have useful reports?
• Useful to you
• Useful to management