1 - Security Blackbelt - Data Mapping and Dynamic Lists - Norbert


  • 7/28/2019 1 - Security Blackbelt - Data Mapping and Dynamic Lists - Norbert

    Security Blackbelt Training, BrainShare EMEA 2010

    Norbert Klasen

    Senior Consultant

    [email protected]


    Novell, Inc. All rights reserved.

    Agenda

    Business Data Mappings

    Dynamic Lists and Correlation Rules

    iTrac


    Business Data Mappings


    Data Translation

    Add information that is not present in the event generated by the source, by looking it up in a table

    Collector
      CSV files
      legacy: TRANSLATE()
      JavaScript: lookup()

    e.g. Severity, Taxonomy, descriptive names for numeric constants, DNS resolution


    Mapping Service

    Mappings are applied by the Event Router in the Collector Manager

    das_query distributes (delta) maps to the Collector Managers

    Map data is cached on the Collector Managers as CSV files under $ESEC_HOME/data/map_data


    Point in Time

    Data is always injected at the time an event is processed by Sentinel

    No updates if a relation changes later: events that were already processed keep the values injected at that time


    Map Definition

    Map definition
      Column name
      Column data type
        > Range support
      Key checkbox
      Separator

    Event Configuration
      External
      Referenced from map
        > Boolean (whether the key was found in the map)
        > Value from map
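The following is an added example written for this page, not code from the deck and not Sentinel's TRANSLATE()/lookup() implementation. It models the two slides above in JavaScript (the language the Data Translation slide names for collector lookups): a map definition with column names, column types including range columns, key columns and a separator; a CSV-backed lookup; and the two ways an event field can be referenced from a map, as a Boolean or as a value column. The class and function names, the "low-high" range syntax and the sample map rows and event are this example's own assumptions.

```javascript
// Added example for this page: a CSV-backed lookup map in the style of the
// Map Definition slide. Not Sentinel's TRANSLATE()/lookup(); all names here
// (LookupMap, applyMapping, the sample rows) are this example's own.

// Convert dotted IPv4 to an unsigned 32-bit integer for range comparisons.
function ipToInt(ip) {
  const p = String(ip).split('.').map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Build a predicate for one key column from its map-file value.
// Range columns hold "low-high" (assumption of this example; no negative numbers).
function makeMatcher(type, raw) {
  switch (type) {
    case 'string':
      return (v) => String(v) === raw;
    case 'number':
      return (v) => Number(v) === Number(raw);
    case 'numberrange': {
      const [lo, hi] = String(raw).split('-').map(Number);
      return (v) => { const n = Number(v); return n >= lo && n <= hi; };
    }
    case 'iprange': {
      const [lo, hi] = String(raw).split('-').map(ipToInt);
      return (v) => {
        let n;
        try { n = ipToInt(v); } catch (e) { return false; } // hostnames etc. never match
        return n >= lo && n <= hi;
      };
    }
    default:
      throw new Error('unsupported column type: ' + type);
  }
}

// definition = { separator, columns: [{ name, type, key }] }. The CSV has no
// header row; cells are taken in definition order.
class LookupMap {
  constructor(definition, csvText) {
    this.keyCols = definition.columns.filter((c) => c.key);
    this.rows = [];
    for (const line of csvText.split('\n')) {
      if (line.trim() === '') continue;
      const cells = line.split(definition.separator);
      const row = {};
      definition.columns.forEach((c, i) => {
        const cell = cells[i] === undefined ? '' : cells[i].trim();
        row[c.name] = c.type === 'number' ? Number(cell) : cell;
      });
      this.rows.push({ row, matchers: this.keyCols.map((c) => makeMatcher(c.type, row[c.name])) });
    }
  }
  // keys: values in key-column order. First matching row wins. Linear scan is
  // enough for a demo; a real map would index the exact-match key columns.
  lookup(keys) {
    for (const { row, matchers } of this.rows) {
      if (matchers.every((m, i) => m(keys[i]))) return row;
    }
    return null;
  }
}

// Event configuration: which event fields are "referenced from map".
//   mode 'boolean' -> field becomes true/false: was the key found in the map?
//   mode 'value'   -> field receives the named map column.
function applyMapping(event, config) {
  const out = { ...event };
  for (const cfg of config) {
    const keyValues = cfg.keys.map((k) => event[k]);
    if (keyValues.some((v) => v === undefined || v === null || v === '')) continue;
    const row = cfg.map.lookup(keyValues);
    if (cfg.mode === 'boolean') out[cfg.field] = row !== null;
    else if (row !== null) out[cfg.field] = row[cfg.column];
  }
  return out;
}

// Constructed sample maps (not real Novell data).
const LOGON_TYPE_MAP = new LookupMap(
  { separator: ',', columns: [{ name: 'Code', type: 'number', key: true }, { name: 'Name', type: 'string', key: false }] },
  ['2,Interactive', '3,Network', '10,RemoteInteractive'].join('\n'));

const NETWORK_MAP = new LookupMap(
  { separator: ';', columns: [
    { name: 'Range', type: 'iprange', key: true },
    { name: 'Zone', type: 'string', key: false },
    { name: 'Criticality', type: 'number', key: false }] },
  ['10.0.1.0-10.0.1.255;ServerVLAN;4', '10.0.0.0-10.0.0.255;Workstations;2'].join('\n'));

const EVENT_CONFIG = [
  { field: 'LogonTypeName', keys: ['LogonType'], map: LOGON_TYPE_MAP, mode: 'value', column: 'Name' },
  { field: 'TargetZone', keys: ['TargetIP'], map: NETWORK_MAP, mode: 'value', column: 'Zone' },
  { field: 'TargetCriticality', keys: ['TargetIP'], map: NETWORK_MAP, mode: 'value', column: 'Criticality' },
  { field: 'TargetKnownNetwork', keys: ['TargetIP'], map: NETWORK_MAP, mode: 'boolean' },
];

function demo() {
  // Constructed event: a Windows logon with a numeric logon type.
  return applyMapping({ EventName: 'Logon', LogonType: '10', TargetIP: '10.0.1.42' }, EVENT_CONFIG);
}

console.log(demo());
```

The numeric constant map shows the "descriptive names for numeric constants" case from the Data Translation slide; the IP range map shows why range support matters for asset data, and the Boolean field shows the difference between "key not in the map" (field false, no value column written) and "key in the map" (value columns populated).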


    SCC Demo (Sentinel Control Center)


    Use Case 1: Identity Tracking

    Who did it?

    Correlate events from various systems that relate to the same person

    Inject identity information into events

    person -> identity -> accounts

    Account names
      (Init|Target)UserName
      (Init|Target)UserDomain
      Possibly multiple name forms per account


    Novell IDM Integration

    ID Vault (IDM)
      -> Sentinel Driver (IDM)
      -> JMS Message Bus (Sentinel)
      -> ID Vault Collector (Sentinel)
      -> Identity API (Sentinel)
      -> Identity and Account DB Tables/Views (Sentinel)
      -> Account Identity Mapping Table (Sentinel)
      -> Mapping Service (Sentinel)


    Other Integrations

    Generic Identity Collector

    Microsoft Active Directory (work in progress)

    Build your own using the SDK


    Account Identity Map

    Keys
      MSSPCustomerName
      UserName
      UserDomain

    Applied to Initiator and Target

    Values
      Identity GUID
      FullName
      Department


    Result

    Active View

    Identity Browser

    Correlation Rules

    Reports


    SCC Demo


    Use Case 2: Assets

    What does this server do? Is it critical?

    Inject asset information into events

    Hostname

    MAC

    Category

    Description

    Product

    Criticality

    Owner

    Location


    Asset Map

    Keys
      MSSPCustomerName
      IP

    Applied to Initiator, Target, Observer, and Reporter

    Values
      Class
      Criticality
      Department (Function)
      AssetID
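The following is an added example for this page (this page's own illustration, not Sentinel's mapping service) of what the Account Identity Map and the Asset Map slides have in common: one composite-key map applied to several event roles, Initiator and Target for identities, Initiator, Target, Observer and Reporter for assets, with MSSPCustomerName as part of every key. The event field names follow the slides; the map rows, the handling of "DOMAIN\user" and "user@domain" name forms, and the helper names are constructed assumptions.

```javascript
// Added example for this page: one composite-key map applied to several
// event roles. Not Sentinel code; map rows, helper names and the account-name
// normalisation are this example's assumptions.

// Constructed Account Identity Map: key (MSSPCustomerName, UserName, UserDomain).
// The same account name under two MSSP customers is a different person, which
// is why the customer name is part of the key.
const ACCOUNT_IDENTITY_ROWS = [
  { MSSPCustomerName: 'acme',   UserName: 'jdoe',       UserDomain: 'corp', IdentityGUID: 'id-0001', FullName: 'Jane Doe',       Department: 'Finance' },
  { MSSPCustomerName: 'acme',   UserName: 'svc-backup', UserDomain: 'corp', IdentityGUID: 'id-0002', FullName: 'Backup Service', Department: 'IT' },
  { MSSPCustomerName: 'globex', UserName: 'jdoe',       UserDomain: 'corp', IdentityGUID: 'id-0101', FullName: 'John Doe',       Department: 'Sales' },
];

// Constructed Asset Map: key (MSSPCustomerName, IP).
const ASSET_ROWS = [
  { MSSPCustomerName: 'acme', IP: '10.0.1.10', Class: 'Server', Criticality: 5, Department: 'IT',       AssetID: 'A-1001' },
  { MSSPCustomerName: 'acme', IP: '10.0.2.20', Class: 'IDS',    Criticality: 3, Department: 'Security', AssetID: 'A-2002' },
];

const KEY_SEP = '\u0000';
const norm = (v) => String(v).trim().toLowerCase(); // account and customer keys are case-insensitive here

function buildIndex(rows, keyCols) {
  const index = new Map();
  for (const row of rows) index.set(keyCols.map((c) => norm(row[c])).join(KEY_SEP), row);
  return index;
}

// An account may arrive as "user", "DOMAIN\user" or "user@domain". If the
// event carries no explicit domain, split the name so both key parts are set.
function normalizeAccount(event, role) {
  const out = { ...event };
  const name = out[role + 'UserName'];
  if (!name || out[role + 'UserDomain']) return out;
  const back = name.indexOf('\\'), at = name.indexOf('@');
  if (back > 0) { out[role + 'UserDomain'] = name.slice(0, back); out[role + 'UserName'] = name.slice(back + 1); }
  else if (at > 0) { out[role + 'UserName'] = name.slice(0, at); out[role + 'UserDomain'] = name.slice(at + 1); }
  return out;
}

// spec.keys / spec.values are [{ col, field }]; 'ROLE' in a field name is
// replaced by the role prefix, so one spec serves every role.
function applyToRoles(event, index, spec, roles) {
  const out = { ...event };
  for (const role of roles) {
    const f = (name) => name.replace('ROLE', role);
    const keyValues = spec.keys.map((k) => out[f(k.field)]);
    if (keyValues.some((v) => v === undefined || v === null || v === '')) continue; // role absent from event
    const row = index.get(keyValues.map(norm).join(KEY_SEP));
    if (!row) continue; // unknown account/asset: leave the event untouched
    for (const v of spec.values) out[f(v.field)] = row[v.col];
  }
  return out;
}

const IDENTITY_INDEX = buildIndex(ACCOUNT_IDENTITY_ROWS, ['MSSPCustomerName', 'UserName', 'UserDomain']);
const IDENTITY_SPEC = {
  keys: [{ col: 'MSSPCustomerName', field: 'MSSPCustomerName' }, { col: 'UserName', field: 'ROLEUserName' }, { col: 'UserDomain', field: 'ROLEUserDomain' }],
  values: [{ col: 'IdentityGUID', field: 'ROLEIdentityGUID' }, { col: 'FullName', field: 'ROLEFullName' }, { col: 'Department', field: 'ROLEDepartment' }],
};
const ASSET_INDEX = buildIndex(ASSET_ROWS, ['MSSPCustomerName', 'IP']);
const ASSET_SPEC = {
  keys: [{ col: 'MSSPCustomerName', field: 'MSSPCustomerName' }, { col: 'IP', field: 'ROLEIP' }],
  values: [{ col: 'Class', field: 'ROLEAssetClass' }, { col: 'Criticality', field: 'ROLEAssetCriticality' }, { col: 'Department', field: 'ROLEAssetDepartment' }, { col: 'AssetID', field: 'ROLEAssetID' }],
};

function enrich(event) {
  let out = event;
  for (const role of ['Init', 'Target']) out = normalizeAccount(out, role);
  out = applyToRoles(out, IDENTITY_INDEX, IDENTITY_SPEC, ['Init', 'Target']);
  return applyToRoles(out, ASSET_INDEX, ASSET_SPEC, ['Init', 'Target', 'Observer', 'Reporter']);
}

function demo() {
  // Constructed event: jdoe at a workstation logs on to a server, observed and reported by the IDS sensor.
  return enrich({
    MSSPCustomerName: 'acme', EventName: 'AuthenticationSuccess',
    InitUserName: 'CORP\\jdoe', InitUserDomain: '', InitIP: '10.0.0.5',
    TargetUserName: 'svc-backup', TargetUserDomain: 'CORP', TargetIP: '10.0.1.10',
    ObserverIP: '10.0.2.20', ReporterIP: '10.0.2.20',
  });
}
console.log(demo());
```

The workstation 10.0.0.5 is not in the asset map, so the Init* asset fields stay empty while the Target, Observer and Reporter roles are all filled from the same two rows; the same "jdoe" under customer globex resolves to a different identity because the customer name is in the key.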


    Integrations

    Generic Asset Collector (CSV)

    Build your own using the SDK


    SCC Demo


    Use Case 3: Advisor

    Is an attack directed at a vulnerable system? Correlate attacks with vulnerabilities

    Load scan results into Sentinel

    Subscribe to the Advisor feed

    Connect an IDS


    IsExploitWatchList Map

    Keys
      MSSPCustomerName
      DeviceAttackName
      DeviceName (e.g. Snort)
      TargetIP

    Values
      Vulnerability (flag 0 or 1)


    Dynamic Lists and Correlation Rules


    Dynamic Lists

    Lists of elements with distributed caching and lookup on the Correlation Engines

    List attributes
      Transient/persistent elements
      Time to live
      Maximum size

    Elements can be added and removed manually or automatically (Action)

    Inlist operator (tests list membership in a correlation rule)


    Use Case: Affected By Exploit

    Detects users who may be at risk of having their account information stolen by the attacker that has exploited the asset, which may in turn enable the attacker to compromise other systems.

    Prerequisite: Advisor

    Put the exploited asset on a dynamic list

    Create an alarm if a user logs into such an asset
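The following is an added example for this page, not the deck's code and not Sentinel's correlation engine, covering the IsExploitWatchList Map, the Dynamic Lists slide and the use case above together: a dynamic list with time to live, maximum size and transient versus persistent elements; an inlist test; a constructed IsExploitWatchList keyed as on the slide; and two rules, one that puts an attacked-and-vulnerable asset on the list (the automatic Action) and one that raises the alarm when someone authenticates to a listed asset. The rule name IdT-Affected By Exploits is the one the deck uses later; the rule logic, helper names, sample watch-list rows and events are this example's assumptions.

```javascript
// Added example for this page: a dynamic list (TTL, maximum size, transient
// vs persistent elements, inlist test) and the two correlation rules of the
// Affected By Exploit use case, run over constructed events. Illustrative
// code, not Sentinel's correlation engine; field names follow the slides,
// the rule logic, helper names and sample data are this example's assumptions.

class DynamicList {
  // now() is injectable so the TTL behaviour can be exercised deterministically.
  constructor({ name, ttlMs, maxSize, now = () => Date.now() }) {
    this.name = name; this.ttlMs = ttlMs; this.maxSize = maxSize; this.now = now;
    this.entries = new Map(); // value -> { addedAt, persistent }
  }
  // Drop transient elements older than the TTL; persistent ones never expire.
  purge() {
    const cutoff = this.now() - this.ttlMs;
    for (const [v, e] of this.entries) if (!e.persistent && e.addedAt < cutoff) this.entries.delete(v);
  }
  // Add or refresh an element. When the list is full the oldest transient
  // element is evicted; if only persistent elements remain the add is refused.
  add(value, { persistent = false } = {}) {
    this.purge();
    if (!this.entries.has(value) && this.entries.size >= this.maxSize) {
      let oldest = null;
      for (const [v, e] of this.entries) {
        if (!e.persistent && (oldest === null || e.addedAt < oldest.addedAt)) oldest = { v, addedAt: e.addedAt };
      }
      if (oldest === null) return false;
      this.entries.delete(oldest.v);
    }
    this.entries.set(value, { addedAt: this.now(), persistent });
    return true;
  }
  remove(value) { return this.entries.delete(value); }
  has(value) { this.purge(); return this.entries.has(value); } // the inlist operator
  size() { this.purge(); return this.entries.size; }
}

// Constructed IsExploitWatchList rows, keyed as on the slide:
// (MSSPCustomerName, DeviceAttackName, DeviceName, TargetIP) -> Vulnerability 0/1.
// In the deck this data comes from Advisor plus the loaded scan results.
const KEY_SEP = '\u0000';
const IS_EXPLOIT_WATCHLIST = new Map([
  [['acme', 'WEB-IIS cmd.exe access', 'Snort', '10.0.1.10'].join(KEY_SEP), 1],
  [['acme', 'WEB-IIS cmd.exe access', 'Snort', '10.0.0.5'].join(KEY_SEP), 0],
]);
function vulnerabilityFlag(ev) {
  const key = [ev.MSSPCustomerName, ev.DeviceAttackName, ev.DeviceName, ev.TargetIP].join(KEY_SEP);
  return IS_EXPLOIT_WATCHLIST.has(key) ? IS_EXPLOIT_WATCHLIST.get(key) : 0; // unknown pair: not flagged
}

// Two rules. Rule 1 is the Action that feeds the list; rule 2 uses inlist.
function correlate(ev, exploitedAssets) {
  const alerts = [];
  if (ev.DeviceCategory === 'IDS' && vulnerabilityFlag(ev) === 1) {
    exploitedAssets.add(ev.TargetIP);
    alerts.push({ rule: 'Attack on vulnerable asset', asset: ev.TargetIP, signature: ev.DeviceAttackName });
  }
  if (ev.EventName === 'AuthenticationSuccess' && exploitedAssets.has(ev.TargetIP)) {
    alerts.push({ rule: 'IdT-Affected By Exploits', asset: ev.TargetIP, user: ev.TargetUserName });
  }
  return alerts;
}

function runScenario() {
  let clock = 0; // simulated event time in ms
  const list = new DynamicList({ name: 'ExploitedAssets', ttlMs: 60 * 60 * 1000, maxSize: 1000, now: () => clock });
  const MIN = 60 * 1000;
  const events = [ // constructed events, all for MSSP customer 'acme'
    { t: 0,        DeviceCategory: 'IDS', DeviceName: 'Snort', DeviceAttackName: 'WEB-IIS cmd.exe access', TargetIP: '10.0.1.10' },
    { t: 0,        DeviceCategory: 'IDS', DeviceName: 'Snort', DeviceAttackName: 'WEB-IIS cmd.exe access', TargetIP: '10.0.0.5' },
    { t: 5 * MIN,  EventName: 'AuthenticationSuccess', TargetIP: '10.0.1.10', TargetUserName: 'jdoe' },   // fires rule 2
    { t: 5 * MIN,  EventName: 'AuthenticationSuccess', TargetIP: '10.0.0.5',  TargetUserName: 'asmith' }, // target not vulnerable
    { t: 61 * MIN, EventName: 'AuthenticationSuccess', TargetIP: '10.0.1.10', TargetUserName: 'bjones' }, // list entry expired
  ];
  const alerts = [];
  for (const e of events) {
    clock = e.t;
    alerts.push(...correlate({ MSSPCustomerName: 'acme', ...e }, list));
  }
  return { alerts, remaining: list.size() };
}
console.log(runScenario());
```

The TTL is the window during which a login to the exploited host is treated as at risk; persistent elements are for assets that should stay on the list until an analyst removes them, and they also survive eviction when the list reaches its maximum size.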


    SCC Demo


    iTrac


    iTrac Definitions

    Incident: Actionable condition

    Action: Preconfigured step

    Template: Definition of steps to be taken in response to an incident; interactive and automated actions

    Process: Specific instance of a template that is used to actively track an incident


    iTrac Template Components

    Steps
      Manual Step (user interaction)
      Command Step (launch script)
      Mail Step
      Decision Step (branch)

    Transitions

    Activities

    Variables


    Use Case: Access to Exploited Asset

    iTrac Template: Access to Exploited Asset

    Correlation Rule: IdT-Affected By Exploits

    Creates an Incident with the attached workflow


    SCC Demo


    Unpublished Work of Novell, Inc. All Rights Reserved.

    This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

    General Disclaimer

    This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.