RSA 2006 - Visual Security Event Analysis
Posted 23-Sep-2014, category: Technology
Transcript of RSA 2006 - Visual Security Event Analysis
![Page 1: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/1.jpg)
Visual Security Event Analysis
Raffael Marty, GCIA, CISSP
ArcSight Inc.
02/14/06 – HT2-103
![Page 2: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/2.jpg)
Disclaimer
IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
![Page 3: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/3.jpg)
Who Am I?
● Raffael Marty, GCIA, CISSP
● Strategic Application Solutions @ ArcSight, Inc.
● Intrusion Detection Research @ IBM Research
● IT Security Consultant @ PriceWaterhouse Coopers
● Open Vulnerability and Assessment Language (OVAL) board member
● Speaker at Various Security Conferences
● Passion for Visual Security Event Analysis, see http://afterglow.sourceforge.net
![Page 4: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/4.jpg)
Table Of Contents
• The Security Monitoring Challenge
• Solving Event Overload - Today
— Normalization
— Prioritization
— Correlation
• Visual Security Event Analysis
— Situational Awareness
— Real-time Monitoring
— Forensic and Historical Analysis
![Page 5: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/5.jpg)
A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Make Better Decisions
Reduce Analysis and Response Times
![Page 6: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/6.jpg)
Typical Security Monitoring Challenges
• Accuracy
• Efficiency
• Complexity
• Reporting: “How can I demonstrate compliance?”
“I wish I could see prioritized and relevant information!”
“How can we prioritize and communicate efficiently?”
“How can I manage this flood of data?”
… and do it all cost effectively
![Page 7: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/7.jpg)
The Needle in the Haystack
Security information / events narrow from raw events (tens of millions per day) to millions per day, to less than 1 million per month, to a few thousand per month.
Event classes shown on the slide: Raw events; Normal; Audit trail; Failed attacks; False alarms; Pre-attacks; Attack formation; Verified breaches; Policy violations; Identified vulnerabilities; Misuse; Potential breaches.
Areas of concern: Insider Threat; Compliance; Defense in Depth
![Page 8: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/8.jpg)
Solving Event Overload - Today
![Page 9: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/9.jpg)
Data Analysis Components
Intelligence
• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
— Rule-based Correlation
— Statistical Correlation
• Advanced Analytics
— Pattern Detection
![Page 10: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/10.jpg)
Event Normalization and Categorization
Sample Raw PIX Events:
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
Normalization and Categorization (field mapping shown graphically on the slide) of:
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
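As an added illustration of the normalization and categorization step (this code is not from the talk or from ArcSight), the following Python parses the four sample PIX lines above into one common field set and tags each with a category and outcome. The per-message-id patterns, the field names and the category labels are assumptions made for this example; a real collector would carry a far larger pattern table.

```python
import re
from datetime import datetime

# The four raw PIX lines from the slide (addresses were randomized by the author).
SAMPLE = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

# Header shared by every PIX syslog line: timestamp, severity digit, six-digit message id, body.
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# "interface:ip/port" or plain "ip/port"; separate group names for source and destination.
SRC = r"(?:\w+:)?(?P<sip>[\d.]+)/(?P<sport>\d+)"
DST = r"(?:\w+:)?(?P<dip>[\d.]+)/(?P<dport>\d+)"

# One body pattern per message id that appears in the sample; other ids stay unparsed.
BODY = {
    "106011": re.compile(r"Deny inbound \(No xlate\) (?P<proto>\w+) src " + SRC + r" dst " + DST),
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from " + SRC + r" to " + DST
                         + r" flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from " + SRC + r" to " + DST),
    "302013": re.compile(r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection (?P<conn>\d+) for "
                         + SRC + r" \([\d.]+/\d+\) to " + DST + r" \([\d.]+/\d+\)"),
}

# Categorization: message id -> (category, outcome). This taxonomy is an assumption
# made for the example, not ArcSight's.
CATEGORY = {
    "106011": ("Firewall/Access", "Deny"),
    "106015": ("Firewall/Access", "Deny"),
    "305011": ("Firewall/NAT", "Success"),
    "302013": ("Firewall/Connection", "Success"),
}

def normalize(line):
    """Map one raw PIX line onto the common field set; return None if unrecognised."""
    m = HEADER.match(line)
    if not m:
        return None
    msgid = m.group("msgid")
    pattern = BODY.get(msgid)
    bm = pattern.match(m.group("body")) if pattern else None
    if bm is None:
        return None
    category, outcome = CATEGORY[msgid]
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "device_severity": int(m.group("sev")),
        "message_id": msgid,
        "protocol": bm.group("proto").lower(),
        "src_ip": bm.group("sip"), "src_port": int(bm.group("sport")),
        "dst_ip": bm.group("dip"), "dst_port": int(bm.group("dport")),
        "category": category, "outcome": outcome,
    }

def normalize_all(lines):
    """Normalize a batch of lines, skipping any that no pattern covers."""
    return [e for e in map(normalize, lines) if e is not None]

if __name__ == "__main__":
    for e in normalize_all(SAMPLE):
        print(e["time"], e["category"], e["outcome"], e["protocol"],
              f'{e["src_ip"]}:{e["src_port"]} -> {e["dst_ip"]}:{e["dst_port"]}')
```

The point of the two-level design is that every downstream component (prioritization, correlation, the graphs later in the talk) reads `category`/`outcome` and the address fields, never the vendor text, so a second firewall vendor only adds entries to the pattern and category tables.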
![Page 11: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/11.jpg)
Risk-based Prioritization
Event sources: Windows Systems; Unix/Linux/AIX/Solaris; Security Devices; Mainframe & Apps; Databases
Flow: Agents → Event Collector → Prioritized Event
Context fed in through Agents: Vulnerability Scanner, Asset Information
Priority factors: Model Confidence, Relevance, Severity, Asset Criticality, Agent Severity
![Page 12: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/12.jpg)
Event Correlation
• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules
or analyze statistical properties of event streams
—Across devices
—Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
—Can use priorities of individual events
![Page 13: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/13.jpg)
Four Types of Real-time Correlation
• Simple Event Match
— Failed logins on Windows systems, failed logins on UNIX systems → 5 or more failed logins in a minute from same source → Attempted Brute Force Attack
• Complex Multi-Event Match
— Attempted Brute Force Attack + Successful login to Windows systems
![Page 14: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/14.jpg)
Four Types of Real-time Correlation (continued)
• Statistical
— Mathematical model
— Example: traffic per port going to 10.0.0.2; 50% increase in traffic per port and machine?
• Stateful
— Manual population of a list (user, jdoe, ram, …)
— Example: login attempt from user ram → user on terminated employee list tries to login
The four types: Simple, Complex Correlation, Statistical, Stateful
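The four correlation types from this slide and the previous one, worked through as an added example (not code from the talk or from any ESM product): a simple threshold match for the brute-force rule, a complex multi-event match for brute force followed by a successful login, a stateful match against the manually populated terminated-user list, and a statistical check for a 50% traffic increase per destination and port. The events, their field names and the addresses are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2005, 6, 2, 12, 16, 0)

def ev(sec, category, outcome=None, src=None, user=None, dst=None, port=None, nbytes=0):
    """One already-normalized event; the field names are an assumption made for this example."""
    return {"time": T0 + timedelta(seconds=sec), "category": category, "outcome": outcome,
            "src": src, "user": user, "dst": dst, "port": port, "bytes": nbytes}

# Stateful list populated by hand (the terminated-employee list on the slide).
TERMINATED = {"user", "jdoe", "ram"}

class Correlator:
    """Simple, complex and stateful matches evaluated as events stream in."""

    def __init__(self, threshold=5, window=timedelta(minutes=1)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)   # src -> timestamps of recent failed logins
        self.brute_force = set()             # sources that already tripped the simple rule
        self.alerts = []

    def process(self, e):
        if e["category"] != "Login":
            return
        self._stateful(e)
        if e["outcome"] == "Failure":
            self._simple(e)
        elif e["outcome"] == "Success":
            self._complex(e)

    def _simple(self, e):
        """Simple event match: 5 or more failed logins in a minute from the same source."""
        q = self.failures[e["src"]]
        q.append(e["time"])
        while e["time"] - q[0] > self.window:      # slide the one-minute window
            q.popleft()
        if len(q) >= self.threshold and e["src"] not in self.brute_force:
            self.brute_force.add(e["src"])
            self.alerts.append(("Attempted Brute Force Attack", e["src"]))

    def _complex(self, e):
        """Complex multi-event match: a brute-force alert followed by a successful login."""
        if e["src"] in self.brute_force:
            self.alerts.append(("Attempted Brute Force Attack + Successful Login", e["src"]))

    def _stateful(self, e):
        """Stateful match: the user is on the manually maintained terminated list."""
        if e["user"] in TERMINATED:
            self.alerts.append(("User on terminated employee list tries to login", e["user"]))

def statistical(events, split, increase=0.5):
    """Statistical model: (dst, port) pairs whose byte count rose by 50% or more after `split`."""
    before, after = defaultdict(int), defaultdict(int)
    for e in events:
        if e["category"] == "Traffic":
            bucket = before if e["time"] < split else after
            bucket[(e["dst"], e["port"])] += e["bytes"]
    return sorted(k for k in after if before[k] and after[k] >= (1 + increase) * before[k])

# Constructed sample stream: a brute force that succeeds, a terminated user, and
# traffic to 10.0.0.2 that doubles on port 80 but stays flat on port 443.
SAMPLE = (
    [ev(5 * i, "Login", "Failure", src="10.50.215.102", user="admin") for i in range(5)]
    + [ev(40, "Login", "Success", src="10.50.215.102", user="admin"),
       ev(50, "Login", "Failure", src="10.50.107.51", user="ram")]
    + [ev(s, "Traffic", dst="10.0.0.2", port=80, nbytes=1000) for s in (0, 10, 20)]
    + [ev(s, "Traffic", dst="10.0.0.2", port=80, nbytes=2000) for s in (60, 70, 80)]
    + [ev(s, "Traffic", dst="10.0.0.2", port=443, nbytes=500) for s in (0, 60)]
)

def run(events=SAMPLE):
    c = Correlator()
    for e in sorted(events, key=lambda e: e["time"]):
        c.process(e)
    return c.alerts, statistical(events, T0 + timedelta(seconds=30))

if __name__ == "__main__":
    alerts, spikes = run()
    for a in alerts:
        print(*a)
    print("traffic spikes:", spikes)
```

The complex match is only as good as the state the simple rule leaves behind, which is why `brute_force` is keyed on the source and never expires here; a production rule would age that state out, and the statistical baseline would be a rolling window rather than a fixed split.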
![Page 15: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/15.jpg)
Advanced Analytics - Pattern Detection
• Automatically detect repetitive event patterns
• Capability to detect new worms, malware, system misconfigurations, etc.
• Automatically create correlation rules to flag new occurrences of attack
Detected pattern (Name / Device Product):
— NETBIOS DCERPC Activation little endian bind attempting (Snort)
— NETBIOS DCERPC System Activity path overflow attempt little endian unicode (Snort)
— Tagged Packet (Snort)
— SHELLCODE x86 NOOP (Snort)
— NETBIOS DCERPC Remote activity bind attempt (Snort)
![Page 16: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/16.jpg)
Visual Security Event Analysis
![Page 17: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/17.jpg)
Why a Visual Approach Helps
A picture tells more than a thousand log lines
![Page 18: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/18.jpg)
Visual Approach – Benefits I
• Multiple views on the same data
![Page 19: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/19.jpg)
Visual Approach – Benefits II
• Selection and drill-down
• Color by different properties
![Page 20: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/20.jpg)
Three Aspects of Visual Security Event Analysis
• Situational Awareness
— What is happening in a specific business area (e.g., compliance monitoring)
— What is happening on a specific network
— What are certain servers doing
• Real-Time Monitoring and Incident Response
— Capture important activities and take action
— Event Workflow
— Collaboration
• Forensic and Historic Investigation
— Selecting arbitrary set of events for investigation
— Understanding big picture
— Analyzing relationships - Exploration
— Reporting
![Page 21: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/21.jpg)
Situational Awareness
![Page 22: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/22.jpg)
Instant Awareness
![Page 23: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/23.jpg)
Event Graph Dashboard
![Page 24: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/24.jpg)
MMS CDRs: From Phone #, To Phone #, MSG Type
![Page 25: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/25.jpg)
Geo Spatial Visualization
![Page 26: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/26.jpg)
Real-time Monitoring
![Page 27: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/27.jpg)
Real-time Monitoring – Detect Activity
![Page 28: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/28.jpg)
Analysis Process
Steps in the diagram: Real-time Data Processing; Visual Detection; Visual Investigation; Assign to 2nd Level Analysis; Assign Ticket for Operations; Creation of new Filters and Correlation Components; Forensic and Historical Analysis; Automatic Action / Automatic Remediation
![Page 29: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/29.jpg)
Beginning of Analyst’s shift
Visual Detection and Investigation
![Page 30: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/30.jpg)
Visual Detection
Scan Events
Firewall Blocks
Scanning activity is displayed
![Page 31: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/31.jpg)
Visual Investigation
![Page 32: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/32.jpg)
Define New Correlation Rules and Filters
1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
2. Filter: internal machines on white-list connecting to active directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
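The three steps above, implemented as an added example (not the talk's or ArcSight's code): the rule counts firewall drops per external-to-internal pair and fires above 20, the filter hides white-listed internal machines talking to the active directory servers so they stop cluttering the analyst's view, and the last step turns each rule hit into a ticket for Operations. The internal address range, the AD server and white-list addresses, and the event records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed network layout for this example (not from the talk).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AD_SERVERS = {"10.0.0.5", "10.0.0.6"}          # active directory servers
WHITELIST = {"10.0.1.20", "10.0.1.21"}         # internal machines allowed to reach them

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def apply_filter(events):
    """Step 2 (filter): hide white-listed internal machines connecting to AD servers."""
    return [e for e in events if not (e["src"] in WHITELIST and e["dst"] in AD_SERVERS)]

def drop_rule(events, threshold=20):
    """Step 1 (rule): more than `threshold` firewall drops from one external to one internal machine."""
    counts = Counter(
        (e["src"], e["dst"]) for e in events
        if e["category"] == "Firewall/Access" and e["outcome"] == "Deny"
        and not is_internal(e["src"]) and is_internal(e["dst"])
    )
    return sorted(pair for pair, n in counts.items() if n > threshold)

def open_ticket(pair):
    """Step 3: ticket for Operations to quarantine and clean the affected internal machine."""
    src, dst = pair
    return {"queue": "Operations", "action": "quarantine and clean",
            "host": dst, "evidence": f"more than 20 firewall drops from {src}"}

def fw(src, dst, outcome="Deny", category="Firewall/Access"):
    """Minimal normalized firewall event (field names assumed for this example)."""
    return {"src": src, "dst": dst, "outcome": outcome, "category": category}

# Constructed sample: one noisy external source, one quiet one, and AD traffic from inside.
SAMPLE = (
    [fw("66.1.2.3", "10.0.0.7")] * 25
    + [fw("66.1.2.4", "10.0.0.7")] * 3
    + [fw("10.0.1.20", "10.0.0.5", outcome="Accept")] * 10   # white-listed, filtered from view
    + [fw("10.0.1.99", "10.0.0.5", outcome="Accept")] * 2    # not white-listed, stays visible
)

def run(events=SAMPLE):
    visible = apply_filter(events)          # what the analyst's graph still shows
    hits = drop_rule(events)                # the rule runs on the full stream
    return visible, hits, [open_ticket(h) for h in hits]

if __name__ == "__main__":
    visible, hits, tickets = run()
    print(len(visible), "events left after filtering;", len(hits), "rule hits")
    for t in tickets:
        print(t)
```

Note that the rule is evaluated on the unfiltered stream: the filter exists to reduce what the analyst looks at, and a display filter should never silently narrow what a correlation rule can see.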
![Page 33: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/33.jpg)
Real-time Analysis - Summary
• Benefits of Visual Analysis
— Visually driven process for investigating events
— Visual investigation helps
• get a quick turn-around
• detect new and previously unknown patterns (i.e. incidents)
— Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
![Page 34: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/34.jpg)
Forensic and Historical Analysis
![Page 35: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/35.jpg)
Forensic and Historical Investigation
• Three Areas of Concern
— Defense in Depth
— Insider Threat
— Compliance
![Page 36: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/36.jpg)
Defense In Depth - Port Scan Detection
![Page 37: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/37.jpg)
Analysis - Port Scan?
![Page 38: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/38.jpg)
Insider Threat – User Reporting
High ratio of failed logins
![Page 39: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/39.jpg)
Insider Threat - Email Problems
Graph axes: To, Delay; legend: 2:00 < Delay < 10:00, Delay > 10:00
![Page 40: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/40.jpg)
Compliance – Business Reporting
• Attacks targeting internal systems
• Attacks on Revenue Generating Systems
![Page 41: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/41.jpg)
Compliance - Business Reporting
![Page 42: RSA 2006 - Visual Security Event Analysis](https://reader038.fdocuments.net/reader038/viewer/2022103013/542064607bef0af7078b4f77/html5/thumbnails/42.jpg)
Summary
Detect the expected
& discover the unexpected
Make better decisions
Reduce analysis and response times