Presentation Title Size 30PT

1 / 50

About This Presentation

Title:

Presentation Title Size 30PT

Description:

Presentation Title Size 30PT – PowerPoint PPT presentation

Number of Views:36

Avg rating:3.0/5.0

Slides: 51

Provided by: cisc88

more less

Transcript and Presenter's Notes

Title: Presentation Title Size 30PT

1
Security Information Management (SIM) Technology
Brief
Ken Kaminski Cisco Systems Security Architect
Northeast US CISSP, GCIA
2
Agenda

Threat Economy Driving Change
Security Information Management and Log
Consolidation Two sides of the coin
Network Behavior Analysis
An Intrusion Prevention Grid Tying it all
Together
QA

3
Threat Economy Driving Change
4
Threat Economy Historic Attacker Motivations
End Value
Writers
Asset
Tool and Toolkit Writers
Fame
Compromise Individual Host or Application
Theft
Malware Writers
Espionage (Corporate/ Government)
Worms
Compromise Environment
Viruses
Trojans
Take Away Fame was by far the dominant motivator
5
Threat Economy Today
Second Stage Abusers
First Stage Abusers
Writers
Middle Men
End Value
Tool and Toolkit Writers
Hacker/Direct Attack
Fame
Compromised Host and Application
Theft
Espionage (Corporate/ Government)
Malware Writers
Extortionist/ DDoS-for-Hire
Machine Harvesting
Bot-Net Creation
Worms
Extorted Pay-Offs
Spammer
Bot-Net Management For Rent, for Lease, for Sale
Viruses
Commercial Sales
Trojans
Phisher
Fraudulent Sales
Information Harvesting
Personal Information
Spyware
Pharmer/DNS Poisoning
Advertising Revenue
Information Brokerage
Financial Fraud
Identity Theft
Internal Theft Abuse of Privilege
Electronic IP Leakage
Take Away 2 Multiple methods to achieve goal
Take Away 1 For-Profit end values
Take Away 3 Sustainable economy, resilient to
shocks
6
Security Information Management (SIM) and Log
Consolidation Two sides of the Coin
7
Security Information Management

Definition SIM refers to the collection of data
into a central repository for analysis and
correlation, reduce the number of security events
to a manageable and actionable list, automating
analysis such that real attacks and intruders can
be discerned.

Different terms exist SIM Security Information
Management SEM Security Event Management SIEM
Security Information and Event Management
Gartner Group, Made up of SIM and SEM
Depending on the company or vendor could be used
in different way. There is no official
definition for each of them
8
Security Information Management

Multivendor Security Event Management
analyze/correlate events Security devices (incl.
Firewalls, IPS, HIPS, AV, VPN/SSL, etc.) and
Network devices
Primary driver near real-time threat management
to improve security incident response to internal
and external threats
Solves the problem of coordinating information
from multiple logging silos (i.e. firewalls, IPS,
HIPS, AV, Network, etc.)
IT SecOps Security Analysts in SOC
Large Enterprises First line of defense to be
followed up with advanced forensics
tools/analysis in response to security incidents
Primary Funding IT Security and Threat
Management sources

9
FW/NIDS Syslog Internal Threat Information
Resource
?
Log/Alert
10
Log Consolidation and Management

Primary focus on Host and Application Log
Management
Secondary focus on SIM capabilities
Primary drivers Regulatory , internal IT policy,
contract compliance
IT Security, Audit, Compliance groups
Critical watch actions of authorized users on
servers
Today Log Aggregation requirements trump SIM for
funding

11
Security Information Management

A SIM consists of at least 5 major elements
Log consolidation
Event Normalization
Threat correlation
Incident management
Reporting

Compliance is often an orthogonal process to
correlation
12
Log Consolidation

A defense in depth strategy utilizes multiple
devices
Firewalls, NIPS, HIPS, AV, AAA, VPN, Application
Events, OS Logs

Need to consolidate and normalize similar events
from multiple vendors
Unique SIM event database for all different input
Universal SYSLOG support
AAA
13
Aggregation

Aggregation means
Hold in Memory and remove duplicates
Longer the hold, longer the delay away from
real-time
How many messages did I see from the same type
within the time-out window ? store one event in
the DB witha counter
Time-out value can be adjusted as needed
Average aggregation saves 75 disk space
Increasingly duplicate events are being
aggregated on end devices (ex. Firewalls)

14
Normalization

Security monitoring environment is multi-vendor
Events from different devices and vendors have
different formats
Need to compare similarnormalizedevents from
multiple vendors apples-to-apples

IIS
15
Log Consolidation/Normalization Example
Sasser Worm from an IDS and vulnerability
perspective (small portion)
MARS ID1911301
16
Two Formats Raw and Filtered

Early SIM vendors altered raw logs in order to
help inserting events into the database
technology speed issues
Focused on Correlation at the expense of
forensics and legal requirements where altered
data is a problem
Most modern SIM products store raw logs separate
and concurrent with filtered and processed data
which lives in the database

17
Event Sources

Primary syslog
Windows 1. Snare Agent for syslog
2. Proprietary Agent
3. Clientless Native Pull - Netbios
Non-syslog Checkpoint Firewalls LEA
Some NIDS/NIPS SDEE
Vulnerability Assessment vendors
AS/400 and Mainframes flat files
Databases ODBC and SQL Queries

18
Event Sources cont.

Focus on servers and applications not
workstations due to device count, licensing, and
scalability issues
Network Admission Control devices
Authentications sources AD, LDAP, Novell,
Radius, local accounts
Network devices routers, switches, Wireless APs
and Controllers, Remote Access VPN/SSL devices

19
Threat Correlation

Need to build the history of an attack.

A good SIM needs to use a mixture of different
correlation types
Event based X on Y (vulnerable) gt A
Rule based XYZ gt A
Anomaly based deviation from the norm
Risk based attack disruptive and target
critical and reporting device trustworthy gt
escalate

20
Threat Correlation Rule Based (II)
21
Threat Correlation - Example (III)
Correlation can only be a good as the data fed to
the SIM system
Probe
Penetrate
Propagate
22
Threat Correlation Post Incident Analysis (IV)

Post incident analysis to adjust incident
severity based on context
Did the attack reach destination?
Is the victim vulnerable?
How important is the victim system?
Further events indicated a possible compromise?

High
Medium
Analysis can be static or dynamic
23
Incident Management

Use defined playbooks and escalation procedures
What happens after a threat is identified?
Notification email, pagers, informs to
enterprise
Managers (MOM, HP Openview)
Trouble Ticket Creation (via XML)
Automated responses execution of scripts
Response and Remediation logging

24
Reporting

Short term threat correlation needs real time
data
Long term forensic queries need a database built
for capacity, with file management and
compression tools for a capacity at a minimum of
18 months (often more)

Best practice Use different engine for each
functionality
25
Real Time Reporting
10.1.1.10 Is Generating an Attack, Tell Me More

In a Few Clicks You Can See

Details for a device

Destination reached by 10.1.1.10

The sessions for the destination of interest

Or any other information you might be interested
in

26
Trending Reports
27
SIM Vendor Architecture

Appliances integrated database, often on
customized Linux kernel on standard hardware
Software integrated by user or vendor on
seperately purchased hardware
1. Collectors agents on devices or
pre- processors on servers
2. Threat Analysis Engine real-time
correlation
3. Database Log Manager for raw logs and
filtered data
4. Console

28
Security Threat Management (STM)

Refers to the ability to not only analyze and
correlate data sources as SIM can, but come up
with actual solutions for the operator to choose
from
Network Topology awareness and configuration
channels often required into Switches, Routers,
Firewalls
Solves the NAT/PAT problem to track NATed outside
user from internal NAT address to external ip
address. SIM cannot do this.

29
Topology Awareness

Full visibility of the network
Capacity of reconstruct sessions and their path
ONLY visibility allows mitigation suggestion

30
Events per Second (EPS)

EPS are calculated based on two variables
Database insertion rate write to Relational DB
Commercial 5,000-6,000 eps
Custom Maximized 15,000 eps
Insertion rate dependancies on application
writing to it
Short term aggregation setup

31
Correlation What about Flat Files vs. Relational
Dbase?

Claims to 100,000 eps
Downsides
Low Reliability and Integrity
Low Security
Limited Data Structuring not feasible to create
relationships within or between files
Relational Databases remain the favored approach

32
Custom Embedded RAM Databases

Dept of Energy -gt NitroSecurity Database custom
database optimized for security logs. Faster than
Relational database order of 1-2x
Embedded RAM Databases very fast but limited to
size of RAM

33
Scale

To scale beyond an appliance Distributed and
Multi-tier Model
Adds significant overall costs software loaded
on multiple server platforms
Database still limited by database insertion
rate. A device capable of rates seen in very
large enterprises does not exist today
These are always very costly solutions price
for software/hardware and operational/installation

34
Case for Separate Log Consolidation and SIM?

A case can be made for separating Log
Consolidation and SIM in large enterprises based
on volume of events from all possible sources
(network and security devices, servers,
applications, VA) vs. the ability of one system
to keep up.
Small to Medium sized enterprises might find both
functions in a single vendor
Most Large Enterprises are unhappy with their
current SIM solution.
Large Enterprises generate huge volumes of events
SIMs have scaling issues related primarily to
the rate events can be written into a database.
5-10 Gbps Firewalls will change the landscape
Logging will be a huge issue Testing at 6.1
GB of traffic had 71,000 conns/sec. Current SIM
technology cannot handle these rates
Log Consolidation vendors can handle the scale
and do better meeting compliance and forensics
requirements

35
Recent Shift in Analyst Community

Reality check they once recommended a god-box
that does SIM and Log Consolidation
No vendor can do both well either lean one way
or the other
Organizational requirements evolve faster than
any vendor can keep up with
Keeping up with multivendor support alone is a
huge challenge support is per vendor product
and version release
Separation of duties one vendor for SIM and one
for Log Consolidation

36
A Tiered approach to a complicated solution
Tier 1 Log Consolidation
Tier 2 SIM
Tier 3 Event Manager
Log Aggregation Data Storage Raw Log
Analysis Data Mining
Policy Enforcement Incident Mngmt
Normalization Correlation
Enterprise Event Management Ticketing
Remediation Case Management
37
An Expandable Architecture
HPOV, Tivoli, NetMon Sys
Log Consolidator
SIM
Tier 1
Tier 3
Tier 2
Raw Log Data
Trouble Ticketing
Correlation
Storage HA
Case Management
NBAD - perhaps
Data Mining
Paging - Alerting
Security Policy Enforcement
Forensic Apps
Adv. Reporting
Reporting
Special Apps
Incident Forensics
False Positive Analysis
38
Benefits to a 3 Tier Solution

No codependency. One vendor trying to meet all
your needs, expensive and limited to their
capabilities
No single point of failure HA, long term
storage
Better work flow for multiple internal
organizations, separation of responsibilities,
utilize existing apps
Choices, best of breed in all 3 tiers, no single
point of vulnerability
More.

39
Final Thoughts

SIM large investment in time and money
Critical custom parsers, custom rules, and
custom reports one size does not fit all
As the size of the enterprise increases so does
the need for a separate SIM and Log Consolidation
solution
SIM cannot handle the rates of 5-10 Gbps
Firewalls see a shift in this data to Netflow
like formats which can handle these rates
As the size of the enterprise increases so the
need for a separate Network Behavior Analysis
(NBA) solution vs a hybrid SIM/NBA next topic

40
Network Behavioral Analysis (NBA)
41
What Is Meant by Telemetry?
Telemetryn. The science and technology of
automatic measurement and transmission of data by
wire, radio, or other means from remote sources,
as from space vehicles, to receiving stations for
recording and analysis.
Source The American Heritage Dictionary of the
English Language, Fourth Edition
42
Network Telemetry

Network telemetry offers extensive and useful
detection capabilities
This telemetry is often coupled with dedicated
analysis systems to collect, trend, and correlate
observed activity
There are several forms of telemetry available
from routers, switches, and other network devices
Cisco Netflow, Jflow (Juniper), and Netstream
(Huawei)
Although initially implemented by Cisco, NetFlow
is emerging as an IETF standard Internet
Protocol Flow Information eXport (IPFIX). Based
on the NetFlow Version 9 implementation, IPFIX is
going to be the industry standard in the very
near future. Network infrastructure vendors,
including Nortel Networks and others, are already
adding IPFIX support to their enterprise switches
and routers.
There are a number of open source and commercial
tools available which greatly enhance the utility
of network telemetry

43
Key Concept NetFlow Scalability

Packet capture is like a wiretap
NetFlow is like a phone bill
This level of granularity allows NetFlow to scale
for very large amounts of traffic
We can learn a lot from studying the phone bill
Whos talking to whom, over what protocols and
ports, for how long, at what speed, for
whatduration, etc.
NetFlow is a form of telemetry pushed from the
routers/switches each one can be a sensor

44
Network Behavior Analysis (NBA)

Visibility into network activity for the purposes
of security and operations
Focus Network Opsec not InfoSec
Last line of defense after Firewalls, IPS, SIM
Network Telemetry data Netflow, DNS, BGP, SNMP,
RMON, Packet Capture, AAA, Syslog anomaly
detection technology
Tension Security wants real-time analysis vs
operations wants performance and capacity
measurement and planning (Crannog, NetScout,
NetQos, Netuitive, OPNet). Market has vendors in
each of these
Gartner Group 2010 these two will be one market

45
NBA Anomaly Detection

Statistical Anomaly Detection baseline of
network traffic (pps/bps, connections, packet
size distro, etc.).
Behavioral Anomaly Detection Comms relationship
modeling who talks to who? Domain of Pure Play
NBA vendors

46
NetFlow Threat Detection Algorithmic Analysis
Concern Index
47
NBA