1 Security Information Management (SIM) Technology Brief
Ken Kaminski, Cisco Systems Security Architect, Northeast US, CISSP, GCIA
2 Agenda
- Threat Economy Driving Change
- Security Information Management and Log Consolidation: Two Sides of the Coin
- Network Behavior Analysis
- An Intrusion Prevention Grid: Tying It All Together
- Q&A
3 Threat Economy Driving Change
4 Threat Economy: Historic Attacker Motivations
[Diagram: three columns, Writers -> Asset -> End Value]
- Writers: tool and toolkit writers; malware writers (worms, viruses, Trojans)
- Asset: compromise an individual host or application; compromise the environment
- End value: fame; theft; espionage (corporate/government)
Take Away: Fame was by far the dominant motivator
5 Threat Economy Today
[Diagram: five columns, Writers -> First Stage Abusers -> Middle Men -> Second Stage Abusers -> End Value]
- Writers: tool and toolkit writers; malware writers (worms, viruses, Trojans, spyware)
- First stage abusers: hacker/direct attack; machine harvesting; information harvesting; internal theft/abuse of privilege
- Middle men: compromised hosts and applications; bot-net creation; bot-net management (for rent, for lease, for sale); personal information; information brokerage; electronic IP leakage
- Second stage abusers: extortionist/DDoS-for-hire; spammer; phisher; pharmer/DNS poisoning; identity theft
- End value: fame; theft; espionage (corporate/government); extorted pay-offs; commercial sales; fraudulent sales; advertising revenue; financial fraud
Take Away 1: For-profit end values
Take Away 2: Multiple methods to achieve the goal
Take Away 3: A sustainable economy, resilient to shocks
6 Security Information Management (SIM) and Log Consolidation: Two Sides of the Coin
7 Security Information Management
- Definition: SIM refers to the collection of security data into a central repository for analysis and correlation, reducing the number of security events to a manageable and actionable list and automating analysis so that real attacks and intruders can be discerned.
- Different terms exist: SIM (Security Information Management), SEM (Security Event Management), and SIEM (Security Information and Event Management; Gartner Group's term, made up of SIM and SEM).
- Depending on the company or vendor, the terms are used in different ways. There is no official definition for any of them.
8 Security Information Management
- Multi-vendor security event management: analyze and correlate events from security devices (firewalls, IPS, HIPS, AV, VPN/SSL, etc.) and network devices
- Primary driver: near real-time threat management to improve security incident response to internal and external threats
- Solves the problem of coordinating information from multiple logging silos (firewalls, IPS, HIPS, AV, network, etc.)
- Users: IT SecOps, security analysts in the SOC
- In large enterprises it is the first line of defense, to be followed up with advanced forensics tools and analysis in response to security incidents
- Primary funding: IT security and threat management sources
9 [Diagram: FW/NIDS syslog and an internal threat information resource feed logs and alerts into the SIM]
10 Log Consolidation and Management
- Primary focus: host and application log management
- Secondary focus: SIM capabilities
- Primary drivers: regulatory, internal IT policy, and contract compliance
- Users: IT security, audit, and compliance groups
- Critical: watch the actions of authorized users on servers
- Today, log aggregation requirements trump SIM for funding
11 Security Information Management
- A SIM consists of at least 5 major elements:
  - Log consolidation
  - Event normalization
  - Threat correlation
  - Incident management
  - Reporting
- Compliance is often an orthogonal process to correlation
12 Log Consolidation
- A defense-in-depth strategy utilizes multiple devices: firewalls, NIPS, HIPS, AV, AAA, VPN, application events, OS logs
- Need to consolidate and normalize similar events from multiple vendors
- Unique SIM event database for all the different inputs
- Universal syslog support
13 Aggregation
- Aggregation means: hold events in memory and remove duplicates
- The longer the hold, the further away from real time
- How many messages of the same type did I see within the time-out window? Store one event in the DB with a counter
- The time-out value can be adjusted as needed
- Average aggregation saves 75% of disk space
- Increasingly, duplicate events are being aggregated on the end devices themselves (e.g. firewalls)
14 Normalization
- The security monitoring environment is multi-vendor
- Events from different devices and vendors have different formats
- Need to compare similar (normalized) events from multiple vendors apples-to-apples
[Diagram: example events from different sources, including IIS]
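As an added example (not code from the presentation or from any vendor's product), the following Python shows the three mechanics the aggregation, normalization, and raw/filtered slides describe working together: two constructed sensor formats (a firewall deny line and an IDS alert; the formats, device names, and signature number are made up for the example) are parsed onto one common schema, the raw line and its SHA-256 are carried along so the unaltered record survives for forensics, and duplicates inside a time-out window collapse into one record with a counter.

```python
import hashlib
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample lines in the style of two different sensors (not real
# vendor formats): a firewall reporting denied connections, and an IDS raising
# the same probe as an alert.
RAW_LOG = """\
2024-03-04T10:00:00Z fw01 DENY tcp src=203.0.113.7:4411 dst=10.1.1.10:445
2024-03-04T10:00:01Z ids01 ALERT sig=2001 "NETBIOS SMB probe" 203.0.113.7 -> 10.1.1.10:445
2024-03-04T10:00:02Z fw01 DENY tcp src=203.0.113.7:4412 dst=10.1.1.10:445
2024-03-04T10:00:03Z fw01 DENY tcp src=203.0.113.7:4413 dst=10.1.1.10:445
2024-03-04T10:00:45Z ids01 ALERT sig=2001 "NETBIOS SMB probe" 203.0.113.7 -> 10.1.1.10:445
2024-03-04T10:02:30Z fw01 DENY tcp src=203.0.113.7:4414 dst=10.1.1.10:445
"""

# One parser per source format; each maps onto the same normalized schema.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|PERMIT) (?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")
IDS_RE = re.compile(
    r'^(?P<ts>\S+) (?P<dev>\S+) ALERT sig=(?P<sig>\d+) "(?P<msg>[^"]*)" '
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def normalize(line):
    """Map one raw line from either sensor onto the common schema.
    The raw line and its SHA-256 travel with the normalized record so the
    unaltered text is still available for forensics after processing."""
    m = FW_RE.match(line)
    if m:
        d = m.groupdict()
        event_type = "firewall_deny" if d["action"] == "DENY" else "firewall_permit"
        signature = None
    else:
        m = IDS_RE.match(line)
        if not m:
            return None  # unknown format: caller counts it as unparsed
        d = m.groupdict()
        event_type, signature = "ids_alert", d["sig"]
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "device": d["dev"],
        "event_type": event_type,
        "src_ip": d["src"],
        "dst_ip": d["dst"],
        "dst_port": int(d["dport"]),
        "signature": signature,
        "raw": line,
        "raw_sha256": hashlib.sha256(line.encode()).hexdigest(),
    }


def aggregate(events, window_seconds=60):
    """Hold events in memory and collapse duplicates seen inside the time-out
    window into one record with a counter. The duplicate key leaves out the
    source port on purpose so a scan from rotating ephemeral ports collapses.
    The hash of every collapsed raw line is kept on the record."""
    window = timedelta(seconds=window_seconds)
    open_buckets = OrderedDict()  # key -> record whose window is still open
    stored = []                   # records flushed to the (simulated) event DB
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["device"], e["event_type"], e["src_ip"], e["dst_ip"],
               e["dst_port"], e["signature"])
        rec = open_buckets.get(key)
        if rec is not None and e["ts"] - rec["first_seen"] <= window:
            rec["count"] += 1
            rec["last_seen"] = e["ts"]
            rec["raw_sha256s"].append(e["raw_sha256"])
            continue
        if rec is not None:  # window expired: flush it and open a new one
            stored.append(open_buckets.pop(key))
        rec = {k: e[k] for k in ("device", "event_type", "src_ip", "dst_ip",
                                 "dst_port", "signature")}
        rec.update(first_seen=e["ts"], last_seen=e["ts"], count=1,
                   raw_sha256s=[e["raw_sha256"]])
        open_buckets[key] = rec
    stored.extend(open_buckets.values())
    return stored


def process(raw_text, window_seconds=60):
    """Normalize every parseable line, then aggregate; returns stored records."""
    events = [e for e in (normalize(l) for l in raw_text.splitlines()) if e]
    return aggregate(events, window_seconds)


if __name__ == "__main__":
    for r in process(RAW_LOG):
        print(r["device"], r["event_type"], r["src_ip"], "->", r["dst_ip"],
              r["dst_port"], "count=%d" % r["count"])
```

With the default 60-second window the six constructed lines become three stored records (three firewall denies collapsed into one, two IDS alerts into one, and a fourth deny that fell outside the window opens a fresh record); widening the window to 600 seconds collapses them to two, which is the real-time-versus-disk trade-off the aggregation slide describes.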
15 Log Consolidation/Normalization Example
- Sasser worm from an IDS and vulnerability perspective (small portion)
- MARS ID 1911301
16 Two Formats: Raw and Filtered
- Early SIM vendors altered raw logs in order to help insert events into the database (database technology speed issues)
- This focused on correlation at the expense of forensics and legal requirements, where altered data is a problem
- Most modern SIM products store raw logs separately and concurrently with the filtered and processed data, which lives in the database
17 Event Sources
- Primary: syslog
- Windows: 1. Snare agent for syslog; 2. proprietary agent; 3. clientless native pull (NetBIOS)
- Non-syslog: Check Point firewalls (LEA)
- Some NIDS/NIPS: SDEE
- Vulnerability assessment vendors
- AS/400 and mainframes: flat files
- Databases: ODBC and SQL queries
18 Event Sources (cont.)
- Focus on servers and applications, not workstations, due to device count, licensing, and scalability issues
- Network Admission Control devices
- Authentication sources: AD, LDAP, Novell, RADIUS, local accounts
- Network devices: routers, switches, wireless APs and controllers, remote access VPN/SSL devices
19 Threat Correlation
- Need to build the history of an attack
- A good SIM needs to use a mixture of different correlation types:
  - Event based: X on Y (vulnerable) => A
  - Rule based: X + Y + Z => A
  - Anomaly based: deviation from the norm
  - Risk based: attack disruptive AND target critical AND reporting device trustworthy => escalate
20 Threat Correlation: Rule Based (II)
21 Threat Correlation: Example (III)
- Correlation can only be as good as the data fed to the SIM system
[Diagram: attack stages Probe -> Penetrate -> Propagate]
22 Threat Correlation: Post Incident Analysis (IV)
- Post incident analysis adjusts incident severity based on context:
  - Did the attack reach its destination?
  - Is the victim vulnerable?
  - How important is the victim system?
  - Do further events indicate a possible compromise?
- Analysis can be static or dynamic
[Diagram: severity adjusted between High and Medium]
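The correlation types from slide 19, the Probe -> Penetrate -> Propagate chain of slide 21, and the four post-incident context questions of slide 22 can be seen side by side in the following added Python example (it is not code from the presentation or from any SIM product). The asset inventory, device trust weights, signature IDs, vulnerability label and the five already-normalized events are all constructed for the example; the numeric weights are illustrative choices, not a published scoring scheme.

```python
from datetime import datetime, timedelta

# Assumed context a SIM keeps beside the event stream (constructed data):
# asset inventory with imported vulnerability-assessment results, how far each
# reporting device is trusted, and which vulnerability each exploit signature
# needs. Signature IDs and the vulnerability label are made up.
ASSETS = {
    "10.1.1.10": {"criticality": "high", "vulns": {"VULN-SMB-1"}},  # unpatched file server
    "10.1.1.20": {"criticality": "low", "vulns": set()},            # patched print server
}
DEVICE_TRUST = {"ids01": 0.9, "fw01": 0.8}
CRIT_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
PROBE_SIGS = {"2001"}
EXPLOIT_SIGS = {"2514"}
SIG_TO_VULN = {"2514": "VULN-SMB-1"}


def T(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(ts, device, etype, src, dst, port, sig=None):
    return {"ts": T(ts), "device": device, "event_type": etype,
            "src_ip": src, "dst_ip": dst, "dst_port": port, "signature": sig}


# Constructed, already normalized events: recon against the file server, the
# exploit landing on it, the same exploit bounced off the print server by the
# firewall (the IDS sits outside it), and the file server then reaching an
# outside host on the same port a few minutes later.
EVENTS = [
    ev("2024-03-04T10:00:00Z", "ids01", "ids_alert", "203.0.113.7", "10.1.1.10", 445, "2001"),
    ev("2024-03-04T10:00:30Z", "ids01", "ids_alert", "203.0.113.7", "10.1.1.10", 445, "2514"),
    ev("2024-03-04T10:00:35Z", "ids01", "ids_alert", "203.0.113.7", "10.1.1.20", 445, "2514"),
    ev("2024-03-04T10:00:36Z", "fw01", "firewall_deny", "203.0.113.7", "10.1.1.20", 445),
    ev("2024-03-04T10:03:00Z", "fw01", "firewall_permit", "10.1.1.10", "198.51.100.5", 445),
]


def reached_destination(e, events, slack=timedelta(seconds=5)):
    """'Did the attack reach its destination?' An alert counts as delivered
    unless the firewall logged a deny for the same src/dst/port within
    `slack` of it. A deny event is, by definition, not delivered."""
    if e["event_type"] == "firewall_deny":
        return False
    return not any(
        o["event_type"] == "firewall_deny" and o["src_ip"] == e["src_ip"]
        and o["dst_ip"] == e["dst_ip"] and o["dst_port"] == e["dst_port"]
        and abs(o["ts"] - e["ts"]) <= slack
        for o in events)


def target_vulnerable(e):
    """Event based correlation (X on Y (vulnerable) => A): the exploit only
    matters if the VA data says the target really has the hole it needs."""
    needed = SIG_TO_VULN.get(e["signature"])
    return needed is not None and needed in ASSETS.get(e["dst_ip"], {}).get("vulns", set())


def risk_score(e, events):
    """Risk based correlation: base severity weighted by delivery, target
    vulnerability, asset criticality and reporting-device trust."""
    if e["signature"] in EXPLOIT_SIGS:
        score, reasons = 5.0, ["exploit signature"]
    elif e["signature"] in PROBE_SIGS:
        score, reasons = 2.0, ["recon signature"]
    else:
        score, reasons = 1.0, ["informational"]
    if reached_destination(e, events):
        reasons.append("reached target")
    else:
        score *= 0.2
        reasons.append("blocked by firewall")
    if target_vulnerable(e):
        score *= 2.0
        reasons.append("target vulnerable")
    else:
        score *= 0.5
    crit = ASSETS.get(e["dst_ip"], {}).get("criticality", "medium")
    score *= CRIT_WEIGHT[crit] * DEVICE_TRUST.get(e["device"], 0.5)
    label = "High" if score >= 5 else "Medium" if score >= 1.5 else "Low"
    return label, round(score, 3), reasons


def attack_chain(events, window=timedelta(minutes=10)):
    """Rule based correlation (X + Y + Z => A) for Probe -> Penetrate ->
    Propagate: recon from an attacker, a delivered exploit from the same
    attacker against a vulnerable host, then that victim reaching new hosts on
    the exploited port. Returns the chain, or None."""
    by_time = sorted(events, key=lambda x: x["ts"])
    for probe in (x for x in by_time if x["signature"] in PROBE_SIGS):
        penetrate = next((x for x in by_time
                          if x["signature"] in EXPLOIT_SIGS and x["src_ip"] == probe["src_ip"]
                          and probe["ts"] <= x["ts"] <= probe["ts"] + window
                          and target_vulnerable(x) and reached_destination(x, events)), None)
        if penetrate is None:
            continue
        victim = penetrate["dst_ip"]
        propagate = [x for x in by_time if x["src_ip"] == victim
                     and penetrate["ts"] < x["ts"] <= penetrate["ts"] + window
                     and x["dst_port"] == penetrate["dst_port"]]
        if propagate:
            return {"attacker": probe["src_ip"], "victim": victim, "severity": "High",
                    "probe": probe, "penetrate": penetrate, "propagate": propagate}
    return None


def analyze(events):
    """Score every event on its own, then look for the multi-step chain."""
    triage = [{"event": e, "severity": lbl, "score": s, "reasons": r}
              for e in events for lbl, s, r in [risk_score(e, events)]]
    return {"triage": triage, "chain": attack_chain(events)}


if __name__ == "__main__":
    result = analyze(EVENTS)
    for t in result["triage"]:
        e = t["event"]
        print(t["severity"], t["score"], e["src_ip"], "->", e["dst_ip"], e["signature"], t["reasons"])
    c = result["chain"]
    print("chain:", c and (c["attacker"], c["victim"], len(c["propagate"])))
```

Run on the constructed events, only the exploit against the vulnerable, high-criticality file server scores High on its own; the identical exploit aimed at the patched print server drops to Low because the firewall deny shows it never arrived and the target was not vulnerable. The chain rule then ties the recon, the delivered exploit and the victim's later outbound activity on port 445 into one High incident, which a per-event view would not surface.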
23 Incident Management
- Use defined playbooks and escalation procedures
- What happens after a threat is identified?
  - Notification: email, pagers, informs to enterprise managers (MOM, HP OpenView)
  - Trouble ticket creation (via XML)
  - Automated responses: execution of scripts
  - Response and remediation logging
24 Reporting
- Short term threat correlation needs real-time data
- Long term forensic queries need a database built for capacity, with file management and compression tools, for a retention of at least 18 months (often more)
- Best practice: use a different engine for each function
25 Real Time Reporting
- 10.1.1.10 is generating an attack; tell me more
- In a few clicks you can see:
  - Destinations reached by 10.1.1.10
  - The sessions for the destination of interest
  - Or any other information you might be interested in
26 Trending Reports
27 SIM Vendor Architecture
- Appliances: integrated database, often on a customized Linux kernel on standard hardware
- Software: integrated by the user or vendor on separately purchased hardware
- Components:
  1. Collectors: agents on devices or pre-processors on servers
  2. Threat analysis engine: real-time correlation
  3. Database/log manager: for raw logs and filtered data
  4. Console
28 Security Threat Management (STM)
- Refers to the ability not only to analyze and correlate data sources as a SIM can, but to come up with actual solutions for the operator to choose from
- Network topology awareness and configuration channels into switches, routers, and firewalls are often required
- Solves the NAT/PAT problem: tracking a NATed outside user from the internal (pre-NAT) address to the external IP address. A SIM cannot do this.
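One concrete form of the NAT/PAT problem, as an added Python example that is not code from the presentation or from any STM product: with port address translation many inside hosts share one outside address, so an outside observation can only be tied back to an inside host if the translation records (or a configuration channel into the firewall) supply the outside port and the time. The translation log format, device name and addresses below are constructed for the example.

```python
import re
from datetime import datetime

# Constructed firewall translation records in an assumed format (not a real
# vendor's): one line when a PAT translation is built, one when it is torn
# down. Outside port 20001 is reused by a different inside host thirty
# seconds after the first translation is torn down.
XLATE_LOG = """\
2024-03-04T09:58:00Z fw01 xlate built tcp 10.1.1.10:51000 -> 203.0.113.9:20001
2024-03-04T09:59:10Z fw01 xlate built tcp 10.1.1.20:51000 -> 203.0.113.9:20002
2024-03-04T10:01:00Z fw01 xlate torn tcp 10.1.1.10:51000 -> 203.0.113.9:20001
2024-03-04T10:01:30Z fw01 xlate built tcp 10.1.1.30:49152 -> 203.0.113.9:20001
"""

XLATE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) xlate (?P<state>built|torn) (?P<proto>\w+) "
    r"(?P<in_ip>[\d.]+):(?P<in_port>\d+) -> (?P<out_ip>[\d.]+):(?P<out_port>\d+)$")


def T(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def load_translations(text):
    """Pair 'built' and 'torn' records into time intervals keyed by the
    outside (proto, ip, port), so a reused outside port yields two intervals.
    Translations still open at the end of the log get end=None."""
    live, closed = {}, []
    for line in text.splitlines():
        m = XLATE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        key = (d["proto"], d["out_ip"], int(d["out_port"]))
        if d["state"] == "built":
            live[key] = {"inside": (d["in_ip"], int(d["in_port"])), "outside": key,
                         "start": T(d["ts"]), "end": None}
        else:
            rec = live.pop(key, None)
            if rec is not None:
                rec["end"] = T(d["ts"])
                closed.append(rec)
    return closed + list(live.values())


def _covers(t, when):
    return t["start"] <= when and (t["end"] is None or when <= t["end"])


def resolve_outside(translations, proto, out_ip, out_port, when):
    """Map an (ip, port) seen on the outside at time `when` back to the
    inside host. Returns a list: empty when no translation covered that
    instant, so the caller never silently blames the wrong host."""
    return [t["inside"] for t in translations
            if t["outside"] == (proto, out_ip, out_port) and _covers(t, when)]


def resolve_inside(translations, proto, in_ip, when):
    """The reverse lookup: which outside (ip, port) pairs an inside host
    held at `when`, i.e. what the rest of the world saw it as."""
    return [t["outside"][1:] for t in translations
            if t["outside"][0] == proto and t["inside"][0] == in_ip and _covers(t, when)]


def candidates_without_port(translations, out_ip):
    """What is left when only the external IP is known: every inside host
    that ever sat behind it. This is the PAT ambiguity the port and
    timestamp resolve."""
    return sorted({t["inside"][0] for t in translations if t["outside"][1] == out_ip})


if __name__ == "__main__":
    xl = load_translations(XLATE_LOG)
    print(resolve_outside(xl, "tcp", "203.0.113.9", 20001, T("2024-03-04T10:00:00Z")))
    print(resolve_outside(xl, "tcp", "203.0.113.9", 20001, T("2024-03-04T10:02:00Z")))
    print(candidates_without_port(xl, "203.0.113.9"))
```

The same outside 203.0.113.9:20001 resolves to 10.1.1.10 at 10:00 and to 10.1.1.30 at 10:02, and to nobody in the gap between tear-down and reuse; with only the outside address there are three candidate hosts, which is the point at which a plain event-log view stops being able to answer "who was that?".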
29 Topology Awareness
- Full visibility of the network
- Capacity to reconstruct sessions and their path
- ONLY visibility allows mitigation suggestions
30 Events per Second (EPS)
- EPS are calculated based on two variables:
  - Database insertion rate (writes to a relational DB): commercial 5,000-6,000 EPS; custom maximized 15,000 EPS. The insertion rate depends on the application writing to it.
  - Short term aggregation setup
31 Correlation: What About Flat Files vs. Relational Database?
- Claims of up to 100,000 EPS
- Downsides:
  - Low reliability and integrity
  - Low security
  - Limited data structuring: not feasible to create relationships within or between files
- Relational databases remain the favored approach
32 Custom Embedded RAM Databases
- Dept. of Energy -> NitroSecurity database: a custom database optimized for security logs, faster than a relational database on the order of 1-2x
- Embedded RAM databases: very fast but limited to the size of RAM
33 Scale
- To scale beyond an appliance: distributed and multi-tier model
- Adds significant overall cost: software loaded on multiple server platforms
- The database is still limited by the database insertion rate; a device capable of the rates seen in very large enterprises does not exist today
- These are always very costly solutions: the price of software/hardware plus operations and installation
34 Case for Separate Log Consolidation and SIM?
- A case can be made for separating log consolidation and SIM in large enterprises, based on the volume of events from all possible sources (network and security devices, servers, applications, VA) vs. the ability of one system to keep up
- Small to medium sized enterprises might find both functions in a single vendor
- Most large enterprises are unhappy with their current SIM solution
- Large enterprises generate huge volumes of events; SIMs have scaling issues related primarily to the rate at which events can be written into a database
- 5-10 Gbps firewalls will change the landscape; logging will be a huge issue. Testing at 6.1 Gbps of traffic showed 71,000 connections/sec. Current SIM technology cannot handle these rates.
- Log consolidation vendors can handle the scale and do better at meeting compliance and forensics requirements
35 Recent Shift in the Analyst Community
- Reality check: they once recommended a "god box" that does both SIM and log consolidation
- No vendor can do both well; each leans one way or the other
- Organizational requirements evolve faster than any vendor can keep up with
- Keeping up with multi-vendor support alone is a huge challenge: support is per vendor product and version release
- Separation of duties: one vendor for SIM and one for log consolidation
36 A Tiered Approach to a Complicated Solution

Tier 1: Log Consolidation   Tier 2: SIM              Tier 3: Event Manager
  Log aggregation             Normalization            Enterprise event management
  Data storage                Correlation              Ticketing
  Raw log analysis            Policy enforcement       Remediation
  Data mining                 Incident management      Case management
37 An Expandable Architecture
[Diagram: Tier 1 Log Consolidator, Tier 2 SIM, Tier 3 Event Manager (HPOV, Tivoli, NetMon Sys), each with applications attached]
- Tier 3 applications: trouble ticketing, case management, paging/alerting
- Tier 1 and Tier 2 applications: raw log data, storage/HA, data mining, forensic apps, incident forensics, reporting, advanced reporting, correlation, NBAD (perhaps), security policy enforcement, false positive analysis, special apps
38 Benefits of a 3 Tier Solution
- No co-dependency: one vendor trying to meet all your needs is expensive and limited to their capabilities
- No single point of failure: HA, long term storage
- Better workflow for multiple internal organizations, separation of responsibilities, use of existing apps
- Choices: best of breed in all 3 tiers, no single point of vulnerability
- More
39 Final Thoughts
- SIM is a large investment in time and money
- Critical: custom parsers, custom rules, and custom reports; one size does not fit all
- As the size of the enterprise increases, so does the need for separate SIM and log consolidation solutions
- SIM cannot handle the rates of 5-10 Gbps firewalls; expect a shift of this data to NetFlow-like formats, which can handle these rates
- As the size of the enterprise increases, so does the need for a separate Network Behavior Analysis (NBA) solution vs. a hybrid SIM/NBA (next topic)
40 Network Behavioral Analysis (NBA)
41 What Is Meant by Telemetry?
Telemetry, n.: The science and technology of automatic measurement and transmission of data by wire, radio, or other means from remote sources, as from space vehicles, to receiving stations for recording and analysis.
Source: The American Heritage Dictionary of the English Language, Fourth Edition
42 Network Telemetry
- Network telemetry offers extensive and useful detection capabilities
- This telemetry is often coupled with dedicated analysis systems to collect, trend, and correlate observed activity
- There are several forms of telemetry available from routers, switches, and other network devices: Cisco NetFlow, J-Flow (Juniper), and NetStream (Huawei)
- Although initially implemented by Cisco, NetFlow is emerging as an IETF standard: Internet Protocol Flow Information eXport (IPFIX). Based on the NetFlow version 9 implementation, IPFIX is going to be the industry standard in the very near future. Network infrastructure vendors, including Nortel Networks and others, are already adding IPFIX support to their enterprise switches and routers.
- There are a number of open source and commercial tools available which greatly enhance the utility of network telemetry
43 Key Concept: NetFlow Scalability
- Packet capture is like a wiretap
- NetFlow is like a phone bill
- This level of granularity allows NetFlow to scale for very large amounts of traffic
- We can learn a lot from studying the phone bill: who is talking to whom, over what protocols and ports, for how long, at what speed, for what duration, etc.
- NetFlow is a form of telemetry pushed from the routers/switches; each one can be a sensor
44 Network Behavior Analysis (NBA)
- Visibility into network activity for the purposes of security and operations
- Focus: network OpSec, not InfoSec
- Last line of defense after firewalls, IPS, SIM
- Network telemetry data (NetFlow, DNS, BGP, SNMP, RMON, packet capture, AAA, syslog) plus anomaly detection technology
- Tension: security wants real-time analysis vs. operations wants performance and capacity measurement and planning (Crannog, NetScout, NetQoS, Netuitive, OPNET). The market has vendors in each of these camps.
- Gartner Group: by 2010 these two will be one market
45 NBA Anomaly Detection
- Statistical anomaly detection: baseline of network traffic (pps/bps, connections, packet size distribution, etc.)
- Behavioral anomaly detection: communication relationship modeling (who talks to whom?). Domain of pure-play NBA vendors
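The "phone bill" view of slide 43 and the two anomaly detection styles of slide 45 are easiest to see on real flow records, so the following added Python example (not code from the presentation or from any NBA vendor) builds the bill from constructed flow records and then runs a behavioral check (who talks to whom, compared against a baseline) and a statistical check (bytes per flow collapsing) over a constructed hour in which one host begins sweeping a neighbouring subnet. The field layout, addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records, one per line, with the fields a collector keeps
# from a NetFlow v5 export (start, duration_s, proto, src, sport, dst, dport,
# packets, bytes). Not real exporter output. BASELINE is a normal hour;
# CURRENT is an hour in which 10.1.1.10 starts sweeping 10.1.2.0/24 on port
# 445 with single-packet flows.
BASELINE = """\
10:00:00 120 tcp 10.1.1.50 51001 10.1.1.10 445 400 52000
10:00:05 3 udp 10.1.1.50 51002 10.1.1.99 53 2 180
10:00:10 60 tcp 10.1.1.10 50010 10.1.1.200 1433 800 120000
10:05:00 30 tcp 10.1.1.50 51003 10.1.1.200 1433 120 16000
"""
CURRENT = """\
11:00:00 120 tcp 10.1.1.50 51010 10.1.1.10 445 410 53000
11:00:01 0 tcp 10.1.1.10 49153 10.1.2.1 445 1 48
11:00:01 0 tcp 10.1.1.10 49154 10.1.2.2 445 1 48
11:00:01 0 tcp 10.1.1.10 49155 10.1.2.3 445 1 48
11:00:02 0 tcp 10.1.1.10 49156 10.1.2.4 445 1 48
11:00:02 0 tcp 10.1.1.10 49157 10.1.2.5 445 1 48
11:00:02 0 tcp 10.1.1.10 49158 10.1.2.6 445 1 48
11:00:03 0 tcp 10.1.1.10 49159 10.1.2.7 445 1 48
11:00:03 0 tcp 10.1.1.10 49160 10.1.2.8 445 1 48
11:00:10 60 tcp 10.1.1.10 50011 10.1.1.200 1433 790 118000
"""

FIELDS = ("start", "duration", "proto", "src", "sport", "dst", "dport", "packets", "bytes")
INTS = {"duration", "sport", "dport", "packets", "bytes"}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for k in INTS:
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def phone_bill(flows):
    """The 'phone bill': who talked to whom, over which protocol and port,
    how many calls, how many packets and bytes, and for how long in total."""
    bill = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "seconds": 0})
    for f in flows:
        b = bill[(f["src"], f["dst"], f["proto"], f["dport"])]
        b["flows"] += 1
        b["packets"] += f["packets"]
        b["bytes"] += f["bytes"]
        b["seconds"] += f["duration"]
    return dict(bill)


def peers(flows):
    """Communication relationship model: the (dst, proto, dport) set each host talks to."""
    m = defaultdict(set)
    for f in flows:
        m[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return m


def behavioral_anomalies(baseline, current, fanout=5):
    """Behavioral anomaly detection: a host that talks to at least `fanout`
    (dst, proto, port) triples never seen in the baseline is flagged."""
    base, cur = peers(baseline), peers(current)
    findings = []
    for host, now in cur.items():
        new = now - base.get(host, set())
        if len(new) >= fanout:
            findings.append({"host": host, "new_peers": len(new),
                             "ports": sorted({p[2] for p in new})})
    return findings


def statistical_anomalies(baseline, current, ratio=0.25):
    """Statistical anomaly detection: a host whose mean bytes per flow falls
    below `ratio` of its baseline mean, the signature of a scan or worm."""
    def mean_bytes(flows):
        tot = defaultdict(lambda: [0, 0])
        for f in flows:
            tot[f["src"]][0] += f["bytes"]
            tot[f["src"]][1] += 1
        return {h: b / n for h, (b, n) in tot.items()}
    base, cur = mean_bytes(baseline), mean_bytes(current)
    return [{"host": h, "baseline_mean": base[h], "current_mean": cur[h]}
            for h in cur if h in base and cur[h] < ratio * base[h]]


if __name__ == "__main__":
    b, c = parse_flows(BASELINE), parse_flows(CURRENT)
    for k, v in phone_bill(c).items():
        print(k, v)
    print(behavioral_anomalies(b, c))
    print(statistical_anomalies(b, c))
```

On the constructed data the bill shows 10.1.1.10 placing eight one-packet "calls" to eight new hosts on port 445 in three seconds; the behavioral check flags it for talking to eight peers it never talked to in the baseline, and the statistical check flags it because its mean bytes per flow fell to a fraction of the baseline, while 10.1.1.50, whose traffic looks the same as before, stays quiet. Neither check needs packet payloads, which is why this scales where capture does not.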
46 NetFlow Threat Detection: Algorithmic Analysis
[Diagram: Concern Index]
47 NBA
- Pure-play NBA vendors: Arbor Networks, Narus, Mazu, Lancope, and Q1 Labs
- Large enterprises generally require a pure-play NBA vendor
- Trend: add identity (IP address to username)
- There are some hybrid SIM/NBA vendors (limited)
48 Visualization of a Worm Outbreak
49 An Intrusion Prevention Grid: Tying It All Together
50 Intrusion Prevention