Security Information Management (SIM) Technology Brief – PowerPoint PPT presentation
Slides: 51
Provided by: cisc88

Transcript and Presenter's Notes

1
Security Information Management (SIM) Technology Brief
Ken Kaminski, Cisco Systems Security Architect, Northeast US (CISSP, GCIA)
2
Agenda
  • Threat Economy Driving Change
  • Security Information Management and Log
    Consolidation: Two sides of the coin
  • Network Behavior Analysis
  • An Intrusion Prevention Grid: Tying it all
    Together
  • Q&A

3
Threat Economy Driving Change
4
Threat Economy: Historic Attacker Motivations
(diagram, reconstructed from its labels)
Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans)
Asset: Compromise Individual Host or Application; Compromise Environment
End Value: Fame; Theft; Espionage (Corporate/Government)
Take Away: Fame was by far the dominant motivator
5
Threat Economy Today
(diagram, reconstructed from its labels; the chain runs Writers -> First Stage Abusers -> Middle Men -> Second Stage Abusers -> End Value)
Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans, Spyware)
Abuser and middle-man roles (first and second stage, as placed in the diagram): Hacker/Direct Attack; Extortionist/DDoS-for-Hire; Spammer; Phisher; Pharmer/DNS Poisoning; Internal Theft (Abuse of Privilege)
Assets passing between them: Compromised Host and Application; Machine Harvesting; Bot-Net Creation; Bot-Net Management (For Rent, for Lease, for Sale); Information Harvesting; Personal Information; Information Brokerage; Electronic IP Leakage
End Value: Fame; Theft; Espionage (Corporate/Government); Extorted Pay-Offs; Commercial Sales; Fraudulent Sales; Advertising Revenue; Financial Fraud; Identity Theft
Take Away 1: For-profit end values
Take Away 2: Multiple methods to achieve the goal
Take Away 3: Sustainable economy, resilient to shocks
6
Security Information Management (SIM) and Log
Consolidation: Two sides of the Coin
7
Security Information Management
  • Definition: SIM refers to the collection of data
    into a central repository for analysis and
    correlation, reducing the number of security events
    to a manageable and actionable list, and automating
    analysis such that real attacks and intruders can
    be discerned.

Different terms exist: SIM (Security Information
Management), SEM (Security Event Management), SIEM
(Security Information and Event Management; the
Gartner Group term, made up of SIM and SEM).
Depending on the company or vendor they may be used
in different ways. There is no official
definition for each of them.
8
Security Information Management
  • Multivendor Security Event Management:
    analyze/correlate events from security devices (incl.
    firewalls, IPS, HIPS, AV, VPN/SSL, etc.) and
    network devices
  • Primary driver: near real-time threat management
    to improve security incident response to internal
    and external threats
  • Solves the problem of coordinating information
    from multiple logging silos (i.e. firewalls, IPS,
    HIPS, AV, network, etc.)
  • Users: IT SecOps, security analysts in the SOC
  • Large enterprises: first line of defense, to be
    followed up with advanced forensics
    tools/analysis in response to security incidents
  • Primary funding: IT security and threat
    management sources

9
(Diagram: FW/NIDS syslog -> internal threat information resource, marked "?" -> log/alert output)
10
Log Consolidation and Management
  • Primary focus: host and application log
    management
  • Secondary focus: SIM capabilities
  • Primary drivers: regulatory, internal IT policy,
    contract compliance
  • Users: IT Security, Audit, Compliance groups
  • Critical: watch the actions of authorized users on
    servers
  • Today: log aggregation requirements trump SIM for
    funding

11
Security Information Management
  • A SIM consists of at least 5 major elements:
      – Log consolidation
      – Event normalization
      – Threat correlation
      – Incident management
      – Reporting

Compliance is often an orthogonal process to
correlation
12
Log Consolidation
  • A defense in depth strategy utilizes multiple
    devices: firewalls, NIPS, HIPS, AV, AAA, VPN,
    application events, OS logs

(Diagram: the device types above feeding the SIM)
  • Need to consolidate and normalize similar events
    from multiple vendors
  • Unique SIM event database for all the different inputs
  • Universal syslog support
13
Aggregation
  • Aggregation means: hold events in memory and remove
    duplicates
  • The longer the hold, the longer the delay away from
    real-time
  • How many messages of the same type did I see
    within the time-out window? Store one event in
    the DB with a counter
  • The time-out value can be adjusted as needed
  • On average, aggregation saves 75% of disk space
  • Increasingly, duplicate events are being
    aggregated on the end devices themselves (e.g. firewalls)

14
Normalization
  • Security monitoring environment is multi-vendor
  • Events from different devices and vendors have
    different formats
  • Need to compare similar (normalized) events from
    multiple vendors apples-to-apples

(Diagram label: IIS)
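The two pipeline stages just described (normalize, then aggregate within a time-out window) as one runnable illustration. This is an added example, not code from the presentation or from any SIM vendor. The input lines are constructed to resemble an ASA-style firewall deny and a Snort-style IDS alert for the same SMB activity; the field layouts, the local-range rule id and the 60-second window are assumptions, and a real collector carries one parser per vendor product and version.

```python
"""Normalize multi-vendor syslog lines into one schema, then collapse repeats
seen inside a time-out window into a single record with a counter.

Added example; formats below are constructed stand-ins, not vendor specs.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: firewall denies and an IDS alert for one attacker
# hitting one target on TCP/445, plus a straggler 89 seconds later.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw1 %ASA-4-106023: Deny tcp src outside:10.1.1.10/4431 dst inside:192.168.5.20/445
Mar 10 12:00:02 fw1 %ASA-4-106023: Deny tcp src outside:10.1.1.10/4432 dst inside:192.168.5.20/445
Mar 10 12:00:03 ids1 snort[1234]: [1:1000001:1] SMB session setup probe [Priority: 2] {TCP} 10.1.1.10:4433 -> 192.168.5.20:445
Mar 10 12:00:04 fw1 %ASA-4-106023: Deny tcp src outside:10.1.1.10/4434 dst inside:192.168.5.20/445
Mar 10 12:01:30 fw1 %ASA-4-106023: Deny tcp src outside:10.1.1.10/4435 dst inside:192.168.5.20/445
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
ASA_DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
SNORT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<name>.+?) \[Priority: (?P<prio>\d)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line, year=2008):
    """Map one raw line onto the common schema; the raw line is kept alongside
    (modern SIMs store raw and processed data separately, never alter the raw)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    if (d := ASA_DENY_RE.search(msg)):
        return {"ts": ts, "reporter": m["host"], "vendor": "asa", "type": "fw_deny",
                "proto": d["proto"].lower(), "src": d["src"], "dst": d["dst"],
                "dport": int(d["dport"]), "raw": line}
    if (d := SNORT_RE.search(msg)):
        return {"ts": ts, "reporter": m["host"], "vendor": "snort",
                "type": f"ids_alert:{d['sid']}", "proto": d["proto"].lower(),
                "src": d["src"], "dst": d["dst"], "dport": int(d["dport"]), "raw": line}
    return {"ts": ts, "reporter": m["host"], "vendor": "unknown", "type": "unparsed",
            "proto": None, "src": None, "dst": None, "dport": None, "raw": line}


def aggregate(events, timeout=timedelta(seconds=60)):
    """Collapse events with the same (type, src, dst, dport) that arrive within
    `timeout` of the first one into a single record carrying a counter.
    The source port is deliberately not part of the key: every new TCP
    connection has a fresh source port, so keying on it would defeat the purpose."""
    events = sorted(events, key=lambda e: e["ts"])
    open_slots, out = {}, []
    for e in events:
        key = (e["type"], e["src"], e["dst"], e["dport"])
        slot = open_slots.get(key)
        if slot and e["ts"] - slot["first_seen"] <= timeout:
            slot["count"] += 1
            slot["last_seen"] = e["ts"]
        else:
            slot = dict(e, first_seen=e["ts"], last_seen=e["ts"], count=1)
            del slot["ts"]
            open_slots[key] = slot      # window is measured from the first occurrence
            out.append(slot)
    return out


def run(text=SAMPLE_LOG):
    """Normalize every line, drop unparseable ones, aggregate the rest."""
    events = [ev for ev in (normalize(line) for line in text.splitlines()) if ev]
    return aggregate(events)


if __name__ == "__main__":
    for r in run():
        print(r["first_seen"].time(), r["vendor"], r["type"],
              r["src"], "->", r["dst"], r["dport"], "x", r["count"])
```

With the 60-second window the three firewall denies at 12:00:01-12:00:04 become one record with count 3, the IDS alert stays its own record (different event type, so it is never merged with the firewall's view of the same traffic), and the deny at 12:01:30 opens a new record because it falls outside the window of the first one. Lengthening the window would merge it too, at the cost of the extra delay before the first record is released, which is the trade-off the slide describes.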
15
Log Consolidation/Normalization Example
Sasser worm from an IDS and vulnerability
perspective (small portion)
(Diagram: Cisco MARS event, ID 1911301)
16
Two Formats Raw and Filtered
  • Early SIM vendors altered raw logs in order to
    ease inserting events into the database (database
    technology speed issues)
  • This focused on correlation at the expense of
    forensics and legal requirements, where altered
    data is a problem
  • Most modern SIM products store raw logs separately
    and concurrently with the filtered and processed data,
    which lives in the database

17
Event Sources
  • Primary: syslog
  • Windows: 1. Snare agent for syslog;
    2. proprietary agent;
    3. clientless native pull (NetBIOS)
  • Non-syslog: Check Point firewalls (LEA)
  • Some NIDS/NIPS: SDEE
  • Vulnerability assessment vendors
  • AS/400 and mainframes: flat files
  • Databases: ODBC and SQL queries

18
Event Sources cont.
  • Focus on servers and applications, not
    workstations, due to device count, licensing, and
    scalability issues
  • Network Admission Control devices
  • Authentication sources: AD, LDAP, Novell,
    RADIUS, local accounts
  • Network devices: routers, switches, wireless APs
    and controllers, remote access VPN/SSL devices

19
Threat Correlation
  • Need to build the history of an attack.
  • A good SIM needs to use a mixture of different
    correlation types:
  • Event based: X on Y (vulnerable) -> A
  • Rule based: X, Y, Z -> A
  • Anomaly based: deviation from the norm
  • Risk based: attack disruptive AND target
    critical AND reporting device trustworthy ->
    escalate

20
Threat Correlation: Rule Based (II)
(diagram only)
21
Threat Correlation - Example (III)
Correlation can only be as good as the data fed to
the SIM system
(Diagram: attack stages Probe -> Penetrate -> Propagate)
22
Threat Correlation Post Incident Analysis (IV)
  • Post-incident analysis to adjust incident
    severity based on context:
  • Did the attack reach its destination?
  • Is the victim vulnerable?
  • How important is the victim system?
  • Do further events indicate a possible compromise?

(Diagram: severity scale High / Medium)
Analysis can be static or dynamic
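The correlation types from slide 19 and the four post-incident context checks above, worked through on a small constructed timeline. This is an added example, not the presentation's or any vendor's correlation engine. The events are assumed to be already normalized (the shape an aggregation stage would emit), ASSETS stands in for a CMDB joined with vulnerability-scan results, REPORTER_TRUST is a made-up per-sensor weight, and the signature name "smb-lsass" is a label rather than a real rule identifier.

```python
"""Event-, rule- and risk-based correlation, then post-incident severity
adjustment: did the attack reach the target, is the target vulnerable, how
critical is it, and did anything follow that looks like compromise.

Added example; all inputs are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def at(seconds):                      # constructed timeline helper
    return datetime(2008, 3, 10, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed context: criticality 1-5, vulns as reported by the VA scanner.
ASSETS = {
    "192.168.5.20": {"name": "fileserver", "criticality": 5, "vulns": {"smb-lsass"}},
    "192.168.5.21": {"name": "printer",    "criticality": 1, "vulns": set()},
}
REPORTER_TRUST = {"fw1": 1.0, "ids1": 0.9, "hids-fileserver": 0.8}   # risk-based weight per sensor

# Constructed normalized events: an outside host probes, the IDS sees an
# exploit against two targets, and one target then starts reaching out itself.
EVENTS = [
    {"ts": at(0),  "reporter": "fw1",  "type": "fw_deny",   "src": "10.1.1.10",    "dst": "192.168.5.20", "dport": 139},
    {"ts": at(1),  "reporter": "fw1",  "type": "fw_permit", "src": "10.1.1.10",    "dst": "192.168.5.20", "dport": 445},
    {"ts": at(2),  "reporter": "ids1", "type": "ids_alert", "src": "10.1.1.10",    "dst": "192.168.5.20", "dport": 445, "sig": "smb-lsass", "severity": 4},
    {"ts": at(2),  "reporter": "ids1", "type": "ids_alert", "src": "10.1.1.10",    "dst": "192.168.5.21", "dport": 445, "sig": "smb-lsass", "severity": 4},
    {"ts": at(40), "reporter": "hids-fileserver", "type": "new_listener", "src": "192.168.5.20", "dst": None, "dport": 5554},
    {"ts": at(45), "reporter": "fw1",  "type": "fw_permit", "src": "192.168.5.20", "dst": "192.168.7.9",  "dport": 445},
]


def stage_and_victim(e):
    """Attack stage an event implies, and which host is the victim for it."""
    if e["type"] == "new_listener":
        return "propagate", e["src"]
    if e["type"] in ("fw_deny", "fw_permit"):
        if e["src"] in ASSETS:          # inventoried host initiating: outbound activity
            return "propagate", e["src"]
        return "probe", e["dst"]
    if e["type"] == "ids_alert":
        return "penetrate", e["dst"]
    return None, None


def event_based(e):
    """'X on Y (vulnerable) -> A': the signature names a weakness VA data says the target has."""
    asset = ASSETS.get(e.get("dst"))
    return e["type"] == "ids_alert" and asset is not None and e.get("sig") in asset["vulns"]


def rule_based(events, window=timedelta(minutes=5)):
    """'X, Y, Z -> A': probe, then penetrate, then propagate for one victim inside `window`."""
    first = defaultdict(dict)                      # victim -> stage -> first timestamp
    for e in sorted(events, key=lambda e: e["ts"]):
        stage, victim = stage_and_victim(e)
        if stage and stage not in first[victim]:
            first[victim][stage] = e["ts"]
    hits = []
    for victim, st in first.items():
        if all(s in st for s in ("probe", "penetrate", "propagate")) \
                and st["probe"] <= st["penetrate"] <= st["propagate"] <= st["probe"] + window:
            hits.append(victim)
    return sorted(hits)


def reached_target(e, events):
    """Check 1: a firewall deny for the same flow at or before the alert means it never arrived."""
    return not any(f["type"] == "fw_deny" and f["src"] == e["src"] and f["dst"] == e["dst"]
                   and f["dport"] == e["dport"] and f["ts"] <= e["ts"] for f in events)


def assess(e, events):
    """Risk-based score (severity x criticality x reporter trust) plus the context checks.
    Returns (severity label, risk score)."""
    asset = ASSETS.get(e["dst"], {"criticality": 1, "vulns": set()})
    score = e.get("severity", 1) * asset["criticality"] * REPORTER_TRUST.get(e["reporter"], 0.5)
    if not reached_target(e, events):
        return "Low", score                         # blocked at the firewall: informational only
    if e["dst"] in rule_based(events):
        return "High", score                        # check 4: follow-on events indicate compromise
    if event_based(e) and asset["criticality"] >= 4:
        return "High", score                        # checks 2 and 3: vulnerable and critical
    if event_based(e) or asset["criticality"] >= 4:
        return "Medium", score
    return "Low", score


def triage(events=EVENTS):
    """Severity-adjusted view of the IDS alerts: (victim, severity, risk score)."""
    return [(e["dst"], *assess(e, events)) for e in events if e["type"] == "ids_alert"]


if __name__ == "__main__":
    for victim, sev, score in triage():
        print(f"{victim:15} {sev:6} risk={score:.1f}")
```

The two IDS alerts are identical as far as the sensor is concerned; context separates them. The file server is vulnerable, critical, and shows the probe, penetrate, propagate sequence within the window, so its alert is High. The printer is neither vulnerable nor critical and nothing follows, so the same signature there is Low. Had the firewall denied port 445 rather than 139, the first alert would also drop to Low because it never reached the host.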
23
Incident Management
  • Use defined playbooks and escalation procedures:
    what happens after a threat is identified?
  • Notification: email, pagers, informs to
    enterprise managers (MOM, HP OpenView)
  • Trouble ticket creation (via XML)
  • Automated responses: execution of scripts
  • Response and remediation logging

24
Reporting
  • Short-term threat correlation needs real-time
    data
  • Long-term forensic queries need a database built
    for capacity, with file management and
    compression tools, sized for retention of at least
    18 months (often more)

Best practice: use a different engine for each
functionality
25
Real Time Reporting
"10.1.1.10 is generating an attack, tell me more"
  • In a few clicks you can see:
  • Details for a device
  • Destinations reached by 10.1.1.10
  • The sessions for the destination of interest
  • Or any other information you might be interested
    in

26
Trending Reports
27
SIM Vendor Architecture
  • Appliances: integrated database, often on a
    customized Linux kernel on standard hardware
  • Software: integrated by user or vendor on
    separately purchased hardware
  • Components:
    1. Collectors: agents on devices or
       pre-processors on servers
    2. Threat analysis engine: real-time
       correlation
    3. Database / log manager: for raw logs and
       filtered data
    4. Console

28
Security Threat Management (STM)
  • Refers to the ability not only to analyze and
    correlate data sources as a SIM can, but to come up
    with actual solutions for the operator to choose
    from
  • Network topology awareness and configuration
    channels into switches, routers and firewalls are
    often required
  • Solves the NAT/PAT problem: tracking a NATed outside
    user from the internal NAT address to the external IP
    address. A SIM cannot do this.

29
Topology Awareness
  • Full visibility of the network
  • Capability to reconstruct sessions and their path
  • ONLY visibility allows mitigation suggestions

30
Events per Second (EPS)
  • EPS are calculated based on two variables:
  • Database insertion rate (writes to the relational DB)
      – Commercial: 5,000-6,000 EPS
      – Custom, maximized: 15,000 EPS
      – Insertion rate depends on the application
        writing to it
  • Short-term aggregation setup

31
Correlation: What about Flat Files vs. a Relational
Database?
  • Claims of up to 100,000 EPS
  • Downsides:
  • Low reliability and integrity
  • Low security
  • Limited data structuring: not feasible to create
    relationships within or between files
  • Relational databases remain the favored approach

32
Custom / Embedded RAM Databases
  • Dept of Energy -> NitroSecurity database: a custom
    database optimized for security logs. Faster than a
    relational database, on the order of 1-2x
  • Embedded RAM databases: very fast but limited to the
    size of RAM

33
Scale
  • To scale beyond an appliance: distributed and
    multi-tier model
  • Adds significant overall cost: software loaded
    on multiple server platforms
  • The database is still limited by the database insertion
    rate. A device capable of the rates seen in very
    large enterprises does not exist today
  • These are always very costly solutions: price
    for software/hardware and for operation/installation

34
Case for Separate Log Consolidation and SIM?
  • A case can be made for separating Log
    Consolidation and SIM in large enterprises, based
    on the volume of events from all possible sources
    (network and security devices, servers,
    applications, VA) vs. the ability of one system
    to keep up.
  • Small to medium-sized enterprises might find both
    functions in a single vendor
  • Most large enterprises are unhappy with their
    current SIM solution.
  • Large enterprises generate huge volumes of events;
    SIMs have scaling issues related primarily to
    the rate at which events can be written into a database.
  • 5-10 Gbps firewalls will change the landscape:
    logging will be a huge issue. Testing at 6.1
    Gbps of traffic produced 71,000 conns/sec. Current SIM
    technology cannot handle these rates
  • Log consolidation vendors can handle the scale
    and do better at meeting compliance and forensics
    requirements

35
Recent Shift in Analyst Community
  • Reality check: they once recommended a god-box
    that does both SIM and Log Consolidation
  • No vendor can do both well; each leans one way
    or the other
  • Organizational requirements evolve faster than
    any vendor can keep up with
  • Keeping up with multivendor support alone is a
    huge challenge: support is per vendor product
    and version release
  • Separation of duties: one vendor for SIM and one
    for Log Consolidation

36
A Tiered approach to a complicated solution
(diagram, reconstructed from its labels)
Tier 1 Log Consolidation: Log Aggregation; Data Storage; Raw Log Analysis; Data Mining
Tier 2 SIM: Normalization; Correlation; Policy Enforcement; Incident Mngmt
Tier 3 Event Manager: Enterprise Event Management; Ticketing; Remediation; Case Management
37
An Expandable Architecture
(diagram, reconstructed from its labels)
Tier 1 Log Consolidator: Raw Log Data; Storage HA; Data Mining; Forensic Apps; Reporting
Tier 2 SIM: Correlation; NBAD (perhaps); Security Policy Enforcement; Adv. Reporting; False Positive Analysis; Incident Forensics
Tier 3 Event Manager (HPOV, Tivoli, NetMon Sys): Trouble Ticketing; Case Management; Paging/Alerting; Special Apps
38
Benefits to a 3 Tier Solution
  • No codependency: one vendor trying to meet all
    your needs is expensive and limited to their
    capabilities
  • No single point of failure: HA, long-term
    storage
  • Better workflow for multiple internal
    organizations, separation of responsibilities,
    use of existing apps
  • Choices: best of breed in all 3 tiers, no single
    point of vulnerability
  • More.

39
Final Thoughts
  • SIM: a large investment in time and money
  • Critical: custom parsers, custom rules, and
    custom reports; one size does not fit all
  • As the size of the enterprise increases, so does
    the need for separate SIM and Log Consolidation
    solutions
  • SIM cannot handle the rates of 5-10 Gbps
    firewalls; expect a shift of this data to NetFlow-
    like formats, which can handle these rates
  • As the size of the enterprise increases, so does the
    need for a separate Network Behavior Analysis
    (NBA) solution vs. a hybrid SIM/NBA (next topic)

40
Network Behavioral Analysis (NBA)
41
What Is Meant by Telemetry?
Telemetry, n. The science and technology of
automatic measurement and transmission of data by
wire, radio, or other means from remote sources,
as from space vehicles, to receiving stations for
recording and analysis.
Source: The American Heritage Dictionary of the
English Language, Fourth Edition
42
Network Telemetry
  • Network telemetry offers extensive and useful
    detection capabilities
  • This telemetry is often coupled with dedicated
    analysis systems to collect, trend, and correlate
    observed activity
  • There are several forms of telemetry available
    from routers, switches, and other network devices:
    Cisco NetFlow, Jflow (Juniper), and NetStream
    (Huawei)
  • Although initially implemented by Cisco, NetFlow
    is emerging as an IETF standard: Internet
    Protocol Flow Information eXport (IPFIX). Based
    on the NetFlow version 9 implementation, IPFIX is
    going to be the industry standard in the very
    near future. Network infrastructure vendors,
    including Nortel Networks and others, are already
    adding IPFIX support to their enterprise switches
    and routers.
  • There are a number of open source and commercial
    tools available which greatly enhance the utility
    of network telemetry

43
Key Concept NetFlow Scalability
  • Packet capture is like a wiretap
  • NetFlow is like a phone bill
  • This level of granularity allows NetFlow to scale
    for very large amounts of traffic
  • We can learn a lot from studying the phone bill:
  • Who's talking to whom, over what protocols and
    ports, for how long, at what speed, for what
    duration, etc.
  • NetFlow is a form of telemetry pushed from the
    routers/switches; each one can be a sensor

44
Network Behavior Analysis (NBA)
  • Visibility into network activity for the purposes
    of security and operations
  • Focus: network OpSec, not InfoSec
  • Last line of defense after firewalls, IPS, SIM
  • Network telemetry data (NetFlow, DNS, BGP, SNMP,
    RMON, packet capture, AAA, syslog) plus anomaly
    detection technology
  • Tension: security wants real-time analysis vs.
    operations wants performance and capacity
    measurement and planning (Crannog, NetScout,
    NetQoS, Netuitive, OPNET). The market has vendors in
    each of these camps
  • Gartner Group: by 2010 these two will be one market

45
NBA Anomaly Detection
  • Statistical anomaly detection: baseline of
    network traffic (pps/bps, connections, packet
    size distribution, etc.)
  • Behavioral anomaly detection: communications relationship
    modeling (who talks to whom?). Domain of pure-play
    NBA vendors

46
NetFlow Threat Detection: Algorithmic Analysis
(Diagram: Concern Index)
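The two detection styles from slide 45 (a statistical baseline of flows per minute, and a behavioral "who talks to whom" peer model) applied to NetFlow-style records, with the findings rolled into a per-host score in the spirit of the concern index above. This is an added example, not the presentation's or any NBA vendor's algorithm, and the scoring weights are my own. The flow records are constructed tuples standing in for exported NetFlow fields (no collector or v5/v9 decoding involved), and the baseline hour and the scanning host are invented.

```python
"""Behavioral NBA over NetFlow-style records: learn each host's normal peers
and flow rate, then score a later window for new peers, unanswered flows and
single-port fan-out (the shape of a worm or scanner).

Added example; flow data is constructed. Record layout:
(minute, src, dst, ip_proto, dport, packets, bytes), one record per
unidirectional flow, as a NetFlow exporter would report it.
"""
from collections import defaultdict

# Constructed baseline: an hour of two workstations doing ordinary things.
BASELINE = []
for minute in range(60):
    BASELINE.append((minute, "192.168.5.30", "192.168.5.20", 6, 445, 120, 90000))   # file server
    BASELINE.append((minute, "192.168.5.30", "10.9.9.9",     6, 80,  40,  30000))   # web proxy
    BASELINE.append((minute, "192.168.5.31", "192.168.5.20", 6, 445, 80,  60000))
    BASELINE.append((minute, "192.168.5.31", "192.168.5.10", 17, 53, 2,   200))     # DNS

# Constructed live minute: .30 is unchanged, .31 sprays one-packet SYNs at
# 200 hosts it has never spoken to, all on TCP/445.
LIVE = [
    (61, "192.168.5.30", "192.168.5.20", 6, 445, 110, 85000),
    (61, "192.168.5.30", "10.9.9.9",     6, 80,  30,  22000),
]
LIVE += [(61, "192.168.5.31", f"192.168.6.{i}", 6, 445, 1, 48) for i in range(1, 201)]


def profile(flows):
    """Per-source profile: the set of (dst, proto, dport) peers and flows per active minute."""
    peers, minutes, count = defaultdict(set), defaultdict(set), defaultdict(int)
    for minute, src, dst, proto, dport, _pkts, _bytes in flows:
        peers[src].add((dst, proto, dport))
        minutes[src].add(minute)
        count[src] += 1
    return {src: {"peers": peers[src], "fpm": count[src] / len(minutes[src])} for src in peers}


def concern_index(baseline, live):
    """Score each source seen in `live` against what `baseline` says is normal for it."""
    base, cur, out = profile(baseline), profile(live), {}
    for src, p in cur.items():
        b = base.get(src, {"peers": set(), "fpm": 0.0})
        new_peers = p["peers"] - b["peers"]                 # behavioral: relationships never seen before
        mine = [f for f in live if f[1] == src]
        unanswered = sum(1 for f in mine if f[3] == 6 and f[5] <= 2)   # TCP flows that never got going
        ports = {f[4] for f in mine}
        ci = 2 * len(new_peers) + unanswered
        if len(new_peers) >= 20 and len(ports) == 1:
            ci += 100                                       # fan-out on a single port: scanner signature
        if b["fpm"] and p["fpm"] > 10 * b["fpm"]:
            ci += 50                                        # statistical: rate far above the host's baseline
        out[src] = {"ci": ci, "new_peers": len(new_peers), "unanswered": unanswered,
                    "fpm": p["fpm"], "baseline_fpm": b["fpm"]}
    return out


def alarms(baseline=BASELINE, live=LIVE, threshold=100):
    """Sources whose concern index crosses the threshold, sorted for stable output."""
    return sorted(src for src, r in concern_index(baseline, live).items() if r["ci"] >= threshold)


if __name__ == "__main__":
    for src, r in concern_index(BASELINE, LIVE).items():
        print(f"{src:15} ci={r['ci']:4} new_peers={r['new_peers']:3} "
              f"unanswered={r['unanswered']:3} fpm={r['fpm']:.1f} (baseline {r['baseline_fpm']:.1f})")
    print("alarms:", alarms())
```

Note what the phone-bill view does and does not give you: the scanning host is obvious from peer count, port concentration and flow sizes alone, without a single packet payload, which is why this scales where full capture does not. The same blindness cuts the other way, though; a host that keeps talking to its usual peers at its usual rate while exfiltrating over an established channel scores zero here, and that case needs the SIM or IPS data the earlier slides cover.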
47
NBA
  • Pure-play NBA vendors: Arbor Networks, Narus,
    Mazu, Lancope, and Q1 Labs
  • Large enterprises generally require a pure-play
    NBA vendor
  • Trend: add identity (IP address to username)
  • There are some hybrid SIM/NBA vendors (limited)

48
Visualization of a Worm Outbreak (diagram only)
49
An Intrusion Prevention Grid: Tying it all
Together
50
Intrusion Prevention