Centralizing and Analyzing Security Events: Deploying Security Information Management Systems

Lynn Ray, Towson University

Copyright Lynn Ray, 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Reasons for Centralized Event Management

• Increasing diversity of security devices and protocols

• Multiple types of security events and threats

• Manual collection and analysis of events

• Need quick response to threats – zero day attacks

• Comply with audits

Threat Statistics (courtesy of Message Labs)

• 10 new worms are found each day
• Average 20 targeted attacks per day
• Increased use of ransomware
• Use of blended threats (spam and virus, spyware and Trojans, triple Trojans, etc.)
• Off-the-shelf virus kits

Security Information Management Defined

• Collaboration of security solutions and intelligent networking technologies
• Integrates a heterogeneous array of network devices and security products
• Builds pervasive security utilizing the existing security enterprise
– Monitors and collects event data
– Correlates and analyzes event data across the enterprise
– Compares against known threats
– Identifies threats and alerts
– Automatically locates and mitigates threats

How SIM Works

(Figure: the SIM processing pipeline, in three phases)

Raw Data: Raw Event Data → Collection and Filtering
Data Refinement: Data Normalization & Reduction → Event Aggregation & Coordination → Pattern Discovery → Prioritization
Action: Event Display & Report → Response & Mitigation
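The Raw Data and Data Refinement phases of that pipeline, as an added example written for this page (it is not code from the presentation, from Cisco MARS or from SNARE). Heterogeneous syslog lines are collected, normalized onto one common schema, informational noise is filtered out, and identical events are reduced to one aggregated record with a count and first/last-seen times. The log formats, host names, addresses and the category/severity vocabulary are all constructed and only loosely modelled on Cisco ASA syslog, SNARE-forwarded Windows events and Snort alerts.

```python
import re
from collections import OrderedDict

# Constructed sample input (not real logs): three source formats a SIM typically ingests.
RAW_EVENTS = [
    "Mar 10 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.1.10/22",
    "Mar 10 10:00:01 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4445 dst inside:10.1.1.10/22",
    "Mar 10 10:00:02 fw01 %ASA-6-302013: Built inbound TCP connection for outside:203.0.113.5/4446 to inside:10.1.1.10/80",
    "Mar 10 10:00:05 srv01 MSWinEventLog\t1\tSecurity\t529\tFailure Audit\tLogon/Logoff\tjsmith\t203.0.113.5",
    "Mar 10 10:00:06 srv01 MSWinEventLog\t1\tSecurity\t529\tFailure Audit\tLogon/Logoff\tjsmith\t203.0.113.5",
    "Mar 10 10:00:07 ids01 snort: [1:1000001:1] WEB-ATTACK buffer overflow attempt {TCP} 203.0.113.5:4446 -> 10.1.1.10:80",
    "Mar 10 10:00:09 fw01 %ASA-6-302014: Teardown TCP connection 12345",
]

# Collection: every line arrives over syslog, so timestamp and reporting host are common to all.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Source-specific parsers (constructed, simplified patterns).
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-\d+: (?P<action>Deny|Built) .*?"
                    r"(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ \w+ \w+:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+)")
WIN_RE = re.compile(r"MSWinEventLog\t\d+\t\w+\t(?P<eid>\d+)\t[^\t]+\t[^\t]+\t(?P<user>[^\t]+)\t(?P<src>[\d.]+)")
IDS_RE = re.compile(r"snort: \[[\d:]+\] (?P<sig>.+?) \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


def normalize(line):
    """Map one raw line onto the common event schema; None if the format is not recognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    base = {"ts": m.group("ts"), "sensor": m.group("host"),
            "src_ip": None, "dst_ip": None, "dst_port": None, "user": None}
    msg = m.group("msg")
    a = ASA_RE.search(msg)
    if a:
        deny = a.group("action") == "Deny"
        base.update(category="fw_deny" if deny else "fw_permit",
                    severity="medium" if deny else "info",
                    src_ip=a.group("src"), dst_ip=a.group("dst"), dst_port=int(a.group("dport")))
        return base
    w = WIN_RE.search(msg)
    if w:
        failed = w.group("eid") == "529"  # pre-Vista Windows "logon failure" event id
        base.update(category="logon_failure" if failed else "win_event",
                    severity="medium" if failed else "low",
                    src_ip=w.group("src"), dst_ip=m.group("host"),  # reporting host name; a real SIM would resolve it
                    user=w.group("user"))
        return base
    i = IDS_RE.search(msg)
    if i:
        base.update(category="ids_alert", severity="high", signature=i.group("sig"),
                    src_ip=i.group("src"), dst_ip=i.group("dst"), dst_port=int(i.group("dport")))
        return base
    return None


def run_pipeline(lines):
    """Collect -> filter -> normalize -> reduce.  Returns (aggregated events, stats)."""
    stats = {"raw": len(lines), "unparsed": 0, "filtered": 0, "aggregated": 0}
    buckets = OrderedDict()
    for line in lines:
        ev = normalize(line)
        if ev is None:
            stats["unparsed"] += 1        # keep a count so parser gaps are visible, not silent
            continue
        if ev["severity"] == "info":
            stats["filtered"] += 1        # reduction: informational permits/teardowns are dropped
            continue
        key = (ev["category"], ev["src_ip"], ev["dst_ip"], ev["dst_port"], ev["user"])
        if key in buckets:                # aggregation: identical tuples become one record
            buckets[key]["count"] += 1
            buckets[key]["last_seen"] = ev["ts"]
        else:
            buckets[key] = dict(ev, count=1, first_seen=ev["ts"], last_seen=ev["ts"])
    stats["aggregated"] = len(buckets)
    return list(buckets.values()), stats


if __name__ == "__main__":
    events, stats = run_pipeline(RAW_EVENTS)
    print(stats)
    for ev in events:
        print(ev["count"], ev["category"], ev["src_ip"], "->", ev["dst_ip"], ev["dst_port"], ev["user"])
```

Seven raw lines reduce to three aggregated records; the unparsed count is deliberately reported rather than swallowed, because a parser that silently drops a new log format is the most common way a SIM goes blind to a source.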

Drivers Behind SIM Adoption

• Financial discipline
– Managing operations effectively
– Employee efficiency
– Reduced administrative overhead
– ROI/business value of security
• Security effectiveness
– Operational risk
– Finances required to mitigate risk

Incident Response and Laws

• Incident response
– Many attack vectors
– Many different information sources
– Mitigation priority
• Federal laws
– FERPA – Family Educational Rights and Privacy Act
– HIPAA – Health Insurance Portability and Accountability Act
– GLBA – Gramm-Leach-Bliley Act

Compliance

• Policy-driven security management program
• Validation of security controls
• Risk management approach to information security
• Due diligence in application of internal controls
• Effective security incident management process
• Security event reporting
• Archiving and document preservation

Consideration Factors

• High cost ($100K or more)
• Difficult to implement and deploy
• Takes months to tune out false positives
• Requires specialized training to support

Monitoring Functionality

• Correlates, reduces and categorizes events
• Validates incidents

(Figure: data correlation. Inputs – Router Cfg., Firewall Log, Switch Cfg., Switch Log, Server Log, AV Alert, App Log, VA Scanner, Firewall Cfg., Netflow, NAT Cfg., IDS Event, ... – feed Correlation and Reduction (Sessions, Rules, Verify), which yields Valid Incidents; events that do not correlate are set aside as Isolated Events.)

Event Analysis

SureVector™ Analysis

1. Host A port scans Target X
2. Host A buffer overflow attacks X, where X is behind a NAT device and where X is vulnerable to the attack
3. Target X executes password attacks against Target Y, located downstream from the NAT device

(Figure: attack path Host A → Target X → Target Y)

SureVector™ Analysis
– Visible and accurate attack path
– Drill-down, full incident and raw event details
– Pinpoint the true sources of anomalous and attack behavior
– More complete and accurate story

“Response”

• Uses leveraged mitigation
• Uses control capabilities within your infrastructure
– Layer 2/3 attack path is clearly visible
– Mitigation enforcement devices are identified
– Exact mitigation command is provided
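The three-step incident from the Event Analysis slide and the enforcement-point identification from the Response slide, carried through as an added example (written for this page; it is not the presentation's code and not Cisco's SureVector implementation). Three rules are chained into one incident: a port scan, an IDS alert from the same source against the scanned host, and a burst of failed logons from that host against a third one. The point the slide makes about NAT is handled by resolving the victim's public address to its inside address before correlating, so events from the perimeter and from inside the NAT name the same asset; the incident is then verified against VA scanner findings. The events, NAT table, VA findings, thresholds and sensor names are constructed, and the mitigation text is a description, not a device command.

```python
from collections import defaultdict


def _ev(ts, category, src, dst, port, sensor, **extra):
    """Build one normalized event (ts in seconds for simplicity)."""
    return dict(ts=ts, category=category, src_ip=src, dst_ip=dst, dst_port=port, sensor=sensor, **extra)


# Constructed normalized events reproducing the three steps on the slide (not real data):
# Host A (203.0.113.5) scans X's public address, exploits it, and X (10.1.1.10 inside the NAT)
# then password-guesses Y (10.1.1.50).
EVENTS = (
    [_ev(100 + i, "fw_deny", "203.0.113.5", "198.51.100.20", p, "fw01")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443])]
    + [_ev(120, "ids_alert", "203.0.113.5", "198.51.100.20", 80, "ids01", signature="buffer overflow attempt")]
    + [_ev(200 + i, "logon_failure", "10.1.1.10", "10.1.1.50", 445, "srv02", user="administrator")
       for i in range(6)]
)
NAT_TABLE = {"198.51.100.20": "10.1.1.10"}        # static NAT, public -> inside (constructed)
VA_RESULTS = {"10.1.1.10": {"buffer overflow"}}   # VA scanner findings per inside host (constructed)

SCAN_MIN_PORTS = 5       # distinct ports from one source to one target ...
SCAN_WINDOW = 60         # ... within this many seconds
BRUTE_MIN_FAILURES = 5   # failed logons that count as a password attack


def canonical(ip):
    """Resolve a public (NATed) address to the inside host, so both sides of the NAT name the same asset."""
    return NAT_TABLE.get(ip, ip)


def find_port_scans(events):
    """Rule 1: one source touching >= SCAN_MIN_PORTS distinct ports on one target within SCAN_WINDOW."""
    by_pair = defaultdict(list)
    for e in events:
        if e["category"] == "fw_deny":
            by_pair[(e["src_ip"], canonical(e["dst_ip"]))].append(e)
    scans = {}
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        ports = {e["dst_port"] for e in evs if e["ts"] - evs[0]["ts"] <= SCAN_WINDOW}
        if len(ports) >= SCAN_MIN_PORTS:
            scans[(src, dst)] = {"ts": evs[0]["ts"], "ports": sorted(ports), "sensor": evs[0]["sensor"]}
    return scans


def find_exploits(events, scans):
    """Rule 2: an IDS alert from the scanning source against the scanned host, after the scan began."""
    hits = []
    for e in events:
        if e["category"] != "ids_alert":
            continue
        key = (e["src_ip"], canonical(e["dst_ip"]))
        if key in scans and e["ts"] >= scans[key]["ts"]:
            hits.append({"src": e["src_ip"], "victim": key[1], "ts": e["ts"],
                         "signature": e["signature"], "sensor": scans[key]["sensor"]})
    return hits


def find_lateral(events, exploit):
    """Rule 3: the exploited host then produces >= BRUTE_MIN_FAILURES failed logons against another host."""
    fails = defaultdict(list)
    for e in events:
        if (e["category"] == "logon_failure" and canonical(e["src_ip"]) == exploit["victim"]
                and e["ts"] > exploit["ts"]):
            fails[canonical(e["dst_ip"])].append(e)
    return [{"target": t, "attempts": len(v), "user": v[0].get("user")}
            for t, v in fails.items() if len(v) >= BRUTE_MIN_FAILURES]


def build_incidents(events, va=VA_RESULTS):
    """Chain the rules into incidents carrying the full attack path, verified against VA data."""
    scans = find_port_scans(events)
    incidents = []
    for ex in find_exploits(events, scans):
        lateral = find_lateral(events, ex)
        # Verify: the IDS signature is only confirmed if the scanner says the host is exposed to it.
        verified = any(tag in ex["signature"] for tag in va.get(ex["victim"], ()))
        public = next((pub for pub, priv in NAT_TABLE.items() if priv == ex["victim"]), None)
        victim_label = ex["victim"] if public is None else f"{public} (NAT -> {ex['victim']})"
        incidents.append({
            "path": [ex["src"], victim_label] + [l["target"] for l in lateral],
            "stages": ["port scan", "exploit attempt"] + (["password attack"] if lateral else []),
            "verified": verified,
            "priority": "high" if (verified or lateral) else "medium",
            # The device that saw the scan sits on the layer-3 path and is where a block would be enforced.
            "enforcement_point": ex["sensor"],
            "mitigation": f"block {ex['src']} at {ex['sensor']}",
        })
    return incidents


if __name__ == "__main__":
    for inc in build_incidents(EVENTS):
        print(inc["priority"], " -> ".join(inc["path"]), inc["stages"], "verified" if inc["verified"] else "unverified")
```

Without the NAT resolution the scan (seen against 198.51.100.20) and the password attack (seen from 10.1.1.10) would look like two unrelated hosts and the path would break at the NAT device; the verification step is what keeps an IDS signature against a host that is not actually exposed from being escalated on its own.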

Typical Compliance Report

Towson University SIM Deployment Results

Deployed Cisco MARS SIM device
– Communicates with multiple devices
– Collects syslog data from devices
– Utilizes intelligent agents to gather and correlate data from devices
– Provides automated reporting and resolution of threats
– Displays path of threats

How Does SIM Help?

• Greatly reduces false positives
• Defines effective mitigation responses
• Provides quick and easy access to audit compliance reports
• Ability to visualize the attack path
• Identifies the source of threats
• Makes precise recommendations for removal of threats

Monitors Diverse Environments

(Figure: MARS at the center, collecting from McAfee ePO, desktops, firewall, IDS, VPN, routers, switches, Unix and Windows servers, and wireless)

Intelligent Agents

• Used the free SNARE* agent for Windows server operating systems
– Deployed on all servers
– Pushes security events in real time to the SIM
– Minimal performance effect on the server
• Testing other SNARE agents
– Web service (Apache and IIS)
– Operating system (Unix, Linux)

*System Intrusion Analysis and Reporting Environment

Compliance and Reporting

• Survived state auditor
• Provide instant reports to auditors
• Established automated reports

– Track failed access, virus and worm threats, etc.

– Reduced level of daily log review

Recommendations

• Devise implementation strategy
– Identify devices from which security event data will be collected
– Consider open source and commercial products
– Demo and get opinions from support staff
– Identify storage requirements for data

• Integrate with incident handling procedures

Devise a Deployment Plan

• Set up a team composed of server admin, network and security staff
• Standardize collection of syslog data
• Use intelligent agents to collect data
• Monitor all network and computer systems – OS and Web
• Establish administration of the system
• Determine reports that will be useful and implement automated reporting

System Administration

• Device managed by security personnel
• Allow automated response to threats for better protection against threats
– Allow SIM admin access to all monitored devices
– Obtain cooperation from other support personnel (server admin, network, etc.)
• Tune out false positives
• Set up automated reporting, record keeping and incident handling

Event Reports

• Determine reports that will be useful and implement automated reporting
• SANS Institute recommends:
– Attempts to gain access through existing accounts
– Failed file or resource access attempts
– Unauthorized changes to users, groups and services
– Systems most vulnerable to attack
– Suspicious or unauthorized network traffic patterns
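The first four SANS-recommended reports, as an added example of automated reporting over normalized host events (written for this page; not the presentation's code and not a MARS report definition). Each report is a small function with an explicit threshold or cross-reference: failed logons are reported only above a per-account threshold, account/group/service changes are flagged when they carry no approved change ticket, and vulnerable systems are ranked by weighted VA findings. The fifth item, suspicious traffic patterns, comes from network-side correlation rather than host logs and is not covered here. The events, change tickets, VA findings, weights and host names are constructed.

```python
from collections import defaultdict

# Constructed: one day of normalized host events from a domain controller and three servers (not real data).
EVENTS = [
    {"ts": "08:01", "category": "logon_failure", "host": "srv01", "user": "jsmith", "src_ip": "10.1.1.77"},
    {"ts": "08:02", "category": "logon_failure", "host": "srv01", "user": "jsmith", "src_ip": "10.1.1.77"},
    {"ts": "08:02", "category": "logon_success", "host": "srv01", "user": "jsmith", "src_ip": "10.1.1.77"},
    *[{"ts": f"09:{i:02d}", "category": "logon_failure", "host": "srv02", "user": "administrator",
       "src_ip": "203.0.113.5"} for i in range(12)],
    {"ts": "10:15", "category": "file_access_denied", "host": "srv03", "user": "temp01",
     "object": r"\\srv03\finance\payroll.xls"},
    {"ts": "10:16", "category": "file_access_denied", "host": "srv03", "user": "temp01",
     "object": r"\\srv03\finance\budget.xls"},
    {"ts": "11:00", "category": "group_change", "host": "dc01", "user": "svc_backup",
     "object": "Domain Admins", "change_id": None},
    {"ts": "14:30", "category": "user_created", "host": "dc01", "user": "helpdesk1",
     "object": "newhire42", "change_id": "CHG-1041"},
    {"ts": "22:05", "category": "service_change", "host": "srv02", "user": "SYSTEM",
     "object": "RemoteRegistry start=auto", "change_id": None},
]
APPROVED_CHANGES = {"CHG-1041"}   # change tickets closed as approved (constructed)
VA_FINDINGS = {                   # open findings per host from the VA scanner (constructed)
    "srv02": {"high": 3, "medium": 4},
    "srv01": {"high": 0, "medium": 2},
    "dc01": {"high": 1, "medium": 0},
}
CHANGE_CATEGORIES = {"user_created", "user_deleted", "group_change", "service_change"}


def failed_access_report(events, threshold=5):
    """SANS item 1: attempts to gain access through existing accounts.
    Failed logons are grouped by (account, host, source) and only groups at or above the threshold
    are reported, so a user mistyping a password twice does not appear next to a guessing attack."""
    counts = defaultdict(int)
    for e in events:
        if e["category"] == "logon_failure":
            counts[(e["user"], e["host"], e["src_ip"])] += 1
    rows = [{"user": u, "host": h, "src_ip": s, "failures": n}
            for (u, h, s), n in counts.items() if n >= threshold]
    return sorted(rows, key=lambda r: -r["failures"])


def failed_resource_report(events):
    """SANS item 2: failed file or resource access attempts, listed per account and host."""
    objs = defaultdict(set)
    for e in events:
        if e["category"] == "file_access_denied":
            objs[(e["user"], e["host"])].add(e["object"])
    return [{"user": u, "host": h, "objects": sorted(o)} for (u, h), o in objs.items()]


def unauthorized_change_report(events, approved):
    """SANS item 3: changes to users, groups and services with no approved change ticket behind them."""
    return [e for e in events
            if e["category"] in CHANGE_CATEGORIES and e.get("change_id") not in approved]


def vulnerable_systems_report(findings, weights=None, top_n=3):
    """SANS item 4: rank systems by weighted open findings (weights are a constructed choice)."""
    weights = weights or {"high": 10, "medium": 3, "low": 1}
    scored = [(host, sum(weights.get(sev, 0) * n for sev, n in f.items())) for host, f in findings.items()]
    return sorted(scored, key=lambda x: -x[1])[:top_n]


def daily_report(events, approved, findings):
    """Assemble the four reports into one structure for the daily review."""
    return {
        "failed_access": failed_access_report(events),
        "failed_resource": failed_resource_report(events),
        "unauthorized_changes": unauthorized_change_report(events, approved),
        "most_vulnerable": vulnerable_systems_report(findings),
    }


if __name__ == "__main__":
    for name, rows in daily_report(EVENTS, APPROVED_CHANGES, VA_FINDINGS).items():
        print(name)
        for row in rows:
            print("   ", row)
```

The change-ticket cross-reference is the part worth copying: a group membership change on the domain controller and a service reconfiguration at 22:05 both surface because nobody approved them, while the help-desk account creation with an approved ticket stays out of the report.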

Incident Response

• Determine how you will respond to alerts
• Establish escalation procedures for handling suspected and confirmed intrusions
• Link steps to the incident handling plan
• Keep track of efforts and decisions

Compliance Verification

• Provided evidence of compliance to state and local policies

• Able to rapidly provide reports

Summary

In summary, SIM…
– Provides centralized network monitoring.
– Automatically pulls logs from multiple devices.
– Eliminates the need for manually intensive analysis.
– Eliminates the need to respond to threats manually.
– Provides reporting capabilities required for daily review by State & University audits and security guidelines.