Reducing False-Positives and False-Negatives in Security Event Data Using Context
Derek G. Shaw, August 2011
Overview of Security Monitoring
Reducing False-Positives and False-Negatives in Security Event Data Using Context—2—August 2011
Purpose of Security Monitoring
The purpose of security monitoring is to provide real-time, up-to-the-minute security awareness of current threats, risks, and compromises as accurately as possible.
Components of Security Monitoring
• Consoles (Analyst Desktop)
• Database
• Manager (Rules, Data Aggregation, Data Correlation, Reporting)
• Sensors
  • Intrusion Detection System
  • Log Servers
  • Network Flows
  • Vulnerability Scanners
The False Problem With Security Monitoring
• False-positives: normal or expected behavior that is identified as anomalous or malicious
• False-negatives: conditions that should be identified as anomalous or malicious but are not
Why So Many False-Positives, and Who Knows How Many False-Negatives
• While some false-positives and false-negatives will always occur, a good portion can be attributed to a lack of knowledge about the environment being monitored
• Knowledge about the environment is often not kept up-to-date, nor kept historically accurate (what an address or account meant at the time of the event)
So, how do you reduce the rate of both false-positives and false-negatives?
Context
What is Context
Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one’s environment.
Traditional Security Event Data
Traditional Network Flow Event Data
Start Time           End Time             Source Address  Source Port  Direction
2011-01-01 12:30:04  2011-01-01 12:30:34  192.168.1.1     12525        ->

Destination Address  Destination Port  IP Protocol  Duration  Flags
10.0.1.1             80                TCP          30        E

Source Packets  Destination Packets  Source Bytes  Destination Bytes
5               53                   384           12453

Note: 192.168.0.0/16 - Corporate Network
Traditional IDS Event Data
Detection Time       Alert                     Source Address  Source Port
2011-01-01 12:30:04  MS SQL Injection Attempt  10.0.2.1        12525

Destination Address  Destination Port  IP Protocol
192.168.2.1          1443              TCP

Note: 192.168.0.0/16 - Corporate Network
Traditional Syslog Event Data
Date   Time      Host           Process  PID
Jan 1  13:54:12  192.168.24.33  SUDO     34456

Message
jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash

Note: 192.168.0.0/16 - Corporate Network
Traditional Security Event Data with Context Added
Network Flow Event Data with Context
Start Time           End Time             Source Address  Source Port  Source Network
2011-01-01 12:30:04  2011-01-01 12:30:34  192.168.1.1     12525        Unused - 192.168.1.0-192.168.1.255

Direction  Destination Address  Destination Port  Destination Network  IP Protocol
->         10.0.1.1             80                China                TCP

Duration  Flags  Source Packets  Destination Packets  Source Bytes  Destination Bytes
30        E      5               53                   384           12453

Alert                                      Asset Tags
Destination Address on Malware Watch List  Unknown

Note: 192.168.0.0/16 - Corporate Network
IDS Event Data with Context
Detection Time       Alert                     Source Address  Source Port  Source Network
2011-01-01 12:30:04  MS SQL Injection Attempt  10.2.3.1        12525        Brazil

Destination Address  Destination Port  Destination Network                              IP Protocol
192.168.127.22       1443              Printer Network - 192.168.127.0-192.168.127.255  TCP

Asset Tags
Printer, No-Internet

Note: 192.168.0.0/16 - Corporate Network
Syslog Event Data with Context
Date   Time      Host           Host Network                             Process  PID
Jan 1  13:54:12  192.168.24.33  Financial - 192.168.24.0-192.168.24.255  SUDO     34456

Message
jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash

Asset                             Alert                                 User Info
Linux, Financial, DB, Restricted  User not authorized for SUDO on host  John Doe, Mail Room Staff

Note: 192.168.0.0/16 - Corporate Network
Types of Network Context
• Access tags (Internal, Private, External, No-Internet)
• Dark space tags for unused IP space
• Subnet descriptions
Types of Asset Context
• Business Role Tags (Financial, HR, Printers)
• Operating System
• Software Category Tags (Apache, BIND, MySQL)
• System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)
Types of User Context
• Real Name
• Working group (Mail Room, Control Room, Networking Group)
• List of accounts
• List of privileged access accounts
How Context is Implemented
Context Data Sources
• Memory-resident key/value data stores
• Contain data about assets, networks, and users
• Continually updated by data mining scripts
Context Preprocessor
• Sits between the sensors and security monitoring system manager
• Queries the context data sources in real-time based on IP addresses or user names
• Appends any context data available to event data record
Important Things to Remember
• For context to be effective, it must be current.
• For events to be accurately reflected in your environment, context cannot be looked up on-demand in the manager. Context for a given event must be recorded once, when the event is processed, and not changed afterwards.
• Looking context up on-demand in the manager may turn an alert into a false-negative: if the context has changed since the event occurred (an unused subnet is allocated, a user is granted access), the event is judged against context that did not apply at the time.
Advantages of Context
• Adds additional data and information to the event record that the sensor does not have.
• Updates to context data sources can be automated and dynamic.
Advantages of Context (cont.)
• Changes to your environment can be reflected by updating the context data, requiring fewer changes to security monitoring rules and filters
• Security monitoring rules and filters can be written against context tags. This eliminates or reduces the need to create filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.
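The following Python script is an added example, not part of the original deck, that ties together the preceding slides: the memory-resident context data sources, the context preprocessor that appends context to each event, the rule that context is recorded once rather than looked up on-demand, and rules written against tags instead of address lists. The three events, the network/asset/user stores, the malware watch list and the `sudo_users` field on each asset are all constructed to mirror the slide examples (the 10.x addresses labeled China and Brazil are stand-ins, as on the slides); the rule logic and `snapshot_demo` are the editor's illustration, not the author's implementation.

```python
import copy
import ipaddress

# Context data sources: memory-resident key/value stores for networks, assets
# and users. Every entry below is constructed to mirror the slide examples;
# in production, data-mining scripts would refresh these continually.
NETWORKS = {  # CIDR -> description and access/dark-space tags
    "192.168.0.0/16":   {"name": "Corporate Network", "tags": {"Internal"}},
    "192.168.1.0/24":   {"name": "Unused",            "tags": {"Internal", "Dark-Space"}},
    "192.168.24.0/24":  {"name": "Financial",         "tags": {"Internal", "Private"}},
    "192.168.127.0/24": {"name": "Printer Network",   "tags": {"Internal", "No-Internet"}},
    # Stand-ins for the external ranges the slides label China and Brazil.
    "10.0.0.0/16":      {"name": "China",             "tags": {"External"}},
    "10.2.0.0/16":      {"name": "Brazil",            "tags": {"External"}},
}
ASSETS = {  # IP -> asset tags and a hypothetical list of accounts allowed to sudo
    "192.168.24.33":  {"tags": {"Linux", "Financial", "DB", "Restricted"}, "sudo_users": {"dbadmin"}},
    "192.168.127.22": {"tags": {"Printer", "No-Internet"}, "sudo_users": set()},
}
USERS = {"jdoe": {"real_name": "John Doe", "group": "Mail Room Staff"}}
MALWARE_WATCHLIST = {"10.0.1.1"}  # constructed watch list, not a real indicator

# Constructed events, one per sensor type shown on the traditional-data slides.
FLOW = {"type": "flow", "src": "192.168.1.1", "sport": 12525,
        "dst": "10.0.1.1", "dport": 80, "proto": "TCP"}
IDS = {"type": "ids", "alert": "MS SQL Injection Attempt",
       "src": "10.2.3.1", "sport": 12525, "dst": "192.168.127.22", "dport": 1443}
SYSLOG = {"type": "syslog", "host": "192.168.24.33", "process": "SUDO", "pid": 34456,
          "user": "jdoe", "command": "/bin/bash"}


def lookup_network(ip):
    """Longest-prefix match of ip against NETWORKS; unmatched space is External."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, info in NETWORKS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else {"name": "Unknown", "tags": {"External"}}


def enrich(event):
    """Context preprocessor: look up every address and user name in the event
    and append the matching context to the record.

    The record is deep-copied so it is a snapshot of the context as it was at
    processing time; later updates to the stores do not rewrite it.
    """
    rec = dict(event)
    for side in ("src", "dst", "host"):
        ip = event.get(side)
        if ip:
            rec[side + "_network"] = lookup_network(ip)
            rec[side + "_asset"] = ASSETS.get(ip, {"tags": {"Unknown"}, "sudo_users": set()})
    if "user" in event:
        rec["user_info"] = USERS.get(event["user"], {"real_name": "Unknown", "group": "Unknown"})
    return copy.deepcopy(rec)


def evaluate(rec):
    """Rules keyed on context tags rather than on lists of addresses."""
    alerts = []
    if "Dark-Space" in rec.get("src_network", {}).get("tags", set()):
        alerts.append("Source address in unused (dark) space")
    if rec.get("dst") in MALWARE_WATCHLIST:
        alerts.append("Destination Address on Malware Watch List")
    for a, b in (("src", "dst"), ("dst", "src")):
        a_tags = (rec.get(a + "_asset", {}).get("tags", set())
                  | rec.get(a + "_network", {}).get("tags", set()))
        if "No-Internet" in a_tags and "External" in rec.get(b + "_network", {}).get("tags", set()):
            alerts.append("No-Internet asset talking to external address")
            break
    if rec.get("process", "").lower() == "sudo":
        if rec.get("user") not in rec.get("host_asset", {}).get("sudo_users", set()):
            alerts.append("User not authorized for SUDO on host")
    return alerts


def snapshot_demo():
    """Why context is recorded once: after the unused /24 is allocated to a lab
    and the store updated, the stored record still alerts on dark space, while
    an on-demand lookup against current context silently drops that alert."""
    stored = enrich(FLOW)
    saved = NETWORKS["192.168.1.0/24"]
    NETWORKS["192.168.1.0/24"] = {"name": "Build Lab", "tags": {"Internal"}}
    try:
        on_demand = enrich(FLOW)
    finally:
        NETWORKS["192.168.1.0/24"] = saved
    return evaluate(stored), evaluate(on_demand)


if __name__ == "__main__":
    for ev in (FLOW, IDS, SYSLOG):
        print(ev["type"], evaluate(enrich(ev)))
    print("stored vs on-demand:", snapshot_demo())
```

Run as a script it prints the alerts for each of the three events and then the pair of results from `snapshot_demo`: the record enriched at ingest keeps both the dark-space and watch-list alerts, while re-enriching the same event after the subnet was reassigned produces only the watch-list alert, which is the false-negative the "Important Things to Remember" slide warns about. Longest-prefix matching is what lets the broad Corporate Network entry coexist with narrower dark-space and business-role subnets; in production the stores would be refreshed by the data-mining scripts rather than hard-coded.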
Disadvantages of Context
• Requires analysts to understand the IT infrastructure
• Requires constant upkeep to stay relevant
• Extra process in the security monitoring workflow
Questions? Comments?