Open service risk correlation
White Paper
making network security secure

Risk Based Correlation vs. Rule Based Correlation

OpenService, Inc., 100 Nickerson Road, Suite 100, Marlborough, MA 01752
800.892.3646  508.597.5300  info@openservice.com  www.openservice.com
Contents

1.0. About OpenService, Inc.
2.0. Accuracy
3.0. Total Cost of Ownership
4.0. Efficiency
5.0. Event Order and Timing
6.0. Conclusions
7.0. Finite-State Engine
1.0. About OpenService, Inc.

OpenService, Inc. (Open) helps global enterprises and government organizations turn deployed security systems into effective enterprise protection. OpenService offers integrated security information management and network fault correlation applications that intelligently link events from multiple sources to accurately pull the threat signal from the event noise using real-time root cause analysis.

Founded in the early 1990's as an IT consultancy, OpenService produced technologies which developed into the expertise and products to collect, manage and correlate large amounts of real-time data from disparate sources. Well funded and with a growing track record of successful security information management implementations, our customers include Sonnenschein et al., Ace Hardware, Raytheon and Visa. OpenService led the enterprise security information management market with public customer success stories during the first half of 2004, a testament to our values, approach and technology. Investors include Advent International, one of the world's leading venture capital firms, who led an $8 million 'C' round in November 2003.

Unlike security information management toolkits that can be expensive and time-consuming to deploy and maintain, OpenService's software applications deploy in days, not months, and provide a blended view of security and network metrics to effectively manage threats and meet legislative standards compliance. Our security event management and network fault correlation technologies are based on proven software solutions that have stood the test of time in major corporations. OpenService's track record of innovation shows how these trusted technologies deliver the confidence that enterprise network security managers seek.

  • Eight patents already granted on Security Threat Manager (STM) components.
  • First Security Information Management vendor to be certified as "Nokia OK".
  • Only vendor to deliver multiple published customer successes in 2004.
  • First security event correlation product that detects threats before they become exploits.
  • First SIM / SEM vendor to provide business security intelligence capabilities.
  • First SIM product to deliver security operations business performance metrics.

Our continued innovation and leadership extends to relationships with leading enterprise IT vendors such as Check Point, Hewlett-Packard, Micromuse and Akamai. For more information visit OpenService online at www.openservice.com or email us at info@openservice.com
2.0. Accuracy

There are certain cases of known exploits, but in general, no system is able to provide perfect intrusion detection. Merely examining n events over some period of time cannot conclusively determine that a device has been exploited. Underlying IDS systems, even when tuned, are notorious for reporting false positives. How, then, can a rule system, relying exclusively on these types of inputs to make decisions, be accurate in its assessments?

The risk based approach relies on the preponderance of evidence across an enterprise when making an assessment. Numerous factors are considered in the process, including the type of event, the topological location of the event, and various attacker and target characteristics, each of which may increase or decrease the impact a single event has on the overall risk score of a device. Unlike a rules engine, the risk based approach does not rely on fuzzy inference, but on an educated and accurate assessment of the situation across an enterprise.

3.0. Total Cost of Ownership

According to CERT, roughly 4,000 new vulnerabilities are discovered every year. That's 10 per day, including weekends. Many of these vulnerabilities include multiple attack vectors and, therefore, require multiple rules to detect. Writing loose, generic rules will likely lead to many false positives, while writing tight, concise rules (if it is even possible for a given vector) is extremely time consuming, given the volume. Additionally, the rules engine owner must make a substantial investment in developing expertise in the rules entry system. Easy to use, GUI based systems tend to be limited in the flexibility of rule creation, while those with actual embedded scripting language processors require the security staff to spend countless hours developing code, rather than mitigating risks. The system becomes only as effective as the creativity of the rule writer.

Risk based systems focus mainly on the assets and their position in the network topology. As new threats emerge, the assets remain constant and no system tuning or additional programming is required. Instead, signature updates are received by the system so that new threats can be incorporated into risk calculations. The algorithms themselves have been developed over a period of months by subject matter experts and have remained unchanged since their inception. The rules system requires continual maintenance, while the risk algorithms have stood the test of time.

4.0. Efficiency

Many rules engines implement a variant of the Rete algorithm for rules processing, which continually applies a series of "if-then" conditionals against a data set. This algorithm, while effective for expert systems, isn't as efficient for the characteristics of security event processing. The implementation of the Rete algorithm calls for a memory of recently tested data sets to be maintained so that they may be skipped on future iterations of the rule set if the data set they represent has not changed. Unfortunately, the characteristics of an active network don't cleanly fit this model, as high value targets generally remain under constant assault. As more targets are constantly under monitoring, the expected efficiencies are not realized. To mitigate this problem, constraints are applied to the system, including dropping partially matched rules with time or keeping the data sets on a slower, secondary storage medium (i.e., a database), reducing the effectiveness of the system.

Furthermore, it is recognized that static implementations of data processing algorithms, such as the risk based system, are more able to optimize both speed and memory consumption than rules based implementations.

Risk Based Correlation - Unconstrained by Sliding Windows

The first event initiates a Correlation Instance. The instance immediately calculates a Risk Score for this first event, compares that score to a Risk Threshold and issues an alarm if the threshold is crossed. A single alert sounds and rises in priority as events increase. The user is not overwhelmed with alerts.

[Illustration: how the Alarm Priority changes over time.]

Rules Based Correlation - Limited by a Sliding Window

The company presets the number of events and the detection window size. This example shows a rule of 5 events occurring within a 20 second window. A single alarm sounds for every rule that is met. The user can find himself inundated with alarms, not knowing which to check first.

[Illustration: Sliding Window - 20 seconds in duration.]
5.0. Event Order and Timing

To remain efficient, rule based systems must be sensitive to the timing and ordering of events. This problem becomes particularly difficult in a distributed environment, as events arrive at various times due to network latency and various scheduling issues. Now, recognize the possibility of evasion an attacker can enjoy who introduces a slight variation in the attack vector, events generated out of order, or a timing delay. How can you assume the attack will follow a set script during an exploit? If the script is reduced to a single guaranteed recognizable event, then there is no correlation at all and the system is effectively reduced to an IDS. The rules based system becomes a slave to its own rules.

As already mentioned, in a risk based system each event is considered in its own context as a score for that event is determined. In this case, the score is the same whether the event comes before or after another event or happens to be delayed for some reason. The risk based system relies on the data accumulated by its algorithm to develop a complete picture of the risk associated with a device and, therefore, the importance of precise timing and ordering of events in these algorithms is reduced.

6.0. Conclusions

If rules based processing is so inferior, why does it appear so popular? Most people can easily conceive of a simple rule to detect some condition and perform some action. Developing and optimizing a risk algorithm is not trivial. However, managing a rule based system does not stop at developing a few rules, but instead involves managing and maintaining hundreds of rules, combinations of rules, and a variety of actions associated with them.

7.0. Finite-State Engine

As an added benefit, using a finite-state engine in conjunction with the risk algorithms enhances the effectiveness. A rule is time bound by nature: a combination of events meeting some criteria, in some period of time. This can lead to false negatives when the criteria for the rule are met, but not within the time window (sliding window). Additionally, rules processing mostly takes place on events that have already been inserted into a database. Using the database for correlation is inherently inefficient, as the database is processing continuous inserts while at the same time trying to process the rules queries. By using finite-state, in-memory processing there is no time bound "sliding window" constraint, nor is the inefficiency of a database method a factor.
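The two correlation models contrasted in sections 2.0 and 4.0 through 7.0 (a rule of 5 events within a 20 second sliding window versus a per-device risk score that accumulates context-weighted event scores in memory, is compared to a threshold, and does not depend on event order) can be compared in a small simulation. The Python below is an added example written for this page; it is not OpenService's code or algorithm. The event fields, the severity and asset-value weights, the 10-point threshold, and the three event streams are all constructed assumptions chosen to exercise the false negative (slow scan), the order-independence (shuffled arrival) and the asset-weighting (burst against a low-value host) cases the paper describes.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float                  # timestamp in seconds (constructed)
    target: str               # device the event concerns
    kind: str                 # event type as reported by the sensor
    hostile_src: bool = False  # assumed attacker characteristic

# Assumed weights for the example (not the paper's algorithm): event type
# severity and asset value / topological position of the target.
SEVERITY = {"scan": 1.0, "login_failure": 2.0, "exploit_attempt": 4.0}
ASSET_VALUE = {"dmz-web-01": 3.0, "corp-ws-17": 1.0}


class SlidingWindowRule:
    """Rule-based correlation: alarm whenever at least `count` events hit one
    target inside a `window`-second sliding window (the paper's 5-in-20s rule).
    Timestamps are kept in arrival order, so out-of-order delivery changes
    what the window sees."""

    def __init__(self, count=5, window=20.0):
        self.count, self.window = count, window
        self.times = {}  # target -> deque of timestamps still in the window

    def feed(self, ev):
        q = self.times.setdefault(ev.target, deque())
        q.append(ev.t)
        # Expire entries older than the window relative to the newest event.
        while q and ev.t - q[0] > self.window:
            q.popleft()
        return len(q) >= self.count  # True if this event satisfied the rule


class RiskCorrelator:
    """Risk-based correlation: each event adds a context-weighted score to its
    target's running total. One alarm is raised when the total first crosses
    the threshold; afterwards the total itself acts as the alarm priority."""

    def __init__(self, threshold=10.0):
        self.threshold = threshold
        self.score = {}      # target -> running risk score (in memory)
        self.alarmed = set()  # targets that already have an open alarm

    @staticmethod
    def event_score(ev):
        # Score depends only on the event and its context, never on order.
        s = SEVERITY.get(ev.kind, 1.0) * ASSET_VALUE.get(ev.target, 1.0)
        return s * 1.5 if ev.hostile_src else s

    def feed(self, ev):
        s = self.score.get(ev.target, 0.0) + self.event_score(ev)
        self.score[ev.target] = s
        new_alarm = s >= self.threshold and ev.target not in self.alarmed
        if new_alarm:
            self.alarmed.add(ev.target)
        return s, new_alarm


def correlate(events):
    """Run both engines over events in arrival order; report every rule
    alarm, the single risk alarm per device, and the final risk scores."""
    rule, risk = SlidingWindowRule(), RiskCorrelator()
    rule_alarms, risk_alarms = [], []
    for ev in events:
        if rule.feed(ev):
            rule_alarms.append((ev.target, ev.t))
        score, fired = risk.feed(ev)
        if fired:
            risk_alarms.append((ev.target, ev.t, score))
    return {"rule": rule_alarms, "risk": risk_alarms, "scores": dict(risk.score)}


# Constructed event streams.
def slow_scan(target="dmz-web-01"):
    # Five scans six seconds apart: never five inside one 20 s window.
    return [Event(t, target, "scan") for t in (0, 6, 12, 18, 24)]


def burst(target="corp-ws-17"):
    # Five scans within four seconds against a low-value workstation.
    return [Event(t, target, "scan") for t in (0, 1, 2, 3, 4)]


def shuffled(events):
    # The same events delivered out of order, as network latency might.
    return [events[i] for i in (0, 2, 1, 4, 3)]


if __name__ == "__main__":
    for name, evs in (("slow scan", slow_scan()),
                      ("slow scan, shuffled", shuffled(slow_scan())),
                      ("burst on workstation", burst())):
        print(name, correlate(evs))
```

With these assumptions the slow scan never satisfies the 5-in-20s rule (a false negative of the kind section 7.0 describes) while the risk score crosses the threshold on the fourth scan; delivering the same scans out of order leaves the final risk score unchanged; and a burst against the low-value workstation trips the rule but stays below the risk threshold because the asset weight damps each event's contribution.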