Benefits of Visualization
• Reduce analysis and response times — quickly visualize thousands of events
• Facilitate communication — graphs are easier to understand than textual events
• Make better decisions — situational awareness; visualize status of business posture; visual display of the most important properties
• Detect the Expected & Discover the Unexpected
• Reporting — visually identify patterns and outliers
The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
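The graph configuration described above (destination address and target port as the two node types, one colour per node type) can be reproduced from raw events with a few lines of Python that emit Graphviz DOT, which is the same output model AfterGlow uses. The following is an added example, not AfterGlow's or ArcSight's own code; the events are constructed, and the `contiguous_port_runs` check is an added heuristic for the caveat in the caption (a run of consecutive destination ports is either a port scan or a device reporting source ports in the destination-port field), not something the original graph computes.

```python
"""Two-node-type event graph (destination address -> destination port) as DOT,
plus a check for runs of contiguous destination ports per address.
Added example; not AfterGlow's own code."""
from collections import defaultdict

# Constructed sample events: (source_ip, destination_ip, destination_port)
EVENTS = [
    ("10.0.0.5", "192.0.2.10", 80),
    ("10.0.0.5", "192.0.2.10", 443),
    ("10.0.0.7", "192.0.2.20", 1025),
    ("10.0.0.7", "192.0.2.20", 1026),
    ("10.0.0.7", "192.0.2.20", 1027),
    ("10.0.0.7", "192.0.2.20", 1028),
    ("10.0.0.9", "192.0.2.20", 22),
]


def build_edges(events):
    """Distinct (dst_ip, dst_port) edges. The source is dropped because this
    view only relates destination addresses to target ports."""
    return sorted({(dst, port) for _, dst, port in events})


def to_dot(events):
    """Emit DOT: address nodes green, port nodes white (as in the caption)."""
    edges = build_edges(events)
    addrs = sorted({d for d, _ in edges})
    ports = sorted({p for _, p in edges})
    lines = ["graph events {", "  node [shape=ellipse, style=filled];"]
    for a in addrs:
        lines.append(f'  "{a}" [fillcolor=green];')
    for p in ports:
        # prefix the node id so a port never collides with an address label
        lines.append(f'  "port:{p}" [fillcolor=white, label="{p}"];')
    for a, p in edges:
        lines.append(f'  "{a}" -- "port:{p}";')
    lines.append("}")
    return "\n".join(lines)


def contiguous_port_runs(events, min_len=3):
    """Return {dst_ip: [(first_port, last_port), ...]} for every run of at
    least min_len consecutive destination ports seen against one address.
    Such runs are the visual signature the caption warns about."""
    by_dst = defaultdict(set)
    for _, dst, port in events:
        by_dst[dst].add(port)
    runs = {}
    for dst, ports in by_dst.items():
        ordered = sorted(ports)
        start = prev = ordered[0]
        found = []
        for p in ordered[1:] + [None]:       # None terminates the last run
            if p is not None and p == prev + 1:
                prev = p
                continue
            if prev - start + 1 >= min_len:
                found.append((start, prev))
            if p is not None:
                start = prev = p
        if found:
            runs[dst] = found
    return runs


if __name__ == "__main__":
    print(to_dot(EVENTS))          # pipe into `dot -Tpng` to render
    print(contiguous_port_runs(EVENTS))
```

Render with `python3 graph.py | dot -Tpng -o events.png`. Before trusting a contiguous run as a scan, compare it against the device's own source-port field: if the same numbers appear there, the device is reporting source ports as destination ports, as the caption suggests.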
Disclaimer: IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance to well-known addresses or host names is purely coincidental.
Who Am I? ● Raffael Marty, GCIA, CISSP ● Strategic Application Solutions @ ArcSight, Inc. ● Intrusion Detection Research @ IBM Research ● IT Security Consultant @ PriceWaterhouse Coopers ● Open Vulnerability and Assessment Language (OVAL) board member ● Speaker at Various Security Conferences ● Passion for Visual Security Event Analysis see http://afterglow.sourceforge.net
A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Reduce Analysis and Response Times
Make Better Decisions
Typical Security Monitoring Challenges
• Complexity — “How can I manage this flood of data?”
• Accuracy — “I wish I could see prioritized and relevant information!”
• Efficiency — “How can we prioritize and communicate efficiently?”
• Reporting — “How can I demonstrate compliance?”
… and do it all cost effectively
The Needle in the Haystack
(Funnel figure; only the labels are recoverable from the image.)
Volume of security information / events, from the top of the funnel down: tens of millions per day → millions per day → less than 1 million per month → a few thousand per month.
Use cases along the side of the funnel: Defense in Depth, Insider Threat, Compliance.
Event classes named in the funnel: raw events, audit trail, normal activity, potential violations, failed attacks, false alarms, identified vulnerabilities, pre-attacks, policy violations, attack information, misuse, verified breaches.
Data Analysis Components
• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
 — Rule-based Correlation
 — Statistical Correlation
• Intelligence / Advanced Analytics
 — Pattern Detection
Event Normalization and Categorization
Normalization maps device-specific fields onto a common schema; categorization assigns each normalized event a device-independent category.
Sample Raw PIX Events:
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:22.214.171.124/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:126.96.36.199/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:188.8.131.52/80 (184.108.40.206/80) to isp:10.50.107.51/1967 (220.127.116.11/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 18.104.22.168/443 flags FIN ACK on interface outside
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 22.214.171.124/443 flags FIN ACK on interface outside
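What normalization and categorization mean in practice for the PIX lines above is easiest to see in code. The parser below is an added example, not ArcSight's normalizer: it splits the syslog header from the message body, applies a per-message-id body pattern to pull out protocol and endpoints, and attaches a category. The three-level category names (`Firewall/Access/Deny` and so on) are an assumed taxonomy; the sample lines are constructed copies of the slide's events.

```python
"""Normalize Cisco PIX syslog lines into a common schema and categorize them.
Added example; the category taxonomy is an assumption, not ArcSight's."""
import re
from datetime import datetime

# Constructed sample events, modelled on the PIX lines shown on the slide
RAW = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:22.214.171.124/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:126.96.36.199/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:188.8.131.52/80 (184.108.40.206/80) to isp:10.50.107.51/1967 (220.127.116.11/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 18.104.22.168/443 flags FIN ACK on interface outside",
]

# Header common to every PIX message: timestamp, severity digit, six-digit message id
HEADER = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# An endpoint: optional "interface:" prefix, then ip/port; {n} becomes s or d
EP = r"(?:[\w-]+:)?(?P<{n}ip>\d+\.\d+\.\d+\.\d+)/(?P<{n}port>\d+)"
# One body pattern per message id; unknown ids fall through with header fields only
BODY = {
    "106011": re.compile(r"Deny inbound \(No xlate\) (?P<proto>\w+) src " + EP.format(n="s") + r" dst " + EP.format(n="d")),
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from " + EP.format(n="s") + r" to " + EP.format(n="d")),
    "302013": re.compile(r"Built (?P<dir>\w+) (?P<proto>\w+) connection \d+ for " + EP.format(n="s") + r" \([^)]*\) to " + EP.format(n="d")),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from " + EP.format(n="s") + r" to " + EP.format(n="d")),
}
# Assumed category taxonomy (device-independent): what happened, not how PIX said it
CATEGORY = {
    "106011": ("Firewall", "Access", "Deny"),
    "106015": ("Firewall", "Access", "Deny"),
    "302013": ("Firewall", "Access", "Allow"),
    "305011": ("Firewall", "NAT", "Translation"),
}


def normalize(line):
    """Return a normalized dict, or None if the line is not a PIX message.
    Messages with an unknown id keep the header fields and get an
    'Unparsed' category so they are never silently dropped."""
    m = HEADER.match(line)
    if not m:
        return None
    msgid = m["msgid"]
    rec = {
        "time": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "severity": int(m["sev"]),          # PIX: 0 = emergency ... 7 = debug
        "message_id": msgid,
        "category": "/".join(CATEGORY.get(msgid, ("Firewall", "Unknown", "Unparsed"))),
        "raw": line,
    }
    pat = BODY.get(msgid)
    b = pat.search(m["body"]) if pat else None
    if b:
        rec.update(
            protocol=b["proto"].lower(),
            src_ip=b["sip"], src_port=int(b["sport"]),
            dst_ip=b["dip"], dst_port=int(b["dport"]),
        )
    return rec


def normalize_all(lines):
    """Normalize a batch, discarding lines that are not PIX messages."""
    return [r for r in (normalize(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in normalize_all(RAW):
        print(rec["category"], rec.get("src_ip"), "->", rec.get("dst_ip"), rec.get("dst_port"))
```

Note that for 302013 the endpoint after `for` is the connection's source and the one after `to` is its destination, and the parenthesized pairs are the translated (NAT) addresses; the parser keeps the real endpoints and skips the mapped ones, which is the choice that makes the later address-to-port graphs consistent with the 106011/106015 deny lines.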
Risk-based Prioritization
(Architecture figure; labels recovered from the image.)
Inputs: Vulnerability Scanner Agent (Vulnerability Information); Asset Information Agent (Asset Criticality); Security Device Agents for Unix/Linux/AIX/Solaris, Windows systems, Mainframe & Apps, Databases (Security Device Events, each with a device Severity).
Processing: events flow through the Collector into the Security Model, which combines Severity, Relevance (does the attack apply to this target?), Asset Criticality and Model Confidence.
Output: Prioritized Event.
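The figure names the four factors that turn a device severity into a priority (severity, relevance, asset criticality, model confidence) but not how they are combined. The following is an added example of one way to combine them; it is not ArcSight's scoring model. The scales, the weights in `priority`, and the vulnerability identifiers such as `VULN-A` are all assumptions, and the asset table and events are constructed. What it demonstrates is the effect the slide is after: two events with the same raw severity receive very different priorities depending on whether the target actually has the vulnerability and how critical it is.

```python
"""Risk-based prioritization of normalized events using vulnerability and
asset information. Added example; weights and scales are assumptions."""

# Scales (assumptions): severity 0..10 (normalized from the device),
# relevance 0..10, asset criticality 0..5, model confidence 0..1.

# Constructed asset table, as an asset-information agent would populate it
ASSETS = {
    "10.0.0.2": {"criticality": 5, "os": "Windows", "vulns": {"VULN-A"}},
    "10.0.0.3": {"criticality": 2, "os": "Linux", "vulns": set()},
}

# Constructed events: same device severity, different targets
E_VULNERABLE_TARGET = {"dst_ip": "10.0.0.2", "severity": 8,
                       "target_vulns": {"VULN-A"}, "target_os": "Windows"}
E_IMMUNE_TARGET = {"dst_ip": "10.0.0.3", "severity": 8,
                   "target_vulns": {"VULN-A"}, "target_os": "Windows"}
E_UNKNOWN_TARGET = {"dst_ip": "10.0.0.9", "severity": 8}


def relevance(event, asset):
    """0..10: does this attack apply to the target?
    Uses the scanner's vulnerability list and the asset's OS."""
    if asset is None:
        return 5            # unknown asset: neither boost nor discard
    targets = event.get("target_vulns", set())
    if not targets:
        return 5            # generic event, no vulnerability to match
    if targets & asset["vulns"]:
        return 10           # target is known to be vulnerable
    if event.get("target_os") and event["target_os"] != asset["os"]:
        return 0            # exploit for another OS entirely
    return 2                # right OS, vulnerability not found by scanner


def priority(event, assets=ASSETS):
    """Weighted 0..10 priority (weights are an assumption)."""
    asset = assets.get(event["dst_ip"])
    crit = asset["criticality"] if asset else 3     # unknown asset: medium
    rel = relevance(event, asset)
    conf = event.get("model_confidence", 1.0)       # from the sensor/model
    score = (0.4 * event["severity"] + 0.3 * rel + 0.3 * crit * 2) * conf
    return round(min(score, 10), 1)


if __name__ == "__main__":
    for name, e in [("vulnerable", E_VULNERABLE_TARGET),
                    ("immune", E_IMMUNE_TARGET), ("unknown", E_UNKNOWN_TARGET)]:
        print(name, priority(e))
```

The "unknown target" branch matters operationally: an asset that the scanner and inventory do not know about should land in the middle of the queue rather than at the bottom, otherwise the first thing an attacker gains from a rogue host is lower priority in the console.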
Event Correlation
• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules, or analyze statistical properties of event streams
 — Across devices
 — Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
 — Can use priorities of individual events
Four Types of Real-time Correlation
• Simple Event Match
 — Input: failed logins on UNIX systems, failed logins on Windows systems
 — Condition: 5 or more failed logins in a minute from the same source
 — Output: Attempted Brute Force Attack
• Complex Multi-Event Match
 — Input: Attempted Brute Force Attack + successful login to Windows systems
 — Output: Successful Login (following a brute-force attempt)
• Statistical — mathematical model
 — Example: 50% increase in traffic per port and machine (e.g., traffic per port going to 10.0.0.2)
• Stateful
 — Example: a manually populated list of terminated employees (users jdoe, ram, …); a login attempt from user ram matches “User on terminated employee list tries to login”
 — State (the list) is maintained outside the event stream and consulted by simple, complex and statistical correlation alike
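The four correlation types are easiest to compare when they run over the same normalized event stream. The block below is an added example, not ArcSight's rule engine: each function implements one type from the slide (simple threshold match, multi-event match, statistical deviation, stateful list lookup). The events, the traffic baseline and the terminated-employee list are constructed; the category strings (`Authentication/Failure`, `Authentication/Success`) are an assumed taxonomy. Note that the simple match keys on the normalized category rather than on the device, which is what lets one rule cover UNIX and Windows failed logins together.

```python
"""The four real-time correlation types from the slide over one event stream.
Added example; categories, events and baseline data are constructed."""
from collections import defaultdict, deque
from statistics import mean

# Constructed normalized events (time in seconds). UNIX and Windows events
# share the same category, so one rule sees both.
EVENTS = (
    [{"time": 5, "category": "Authentication/Success", "src": "10.0.0.5",
      "dst": "win01", "user": "alice", "device": "Windows"}]
    + [{"time": 10 * i, "category": "Authentication/Failure", "src": "198.51.100.7",
        "dst": "win01", "user": "administrator", "device": "Windows"} for i in range(5)]
    + [{"time": 50, "category": "Authentication/Success", "src": "198.51.100.7",
        "dst": "win01", "user": "jdoe", "device": "Windows"}]
    + [{"time": 100, "category": "Authentication/Failure", "src": "10.0.0.8",
        "dst": "unix01", "user": "ram", "device": "UNIX"}]
)
TERMINATED = {"jdoe", "ram"}                      # manually populated list
HISTORY = {("10.0.0.2", 80): [100, 120, 110], ("10.0.0.2", 443): [50, 50, 50]}
CURRENT = {("10.0.0.2", 80): 200, ("10.0.0.2", 443): 60}


def simple_match(events, threshold=5, window=60):
    """Simple event match: >= threshold failed logins from one source within
    window seconds -> 'Attempted Brute Force Attack'."""
    alerts, recent = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["category"] != "Authentication/Failure":
            continue
        q = recent[e["src"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:     # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"time": e["time"], "name": "Attempted Brute Force Attack",
                           "src": e["src"], "dst": e["dst"]})
            q.clear()                              # fire once per burst
    return alerts


def multi_event_match(events, alerts, window=600):
    """Complex multi-event match: a brute-force alert followed by a successful
    login from the same source to the same target within window seconds."""
    out = []
    for a in alerts:
        for e in sorted(events, key=lambda e: e["time"]):
            if (e["category"] == "Authentication/Success" and e["src"] == a["src"]
                    and e["dst"] == a["dst"] and a["time"] <= e["time"] <= a["time"] + window):
                out.append({"name": "Successful Login after Brute Force",
                            "src": a["src"], "dst": e["dst"], "user": e["user"]})
                break
    return out


def statistical(history, current, increase=0.5):
    """Statistical: flag (machine, port) pairs whose current traffic exceeds
    the baseline mean by more than `increase` (50% on the slide)."""
    return [key for key, now in current.items()
            if history.get(key) and now > (1 + increase) * mean(history[key])]


def stateful(events, terminated_users):
    """Stateful: any login activity by a user on the terminated-employee list."""
    return [e for e in events
            if e["category"].startswith("Authentication/") and e["user"] in terminated_users]


if __name__ == "__main__":
    bf = simple_match(EVENTS)
    print(bf)
    print(multi_event_match(EVENTS, bf))
    print(statistical(HISTORY, CURRENT))
    print([(e["user"], e["dst"]) for e in stateful(EVENTS, TERMINATED)])
```

Two practical points the slide leaves implicit: the simple rule clears its window after firing so a 100-attempt burst produces one alert rather than 96, and the multi-event rule matches on the brute-force alert's source and target, so a successful login from a different source is not mistaken for the attacker getting in.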
Advanced Analytics – Pattern Detection
• Automatically detect repetitive event patterns, e.g. this sequence of signatures:
 Name | Device Product
 NETBIOS DCERPC Activation bind attempt little endian | Snort
 NETBIOS DCERPC System Activity path overflow attempt little endian unicode | Snort
 Tagged Packet | Snort
 SHELLCODE x86 NOOP | Snort
 NETBIOS DCERPC Remote activity bind attempt | Snort
• Capability to detect new worms, malware, system misconfigurations, etc.
• Automatically create correlation rules to flag new occurrences of the attack
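A minimal version of "detect a repetitive pattern, then turn it into a rule" is shown below as an added example; it is not ArcSight's pattern-detection engine. It groups Snort alerts by source/target pair, counts signature n-grams that recur across distinct pairs, and emits a rule that later matches the same signatures in order within a time window. The events are constructed (a worm-like sequence against three targets plus unrelated noise) and reuse the signature names from the table above; the rule format is an assumption.

```python
"""Repetitive signature-sequence detection and automatic rule generation.
Added example; the rule format is an assumption."""
from collections import defaultdict, Counter

SIGS = [
    "NETBIOS DCERPC Activation bind attempt little endian",
    "NETBIOS DCERPC System Activity path overflow attempt little endian unicode",
    "Tagged Packet",
    "SHELLCODE x86 NOOP",
    "NETBIOS DCERPC Remote activity bind attempt",
]

# Constructed IDS events: the same four-signature sequence hits three targets,
# then an unrelated pair produces two signatures that do not form the pattern.
EVENTS, _t = [], 0
for _src, _dst in [("10.1.1.1", "10.2.2.2"), ("10.1.1.1", "10.2.2.3"), ("10.1.1.9", "10.2.2.4")]:
    for _s in SIGS[:4]:
        EVENTS.append({"time": _t, "src": _src, "dst": _dst, "sig": _s})
        _t += 1
EVENTS.append({"time": _t, "src": "10.1.1.5", "dst": "10.2.2.2", "sig": SIGS[4]})
EVENTS.append({"time": _t + 1, "src": "10.1.1.5", "dst": "10.2.2.2", "sig": SIGS[3]})


def sequences(events):
    """{(src, dst): [(signature, time), ...]} in time order."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_pair[(e["src"], e["dst"])].append((e["sig"], e["time"]))
    return by_pair


def find_patterns(events, n=3, min_pairs=2):
    """Signature n-grams that occur for at least min_pairs distinct
    (src, dst) pairs. Each pair contributes an n-gram once, so one noisy
    pair repeating itself cannot manufacture a 'pattern'."""
    counts = Counter()
    for seq in sequences(events).values():
        sigs = [s for s, _ in seq]
        counts.update({tuple(sigs[i:i + n]) for i in range(len(sigs) - n + 1)})
    return [(gram, c) for gram, c in counts.most_common() if c >= min_pairs]


def make_rule(pattern, window=300):
    """Turn a detected pattern into a correlation rule (format assumed)."""
    return {"name": "Auto: " + " > ".join(pattern), "sequence": list(pattern), "window": window}


def match_rule(rule, events):
    """(src, dst) pairs showing the rule's signatures in order within window."""
    hits, want = [], rule["sequence"]
    for pair, seq in sequences(events).items():
        i, start = 0, None
        for sig, ts in seq:
            if start is not None and ts - start > rule["window"]:
                i, start = 0, None              # partial match expired
            if sig == want[i]:
                if i == 0:
                    start = ts
                i += 1
                if i == len(want):
                    hits.append(pair)
                    break
    return hits


if __name__ == "__main__":
    for gram, c in find_patterns(EVENTS):
        print(c, "pairs:", " > ".join(gram))
    rule = make_rule(find_patterns(EVENTS)[0][0])
    print(rule["name"], "->", match_rule(rule, EVENTS))
```

Counting each n-gram once per pair is the detail that keeps this from being fooled by a single chatty sensor; raising `min_pairs` and `n` trades sensitivity for fewer spurious rules, which is the same tuning decision an analyst makes when deciding whether a repeated burst is a worm or a misconfigured scanner.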
Why a Visual Approach Helps A picture tells more than a thousand log lines
Visual Approach – Benefits I • Multiple views on the same data
Visual Approach – Benefits II
• Selection and drill-down
• Color by different properties
Three Aspects of Visual Security Event Analysis
• Situational Awareness
 — What is happening in a specific business area (e.g., compliance monitoring)
 — What is happening on a specific network
 — What certain servers are doing
• Real-Time Monitoring and Incident Response
 — Capture important activities and take action
 — Event workflow
 — Collaboration
• Forensic and Historic Investigation
 — Selecting an arbitrary set of events for investigation
 — Understanding the big picture
 — Analyzing relationships: exploration
 — Reporting
Analysis Process
(Process diagram; labels recovered from the image.)
Real-time data processing → Visual detection, which leads to one of:
 — Automatic action (remediation)
 — Automatic creation of new filters and correlation components
 — Visual investigation (historical and forensic analysis), from which an event is either assigned for 2nd-level analysis or assigned as a ticket to Operations
Visual Detection and Investigation Beginning of Analyst’s shift
Define New Correlation Rules and Filters
1. Rule — assign for further analysis if more than 20 firewall drops occur from an external machine to an internal machine
2. Filter — internal machines on the white-list connecting to Active Directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
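The three steps above, carried out over a constructed set of firewall drop events, as an added example (not ArcSight's rule language): the filter is applied first so that white-listed machines talking to the Active Directory servers never reach the rule or the analyst, the rule then thresholds external-to-internal drops, and a ticket is raised for internal machines that keep hitting the AD servers after the white-list has been applied. The internal address range, the AD server addresses, the white-list and the 20-drop threshold are assumptions taken from or chosen to illustrate the slide; the "internal machine hammering AD servers" ticket criterion is an assumed reading of step 3.

```python
"""Rule, filter and ticket from the 'Define New Correlation Rules and Filters'
slide over constructed firewall drop events. Added example."""
import ipaddress
from collections import Counter

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]            # assumed internal range
AD_SERVERS = {"10.0.1.10", "10.0.1.11"}                     # assumed AD servers
WHITELIST = {"10.0.5.5"}                                    # known-good internal hosts

# Constructed drop events: (source, destination), one tuple per dropped packet
DROPS = (
    [("203.0.113.9", "10.0.2.2")] * 25      # external -> internal, above threshold
    + [("203.0.113.9", "10.0.2.3")] * 3     # external -> internal, below threshold
    + [("10.0.5.5", "10.0.1.10")] * 30      # white-listed host -> AD server (noise)
    + [("10.0.7.7", "10.0.1.11")] * 22      # unknown internal host -> AD server
)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def filter_known_good(drops):
    """Filter (step 2): remove drops from white-listed internal machines to the
    AD servers before any rule sees them."""
    return [(s, d) for s, d in drops if not (s in WHITELIST and d in AD_SERVERS)]


def rule_external_drops(drops, threshold=20):
    """Rule (step 1): more than `threshold` drops from one external source to
    one internal target -> assign for further analysis."""
    counts = Counter((s, d) for s, d in drops if not is_internal(s) and is_internal(d))
    return [{"src": s, "dst": d, "drops": c, "action": "assign for further analysis"}
            for (s, d), c in counts.items() if c > threshold]


def tickets_for_internal_hosts(drops, threshold=20):
    """Ticket (step 3, assumed criterion): an internal, non-white-listed host
    with more than `threshold` drops toward the AD servers is treated as
    probably infected and ticketed to Operations for quarantine and cleanup."""
    counts = Counter(s for s, d in drops if is_internal(s) and d in AD_SERVERS)
    return [{"host": h, "drops": c, "action": "quarantine and clean"}
            for h, c in counts.items() if c > threshold and h not in WHITELIST]


if __name__ == "__main__":
    clean = filter_known_good(DROPS)
    print(len(DROPS), "drops,", len(clean), "after filter")
    print(rule_external_drops(clean))
    print(tickets_for_internal_hosts(clean))
```

Ordering matters here: running the filter before the rule is what the slide means by feeding knowledge back into the workflow, since the 30 benign drops from the white-listed host disappear from the analyst's queue instead of being triaged again every shift.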
Real-time Analysis – Summary
• Benefits of Visual Analysis
 — Visually driven process for investigating events
 — Visual investigation helps
  • get a quick turn-around
  • detect new and previously unknown patterns (i.e., incidents)
 — Reduced event load for analysts by feeding the gained knowledge (new filters and rules) back into the analysis workflow