RSA 2006 - Visual Security Event Analysis


Security Analysis presentation from RSA 2006

  • Speaker notes: Reduce analysis and response times (quickly visualize thousands of events). Facilitate communication (graphs are easier to understand than textual events). Make better decisions (situational awareness; visualize the status of the business posture; visual display of the most important properties). Detect the expected & discover the unexpected. Reporting (visually identify patterns and outliers).
  • The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.

    1. Visual Security Event Analysis. Raffael Marty, GCIA, CISSP, ArcSight Inc. 02/14/06, HT2-103
    2. Disclaimer: IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance to well-known addresses or host names is purely coincidental.
    3. Who Am I?
       • Raffael Marty, GCIA, CISSP
       • Strategic Application Solutions @ ArcSight, Inc.
       • Intrusion Detection Research @ IBM Research
       • IT Security Consultant @ PriceWaterhouse Coopers
       • Open Vulnerability and Assessment Language (OVAL) board member
       • Speaker at various security conferences
       • Passion for Visual Security Event Analysis, see
    4. Table of Contents
       • The Security Monitoring Challenge
       • Solving Event Overload - Today
         — Normalization
         — Prioritization
         — Correlation
       • Visual Security Event Analysis
         — Situational Awareness
         — Real-time Monitoring
         — Forensic and Historical Analysis
    5. A Picture is Worth a Thousand Log Entries
       • Detect the Expected & Discover the Unexpected
       • Reduce Analysis and Response Times
       • Make Better Decisions
    6. Typical Security Monitoring Challenges
       • Complexity: “How can I manage this flood of data?”
       • Accuracy: “I wish I could see prioritized and relevant information!”
       • Efficiency: “How can we prioritize and communicate efficiently?”
       • Reporting: “How can I demonstrate compliance?”
       … and do it all cost effectively
    7. The Needle in the Haystack (pyramid figure). Security information / events narrow from tens of millions per day, to millions per day, to less than 1 million per month, to a few thousand per month. Event classes named in the figure: raw events, audit trail, normal; attack formation, pre-attacks, failed attacks, false alarms, misuse; potential breaches, policy violations, identified vulnerabilities; verified breaches. Areas of concern spanning the pyramid: Defense in Depth, Insider Threat, Compliance.
    8. Solving Event Overload - Today
    9. Data Analysis Components
       • Collection, Normalization, and Aggregation
       • Risk-based Prioritization with Vulnerability and Asset Information
       • Real-time Correlation across event sources
         — Rule-based Correlation
         — Statistical Correlation
       • Advanced Analytics (Intelligence): Pattern Detection
    10. Event Normalization and Categorization. Sample raw PIX events (normalization on one side, categorization on the other):
          Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:
          Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp: to outside:
          Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside: ( to
          Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from isp: (204.110.227.16/443) to flags FIN ACK on interface outside
          Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from to flags FIN ACK on interface outside
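Slide 10 shows raw PIX lines next to their normalized and categorized form but does not say how the fields are pulled out. The Python below is an added example written for this page, not ArcSight's connector code: it parses PIX syslog lines of the message types on the slide (106011, 305011, 302013, 106015) into a vendor-neutral schema and attaches a category, action and outcome from a lookup table, which is what lets a later rule say "firewall deny" without knowing the vendor syntax. The sample lines are constructed (the slide's own lines lost their addresses) and use RFC 5737 documentation addresses; the categorization table and the assumption that Cisco's 302013 "outbound" message lists the destination endpoint before the source are mine.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample events, not taken from the slides. Addresses are RFC 5737 documentation
# ranges; the message IDs are the ones the slide shows.
SAMPLE_PIX_EVENTS = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.7/1026 dst outside:203.0.113.5/137",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:192.0.2.10/3345 to outside:203.0.113.2/3345",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:198.51.100.20/80 (198.51.100.20/80) to isp:192.0.2.10/3345 (203.0.113.2/3345)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from isp:192.0.2.10/443 to outside:198.51.100.33/52111 flags FIN ACK on interface outside",
]

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Real (pre-NAT) endpoints carry an interface prefix; parenthesised mapped addresses do not and are skipped.
ENDPOINT_RE = re.compile(r"(?P<iface>\w+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")

# Categorization table (assumed, keyed by PIX message ID): device-independent category, action, outcome.
CATEGORIES = {
    "106011": ("Firewall/Access", "deny", "failure"),
    "106015": ("Firewall/Access", "deny", "failure"),
    "305011": ("Firewall/Translation", "build", "success"),
    "302013": ("Firewall/Connection", "build", "success"),
}


@dataclass
class NormalizedEvent:
    timestamp: datetime
    severity: int          # PIX syslog severity digit: 3 = error, 6 = informational
    message_id: str
    category: str
    action: str
    outcome: str
    protocol: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    raw: str


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Parse one raw PIX line into the common schema; None if it is not a message type we know."""
    m = HEADER_RE.match(line)
    if not m or m["msgid"] not in CATEGORIES:
        return None
    body = m["body"]
    category, action, outcome = CATEGORIES[m["msgid"]]
    proto = re.search(r"\b(tcp|udp|icmp)\b", body, re.IGNORECASE)
    protocol = proto.group(1).lower() if proto else "unknown"
    endpoints = ENDPOINT_RE.findall(body)          # [(iface, ip, port), ...] in textual order
    if m["msgid"] == "302013" and "outbound" in body:
        # Assumption: for outbound 302013 the "for" endpoint is the destination and "to" is the source.
        endpoints = endpoints[::-1]
    src = endpoints[0] if len(endpoints) > 0 else None
    dst = endpoints[1] if len(endpoints) > 1 else None
    return NormalizedEvent(
        timestamp=datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        severity=int(m["sev"]),
        message_id=m["msgid"],
        category=category, action=action, outcome=outcome, protocol=protocol,
        src_ip=src[1] if src else None, src_port=int(src[2]) if src else None,
        dst_ip=dst[1] if dst else None, dst_port=int(dst[2]) if dst else None,
        raw=line,
    )


def normalize_all(lines):
    """Normalize a batch; lines the parser does not understand are dropped here (count them in production)."""
    return [e for e in map(normalize, lines) if e is not None]


def count_by_category(events):
    """Aggregation step from slide 9: events per (category, action, outcome)."""
    counts = {}
    for e in events:
        key = (e.category, e.action, e.outcome)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    events = normalize_all(SAMPLE_PIX_EVENTS)
    for e in events:
        print(f"{e.timestamp} sev={e.severity} {e.category}:{e.action}/{e.outcome} "
              f"{e.protocol} {e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
    print(count_by_category(events))
```

The two deny messages end up in the same category and outcome even though their raw syntax differs, which is the point of the categorization column on the slide: later correlation and prioritization work on the category, not on the vendor's message text.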
    11. Risk-based Prioritization (architecture figure): Vulnerability Scanner Agents (vulnerability severity) and an Asset Information Agent (asset criticality) feed the Security Model alongside events from Security Device Agents (Unix/Linux/AIX/Solaris, Windows systems, mainframe & apps, databases) gathered by the Security Device Event Collector; the model scores Severity, Relevance and Confidence and emits a Prioritized Event.
    12. Event Correlation
       • Most overused and least well-defined concept in ESM.
       • Combine multiple events through predefined rules or analyze statistical properties of event streams
         — Across devices
         — Heavily utilizing event categorization
       • Helps eliminate false positives
       • Correlation is not prioritization!
         — Can use priorities of individual events
    13. Four Types of Real-time Correlation
       • Simple Event Match: Failed logins on UNIX systems + Failed logins on Windows systems; 5 or more failed logins in a minute from the same source → Attempted Brute Force Attack
       • Complex Multi-Event Match: Attempted Brute Force Attack + Successful login to Windows systems → Successful Login (after brute force)
    14. Four Types of Real-time Correlation (continued)
       • Statistical: mathematical model, e.g. a 50% increase in traffic per port and machine (traffic per port going to a host)
       • Stateful: a manually populated list (e.g., users jdoe, ram, … on a terminated-employee list) is kept as state; a login attempt from user ram then correlates to "user on terminated employee list tries to login". Stateful correlation is layered on the simple, complex and statistical types.
    15. Advanced Analytics - Pattern Detection
       • Automatically detect repetitive event patterns. Example pattern (Name / Device Product):
         NETBIOS DCERPC Activation bind attempt little endian / Snort
         NETBIOS DCERPC System Activity path overflow attempt little endian unicode / Snort
         Tagged Packet / Snort
         SHELLCODE x86 NOOP / Snort
         NETBIOS DCERPC Remote activity bind attempt / Snort
       • Capability to detect new worms, malware, system misconfigurations, etc.
       • Automatically create correlation rules to flag new occurrences of the attack
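Slide 15 names the two halves of pattern detection, finding an event sequence that repeats across sources and turning it into a rule that flags new occurrences, without showing either. The Python below is an added example written for this page (not ArcSight's pattern-detection engine): it mines ordered event-name sequences seen from at least a given number of distinct sources and compiles a mined sequence into an ordered matcher. The IDS stream is constructed; the signature names are the ones listed on the slide plus "ICMP PING" as benign noise, and the addresses are made up.

```python
from collections import defaultdict

# The five signatures from the slide, in the order the slide lists them.
ATTACK_SEQUENCE = [
    "NETBIOS DCERPC Activation bind attempt little endian",
    "NETBIOS DCERPC System Activity path overflow attempt little endian unicode",
    "Tagged Packet",
    "SHELLCODE x86 NOOP",
    "NETBIOS DCERPC Remote activity bind attempt",
]

# Constructed sample stream of (source address, signature name), not data from the slides.
SAMPLE_IDS_EVENTS = (
    [("10.0.3.1", n) for n in ATTACK_SEQUENCE]                         # full sequence
    + [("10.0.3.9", "ICMP PING"), ("10.0.3.9", "Tagged Packet")]        # benign noise, no sequence
    + [("10.0.4.2", n) for n in ATTACK_SEQUENCE]                       # full sequence again
    + [("10.0.5.5", n) for n in ATTACK_SEQUENCE[:2]]                   # partial, stopped early
)


def mine_patterns(events, length, min_sources=2):
    """Return ordered event-name sequences of `length` that at least `min_sources` distinct sources produced.

    Result maps pattern tuple -> sorted list of sources that showed it.
    """
    per_source = defaultdict(list)
    for src, name in events:
        per_source[src].append(name)
    sources_by_pattern = defaultdict(set)
    for src, names in per_source.items():
        for i in range(len(names) - length + 1):
            sources_by_pattern[tuple(names[i:i + length])].add(src)
    return {p: sorted(s) for p, s in sources_by_pattern.items() if len(s) >= min_sources}


def make_rule(pattern, rule_name):
    """Compile a mined pattern into a correlation rule (slide 15's "automatically create correlation rules").

    The matcher tracks each source's progress through the sequence and flags the source once it has
    produced every step in order; unrelated events in between are allowed.
    """
    def matcher(events):
        progress = defaultdict(int)
        flagged = []
        for src, name in events:
            if name == pattern[progress[src]]:
                progress[src] += 1
                if progress[src] == len(pattern):
                    flagged.append(src)
                    progress[src] = 0      # reset so a repeat from the same source fires again
        return flagged
    return {"name": rule_name, "pattern": pattern, "match": matcher}


if __name__ == "__main__":
    for pattern, sources in mine_patterns(SAMPLE_IDS_EVENTS, length=5).items():
        rule = make_rule(pattern, "Auto: " + " -> ".join(n.split()[0] for n in pattern))
        print(rule["name"], "mined from", sources)
        print("matches now:", rule["match"](SAMPLE_IDS_EVENTS))
```

Mining with a shorter `length` and a higher `min_sources` trades specificity for recall: the two-step prefix above is seen from three sources while the full five-step sequence is seen from two, so an operator would pick the longest pattern that still clears the source threshold before promoting it to a rule.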
    16. Visual Security Event Analysis
    17. Why a Visual Approach Helps: a picture tells more than a thousand log lines
    18. Visual Approach – Benefits I: Multiple views on the same data
    19. Visual Approach – Benefits II: Selection and drill-down; color by different properties
    20. Three Aspects of Visual Security Event Analysis
       • Situational Awareness
         — What is happening in a specific business area (e.g., compliance monitoring)
         — What is happening on a specific network
         — What are certain servers doing
       • Real-Time Monitoring and Incident Response
         — Capture important activities and take action
         — Event Workflow
         — Collaboration
       • Forensic and Historic Investigation
         — Selecting an arbitrary set of events for investigation
         — Understanding the big picture
         — Analyzing relationships - Exploration
         — Reporting
    21. Situational Awareness
    22. Instant Awareness
    23. Event Graph Dashboard
    24. MMS CDRs (graph: From Phone# → MSG Type → To Phone#)
    25. Geo Spatial Visualization
    26. Real-time Monitoring
    27. Real-time Monitoring – Detect Activity
    28. Analysis Process (cycle figure): Real-time Visual Data Processing → Detection → either Automatic Action (automatic remediation) or Visual Investigation (historical and forensic analysis) → Creation of new Filters and Correlation Components, Assign for 2nd Level Analysis, or Assign Ticket for Operations.
    29. Visual Detection and Investigation: Beginning of Analyst’s shift
    30. Visual Detection: Scanning activity is displayed; Firewall Blocks Scan Events
    31. Visual Investigation
    32. Define New Correlation Rules and Filters
       Step 1, Rule: Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
       Step 2, Filter:
         • Internal machines on white-list
         • connecting to active directory servers
       Step 3: Open a ticket for Operations to quarantine and clean infected machines
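The rule types on slides 13 and 14 and the rule-plus-filter on slide 32 fit one small sliding-window correlation engine. The Python below is an added example written for this page, not ArcSight code: it replays a normalized event stream through a simple threshold match (5 failed logins in a minute from one source), a complex multi-event match (that alert followed by a successful login from the same source), a stateful check against a terminated-employee list, and the slide 32 rule (more than 20 firewall drops from one external machine to one internal machine) with its filter applied first. Assumptions of mine: the deck gives a one-minute window for the brute-force rule but none for the firewall-drop rule (5 minutes assumed) or for the follow-up login (10 minutes assumed); slide 32's filter is read as excluding white-listed internal machines talking to active directory servers before drops are counted; the user names jdoe and ram come from slide 14, while every address, network and event is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed: the "internal machines" of slide 32
AD_SERVERS = {"10.0.0.5"}                 # constructed: active directory servers (slide 32 filter)
WHITELIST = {"10.0.1.7"}                  # constructed: white-listed internal machines (slide 32 filter)
TERMINATED_USERS = {"ram"}                # slide 14's manually populated list; "ram" is the user the slide names


def make_event(ts, category, outcome, src, dst=None, user=None, device="windows"):
    """A normalized event: category/outcome are device-independent, as the deck's normalization step produces."""
    return {"ts": datetime.fromisoformat(ts), "category": category, "outcome": outcome,
            "src": src, "dst": dst, "user": user, "device": device}


# Constructed sample stream, not data from the slides.
SAMPLE_EVENTS = (
    [make_event(f"2006-02-14T09:00:{s:02d}", "Authentication", "failure", "198.51.100.9", user="jdoe",
                device="unix" if s % 20 else "windows") for s in range(0, 50, 10)]       # 5 failures in 40 s
    + [make_event("2006-02-14T09:02:00", "Authentication", "success", "198.51.100.9", user="jdoe")]
    + [make_event("2006-02-14T09:05:00", "Authentication", "failure", "10.0.2.3", user="ram")]
    + [make_event(f"2006-02-14T09:10:{s:02d}", "Firewall/Access", "failure", "203.0.113.77",
                  dst="10.0.0.20", device="pix") for s in range(0, 42, 2)]               # 21 drops in 40 s
    + [make_event(f"2006-02-14T09:10:{s:02d}", "Firewall/Access", "failure", "10.0.1.7",
                  dst="10.0.0.5", device="pix") for s in range(0, 50, 2)]                # 25 white-listed AD drops
)


class CorrelationEngine:
    """Sliding-window rules over a normalized event stream, producing correlated (meta) events."""

    def __init__(self):
        self.windows = defaultdict(deque)   # (rule, key) -> timestamps currently inside the window
        self.state = {}                     # stateful facts, e.g. sources already flagged for brute force
        self.alerts = []

    def _count_in_window(self, rule, key, ts, window):
        q = self.windows[(rule, key)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        return len(q)

    def _alert(self, name, key, ts, **details):
        self.alerts.append({"ts": ts, "name": name, "key": key, **details})

    def process(self, e):
        ts, src = e["ts"], e["src"]
        is_auth = e["category"] == "Authentication"
        # 1. Simple event match (slide 13): 5 or more failed logins within a minute from the same source.
        #    UNIX and Windows failures count together because categorization already unified them.
        if is_auth and e["outcome"] == "failure":
            n = self._count_in_window("bruteforce", src, ts, timedelta(minutes=1))
            if n == 5:   # fire once when the threshold is crossed, not on every further failure
                self.state[("bruteforce", src)] = ts
                self._alert("Attempted Brute Force Attack", src, ts, failures=n)
        # 2. Complex multi-event match (slide 13): a brute-force alert followed by a successful login
        #    from the same source (assumed follow-up window: 10 minutes).
        if is_auth and e["outcome"] == "success":
            flagged_at = self.state.get(("bruteforce", src))
            if flagged_at is not None and ts - flagged_at <= timedelta(minutes=10):
                self._alert("Successful Login After Brute Force", src, ts, user=e["user"], device=e["device"])
        # 3. Stateful (slide 14): any login attempt by a user on the terminated-employee list.
        if is_auth and e["user"] in TERMINATED_USERS:
            self._alert("Login Attempt by Terminated Employee", e["user"], ts, outcome=e["outcome"])
        # 4. Slide 32: more than 20 firewall drops from one external machine to one internal machine
        #    (assumed window: 5 minutes), after filtering out white-listed internal machines talking to AD.
        if e["category"] == "Firewall/Access" and e["outcome"] == "failure":
            if src in WHITELIST and e["dst"] in AD_SERVERS:
                return
            if ip_address(src) not in INTERNAL_NET and ip_address(e["dst"]) in INTERNAL_NET:
                n = self._count_in_window("fwdrops", (src, e["dst"]), ts, timedelta(minutes=5))
                if n == 21:
                    self._alert("Assign for Further Analysis: Firewall Drops", (src, e["dst"]), ts, drops=n)


def run(events):
    """Replay events in time order and return the correlated events the rules produced."""
    engine = CorrelationEngine()
    for e in sorted(events, key=lambda x: x["ts"]):
        engine.process(e)
    return engine.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["ts"], a["name"], a["key"])
```

Each rule fires exactly once per threshold crossing, and the white-listed AD traffic never reaches the counter; in the deck's workflow the resulting "Assign for Further Analysis" event is what gets handed to second-level analysis or turned into a ticket for Operations.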
    33. Real-time Analysis - Summary
       • Benefits of Visual Analysis
         — Visually driven process for investigating events
         — Visual investigation helps
           • getting a quick turn-around
           • detecting new and previously unknown patterns (i.e., incidents)
         — Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
    34. Forensic and Historical Analysis
    35. Forensic and Historical Investigation
       • Three Areas of Concern
         — Defense in Depth
         — Insider Threat
         — Compliance
    36. Defense In Depth - Port Scan Detection
    37. Analysis - Port Scan?
    38. Insider Threat – User Reporting: High ratio of failed logins
    39. Insider Threat - Email Problems (graph of email delivery by recipient “To”, colored by Delay: 2:00 < Delay < 10:00 and Delay > 10:00)
    40. Compliance – Business Reporting: Attacks targeting internal systems (graph: Revenue Generating Systems vs. Attacks)
    41. Compliance - Business Reporting
    42. Summary
       • Detect the expected & discover the unexpected
       • Reduce analysis and response times
       • Make better decisions
    43. Q&A. Raffael Marty, ArcSight, Inc. Email: