RSA 2006 - Visual Security Event Analysis
Security Analysis presentation from RSA 2006
  • Reduce analysis and response times: quickly visualize thousands of events. Facilitate communication: graphs are easier to understand than textual events. Make better decisions: situational awareness, visualize the status of the business posture, visual display of the most important properties. Detect the Expected & Discover the Unexpected. Reporting: visually identify patterns and outliers.
  • The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
  • Transcript

    • 1. Visual Security Event Analysis Raffael Marty, GCIA, CISSP ArcSight Inc. 02/14/06 – HT2-103
    • 2. Disclaimer IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
    • 3. Who Am I? ● Raffael Marty, GCIA, CISSP ● Strategic Application Solutions @ ArcSight, Inc. ● Intrusion Detection Research @ IBM Research ● IT Security Consultant @ PriceWaterhouse Coopers ● Open Vulnerability and Assessment Language (OVAL) board member ● Speaker at Various Security Conferences ● Passion for Visual Security Event Analysis see http://afterglow.sourceforge.net
    • 4. Table Of Contents • The Security Monitoring Challenge • Solving Event Overload - Today — Normalization — Prioritization — Correlation • Visual Security Event Analysis — Situational Awareness — Real-time Monitoring — Forensic and Historical Analysis
    • 5. A Picture is Worth a Thousand Log Entries: Detect the Expected & Discover the Unexpected; Reduce Analysis and Response Times; Make Better Decisions
    • 6. Typical Security Monitoring Challenges: Complexity – “How can I manage this flood of data?” Accuracy – “I wish I could see prioritized and relevant information!” Efficiency – “How can we prioritize and communicate efficiently?” Reporting – “How can I demonstrate compliance?” … and do it all cost effectively
    • 7. The Needle in the Haystack (pyramid diagram) Security information / events by volume: tens of millions per day; millions per day; less than 1 million per month; a few thousand per month. Columns: Defense in Depth, Insider Threat, Compliance. Labels: raw events, audit trail, normal, pre-attacks, failed attacks, false alarms, misuse, potential violations, attack formation, policy breaches, identified vulnerabilities, verified breaches
    • 8. Solving Event Overload - Today
    • 9. Data Analysis Components • Collection, Normalization, and Aggregation • Risk-based Prioritization with Vulnerability and Asset Information • Real-time Correlation across event sources — Rule-based Correlation — Statistical Correlation Intelligence • Advanced Analytics — Pattern Detection
    • 10. Event Normalization and Categorization (Normalization / Categorization) Sample raw PIX events:
      Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
      Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
      Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
      Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
    • 11. Risk-based Prioritization (diagram) Components: Vulnerability Scanner Agents, Asset Information Agent, Security Device Agents (Unix/Linux/AIX/Solaris, Mainframe & Apps, Databases, Windows Systems), Security Device Event, Collector, Prioritized Event. Factors: Severity, Asset Criticality, Relevance, Security Model Confidence
    • 12. Event Correlation • Most overused and least well-defined concept in ESM. • Combine multiple events through predefined rules or analyze statistical properties of event streams — Across devices — Heavily utilizing event categorization • Helps eliminate false positives • Correlation is not prioritization! — Can use priorities of individual events
    • 13. Four Types of Real-time Correlation • Simple Event Match: Failed logins on UNIX systems / Failed logins on Windows systems → 5 or more failed logins in a minute from same source → Attempted Brute Force Attack • Complex Multi-Event Match: Attempted Brute Force Attack + Successful login to Windows systems → Successful Login
    • 14. Four Types of Real-time Correlation • Statistical — Mathematical model: 50% increase in traffic per port and machine (traffic per port going to 10.0.0.2) • Stateful: user on terminated employee list (manual population) tries to login – login attempt from user ram (table: user jdoe, user ram; Simple, Complex, Statistical correlation)
    • 15. Advanced Analytics - Pattern Detection • Automatically detect repetitive event patterns (Name / Device Product): NETBIOS DCERPC Activation little endian bind attempt / Snort; NETBIOS DCERPC System Activity path overflow attempt little endian unicode / Snort; Tagged Packet / Snort; SHELLCODE x86 NOOP / Snort; NETBIOS DCERPC Remote Activity bind attempt / Snort • Capability to detect new worms, malware, system misconfigurations, etc. • Automatically create correlation rules to flag new occurrences of attack
    • 16. Visual Security Event Analysis
    • 17. Why a Visual Approach Helps A picture tells more than a thousand log lines
    • 18. Visual Approach – Benefits I • Multiple views on the same data
    • 19. Visual Approach – Benefits II • Selection and drill-down • Color by different properties
    • 20. Three Aspects of Visual Security Event Analysis • Situational Awareness — What is happening in a specific business area (e.g., compliance monitoring) — What is happening on a specific network — What are certain servers doing • Real-Time Monitoring and Incident Response — Capture important activities and take action — Event Workflow — Collaboration • Forensic and Historic Investigation — Selecting arbitrary set of events for investigation — Understanding big picture — Analyzing relationships - Exploration — Reporting
    • 21. Situational Awareness
    • 22. Instant Awareness
    • 23. Event Graph Dashboard
    • 24. MMS CDRs From Phone# MSG Type To Phone#
    • 25. Geo Spatial Visualization
    • 26. Real-time Monitoring
    • 27. Real-time Monitoring – Detect Activity
    • 28. Analysis Process (diagram) Labels: Real-time Visual Detection, Data Processing, Automatic Action, Remediation, Automatic Creation of new Filters and Correlation Components, Visual Investigation, Historical and Forensic Analysis, Assign to 2nd Level Analysis, Assign Ticket for Operations
    • 29. Visual Detection and Investigation Beginning of Analyst’s shift
    • 30. Visual Detection Scanning activity is displayed Firewall Blocks Scan Events
    • 31. Visual Investigation
    • 32. Define New Correlation Rules and Filters 1. Rule: Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine 2. Filter: • Internal machines on white-list • connecting to active directory servers 3. Open a ticket for Operations to quarantine and clean infected machines
    • 33. Real-time Analysis - Summary • Benefits of Visual Analysis — Visually driven process for investigating events — Visual investigation helps • getting a quick turn-around • detecting new and previously unknown patterns (i.e. incidents) — Reduced event load for analysts by feeding gained knowledge back into analysis work-flow.
    • 34. Forensic and Historical Analysis
    • 35. Forensic and Historical Investigation • Three Areas of Concern — Defense in Depth — Insider Threat — Compliance
    • 36. Defense In Depth - Port Scan Detection
    • 37. Analysis - Port Scan?
    • 38. Insider Threat – User Reporting High ratio of failed logins
    • 39. Insider Threat - Email Problems (graph labels: 2:00 < Delay < 10:00; Delay > 10:00; To; Delay)
    • 40. Compliance – Business Reporting • Attacks targeting internal systems (graph labels: Revenue Generating Systems; Attacks)
    • 41. Compliance - Business Reporting
    • 42. Summary Detect the expected & discover the unexpected Reduce analysis and response times Make better decisions
    • 43. Q&A Raffael Marty, ArcSight, Inc. Email: raffy@arcsight.com
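The two rule types from slide 13, as an added example that is not code from the slides or from ArcSight: a simple event match raises "Attempted Brute Force Attack" on 5 or more failed logins within a minute from the same source, and a complex multi-event match flags a later successful login from that source. The normalized event record, its field names and the sample event stream are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def mk(ts, src, cat, user="jdoe"):  # minimal normalized event record (assumed shape)
    return {"ts": ts, "src": src, "cat": cat, "user": user}

# Constructed sample stream (not data from the slides): five failures in 5 s
# from one source followed by a success; three failures from another source.
EVENTS = [mk(f"2005-06-01 00:00:{10 + i:02d}", "10.50.215.97", "login_failed") for i in range(5)]
EVENTS += [mk(f"2005-06-01 00:02:{s:02d}", "10.50.215.102", "login_failed") for s in (0, 30, 59)]
EVENTS += [mk("2005-06-01 00:01:05", "10.50.215.97", "login_success"),
           mk("2005-06-01 00:03:00", "10.50.215.102", "login_success")]

def simple_event_match(events, category, threshold, window, name):
    """Rule type 1: `threshold` or more `category` events from the same source
    inside a sliding `window` fire one correlated event per source."""
    recent, fired, alerts = defaultdict(deque), set(), []
    for ev in events:                      # events must be in time order
        if ev["cat"] != category:
            continue
        t, q = parse_ts(ev["ts"]), recent[ev["src"]]
        q.append(t)
        while t - q[0] > window:           # forget timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append({"ts": ev["ts"], "src": ev["src"], "cat": name})
    return alerts

def multi_event_match(events, alerts):
    """Rule type 2: a successful login from a source that already raised an
    Attempted Brute Force Attack alert, at or after the alert time."""
    flagged = {a["src"]: parse_ts(a["ts"]) for a in alerts
               if a["cat"] == "Attempted Brute Force Attack"}
    return [{"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
             "cat": "Successful Login after Brute Force Attempt"}
            for ev in events if ev["cat"] == "login_success"
            and ev["src"] in flagged and parse_ts(ev["ts"]) >= flagged[ev["src"]]]

def correlate(events):
    """Run both rule types over a stream and return the correlated events."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    brute = simple_event_match(events, "login_failed", 5, timedelta(minutes=1),
                               "Attempted Brute Force Attack")
    return brute + multi_event_match(events, brute)
```

The second source stays below the threshold (three failures), so its later successful login produces no correlated event; only the source that crossed the threshold is followed up.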