
Improve Security Visibility with AlienVault USM Correlation Directives


At the heart of a SIEM is the ability to correlate events from one or many sources into actionable alarms based on your security policies. AlienVault USM provides over 2100 correlation directives developed by the AlienVault Labs team, plus the ability to create your own custom rules.
Join us for this customer training session covering how to:
  • Ensure you are using the latest and greatest built-in correlation directives from AlienVault Labs
  • Write your own correlation directives based on events from one or more sources
  • Turn correlation information into actionable alarms
  • Use correlations to enforce your security policies


  1. Agenda
     • A review of the built-in Correlation Directives from AlienVault Labs
     • How to write your own correlation directives based on events from one or more sources
     • How to turn correlation information into actionable alarms
     • How to use correlations to enforce your security policies
  2. Logical Correlation
     New events are generated using the information provided by detectors and monitors. Correlation is configured using correlation directives. New events will have new priority and reliability values. Directives are defined through logical trees, in which the horizontal axis defines an OR operation and the vertical one defines an AND operation.
     [Figure: a directive tree with node 1 at correlation level 1, nodes 2a and 2b at correlation level 2, and nodes 3a, 3b, 3c and 3d at correlation level 3]
  3. Logical Correlation
  4. Directives Examples
     Configuration > Threat Intelligence > Directives
  5. Alarms
     Alarms are special events that may depend on other events. Alarms require investigation and remediation. Analysis > Alarms
     Callouts: an overview of alarms per type, frequency, and time; a list of alarms.
  6. Search and Filter
     Utilize search if interested in specific alarms. Alternatively, click a blue circle to see alarms with a specific intent and within a specific time window.
     Callouts: toggle search; specify search filter; alarm intent; time window; select time window and intent.
  7. Alarms List
     Pay attention to alarms with OTX data. Sort alarms by risk and examine the high-risk alarms first. Alarms that are still being correlated cannot be edited.
     Callouts: sort alarms; alarm with OTX feed; click alarm to see more information; alarm is still being correlated; close or delete alarm if false positive.
  8. Examine Alarm Details
     Examine details about the alarm.
     Callouts: examine source(s) and destination(s); directive event; individual event that triggered the directive event; click an event to see details; read the knowledge base; correlation level.
  9. Examine Event Details
     Callouts: normalized event information; SIEM information; read the knowledge base; examine the offending packet.
  10. Customizing correlation directives
  11. Logical Correlation
     Logical correlation uses correlation directives to detect attacks. By default, AlienVault USM includes more than 2,100 built-in directives. Users can customize existing directives or create custom ones. Directives can be edited or created in the graphical editor or by editing XML files.
     Callouts: clone directive; delete directive; edit directive; disable directive.
  12. Correlation Directives: Global Properties
     <directive id="28012" name="AV Network attack, too many dropped inbound packets from DST_IP" priority="2">
     • Name of the directive, which becomes the name of the generated event/alert.
     • ID of the directive: all correlation events have 1505 as plugin ID; the event type ID is the ID of the directive; the range 500,000-1,000,000 is reserved for user-defined directives.
     • Priority of the directive (impact of this attack on your network): all events generated within this directive will have their priority set to the global priority value of the correlation directive.
  13. Correlation Directives (Cont.): Correlation Rules
     Correlation directives are composed of multiple rules. Rules define conditions to match incoming events. When a condition is met:
     • If this is the last level of the directive, create a new event.
     • If there are further levels, wait for more incoming events.
     Callouts: add rule; clone rule; delete rule; change level of a rule.
  14. Correlation Process
     Incoming events are matched by started directives first. If the events do not match started directives, they will be matched against all other directives. Events can be correlated by several directives. Attributes in a rule can be sticky or sticky different.
     [Figure: with DST_PORT sticky, six events from one source to port 80 (80, 80, 80, 80, 80, 80) count toward a single directive event; with DST_PORT sticky different, six events to ports 22, 23, 25, 53, 80 and 443 count toward a single directive event]
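The sticky versus sticky different choice on the Correlation Process slide decides what a rule's occurrence counter actually counts: with sticky, every matching event counts, so a flood of connections to one port reaches the threshold; with sticky different on DST_PORT, only events carrying a not-yet-seen port count, so the same threshold describes a host probing many services. The following is an added Python illustration, not AlienVault code: `occurrences`, `rule_fires` and `connections` are hypothetical helpers, the events are constructed, and the threshold of six mirrors the six events in the slide's diagram.

```python
# Added example (not AlienVault code): how sticky vs. sticky different change the
# occurrence count of one rule. Events are constructed dicts; attribute and threshold
# are assumptions chosen to mirror the slide's DST_PORT diagram.


def occurrences(events, attr, sticky_different=False):
    """Count the events that advance a rule's occurrence counter.

    sticky (default): every matching event counts, so six connections to port 80 count six.
    sticky different: an event counts only if its value for attr has not been seen by this
    directive instance before, so six distinct ports count six but repeats are ignored.
    """
    seen, count = set(), 0
    for ev in events:
        if sticky_different:
            if ev[attr] in seen:
                continue
            seen.add(ev[attr])
        count += 1
    return count


def rule_fires(events, attr, occurrence, sticky_different=False):
    """True when the rule's occurrence threshold is reached over the event stream."""
    return occurrences(events, attr, sticky_different) >= occurrence


def connections(src, ports):
    """Constructed firewall ACCEPT-style events from one source to the given destination ports."""
    return [{"SRC_IP": src, "DST_IP": "10.0.0.10", "DST_PORT": p} for p in ports]


SAME_PORT = connections("198.51.100.7", [80] * 6)                    # one service hammered
PORT_SWEEP = connections("198.51.100.7", [22, 23, 25, 53, 80, 443])  # one host probing six services
MIXED = connections("198.51.100.7", [80, 80, 80, 443, 443, 22])      # only three distinct ports
```

With a threshold of six, a plain sticky rule fires on both SAME_PORT and PORT_SWEEP, while the sticky different rule fires only on PORT_SWEEP; MIXED reaches six under sticky but just three under sticky different, which is why the two flavours express different attacks even when the rest of the rule is identical.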
  15. Create Custom Correlation Directive: Example: Denial of Service Attack
     Many connections from a single host (with a bad reputation) may indicate a DoS attack attempt. Firewall events (detector data source) can be checked for connections. A monitor data source can be used to verify if the service is still up after a suspected attack.
     [Figure: the four correlation levels of the example directive]
     • Correlation level 1: 1 ACCEPT event from the firewall, port 139, source A
     • Correlation level 2: 100 ACCEPT events from the firewall, port 139, source A
     • Correlation level 3: 1000 ACCEPT events from the firewall, port 139, source A
     • Correlation level 4: Is the service still up?
  16. Create Custom Correlation Directive (Cont.): Configuration Tasks
     1. Create a new directive.
     2. Create a correlation level 1 rule.
     3. Create a subsequent correlation rule.
     4. Repeat task 3 until you have configured all correlation rules.
     5. Restart the server.
  17. Create Custom Correlation Directive (Cont.): Task 1: Create New Directive
     Configuration > Threat Intelligence > Directives
     Callouts: create new directive; specify directive properties.
  18. Create Custom Correlation Directive (Cont.): Task 2: Create Correlation Level 1 Rule
     Specify the rule name, the data source plugin and the event type ID(s). Only detector data sources can be used in the first correlation level.
  19. Create Custom Correlation Directive (Cont.): Task 2: Create Correlation Level 1 Rule (Cont.)
     Specify source and destination IP address(es). Specify source and destination ports. Optionally include OTX data. Select the rule reliability.
  20. Create Custom Correlation Directive (Cont.): Task 3: Create Correlation Level 2 Rule
     The process of adding the second rule is similar to adding the first one. There is an option to inherit source and destination IP addresses and ports from a parent rule.
     Callouts: add child rule; inherit settings from parent rule; set reliability as an absolute or relative value.
  21. Create Custom Correlation Directive (Cont.): Task 3: Create Correlation Level 2 Rule (Cont.)
     Timeout and occurrence values have to be edited after adding the rule. Click the value to edit it.
  22. Create Custom Correlation Directive (Cont.): Task 4: Create Correlation Level 3 Rule
     The process of adding a level 3 rule is the same as adding a level 2 rule. Increase the reliability of an event when more occurrences are detected.
  23. Create Custom Correlation Directive (Cont.): Task 5: Create Correlation Level 4 Rule
     Add a monitor data source plugin to verify if the service is still up. The other steps are the same as in the previous tasks.
     Callouts: add child rule; inherit settings from parent rule.
  24. Create Custom Correlation Directive (Cont.): Task 5: Create Correlation Level 4 Rule (Cont.)
     Timeout and occurrence values have different meanings in monitor rules. Click the value to edit it.
  25. Create Custom Correlation Directive (Cont.): Task 6: Restart Server
     Changes are applied by restarting the server. Restarting the server stops the correlation process.
     Callout: restart server.
  26. Create Custom Correlation Directive (Cont.): Resulting XML File
     <directive id="500003" name="DoS attack to NetBIOS" priority="2">
       <rule type="detector" name="Established connections" from="ANY" to="10.177.76.249"
             port_from="ANY" port_to="139" from_rep="true" from_rep_min_pri="3" from_rep_min_rel="3"
             reliability="0" occurrence="1" plugin_id="1636" plugin_sid="106102">
         <rules>
           <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
                 port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="100" time_out="30"
                 plugin_id="1636" plugin_sid="1:PLUGIN_SID">
             <rules>
               <rule type="detector" name="Established connections" from="1:SRC_IP" to="1:DST_IP"
                     port_from="ANY" port_to="1:DST_PORT" reliability="+2" occurrence="1000" time_out="30"
                     plugin_id="1636" plugin_sid="1:PLUGIN_SID">
                 <rules>
                   <rule type="monitor" name="Service up" from="1:SRC_IP" to="1:DST_IP"
                         port_from="ANY" port_to="1:DST_PORT" reliability="+6" occurrence="1" time_out="1"
                         plugin_id="2008" plugin_sid="2"/>
                 </rules>
               </rule>
             </rules>
           </rule>
         </rules>
       </rule>
     </directive>
  27. Create Custom Correlation Directive (Cont.): Best Practices
     Directives should not always generate alarms:
     • Use reasonable priority and reliability values to ease incident management.
     Use the existing directives to:
     • Learn how directives are configured.
     • Adapt them to your environment and needs.
     Look for multiple types of events:
     • Bad authentication types
     • Discarded packets due to different violations
  28. USM Sizing Examples
     [Figure: single location with less than 1000 EPS; multiple locations with less than 2500 EPS; enterprise deployment with many locations and a Logger]
  29. Customer Sizing Examples
     [Figure: single location with less than 1000 EPS; multiple locations with less than 2500 EPS; enterprise deployment with many locations and a Logger]
  30. Contact us: 888.613.6023 · ALIENVAULT.COM · HELLO@ALIENVAULT.COM
     Weekly Threat Intelligence update summaries are posted in the AlienVault forum.
     Hands-on 5-day training classes delivered in-person or "live on-line" (email training@alienvault.com for more info).
     Subscribe to the AlienVault blogs for more info on emerging threats and security best practices.
