Workflow Based Security Incident Management

PCI Conference paper presentation, 2005


1. Workflow Based Security Incident Management
   Meletis A. Belsis (1), Alkis Simitsis (2), Stefanos Gritzalis (1)
   (1) University of the Aegean, Dept. of Information and Communication Systems Eng.
       meletis_belsis@yahoo.com, sgritz@aegean.gr
   (2) National Technical University of Athens, Dept. of Electrical and Computer Engineering
       [email_address]

2. Outline
   • Introduction
   • Incident Collection
   • ETL Workflows
   • System Architecture for the Incident Management
   • Conclusions
   M. Belsis, A. Simitsis, S. Gritzalis @ PCI'05, Volos, 13/11/2005

3. Introduction
   • A security incident is some set of events that involve an attack or series of attacks at one or more sites (John D. Howard).
   • Security incidents are not a one-step process:
     • a security incident is some set of events
     • it involves an attack or a series of attacks
     • at one or more sites
     • it may involve one or more criminals
     • it may take place at different times
     • it may take place from different geographical locations
   • Storing such incident information is an invaluable tool for users, administrators and managers.

4. Background
   • Today many incident databases exist.
   • Most of them follow the Balkanised Model.
   • Examples of such include:
     • IBM's VuLDA
     • NIST ICAT
     • Ohio University IDB
   • Many efforts have been made to form a central approach to incident information storage:
     • CERT/CC
     • Europe S3000
     • Open Vulnerability and Assessment Language (OVAL)
     • Cerias Incident Response Database (CIRDB)
     • Incident Object Description and Exchange Format (IODEF)

5. Background: IODEF Incident Data Model

6. Motivation
   • Current incident databases use different schemas and formats.
   • Today experts and law enforcement units require the complete picture of an incident before taking decisions.
   • Unfortunately, forcing experts around the world to use a common structure is difficult, if possible at all.
   • What is needed is an infrastructure that can collect and integrate information from different incident databases.
     • Delivering such a structure requires solving a number of problems:
       • gathering
       • export of snapshots/differentials
       • transportation
       • transformations
       • cleaning issues
       • efficient loading

7. Contributions
   • We employ advanced database techniques to tackle the problem of designing a centralized incident DBMS.
   • We identify the main problems underlying the population of a central incident database.
   • We propose a method based on ETL workflows for the incremental maintenance of such a centralized database.
   • We present a framework for incident correlation in order to keep track of a full attack whose component incidents are stored in different databases.
9. Incident Collection

10. Incident Collection
   • In terms of the transformation tasks, there are two main classes of problems:
     • conflicts and problems at the schema level
     • data-level transformations (i.e., at the instance level)
   • More specifically:
     • Naming conflicts
       • homonyms
       • synonyms
     • Structural conflicts
     • Data formatting
     • String problems
       • 'Hewlett Packard' vs. 'HP' vs. 'Hioulet Pakard'

11. Incident Collection
   • A problem:
     • the time window for the population of the centralized database is too small to repeat the same job more than once
   • ... a solution:
     • instead of extracting, transforming, and loading all the data, we are interested only in those incident records that have changed since the last execution of the process
     • this means that we are interested only in the incident data that are
       • newly inserted
       • updated
       • deleted
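The differential extraction that slide 11 calls for, as an added example (not code from the paper): the central database keeps only a fingerprint snapshot (record key to content hash) from the previous run, so the next run can classify what a source now exposes as newly inserted, updated or deleted and process only those rows. Field names, the key column and the sample rows are constructed.

```python
import hashlib
import json

# Constructed sample: the rows a source CSIRT database exposed during the previous
# run (from which its fingerprint snapshot was built) and the rows it exposes now.
PREVIOUS_RUN = [
    {"incident_id": 101, "status": "open", "src_ip": "10.0.0.5"},
    {"incident_id": 102, "status": "open", "src_ip": "10.0.0.9"},
    {"incident_id": 103, "status": "closed", "src_ip": "192.0.2.7"},
]
CURRENT_ROWS = [
    {"incident_id": 101, "status": "open", "src_ip": "10.0.0.5"},      # unchanged
    {"incident_id": 102, "status": "closed", "src_ip": "10.0.0.9"},    # updated
    {"incident_id": 104, "status": "open", "src_ip": "198.51.100.3"},  # newly inserted
]                                                                      # 103 was deleted


def fingerprint(record):
    """Content hash of one record; key order does not affect the result."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(records, key="incident_id"):
    """What the central DB keeps between runs: only key -> fingerprint, not the rows."""
    return {r[key]: fingerprint(r) for r in records}


def differential(previous_snapshot, current_records, key="incident_id"):
    """Classify current records as inserted / updated / deleted relative to the last run."""
    current = snapshot(current_records, key)
    inserted = sorted(set(current) - set(previous_snapshot))
    deleted = sorted(set(previous_snapshot) - set(current))
    updated = sorted(k for k in set(current) & set(previous_snapshot)
                     if current[k] != previous_snapshot[k])
    return {"inserted": inserted, "updated": updated, "deleted": deleted}, current


def changed_rows(previous_snapshot, current_records, key="incident_id"):
    """The only rows this run needs to transform and load; deletions are handled by key."""
    delta, _ = differential(previous_snapshot, current_records, key)
    wanted = set(delta["inserted"]) | set(delta["updated"])
    return [r for r in current_records if r[key] in wanted]


if __name__ == "__main__":
    delta, new_snapshot = differential(snapshot(PREVIOUS_RUN), CURRENT_ROWS)
    print(delta)
    print(changed_rows(snapshot(PREVIOUS_RUN), CURRENT_ROWS))
```

The new snapshot returned by differential() replaces the stored one once the load succeeds, so a failed run does not lose changes.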
13. ETL Workflows
   More information can be found at: http://www.dblab.ntua.gr/~asimi/

14. ETL Workflows
   • Extraction-Transformation-Loading (ETL) tools
     • can be used to facilitate the population of a centralized incident database from several different incident DBs
     • are pieces of software responsible for the extraction of data from several sources, their cleansing, their customization, their transformation in order to fit business needs, and finally their loading into a central DB
     • their most prominent tasks include:
       • the identification of relevant information at the source side
       • the extraction of this information
       • the transportation of this information to the Data Staging Area (DSA), where all the transformations take place
       • the transformation (i.e., customization and integration) of the information coming from multiple sources into a common format
       • the cleaning of the resulting data set, on the basis of database and business rules
       • the propagation and loading of the data to a central DB
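An added example (not the authors' code) of the transformation and cleaning tasks from slides 10 and 14: two constructed source schemas with naming conflicts are mapped into one common format, each source's date format is normalised, vendor strings such as 'Hioulet Pakard' and 'HP' are resolved to 'Hewlett Packard', and rows that fail a cleaning rule (here, an unparsable address) are rejected rather than loaded. The source names, column names, canonical vendor list and similarity threshold are all assumptions.

```python
import difflib
import ipaddress
from datetime import datetime

# Per-source column mapping resolves naming conflicts (synonyms such as
# "src" vs "source_address") and each source's date format into one
# common schema. Source names, columns and formats are constructed here.
SOURCE_SCHEMAS = {
    "csirt_a": {"key": "id", "ip": "src", "vendor": "vendor", "date": "date", "fmt": "%d/%m/%Y"},
    "csirt_b": {"key": "ref", "ip": "source_address", "vendor": "product_vendor", "date": "reported", "fmt": "%Y-%m-%d"},
}
CANONICAL_VENDORS = ["Hewlett Packard", "Cisco Systems", "Microsoft"]
VENDOR_ALIASES = {"hp": "Hewlett Packard"}  # abbreviations that string similarity cannot catch

# Constructed extraction batches: one list of raw rows per source database.
BATCHES = {
    "csirt_a": [{"id": 7, "src": "10.0.0.5", "vendor": "Hioulet Pakard", "date": "13/11/2005"}],
    "csirt_b": [{"ref": 3, "source_address": "10.0.0.9", "product_vendor": "HP", "reported": "2005-11-13"},
                {"ref": 4, "source_address": "not-an-ip", "product_vendor": "HP", "reported": "2005-11-13"}],
}

def canonical_vendor(name, threshold=0.7):
    """Map a free-text vendor string to a canonical name; None if nothing is close enough."""
    key = name.strip().lower()
    if key in VENDOR_ALIASES:
        return VENDOR_ALIASES[key]
    score, best = max((difflib.SequenceMatcher(None, key, c.lower()).ratio(), c) for c in CANONICAL_VENDORS)
    return best if score >= threshold else None

def transform(source, row):
    """Schema-level mapping, data-level normalisation and cleaning rules; None means reject."""
    m = SOURCE_SCHEMAS[source]
    try:
        ip = str(ipaddress.ip_address(row[m["ip"]]))
        date = datetime.strptime(row[m["date"]], m["fmt"]).date().isoformat()
    except (KeyError, ValueError):
        return None  # missing column, malformed address or unparsable date
    vendor = canonical_vendor(row.get(m["vendor"], ""))
    if vendor is None:
        return None
    return {"incident_id": f"{source}:{row[m['key']]}", "source_ip": ip, "vendor": vendor, "report_date": date}

def run_etl(batches):
    """Transform every extracted row; return the rows ready to load and the rows cleaning rejected."""
    loaded, rejected = [], []
    for source, rows in batches.items():
        for row in rows:
            record = transform(source, row)
            (loaded if record else rejected).append(record or (source, row))  # keep rejects for review
    return loaded, rejected
```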
16. System Architecture
   • The proposed system is based on the OMG's CORBA architecture.
   • CORBA allows for the addition of new services on demand.
   • CORBA is transparent to client applications, OS, and platform.
   • Registered law enforcement units will be able to access incident information through the Web.
   • Data are going to be collected from CSIRT databases on a daily basis.
   www.dcs.fmph.uniba.sk

17. System Architecture
   • Incident data are protected during transit using CORBA's Security Service Protocol (SECP) over the SSL protocol.
   • The final CORBA security API will provide Security Level 3 with Common Secure Interoperability Level 0, in order to disallow privilege delegation.

18. System Architecture

20. Conclusions
   • This research delivers a framework for automated incident information collection.
   • The collection and correlation of incident-related data is vital.
   • Incident data collected from different sources need to be cleaned and homogenized before being stored centrally.
   • We try to minimize the time window between the appearance of an incident and its worldwide publication.
   • Automated correlation of incident information will allow law enforcement units to pursue the criminals.

21. Future Work
   • Select an incident structure able to store information received from diverse databases
     • Currently we review two potential candidates: IODEF and IDM.
   • Optimization of the ETL process to enable incident information correlation during the collection process
   • Correlation of information stored in the central database using data mining techniques
   • Allow the public community to securely access incident information using personalized database views

22. Thank You!
   Belsis Meletis
