White Paper
   making network security secure




Risk Based Correlation
vs. Rule Based Correlation




OpenService, Inc., 100 Nickerson Road, Suite 100, Marlborough, MA 01752
800.892.3646 508.597.5300 info@openservice.com www.openservice.com
Contents

1.0. About OpenService, Inc.
2.0. Accuracy
3.0. Total Cost of Ownership
4.0. Efficiency
5.0. Event Order and Timing
6.0. Conclusions
7.0. Finite-State Engine




1.0.	About OpenService, Inc.

OpenService, Inc. (Open) helps global enterprises and government organizations turn deployed
security systems into effective enterprise protection. OpenService offers integrated security
information management and network fault correlation applications that intelligently link events
from multiple sources to accurately pull the threat signal from the event noise using real-time
root cause analysis.

Founded in the early 1990s as an IT consultancy, OpenService produced technologies which developed into the expertise and products to collect, manage and correlate large amounts of real-time data from disparate sources. Well funded and with a growing track record of successful security information management implementations, our customers include Sonnenschein et al., Ace Hardware, Raytheon and Visa. OpenService led the enterprise security information management market with public customer success stories during the first half of 2004, a testament to our values, approach and technology. Investors include Advent International, one of the world’s leading venture capital firms, who led an $8 million ‘C’ round in November 2003.

Unlike security information management toolkits that can be expensive and time-consuming to deploy and maintain, OpenService’s software applications deploy in days, not months, and provide a blended view of security and network metrics to effectively manage threats and meet legislative standards compliance. Our security event management and network fault correlation technologies are based on proven software solutions that have stood the test of time in major corporations. OpenService’s track record of innovation shows how these trusted technologies deliver the confidence that enterprise network security managers seek.

   • Eight patents already granted on Security Threat Manager (STM) components.
   • First Security Information Management vendor to be certified as “Nokia OK”.
   • Only vendor to deliver multiple published customer successes in 2004.
   • First security event correlation product that detects threats before they become exploits.
   • First SIM / SEM vendor to provide business security intelligence capabilities.
   • First SIM product to deliver security operations business performance metrics.

Our continued innovation and leadership extends to relationships with leading enterprise IT vendors such as Check Point, Hewlett-Packard, Micromuse and Akamai. For more information visit OpenService online at www.openservice.com or email us at info@openservice.com.




2.0.	Accuracy

There are certain cases of known exploits, but in general, no system is able to provide perfect intrusion detection. Merely examining n number of events over some period of time cannot conclusively determine that a device has been exploited. Underlying IDS systems, even when tuned, are notorious for reporting false positives. How, then, can a rule system—relying exclusively on these types of inputs to make decisions—be accurate in its assessments?

The risk based approach relies on the preponderance of evidence across an enterprise when making an assessment. Numerous factors are considered in the process, including the type of events, topological location of the event, and various attacker and target characteristics, which may increase or decrease the impact a single event has on the overall risk score of a device. Unlike a rules engine, the risk based approach does not rely on fuzzy inference, but on an educated and accurate assessment of the situation across an enterprise.

3.0.	Total Cost of Ownership

According to CERT, roughly 4,000 new vulnerabilities are discovered every year. That’s 10 per day, including weekends. Many of these vulnerabilities include multiple attack vectors and, therefore, require multiple rules to detect. Writing loose, generic rules will likely lead to many false positives, while writing tight, concise rules (if it is even possible for a given vector) is extremely time consuming, given the volume. Additionally, the rules engine owner must make a substantial investment in developing expertise in the rules entry system. Easy-to-use, GUI-based systems tend to be limited in the flexibility of rule creation, while those with actual embedded scripting language processors require the security staff to spend countless hours developing code, rather than mitigating risks. The system becomes only as effective as the creativity of the rule writer.

Risk based systems focus mainly on the assets and their position in the network topology. As new threats emerge, the assets remain constant and no system tuning or additional programming is required. Instead, signature updates are received by the system so that new threats can be incorporated into risk calculations. The algorithms themselves have been developed over a period of months by subject matter experts and have remained unchanged since their inception. The rules system requires continual maintenance, while the risk algorithms have stood the test of time.



4.0.	Efficiency

Many rules engines implement a variant of the Rete algorithm for rules processing, which repeatedly applies a series of “if-then” conditionals against a data set. This algorithm, while effective for expert systems, isn’t as efficient for the characteristics of security event processing. The Rete algorithm calls for a memory of recently tested data sets to be maintained so that they may be skipped on future iterations of the rule set if the data set they represent has not changed. Unfortunately, the characteristics of an active network don’t cleanly fit this model, as high value targets generally remain under constant assault. As more targets come under constant monitoring, the expected efficiencies are not realized. To mitigate this problem, constraints are applied to the system, including dropping partially matched rules after a time or keeping the data sets on a slower, secondary storage medium (i.e., a database), reducing the effectiveness of the system.

Furthermore, it is recognized that static implementations of data processing algorithms, such as the risk based system, are better able to optimize both speed and memory consumption than rules based implementations.

Risk Based Correlation - Unconstrained by Sliding Windows
The first event initiates a Correlation Instance. The instance immediately calculates a Risk Score for this first event, compares that score to a Risk Threshold and issues an alarm if the threshold is crossed. A single alert sounds and rises in priority as events increase. The user is not overwhelmed with alerts.

[Illustration shows how the Alarm Priority changes over time.]

Rules Based Correlation - Limited by a Sliding Window
The company presets the number of events and detection window size. This example shows a rule of 5 events occurring within a 20 second window. A single alarm sounds for every rule that is met. The user can find himself inundated with alarms, not knowing which to check first.

[Illustration: Sliding Window - 20 seconds in duration.]



5.0.	Event Order and Timing

To remain efficient, rule based systems must be sensitive to the timing and ordering of events. This problem becomes particularly difficult in a distributed environment, as events arrive at various times due to network latency and various scheduling issues. Consider, too, the evasion available to an attacker who introduces a slight variation in the attack vector, generates events out of order, or introduces a timing delay. How can you assume the attack will follow a set script during an exploit? If the script is reduced to a single guaranteed recognizable event, then there is no correlation at all and the system is effectively reduced to an IDS. The rules based system becomes a slave to its own rules.

As already mentioned, in a risk based system, each event is considered in its own context as a score for that event is determined. The score is the same whether the event arrives before or after another event or happens to be delayed for some reason. The risk based system applies its algorithm to data from across the enterprise to develop a complete picture of the risk associated with a device and, therefore, precise timing and ordering of events matter far less in these algorithms.
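The two correlators contrasted in the illustration above (a rule of N events inside a W-second sliding window against a per-device risk score with one escalating alarm), together with this section's order-independence argument, as an added example. This is not OpenService's code: the event weights, asset values, threshold, priority step and the two event streams are constructed for illustration, and the per-event scoring factors (event type, target criticality, whether the source is external) stand in for the "attacker and target characteristics" the Accuracy section mentions.

```python
"""Sliding-window rule vs. per-device risk score (added example, not OpenService's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since start of capture
    target: str          # device the event was observed against
    kind: str            # what the sensor reported
    src_external: bool   # attacker characteristic: did the source sit outside the perimeter?


# ---- Rule-based: alarm when `count` events hit one target inside a `window`-second sliding window
class SlidingWindowRule:
    def __init__(self, count=5, window=20.0):
        self.count, self.window = count, window
        self.recent = defaultdict(deque)   # target -> timestamps still inside the window
        self.alarms = []                   # one alarm per rule match

    def feed(self, ev):
        q = self.recent[ev.target]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.count:
            self.alarms.append((ev.target, ev.ts))
            q.clear()                              # start over so one burst raises one alarm


# ---- Risk-based: every event is scored in its own context and added to the target's running score
EVENT_WEIGHT   = {"port_scan": 5, "brute_force": 15, "exploit_attempt": 30}   # constructed weights
ASSET_VALUE    = {"dmz-web": 1.0, "internal-db": 2.0}   # constructed: topology / asset criticality
RISK_THRESHOLD = 40.0    # constructed: first alarm when a target's score reaches this
PRIORITY_STEP  = 25.0    # constructed: every further 25 points raises the alarm priority by one


def score_event(ev):
    """Score depends only on the event and its target/attacker context, never on earlier events."""
    score = EVENT_WEIGHT.get(ev.kind, 1) * ASSET_VALUE.get(ev.target, 1.0)
    if ev.src_external:
        score *= 1.5
    return score


class RiskCorrelator:
    def __init__(self):
        self.score = defaultdict(float)   # target -> accumulated risk
        self.priority = {}                # target -> priority of its single alarm

    def feed(self, ev):
        total = self.score[ev.target] + score_event(ev)
        self.score[ev.target] = total
        if total >= RISK_THRESHOLD:
            self.priority[ev.target] = 1 + int((total - RISK_THRESHOLD) // PRIORITY_STEP)
        return self.priority.get(ev.target)


def run_rule(events, count=5, window=20.0):
    rule = SlidingWindowRule(count, window)
    for ev in sorted(events, key=lambda e: e.ts):   # the rule needs events in time order
        rule.feed(ev)
    return rule.alarms


def run_risk(events):
    rc = RiskCorrelator()
    for ev in events:                               # deliberately not sorted: order must not matter
        rc.feed(ev)
    return dict(rc.score), dict(rc.priority)


def order_independent(events):
    """True if every possible arrival order leaves the same final score and priority per target."""
    outcomes = {(tuple(sorted(s.items())), tuple(sorted(p.items())))
                for s, p in (run_risk(list(perm)) for perm in permutations(events))}
    return len(outcomes) == 1


# Constructed sample streams
BURST = [Event(t, "dmz-web", "port_scan", True) for t in (0, 2, 4, 6, 8)]   # five scans in 8 s
SLOW = [                                                                      # three steps over 110 s
    Event(0,   "internal-db", "port_scan",       False),
    Event(45,  "internal-db", "brute_force",     False),
    Event(110, "internal-db", "exploit_attempt", False),
]

if __name__ == "__main__":
    for name, stream in (("burst", BURST), ("slow", SLOW)):
        print(name, "rule alarms:", run_rule(stream), "risk:", run_risk(stream),
              "order independent:", order_independent(stream))
```

On the burst the 5-in-20-seconds rule fires once, while five low-weight scans against a low-value host never reach the risk threshold. On the slow stream the rule never fires (three events spread over 110 seconds), while the risk score climbs to 100 on the critical host and the one alarm for that host ends at priority 3 no matter which order the three events are fed in. The rule needs its input time-sorted; the risk path does not.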



6.0.	Conclusions

If rules based processing is so inferior, why does it appear so popular? Most people can easily
conceive of a simple rule to detect some condition and perform some action. Developing and
optimizing a risk algorithm is not trivial. However, managing a rule based system does not stop
at developing a few rules, but instead involves managing and maintaining hundreds of rules,
combinations of rules, and a variety of actions associated with them.



7.0.	Finite-State Engine

As an added benefit, using a finite-state engine in conjunction with the risk algorithms enhances the effectiveness. A rule is time bound by nature: a combination of events meeting some criteria in some period of time. This can lead to false negatives when the criteria for the rule are met, but not within the time window (sliding window). Additionally, rules processing mostly takes place on events that have already been inserted into a database. Using the database for correlation is inherently inefficient, as the database is processing continuous inserts while at the same time trying to process the rules queries. By using finite-state, in-memory processing there is no time bound “sliding window” constraint, nor is the inefficiency of a database method a factor.
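A per-device finite-state engine of the kind this section describes, as an added example that is not OpenService's code: the states, the transition table, the alarm priorities and the sample campaigns are constructed, and the simple "all steps inside one window" check stands in for a time-bound rule so the false negative the text describes can be seen side by side with the state machine's result.

```python
"""Per-device finite-state engine kept in memory (added example, not OpenService's code)."""
from collections import defaultdict

# Constructed attack-progression states and the event kinds that advance them.
# There is no timer anywhere: a device keeps its state until a qualifying event arrives,
# however long that takes, so criteria met outside any fixed window still count.
TRANSITIONS = {
    ("baseline",          "port_scan"):       "probed",
    ("probed",            "brute_force"):     "credential_attack",
    ("probed",            "exploit_attempt"): "exploited",
    ("credential_attack", "exploit_attempt"): "exploited",
    ("exploited",         "outbound_c2"):     "compromised",
}
ALARM_PRIORITY = {"credential_attack": 1, "exploited": 2, "compromised": 3}   # constructed
REQUIRED_KINDS = ("port_scan", "brute_force", "exploit_attempt", "outbound_c2")


class FiniteStateEngine:
    """One small state record per device; nothing is written to or queried from a database."""

    def __init__(self):
        self.state = defaultdict(lambda: "baseline")   # device -> current state
        self.alarm = {}                                # device -> highest priority reached

    def feed(self, event):
        device, kind = event["target"], event["kind"]
        current = self.state[device]
        # An event that matches no transition (noise, or a step already taken)
        # leaves the device where it is instead of resetting its progress.
        new_state = TRANSITIONS.get((current, kind), current)
        self.state[device] = new_state
        if new_state in ALARM_PRIORITY:
            self.alarm[device] = max(self.alarm.get(device, 0), ALARM_PRIORITY[new_state])
        return new_state


def run_fsm(events):
    """Feed events in arrival order; return (final state per device, alarm priority per device)."""
    engine = FiniteStateEngine()
    for ev in sorted(events, key=lambda e: e["ts"]):
        engine.feed(ev)
    return dict(engine.state), dict(engine.alarm)


def windowed_rule_matches(events, window=20.0, required=REQUIRED_KINDS):
    """The time-bound alternative: every required step must fall inside one `window`-second span.
    Assumes each step occurs at most once in the stream, which holds for the samples below."""
    steps = [ev for ev in events if ev["kind"] in required]
    if {ev["kind"] for ev in steps} != set(required):
        return False
    stamps = [ev["ts"] for ev in steps]
    return max(stamps) - min(stamps) <= window


# Constructed sample: the four steps of one intrusion against one host, spread over ten minutes,
# with an unrelated event in between; FAST_CAMPAIGN is the same sequence compressed into 16 seconds.
SLOW_CAMPAIGN = [
    {"ts": 0,   "target": "internal-db", "kind": "port_scan"},
    {"ts": 90,  "target": "internal-db", "kind": "brute_force"},
    {"ts": 120, "target": "internal-db", "kind": "dns_query"},        # noise
    {"ts": 300, "target": "internal-db", "kind": "exploit_attempt"},
    {"ts": 600, "target": "internal-db", "kind": "outbound_c2"},
]
FAST_CAMPAIGN = [dict(ev, ts=i * 4) for i, ev in enumerate(SLOW_CAMPAIGN)]

if __name__ == "__main__":
    for name, campaign in (("slow", SLOW_CAMPAIGN), ("fast", FAST_CAMPAIGN)):
        states, alarms = run_fsm(campaign)
        print(name, states, alarms, "20 s rule matched:", windowed_rule_matches(campaign))
```

Both campaigns drive the host to the "compromised" state and a priority-3 alarm, because the state machine keeps only "where is this device now" and never asks how long ago the previous step happened. The 20-second window rule matches only the compressed campaign; the ten-minute one is the false negative the section warns about. Memory use is one state entry per device regardless of how many events have been seen, and there is no store to query.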





Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

Open service risk correlation

1.0. About OpenService, Inc.

Unlike security information management toolkits that can be expensive and time-consuming to deploy and maintain, OpenService’s software applications deploy in days, not months, and provide a blended view of security and network metrics to effectively manage threats and meet legislative standards compliance. Our security event management and network fault correlation technologies are based on proven software solutions that have stood the test of time in major corporations. OpenService’s track record of innovation shows how these trusted technologies deliver the confidence that enterprise network security managers seek.

• Eight patents already granted on Security Threat Manager (STM) components.
• First Security Information Management vendor to be certified as “Nokia OK”.
• Only vendor to deliver multiple published customer successes in 2004.
• First security event correlation product that detects threats before they become exploits.
• First SIM / SEM vendor to provide business security intelligence capabilities.
• First SIM product to deliver security operations business performance metrics.

Our continued innovation and leadership extends to relationships with leading enterprise IT vendors such as Check Point, Hewlett-Packard, Micromuse and Akamai. For more information visit OpenService online at www.openservice.com or email us at info@openservice.com.
2.0. Accuracy

There are certain cases of known exploits, but in general, no system is able to provide perfect intrusion detection. Merely examining n number of events over some period of time cannot conclusively determine that a device has been exploited. Underlying IDS systems, even when tuned, are notorious for reporting false positives. How, then, can a rule system—relying exclusively on these types of inputs to make decisions—be accurate in its assessments?

The risk based approach relies on the preponderance of evidence across an enterprise when making an assessment. Numerous factors are considered in the process, including the type of events, topological location of the event, and various attacker and target characteristics, which may increase or decrease the impact a single event has on the overall risk score of a device. Unlike a rules engine, the risk based approach does not rely on fuzzy inference, but on an educated and accurate assessment of the situation across an enterprise.

3.0. Total Cost of Ownership

According to CERT, roughly 4,000 new vulnerabilities are discovered every year. That’s 10 per day, including weekends. Many of these vulnerabilities include multiple attack vectors and, therefore, require multiple rules to detect. Writing loose, generic rules will likely lead to many false positives, while writing tight, concise rules (if it is even possible for a given vector) is extremely time consuming, given the volume. Additionally, the rules engine owner must make a substantial investment in developing expertise in the rules entry system. Easy to use, GUI based systems tend to be limited in the flexibility of rule creation, while those with actual embedded scripting language processors require the security staff to spend countless hours developing code, rather than mitigating risks. The system becomes only as effective as the creativity of the rule writer.
Risk based systems focus mainly on the assets and their position in the network topology. As new threats emerge, the assets remain constant and no system tuning or additional programming is required. Instead, signature updates are received by the system so that new threats can be incorporated into risk calculations. The algorithms themselves have been developed over a period of months by subject matter experts and have remained unchanged since their inception. The rules system requires continual maintenance, while the risk algorithms have stood the test of time.

4.0. Efficiency

Many rules engines implement a variant of the Rete algorithm for rules processing, which continually applies a series of “if-then” conditionals repeatedly against a data set. This algorithm, while effective for expert systems, isn’t as efficient for the characteristics of security event processing. The implementation of the Rete algorithm calls for a memory of recently tested data sets to be maintained so that they may be skipped on future iterations of the rule set if the data set they represent has not changed. Unfortunately, the characteristics of an active network don’t cleanly fit this model, as high value targets generally remain under constant assault. As more targets are constantly under monitoring, the expected efficiencies are not realized. To mitigate this problem, constraints are applied to the system, including dropping partially matched rules with time or keeping the datasets on a slower, secondary storage medium (i.e., a database), reducing the effectiveness of the system.

Furthermore, it is recognized that static implementations of data processing algorithms, such as the risk based system, are more able to optimize both speed and memory consumption than rules based implementations.

[Illustration: Risk Based Correlation - Unconstrained by Sliding Windows. The first event initiates a Correlation Instance. The instance immediately calculates a Risk Score for this first event, compares that score to a Risk Threshold and issues an alarm if the threshold is crossed. The illustration shows how the Alarm Priority changes over time: a single alert sounds and rises in priority as events increase, so the user is not overwhelmed with alerts.]

[Illustration: Rules Based Correlation - Limited by a Sliding Window (20 seconds in duration). The company presets the number of events and the detection window size; this example shows a rule of 5 events occurring within a 20 second window. A single alarm sounds for every rule that is met, and the user can find himself inundated with alarms, not knowing which to check first.]
5.0. Event Order and Timing

To remain efficient, rule based systems must be sensitive to the timing and ordering of events. This problem becomes particularly difficult in a distributed environment, as events arrive at various times due to network latency and various scheduling issues. Now, recognize the possibility of evasion an attacker can enjoy who introduces a slight variation in the attack vector, events generated out of order, or a timing delay. How can you assume the attack will follow a set script during an exploit? If the script is reduced to a guaranteed recognizable event, then there is no correlation at all and the system is effectively reduced to an IDS. The rules based system becomes a slave to its own rules.

As already mentioned, in a risk based system, each event is considered in its own context as a score for that event is determined. In this case, the score is the same whether it comes before or after another event or happens to be delayed for some reason. The risk based system relies on data across an algorithm to develop a complete picture of the risk associated with a device and, therefore, the importance of precise timing and ordering of events in these algorithms is reduced.

6.0. Conclusions

If rules based processing is so inferior, why does it appear so popular? Most people can easily conceive of a simple rule to detect some condition and perform some action. Developing and optimizing a risk algorithm is not trivial. However, managing a rule based system does not stop at developing a few rules, but instead involves managing and maintaining hundreds of rules, combinations of rules, and a variety of actions associated with them.

7.0. Finite-State Engine

As an added benefit, using a finite-state engine in conjunction with the risk algorithms enhances the effectiveness. A rule is time bound by nature: a combination of events based on some criteria, in some period of time. This can lead to false negatives when the criteria for the rule are met, but not within the time window (sliding window). Additionally, rules processing mostly takes place on events that have already been inserted into a database. Using the database for correlation is inherently inefficient, as the database is processing continuous inserts while at the same time trying to process the rules queries. By using finite-state, in-memory processing there is no time bound “sliding window” constraint, nor is the inefficiency of a database method a factor.
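A small simulation of the two approaches contrasted in sections 4.0, 5.0 and 7.0, added here as an illustration and not code from the OpenService paper or product: the "5 events in a 20 second window" rule from the illustration beside an in-memory, per-asset risk score compared to a threshold. The event streams, the asset and event weights, the threshold and the host name are constructed values.

```python
from collections import defaultdict, deque

# Constructed sample streams of (arrival_time_s, target_host, event_type).
# ON_TIME: six probes against one host, four seconds apart.
# DELAYED: the same probes, but the last two are held up by network latency
# and land after the rule's 20 s window has slid past the first four.
ON_TIME = [(t, "web-01", "probe") for t in (0, 4, 8, 12, 16, 20)]
DELAYED = [(t, "web-01", "probe") for t in (0, 4, 8, 12, 33, 37)]

def rule_correlate(events, n=5, window=20):
    """Rule-based: alarm whenever n events for one target fall inside a
    sliding window of `window` seconds. Returns the times alarms fired."""
    recent = defaultdict(deque)     # per-host arrival times still in the window
    alarms = []
    for t, host, _ in sorted(events):       # rules depend on arrival order
        q = recent[host]
        q.append(t)
        while t - q[0] > window:            # age out events past the window
            q.popleft()
        if len(q) >= n:                     # fires again on every later match
            alarms.append(t)
    return alarms

# Constructed context weights: an exposed, high-value asset and one event type.
ASSET_VALUE = {"web-01": 3}
EVENT_WEIGHT = {"probe": 2}

def risk_correlate(events, threshold=20):
    """Risk-based: each event adds a context-weighted score to the running
    risk of its target, regardless of when or in what order it arrives.
    Returns ({host: first_alarm_time}, {host: final_score})."""
    score = defaultdict(int)
    first_alarm = {}
    for t, host, kind in events:            # deliberately not sorted
        score[host] += EVENT_WEIGHT[kind] * ASSET_VALUE[host]
        if score[host] >= threshold and host not in first_alarm:
            first_alarm[host] = t           # one alarm; its priority is the score
    return first_alarm, dict(score)

if __name__ == "__main__":
    print("rule, on time:", rule_correlate(ON_TIME))   # [16, 20]: two alarms
    print("rule, delayed:", rule_correlate(DELAYED))   # []: false negative
    print("risk, on time:", risk_correlate(ON_TIME))   # ({'web-01': 12}, {'web-01': 36})
    print("risk, delayed:", risk_correlate(DELAYED))   # same alarm, same score
```

Feeding the delayed stream in reverse order still yields the same final score, which is the order independence section 5.0 describes.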