Review on Event Correlation - A Review of Correlation Methods in Event Management
The document provides an overview of event correlation concepts by Reza Adineh, highlighting its importance in security operations and incident response. It outlines the definition, processes, types, and various approaches to event correlation, emphasizing its role in identifying significant events from large volumes of data. Additionally, the document discusses methods for implementing correlation, such as SIEM solutions and various correlation strategies like rule-based, profile-based, and Bayesian approaches.
1.
A general review on Event Correlation Concepts
Presented by:
Reza Adineh
ReZa.AdineH; Think Smarter, Stay Secure .... 12/20/2018
2.
Who am I?
Reza Adineh
• Professional Summary:
• Over 10 years of professional experience
• SOC & CSIRT Architect & Consultant
• SIEM Engineer
• Currently working in a senior role on SOC & IR
• Author of “Threat Intelligence for Threat Hunting” & “Next Generation SOC”
• Authoring “Threat Intelligence”, “Security Operation Center” & “Threat Hunting”
• Course instructor for many official courses including Security+, CySA+, CHFI, ECIH, Log Management, Forensic Investigation, Incident Response, Splunk Administration, etc.
3.
Event correlation definition:
• Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.
4.
Event Correlation
• Correlation is a statistical measure that indicates the extent to which two or more variables fluctuate together. A positive correlation indicates the extent to which those variables increase or decrease in parallel; a negative correlation indicates the extent to which one variable increases as the other decreases.
5.
Event Correlation
• In simple words: it is a way to find specific, particular conditions among the events.
6.
Event Correlation
• Event correlation is the process of relating a set of events that have occurred in a predefined interval of time.
• The process includes analyzing the events to understand how they could add up to a bigger event, which in most cases finally turns out to be an incident.
• It usually takes place on the log management platform, after users notice that certain logs share similar properties. It is not a completely new concept; it is used in one way or another in many different solutions, such as NIDS.
• In general, event correlation is implemented with the help of a single event correlator software component.
7.
SIEM Event Correlation
• SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behavior that would otherwise go unnoticed and could lead to compromise or data loss.
9.
Types of Event Correlation
• Simple Correlation
• This is when you use one log source for correlation.
• Cross Correlation
• In this case you have to use multiple log sources for correlation.
• Tip: keep in mind that the most useful type in most cases is cross correlation, because detecting an incident requires many different log sources for collecting evidence, and then the result is more reliable and efficient for analysis.
10.
Prerequisites of event correlation
• Transmission of events and data
• Pull or Push
• Normalization
• Reduction
12.
Event Correlation Approaches
• Profile (fingerprint) based correlation approach
• Vulnerability based correlation approach
• Open port based correlation approach
• Bayesian based correlation approach
• Time based correlation approach
13.
Correlation: Graph-based approach
• This approach constructs a graph with each node as a system component and each edge as a dependency between two components.
14.
Correlation: Neural-Network Based approach
• This approach uses a neural network to detect anomalies in the event stream, the root cause of fault events, etc.
15.
Correlation: Code-book based approach
• This approach uses a codebook to store a set of events and correlate them.
• Monitors capture alarm events; the configuration model contains the configuration of the network.
• The event model represents events and their causal relationships.
• The correlator correlates alarm events with the event model and determines the problem that caused the events.
• Problem events are viewed as messages generated by the system and encoded as sets of alarms. The correlator decodes the problem message to identify the problem.
• There are two phases:
• Codebook selection phase
• Correlation phase: the correlator compares alarm events with the codebook and identifies the problem.
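As an added illustration of the codebook approach (example code, not from the original slides), the following Python models a constructed codebook of three problems over six alarms, checks the codeword spacing chosen in the selection phase, and decodes an observed alarm set by nearest codeword in the correlation phase; the problem names, alarm ids and codewords are constructed for the example.

```python
# Constructed codebook (not from the slides): each problem is a codeword over
# six alarms a1..a6; 1 means that alarm is expected when the problem occurs.
ALARMS = ["a1", "a2", "a3", "a4", "a5", "a6"]
CODEBOOK = {
    "link_down":    (1, 1, 1, 0, 0, 0),
    "router_crash": (0, 0, 1, 1, 1, 0),
    "disk_full":    (1, 0, 0, 1, 0, 1),
}

def encode(observed):
    """Turn the set of alarms captured by the monitors into a 0/1 vector."""
    return tuple(1 if a in observed else 0 for a in ALARMS)

def hamming(u, v):
    """Number of positions in which two codewords differ."""
    return sum(x != y for x, y in zip(u, v))

def min_codeword_distance():
    """Codebook selection phase check: the smallest pairwise distance between
    codewords. Decoding can only tolerate e lost or spurious alarms if this
    distance is at least 2e + 1."""
    words = list(CODEBOOK.values())
    return min(hamming(words[i], words[j])
               for i in range(len(words)) for j in range(i + 1, len(words)))

def decode(observed, max_distance=1):
    """Correlation phase: compare the observed alarm vector with every codeword
    and report the nearest problem, or None when nothing is close enough.
    Returns (problem, distance)."""
    vec = encode(observed)
    problem, word = min(CODEBOOK.items(), key=lambda kv: hamming(vec, kv[1]))
    d = hamming(vec, word)
    return (problem, d) if d <= max_distance else (None, d)
```

With a minimum codeword distance of 4, a single missing alarm (for example `{"a1", "a3"}`) still decodes to `link_down`, while an alarm set far from every codeword is reported as unknown rather than forced onto the nearest problem.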
16.
Correlation: Rule-Based approach
• In this approach, events are correlated according to a set of rules of the following form:
• Condition -> Action
• We have to combine rules with logical operators to get results.
17.
Field-based approach
• A basic approach where specific events are compared on single or multiple fields in the normalized data.
18.
Automated field correlation
• This method checks and compares all the fields systematically and intentionally for positive and negative correlation with each other, to determine the correlation across one or multiple fields.
19.
Packet parameter/payload correlation
• This approach is used to correlate particular packets with other packets.
• This approach can produce a list of possible new attacks by comparing packets with attack signatures.
20.
Profile (fingerprint) based correlation approach
• A series of datasets can be gathered from forensic event data, such as isolated OS fingerprints, isolated port scans, finger information, and banner grabbing, to compare and link attack data to other attacker profiles.
• This information is used to identify whether a system is a relay or a formerly compromised host, or to detect the same attacker operating from different locations.
• In this approach the most important thing is a good enough baseline.
21.
Vulnerability based correlation approach
• This approach is used to map IDS events that target a specific vulnerable host, with the help of a vulnerability scanner.
• This approach is also used to deduce an attack on a particular host in advance, and it prioritizes attack data so that you can respond to trouble spots quickly.
22.
Open port based correlation approach
• This approach estimates the rate of successful attacks by comparing the attacked ports with the list of open ports on the hosts under attack.
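The vulnerability based and open port based approaches of the last two slides, as one added Python example (not code from the original slides): each IDS event is enriched with a constructed scanner inventory and port list for its target, and prioritized so that events against a host that is both listening on the port and known vulnerable come first. Host addresses, signature ids and finding ids are constructed placeholders, and the example assumes the scanner and the IDS share one signature naming scheme.

```python
from dataclasses import dataclass

# Constructed sample inventory (not from the slides): per-host findings from a
# vulnerability scanner and the open ports seen on each host. Finding and
# signature ids are placeholders, assumed to share one naming scheme.
VULN_SCAN = {
    "10.0.0.5": {"SIG-SMB-001", "SIG-WEB-007"},
    "10.0.0.9": {"SIG-WEB-007"},
}
OPEN_PORTS = {
    "10.0.0.5": {80, 445},
    "10.0.0.9": {443},
}

@dataclass
class IdsEvent:
    src: str
    dst: str
    dport: int
    signature: str   # placeholder id of the IDS signature that fired

def correlate_ids_event(ev: IdsEvent) -> dict:
    """Vulnerability- and open-port-based correlation for one IDS event.

    priority 3: the target is known vulnerable to this signature (act first)
    priority 2: the port is open but there is no matching finding (investigate)
    priority 1: the port is closed on the target (most likely a failed probe)
    """
    port_open = ev.dport in OPEN_PORTS.get(ev.dst, set())
    vulnerable = ev.signature in VULN_SCAN.get(ev.dst, set())
    if not port_open:
        priority, reason = 1, "port closed on target"
    elif vulnerable:
        priority, reason = 3, "target vulnerable to this signature"
    else:
        priority, reason = 2, "port open, no matching finding"
    return {"dst": ev.dst, "dport": ev.dport, "signature": ev.signature,
            "port_open": port_open, "vulnerable": vulnerable,
            "priority": priority, "reason": reason}

def prioritize(events):
    """Enrich every event and sort so likely-successful attacks come first."""
    return sorted((correlate_ids_event(e) for e in events),
                  key=lambda r: r["priority"], reverse=True)
```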
23.
Bayesian based correlation approach
• This approach is an advanced correlation method that infers and predicts what an attacker can do next after an attack by studying statistics and probability.
24.
Role or Time based correlation approach
• This is used to monitor the behavior of systems and users and raise an alert if something anomalous is found.
• It focuses on the roles of systems and/or users.
• In this approach, when a condition occurs, an alert is triggered and the correlator waits for the next condition within a defined time.
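The rule-based (Condition -> Action) and time based slides, together with the cross correlation type from the "Types of Event Correlation" slide, as one added Python example (not code from the original slides): a rule that opens per-user state on repeated failed VPN logins and waits a defined time for a successful domain-controller login from a second log source. The log format, source names, user names and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the slides) from two log sources, a VPN
# gateway and a domain controller, already normalized to
# "timestamp source user action" as the normalization prerequisite requires.
SAMPLE_LOGS = """\
2018-12-20T08:00:01 vpn alice login_failed
2018-12-20T08:00:05 vpn alice login_failed
2018-12-20T08:00:09 vpn alice login_failed
2018-12-20T08:01:30 dc alice login_success
2018-12-20T09:10:00 vpn bob login_failed
2018-12-20T09:45:00 dc bob login_success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(text):
    """Turn normalized lines into (timestamp, source, user, action) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, user, action = LINE_RE.match(line).groups()
        events.append((datetime.fromisoformat(ts), src, user, action))
    return events

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Rule (condition -> action) with a time window across two sources:
    at least `min_failures` failed VPN logins for a user, followed within
    `window` by a successful DC login for the same user, raises one alert.
    The first condition opens per-user state that waits for the second."""
    failures = defaultdict(list)   # user -> timestamps of failed VPN logins
    alerts = []
    for ts, src, user, action in sorted(events):
        if src == "vpn" and action == "login_failed":
            failures[user].append(ts)
        elif src == "dc" and action == "login_success":
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": user, "failures": len(recent),
                               "first_failure": recent[0], "success": ts})
            failures[user] = []   # the second condition closes the wait
    return alerts
```

On the sample data only alice's sequence fires; bob's single failure and 35-minute gap satisfy neither the count nor the window, which is the kind of reduction a cross-source rule buys over alerting on each failed login alone.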
25.
Route Correlation
• This approach is used to extract the attack route information and use that information to single out other attack data.
• In this correlation we have information about the attack path or flow.
26.
Hybrid correlation
• In this type of correlation we need to correlate multiple sources simultaneously and enrich them to get the results.
• In fact, it is a combination of different approaches.