
RSA 2006 - Visual Security Event Analysis

Security Analysis presentation from RSA 2006

  1. Visual Security Event Analysis. Raffael Marty, GCIA, CISSP, ArcSight Inc. 02/14/06 – HT2-103
  2. Disclaimer: IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance to well-known addresses or host names is purely coincidental.
  3. Who Am I?
     ● Raffael Marty, GCIA, CISSP
     ● Strategic Application Solutions @ ArcSight, Inc.
     ● Intrusion Detection Research @ IBM Research
     ● IT Security Consultant @ PriceWaterhouse Coopers
     ● Open Vulnerability and Assessment Language (OVAL) board member
     ● Speaker at various security conferences
     ● Passion for Visual Security Event Analysis, see
  4. Table of Contents
     • The Security Monitoring Challenge
     • Solving Event Overload - Today
       — Normalization
       — Prioritization
       — Correlation
     • Visual Security Event Analysis
       — Situational Awareness
       — Real-time Monitoring
       — Forensic and Historical Analysis
  5. A Picture is Worth a Thousand Log Entries
     Detect the Expected & Discover the Unexpected
     Reduce Analysis and Response Times
     Make Better Decisions
  6. Typical Security Monitoring Challenges
     Complexity: "How can I manage this flood of data?"
     Accuracy: "I wish I could see prioritized and relevant information!"
     Efficiency: "How can we prioritize and communicate efficiently?"
     Reporting: "How can I demonstrate compliance?"
     … and do it all cost effectively
  7. The Needle in the Haystack (funnel diagram): security information / events narrow from tens of millions per day, to millions per day, to less than 1 million per month, to a few thousand per month. Event classes shown along the funnel: raw events, audit trail, normal, pre-attacks, failed attacks, false alarms, misuse, potential breaches, policy violations, attack formation, identified vulnerabilities, verified breaches. Areas of concern: Defense in Depth, Insider Threat, Compliance.
  8. Solving Event Overload - Today
  9. Data Analysis Components
     • Collection, Normalization, and Aggregation
     • Risk-based Prioritization with Vulnerability and Asset Information
     • Real-time Correlation across event sources
       — Rule-based Correlation
       — Statistical Correlation
     • Advanced Analytics — Pattern Detection
  10. Event Normalization and Categorization (diagram: normalization and categorization of raw events). Sample raw PIX events as they appear on the slide; the obfuscated addresses did not survive in the transcript:
      Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside: dst outside:
      Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp: to outside:
      Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside: ( to
      Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from isp: ( 204.110.227.16/443 to flags FIN ACK on interface outside
      Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from flags FIN ACK on interface outside
  11. Risk-based Prioritization (diagram): events from Unix/Linux/AIX/Solaris, Windows systems, security devices, mainframe & apps, and databases reach the collector through device agents; vulnerability scanner agents and asset information agents contribute asset criticality; event severity, relevance, and confidence are combined under a security model to produce a prioritized event.
  12. Event Correlation
      • Most overused and least well-defined concept in ESM.
      • Combine multiple events through predefined rules or analyze statistical properties of event streams
        — Across devices
        — Heavily utilizing event categorization
      • Helps eliminate false positives
      • Correlation is not prioritization!
        — Can use priorities of individual events
  13. Four Types of Real-time Correlation (I)
      • Simple Event Match: failed logins on UNIX systems and failed logins on Windows systems; 5 or more failed logins in a minute from the same source → Attempted Brute Force Attack
      • Complex Multi-Event Match: Attempted Brute Force Attack + Successful Login to Windows systems → Successful Login
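The simple and complex matches on slide 13, as an added example that is not from the slides or from ArcSight: a small stateful correlator in Python run over constructed login events (the timestamps, source addresses, host names and users are made up).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: normalized login events (timestamp, source, target, os, user, outcome).
EVENTS = [
    ("2006-02-14 09:00:01", "10.0.0.7", "win-fs1", "windows", "jdoe", "failure"),
    ("2006-02-14 09:00:05", "10.0.0.7", "win-fs1", "windows", "jdoe", "failure"),
    ("2006-02-14 09:00:12", "10.0.0.7", "unix-db2", "unix", "jdoe", "failure"),
    ("2006-02-14 09:00:20", "10.0.0.7", "win-fs1", "windows", "admin", "failure"),
    ("2006-02-14 09:00:31", "10.0.0.7", "win-fs1", "windows", "admin", "failure"),
    ("2006-02-14 09:00:44", "10.0.0.7", "win-fs1", "windows", "admin", "success"),
    ("2006-02-14 09:03:00", "10.0.0.9", "win-fs1", "windows", "bob", "failure"),
    ("2006-02-14 09:03:10", "10.0.0.9", "win-fs1", "windows", "bob", "success"),
]

WINDOW = timedelta(minutes=1)   # slide: "in a minute"
THRESHOLD = 5                   # slide: "5 or more failed logins"

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Simple match: >= threshold failures within `window` from one source, across UNIX
    and Windows targets -> 'Attempted Brute Force Attack'. Complex match: a later
    successful Windows login from a source already flagged -> second alert."""
    failures = defaultdict(deque)   # source -> timestamps of recent failures (sliding window)
    flagged = set()                 # state carried from the simple match to the complex one
    alerts = []
    for ts_str, src, target, os_name, user, outcome in events:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if outcome == "failure":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire failures older than the window
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("Attempted Brute Force Attack", src, target, ts_str))
        elif outcome == "success" and os_name == "windows" and src in flagged:
            alerts.append(("Successful Login after Brute Force", src, target, ts_str))
    return alerts
```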
  14. Four Types of Real-time Correlation (II)
      • Statistical — mathematical model, e.g. a 50% increase in traffic per port and machine (chart: traffic per port)
      • Stateful — correlation against maintained state, e.g. a manually populated list of terminated employees (jdoe, ram, …); a login attempt from user ram, who is on the terminated employee list, is flagged
      (Diagram legend: Simple, Complex, Statistical, Stateful correlation)
  15. Advanced Analytics - Pattern Detection
      • Automatically detect repetitive event patterns (table of Snort signature names: NETBIOS DCERPC activation little endian bind attempt, NETBIOS DCERPC System path overflow attempt little endian unicode, Tagged Packet, SHELLCODE x86 NOOP, NETBIOS DCERPC remote activity bind attempt)
      • Capability to detect new worms, malware, system misconfigurations, etc.
      • Automatically create correlation rules to flag new occurrences of the attack
  16. Visual Security Event Analysis
  17. Why a Visual Approach Helps: a picture tells more than a thousand log lines
  18. Visual Approach – Benefits I
      • Multiple views on the same data
  19. Visual Approach – Benefits II
      • Selection and drill-down
      • Color by different properties
  20. Three Aspects of Visual Security Event Analysis
      • Situational Awareness
        — What is happening in a specific business area (e.g., compliance monitoring)
        — What is happening on a specific network
        — What are certain servers doing
      • Real-Time Monitoring and Incident Response
        — Capture important activities and take action
        — Event Workflow
        — Collaboration
      • Forensic and Historic Investigation
        — Selecting an arbitrary set of events for investigation
        — Understanding the big picture
        — Analyzing relationships - Exploration
        — Reporting
  21. Situational Awareness
  22. Instant Awareness
  23. Event Graph Dashboard
  24. MMS CDRs (graph: From Phone# → MSG Type → To Phone#)
  25. Geo Spatial Visualization
  26. Real-time Monitoring
  27. Real-time Monitoring – Detect Activity
  28. Analysis Process (diagram): Real-time Data Processing → Visual Detection → Automatic Action / Remediation; Visual Investigation; Automatic Creation of new Filters and Correlation Components; Historical and Forensic Analysis; Assign to 2nd Level Analysis; Assign Ticket for Operations
  29. Visual Detection and Investigation (beginning of the analyst's shift)
  30. Visual Detection: scanning activity is displayed; firewall blocks scan events
  31. Visual Investigation
  32. Define New Correlation Rules and Filters
      1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
      2. Filter: internal machines on the white-list connecting to active directory servers
      3. Open a ticket for Operations to quarantine and clean infected machines
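Rule 1 and Filter 2 from slide 32 applied to PIX deny messages of the kinds shown on slide 10, as an added example that is not from the slides or from ArcSight: the internal address range, white-list, active directory server addresses and all log lines are constructed assumptions; the message layouts follow the standard PIX 106011/106015 syslog formats.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# PIX deny messages 106011 and 106015 (message IDs from slide 10), standard PIX syslog layouts.
DENY_106015 = re.compile(r"%PIX-6-106015: Deny \w+ \(no connection\) from "
                         r"(?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")
DENY_106011 = re.compile(r"%PIX-3-106011: Deny inbound \(No xlate\) \w+ "
                         r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/\d+")

INTERNAL = ip_network("10.0.0.0/8")        # assumption: the internal address range
AD_SERVERS = {"10.0.1.10", "10.0.1.11"}     # assumption: active directory servers
WHITELIST = {"10.0.5.20"}                   # assumption: white-listed internal machines
DROP_THRESHOLD = 20                         # slide: "more than 20 firewall drops"

def normalize(line):
    """Normalize a raw PIX deny line into (category, src, dst); None if it is not a deny."""
    for pattern in (DENY_106015, DENY_106011):
        m = pattern.search(line)
        if m:
            return ("Firewall/Deny", m.group("src"), m.group("dst"))
    return None

def should_filter(src, dst):
    """Filter 2: suppress events from white-listed internal machines to AD servers."""
    return src in WHITELIST and dst in AD_SERVERS

def drops_to_investigate(lines, threshold=DROP_THRESHOLD):
    """Rule 1: (external src, internal dst) pairs with more than `threshold` drops,
    i.e. the pairs that would be assigned for further analysis."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        _, src, dst = ev
        if should_filter(src, dst):
            continue
        if ip_address(src) not in INTERNAL and ip_address(dst) in INTERNAL:
            counts[(src, dst)] += 1
    return [pair for pair, n in counts.items() if n > threshold]

# Constructed sample log: 25 external drops, one stray UDP deny, one white-listed host to AD (filtered).
SAMPLE = [f"Jun 02 2005 12:16:{i:02d}: %PIX-6-106015: Deny TCP (no connection) from "
          f"203.0.113.5/{40000 + i} to 10.0.2.7/445 flags SYN on interface outside"
          for i in range(25)]
SAMPLE.append("Jun 02 2005 12:17:00: %PIX-3-106011: Deny inbound (No xlate) udp "
              "src outside:198.51.100.9/53 dst outside:10.0.2.8/1025")
SAMPLE.append("Jun 02 2005 12:17:01: %PIX-6-106015: Deny TCP (no connection) from "
              "10.0.5.20/3456 to 10.0.1.10/389 flags FIN ACK on interface inside")
```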
  33. Real-time Analysis - Summary
      • Benefits of Visual Analysis
        — Visually driven process for investigating events
        — Visual investigation helps
          • get a quick turn-around
          • detect new and previously unknown patterns (i.e. incidents)
        — Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
  34. Forensic and Historical Analysis
  35. Forensic and Historical Investigation
      • Three Areas of Concern
        — Defense in Depth
        — Insider Threat
        — Compliance
  36. Defense In Depth - Port Scan Detection
  37. Analysis - Port Scan?
  38. Insider Threat – User Reporting: high ratio of failed logins
  39. Insider Threat - Email Problems (graph of From → To edges colored by delivery delay: 2:00 < Delay < 10:00, Delay > 10:00)
  40. Compliance – Business Reporting
      • Attacks targeting internal systems (chart: Revenue Generating Systems vs. Attacks)
  41. Compliance - Business Reporting
  42. Summary: Detect the expected & discover the unexpected; Reduce analysis and response times; Make better decisions
  43. Q&A: Raffael Marty, ArcSight, Inc. Email: