Bringing Actionable Events to the Forefront in AlienVault CORRELATIONS, ALARMS AND POLICIES

Upload: jerome-simon

Post on 24-Dec-2015


Page 1: Bringing Actionable Events to the Forefront in AlienVault CORRELATIONS, ALARMS AND POLICIES


Page 2

LESS SEARCHING, MORE RESPONDING

A SIEM can collect hundreds of thousands of log entries per hour…

The primary purpose of a SIEM (over a simple log aggregator and search tool) is to free Security Analysts from having to manually search through these logs to locate the things that need a human response.

Within AlienVault USM and OSSIM, the tools to do this are Correlation Rules and Alarms.

Page 3

CORRELATION RULES

Log Correlation is the process of matching incoming events for sequences and patterns that are apparent to a human, but invisible to the machine.

If one user attempts to log into 8 separate computers all at the same time, a human will suspect something awry is happening – yet to each of those 8 computers, nothing out of the ordinary is happening.

A new user is created from an administrator’s workstation. Nothing unusual in that, except that antivirus on the administrator’s system just reported that it failed to completely remove a malware infection.

Log correlation is about encoding human knowledge of security threats and abnormal behavior into a filter for events that provide evidence of that behavior – putting together the information from individual security controls into a ‘bigger picture’ of what has happened on the network, and giving analysts a starting place from which to begin investigation.

Page 4

ALARMS

Alarms are the starting point from which Analysts begin investigations and analysis.

They can be matches from correlation rules, individual events from security controls, or particular log events that are sufficiently significant to warrant immediate investigation.

Within AlienVault, they are the primary driver of workflow for Analysts – the things happening that require human intervention.

Page 5

FRESHLY SQUEEZED ALARMS – THE INFORMATION LIFE CYCLE

1. Logs are received by AlienVault.
2. They are normalized into named Events.
3. These Events are fed into the Correlation Engine.
4. Matches on Correlation rules generate new Events.
5. Policy configurations turn particular Events into Alarms.

Page 6

“THIS ALARM IS STILL BEING CORRELATED”

The animated green ‘gear’ icon in the Duration column indicates that a correlation rule has matched against incoming Events, and that more Events may match against the signature in the immediate future. Correlation rules often look for events over a period of time: after a minimum number of those events have been observed, the alarm will trigger, but additional events may still match and be grouped into the alarm.

E.g. a correlation rule looking for “over 5 failed logins to a system within 5 seconds” will show in the alarms list after the first 5 failed logins, but will continue to match on all other failed logins for that time window – if 40 failed logins are seen in 5 seconds, all 40 failed login events will be matched to the alarm.
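The following is an added example, not code from the slide deck or from AlienVault: a minimal correlation engine that walks steps 1 to 4 of the information life cycle (raw logs, normalized Events, correlation, alarm Events) and reproduces the "still being correlated" behaviour described above. The first rule is the deck's own "5 failed logins to a system within 5 seconds"; the second generalises the "one user, many computers" scenario from page 3 by counting distinct hosts per user. The log lines, host names, addresses and rule names are constructed for the demo; the window semantics (the alarm keeps collecting matches until the window measured from its first event elapses, then closes) are this example's assumption about what "grouped into the alarm" means, not AlienVault's documented algorithm.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample syslog lines (not from the slide deck): "<epoch> <host> sshd[pid]: ..."
RAW_LOGS = [
    "100 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "100 db01 sshd[412]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "101 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "101 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "102 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "102 db01 sshd[412]: Failed password for root from 203.0.113.7 port 51027 ssh2",
    "103 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51028 ssh2",
    "104 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51029 ssh2",
    "110 web01 sshd[811]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "200 web01 sshd[900]: Failed password for invalid user svc_backup from 10.0.0.5 port 40000 ssh2",
    "201 db01 sshd[455]: Failed password for invalid user svc_backup from 10.0.0.5 port 40001 ssh2",
    "202 app01 sshd[301]: Failed password for invalid user svc_backup from 10.0.0.5 port 40002 ssh2",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

@dataclass
class Event:                # step 2: a normalized, named event
    name: str
    ts: int
    host: str
    user: str
    src: str

def normalize(line):
    """Turn one raw log line into a named Event (None if the line is not recognised)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Event("SSH failed login", int(m["ts"]), m["host"], m["user"], m["src"])

@dataclass
class CorrelationRule:
    name: str
    event_name: str         # which normalized event the rule consumes
    group_by: str           # Event attribute that defines "the same system" or "the same user"
    threshold: int          # how many matches open an alarm
    window: int             # seconds
    distinct: str = ""      # if set, count distinct values of this attribute instead of events

@dataclass
class Alarm:                # step 4: the new event a rule match generates
    rule: str
    key: str
    opened_at: int
    events: list = field(default_factory=list)
    status: str = "correlating"   # the green gear; becomes "closed" once the window elapses

class CorrelationEngine:    # step 3
    def __init__(self, rules):
        self.rules = rules
        self.pending = defaultdict(list)   # (rule, key) -> recent events not yet in an alarm
        self.open = {}                     # (rule, key) -> alarm still collecting events
        self.alarms = []

    def feed(self, ev):
        for rule in self.rules:
            if ev.name != rule.event_name:
                continue
            k = (rule.name, getattr(ev, rule.group_by))
            alarm = self.open.get(k)
            if alarm is not None:
                if ev.ts - alarm.opened_at <= rule.window:
                    alarm.events.append(ev)        # still being correlated: join the open alarm
                    continue
                alarm.status = "closed"            # window elapsed: no further events join it
                del self.open[k]
            recent = [e for e in self.pending[k] if ev.ts - e.ts <= rule.window]
            recent.append(ev)
            self.pending[k] = recent
            matched = {getattr(e, rule.distinct) for e in recent} if rule.distinct else recent
            if len(matched) >= rule.threshold:
                alarm = Alarm(rule.name, k[1], recent[0].ts, list(recent))
                self.open[k] = alarm
                self.alarms.append(alarm)
                self.pending[k] = []

def run_demo():
    rules = [
        CorrelationRule("5+ failed logins to one system in 5s", "SSH failed login", "host", 5, 5),
        CorrelationRule("One user failing against 3+ systems in 10s", "SSH failed login",
                        "user", 3, 10, distinct="host"),
    ]
    engine = CorrelationEngine(rules)
    for line in RAW_LOGS:                  # step 1: logs arrive in time order
        ev = normalize(line)
        if ev is not None:
            engine.feed(ev)
    return engine.alarms

if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.status:11} {a.rule}: key={a.key} events={len(a.events)}")
```

Running it opens the brute-force alarm on the fifth web01 failure, attaches the sixth (still inside the window), and closes the alarm when the failure at second 110 arrives outside it; the svc_backup alarm opens on the third distinct host and is still "correlating" when the input ends, which is the state the green gear represents.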

Page 7

POLICIES

Policies in AlienVault are a set of rules for how to escalate Events in the SIEM to human attention.

A Policy has two components – Conditions and Actions: “If That, Then This”.

Policies are the primary method of filtering what is brought to the attention of the analyst using AlienVault USM or OSSIM.

They also allow that attention to be routed to different people, groups, and other destinations – by using those conditions to select what should be done with an event.

Page 8

POLICY CONDITIONS

Conditions make use of the information about your network previously populated into AlienVault – especially Asset Management.

“Alerts from this group of hosts go to these analysts”

“After this time of day, send emergency alerts to the on-call team instead”

Page 9

ELEMENTS OF POLICY CONDITIONS

By setting a sequence of conditional factors – What type of event is this? Where did it come from? What hosts and services does it involve? – AlienVault can route actionable information to different target ‘audiences’ as appropriate to your business operations.

Page 10

POLICY ACTIONS

Events and Alarms that match a policy may have actions associated with them – these actions can use information from the matching event to construct what happens when a matched event occurs.
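As an added example (not AlienVault's code or configuration), the following shows step 5 of the life cycle and the policy material of pages 7 to 10 together: an ordered list of policies whose Conditions test the event type, the asset group the host belongs to, and the time of day, and whose Actions render a notification from the fields of the matching event. The asset groups, analyst teams, policy names and events are constructed for the demo, and "first matching policy wins" is this example's assumption about evaluation order rather than a statement about the product.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed asset inventory, standing in for the groups an operator would already
# have populated in AlienVault Asset Management (hypothetical host and group names).
ASSET_GROUPS = {
    "dmz_web": {"web01", "web02"},
    "crown_jewels": {"db01", "ad01"},
}

@dataclass
class Action:
    channel: str      # e.g. "email", "page", "ticket", "console"
    target: str       # who or what receives it (hypothetical team names)
    template: str     # rendered with fields taken from the matching event

@dataclass
class Policy:
    name: str
    actions: list
    event_names: set = field(default_factory=set)   # empty = any event name
    host_groups: set = field(default_factory=set)   # empty = any host
    hours: Optional[tuple] = None                   # (start, end) local hours; None = any time

def hour_in_range(hour, start, end):
    """True if hour lies in [start, end), wrapping past midnight when start > end."""
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def matches(policy, event):
    """Conditions: event type, asset group of the involved host, time of day."""
    if policy.event_names and event["name"] not in policy.event_names:
        return False
    if policy.host_groups:
        groups_for_host = {g for g, hosts in ASSET_GROUPS.items() if event["host"] in hosts}
        if not groups_for_host & policy.host_groups:
            return False
    if policy.hours and not hour_in_range(event["ts"].hour, *policy.hours):
        return False
    return True

def route(policies, event):
    """Evaluate policies in order; the first match decides the actions (assumption)."""
    for policy in policies:
        if matches(policy, event):
            rendered = [
                {"channel": a.channel, "target": a.target, "message": a.template.format_map(event)}
                for a in policy.actions
            ]
            return policy.name, rendered
    return None, []

POLICIES = [
    Policy("Crown jewels after hours",
           [Action("page", "oncall-team", "{name} on {host} from {src} at {ts:%H:%M}")],
           host_groups={"crown_jewels"}, hours=(18, 8)),
    Policy("Crown jewels business hours",
           [Action("email", "soc-analysts", "{name} on {host} from {src}")],
           host_groups={"crown_jewels"}),
    Policy("DMZ brute force",
           [Action("email", "web-team", "{name} against {host} from {src}"),
            Action("ticket", "helpdesk", "Review firewall logs for {src}")],
           event_names={"Brute force attempt"}, host_groups={"dmz_web"}),
    Policy("Everything else", [Action("console", "siem-dashboard", "{name} on {host}")]),
]

# Constructed events, as they would arrive from the correlation stage.
EVENTS = [
    {"name": "Brute force attempt", "host": "db01", "src": "203.0.113.7", "ts": datetime(2015, 12, 24, 3, 15)},
    {"name": "Brute force attempt", "host": "db01", "src": "203.0.113.7", "ts": datetime(2015, 12, 24, 14, 0)},
    {"name": "Brute force attempt", "host": "web01", "src": "198.51.100.9", "ts": datetime(2015, 12, 24, 14, 0)},
    {"name": "AV cleanup failed", "host": "wks22", "src": "wks22", "ts": datetime(2015, 12, 24, 14, 5)},
]

def route_all():
    return [route(POLICIES, e) for e in EVENTS]

if __name__ == "__main__":
    for policy_name, actions in route_all():
        print(policy_name)
        for a in actions:
            print("   ", a["channel"], "->", a["target"], ":", a["message"])
```

The same brute-force event against db01 is paged to the on-call team at 03:15 but only e-mailed to the analysts at 14:00, the web01 event goes to the web team with a ticket, and the unmatched workstation event falls through to the catch-all policy; the order of the list is what makes the after-hours rule take precedence.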