effective use of security event correlation


Effective Use of Security Event Correlation

Mark G. Clancy

Chief Information Security Officer

The Depository Trust & Clearing Corporation

DTCC Non-Confidential (White)

About DTCC

• DTCC provides custody and asset servicing for $36.5 trillion in securities

  – Most of which are "dematerialized" or only exist in book entry form

• DTCC provides clearance and settlement for all cash equity transactions completed by the 50+ exchanges and alternative trading platforms (ECNs) operating in U.S. capital markets, and also in fixed income markets in the U.S. for government, agency-backed, and mortgage-backed securities.

• In 2010 DTCC settled more than $1.66 quadrillion in securities transactions.

Information Security Program Overview

[Diagram: program components. Input, TVA, Output; Security Monitoring; Top TV Remediation; Provisioning / De-Provisioning; Access Recertification; Access Control; Vulnerability Management; Configuration Management; Security Awareness, Education and Communication; KPIs; Information Technology Risk; Policy Management; Application Risk Program]

Security Monitoring Program: Cornerstones

Cornerstone 1

Baseline Security Settings

- 66 baselines from STIG, CIS, and in-house standards

- Risk-rate devices: High, Medium, Low

Compliance to Settings

- 1000+ servers

- 99.9% convergence to baselines

Security Event Monitoring

- 4000 device logs

- 345mm (million) daily events

Security Monitoring with SIEM

• SIEM captures, aggregates, correlates and analyzes log information from over 4,000 DTCC devices, such as servers, routers, firewalls, etc.

• SIEM rules aggregate and correlate the data, creating immediate alerts of security events for TVA staff response

• These alerts lead to identification of security incident(s) feeding the DTCC Incident Response Process, or of events that require further analysis and/or remediation

• SIEM generates daily, weekly, monthly and on-demand security reports, which include both summary and descriptive reports for logged anomalies that CIS and Infrastructure technology subject matter experts (SMEs) identify as requiring immediate investigation.

DTCC SIEM Architecture

[Diagram: Main Site and Remote Site, each built from a NAS, LC (local collector), D-SRV (database server) and A-SRV (application server), with replication between the two sites]

Collecting Data from Supported Device Types

Collect data using various supported methods (SFTP, FTP, WMI, Syslog, ODBC, and LEA) for a variety of device types, such as:

• Network - Check Point, Cisco PIX, Cisco Routers

• Host - Windows, Unix (Solaris, AIX, Linux)

• Mainframe - IBM RACF

• Web Access - Blue Coat

• Anti-Malware/IPS/IDS - SEP11, CA eTrust, Sourcefire

• Access Based - RSA Access Server, Citrix NetScaler

• Storage - Brocade FabricOS

Collecting Data from Unsupported Device Types

• Requires additional custom coding

• Middleware

  – IBM WebSEAL

  – Wharelock IP Authentication

  – ClearTrust

  – CMAN

  – EAI Cookie Monitoring

• Desktop Monitoring

  – SysTrack

• Database

  – DB2 Universal Database

Custom Correlation Rules

• Examples of DTCC's custom correlation rules:

  – Suspicious Data Upload

  – Malware not Cleaned by SEP11

  – Malware Detected on External Drives

  – Multiple Systems Affected by Malware

  – Windows Log Tampering

  – Account Lockout Monitoring

  – Privileged Account Changes

  – Watch List Monitoring
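Three of the rule types above (malware not cleaned by SEP11, multiple systems affected by malware, account lockout monitoring) written out as a small correlation pass, as an added example that is not DTCC's or the SIEM vendor's code. The event field names, the 10-minute window and the thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised by the collector (not real DTCC data).
EVENTS = [
    {"ts": "2010-03-01 09:00:05", "src": "sep11", "host": "ws-101", "sig": "Trojan.Gen", "action": "Quarantined"},
    {"ts": "2010-03-01 09:01:10", "src": "sep11", "host": "ws-102", "sig": "Trojan.Gen", "action": "Left alone"},
    {"ts": "2010-03-01 09:03:40", "src": "sep11", "host": "ws-103", "sig": "Trojan.Gen", "action": "Quarantined"},
    {"ts": "2010-03-01 09:20:00", "src": "windows", "host": "dc-01", "event_id": 4740, "user": "jsmith"},
    {"ts": "2010-03-01 09:21:00", "src": "windows", "host": "dc-01", "event_id": 4740, "user": "jsmith"},
    {"ts": "2010-03-01 09:22:00", "src": "windows", "host": "dc-01", "event_id": 4740, "user": "jsmith"},
    {"ts": "2010-03-01 11:00:00", "src": "sep11", "host": "ws-250", "sig": "W32.Downadup", "action": "Cleaned"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, hosts_threshold=3, lockout_threshold=3, window=timedelta(minutes=10)):
    """Return (rule_name, key) alerts, each fired at most once per key.
    Thresholds and the window are assumed values, not DTCC's."""
    alerts, fired = [], set()
    by_sig = defaultdict(list)    # malware signature -> [(ts, host)] inside the window
    by_user = defaultdict(list)   # locked-out account -> [ts] inside the window

    def fire(rule, key):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key))

    for e in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(e["ts"])
        if e["src"] == "sep11":
            # Rule: malware not cleaned by SEP11 (any outcome other than clean/quarantine).
            if e["action"] not in ("Cleaned", "Quarantined"):
                fire("malware_not_cleaned", e["host"])
            # Rule: multiple systems affected by the same malware within the window.
            seen = by_sig[e["sig"]]
            seen.append((ts, e["host"]))
            seen[:] = [(t, h) for t, h in seen if ts - t <= window]
            if len({h for _, h in seen}) >= hosts_threshold:
                fire("malware_multiple_hosts", e["sig"])
        elif e["src"] == "windows" and e.get("event_id") == 4740:
            # Rule: account lockout monitoring (Windows 4740, "a user account was locked out").
            seen = by_user[e["user"]]
            seen.append(ts)
            seen[:] = [t for t in seen if ts - t <= window]
            if len(seen) >= lockout_threshold:
                fire("account_lockouts", e["user"])
    return alerts
```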

Custom Reports (Scheduled and Ad-Hoc)

• Examples of custom reports:

  – Network - Top Usage (bandwidth, ports, drops, etc.)

  – Web Activity - Executable Downloads, Top 25 Sites, Uploaded Data, User Agent Monitoring

  – Windows - Privileged Monitoring, Logon Failure Activity, Account Modification, Remote Access Activity

  – Unix - Summary - Daily Successful/Unsuccessful Super User Activity

  – Symantec Antivirus - Malware Detection Details

  – Storage - FabricOS/Brocade - Successful Logins, Configuration and User Changes

  – Middleware - Administrative Lockouts, Failed Logins, Illegal User

Asset Tracking

• Inventory Check of Security Eligible Devices

  – Automated process to verify that each system is active and reporting to SIEM

  – Requires a combination of SIEM reports and the Asset Management Tool

[Chart: Servers Not Registered to enVision, weekly counts (y-axis 0 to 10) for the weeks of 1/20/2010 through 8/25/2010]

enVision: Routers and Switches (Security Event Monitoring)

Group    Eligible Devices *   Registered   Percentage Eligible Devices Registered   Remarks

Team A   76                   71           93%

Team B   168                  133          79%

Team C   734                  702          96%
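The inventory check described under Asset Tracking, as an added example (not DTCC's or the asset tool's code): reconcile the asset-management export against the SIEM's device report, counting a device as registered only if an event arrived recently, and producing the per-team percentages in the form shown in the table. The host lists, dates and the seven-day staleness window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed asset-management export: eligible hostname -> owning team.
ASSETS = {"srv-a1": "Team A", "srv-a2": "Team A", "srv-a3": "Team A",
          "srv-b1": "Team B", "srv-b2": "Team B"}
# Constructed SIEM device report: hostname -> date of the last event received.
SIEM_LAST_SEEN = {"srv-a1": date(2010, 3, 1), "srv-a2": date(2010, 1, 5),
                  "srv-b1": date(2010, 3, 1), "old-box": date(2010, 3, 1)}
AS_OF = date(2010, 3, 3)   # constructed report date

def pct(registered, eligible):
    """Whole-number percentage as shown in the table (e.g. 71 of 76 -> 93)."""
    return round(100 * registered / eligible)

def reconcile(assets, last_seen, as_of, max_age=timedelta(days=7)):
    """Per team: eligible count, registered count (an event received within
    max_age of as_of), percentage, and the eligible hosts that are silent.
    Also returns 'orphans': hosts the SIEM sees but the asset tool does not list."""
    teams = {}
    for host, team in assets.items():
        row = teams.setdefault(team, {"eligible": 0, "registered": 0, "missing": []})
        row["eligible"] += 1
        seen = last_seen.get(host)
        if seen is not None and as_of - seen <= max_age:
            row["registered"] += 1
        else:
            row["missing"].append(host)   # never registered, or stopped sending logs
    for row in teams.values():
        row["pct"] = pct(row["registered"], row["eligible"])
    orphans = sorted(set(last_seen) - set(assets))
    return teams, orphans
```

A device that once registered but went quiet (srv-a2 here) lands in the missing list alongside devices that never registered, which is the case a pure "is it known to the SIEM" check misses.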

Universal Device Support Life Cycle

1. Log Collection (device log file through FTP)

2. Requirement Gathering (event ID list, message type, count, device classification {type/class}, reports, correlation rules)

3. UDS Development (log parsing, analysis, coding)

4. Testing (code testing in lab environment)

5. Customer Validation (validation of device discovery and event categorization)

6. Production Deployment (deploy the device XML into the RSA enVision production environment)

7. Final Testing and Confirmation

[Diagram: UDS Support cycle with the same seven steps: Collection, Requirement Gathering, UDS Development, Testing, Validation, Production Deployment, Final Testing and Confirmation]

Common Attack Scenario - Adversary Gains Foothold

[Diagram: Adversary, Compromised Website (www.hackedsite.com), Host 1, Host 2]

• Adversary determines that it has an interest in an organization's "protected" information

• Tainted e-mail sent to organization's users

• User clicks on link to compromised website; remote admin tool installed

• Additional tools uploaded

• Using credentials gained, adversary works to establish additional footholds

Using SIEM to Increase Your 'Luck'

[Diagram: Adversary, Compromised Website (www.hackedsite.com), Host 1, Host 2]

• Inbound email headers get logged to SIEM - compare vs. intelligence: to/from/subject and source IPs

• End user web traffic (proxy) logs to SIEM - beaconing

• Account login activity - unusual sources

• Network traffic - data upload
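The beaconing check on proxy logs, as an added example (not DTCC's or the SIEM's code): a client that calls the same destination at near-constant intervals is flagged by the low spread of its inter-request gaps. The log lines are constructed, and the column layout, the five-hit minimum and the 10% jitter tolerance are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp client destination status bytes".
PROXY_LOG = """\
2010-03-01T10:00:00 10.1.1.5 www.hackedsite.com 200 512
2010-03-01T10:00:03 10.1.1.5 www.example.com 200 48211
2010-03-01T10:05:01 10.1.1.5 www.hackedsite.com 200 512
2010-03-01T10:10:00 10.1.1.5 www.hackedsite.com 200 512
2010-03-01T10:14:59 10.1.1.5 www.hackedsite.com 200 512
2010-03-01T10:20:01 10.1.1.5 www.hackedsite.com 200 512
2010-03-01T10:07:12 10.1.1.9 www.example.com 200 9031
2010-03-01T10:31:40 10.1.1.9 www.example.com 200 1204
2010-03-01T11:02:05 10.1.1.9 www.example.com 200 770
2010-03-01T11:03:00 10.1.1.9 www.example.com 200 770
"""

def parse(lines):
    """Group request timestamps by (client, destination)."""
    out = defaultdict(list)
    for line in lines.splitlines():
        ts, client, dest, _status, _bytes = line.split()
        out[(client, dest)].append(datetime.fromisoformat(ts))
    return out

def find_beacons(lines, min_hits=5, max_jitter=0.1):
    """Return (client, dest, interval_seconds) for pairs whose inter-request
    gaps are nearly uniform: standard deviation / mean gap <= max_jitter.
    Pairs with fewer than min_hits requests are ignored to avoid noise."""
    beacons = []
    for (client, dest), stamps in parse(lines).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, dest, round(avg)))
    return beacons
```

Ordinary browsing to www.example.com from 10.1.1.9 has irregular gaps and is not flagged even when the hit minimum is lowered.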

Common Attack Scenario - Data Mining

[Diagram: Adversary, Host 1, Host 2, File Server]

• Using network flow data to see connections from Host 1 to Host 2 (forensic)

• Remote host may or may not be the same IP/domain as the initial attack

• Multiple files are typically extracted as an encrypted bundle

• Data mining typically occurs on file servers via share permissions

SIEM on Data Mining Attacks

[Diagram: Adversary, Host 1, Host 2, File Server]

• Adversary frequently will perform data mining through a host (Host 2) other than the initially compromised host (Host 1)

• Today's SIEM can't tie all these threads together - use DLP or other tools to watch for encrypted payloads from unusual places

• Good question!?! - some folks have tried using usage activity monitoring
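The forensic pivot through flow data described on the two Data Mining slides, as an added example (not DTCC's or the SIEM's code): starting from the known-compromised Host 1, follow host-to-host connections to Host 2, then Host 2's share access to a file server, then a later large transfer from Host 2 to an external address. The flow records, addresses, port list and the 1 MB upload threshold are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
FILE_SERVERS = {"10.0.5.20"}               # constructed: known file server addresses
ADMIN_PORTS = {22, 445, 3389}              # ports that suggest host-to-host access
# Constructed flow records: (timestamp, src, dst, dst_port, bytes_sent_by_src)
FLOWS = [
    ("2010-03-01 10:20", "10.0.1.10", "203.0.113.7", 80, 512),          # Host 1 beacon
    ("2010-03-01 13:05", "10.0.1.10", "10.0.1.44", 445, 20480),         # Host 1 -> Host 2
    ("2010-03-01 13:40", "10.0.1.44", "10.0.5.20", 445, 3000000),       # Host 2 -> file server
    ("2010-03-01 14:00", "10.0.1.44", "10.0.1.50", 445, 9000),          # Host 2 -> another host
    ("2010-03-01 14:30", "10.0.1.50", "203.0.113.7", 80, 900),          # small, ignored
    ("2010-03-01 22:15", "10.0.1.44", "198.51.100.9", 443, 2500000),    # Host 2 -> external upload
]

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def trace_data_mining(flows, first_host, upload_threshold=1000000):
    """Return chains (host1, host2, file_server, external_dst, bytes): host2 was
    reached from host1 on an admin port, later read a file server over 445, and
    afterwards sent at least upload_threshold bytes to an external address."""
    laterals = {dst for _, src, dst, port, _ in flows
                if src == first_host and port in ADMIN_PORTS and is_internal(dst)}
    chains = []
    for host2 in sorted(laterals):
        # earliest time host2 touched each known file server
        servers = {}
        for ts, src, dst, port, _ in sorted(flows):
            if src == host2 and dst in FILE_SERVERS and port == 445:
                servers.setdefault(dst, ts)
        uploads = [(ts, dst, b) for ts, src, dst, _, b in flows
                   if src == host2 and not is_internal(dst) and b >= upload_threshold]
        for fs, fs_ts in sorted(servers.items()):
            for ts, dst, b in sorted(uploads):
                if ts > fs_ts:   # the upload must follow the share access
                    chains.append((first_host, host2, fs, dst, b))
    return chains
```

The chain only exists when all three threads are present in the flow data; a SIEM that has only the proxy or only the Windows logs cannot build it, which is the gap the slide points at.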

Questions?

Email: MClancy [@] dtcc.com

Phone: 212.855.8842