rsa 2006 - visual security event analysis

Visual Security Event Analysis Raffael Marty, GCIA, CISSP ArcSight Inc. 02/14/06 – HT2-103

Post on 23-Sep-2014


DESCRIPTION

Security Analysis presentation from RSA 2006

TRANSCRIPT

Page 1

Visual Security Event Analysis

Raffael Marty, GCIA, CISSP, ArcSight Inc.

02/14/06 – HT2-103

Page 2

Disclaimer

IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.

Page 3

Who Am I?

● Raffael Marty, GCIA, CISSP

● Strategic Application Solutions @ ArcSight, Inc.

● Intrusion Detection Research @ IBM Research

● IT Security Consultant @ PriceWaterhouse Coopers

● Open Vulnerability and Assessment Language (OVAL) board member

● Speaker at Various Security Conferences

● Passion for Visual Security Event Analysis

see http://afterglow.sourceforge.net

Page 4

Table Of Contents

• The Security Monitoring Challenge

• Solving Event Overload - Today

— Normalization

— Prioritization

— Correlation

• Visual Security Event Analysis

— Situational Awareness

— Real-time Monitoring

— Forensic and Historical Analysis

Page 5

A Picture is Worth a Thousand Log Entries

Detect the Expected & Discover the Unexpected

Make Better Decisions

Reduce Analysis and Response Times

Page 6

Typical Security Monitoring Challenges

Four challenge areas: Accuracy, Efficiency, Complexity, Reporting … and do it all cost effectively

Voices from the operations floor:

“I wish I could see prioritized and relevant information!”

“How can we prioritize and communicate efficiently?”

“How can I manage this flood of data?”

Reporting: “How can I demonstrate compliance?”

Page 7

The Needle in the Haystack

Security information / events, layered from the full raw stream down to the needle: Raw events, Normal, Audit trail, Failed attacks, False alarms, Pre-attacks, Attack formation, Policy violations, Identified vulnerabilities, Misuse, Potential breaches, Verified breaches

Volumes shrink with each layer: Tens of millions per day → Millions per day → Less than 1 million per month → A few thousand per month

Analysis themes: Insider Threat, Compliance, Defense in Depth

Page 8

Solving Event Overload - Today

Page 9

Data Analysis Components

(Figure axis: Intelligence)

• Collection, Normalization, and Aggregation

• Risk-based Prioritization with Vulnerability and Asset Information

• Real-time Correlation across event sources

— Rule-based Correlation

— Statistical Correlation

• Advanced Analytics

— Pattern Detection

Page 10

Event Normalization and Categorization

Sample Raw Pix Events:

Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346

Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013

Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)

Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

(Figure: Normalization and Categorization of the sample events)
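Added example, not code from the slides or from ArcSight's product: a normalizer and categorizer for the four raw PIX lines above, reused here as constructed input. The field names and category strings are this example's own assumptions; for the "Built outbound" message the initiating inside host is listed second in the text, so the example swaps the endpoints to make it the source.

```python
import re
from datetime import datetime

# Constructed input: the four raw PIX lines from the slide (addresses obfuscated per its disclaimer).
RAW_PIX = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]
HEADER = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# Real endpoints only (mapped addresses in parentheses are skipped), with an optional interface prefix.
ENDPOINT = re.compile(r"(?<![\w(.])(?:(?P<iface>\w+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)")
# PIX message id -> (category, action). The category strings are an assumed taxonomy for this example.
CATEGORIES = {
    "106011": ("/Firewall/Access/Deny", "deny"),
    "106015": ("/Firewall/Access/Deny", "deny"),
    "302013": ("/Firewall/Connection/Built", "permit"),
    "305011": ("/Firewall/Translation/Built", "permit"),
}

def normalize(line):
    """Parse one PIX syslog line into a flat, device-independent event dict."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a PIX syslog line: " + line)
    body = m.group("body")
    ends = list(ENDPOINT.finditer(body))
    if len(ends) < 2:
        raise ValueError("expected two endpoints: " + line)
    src, dst = ends[0], ends[1]          # textual order: src/from ... dst/to
    if "outbound" in body:               # 302013 lists the outside host first; the inside host initiated
        src, dst = dst, src
    proto = re.search(r"\b(tcp|udp|icmp)\b", body, re.I)
    category, action = CATEGORIES.get(m.group("msgid"), ("/Firewall/Unknown", "unknown"))
    return {
        "timestamp": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "device_product": "PIX",
        "device_severity": int(m.group("sev")),   # syslog level: 3 = error, 6 = informational
        "signature_id": m.group("msgid"),
        "category": category,
        "action": action,
        "protocol": proto.group(1).upper() if proto else None,
        "src_iface": src.group("iface"), "src_ip": src.group("ip"), "src_port": int(src.group("port")),
        "dst_iface": dst.group("iface"), "dst_ip": dst.group("ip"), "dst_port": int(dst.group("port")),
    }

def normalize_all(lines=RAW_PIX):
    return [normalize(line) for line in lines]
```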

Page 11

Risk-based Prioritization

(Figure: event sources — Windows Systems, Unix/Linux/AIX/Solaris, Security Devices, Mainframe & Apps, Databases — send Events through Agents to the Collector; a Vulnerability Scanner and Asset Information feed in through Agents as well; the output is a Prioritized Event)

Priority inputs: Model Confidence, Relevance, Severity, Asset Criticality, Agent Severity

Page 12

Event Correlation

• Most overused and least well-defined concept in ESM.

• Combine multiple events through predefined rules or analyze statistical properties of event streams

— Across devices

— Heavily utilizing event categorization

• Helps eliminate false positives

• Correlation is not prioritization!

— Can use priorities of individual events

Page 13

Four Types of Real-time Correlation

• Simple Event Match

• Complex Multi-Event Match

Example: Failed logins on Windows systems and Failed logins on UNIX systems → 5 or more failed logins in a minute from same source → Attempted Brute Force Attack

Example: Attempted Brute Force Attack + Successful login to Windows systems → Attempted Brute Force Attack + Successful Login

Page 14

Four Types of Real-time Correlation

• Statistical

— Mathematical model

Example: 50% increase in traffic per port and machine? (Traffic per port going to 10.0.0.2)

• Stateful

— Manual Population

Example: User on terminated employee list tries to login (list of users: jdoe, ram, …; Login attempt from user ram)

(Figure: the four types — Simple, Complex Correlation, Statistical, Stateful)
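Added example covering the correlation types on this slide and the previous one; it is not code from the slides or from ArcSight. A small stateful correlator runs over constructed, already-normalized login events: it raises the brute-force and brute-force-plus-successful-login alerts of page 13, checks every login against a manually populated terminated-employee list, and flags a 50% traffic increase per machine and port. The event tuple layout, thresholds and alert names are assumptions.

```python
from collections import defaultdict, deque

# Constructed, already-normalized login events: (seconds, category, source address, user, target platform).
EVENTS = [
    (0, "login_failure", "10.0.0.7", "jdoe", "windows"),
    (10, "login_failure", "10.0.0.7", "jdoe", "unix"),
    (20, "login_failure", "10.0.0.7", "admin", "windows"),
    (30, "login_failure", "10.0.0.7", "root", "unix"),
    (40, "login_failure", "10.0.0.7", "jdoe", "windows"),  # 5th failure within 60 s
    (55, "login_success", "10.0.0.7", "jdoe", "windows"),  # success right after the brute force
    (70, "login_failure", "10.0.0.9", "bob", "unix"),
    (80, "login_failure", "10.0.0.9", "ram", "unix"),      # ram is on the terminated list
]
TERMINATED = {"ram"}            # stateful list, populated manually (slide 14)
WINDOW, THRESHOLD = 60, 5       # "5 or more failed logins in a minute from same source"

def correlate(events, terminated=TERMINATED):
    """Run simple, multi-event and stateful correlation over a time-ordered event stream."""
    failures = defaultdict(deque)  # source -> failure timestamps inside the sliding window
    brute_forced = {}              # source -> time of its brute-force alert (state for escalation)
    alerts = []
    for ts, category, source, user, _platform in events:
        # Simple match: the normalized category covers Windows and UNIX failures alike.
        if category == "login_failure":
            q = failures[source]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and source not in brute_forced:
                brute_forced[source] = ts
                alerts.append((ts, "Attempted Brute Force Attack", source, None))
        # Multi-event match: a success from a source that already triggered the brute-force alert.
        elif category == "login_success" and source in brute_forced:
            alerts.append((ts, "Attempted Brute Force Attack + Successful Login", source, user))
        # Stateful list match: any login activity by a user on the terminated-employee list.
        if user in terminated:
            alerts.append((ts, "Login attempt by terminated user", source, user))
    return alerts

def traffic_spike(baseline, current, ratio=1.5):
    """Statistical correlation: (machine, port) pairs whose traffic rose 50% or more over the baseline."""
    return sorted(key for key, count in current.items()
                  if baseline.get(key, 0) > 0 and count >= ratio * baseline[key])
```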

Page 15

Advanced Analytics - Pattern Detection

• Automatically detect repetitive event patterns

• Capability to detect new worms, malware, system misconfigurations, etc.

• Automatically create correlation rules to flag new occurrences of attack

Detected pattern (Name | Device Product):

NETBIOS DCERPC Activation little endian bind attempting | Snort

NETBIOS DCERPC System Activity path overflow attempt little endian unicode | Snort

Tagged Packet | Snort

SHELLCODE x86 NOOP | Snort

NETBIOS DCERPC Remote activity bind attempt | Snort

Page 16

Visual Security Event Analysis

Page 17

Why a Visual Approach Helps

A picture tells more than a thousand log lines

Page 18

Visual Approach – Benefits I

• Multiple views on the same data

Page 19

Visual Approach – Benefits II

• Selection and drill-down

• Color by different properties

Page 20

Three Aspects of Visual Security Event Analysis

• Situational Awareness

— What is happening in a specific business area (e.g., compliance monitoring)

— What is happening on a specific network

— What are certain servers doing

• Real-Time Monitoring and Incident Response

— Capture important activities and take action

— Event Workflow

— Collaboration

• Forensic and Historic Investigation

— Selecting arbitrary set of events for investigation

— Understanding big picture

— Analyzing relationships - Exploration

— Reporting

Page 21

Situational Awareness

Page 22

Instant Awareness

Page 23

Event Graph Dashboard

Page 24

MMS CDRs

(Figure: link graph of MMS call detail records with the fields From Phone #, To Phone #, MSG Type)

Page 25

Geo Spatial Visualization

Page 26

Real-time Monitoring

Page 27

Real-time Monitoring – Detect Activity

Page 28

Analysis Process

(Figure: process flow with the stages Real-time Data Processing, Visual Detection, Visual Investigation, Assign to 2nd Level Analysis, Creation of new Filters and Correlation Components, Assign Ticket for Operations, Automatic Action / Automatic Remediation, and Forensic and Historical Analysis)

Page 29

Visual Detection and Investigation

Beginning of Analyst’s shift

Page 30

Visual Detection

Scan Events / Firewall Blocks: scanning activity is displayed

Page 31

Visual Investigation

Page 32

Define New Correlation Rules and Filters

1. Rule: Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine

2. Filter: Internal machines on white-list connecting to active directory servers

3. Open a ticket for Operations to quarantine and clean infected machines
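Added example of the rule, filter and ticket step defined above, not the slides' or ArcSight's own code: the white-list filter suppresses internal machines talking to active directory servers, the rule flags an external machine with more than 20 drops to one internal machine, and the remaining edge counts are what a link graph of firewall blocks like the one on the previous slides is drawn from. The internal ranges, the AD server and white-list addresses and the drop sample are constructed.

```python
import ipaddress
from collections import Counter

# Constructed network model: internal ranges, active directory servers and the white-list.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
AD_SERVERS = {"10.1.1.10", "10.1.1.11"}
WHITELIST = {"10.2.0.5"}        # internal machines allowed to talk to the AD servers
DROP_THRESHOLD = 20             # rule: "more than 20 firewall drops"

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def passes_filter(src, dst):
    """Filter (step 2): drop white-listed internal machines connecting to active directory servers."""
    return not (src in WHITELIST and dst in AD_SERVERS)

def graph_edges(drops):
    """Count the remaining (src, dst) pairs; this is what a link graph of firewall blocks is drawn from."""
    return Counter(pair for pair in drops if passes_filter(*pair))

def flag_external_drops(drops, threshold=DROP_THRESHOLD):
    """Rule (step 1): more than `threshold` drops from one external machine to one internal machine."""
    return [(pair, n) for pair, n in graph_edges(drops).most_common()
            if n > threshold and not is_internal(pair[0]) and is_internal(pair[1])]

def tickets(drops):
    """Step 3: one ticket per flagged internal machine for Operations to quarantine and clean it."""
    return [{"assignee": "Operations", "host": dst, "reason": f"{n} drops from external {src}"}
            for (src, dst), n in flag_external_drops(drops)]

# Constructed (src, dst) pairs taken from firewall deny events; 203.0.113.0/24 stands in for external space.
SAMPLE_DROPS = ([("203.0.113.8", "10.1.5.20")] * 25    # external -> internal, over the threshold
                + [("203.0.113.9", "10.1.5.21")] * 20  # exactly 20: not "more than 20"
                + [("10.2.0.5", "10.1.1.10")] * 30     # white-listed AD traffic, filtered out
                + [("10.3.3.3", "10.1.1.10")] * 30)    # internal -> internal: drawn, but outside the rule
```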

Page 33

Real-time Analysis - Summary

• Benefits of Visual Analysis

— Visually driven process for investigating events

— Visual investigation helps

• getting a quick turn-around

• detecting new and previously unknown patterns (i.e. incidents)

— Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.

Page 34

Forensic and Historical Analysis

Page 35

Forensic and Historical Investigation

• Three Areas of Concern

— Defense in Depth

— Insider Threat

— Compliance

Page 36

Defense In Depth - Port Scan Detection

Page 37

Analysis - Port Scan?

Page 38

Insider Threat – User Reporting

High ratio of failed logins

Page 39

Insider Threat - Email Problems

(Figure: email delivery delay graph; legend: 2:00 < Delay < 10:00, Delay > 10:00; fields: To, Delay)

Page 40

Compliance – Business Reporting

• Attacks targeting internal systems

(Figure: Attacks vs. Revenue Generating Systems)

Page 41

Compliance - Business Reporting

Page 42

Summary

Detect the expected

& discover the unexpected

Make better decisions

Reduce analysis and response times

Page 43

Q & A

Email: [email protected]

Raffael Marty, ArcSight, Inc.