Security Information and Event Management for Private Clouds

Dean Faculty of Engineering & Applied Sciences Director Information Technology Professor of Electrical Engineering DHA Suffa University Karachi, Pakistan

Dr. Athar Mahboob

Pakistan CIO Summit 2013 May 21-22, 2013

Agenda

Introduction to Security Information and Event Management Understand the business case for a SIEM solution Understand the technical architecture of a SIEM solution Get familiar with an economical and open source SIEM solution OSSIM
2

Typical Private Cloud

Thin Clients High Speed Campus Network
600+ network nodes in 8 segments covering all offices and Labs at DSU connecting to a High Performance Network Core

Wireless Network

Infrastructure Access Points and smaller access points provide wireless networking coverage to entire DSU campus.

IT Applications

Laptop

PDA

LMS Email Timetable Student Feedback Online Admission Test Instant Messaging Network Mgmt Service Directory Services Terminals Services Desktop Applications Engineering Design Apps Online Admission Application Storage Services Video Conference Service ERP Accounting Student Records Library Management

DSU Private Cloud (Data Center) SAN Xen Hypervisor

ERP, LMS, Email

DSU Data

Virtual Private Network VPN

DSU Firewall

VPN access to DSU Network for Faculty and Students. Through VPN all IT services can be accessed securely from any remote location Email Web

Multiple redundant media high-speed Internet Links

Servers
PERN Video Conferencing

Internet 10 + 10 MBPS

HEC Digital Library Social Media

Threat Economy: Historic Attacker Motivations

Writers
Tool and Toolkit Writers Malware Writers Worms Viruses Trojans

Asset
Compromise Individual Host or Application

End Value
Fame Theft Espionage (Corporate/ Government)

Compromise Environment

Take Away: Fame was by far the dominant motivator

From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect Northeast US, CISSP, GCIA

Threat Economy: Today

Writers
Tool and Toolkit Writers

First Stage Abusers

Hacker/Direct Attack

Middle Men
Compromised Host and Application

Second Stage Abusers

End Value
Fame Theft Espionage (Corporate/ Government) Extorted Pay-Offs

Malware Writers Worms Viruses Trojans Spyware Information Harvesting Machine Harvesting Bot-Net Creation Extortionist/ DDoS-for-Hire

Bot-Net Management: For Rent, for Lease, for Sale

Spammer Commercial Sales Phisher Fraudulent Sales

Personal Information Information Brokerage

Pharmer/DNS Poisoning

Advertising Revenue Financial Fraud

Take Away 2: Multiple methods to achieve goal

Internal Theft: Abuse of Privilege

Identity Theft Electronic IP Leakage

Take Away 3: Sustainable economy, resilient to shocks

Take Away 1: For-Profit end values

From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect Northeast US, CISSP, GCIA

New Threat Economy

From: http://www.scmagazineus.com/hacker-arrested-in-greece-for-stealing-selling-weapons-data/article/104718/

New Threat Economy

From: http://www.wired.com/threatlevel/2008/10/fed-blotter-new/

All is fair in love and war !!!

STATE ACTORS ARE PART OF THE THREAT ECONOMY TOO PUBLIC-PRIVATE PARTNERSHIP :-)

APT - Example

June, 2010 StuxNet Worm Target: Natanz Nuclear Facility Motivation: Cyber Sabotage?

Advanced Persistent Threat APT

The attack techniques started from self replicating code evolved into Advanced Persistent Threat
Use 0-day Be stealthy Target users Target indirectly Exploit multi-attack vectors Use state-of-the-art technique Be Persistent

Hacking is no more about fun

Corporate Espionage State Secrets Cyber Sabotage

10

StuxNet How It Spread?

Exploited Four Zero Day Vulnerabilities

11

12

US Killer Spy Drones Controls Switch to Linux

13

Old Windows

14

New Linux

15

Drivers for Information Security Management

Regulatory Compliance

HIPAA, SOX, FISMA, GLBA, FDA, PCI, Basel II, OSHA and ISO 27002 Need to respond timely to security events
HIPAA: Health Insurance Portability and Accountability Act SOX: Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX FISMA: The Federal Information Security Management Act of 2002 FDA: The Food and Drug Administration PCI Data Security Standard (PCI DSS): The Payment Card Industry (PCI) and Validation Regulations Basel II: The New Accord: International Convergence of Capital Measurement and Capital Standards GLBA: Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act ISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) OSHA: The United States Occupational Safety and Health Administration

Information security breaches are costly

Information systems environment is heterogeneous, multi-vendor, and complex

compliance - a state or acts of accordance with established standards, specifications, regulations, or laws. Compliance more often connotes a very specific following of the provided model and is usually the term used for the adherence to government regulations and laws
http://searchcio.techtarget.com/sDefinition/0,,sid182_gci947386,00.html

16

17

SIEM versus ISM

Information Security Management

SIEM Security Information and Event Management

SIM Security Information Management SEM Security Event Management

18

SIEM

A SIEM or SIM is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software [or hardware] running on the network A new concept (About 10 Years old) A natural evolution of log management A SIEM enables organizations to achieve roundthe-clock pro-active security and compliance.
19

Beginnings of SIEM are in Log Management

Log management Automation in collection of logs in a central place e.g. syslog-ng Tools for log searching and analysis Still a dependence on expert human for analysis

Typical human expert cannot process more than a 1000 events a day
20

Conclusion - automate more

Logs
What Logs? Audit Logs Transaction Logs Intrusion Logs Connection Logs System Performance Records User Activity Logs Misc. alerts and other messages From Where? Firewalls/Intrusion Prevention Routers/switches Intrusion Detection Servers, Desktops, Mainframes Business Applications Databases Anti-virus VPNs 21

Inverted Pyramid of Event Significance

85,000 Events

UNIX Syslogs

Windows Event Logs

1,036,800 Events

IDS and Access Logs

1,100,000 Events

787,000 Events

Firewall

12,000 Events

Antivirus

3 MILLION 15,000 24 8

TOTAL EVENTS CORRELATED EVENTS DISTINCTIVE SECURITY ISSUES INCIDENTS REQUIRING ACTION

22

The Challenge of SIEM

Billions and Billions of events

Firewalls, IDS, IPS, Anti-Virus, Databases, Operating Systems, Content filters Information overload

Lack of standards Difficult correlation

Making sense of event sequences that appear unrelated False positives and validation issues Heterogeneous IT environment
23

Technical Drivers of SIEM

React Faster!

Too much data, but not enough information High Signal To Noise Ratio No situational awareness Too many tools to isolate root cause

Improve Efficiency

Compliance requirements Nothing gets shut down Cost center reality 24

Reduce risk and cost

Reduce risk and cost by dramatically reducing the time it takes to effectively respond

Risk/Cost

Time to remediate
25

Business Objectives of SIEM

Increase overall security posture of an organization Turn chaos into order Aggregate log file data from disparate sources Create holistic security views for compliance reporting Identify and track causal relationships in the network in near real-time Build a historical forensic foundation
26

Generic SIEM Architecture

R Box

R Box

Reaction and reporting Collect

Inputs from target sources Agent and agentless methods

A Box

K Box

A Box

Incident Analysis

K Box

Knowledge base

Aggregate
D Box

D Box

Formatted messages database

Bring all the information to a central point

Normalize
Translate disparate syntax into a standardized one

C Box

C Box

C Boxes

Correlate
If A and B then C

Collection boxes

Report
State of health Policy conformance

E Box

E Box

E Box

E Box

E Box

E Boxes

Event generators: sensors & pollers

Archive

27

NOC vs SOC
Separates auditing role from operations role

28

State-of-the-art Cyber Security Operations Center, a comprehensive cyber threat detection and response center that focuses on protecting Northrop Grumman and its customers networks and data worldwide. (Northrop Grumman)

29
http://www.armybase.us/2009/07/northrop-grumman-opens-cyber-security-operations-center/

Reactive
Incident Response, Notification, Tracking, Analysis, Containment, Eradication, and Remediation

Proactive
Network Vulnerability Scanning: Network, Systems

Predictive
Strategic Analysis

S O C

Incident Detection Systems (IDS)

Vulnerability Handling

Threat Management & Correlation System

Computer Forensics & Malware Analysis

Third-Party Pen. Testing (3rd Party) Email Filtering & Blocking DNS Sinkhole Threat Tracking, Monitoring, & Mitigation Patch/Asset Management

Situational Awareness: Log Monitoring, Event Aggregation and Correlation (SIM) Flow/Network Behavior Monitoring Host Based Monitoring System (HBSS): Antivirus, Firewall, Anti-Malware, Application White listing Active Protection: Intrusion Prevention System (IPS)

Web & Application Scanning

30

Linux and Open Source

Business model is based on services alone:

Implementation Customizations Training Documentation Support

A fair and consumer friendly business model for software because:

Software is incrementally developed Software is infinitely replicable

31

Clearing Misconceptions About Open Source

Open source is free software ! Software is free, people are not ! Free as in freedom not necessarily as in free beer Open source is a viable business model Open source is a better software engineering methodology
Given enough eye-balls, all bugs are shallow Linus' Law
32

Why Open Source for SIEM?

Commercial products have a high cost of entry barrier User can become confused with the:

Marketing terms Feature bloat

Open source SIEM has matured can compete head-on with commercial offerings Open Source SIEM can even be used as a learning tool requirements analysis tool for a commercial SIEM specifications
33

Open Source Security Information Management - OSSIM

Made of best of breed open source security tools: snort, ntop, nmap, nagios Full installer plug & play Integrated Graphical Management Console Includes Reporting Engine (JasperReports) with pre-designed reports Commercially supported - AlienVault Implemented in local companies
34

Magic Quadrant for Security Information and Event Management - 2011

35

Magic Quadrant for Security Information and Event Management - 2012

Source: Gartner (May 2012)

36

OSSIM Pros

Extendable Stable Low cost Works with native tools and mechanisms

Easier to integrate Less overhead

Wide range of tools combined into one solution

37

OSSIM - Integrated Tools

Snort Ntop Fprobe NFDump NFSen OCS Nagios OpenVAS Nikto OSVDB OSSEC KISMET NMAP P0f ArpWatch

38

OSSIM Web Interface

39

SIEM Concepts

Detection and Collection

40

Active Versus Passive Tools

The different tools integrated in OSSIM can be classified into two categories:

Active: They generate traffic within the network which is being monitored. Passive: They analyze network traffic without generating any traffic within the network being monitored.

The passive tools require a port mirroring /port span configured in the network equipment. 41

Sensors: Data Sources

Data Source
Any application or device that generates events within the network that is being monitored External Data Sources
Network Devices: Routers, Switches, Wireless AP... Servers: Domain Controller, Email server, LDAP... Applications: Web Servers, Databases, Proxy... Operating Systems: Linux, Windows, Solaris...

Collectors

Internal Data Sources

Collect information on the network level
Intrusion Detection Vulnerability Detection Anomaly Detection Discovery, Learning & Network Profiling Inventory Systems

Detectors

42

Sensor: Collection
The Sensor can aggregate events using multiple collection methods

43

Sensor: Detection
Detection is done by setting the Sensors NIC into promiscuous mode to collect all the traffic on the monitored network
HUB Port Mirroring/Spanning Network Tap

44

Event
Any log entry generated by any Data Source at application, system or network level will be called an event. For SIEM it is important to know:
When has the event been generated? What is involved? (Systems, users, ) Which application generated the event? Whats the event type?

45

The SIEM
The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:
Real-time Event processing Risk metrics Risk assessment Correlation Policies Management Active Response Incident Management Reporting 46

Logger Secure Reliable Storage

The Logger component stores events in raw format in the file system. Events are digitally signed and stored en masse ensuring their admissibility as evidence in a court of law. The logger component allows storage of an unlimited number of events for forensic purpose. For this purpose the logger is usually configured so that events are stored in a NAS / SAN network storage system. 10:1 Compression to save Disk Space
47

Database
The AlienVault database runs on a MySQL server SIEM Events, configurations, and inventory information are stored in the Database Database is a required component in any AlienVault deployment, even if no Logger is being used

48

Detection
The process of identifying behavior that leads to the generation of an event Multiple elements that can be used by SIEM to provide detection capabilities:
Snort, Ntop, Arpwatch (Example Data Sources included in AlienVault) Existing corporate applications/tools Tools that have been deployed prior to SIEM installation (Firewalls, Antivirus)

49

Collection
The task that determines which events shall be collected into the Server Collection is done by the Sensors Server can collect events using multiple methods:
Some require configuring the Data Source to send events to the Sensor (E.g.: Syslog, FTP...) Other require the Sensor gathers the events from the application or device (WMI, SQL, SCP...)

50

Normalization
The process of translating the events generated by different tools into a unique and normalized format
Normalization is done in the Sensor Log information is normalized using regular expressions by AlienVault Sensors

End Device/App

Sensor

Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root

event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0 plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root" log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"

SIEM Server

51

Data Source
A Data Source is any application or device that generates logs, events and information AlienVault can collect events from any Data Source by using a Data Source Connector (Plugin)

52

Data Source ID
The Data Source ID (Formerly known as Plugin_id) is a unique number used by AlienVault to identify each of the Data Source types that send events to AlienVault
This number is used in correlation rules and when defining Policy Rules

53

Event Type
The Event Type (Formerly known as Plugin_sid) is a unique number (Within each Data Source) that identifies the different events a Data Source is able to generate.
The Event Type always has to be associated to a Data Source ID, since multiple Data Source ID can share common Event Types.
(E.g.: 404 Event Type in Apache and IIS)

54

Assets
An Asset is any device available on a network that is being monitored by SIEM
Assets in AlienVault have a value (0-5). Each Asset will have a different value depending on their task within the network Assets in AlienVault:

55

Asset Value
Every Asset in AlienVault has an Asset Value (0-5)
Assets not defined within the AlienVault Inventory have a default

Asset Value of 2
Assets will have different values depending on their role within the

monitored network
E.g.: A printing company
Printers will be a very high asset value

E.g.: A company offering Web hosting

Web servers and database servers will be a valuable asset while printers on the other hand wont be so important.

56

Defining an Asset in OSSIM

57

Event Priority
Priority is the importance of the event itself It is a measure which tries to determine the relative impact an event could have in our network.
Priority is a value between 0 and 5
0 1 2 3 4 5 No importance Very Low Low Average Important Very Important

58

Event Reliability
Reliability determines the probability of an attack being real or not.
E.g.: A single authentication failure.
Would you be able to determine if it is a real attack (Brute Force attack) using a single event?

Reliability can be a value between 0 and 10

0 False Positive 1 10% chance of being an attack 2 20% chance of being an attack 10 Real attack

59

Event Risk
The SIEM calculates a risk for each event processed in the SIEM
The Event Risk is a numeric value (0-10)

60

Alarm
Any event with a risk value greater than or equal to 1 will become an alarm.
An alarm is a special type of event since it can have more than one event originating it. Correlation doesnt generate alarms (done by server during R.A), it will generate new events that may or may not become alarms.

61

Correlation
Correlation is the process of transforming various input data into a new output data element Using correlation we can transform two or more input events into a more reliable output event Through correlation of various events from disparate data sources a SIEM delivers greater Security Intelligence

62

Aggregated Risk
Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an Aggregated risk indicator for each asset of the network
This aggregated risk is stored in two properties of each asset within AlienVault
Compromise: Compromise means a network element is generating lots of events as source, this is, its behaving like if its been compromised Attack: Attack is a value that measures the level of attack an element has received in our network, that is, how much it has been attacked

63

Compromise Value
Compromise value is increased by taking into account the risk of the event calculated using the Asset Value of the source (The Asset value of the destination is ignored even if it is higher)
This value increases the compromise value of the host, the compromise value of the host groups, networks and network groups the host belongs to, as well as the global compromise

64

Attack Value
Attack value is increased by taking into account the risk of the event calculated using the Asset Value of the destination (The Asset value of the source is ignored even if it is higher)
This value increases the attack value of the host, the attack value of the host groups, networks and network groups the host belongs to, as well as the global attack value

65

From Alarm to Ticket

Alarms can be ignored or can be converted to tickets Tickets can be assigned to IS or IT officers The ticket life cycle is the Security Event handling/management

66

Security Event Management

67

Conclusions
OSSIM provides SIEM capabilities to small and medium sized organizations OSSIM leverages best of breed open source tools and combines them into integrated SIEM to manage security events OSSIM can be setup quickly time is money

68

Thank You !

69