The document discusses security information and event management (SIEM) solutions for private clouds. It provides an agenda that includes an introduction to SIEM, understanding the business case for SIEM, understanding SIEM technical architecture, and an overview of the open source SIEM solution OSSIM. The document also includes examples of typical private cloud architectures, the evolving threat economy and motivations of attackers, and how SIEM solutions help address security challenges through log management, event correlation, and gaining situational awareness.
The document discusses security information and event management (SIEM) solutions for private clouds. It provides an agenda that includes an introduction to SIEM, understanding the business case for SIEM, understanding SIEM technical architecture, and an overview of the open source SIEM solution OSSIM. The document also includes examples of typical private cloud architectures, the evolving threat economy and motivations of attackers, and how SIEM solutions help address security challenges through log management, event correlation, and gaining situational awareness.
The document discusses security information and event management (SIEM) solutions for private clouds. It provides an agenda that includes an introduction to SIEM, understanding the business case for SIEM, understanding SIEM technical architecture, and an overview of the open source SIEM solution OSSIM. The document also includes examples of typical private cloud architectures, the evolving threat economy and motivations of attackers, and how SIEM solutions help address security challenges through log management, event correlation, and gaining situational awareness.
The document discusses security information and event management (SIEM) solutions for private clouds. It provides an agenda that includes an introduction to SIEM, understanding the business case for SIEM, understanding SIEM technical architecture, and an overview of the open source SIEM solution OSSIM. The document also includes examples of typical private cloud architectures, the evolving threat economy and motivations of attackers, and how SIEM solutions help address security challenges through log management, event correlation, and gaining situational awareness.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online from Scribd
Download as pdf or txt
You are on page 1/ 69
Security Information and Event Management for Private Clouds
Dean Faculty of Engineering & Applied Sciences Director Information Technology Professor of Electrical Engineering DHA Suffa University Karachi, Pakistan
Dr. Athar Mahboob
Pakistan CIO Summit 2013 May 21-22, 2013
Agenda
Introduction to Security Information and Event Management Understand the business case for a SIEM solution Understand the technical architecture of a SIEM solution Get familiar with an economical and open source SIEM solution OSSIM 2
Typical Private Cloud
Thin Clients High Speed Campus Network 600+ network nodes in 8 segments covering all offices and Labs at DSU connecting to a High Performance Network Core
Wireless Network
Infrastructure Access Points and smaller access points provide wireless networking coverage to entire DSU campus.
IT Applications
Laptop
PDA
LMS Email Timetable Student Feedback Online Admission Test Instant Messaging Network Mgmt Service Directory Services Terminals Services Desktop Applications Engineering Design Apps Online Admission Application Storage Services Video Conference Service ERP Accounting Student Records Library Management
DSU Private Cloud (Data Center) SAN Xen Hypervisor
ERP, LMS, Email
DSU Data
Virtual Private Network VPN
DSU Firewall
VPN access to DSU Network for Faculty and Students. Through VPN all IT services can be accessed securely from any remote location Email Web
Multiple redundant media high-speed Internet Links
Servers PERN Video Conferencing
Internet 10 + 10 MBPS
HEC Digital Library Social Media
Threat Economy: Historic Attacker Motivations
Writers Tool and Toolkit Writers Malware Writers Worms Viruses Trojans
Asset Compromise Individual Host or Application
End Value Fame Theft Espionage (Corporate/ Government)
Compromise Environment
Take Away: Fame was by far the dominant motivator
From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect Northeast US, CISSP, GCIA
Threat Economy: Today
Writers Tool and Toolkit Writers
First Stage Abusers
Hacker/Direct Attack
Middle Men Compromised Host and Application
Second Stage Abusers
End Value Fame Theft Espionage (Corporate/ Government) Extorted Pay-Offs
The attack techniques started from self replicating code evolved into Advanced Persistent Threat Use 0-day Be stealthy Target users Target indirectly Exploit multi-attack vectors Use state-of-the-art technique Be Persistent
Hacking is no more about fun
Corporate Espionage State Secrets Cyber Sabotage
10
StuxNet How It Spread?
Exploited Four Zero Day Vulnerabilities
11
12
US Killer Spy Drones Controls Switch to Linux
13
Old Windows
14
New Linux
15
Drivers for Information Security Management
Regulatory Compliance
HIPAA, SOX, FISMA, GLBA, FDA, PCI, Basel II, OSHA and ISO 27002 Need to respond timely to security events HIPAA: Health Insurance Portability and Accountability Act SOX: Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX FISMA: The Federal Information Security Management Act of 2002 FDA: The Food and Drug Administration PCI Data Security Standard (PCI DSS): The Payment Card Industry (PCI) and Validation Regulations Basel II: The New Accord: International Convergence of Capital Measurement and Capital Standards GLBA: Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act ISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) OSHA: The United States Occupational Safety and Health Administration
Information security breaches are costly
Information systems environment is heterogeneous, multi-vendor, and complex
compliance - a state or acts of accordance with established standards, specifications, regulations, or laws. Compliance more often connotes a very specific following of the provided model and is usually the term used for the adherence to government regulations and laws http://searchcio.techtarget.com/sDefinition/0,,sid182_gci947386,00.html
16
17
SIEM versus ISM
Information Security Management
SIEM Security Information and Event Management
SIM Security Information Management SEM Security Event Management
18
SIEM
A SIEM or SIM is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software [or hardware] running on the network A new concept (About 10 Years old) A natural evolution of log management A SIEM enables organizations to achieve roundthe-clock pro-active security and compliance. 19
Beginnings of SIEM are in Log Management
Log management Automation in collection of logs in a central place e.g. syslog-ng Tools for log searching and analysis Still a dependence on expert human for analysis
Typical human expert cannot process more than a 1000 events a day 20
Conclusion - automate more
Logs What Logs? Audit Logs Transaction Logs Intrusion Logs Connection Logs System Performance Records User Activity Logs Misc. alerts and other messages From Where? Firewalls/Intrusion Prevention Routers/switches Intrusion Detection Servers, Desktops, Mainframes Business Applications Databases Anti-virus VPNs 21
Inverted Pyramid of Event Significance
85,000 Events
UNIX Syslogs
Windows Event Logs
1,036,800 Events
IDS and Access Logs
1,100,000 Events
787,000 Events
Firewall
12,000 Events
Antivirus
3 MILLION 15,000 24 8
TOTAL EVENTS CORRELATED EVENTS DISTINCTIVE SECURITY ISSUES INCIDENTS REQUIRING ACTION
Making sense of event sequences that appear unrelated False positives and validation issues Heterogeneous IT environment 23
Technical Drivers of SIEM
React Faster!
Too much data, but not enough information High Signal To Noise Ratio No situational awareness Too many tools to isolate root cause
Improve Efficiency
Compliance requirements Nothing gets shut down Cost center reality 24
Reduce risk and cost
Reduce risk and cost by dramatically reducing the time it takes to effectively respond
Risk/Cost
Time to remediate 25
Business Objectives of SIEM
Increase overall security posture of an organization Turn chaos into order Aggregate log file data from disparate sources Create holistic security views for compliance reporting Identify and track causal relationships in the network in near real-time Build a historical forensic foundation 26
Generic SIEM Architecture
R Box
R Box
Reaction and reporting Collect
Inputs from target sources Agent and agentless methods
A Box
K Box
A Box
Incident Analysis
K Box
Knowledge base
Aggregate D Box
D Box
Formatted messages database
Bring all the information to a central point
Normalize Translate disparate syntax into a standardized one
C Box
C Box
C Boxes
Correlate If A and B then C
Collection boxes
Report State of health Policy conformance
E Box
E Box
E Box
E Box
E Box
E Boxes
Event generators: sensors & pollers
Archive
27
NOC vs SOC Separates auditing role from operations role
28
State-of-the-art Cyber Security Operations Center, a comprehensive cyber threat detection and response center that focuses on protecting Northrop Grumman and its customers networks and data worldwide. (Northrop Grumman)
Situational Awareness: Log Monitoring, Event Aggregation and Correlation (SIM) Flow/Network Behavior Monitoring Host Based Monitoring System (HBSS): Antivirus, Firewall, Anti-Malware, Application White listing Active Protection: Intrusion Prevention System (IPS)
Web & Application Scanning
30
Linux and Open Source
Business model is based on services alone:
Implementation Customizations Training Documentation Support
A fair and consumer friendly business model for software because:
Software is incrementally developed Software is infinitely replicable
31
Clearing Misconceptions About Open Source
Open source is free software ! Software is free, people are not ! Free as in freedom not necessarily as in free beer Open source is a viable business model Open source is a better software engineering methodology Given enough eye-balls, all bugs are shallow Linus' Law 32
Why Open Source for SIEM?
Commercial products have a high cost of entry barrier User can become confused with the:
Marketing terms Feature bloat
Open source SIEM has matured can compete head-on with commercial offerings Open Source SIEM can even be used as a learning tool requirements analysis tool for a commercial SIEM specifications 33
Open Source Security Information Management - OSSIM
Made of best of breed open source security tools: snort, ntop, nmap, nagios Full installer plug & play Integrated Graphical Management Console Includes Reporting Engine (JasperReports) with pre-designed reports Commercially supported - AlienVault Implemented in local companies 34
Magic Quadrant for Security Information and Event Management - 2011
35
Magic Quadrant for Security Information and Event Management - 2012
Source: Gartner (May 2012)
36
OSSIM Pros
Extendable Stable Low cost Works with native tools and mechanisms
The different tools integrated in OSSIM can be classified into two categories:
Active: They generate traffic within the network which is being monitored. Passive: They analyze network traffic without generating any traffic within the network being monitored.
The passive tools require a port mirroring /port span configured in the network equipment. 41
Sensors: Data Sources
Data Source Any application or device that generates events within the network that is being monitored External Data Sources Network Devices: Routers, Switches, Wireless AP... Servers: Domain Controller, Email server, LDAP... Applications: Web Servers, Databases, Proxy... Operating Systems: Linux, Windows, Solaris...
Collectors
Internal Data Sources
Collect information on the network level Intrusion Detection Vulnerability Detection Anomaly Detection Discovery, Learning & Network Profiling Inventory Systems
Detectors
42
Sensor: Collection The Sensor can aggregate events using multiple collection methods
43
Sensor: Detection Detection is done by setting the Sensors NIC into promiscuous mode to collect all the traffic on the monitored network HUB Port Mirroring/Spanning Network Tap
44
Event Any log entry generated by any Data Source at application, system or network level will be called an event. For SIEM it is important to know: When has the event been generated? What is involved? (Systems, users, ) Which application generated the event? Whats the event type?
45
The SIEM The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring: Real-time Event processing Risk metrics Risk assessment Correlation Policies Management Active Response Incident Management Reporting 46
Logger Secure Reliable Storage
The Logger component stores events in raw format in the file system. Events are digitally signed and stored en masse ensuring their admissibility as evidence in a court of law. The logger component allows storage of an unlimited number of events for forensic purpose. For this purpose the logger is usually configured so that events are stored in a NAS / SAN network storage system. 10:1 Compression to save Disk Space 47
Database The AlienVault database runs on a MySQL server SIEM Events, configurations, and inventory information are stored in the Database Database is a required component in any AlienVault deployment, even if no Logger is being used
48
Detection The process of identifying behavior that leads to the generation of an event Multiple elements that can be used by SIEM to provide detection capabilities: Snort, Ntop, Arpwatch (Example Data Sources included in AlienVault) Existing corporate applications/tools Tools that have been deployed prior to SIEM installation (Firewalls, Antivirus)
49
Collection The task that determines which events shall be collected into the Server Collection is done by the Sensors Server can collect events using multiple methods: Some require configuring the Data Source to send events to the Sensor (E.g.: Syslog, FTP...) Other require the Sensor gathers the events from the application or device (WMI, SQL, SCP...)
50
Normalization The process of translating the events generated by different tools into a unique and normalized format Normalization is done in the Sensor Log information is normalized using regular expressions by AlienVault Sensors
End Device/App
Sensor
Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root
event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0 plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root" log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"
SIEM Server
51
Data Source A Data Source is any application or device that generates logs, events and information AlienVault can collect events from any Data Source by using a Data Source Connector (Plugin)
52
Data Source ID The Data Source ID (Formerly known as Plugin_id) is a unique number used by AlienVault to identify each of the Data Source types that send events to AlienVault This number is used in correlation rules and when defining Policy Rules
53
Event Type The Event Type (Formerly known as Plugin_sid) is a unique number (Within each Data Source) that identifies the different events a Data Source is able to generate. The Event Type always has to be associated to a Data Source ID, since multiple Data Source ID can share common Event Types. (E.g.: 404 Event Type in Apache and IIS)
54
Assets An Asset is any device available on a network that is being monitored by SIEM Assets in AlienVault have a value (0-5). Each Asset will have a different value depending on their task within the network Assets in AlienVault:
55
Asset Value Every Asset in AlienVault has an Asset Value (0-5) Assets not defined within the AlienVault Inventory have a default
Asset Value of 2 Assets will have different values depending on their role within the
monitored network E.g.: A printing company Printers will be a very high asset value
E.g.: A company offering Web hosting
Web servers and database servers will be a valuable asset while printers on the other hand wont be so important.
56
Defining an Asset in OSSIM
57
Event Priority Priority is the importance of the event itself It is a measure which tries to determine the relative impact an event could have in our network. Priority is a value between 0 and 5 0 1 2 3 4 5 No importance Very Low Low Average Important Very Important
58
Event Reliability Reliability determines the probability of an attack being real or not. E.g.: A single authentication failure. Would you be able to determine if it is a real attack (Brute Force attack) using a single event?
Reliability can be a value between 0 and 10
0 False Positive 1 10% chance of being an attack 2 20% chance of being an attack 10 Real attack
59
Event Risk The SIEM calculates a risk for each event processed in the SIEM The Event Risk is a numeric value (0-10)
60
Alarm Any event with a risk value greater than or equal to 1 will become an alarm. An alarm is a special type of event since it can have more than one event originating it. Correlation doesnt generate alarms (done by server during R.A), it will generate new events that may or may not become alarms.
61
Correlation Correlation is the process of transforming various input data into a new output data element Using correlation we can transform two or more input events into a more reliable output event Through correlation of various events from disparate data sources a SIEM delivers greater Security Intelligence
62
Aggregated Risk Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an Aggregated risk indicator for each asset of the network This aggregated risk is stored in two properties of each asset within AlienVault Compromise: Compromise means a network element is generating lots of events as source, this is, its behaving like if its been compromised Attack: Attack is a value that measures the level of attack an element has received in our network, that is, how much it has been attacked
63
Compromise Value Compromise value is increased by taking into account the risk of the event calculated using the Asset Value of the source (The Asset value of the destination is ignored even if it is higher) This value increases the compromise value of the host, the compromise value of the host groups, networks and network groups the host belongs to, as well as the global compromise
64
Attack Value Attack value is increased by taking into account the risk of the event calculated using the Asset Value of the destination (The Asset value of the source is ignored even if it is higher) This value increases the attack value of the host, the attack value of the host groups, networks and network groups the host belongs to, as well as the global attack value
65
From Alarm to Ticket
Alarms can be ignored or can be converted to tickets Tickets can be assigned to IS or IT officers The ticket life cycle is the Security Event handling/management
66
Security Event Management
67
Conclusions OSSIM provides SIEM capabilities to small and medium sized organizations OSSIM leverages best of breed open source tools and combines them into integrated SIEM to manage security events OSSIM can be setup quickly time is money
