Centralizing and Analyzing Security Events: Deploying Security Information Management Systems. Lynn Ray, Towson University. Copyright Lynn Ray, 2007.

Presentation transcript:

Centralizing and Analyzing Security Events: Deploying Security Information Management Systems Lynn Ray Towson University Copyright Lynn Ray, This work is the intellectual property rights of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced Materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Reasons for Centralized Event Management
- Increasing diversity of security devices and protocols
- Multiple types of security events and threats
- Manual collection and analysis of events
- Need for quick response to threats, including zero-day attacks
- Compliance with audits

Threat Statistics (courtesy of Message Labs)
- 10 new worms are found each day
- An average of 20 targeted attacks per day
- Increasing use of ransomware
- Use of blended threats (spam and virus, spyware and Trojans, triple Trojans, etc.)
- Off-the-shelf virus kits

Security Information Management Defined
- Collaboration of security solutions and intelligent networking technologies
- Integrates a heterogeneous array of network devices and security products
- Builds pervasive security using the existing security enterprise:
  - Monitors and collects event data
  - Correlates and analyzes event data across the enterprise
  - Compares against known threats
  - Identifies threats and alerts
  - Automatically locates and mitigates threats

How SIM Works (pipeline diagram, in three stages)
- Raw Data: Raw Event Data Collection → Filtering
- Data Refinement: Data Normalization & Reduction → Event Aggregation & Coordination → Pattern Discovery → Prioritization
- Action: Event Display & Report → Response & Mitigation

Drivers Behind SIM Adoption
- Financial discipline
  - Managing operations effectively
  - Employee efficiency
  - Reduced administrative overhead
  - ROI/business value of security
- Security effectiveness
  - Operational risk
  - Finances required to mitigate risk

Incident Response and Laws
- Incident response
  - Many attack vectors
  - Many different information sources
  - Mitigation priority
- Federal laws
  - FERPA – Family Educational Rights and Privacy Act
  - HIPAA – Health Insurance Portability and Accountability Act
  - GLBA – Gramm-Leach-Bliley Act

Compliance
- Policy-driven security management program
- Validation of security controls
- Risk management approach to information security
- Due diligence in the application of internal controls
- Effective security incident management process
- Security event reporting
- Archiving and document preservation

Consideration Factors
- High cost ($100K or more)
- Difficult to implement and deploy
- Takes months to tune out false positives
- Requires specialized training to support

Monitoring Functionality
- Correlates, reduces and categorizes events
- Validates incidents

Data Correlation (diagram)
- Inputs: router config, firewall config and log, switch config and log, server log, AV alert, application log, VA scanner results, NetFlow, NAT config, IDS events
- Processing: correlation and reduction, verified against sessions and rules
- Output: valid incidents, with isolated events separated out

Event Analysis

SureVector™ Analysis (example attack path from the diagram)
1. Host A port-scans Target X.
2. Host A launches a buffer overflow attack against X, where X is behind a NAT device and is vulnerable to the attack.
3. Target X executes password attacks against Target Y, located downstream from the NAT device.
SureVector™ Analysis provides:
- A visible and accurate attack path
- Drill-down to full incident and raw event details
- Pinpointing of the true sources of anomalous and attack behavior
- A more complete and accurate story
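The pipeline stages above (normalization, reduction, correlation, prioritization) and the three-step attack path, as an added illustration that is not code from the presentation or from Cisco MARS. The three log formats, hostnames and addresses are constructed; the correlation rule is a minimal hypothetical one that chains a scan, an exploit alert and downstream logon failures from the attacked host.

```python
import re
from collections import defaultdict
# Constructed sample lines in three made-up vendor formats (not real device output).
RAW = """\
fw01 deny tcp 10.9.8.7:51000 -> 192.0.2.10:22
fw01 deny tcp 10.9.8.7:51001 -> 192.0.2.10:23
fw01 deny tcp 10.9.8.7:51002 -> 192.0.2.10:443
ids01 alert "buffer overflow attempt" src=10.9.8.7 dst=192.0.2.10
srv-y Security: Failed logon user=admin src=192.0.2.10
srv-y Security: Failed logon user=admin src=192.0.2.10
srv-y Security: Failed logon user=backup src=192.0.2.10
"""
# Normalization: each vendor format maps to a common (kind, src, dst) record.
PATTERNS = [
    ("scan_probe", re.compile(r"deny tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")),
    ("exploit", re.compile(r'alert "buffer overflow attempt" src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)')),
    ("auth_fail", re.compile(r"^(?P<dst>\S+) Security: Failed logon user=\S+ src=(?P<src>[\d.]+)")),
]

def normalize(lines):
    """Map raw lines to (kind, src, dst); lines no pattern recognizes are filtered out."""
    events = []
    for line in lines:
        for kind, pat in PATTERNS:
            if m := pat.search(line):
                events.append((kind, m["src"], m["dst"]))
                break
    return events

def reduce_events(events):
    """Reduction: collapse identical normalized records into one record with a count."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev] += 1
    return dict(counts)

def correlate(reduced, scan_threshold=3):
    """Chain reduced events into an attack path: scan -> exploit -> downstream auth failures."""
    incidents = []
    for (kind, src, dst), n in reduced.items():
        if kind == "scan_probe" and n >= scan_threshold:
            path = [f"{src} port-scans {dst} ({n} probes)"]
            if ("exploit", src, dst) in reduced:
                path.append(f"{src} buffer-overflow attack on {dst}")
                # Pivot: the attacked host now appears as the source of later events.
                for (k2, s2, d2), n2 in reduced.items():
                    if k2 == "auth_fail" and s2 == dst:
                        path.append(f"{dst} password attacks against {d2} ({n2} failures)")
            incidents.append({"source": src, "stages": len(path), "path": path})
    return sorted(incidents, key=lambda i: -i["stages"])  # prioritize the longest chains
```

Run it as `correlate(reduce_events(normalize(RAW.splitlines())))`; the single incident it returns carries the three-stage path, with the three repeated logon failures reduced to one record.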

“Response”
- Uses leveraged mitigation
- Uses control capabilities within your infrastructure:
  - The Layer 2/3 attack path is clearly visible
  - Mitigation enforcement devices are identified
  - The exact mitigation command is provided

Typical Compliance Report

Towson University SIM Deployment

Results
- Deployed the Cisco MARS SIM device:
  - Communicates with multiple devices
  - Collects syslog data from devices
  - Uses intelligent agents to gather and correlate data from devices
  - Provides automated reporting and resolution of threats
  - Displays the path of threats

How Does SIM Help?
- Greatly reduces false positives
- Defines effective mitigation responses
- Provides quick and easy access to audit compliance reports
- Ability to visualize the attack path
- Identifies the source of threats
- Makes precise recommendations for removal of threats

Monitors Diverse Environments (diagram: MARS at the center, collecting from McAfee ePO, desktops, firewall, IDS, VPN, routers, switches, Unix and Windows servers, and wireless)

Intelligent Agents
- Used the free SNARE* agent for Windows server operating systems
  - Deployed on all servers
  - Pushes security events in real time to the SIM
  - Minimal performance effect on the server
- Testing other SNARE agents
  - Web service (Apache and IIS)
  - Operating system (Unix, Linux)
*System Intrusion Analysis and Reporting Environment

Compliance and Reporting
- Survived the state auditor
- Provide instant reports to auditors
- Established automated reports
  - Track failed access, virus and worm threats, etc.
  - Reduced level of daily log review

Recommendations
- Devise an implementation strategy
  - Identify the devices from which security event data will be collected
  - Consider open source and commercial products
  - Demo and get opinions from support staff
  - Identify storage requirements for the data
- Integrate with incident handling procedures

Devise a Deployment Plan
- Set up a team composed of server admin, network and security staff
- Standardize collection of syslog data
- Use intelligent agents to collect data
- Monitor all network and computer systems (OS and Web)
- Establish administration of the system
- Determine reports that will be useful and implement automated reporting

System Administration
- Device managed by security personnel
- Allow automated response to threats for better protection
  - Allow the SIM admin access to all monitored devices
  - Obtain cooperation from other support personnel (server admin, network, etc.)
- Tune out false positives
- Set up automated reporting, record keeping and incident handling

Event Reports
- Determine reports that will be useful and implement automated reporting
- The SANS Institute recommends reporting on:
  - Attempts to gain access through existing accounts
  - Failed file or resource access attempts
  - Unauthorized changes to users, groups and services
  - Systems most vulnerable to attack
  - Suspicious or unauthorized network traffic patterns
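Three of the recommended reports above (failed access attempts, access gained through an existing account, unauthorized account/group/service changes) as an added example; this is not code from the presentation, the SANS Institute or any SIM product. The event records, hostnames and change-control list are constructed, in the already-normalized form a SIM holds after collection.

```python
from collections import Counter, defaultdict

# Constructed, already-normalized events (the form a SIM holds after collection), not real logs.
EVENTS = [
    {"ts": "2007-05-01T08:00:01", "host": "srv-a", "type": "logon_fail", "user": "jdoe"},
    {"ts": "2007-05-01T08:00:04", "host": "srv-a", "type": "logon_fail", "user": "jdoe"},
    {"ts": "2007-05-01T08:00:07", "host": "srv-a", "type": "logon_fail", "user": "jdoe"},
    {"ts": "2007-05-01T08:00:12", "host": "srv-a", "type": "logon_ok", "user": "jdoe"},
    {"ts": "2007-05-01T08:05:00", "host": "srv-b", "type": "logon_fail", "user": "svc_backup"},
    {"ts": "2007-05-01T09:10:00", "host": "srv-b", "type": "group_change", "object": "Administrators", "by": "jdoe"},
    {"ts": "2007-05-01T09:12:00", "host": "srv-b", "type": "service_change", "object": "Spooler", "by": "sysadmin"},
    {"ts": "2007-05-01T10:00:00", "host": "fs01", "type": "file_access_fail", "user": "jdoe", "object": "payroll"},
]
# Constructed change-control records: (host, change type, object) tuples that were approved.
APPROVED_CHANGES = {("srv-b", "service_change", "Spooler")}

def failed_access_report(events, threshold=3):
    """Failed logon or file/resource access attempts per (user, host), at or above a threshold."""
    counts = Counter((e["user"], e["host"]) for e in events
                     if e["type"] in ("logon_fail", "file_access_fail"))
    return {k: n for k, n in counts.items() if n >= threshold}

def existing_account_abuse(events, min_failures=3):
    """A success right after a run of failures on the same account: access gained through an existing account."""
    fails, flagged = defaultdict(int), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "logon_fail":
            fails[(e["user"], e["host"])] += 1
        elif e["type"] == "logon_ok":
            key = (e["user"], e["host"])
            if fails[key] >= min_failures:
                flagged.append({"user": e["user"], "host": e["host"],
                                "failures_before": fails[key], "at": e["ts"]})
            fails[key] = 0  # a success resets the run for that account
    return flagged

def unauthorized_changes(events, approved=APPROVED_CHANGES):
    """Changes to users, groups or services with no matching change-control record."""
    return [e for e in events
            if e["type"].endswith("_change") and (e["host"], e["type"], e["object"]) not in approved]
```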

Incident Response
- Determine how to respond to alerts
- Establish escalation procedures for handling suspected and confirmed intrusions
- Link steps to the incident handling plan
- Keep track of efforts and decisions

Compliance Verification
- Provided evidence of compliance with state and local policies
- Able to rapidly provide reports

Summary
In summary, SIM…
- Provides centralized network monitoring
- Automatically pulls logs from multiple devices
- Eliminates the need for manually intensive analysis
- Eliminates the need to respond to threats manually
- Provides the reporting capabilities required for daily review under State & University audits and security guidelines