Reducing False-Positives and False-Negatives in Security Event Data Using Context Derek G. Shaw August 2011.

Presentation transcript:

Reducing False-Positives and False-Negatives in Security Event Data Using Context Derek G. Shaw August 2011

Overview of Security Monitoring

Purpose of Security Monitoring
The purpose of security monitoring is to provide real-time, up-to-the-minute security awareness of current threats, risks, and compromises as accurately as possible.

Components of Security Monitoring
- Consoles (Analyst Desktop)
- Database Manager (Rules, Data Aggregation, Data Correlation, Reporting)
- Sensors: Intrusion Detection System, Log Servers, Network Flows, Vulnerability Scanners

The False Problem With Security Monitoring
- False-positives: normal or expected behavior that is identified as anomalous or malicious
- False-negatives: conditions that should be identified as anomalous or malicious but are not

Why So Many False-Positives, and Who Knows How Many False-Negatives
- While some false-positives and false-negatives will always occur, a good portion can be attributed to a lack of knowledge about the environment being monitored
- Knowledge about the environment is not kept up-to-date, nor kept historically accurate

So, how do you reduce the rate of both false-positives and false-negatives? Context.

What is Context
Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one's environment.

Traditional Security Event Data

Traditional Network Flow Event Data
  Start Time: :30:
  End Time: :30:
  Source Address:
  Source Port:
  Direction: ->
  Destination Address:
  Destination Port:
  IP Protocol: TCP
  Duration: 30
  Flags: E
  Source Packets:
  Destination Packets:
  Source Bytes:
  Destination Bytes:
  Note: /16 - Corporate Network

Traditional IDS Event Data
  Detection Time: :30:04
  Alert: MS SQL Injection Attempt
  Source Address:
  Source Port:
  Destination Address:
  Destination Port:
  IP Protocol: TCP
  Note: /16 - Corporate Network

Traditional Syslog Event Data
  Date: Jan 1
  Time: 13:54:
  Host:
  Process: SUDO
  PID: 34456
  Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
  Note: /16 - Corporate Network

Traditional Security Event Data with Context Added

Network Flow Event Data with Context
  Start Time: :30:
  End Time: :30:
  Source Address:
  Source Port:
  Source Network: Unused
  Direction: ->
  Destination Address:
  Destination Port:
  Destination Network: China
  IP Protocol: TCP
  Duration: 30
  Flags: E
  Source Packets:
  Destination Packets:
  Source Bytes:
  Destination Bytes: 12453
  Alert: Destination Address on Malware Watch List
  Asset Tags: Unknown
  Note: /16 - Corporate Network

IDS Event Data with Context
  Detection Time: :30:04
  Alert: MS SQL Injection Attempt
  Source Address:
  Source Port:
  Source Network: Brazil
  Destination Address:
  Destination Port:
  Destination Network: Printer Network
  IP Protocol: TCP
  Asset Tags: Printer, No-Internet
  Note: /16 - Corporate Network

Syslog Event Data with Context
  Date: Jan 1
  Time: 13:54:
  Host:
  Host Network: Financial
  Process: SUDO
  PID: 34456
  Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
  Asset: Linux, Financial, DB, Restricted
  Alert: User not authorized for SUDO on host
  User Info: John Doe, Mail Room Staff
  Note: /16 - Corporate Network

Types of Network Context
- Access tags (Internal, Private, External, No-Internet)
- Dark space tags for unused IP space
- Subnet descriptions

Types of Asset Context
- Business Role Tags (Financial, HR, Printers)
- Operating System
- Software Category Tags (Apache, BIND, MySQL)
- System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)

Types of User Context
- Real Name
- Working group (Mail Room, Control Room, Networking Group)
- List of accounts
- List of privileged access accounts

How Context is Implemented

Context Data Sources
- Memory-resident key/value data stores
- Contain data about assets, networks, and users
- Continually updated by data mining scripts

Context Preprocessor
- Sits between the sensors and the security monitoring system manager
- Queries the context data sources in real time, keyed on IP addresses or user names
- Appends any context data available to the event data record

Important Things to Remember
- For context to be effective, it must be current.
- For events to be accurately reflected in your environment, context cannot be treated as on-demand in the manager. Context for a given event must be recorded once and not changed.
- Treating context as on-demand in the manager may turn an alert into a false-negative.
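As an added example that is not part of the presentation, the following Python sketch ties together the three enriched-event slides (flow, IDS, syslog), the context preprocessor, and the "record once" point above. Everything in it is constructed: the CIDR blocks, addresses, asset and user entries, and the rule names stand in for the speaker's key/value stores and monitoring manager; geolocation (the "China" and "Brazil" fields on the slides) is not implemented, and any address outside the known blocks is simply tagged External. The functions `network_for`, `enrich`, `evaluate`, `evaluate_on_demand` and `demo_recorded_vs_on_demand` are hypothetical names chosen for this example.

```python
import ipaddress

# Constructed context data sources: stand-ins for the memory-resident
# key/value stores described in the slides. All addresses, names and
# tags below are made up for this example.
NETWORK_CONTEXT = {
    "10.0.0.0/16":   {"name": "Corporate Network", "tags": ["Internal"]},
    "10.0.50.0/24":  {"name": "Financial",         "tags": ["Internal", "Restricted"]},
    "10.0.200.0/24": {"name": "Printer Network",   "tags": ["Internal", "No-Internet"]},
    "10.0.250.0/24": {"name": "Unused",            "tags": ["Dark"]},
}
ASSET_CONTEXT = {
    "10.0.200.17": {"tags": ["Printer", "No-Internet"], "sudo_users": []},
    "10.0.50.12":  {"tags": ["Linux", "Financial", "DB", "Restricted"], "sudo_users": ["dba1"]},
}
USER_CONTEXT = {"jdoe": {"real_name": "John Doe", "group": "Mail Room Staff"}}
WATCHLIST = {"203.0.113.77": "Malware Watch List"}   # TEST-NET-3 address, constructed


def network_for(ip):
    """Longest-prefix match against the network context; no match means External."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, info in NETWORK_CONTEXT.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else {"name": "External", "tags": ["External"]}


def enrich(event):
    """Context preprocessor: look up each address and user name in the event
    and append what the context stores hold. Values are copied into the
    record, so the record keeps the context as it was when the event arrived."""
    ctx = {}
    for field in ("src", "dst", "host"):
        ip = event.get(field)
        if ip is None:
            continue
        net = network_for(ip)
        ctx[field + "_network"] = net["name"]
        ctx[field + "_network_tags"] = list(net["tags"])
        ctx[field + "_asset_tags"] = list(ASSET_CONTEXT.get(ip, {}).get("tags", []))
        if ip in WATCHLIST:
            ctx[field + "_watchlist"] = WATCHLIST[ip]
    if "user" in event:
        ctx["user_info"] = dict(USER_CONTEXT.get(event["user"], {}))
        allowed = ASSET_CONTEXT.get(event.get("host"), {}).get("sudo_users", [])
        ctx["user_sudo_ok"] = event["user"] in allowed
    return {**event, "context": ctx}


def evaluate(rec):
    """Constructed context-based rules run over an enriched record. Returns a
    list of (alert, priority) pairs; an empty list means nothing fired."""
    c, out = rec["context"], []
    if c.get("src_network") == "Unused":
        out.append(("Traffic from unused (dark) address space", "high"))
    if "dst_watchlist" in c:
        out.append(("Destination Address on " + c["dst_watchlist"], "high"))
    if c.get("src_network") == "External" and "No-Internet" in c.get("dst_network_tags", []):
        out.append(("External source reached a No-Internet network", "high"))
    if rec.get("sig") == "MS SQL Injection Attempt" and "DB" not in c.get("dst_asset_tags", []):
        out.append(("SQL injection signature against a non-database asset", "low"))
    if rec.get("process") == "SUDO" and c.get("user_sudo_ok") is False:
        out.append(("User not authorized for SUDO on host", "high"))
    return out


def evaluate_on_demand(event):
    """The pattern the slides warn against: context looked up at rule time."""
    return evaluate(enrich(event))


# Constructed sample events mirroring the three enriched-event slides.
FLOW = {"type": "flow", "src": "10.0.250.9", "dst": "203.0.113.77", "dport": 443, "proto": "TCP"}
IDS = {"type": "ids", "sig": "MS SQL Injection Attempt", "src": "198.51.100.5",
       "dst": "10.0.200.17", "dport": 1433, "proto": "TCP"}
SYSLOG = {"type": "syslog", "host": "10.0.50.12", "process": "SUDO", "pid": 34456, "user": "jdoe",
          "msg": "jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash"}


def demo_recorded_vs_on_demand():
    """Why context must be recorded with the event: enrich the sudo event,
    then grant jdoe sudo on the host afterwards. The stored record still
    alerts; the on-demand re-lookup silently becomes a false negative."""
    stored = evaluate(enrich(SYSLOG))
    ASSET_CONTEXT["10.0.50.12"]["sudo_users"].append("jdoe")   # later context change
    on_demand = evaluate_on_demand(SYSLOG)
    ASSET_CONTEXT["10.0.50.12"]["sudo_users"].remove("jdoe")   # restore the store
    return len(stored), len(on_demand)


if __name__ == "__main__":
    for ev in (FLOW, IDS, SYSLOG):
        print(ev["type"], evaluate(enrich(ev)))
    print("stored vs on-demand alert counts:", demo_recorded_vs_on_demand())
```

Two things the slides describe show up directly in the output. The IDS event is both downgraded (a SQL injection signature aimed at an asset tagged Printer rather than DB) and escalated for a different reason (an external source reached a No-Internet network), which is the kind of judgement a sensor alone cannot make. And `demo_recorded_vs_on_demand` returns one alert from the record enriched at ingest but zero from the on-demand re-lookup after the authorization list changed, which is exactly the false-negative the last bullet warns about.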

Advantages of Context
- Adds data and information to the event record that the sensor does not have.
- Updates to context data sources can be automated and dynamic.

Advantages of Context (cont.)
- Changes to your environment can be reflected by updating the context data, requiring fewer changes to security monitoring rules and filters.
- Security monitoring rules and filters can be written against context. This eliminates or reduces the need to create filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.

Disadvantages of Context
- Requires analysts to understand the IT infrastructure
- Requires constant upkeep to stay relevant
- Adds an extra process to the security monitoring workflow

Questions? Comments?