Technology Blueprint

Investigate Data Breaches

Collect, analyze, and preserve security forensic information

The Situation

It is the text or email message that every security professional dreads: “We’ve been hacked.”

Questions race through your mind: “How did this happen? What systems did they compromise? What sensitive data was accessed and what did they do with it?”

To answer these questions, and the ones that are sure to follow, you’re going to need specific data about the security breach. You need to quickly, accurately, and concisely identify what endpoints were involved, what alarms or alerts were generated, what users were affected, what files and data repositories they visited during the breach, and what data was uploaded or sent outside the perimeter during the incident.

This is where digital forensics come into play and where your organization’s supporting security infrastructure can make the crucial difference.

Driving Concerns

Security breaches can happen even when you have done everything right. Attackers have become much more laser-like and sophisticated at exploiting the weakest link in the security chain: the end user. Since no IT security environment can be completely secure against end user actions, it is important to ensure the proper infrastructure is in place to provide quick, accurate intelligence immediately upon detection of a breach.

Some of the forensic information that you will need to provide quickly includes:

• How did this happen? What alerts were triggered during the attack? What alerts have been triggered leading up to the attack? Have there been other related probes to the perimeter or other defenses that might provide clues as to the attacker’s identity or motives? First generation SIEM (Security Information and Event Management) and other security management solutions can provide basic alert data. However, without correlation and content awareness to give this data contextual meaning, these alerts appear as disconnected, random events.

• What systems were involved? To understand the impact of an attack, it is crucial to know which network endpoints participated in the event. Did the attack spread to other computers on the network? What other network connections were attempted by these endpoints during the attack? Without the ability to correlate network flow data to attack events, it becomes impossible to spot patterns or understand if subsequent alerts are part of the original attack as it spreads across the network. You also cannot ensure that you have fully remediated any compromised systems.

• What users were affected? To assess the risk to the enterprise from this attack, it is important to understand whom it affected. What role did these users play within the organization? What level of access or clearance to sensitive data did the users have? Have any other security events been associated with these users prior to this attack? Clearly, if the affected user had limited access to proprietary information, the impact of the breach is also limited. However, what if the affected user were a board member with access to confidential financial information? Most security management tools do not include detailed user entitlement information with alert data, making it difficult to understand just how serious the organization’s exposure was as a result of a given breach.


Security Connected

The Security Connected framework from McAfee enables integration of multiple products, services, and partnerships for centralized, efficient, and effective risk mitigation. Built on more than two decades of proven security practices, the Security Connected approach helps organizations of all sizes and segments—across all geographies—improve security postures, optimize security for greater cost effectiveness, and align security strategically with business initiatives. The Security Connected Reference Architecture provides a concrete path from ideas to implementation. Use it to adapt the Security Connected concepts to your unique risks, infrastructure, and business objectives. McAfee is relentlessly focused on finding new ways to keep our customers safe.


• What sensitive data did the attack compromise? A thorough impact assessment has to include a damage report to determine if any sensitive data left the organization during the attack. Was there a corresponding large data transfer from the main Oracle database at the time of the attack? Was information uploaded to a location outside the perimeter? If so, precisely what information was compromised and where did it go? While traditional firewall logs can document outbound connections, this type of log lacks correlation to database transactions or IP geolocation, DNS, WHOIS, and other contextual information for outbound connections. That richer detail is what lets you determine where the receiving servers are physically located and who owns them.

• When collecting forensic event data, how do I observe proper Chain of Custody procedures? If legal or HR action is required as a result of the attack investigation, proper handling and Chain of Custody (CoC) rules require collection and reporting of alert and event data using methods that preserve the original content. You must not change timestamps or modify the original in such a way that the data is not admissible as evidence.

Without solid contextual information correlated to security events, any forensic evaluation will lack the intelligence needed to comprehend the scope and impact of a security breach.

Solution Description

McAfee recommends an integrated, mutually supporting infrastructure that provides not only alerts when security events occur, but related content and context that fill in the gaps left by standard security alerting and reporting. Correlation to metadata—such as network flow information, user access levels, user entitlement, and IP geolocation—adds depth to alert response and reporting and enables a greater understanding of the effect and severity of a security breach.

• How did this happen? Network and endpoint security should be integrated into a single defense-in-depth protection system. Attack event data should be provided to a centralized response console that spans all attack vectors and covers all platforms and protocols. The IT staff will be able to quickly determine which exploits and attack vectors were utilized in the attack. For example, the Zeus Trojan typically uses a multi-pronged approach of phishing emails combined with a “drive-by” download to infect a target. With the proper infrastructure, you can identify and replay this sequence by correlating information from the endpoint security solution with data flows from the email and web gateways. Your security teams also gain the details necessary to tighten perimeter and endpoint security.

• What systems were involved? The ideal infrastructure is capable of identifying all systems affected by the attack by correlating network flow data with security event alerts to understand where the attack originated, what systems were compromised by the attack, and what connections those compromised systems made after the attack. By correlating event data with network flow data, the complete story of attack patterns, sequences, and details can be reconstructed to show the investigating team exactly which systems were involved and what they connected to both during and after the attack. This gives the responders a checklist of endpoints that require scrutiny to ensure that attackers have not deployed backdoors, rootkits, or other mechanisms that would allow reentry into your network.

• What users were affected? While the Active Directory user name delivered with standard attack data is useful, to really understand the impact of the attack it is necessary to have an architecture that provides detailed user entitlements and access levels correlated to the event. The ideal infrastructure allows the investigative staff to quickly query Active Directory and other identity repositories from within the event alert to determine specific user access details listing out what servers, applications, network shares, databases, and other shared resources the user can access. Additionally, the infrastructure should allow the user’s scope of access to be determined in order to understand if this is a standard user or an administrator.

Decision Elements

These factors could influence your architecture:

• Do you require a 24/7 highly available environment?

• Does your organization collect and analyze netflow data?

• What are your log retention requirements?

• What compliance standards affect your organization?


• What sensitive data did the attack compromise? The recommended architecture would give IT security staff detailed database or file share access, upload, and network flow information correlated to attack data to show the content and context of any data access and transfer. Ideally, the solution should capture all data that is leaving the network for later analysis.

• When collecting forensic event data, how do I observe proper Chain of Custody procedures? The ideal infrastructure maintains its own standalone, normalized database made up of event and correlation data for investigation. This separate repository prevents compromises to the forensic purity of the original logs and event data. Audit controls on the investigation database ensure that once event and correlation data have been written to it, any access is tracked. If a colluding malicious insider attempts a change, the system should prevent and report this action.

Technologies Used in the McAfee Solution

To fulfill these requirements, the McAfee solution has three interlocking components: McAfee® Enterprise Security Manager (ESM) (content and context-aware SIEM) acts as the primary workflow and investigation console, McAfee ePolicy Orchestrator® (McAfee ePO™) acts as the policy and maintenance engine for host based security solutions, and McAfee Network Security Platform (NSP) provides inline network intrusion prevention.

When a security event occurs, an alert originates from either the endpoint under attack or the network sensor appliance that detected the attack (or both). The alert goes to the relevant security management console (McAfee ePO for endpoint and McAfee Network Security Manager for the NSP) and propagates to the McAfee ESM console, where it is sequenced and correlated with the other events occurring on your network. The original attack alert data remains in the repository specific to that layer. This practice ensures that you can query and report event data within McAfee ESM without modifying the original data. The data remains forensically pure.
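The chain-of-custody pattern described in the paragraphs above (original alert data stays in the source repository, investigators work on a separate normalized copy, every access to that copy is tracked and changes are refused) can be sketched in a few dozen lines. The following is an added example written for this page, not McAfee code and not a description of how McAfee ESM is implemented internally: the alert lines, the key=value export format, the InvestigationStore class and the actor names are all constructed for illustration.

```python
"""Forensic-integrity pattern: raw alert data is never modified; a normalized
copy lives in a separate investigation store that fingerprints the originals,
logs every read, and refuses writes after ingest. Constructed example data."""
import copy
import hashlib

# Constructed raw alert lines, standing in for a source console's export.
RAW_ALERTS = [
    "2012-04-02T14:05:00Z sensor=nsp-01 sig=trojan-download src=10.1.5.23 dst=203.0.113.45 user=jdoe",
    "2012-04-02T14:05:04Z sensor=epo-01 sig=malware-detected host=10.1.5.23 user=jdoe action=quarantine",
]


def fingerprint(raw: str) -> str:
    """SHA-256 of the byte-exact original, recorded at collection time."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def normalize(raw: str) -> dict:
    """Parse 'timestamp key=value ...' into a dict; the original string is untouched."""
    ts, *pairs = raw.split()
    record = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


class InvestigationStore:
    """Standalone repository of normalized records plus fingerprints of the originals."""

    def __init__(self):
        self._records = {}
        self.audit = []  # (action, actor, record_id) for every operation

    def ingest(self, raw: str, actor: str) -> str:
        record = normalize(raw)
        record["raw_sha256"] = fingerprint(raw)
        record_id = record["raw_sha256"][:12]
        self._records[record_id] = record
        self.audit.append(("ingest", actor, record_id))
        return record_id

    def read(self, record_id: str, actor: str) -> dict:
        self.audit.append(("read", actor, record_id))
        return copy.deepcopy(self._records[record_id])  # callers cannot mutate the store

    def modify(self, record_id: str, actor: str, **changes) -> bool:
        # Records are append-only: the attempt is recorded and reported, never applied.
        self.audit.append(("modify-denied", actor, record_id))
        return False

    def tampered_originals(self, raw_alerts) -> list:
        """Re-hash the source repository; return ids whose original no longer matches."""
        current = {fingerprint(r) for r in raw_alerts}
        return [rid for rid, rec in self._records.items() if rec["raw_sha256"] not in current]


def demo() -> dict:
    store = InvestigationStore()
    ids = [store.ingest(raw, actor="collector") for raw in RAW_ALERTS]
    analyst_copy = store.read(ids[0], actor="analyst")
    analyst_copy["user"] = "someone-else"  # editing the returned copy changes nothing
    store.modify(ids[0], actor="insider", user="someone-else")  # refused and logged
    # Simulate someone editing the source repository after collection.
    altered_source = [RAW_ALERTS[0].replace("user=jdoe", "user=nobody"), RAW_ALERTS[1]]
    return {
        "store_user": store.read(ids[0], actor="analyst")["user"],
        "denied": [entry for entry in store.audit if entry[0] == "modify-denied"],
        "clean": store.tampered_originals(RAW_ALERTS),
        "tampered": store.tampered_originals(altered_source),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks worth keeping in any real deployment are the ones `demo()` exercises: reads hand back copies so an analyst's workstation can never write back into the store, and the fingerprint taken at collection time is what later proves the source repository was not altered while the case was open.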

From within the McAfee ESM alert, the responding IT team can drill into details about the event, create and assign a case for any follow up required, and track the case’s progress. Data from other sources can be pulled together and correlated with the security event to give investigators a deep and comprehensive sequence of activities. For example, netflow and application session information, web and email gateway connection data, database transaction details, and Active Directory user access rights can be combined with the security event in a single event report.

This content can be further enriched with the use of what SANS (System and Network Security Institute) has termed “referential data.” This is data external to the SIEM that can add even greater depth to the forensic report. For example, in addition to the multiple event source and log correlation already discussed, the forensic investigator can cross-reference the data collected against external sources such as a Human Resources provided flat file (referential data) containing the names and user IDs of recently terminated employees. Any match found would provide valuable clues as to the motive and culprit, clues that a first generation SIEM or standard security alert would be unable to provide. One crisp summary shows exactly what happened, where it happened, whom it affected, and what information (if any) has been compromised.
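The correlation the paper describes in the "What systems were involved?" bullets and the referential-data enrichment in the paragraph above reduce to a small amount of logic: pick the flows sourced from the alerting host in a window after the alert, classify each destination against defined asset groups and WHOIS/geolocation data, and cross-reference the user against an HR flat file. Below is an added example written for this page, not McAfee code and not how McAfee ESM performs these lookups. The alert, netflow records, asset groups, external ownership table and terminated-user list are all constructed (the external address is from the documentation range 203.0.113.0/24), and the internal-network definition is an assumption the example makes explicit.

```python
"""Correlate an alert with netflow records, then enrich the result with
asset-group, WHOIS/geolocation and HR referential data. Constructed data."""
import ipaddress
from datetime import datetime, timedelta

# Constructed alert as a SIEM might receive it from an endpoint console.
ALERT = {
    "ts": datetime(2012, 4, 2, 14, 5, 0),
    "host": "10.1.5.23",
    "user": "jdoe",
    "signature": "trojan-download-detected",
}

# Constructed netflow records: time, source, destination, destination port, bytes sent.
NETFLOWS = [
    {"ts": datetime(2012, 4, 2, 13, 50, 0), "src": "10.1.5.23", "dst": "10.1.0.10", "dport": 53, "bytes": 120},
    {"ts": datetime(2012, 4, 2, 14, 6, 30), "src": "10.1.5.23", "dst": "203.0.113.45", "dport": 443, "bytes": 48_000_000},
    {"ts": datetime(2012, 4, 2, 14, 8, 0), "src": "10.1.5.23", "dst": "10.1.8.4", "dport": 445, "bytes": 9_500},
    {"ts": datetime(2012, 4, 2, 14, 9, 0), "src": "10.1.7.9", "dst": "203.0.113.45", "dport": 443, "bytes": 3_000},
    {"ts": datetime(2012, 4, 2, 15, 30, 0), "src": "10.1.5.23", "dst": "203.0.113.45", "dport": 443, "bytes": 2_000},
]

# Constructed referential data: internal ranges (an assumption of this example),
# defined asset groups, WHOIS/geolocation results, and an HR flat file of
# recently terminated user ids.
INTERNAL_NETWORKS = {"10.0.0.0/8": True}
ASSET_GROUPS = {"10.1.5.0/24": "Finance", "10.1.8.0/24": "FileServers"}
EXTERNAL_INFO = {"203.0.113.0/24": {"owner": "Example Hosting Ltd", "country": "XX"}}
HR_TERMINATED = {"jdoe": "2012-03-30"}  # user id -> termination date


def lookup_prefix(table: dict, ip: str):
    """Longest-match-free prefix lookup: first table entry containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for prefix, value in table.items():
        if addr in ipaddress.ip_network(prefix):
            return value
    return None


def correlate_flows(alert: dict, flows: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Flows sourced from the alerting host within `window` after the alert time."""
    start, end = alert["ts"], alert["ts"] + window
    return [f for f in flows if f["src"] == alert["host"] and start <= f["ts"] <= end]


def enrich(alert: dict, flows: list, asset_groups: dict, external_info: dict, terminated: dict) -> dict:
    """Build the one-page summary: who, what asset group, where the data went, to whom."""
    internal_targets, external_targets = [], []
    for f in correlate_flows(alert, flows):
        if lookup_prefix(INTERNAL_NETWORKS, f["dst"]):
            internal_targets.append(
                {"ip": f["dst"], "group": lookup_prefix(asset_groups, f["dst"]), "bytes": f["bytes"]}
            )
        else:
            info = lookup_prefix(external_info, f["dst"]) or {}
            external_targets.append({"ip": f["dst"], "bytes": f["bytes"], **info})
    return {
        "host": alert["host"],
        "asset_group": lookup_prefix(asset_groups, alert["host"]),
        "user": alert["user"],
        "user_terminated": alert["user"] in terminated,
        "internal_targets": internal_targets,   # candidates for lateral-movement review
        "external_targets": external_targets,   # candidates for exfiltration review
        "bytes_out_external": sum(t["bytes"] for t in external_targets),
    }


if __name__ == "__main__":
    print(enrich(ALERT, NETFLOWS, ASSET_GROUPS, EXTERNAL_INFO, HR_TERMINATED))
```

The window and the internal-range definition are the two knobs an investigator tunes; too narrow a window misses the staged transfer an hour later (the 15:30 flow above is deliberately outside it), while the internal-targets list is the checklist of hosts that need follow-up scrutiny.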

Through integration, McAfee ePO and McAfee NSP share detailed endpoint information, including OS, patch levels, installed applications, and security countermeasure information, for attack response prioritization and relevancy. This information makes it easy to determine whether a given attack was successful and provides investigators a profile for hunting other potential victims or attack entry points.


[Figure: Logical network diagram illustrating data flows and interconnections of the McAfee solution. Sources feeding McAfee ESM over the network backbone: VA scan data; application contents (100s of applications and 500+ document types); database transactions (data traffic from leading databases); McAfee ePO (malware and endpoint security events); McAfee NSP (network security events); netflow data (detailed network connection/session data); access rights; OS events; location; device and application log files; user identity. Event categories shown: malware (viruses, Trojans); webmail, email; web access (HTTP); chat (IRC, AOL/ICQ, SIP, Yahoo, MSN, Jabber); P2P file sharing (Gnutella); protocol anomalies; exploits, vulnerabilities.]

McAfee Enterprise Security Manager (ESM)

McAfee ESM receives input from a host of sources throughout the enterprise, both security and non-security related platforms (McAfee ePO, AV, HIPS, firewall, proxy, IPS, Windows/Unix/fileserver/Oracle/email logs, as well as many others). Additionally, its “content awareness” goes beyond simple log scraping. It fills in the gaps left by other SIEM and incident reporting solutions by adding relevant contextual data. Individual events that appear to be unrelated can take on new meaning when correlated with a known attack. While user X may have access to a database, for instance, seeing a connection attempt by this user within seconds of a known attack sheds new light on both the attack’s motive and potential impact. Security solutions alert you to the presence of an attack but do not have a view of your overall enterprise; McAfee ESM provides that view, with forensic details such as:

• Windows name services, DNS, and NIS servers. Maps the IP addresses in logs to human readable names

• Defined asset groups. Shows internal or external status of an IP address as well as logical or physical meta-groups. For example, a Finance asset group can be created to identify endpoints and servers used by the finance group. This detail can be especially helpful in identifying systems that are subject to regulatory compliance rules including PCI.

• WHOIS servers. WHOIS information for external addresses shows who owns them and where they are located

• Geolocation. Documents the physical location of the external system(s) a compromised machine may have connected to

• Asset and owner information for internal addresses. Critical for understanding internal projects and teams affected by the breach


• Active Directory and LDAP servers. Maps user names to actual user identities

• Entitlement servers. Shows the assets that the affected users are entitled to for a clear picture of just how damaging the attack might have been

• Attack and exploit information. Correlates attack with contextual data to provide a richer understanding of other events that occurred at the same time

• Vulnerability assessment information. Allows detailed vulnerability information from a variety of assessment tools to be included with alerts and reports to show if the systems that were attacked were vulnerable to the attack

• Email and web upload contents, including attachments. This evidence can positively identify the data compromised to gauge the impact of the event

• Social network communication. Provides the ability to monitor communications within social media sites so that these can be correlated with attack events. The contents of the web application itself can be reviewed and included in the forensic analysis of the event.

• Database queries and the size or subject matter of their responses. Correlates the security event with database transaction logs detailing exactly what took place during the database session. Investigators see both database queries performed as well as all responses produced.

• IM conversation contents. Allows investigators to explore and review IM conversation details correlated to attack events to understand the attack motivations and possible culprits

McAfee ESM includes a customizable interface and high performance query engine to allow deep drill down into a limitless number of event and content data relationships for detail-driven relational data mining. Default or “Out-of-Box” views provide a starting point for analysis. The system maintains forensic integrity: drill down processes do not modify the data sources, ensuring the proper chain of custody should legal or HR action result from the investigation.

McAfee ePolicy Orchestrator (McAfee ePO)

McAfee ePO is the centralized policy and management environment used by McAfee endpoint security products as well as many McAfee partner solutions. The McAfee ePO endpoint agent provides a wide range of information that is beneficial to managing and investigating security events. The full list is too long to provide in this document; however, some of the most pertinent parameters include: detailed attack event data, host name, IP address, MAC address, user name (from Active Directory), operating system and patch level of the managed node, application inventory on the managed node, network services, attack countermeasure status, compliance audit status, and vulnerability assessment scan data.

McAfee Network Security Platform (NSP)

The McAfee Network Security Platform (NSP) is a family of high performance, purpose-built, telco-grade appliances that provide inline threat protection and mitigation. McAfee NSP integrates with ePO to enable an overlapping, mutually reinforcing security environment covering network segments as well as individual endpoints.

From a forensics standpoint, NSP’s Real Time Threat Analyzer gathers detailed information, including PCAP and Wireshark traces, from network attacks. This information includes: attack name, source and destination IP addresses, source and destination country location, source and destination reputation information (McAfee Global Threat Intelligence data, see: http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx), file threat reputation information, user name, application information, protocols, and relevant MS/CVE numbers. These details are correlated with host events both through McAfee ESM and through a two-way integration into McAfee ePO that allows endpoints running McAfee Host Intrusion Prevention to act as IDS sensors on the corporate network. This capability is unique and permits network and endpoint attack correlation.


Optional Integrations

McAfee Data Loss Prevention (DLP) can add an extra layer of protection and forensic capability. McAfee DLP includes data capture technology that can collect and index all traffic passing through the dedicated DLP network appliances. The capture database enhances forensics with the ability to look back in time at network connections to identify suspicious behavior. You can perform detailed searches on historical data, with search strings based on virtually any aspect of the network connection (time, user name, IP address, protocol, and more). McAfee DLP capture technology does not require a policy trigger rule to be in place at the time of the network connection. Transfers that do not trigger a DLP policy are still indexed and stored within the capture database for later analysis.

This archive augments the capabilities discussed in this paper by keeping a forensically pure, corroborating copy of network flows within a secure, self-contained environment. With 6TB of dedicated storage, McAfee DLP records all aspects of all network transactions and can apply DLP controls on traffic that violates policy to ensure data remains within the network perimeter even when successful attacks occur. All network protocols are supported, and forensic information collected includes source and destination IP addresses, source and destination user names and email addresses, ports and protocols used during transfer, time, and the contents of the network transfer, including copies of the full attachment as well as the full message body and header. You can use this evidence of attempted transfers to determine motives as well as culprits, even in cases where the transfer was unsuccessful. Since the DLP capture database does not rely on netflow or application session data, it can be used to checkpoint and independently corroborate conclusions drawn from within McAfee ESM.

McAfee ePO integrates with third parties like Guidance Software, which makes EnCase. EnCase enables corporations to conduct thorough, network-enabled, and court-validated digital investigations and leverage McAfee ePO for deployment and reporting. Additionally, EnCase integrates with McAfee full disk encryption to allow low-level forensic investigations on encrypted disks. Download a full solution brief on EnCase with McAfee ePO from http://www.mcafee.com/us/resources/solution-briefs/sb-guidance.pdf

For a full list of Security Innovation Alliance partners involved in forensics, please see the following: mcafee.com/SIApartnerdirectory

Impact of the Solution

With forensic analysis, the little details count. Answering the questions of who, what, where, and when is important, but to really understand the impact of a security breach, much more contextual information is required. McAfee completes this picture by filling in the gaps normally left by first-generation log-scraping SIEM technologies.

Within minutes of an incident, your IT staff can quickly and accurately understand not just what happened but precisely who was involved, what level of responsibility they have in the enterprise, what other related events have occurred, what data may have been accessed and compromised, who received that data, and where they are located. This comprehensive view allows not just remediation of the technical aspect of the breach, but also facilitates the damage control that might be necessary if a sensitive data leak occurred during the incident. If legal authorities or HR need to be engaged, the forensic integrity of the data is maintained to ensure that reports and conclusions based on this reporting are suitable for courtroom use.

McAfee integrates network and endpoint security, then correlates and extrapolates this information with rich contextual and content data. You gain a much more focused and complete picture of an incident’s impact than the old method of using disconnected security platforms and early SIEM technology.

2821 Mission College Boulevard, Santa Clara, CA 95054, 888 847 8766, www.mcafee.com

McAfee, McAfee Data Loss Prevention, McAfee ePO, McAfee ePolicy Orchestrator, McAfee Network Security Platform, McAfee Enterprise Security Manager, McAfee Security Innovation Alliance, and the McAfee logo are registered trademarks or trademarks of McAfee or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2012 McAfee

41723bp_data-breaches-L3_0412_fnl_ETMG

Q&A

My SIEM vendor tells me they can do the same thing. What’s so special about McAfee ESM?

While most first generation SIEM technologies were built upon existing database technologies such as Oracle or MS-SQL, McAfee ESM was designed from the ground up with data correlation, speed, and performance as primary design goals. Instead of using general purpose computing platforms, McAfee ESM uses the combination of high performance, dedicated appliances and a proprietary high performance file system to deliver query speeds many times faster than standard SIEM technology. All operations are performed in RAM instead of using the RAM and disk combination utilized by most Oracle and SQL implementations. This dramatically increases the speed and query response, allowing McAfee ESM to return results of even complex queries in seconds or minutes.

I have forensic tools in place already that dissect endpoints and servers after a breach. Why do I need McAfee ESM?

McAfee ESM is not intended to displace forensic dissection tools, but rather to augment forensic reporting by putting the attack event into context and allowing the investigators to gain a deeper understanding of the attack’s impact. Through the use of event correlation with contextual information, McAfee ESM provides a richer view of an attack than standard forensic tools can provide. Further, McAfee integrates with established third party forensic providers to allow the use of these tools within the recommended framework.

Do I need to replace my entire infrastructure to utilize McAfee ESM?

While the integrated McAfee approach discussed in this paper offers special value from a forensic standpoint, many of the advantages discussed within this paper can be achieved using McAfee ESM along with other third party security vendors’ solutions. McAfee ESM can work with virtually any security provider you might already be using for endpoint and network security. As you expand your security infrastructure, you can use a hybrid or phased approach to ensure minimal disruption and a smooth transition.

Additional Resources

http://mcafee.com/esm
http://www.mcafee.com/us/partners/security-innovation-alliance/index.aspx
http://www.mcafee.com/us/services/strategic-consulting/incident-response-forensics/index.aspx
www.mcafee.com/kb
www.mcafee.com/epo
http://www.mcafee.com/us/products/network-security-platform.aspx

About the Author

Jim Wojno is a senior sales engineer in the McAfee Mid-Atlantic Region. Jim provides technical assistance and support to enterprise customers in the Ohio Valley area, assisting with project scoping, solution selection, proof-of-concept pilots, and production implementation for all McAfee security solutions.

Jim has been involved with enterprise information security since the mid-1990s and worked at leading-edge technology firms such as Sun Microsystems and Symantec prior to McAfee. Areas of specific focus include project management, endpoint and server security, network intrusion detection and prevention, policy compliance auditing, and risk assessment.

Jim holds an associate’s degree in applied electronics from DeVry. In addition, Jim holds CISSP (Certified Information Systems Security Professional) and ISSEP (Information Systems Security Engineering Professional) certifications from (ISC)² as well as Security+ certification from CompTIA. He also serves as vice president of the Cleveland Ohio ISSA chapter.