Security Information and Event Management for Private Clouds

Dr. Athar MahboobDean Faculty of Engineering & Applied Sciences

Director Information TechnologyProfessor of Electrical Engineering

DHA Suffa UniversityKarachi, Pakistan

Pakistan CIO Summit 2013May 21-22, 2013

2

Agenda● Introduction to Security Information and Event

Management ● Understand the business case for a SIEM

solution● Understand the technical architecture of a

SIEM solution● Get familiar with an economical and open

source SIEM solution – OSSIM

3

Typical Private Cloud

IT Applications LMS Email Timetable Student Feedback Online Admission Test Instant Messaging Network Mgmt Service Directory Services Terminals Services Desktop Applications Engineering Design Apps Online Admission Application Storage Services Video Conference Service ERP Accounting Student Records Library Management

Multiple redundant media high-speed Internet Links

DSU Private Cloud (Data Center)

SAN

Servers

DSU Data ERP, LMS, Email

Internet 10 + 10 MBPS

Email

Web

HEC Digital Library

Social Media

Xen Hypervisor

DSU Firewall

Laptop PDA

Wireless Network Infrastructure Access Points and smaller access points provide wireless networking coverage to entire DSU campus.

Virtual Private Network – VPN VPN access to DSU Network for Faculty and Students. Through VPN all IT services can be accessed securely from any remote location

Thin Clients

High Speed Campus Network 600+ network nodes in 8 segments covering all offices and Labs at DSU connecting to a High Performance Network Core

PERN Video Conferencing

4

Threat Economy: Historic Attacker Motivations

End Value

Espionage (Corporate/ Government)

Fame

Theft

Writers Asset

Worms

Tool and Toolkit Writers

Viruses

Trojans

Malware Writers

Compromise Individual

Host or Application

Compromise Environment

Take Away: Fame was by far the dominant motivator

From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect – Northeast US, CISSP, GCIA

5

Threat Economy: TodayWriters Middle Men Second Stage

Abusers

●Bot-Net Management: For

Rent, for Lease, for Sale

Bot-Net Creation

Personal Information

Electronic IP Leakage

Worms

Spyware

Tool and Toolkit Writers

Viruses

Trojans

Malware Writers

First Stage Abusers

Machine Harvesting

Information Harvesting

Hacker/Direct Attack

Internal Theft: Abuse of Privilege

Information Brokerage

Spammer

Phisher

Extortionist/ DDoS-for-Hire

Pharmer/DNS Poisoning

Identity Theft

Compromised Host and

Application

End Value

Financial Fraud

Commercial Sales

Fraudulent Sales

Advertising Revenue

Espionage (Corporate/

Government)

Fame

Extorted Pay-Offs

Theft

Take Away 1: For-Profit end values

Take Away 2: Multiple methods to achieve goal

Take Away 3: Sustainable economy, resilient to shocks

From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect – Northeast US, CISSP, GCIA

6

New Threat Economy

From: http://www.scmagazineus.com/hacker-arrested-in-greece-for-stealing-selling-weapons-data/article/104718/

7

New Threat Economy

From: http://www.wired.com/threatlevel/2008/10/fed-blotter-new/

8

All is fair in love and war !!!STATE ACTORS ARE PART OF THE THREAT ECONOMY TOO

PUBLIC-PRIVATE PARTNERSHIP :-)

9

APT - Example

June, 2010 – StuxNet Worm

Target: Natanz Nuclear Facility

Motivation: Cyber Sabotage?

10

Advanced Persistent Threat - APT

The attack techniques started from self replicating code evolved into Advanced Persistent Threat Use 0-day Be stealthy Target users Target indirectly Exploit multi-attack vectors Use “state-of-the-art” technique Be Persistent

Hacking is no more about fun Corporate Espionage State Secrets Cyber “Sabotage”

11

StuxNet – How It Spread?

Exploited Four Zero Day Vulnerabilities

12

13

US Killer Spy Drones Controls Switch to Linux

14

Old – Windows

15

New – Linux

16

Drivers for Information Security Management

● Regulatory Compliance● HIPAA, SOX, FISMA, GLBA, FDA, PCI, Basel II,

OSHA and ISO 27002● Information security breaches are costly

● Need to respond timely to security events● Information systems environment is heterogeneous,

multi-vendor, and complexcompliance - a state or acts of accordance with established standards, specifications, regulations, or laws. Compliance more often connotes a very specific following of the provided model and is usually the term used for the adherence to government regulations and laws

http://searchcio.techtarget.com/sDefinition/0,,sid182_gci947386,00.html

HIPAA: Health Insurance Portability and Accountability ActSOX: Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOXFISMA: The Federal Information Security Management Act of 2002FDA: The Food and Drug AdministrationPCI Data Security Standard (PCI DSS): The Payment Card Industry (PCI) and Validation RegulationsBasel II: The New Accord: International Convergence of Capital Measurement and Capital StandardsGLBA: Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization ActISO/IEC 27002 (formerly 17799) is an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)OSHA: The United States Occupational Safety and Health Administration

17

18

Information Security Management

SIEMSecurity Information and Event

Management

SIEM versus ISM

SIMSecurity

Information Management

SEMSecurity Event

Management

19

SIEM

● “A SIEM or SIM is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software [or hardware] running on the network”

● A new concept (About 10 Years old)● A natural evolution of log management● A SIEM enables organizations to achieve round-

the-clock ‘pro-active’ security and compliance.

20

Beginnings of SIEM are in Log Management

● Log management● Automation in collection of logs in a central

place – e.g. syslog-ng● Tools for log searching and analysis● Still a dependence on expert human for

analysis● Typical human expert cannot process

more than a 1000 events a day● Conclusion - automate more

21

LogsWhat Logs?

Audit Logs

Transaction Logs

Intrusion Logs

Connection Logs

System Performance Records

User Activity Logs

Misc. alerts and other messages

From Where?

Firewalls/Intrusion Prevention

Routers/switches

Intrusion Detection

Servers, Desktops, Mainframes

Business Applications

Databases

Anti-virus

VPNs

22

Inverted Pyramid of Event Significance

3 MILLION

15,000

24

8

TOTAL EVENTS

CORRELATED EVENTS

DISTINCTIVE SECURITY ISSUES

INCIDENTS REQUIRING ACTION

UNIX Syslogs

85,000 Events

Windows Event Logs

1,036,800 Events

IDS and Access Logs

1,100,000 Events

Firewall787,000 Events

Antivirus12,000 Events

23

The Challenge of SIEM

● “Billions and Billions” of events● Firewalls, IDS, IPS, Anti-Virus, Databases,

Operating Systems, Content filters● Information overload

● Lack of standards● Difficult correlation

● Making sense of event sequences that appear unrelated

● False positives and validation issues● Heterogeneous IT environment

24

Technical Drivers of SIEM

React Faster!● Too much data, but not enough information

● High Signal To Noise Ratio

● No “situational awareness”

● Too many tools to isolate root cause

Improve Efficiency● Compliance requirements

● Nothing gets shut down

● Cost center reality

25

Reduce risk and cost

Time to remediate

Reduce risk and cost by dramatically reducing the time it takes to effectively respond

Ris

k/C

ost

26

Business Objectives of SIEM● Increase overall security posture of an

organization● Turn chaos into order● Aggregate log file data from disparate

sources ● Create holistic security views for compliance

reporting● Identify and track causal relationships in the

network in near real-time● Build a historical forensic foundation

27

Generic SIEM Architecture

Collect Inputs from target sourcesAgent and agentless methods

AggregateBring all the information to a central point

NormalizeTranslate disparate syntax into a standardized one

CorrelateIf A and B then C

ReportState of healthPolicy conformance

Archive

R Box

A Box K Box

D Box

C Box C Box

E Box E Box E Box E Box E BoxE BoxesEvent generators: sensors & pollers

C BoxesCollection boxes

D BoxFormatted messages database

A Box + K BoxIncident Analysis Knowledge base

R BoxReaction and reporting

28

NOC vs SOC

Separates auditing role from operations role

29

State-of-the-art Cyber Security Operations Center, a comprehensive cyber threat detection and response center that focuses on protecting Northrop Grumman and its customers’ networks and data worldwide.

(Northrop Grumman)

http://www.armybase.us/2009/07/northrop-grumman-opens-cyber-security-operations-center/

30

Reactive Proactive Predictive

SOC

Incident Response, Notification, Tracking, Analysis, Containment, Eradication, and Remediation

Network Vulnerability Scanning: Network, Systems

Strategic Analysis

Incident Detection Systems (IDS)

Vulnerability Handling Threat Management & Correlation System

Computer Forensics & MalwareAnalysis

Third-Party Pen. Testing (3rd Party)

Email Filtering & Blocking

DNS Sinkhole

Threat Tracking, Monitoring, & Mitigation

Patch/Asset Management

Situational Awareness: Log Monitoring, Event Aggregation and Correlation (SIM)

Flow/Network Behavior Monitoring

Host Based Monitoring System (HBSS): Antivirus, Firewall, Anti-Malware, Application White listing

Active Protection: Intrusion Prevention System (IPS)

Web & Application Scanning

Incident Scope Analysis & Remote Forensics

Content Monitoring/Data Loss Prevention

Red Team/Blue Team

31

Linux and Open Source

● Business model is based on services alone:– Implementation

– Customizations

– Training

– Documentation

– Support

● A fair and consumer friendly business model for software because:

● Software is incrementally developed● Software is infinitely replicable

32

Clearing Misconceptions About Open Source

● Open source is free software !● Software is free, people are not !● Free as in “freedom” not necessarily as in

“free beer”● Open source is a viable business model● Open source is a better software

engineering methodology

“Given enough eye-balls, all bugs are shallow”

Linus' Law

33

Why Open Source for SIEM?

● Commercial products have a high cost of entry barrier

● User can become confused with the:● Marketing terms● Feature bloat

● Open source SIEM has matured – can compete head-on with commercial offerings

● Open Source SIEM can even be used as a learning tool – requirements analysis tool for a commercial SIEM specifications

34

Open Source Security Information Management - OSSIM

● Made of best of breed open source security tools: snort, ntop, nmap, nagios

● Full installer – plug & play● Integrated Graphical Management Console● Includes Reporting Engine (JasperReports)

with pre-designed reports● Commercially supported - AlienVault● Implemented in local companies

35

Magic Quadrant for Security Information and Event Management - 2011

36

Magic Quadrant for Security Information and Event Management - 2012

Source: Gartner (May 2012)

37

OSSIM Pros

● Extendable● Stable● Low cost● Works with native tools and mechanisms

● Easier to integrate● Less overhead

● Wide range of tools combined into one solution

38

Snort Ntop Fprobe NFDump NFSen OCS Nagios

OpenVASNiktoOSVDBOSSECKISMETNMAPP0fArpWatch

OSSIM - Integrated Tools

39

OSSIM Web Interface

40

SIEM Concepts

Detection and Collection

41

Active Versus Passive Tools

● The different tools integrated in OSSIM can be classified into two categories:

● Active: They generate traffic within the network which is being monitored.

● Passive: They analyze network traffic without generating any traffic within the network being monitored.

The passive tools require a port mirroring /port span configured in the network equipment.

42

Data Source

Any application or device that generates events within the network that is being monitored

External Data Sources Network Devices: Routers, Switches, Wireless AP... Servers: Domain Controller, Email server, LDAP... Applications: Web Servers, Databases, Proxy... Operating Systems: Linux, Windows, Solaris...

Internal Data Sources Collect information on the network level

Intrusion Detection Vulnerability Detection Anomaly Detection Discovery, Learning & Network Profiling Inventory Systems

Collectors

Detectors

Sensors: Data Sources

43

The Sensor can aggregate events using multiple collection methods

Sensor: Collection

44

Detection is done by setting the Sensors NIC into promiscuous mode to collect all the traffic on the monitored network HUB Port Mirroring/Spanning Network Tap

Sensor: Detection

45

Any log entry generated by any Data Source at application, system or network level will be called an event.

For SIEM it is important to know: When has the event been generated? What is involved? (Systems, users, …) Which application generated the event? What’s the event type?

Event

46

The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring: Real-time Event processing Risk metrics Risk assessment Correlation Policies Management Active Response Incident Management Reporting

The SIEM

47

The Logger component stores events in raw format in the file system.

Events are digitally signed and stored en masse ensuring their admissibility as evidence in a court of law.

The logger component allows storage of an unlimited number of events for forensic purpose.

For this purpose the logger is usually configured so that events are stored in a NAS / SAN network storage system.

10:1 Compression to save Disk Space

Logger – Secure Reliable Storage

48

The AlienVault database runs on a MySQL server SIEM Events, configurations, and inventory

information are stored in the Database Database is a required component in any

AlienVault deployment, even if no Logger is being used

Database

49

Detection The process of identifying behavior that leads to

the generation of an event Multiple elements that can be used by SIEM to

provide detection capabilities:• Snort, Ntop, Arpwatch… (Example Data Sources included in

AlienVault)• Existing corporate applications/tools• Tools that have been deployed prior to SIEM installation

(Firewalls, Antivirus…)

50

The task that determines which events shall be collected into the Server

Collection is done by the Sensors Server can collect events using multiple methods:

• Some require configuring the Data Source to send events to the Sensor (E.g.: Syslog, FTP...)

• Other require the Sensor gathers the events from the application or device (WMI, SQL, SCP...)

Collection

51

End Device/App

The process of translating the events generated by different tools into a unique and normalized format Normalization is done in the Sensor Log information is normalized using regular expressions by

AlienVault Sensors

Raw EventNormalized Event

SIEM Server

Sensor

Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root

event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0“plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root"log="Mar 22 20:40:15 ossim-A su[27992]: Successful su for root by root"

Normalization

52

A Data Source is any application or device that generates logs, events and information

AlienVault can collect events from any Data Source by using a Data Source Connector (Plugin)

Data Source

53

The Data Source ID (Formerly known as Plugin_id) is a unique number used by AlienVault to identify each of the Data Source types that send events to AlienVault This number is used in correlation rules and when defining Policy

Rules

Data Source ID

54

The Event Type (Formerly known as Plugin_sid) is a unique number (Within each Data Source) that identifies the different events a Data Source is able to generate. The Event Type always has to be associated to a Data Source ID,

since multiple Data Source ID can share common Event Types.

• (E.g.: 404 Event Type in Apache and IIS)

Event Type

55

An Asset is any device available on a network that is being monitored by SIEM Assets in AlienVault have a value (0-5). Each Asset will have a

different value depending on their task within the network Assets in AlienVault:

Assets

56

Every Asset in AlienVault has an Asset Value (0-5) Assets not defined within the AlienVault Inventory have a default

Asset Value of 2 Assets will have different values depending on their role within the

monitored network E.g.: A printing company

• Printers will be a very high asset value

E.g.: A company offering Web hosting

• Web servers and database servers will be a valuable asset while printers on the other hand won’t be so important.

Asset Value

57

Defining an Asset in OSSIM

58

Priority is the importance of the event itself It is a measure which tries to determine the relative impact

an event could have in our network. Priority is a value between 0 and 5

• 0 No importance• 1 Very Low• 2 Low• 3 Average• 4 Important• 5 Very Important

Event Priority

59

Reliability determines the probability of an attack being real or not. E.g.: A single authentication failure.

• Would you be able to determine if it is a real attack (Brute Force attack) using a single event?

Reliability can be a value between 0 and 10

• 0 False Positive• 1 – 10% chance of being an attack• 2 – 20% chance of being an attack• …• 10 Real attack

Event Reliability

60

The SIEM calculates a risk for each event processed in the SIEM The Event Risk is a numeric value (0-10)

Event Risk

61

Any event with a risk value greater than or equal to 1 will become an alarm. An alarm is a special type of event since it can have more

than one event originating it. Correlation doesn’t generate alarms (done by server

during R.A), it will generate new events that may or may not become alarms.

Alarm

62

Correlation is the process of transforming various input data into a new output data element

Using correlation we can transform two or more input events into a more reliable output event

Through correlation of various events from disparate data sources a SIEM delivers greater Security Intelligence

Correlation

63

Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an Aggregated risk indicator for each asset of the network This aggregated risk is stored in two properties of each asset

within AlienVault

• Compromise: Compromise means a network element is generating lots of events as source, this is, it’s behaving like if it’s been compromised

• Attack: Attack is a value that measures the level of attack an element has received in our network, that is, how much it has been attacked

Aggregated Risk

64

Compromise value is increased by taking into account the risk of the event calculated using the Asset Value of the source (The Asset value of the destination is ignored even if it is higher) This value increases the compromise value of the host, the

compromise value of the host groups, networks and network groups the host belongs to, as well as the global compromise

Compromise Value

65

Attack value is increased by taking into account the risk of the event calculated using the Asset Value of the destination (The Asset value of the source is ignored even if it is higher) This value increases the attack value of the host, the attack

value of the host groups, networks and network groups the host belongs to, as well as the global attack value

Attack Value

66

From Alarm to Ticket Alarms can be ignored or can be converted to tickets Tickets can be assigned to IS or IT officers The ticket life cycle is the Security Event

handling/management

67

Security Event Management

68

Conclusions

OSSIM provides SIEM capabilities to small and medium sized organizations

OSSIM leverages best of breed open source tools and combines them into integrated SIEM to manage security events

OSSIM can be setup quickly – time is money

69

Thank You !