2005 HR Retreat: Employment Team | priority-health.com | Security Event Management | February GR ISSA Meeting
Security Event Management
Correlation, Categorization,
and Threat Modeling
SEM/SIM
• Security Event/Information Management
• Collect and analyze log & alert data from multiple sources
• Manage and modify event data within a single application
• Make pretty graphs & reports that impress the boss and mean something!
Correlation
• Find commonalities between events from different data sources
• Quickly find and analyze the log trail of an attack
• Lay the foundation for finding patterns and anomalies in security data
Field                Firewall Log Event         IDS Log Event
Event Name           accept                     XML-RPC for PHP Remote Code Injection
Source Address       12.34.56.78                12.34.56.78
Source Port          1024                       1024
Destination Address  98.76.54.32                10.0.0.20
Destination Port     80                         80
Timestamp            7/12/2005 21:09:12 GMT-5   7/12/2005 21:09:12 GMT-5
Correlation
• Practical application is straightforward
  – Firewall + IDS Correlation
    • “Did that attack get through my firewall?”
  – Firewall + Server Correlation
    • “Did that connection successfully authenticate?”
  – IDS + Monitoring Tools Correlation
    • “Did that DoS attack take its target down?”
Categorization
• Group similar event types from different sources
• Determine event outcomes such as success or failure
• Add “intelligence” to correlation
• Done primarily through parsing
Field                Firewall Log Event         IDS Log Event
Event Name           accept                     XML-RPC for PHP Remote Code Injection
Source Address       12.34.56.78                12.34.56.78
Source Port          1024                       1024
Destination Address  98.76.54.32                10.0.0.20
Destination Port     80                         80
Timestamp            7/12/2005 21:09:12 GMT-5   7/12/2005 21:09:12 GMT-5

New SEM Event (correlated and categorized)
Source Address       12.34.56.78
Source Port          1024
Destination Port     80
Timestamp            7/12/2005 21:09:12 GMT-5
Event Name           Possible Successful Attack
Outcome              Success
Category             Attack
Categorization
• Practical application
  – Combine and manage events of similar type
    • RealSecure + Snort = NIDS
    • PIX + SonicWall = Firewall
  – Use outcomes and correlation to identify significant security events
    • IDS attack + Firewall pass = Big Deal
    • IDS attack + Firewall drop = No Big Deal
Threat Modeling
• Additional data layer designed to provide higher degree of intelligence to event prioritization
• Typically asset-based (e.g. IP Address)
• Integrate network scanner results into the security event equation
• Good data requires lots of discovery and data entry
Asset Model Data
Asset Type           Server/Web
Asset Importance     Business/Critical
Asset Location       USA/MI/Grand Rapids
Asset Address        10.0.0.20
Vulnerability Data   TCP/80 TCP/443 UDP/53

IDS Log Event
Event Name           XML-RPC for PHP Remote Code Injection
Source Address       12.34.56.78
Source Port          1024
Destination Address  10.0.0.20
Destination Port     80
Timestamp            7/12/2005 21:09:12 GMT+5

New SEM Event (prioritized against the asset model)
Source Address       12.34.56.78
Source Port          1024
Destination Port     80
Timestamp            7/12/2005 21:09:12 GMT+5
Event Name           Successful Attack on Critical Server
Destination Address  10.0.0.20
Threat Modeling
• Practical Application
  – Use asset and vulnerability data to prioritize relevant events
    • Web attack on web server = Medium Priority
    • Attack on vulnerable server/port = High Priority
  – Note: This is only as useful as your asset data is accurate.
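The three layers the slides walk through (correlation, categorization, threat modeling), as an added Python example that is not part of the presentation or of any SEM product. The log records, the asset model's field names and the priority cut-offs are constructed to mirror the slides and are assumptions; note that correlation deliberately ignores destination address, because the firewall logs the public NAT address while the IDS sees the internal one.

```python
from datetime import datetime, timedelta

def ev(name, src, sport, dst, dport, hh, mm, ss):  # constructed record, dated 7/12/2005 as on the slides
    return {"name": name, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "ts": datetime(2005, 7, 12, hh, mm, ss)}

# Constructed samples: note the NAT, the firewall logs the public destination, the IDS the internal one.
FIREWALL_LOG = [ev("accept", "12.34.56.78", 1024, "98.76.54.32", 80, 21, 9, 12),
                ev("drop", "12.34.56.79", 2000, "98.76.54.32", 80, 21, 10, 0)]
RCE = "XML-RPC for PHP Remote Code Injection"
IDS_LOG = [ev(RCE, "12.34.56.78", 1024, "10.0.0.20", 80, 21, 9, 12),
           ev(RCE, "12.34.56.79", 2000, "10.0.0.20", 80, 21, 10, 0)]
# Constructed asset model (hypothetical field names); "vulns" holds the scanner's open ports.
ASSETS = {"10.0.0.20": {"type": "Server/Web", "importance": "Business/Critical",
                        "vulns": {"TCP/80", "TCP/443", "UDP/53"}}}

def categorize(fw, ids):
    """Categorization: outcome comes from the firewall action, event type from the IDS."""
    outcome = "Success" if fw["name"] == "accept" else "Failure"
    return {"src": ids["src"], "sport": ids["sport"], "dport": ids["dport"], "ts": ids["ts"],
            "dst": ids["dst"], "category": "Attack", "outcome": outcome,
            "name": "Possible Successful Attack" if outcome == "Success" else "Blocked Attack"}

def correlate(fw_events, ids_events, window=timedelta(seconds=5)):
    """Correlation: match IDS alert to firewall decision on (src, sport, dport) plus a time window;
    destination address is deliberately excluded because NAT makes the two logs differ."""
    return [categorize(fw, ids) for ids in ids_events for fw in fw_events
            if (fw["src"], fw["sport"], fw["dport"]) == (ids["src"], ids["sport"], ids["dport"])
            and abs(fw["ts"] - ids["ts"]) <= window]

def prioritize(event, assets):
    """Threat modeling: rank a categorized event against the asset model."""
    if event["outcome"] != "Success":
        return "Low"                  # IDS attack + firewall drop = no big deal
    asset = assets.get(event["dst"])
    if asset is None:
        return "Medium"               # assumption: unknown asset, flag it for discovery
    if f"TCP/{event['dport']}" in asset["vulns"]:
        if asset["importance"].endswith("Critical"):
            event["name"] = "Successful Attack on Critical Server"
        return "High"                 # attack on a vulnerable server/port
    return "Medium" if asset["type"] == "Server/Web" and event["dport"] in (80, 443) else "Low"

def run():
    """Full pipeline: (event name, outcome, priority) for each correlated event."""
    events = correlate(FIREWALL_LOG, IDS_LOG)
    prios = [prioritize(e, ASSETS) for e in events]   # may rename events, so done first
    return [(e["name"], e["outcome"], p) for e, p in zip(events, prios)]
```

The accepted connection that the IDS flagged becomes a High-priority "Successful Attack on Critical Server", while the same signature on a dropped connection stays Low; change the asset's importance or open ports and the priority follows, which is the point of the slide's note about asset data accuracy.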
Real Life
• Priority Health uses ArcSight v3
  – Security event monitoring
  – Threshold and pattern based alerting
  – Case management & reporting
  – Compliance monitoring and log review
• NTP or some other form of time synchronization is critical to getting the most out of any SIM/SEM product.
Questions?