Brian Albrecht, MIS, CISSP Senior Knowledge Engineer LogRhythm, Inc.

Transcription

1 Brian Albrecht, MIS, CISSP Senior Knowledge Engineer LogRhythm, Inc.

2 Case Study Disgruntled Employee Data Breach Council of Community Health Clinics (CCC), hacked by former employee Employee resigned following a bad review Accessed corporate server through RDP connection Server contained personally identifiable medical data Former employee disabled the automatic backup process; later deleted patient data Consequences to the organization Significant fines if breach had occurred after January 1, 2009 (SB 541 and AB 211) Loss of patient data could have led to loss of life Patients had to wait hours to see doctors Consequences to Ex-employee Convicted and sentenced to more than 5 years in prison Forced to pay more than $400,000 in restitution Claburn, Thomas Network engineer gets five years for destroying former employer s data June, 2008 (accessed 12 August 2009)

3 Introduction to SIEM Technology What is a Security Information Event Manager? Gartner s Definition: SIEM solutions analyze security event data in real time to identify threats, and analyze and report on log data for compliance monitoring. Goal: to give the user(s) the on-demand ability to utilize real time and historical records of activity for all nodes in an enterprise network. Objectives: Allow for identification of security breaches and attempts through increased awareness. Diagnostic identification and remediation of errors and critical events. Collection and reporting on data relevant to auditing of GRC requirements.

4 Compliance And beyond... PCI Security Standards Council Statement on Recent Data Breaches A layered approach to security is absolutely necessary to protect sensitive payment card data without ongoing vigilance or a comprehensive security strategy, organizations may be just a change control away from noncompliance. Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete. Reports by forensics companies suggest that this is an area of weakness among organizations.

5 What Happens WITHOUT Protective Monitoring?

6 The Process Collect Logs from Log Sources (Software, Appliances, Switches, Routers, Firewalls, etc.) Extract Meaningful Information from Logs Enrichment of Log Information (Correlation, Geo- Information, Locality, etc.) Presentation and Tools (Alarms, Reports, Investigations, Visualization, etc.)

7 The Challenge: Collect, Organize & Analyze Millions of these :12: id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd=0 PER DAY

8 and these 11/28/2005 5:46 PM TYPE=Warning USER= COMP=SHIRE SORC=RemoteAccess CATG=(0) EVID=20189 MESG=The user matt connected from but failed an authentication attempt due to the following reason: %The user must change his or her password. Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from port 1298 ssh :12: id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd=0 11/28/ :56 AM TYPE=Information USER=SECIOUS\andy.grolnick COMP=DELL600SC SORC=Print CATG=(0) EVID=10 MESG=Document 203, PODNOTICE (TA ) PDF owned by andy.grolnick was printed on Brother HL-1250 series via port LPT1:. Size in bytes: ; pages printed: [28/Nov/2005:14:48: ] "GET / HTTP/1.1" " "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR )" 11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 MESG=Hanging application notepad.exe, version , hang module hungapp, version , hang address 0x Cryptic text records of server, application, workstation and network device activity

9

10 SIEM Philosophy Security Information Event Managers (SIEM) analyze data from multiple sources to determine problems more accurately than a single device SIEMs provide Safety in Numbers Investigations: more detail mean more accuracy Scope is possible to determine instead of just action Overall: the more sources of information, the more benefit the SIEM gives Maximizing SIEM effectiveness is determined by the SIEM Architecture and by its deployment

11 Where Logs are Harvested Syslog Format (Industry recognized standard) Flat Files (Apache, Bind, MS Exchange Tracking Logs, many ) Database Tables (Oracle, Web Based Applications) SNMP Generated Reports (Vulnerability, Change Logs, etc.) Web Pages, XML files (Netgear, Cisco LMS) Custom Protocols (OPSEC LEA, SDEE, Netflow, etc.) Binary Formats Audit Logs (Solaris, Linux, etc.) Misc. structured formats (SAP) API Based (Novell Netware, etc.) Integrated agent tools

12 Automated Interpretation The SIEM s ability to interpret log and event data is the single most important step Capturing logs is not enough they need to capture details (IP address, host name, user id, etc.) The most desirable features of log collection would be: Enterprise-Wide Visibility & Awareness Advanced Data Management Flexible Deployment & Configuration Options Comprehensive Compliance Support (Out-of-the-Box) Universal Customizable Console

13 Extraction of Critical Data

14 Process of Interpretation Classifications Audit, Security, Operations Categories Compromise, Malware, Denial of Service, Vulnerability, etc. Log Event Type Buffer Overflow Attempt, CVE #, etc. Details: IP Addresses, IDs, Ports, Traffic, etc. Risk Ratings and Handling Policies

15 Enrichment of Logs All about applying Context: Does the log originate from a computer inside the network or outside of the network? Add entity definition: does the log come from Engineering, Hong Kong, or 3 rd Floor, rather than /24, /24, or /16? Add geo-location: the log came from Kiev, Ukraine rather than Use Latitude and Longitude to determine location on map. Use DNS servers to identify IP address or host name Identify proper affected application using context from log source type, port number, or based on matched rule. Providing context to logs creates new ways of identifying anomalies, such as knowing: When a very large file is transferred outside of the organization When a connection enters the organization from a foreign location where the company doesn t have employees. When a rival company is probing the web site.

16 Case Study Bot Detection Telecom company recently deployed a SIEM solution Soon after deployment, IDS traffic picked up internal port scans Using SIEM aggregation and investigation tools, isolated the IP address of the host performing scans Performed an investigation on the specific host, monitored traffic Noticed unusual SMTP traffic coming from host Putting all of the information together, determined that host machine had been infected by malware, was being used as a spambot

17 SIEM Advantage Bot Detection In the Bot Detection scenario, SIEM allowed organization to correlate events from several devices Those involved were able to analyze the data gathered and parse out useful data only Able to pull data from a previous time to create a timeline; analyze the trending of events over time

18 Log/Event Management Overview Data Architecture Logs Events Alerts Raw log data collected and automatically archived Logs having more immediate operational, security, or compliance relevance. Events, or combination of correlated events, requiring immediate notification & response. Effective LM/SEM functionality requires a cohesive integration accomplished only when architected as a single solution.

19 What is an Event? An Event is when a log is flagged as being important compared to other logs. Examples: Privileged User Login Malware discovered on a workstation Power failure SIEM 2.0 requires Events to exist in some form so that the users can identify key issues quickly. Events can be identified by meeting conditions based on extracted data or enriched data. Examples: Log Type Log Severity (Panic, Critical, Error, Warning, etc.) Location (rogue state list)

20 Alarming An alarm is an Event of higher note than a basic log or event, it adds the context of urgency. When an alarm condition is met, direct notification is made by , text message, pager, etc. Alarms can be considered a Call to Action and ideally happen infrequently.

21 Correlation Correlation is another process that identifies or creates Events and/or Alarms Provides a link between conditions For example, a potential brute force attack is detected, followed by a successful authentication from the same origin host. A user logs in after being terminated (after account disabled, after employee status changed in HRM, etc.) Many types of correlation: On multiple occurrences of an event in a time threshold. From a location, country, IP address, domain name. Involving a user account, application, or specific file. In close time proximity with a different event. When an event is not witnessed. From common sense to applied mathematics.

22 Case Study: Ford Espionage (Source: The Detroit News) 10-year employee ( ) at Ford Motor Company copied 4,000 documents onto a portable hard drive. Documents included design specifications Employee attempted to use the documents to secure a job in a Chinese automobile company in 2005 (while still working for Ford) Employee was arrested (Oct 15 th, 2009)

23 Where are my logs? Once logs have been processed, they reside in a database until searched for. Some are sent to real-time systems, such as a dashboard or tail display of the most recent logs. At this point, tools are provided for the actors to use the SIEM to accomplish their goals: Stopping intrusions, malware, and internal security concerns Detecting, diagnosing and fixing problems Working within organizational procedure (ITIL, etc.) Proving compliance with GRC (Governance, Regulation and Compliance)

24 Dashboard The SIEM Dashboard is a major launching point for investigations Provides real-time awareness Most simplified display

25 Investigations Investigations are searches based on facts we know (who, when, where) and are expanded or restricted based on clues Example: Employee termination may be the trigger for the investigation, by company policy If we noticed user SMITH doing something suspicious, we might investigate what SMITH was doing for the last month, or what SMITH s computer was doing at the time of the event, or other computers SMITH accessed

26

27 Visualization

28 Reporting Reports allow for post-event review, in case a critical situation was missed Report collections have better visibility than the Dashboard alone Basic security and auditing summaries should be generated frequently to supplement the Dashboard Report reviews should be a part of any organizational security plan and/or policy Typically MSSPs provide weekly reviews of reports Compliance often mandates daily, weekly or monthly review

29 Could the Disgruntled Employee Breach have been detected and prevented? Council of Community Health Clinics (CCHC), hacked by former employee Employee resigned following a bad review Accessed corporate server through RDP connection Server contained personally identifiable medical data Ex-employee disabled the automatic backup process; later deleted patient data Potential consequences to the organization Patients had to wait hours to see doctors Loss of patient data could have led to loss of life Consequences to Ex-employee Convicted and sentenced to more than 5 years in prison Forced to pay more than $400,000 in restitution

30 Could the Disgruntled Employee Breach have been detected and prevented? Highlights from the case study: Employee resigned following a bad review Use SIEM to instantly begin monitoring employee s user account, even if access has been terminated Accessed corporate server through RDP connection SIEM would be able to monitor and detect remote connections Server contained personally identifiable medical data Confidential and proprietary information on this server would be monitored for access attempts Ex-employee disabled the automatic backup process, later deleted patient data Process monitoring could detect the change made to the backup process; confidential patient data monitored

31 Conclusion SIEMs provide a way to collect and process logs Enrich logs to add meaningful context Escalates meaningful logs to Events Escalates urgent Events to Alarms SIEMs provide tools for investigating activities on a network Enhance activities involving Security, Operations and Auditing Tools include: Dashboard Reporting Investigations Visualization

32 Q&A