Concierge SIEM Reporting Overview

Transcription

1 Concierge SIEM Reporting Overview

2 Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts and Vulnerabilities)... 8 Perimeter Security View Identity View Ad Hoc Requests Summary Arctic Wolf Networks 1

3 Introduction As a Concierge SIEM TM (Security Incident and Event Management), the Arctic Cloud and related network vsensors collect, normalize and correlate various security events for analysis to produce actionable security intelligence delivered from Concierge Security Engineers (CSE) to customers. The primary data sources include Inventory, IP Flow, HTTP, SSL and DNS network traffic, plus Vulnerability Assessment and the use an IDS/IPS with the option of packet captures for deeper analysis as required. The intersection of multiple security data sources supports critical security controls for continuous network security monitoring and protection including the detection threat opportunities and infections. Security Data Views within the Arctic Cloud: Inventory Data (Any IP accessible device) Internal Traffic (IP Flows) External Traffic (HTTP, SSL, DNS) Risk Analysis (IPS Alerts, Vulnerabilities, Exploits) Perimeter Data (Firewall, Ports, Apps, Network Zones) Identity Data (Users, Groups, Hosts) Arctic Wolf also imports third party security intelligence and feeds from multiple sources, including open source data, commercial vendors and industry research reports. This paper contains samples of reporting within views that tap into a wealth of information also open to ad hoc requests and analysis. Arctic Wolf uniquely provides Concierge Security Engineer (CSE) services as part of its solution, thus pairing security expertise with reporting data for comprehensive analysis, alerts and actionable security intelligence. Arctic Wolf Concierge SIEM Features: SIEM-as-a-Service cloud service to manage security incidents and events Security Engineer(s) your security concierge and expert. Actionable Security Intelligence o Security event management focused on threat opportunities and infection o Behavioral analysis of network traffic for anomalies and suspicious events o Baseline of inventories, traffic flows, vulnerabilities, apps and user profiles o Security summary and detail profile reports highlighting key events and risks o Ad hoc queries for increased visibility and knowledge Arctic Wolf Concierge SIEM Benefits: No capital expense No systems to install, trial or manage No mountains of data to analyze No SIEM or query expertise required Secure in the knowledge you are protected Prepared for security incident analysis and response 2014 Arctic Wolf Networks 2

4 Inventory View Key to critical security controls is to know yourself as well as the enemy. Inventory data provides an important baseline for systems, networking equipment, end user devices, printers or basically anything with an IP address. Attackers commonly look for new systems via scanning to quickly assess them, as they are likely not fully protected as they come online. End users may also deploy test systems for short-term use, new Wireless Access Points (WAPs), small firewalls or network-enabled devices without IT notification or security controls. Working with your CSE to identify critical systems, data stores, user profiles, network mapping and expectations for new or dropped devices increases risk assessment depth and value. An example of reporting within the Inventory View is a Network Summary: The Network Summary report provides a table of core network device groups (group label, subnet/ranges, number of devices), plus mapping network groups accessed for the specific group, and what networks the group is accessed from highlighting network access between groups and the Internet. Another example is a Device Summary: 2014 Arctic Wolf Networks 3

5 Internal Traffic View (IP Flow Data) IP Flow data from common exporters (e.g. vsensors, firewalls, switches, routers) provides a wealth of information for security analysis, plus overall bandwidth usage and investigating performance. This data source also enables detection of scanning and recon, large data transfers, possible data theft, botnet communications, plus analyzing user activities. Correlated with inventory data enables forensic analysis of Indicators of Compromise (IOCs) with the ability to find attack pivot points and reconnaissance to determine the depth and breadth of an attack. Security labs frequently publish IOC details on attacks that can be analyzed against archived IP Flow data to determine possible impact. An example of reporting within the Internal Traffic View is a Scanning Devices Summary: This summary provides profiles on devices scanning (device, network group, scan type, target count, and IP Flow count), plus devices being scanned (device, network group, scan type, and number of scans), plus a summary of actionable alerts with date/time, status, alert, ticket number and notes Arctic Wolf Networks 4

6 External Traffic View (HTTP, SSL and DNS) HTTP and SSL are the foundation for data communications on the web. Driven mainly by web browsers and increasingly apps, this data source is extremely valuable for continuous security monitoring and protection. Attack kills chains often begin with lures that socially profile users via web, and social networking that invoke hidden web redirects to exploit kits designed to find exploitable vulnerabilities in target systems. Given an open door, dropper files can infect to provide an attack pivot point for recon, C2 communications and malware delivery. Inbound and outbound web traffic analysis is critical, unfortunately many defenses only rate inbound web traffic. An example of reporting within the External Traffic View is the Reputation Class Overview: 2014 Arctic Wolf Networks 5

7 This overview provides profiles on specific reputation classes for top users and devices with bandwidth profile, top destination hosts, protocol distribution chart, geo-destination traffic map, plus a summary of actionable alerts with date/time, status, alert, ticket number and notes. The Domain Name System (DNS) is the phone book to map user consumable destination names into IP addresses for machine delivery. The security issues of DNS cache poisoning, international fonts types that disguise characters in domains, and typo-squatting domains enables the direction of users to malicious destinations. Attacks on DNS accounts have enabled attackers to quickly change destinations for popular web sites where in minutes and hours a large harvest of users is collected. More recently, DNS communications have been used to hide C2 communications from detection Arctic Wolf Networks 6

8 An example of reporting on DNS traffic within the External Traffic View is the DNS Summary: This summary provides tables on corporate required DNS servers (name, requests, bytes, devices, users and notes), plus rogue DNS servers with reputation, and devices using rogue DNS servers (device, requests, bytes, reputation profile, and notes), plus a table of actionable alerts by device with ticket number and notes Arctic Wolf Networks 7

9 Risk View (IPS Alerts and Vulnerabilities) The traditional IDS/IPS has advanced into a network security monitoring system with the ability to detect protocols on any port and apply the correct rules and logging, log HTTP requests, log and store TLS/SSL certificates plus analyzing handshake variables, extract and store files, keyword matching, plus utilize PCAP for full packet captures providing deep content analysis. Also the ability to apply IP reputation ratings, use of MD5 file hash sums, type, size and magic byte in rules, and detecting less than reputable certificate authorities. This makes the modern IPS a command and control (CnC) and malware hunter unlike any other tool. An example reporting on IDS activity within the Risk View is the IDS Summary: This summary provides profiles on top IDS alerts noting number of devices, occurrences and direction, plus tables with top alerts by device, user and device type/os. An event action log summary notes date/time, status, device/ip, alert and notes Arctic Wolf Networks 8

10 Identifying and correcting the root cause of vulnerabilities is key to a vulnerability management program that may also include penetration testing, grey box application testing, web application testing, and security training. The end goal is identifying weaknesses in patch management, firewall and router configurations, minimum-security baselines, policies and procedures. Often overwhelming reports on detected vulnerabilities result in practices to address only high risk ones to limit the workload. However risk profile analysis notes the automation of exploitable vulnerabilities of any risk rating are the most dangerous and should have immediate attention. In the end, vulnerability assessment without remediation has little value. An example of reporting for Vulnerability Assessment within the Risk View is Vulnerability Summary: This summary provides a profile of high-risk vulnerabilities where risk is a function of resource value, exposure, vulnerability severity, age and availability of exploit/automation. Table notes vulnerability, device, CVE identity, risk score and associated variables Arctic Wolf Networks 9

11 Perimeter Security View While the concept of single perimeter has faded and should be viewed as another security layer in a honeycomb design, it remains important to secure. Virtualized cloud apps and BYOD are distributing where security perimeters exist and changing the definition to multiple security perimeters. For a fragmented IT data center, the concept of identity as the new security perimeter is surfacing. Locks on the doors remain important even if you have data secured in a safe, these security concepts should work together to defend and reduce risk. Smaller businesses with flat network designs should be even more inclined to secure their perimeter as one infection provides a pivot point to the majority of systems. An example of reporting within the Perimeter Security View is the Firewall Audit: This audit report exposes observed firewall policies for source and destination network groups from the Network Summary or IP ranges, service, direction, action and a heartbeat chart on bandwidth for the reporting time period Arctic Wolf Networks 10

12 Identity View Given the growth of BYOD mobile devices, virtualized cloud apps and fragmented data centers, identity is becoming a new security perimeter. Initial logins are becoming very important due to federated authentication and single-sign-on (SSO) access. Correlating the activity of top users and groups with adjacent security information silos is an important perspective. An example of reporting for the Identity View is a User Focus report: 2014 Arctic Wolf Networks 11

13 This user detail focus report provides a user network presence map, bandwidth profile, protocols & usage map, devices accessed, risk factor trending (logins, reputations, AUP violations, SSL certs, BW), SaaS App profile, traffic reputation map, and geo-destination traffic map Arctic Wolf Networks 12

14 Ad Hoc Requests The Arctic Cloud platform collects and correlates information across multiple security data silos that normally exist within individual solutions, and often from different vendors. This ability to associate two or more data elements from various silos into a reporting view is unique and infinite in what can be analyzed. This becomes valuable to determine risk in proactive security assessments and in forensic analysis for incidents or when leveraging IOCs to determine impact. Concierge Security Engineers (CSEs) with our customers are key to surfacing new areas of reporting. An example of Ad Hoc Request reporting is a Device Focus Report: 2014 Arctic Wolf Networks 13

15 This device focus report provides a device services profile, protocols & usage map, user logins, IP address usage, uptime, OS profile, vulnerability count, bandwidth profile, risk factor trending, inbound/outbound security events, traffic reputation map, and geo-destination traffic map. Summary Our objective is to provide actionable security intelligence delivered from Concierge Security Engineers without the cost, complexity and overhead of a SIEM. This paper has a few examples of reporting from our security data views; a trial and security audit provides a richer experience for your network and data. Contact us for more details at info@arcticwolf.com or ARCTICWOLF Arctic Wolf Networks 14