Effective Use of Security Event Correlation Mark G. Clancy Chief Information Security Officer The Depository Trust & Clearing Corporation DTCC Non-Confidential (White)
About DTCC
- DTCC provides custody and asset servicing for $36.5 trillion in securities, most of which are dematerialized or exist only in book-entry form.
- DTCC provides clearance and settlement for all cash equity transactions completed by the 50+ exchanges and alternative trading platforms (ECNs) operating in U.S. capital markets, and also in U.S. fixed income markets for government, agency-backed, and mortgage-backed securities.
- In 2010 DTCC settled more than $1.66 quadrillion in securities transactions.
Information Security Program Overview (program diagram)
- Access Recertification, Provisioning, De-Provisioning
- Access Control
- TVA: Security Monitoring, Configuration Management, Top TV Remediation, Vulnerability Management, Application Risk Program
- Policy Management
- KPIs
- Information Technology Risk
- Security Awareness, Education and Communication
Security Monitoring Program: Cornerstones
Baseline Security Settings
- 66 baselines from STIG, CIS, and in-house standards
- Risk-rate devices: High, Medium, Low
Compliance to Settings
- 1000+ servers
- 99.9% convergence to baselines
Security Event Monitoring
- 4000 device logs
- 345 million daily events
Security Monitoring with SIEM
- The SIEM captures, aggregates, correlates and analyzes log information from over 4,000 DTCC devices, such as servers, routers, firewalls, etc.
- SIEM rules aggregate and correlate the data, creating immediate alerts of security events for TVA staff response.
- These alerts lead to the identification of security incidents, which feed the DTCC Incident Response Process, or of events that require further analysis and/or remediation.
- The SIEM generates daily, weekly, monthly and on-demand security reports, including both summary and descriptive reports of logged anomalies that CIS and Infrastructure technology subject matter experts (SMEs) identify as requiring immediate investigation.
DTCC SIEM Architecture (diagram)
- Main Site: A-SRV, D-SRV, NAS, LC
- Remote Site: A-SRV, D-SRV, NAS, LC
- Replication between the main site and the remote site
Collecting Data from Supported Device Types
Collect data using the various supported methods (SFTP, FTP, WMI, Syslog, ODBC, and LEA) for a variety of device types, such as:
- Network: Check Point, Cisco PIX, Cisco routers
- Host: Windows, Unix (Solaris, AIX, Linux)
- Mainframe: IBM RACF
- Web Access: Blue Coat
- Anti-Malware/IPS/IDS: SEP11, CA eTrust, Sourcefire
- Access-based: RSA Access Server, Citrix NetScaler
- Storage: Brocade, Fabric OS
Collecting Data from Unsupported Device Types
Requires additional custom coding, for example:
- Middleware: IBM WebSEAL, Wharelock IP Authentication, ClearTrust, CMAN, EAI Cookie Monitoring
- Desktop Monitoring: SysTrack
- Database: DB2 Universal Database
Custom Correlation Rules
Examples of DTCC's custom correlation rules:
- Suspicious data upload
- Malware not cleaned by SEP11
- Malware detected on external drives
- Multiple systems affected by malware
- Windows log tampering
- Account lockout monitoring
- Privileged account changes
- Watch list monitoring
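The following is an added illustration, not DTCC's enVision rule set: a small correlation engine that implements most of the rule types listed above as Python functions over a batch of constructed, already-normalized events. The event field names, the host names, the watch list entry, and the 30-minute lockout window are assumptions for the example. The Windows event IDs are real (1102 and 517 are "audit log was cleared" on Vista/2008+ and Windows 2003 respectively, 4728/4732/4756 are group membership additions, 4740 is an account lockout), and "Left alone" is the Symantec action text that indicates a detection was not remediated.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized the way a SIEM presents them.
# Field names are assumptions for this example, not enVision's schema.
EVENTS = [
    {"ts": "2010-06-01T09:00:00", "host": "WS-101", "type": "av", "user": "alice",
     "threat": "Trojan.Gen", "action": "Quarantined", "path": "C:\\tmp\\a.exe"},
    {"ts": "2010-06-01T09:01:00", "host": "WS-102", "type": "av", "user": "bob",
     "threat": "Trojan.Gen", "action": "Left alone", "path": "E:\\setup.exe"},
    {"ts": "2010-06-01T09:02:00", "host": "WS-103", "type": "av", "user": "carol",
     "threat": "Trojan.Gen", "action": "Cleaned", "path": "C:\\tmp\\a.exe"},
    {"ts": "2010-06-01T09:03:00", "host": "WS-104", "type": "av", "user": "dave",
     "threat": "Adware.X", "action": "Cleaned", "path": "C:\\tmp\\b.exe"},
    {"ts": "2010-06-01T10:00:00", "host": "DC-01", "type": "win", "event_id": 1102, "user": "svc_backup"},
    {"ts": "2010-06-01T10:05:00", "host": "DC-01", "type": "win", "event_id": 4728, "user": "bob",
     "target": "Domain Admins"},
    {"ts": "2010-06-01T10:06:00", "host": "DC-01", "type": "win", "event_id": 4740, "user": "alice"},
    {"ts": "2010-06-01T10:07:00", "host": "DC-01", "type": "win", "event_id": 4740, "user": "alice"},
    {"ts": "2010-06-01T10:20:00", "host": "DC-01", "type": "win", "event_id": 4740, "user": "alice"},
    {"ts": "2010-06-01T11:00:00", "host": "WS-102", "type": "win", "event_id": 4624, "user": "contractor7"},
]

CLEAN_ACTIONS = {"Cleaned", "Quarantined", "Deleted"}   # AV outcomes that need no follow-up
FIXED_DRIVES = {"C:"}                                    # any other drive letter is treated as external
LOG_CLEARED_IDS = {1102, 517}          # "audit log was cleared": Vista/2008+ and Windows 2003 IDs
GROUP_CHANGE_IDS = {4728, 4732, 4756}  # member added to a global / local / universal security group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
WATCHLIST = {"contractor7"}            # constructed watch list of user or host names


def _t(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(minutes=30), min_hosts=3, max_lockouts=3):
    """Run the rules over one batch of events; returns sorted (rule, key) pairs."""
    alerts = set()
    hosts_by_threat = defaultdict(set)   # threat name -> hosts seen with it in this batch
    lockouts = defaultdict(list)         # user -> lockout timestamps inside the sliding window
    for e in sorted(events, key=_t):
        if e["type"] == "av":
            if e["action"] not in CLEAN_ACTIONS:
                alerts.add(("malware_not_cleaned", e["host"]))
            if e["path"][:2].upper() not in FIXED_DRIVES:
                alerts.add(("malware_on_external_drive", e["host"]))
            hosts_by_threat[e["threat"]].add(e["host"])
            if len(hosts_by_threat[e["threat"]]) >= min_hosts:
                alerts.add(("multiple_systems_malware", e["threat"]))
        elif e["type"] == "win":
            eid = e["event_id"]
            if eid in LOG_CLEARED_IDS:
                alerts.add(("windows_log_tampering", e["host"]))
            if eid in GROUP_CHANGE_IDS and e.get("target") in PRIVILEGED_GROUPS:
                alerts.add(("privileged_account_change", e["user"] + "->" + e["target"]))
            if eid == 4740:
                recent = lockouts[e["user"]]
                recent.append(_t(e))
                while _t(e) - recent[0] > window:   # drop lockouts older than the window
                    recent.pop(0)
                if len(recent) >= max_lockouts:
                    alerts.add(("account_lockout", e["user"]))
        if e.get("user") in WATCHLIST or e["host"] in WATCHLIST:
            alerts.add(("watchlist_hit", e.get("user", e["host"])))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, key in correlate(EVENTS):
        print(f"{rule:28s} {key}")
```

Each rule keys its alert on the thing an analyst would pivot on next (host for tampering and unremediated malware, user for lockouts, user and group for privilege changes), and the lockout rule is the only stateful one: it keeps a sliding window per user rather than a flat count, so a burst of lockouts spread over hours is not mistaken for a password-spraying attempt.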
Custom Reports (Scheduled and Ad-Hoc)
Examples of custom reports:
- Network: top usage (bandwidth, ports, drops, etc.)
- Web Activity: executable downloads, top 25 sites, uploaded data, user agent monitoring
- Windows: privileged monitoring, logon failure activity, account modification, remote access activity
- Unix: daily summary of successful/unsuccessful super user activity
- Symantec Antivirus: malware detection details
- Storage (Fabric OS/Brocade): successful logins, configuration and user changes
- Middleware: administrative lockouts, failed logins, illegal user
Asset Tracking: Inventory Check of Security Eligible Devices
- Automated process to verify that a system is active and reporting to the SIEM
- Requires a combination of SIEM reports and the Asset Management Tool
[Chart: Servers Not Registered to enVision, weekly counts from 1/20/2010 to 8/25/2010, falling from 9 in late January to 2 or fewer per week from late March onward]
enVision: Routers and Switches (Security Event Monitoring)
Group    Eligible Devices    Registered Devices*    Percentage of Eligible Devices Registered    Remarks
Team A   76                  71                     93%
Team B   168                 133                    79%
Team C   734                 702                    96%
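An added example of the reconciliation behind that table, not DTCC's own process: it joins a constructed asset-inventory export against the SIEM's last-event-received timestamps, counts eligible versus registered devices per team, and also reports the two cases the percentage alone hides: devices that are registered but have gone silent, and devices sending logs that the inventory does not know about. Device names, teams, timestamps and the seven-day silence threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset-inventory export: (device, team, class, security_eligible).
INVENTORY = [
    ("rtr-a1", "Team A", "router", True),
    ("rtr-a2", "Team A", "router", True),
    ("sw-a3", "Team A", "switch", True),
    ("lab-a9", "Team A", "switch", False),   # lab gear: not in scope for monitoring
    ("sw-b1", "Team B", "switch", True),
    ("sw-b2", "Team B", "switch", True),
]

# Constructed SIEM data: device -> timestamp of the last event received from it.
SIEM_LAST_EVENT = {
    "rtr-a1": "2010-08-25T08:00:00",
    "sw-a3": "2010-08-01T08:00:00",    # registered, but silent for weeks
    "sw-b1": "2010-08-25T07:55:00",
    "sw-zz": "2010-08-25T07:50:00",    # reporting, but unknown to the inventory
}


def reconcile(inventory, last_event, now, max_silence=timedelta(days=7)):
    """Per-team coverage figures plus the device lists an engineer has to chase."""
    now = datetime.fromisoformat(now)
    per_team = {}
    for dev, team, _cls, eligible in inventory:
        if not eligible:
            continue
        t = per_team.setdefault(team, {"eligible": 0, "registered": 0, "active": 0,
                                       "missing": [], "stale": []})
        t["eligible"] += 1
        ts = last_event.get(dev)
        if ts is None:                    # eligible, never seen by the SIEM
            t["missing"].append(dev)
            continue
        t["registered"] += 1
        if now - datetime.fromisoformat(ts) > max_silence:
            t["stale"].append(dev)        # registered once, not reporting now
        else:
            t["active"] += 1
    for t in per_team.values():
        t["pct_registered"] = round(100 * t["registered"] / t["eligible"])
    # Devices the SIEM hears from that the asset system does not list at all.
    unknown = sorted(set(last_event) - {dev for dev, *_ in inventory})
    return per_team, unknown


if __name__ == "__main__":
    teams, unknown = reconcile(INVENTORY, SIEM_LAST_EVENT, "2010-08-25T09:00:00")
    for team, t in sorted(teams.items()):
        print(team, t)
    print("unknown to inventory:", unknown)
```

The "stale" list is the one to watch: a device that registered once and then stopped sending keeps the registration percentage high while contributing nothing to monitoring, which is exactly the gap the "active and reporting" check in the slide is meant to close.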
Universal Device Support (UDS) Life Cycle
1. Log Collection: collect the device log file (through FTP)
2. Requirement Gathering: event ID list, message types, counts, device classification (type/class), reports, correlation rules
3. UDS Development: log parsing, analysis, coding
4. Testing: code testing in the lab environment
5. Customer Validation: validation of device discovery and event categorization
6. Production Deployment: deploy the device XML into the RSA enVision production environment
7. Final Testing and Confirmation
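An added example of steps 2 and 3 in miniature, not DTCC's UDS code or enVision's XML: a parser for a hypothetical in-house middleware gateway (the log format, device name and taxonomy labels are invented for the example, not WebSEAL's or any product's). gather_requirements produces the message-type counts the requirements step asks for and, just as importantly, lists the lines the parser cannot handle and the message types that have no category yet, which is what the validation step later checks.

```python
import re
from collections import Counter

# Constructed log lines from a hypothetical in-house middleware gateway. The format
# is invented for this example; it is not WebSEAL's, ClearTrust's or any product's.
SAMPLE_LOG = """\
2010-06-01 10:15:02 appgw01 AUTH user=alice src=10.1.2.3 result=OK
2010-06-01 10:15:09 appgw01 AUTH user=bob src=10.1.2.4 result=FAIL reason=bad_password
2010-06-01 10:15:11 appgw01 AUTH user=bob src=10.1.2.4 result=FAIL reason=bad_password
2010-06-01 10:15:40 appgw01 LOCK user=bob reason=max_failures
2010-06-01 10:16:00 appgw01 ADMIN user=sysop action=policy_reload
2010-06-01 10:16:30 appgw01 HEARTBEAT uptime=86400
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<device>\S+) "
    r"(?P<msg>[A-Z]+)(?P<kv>(?: \w+=\S+)*)$")

# (message type, result) -> (category, sub-category). Taxonomy names are assumed.
CATEGORY = {
    ("AUTH", "OK"):   ("User.Activity", "Successful Logins"),
    ("AUTH", "FAIL"): ("User.Activity", "Failed Logins"),
    ("LOCK", None):   ("User.Activity", "Account Lockout"),
    ("ADMIN", None):  ("Config", "Administrative Change"),
}


def parse_line(line):
    """Return a normalized event dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    msg = m.group("msg")
    # Categorize on (type, result) first, then fall back to the type alone.
    category = CATEGORY.get((msg, fields.get("result"))) or CATEGORY.get((msg, None))
    return {"ts": m.group("ts"), "device": m.group("device"), "msg_type": msg,
            "category": category, **fields}


def gather_requirements(log_text):
    """Step 2 of the life cycle: message-type counts, plus what the parser misses."""
    counts = Counter()
    unparsed = []
    uncategorized = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        counts[ev["msg_type"]] += 1
        if ev["category"] is None:
            uncategorized.add(ev["msg_type"])
    return {"counts": dict(counts), "unparsed": unparsed, "uncategorized": sorted(uncategorized)}


if __name__ == "__main__":
    print(gather_requirements(SAMPLE_LOG))
```

Keeping the unparsed lines rather than silently dropping them matters in production too: a vendor patch that changes a message format otherwise shows up only as a quiet drop in event counts, which is the same symptom as a device that has stopped logging.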
Common Attack Scenario - Adversary Gains Foothold (diagram: Adversary, Compromised Website www.hackedsite.com, Host 1, Host 2)
- The adversary determines that it has an interest in an organization's protected information.
- A tainted e-mail is sent to the organization's users.
- A user clicks on a link to the compromised website (www.hackedsite.com); a remote admin tool is installed on Host 1.
- Additional tools are uploaded.
- Using the credentials gained, the adversary works to establish additional footholds (Host 2).
Using SIEM to Increase Your Luck (diagram: Adversary, Compromised Website www.hackedsite.com, Host 1, Host 2)
- Inbound e-mail headers get logged to the SIEM: compare to/from/subject and source IPs against intelligence.
- End-user web traffic (proxy) logs go to the SIEM: look for beaconing.
- Network traffic data: look for data uploads.
- Account login activity: look for unusual sources.
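An added example of the first two detection points, not DTCC's rules: a check of constructed mail-gateway and proxy records against a constructed intelligence list, and a beaconing detector that flags client-to-destination pairs whose request spacing is near-constant (coefficient of variation of the inter-request gaps). www.hackedsite.com is the scenario's own placeholder; the IP addresses, sender address, timestamps and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed threat-intelligence list; indicators are invented for this example
# (www.hackedsite.com is the placeholder used in the attack scenario).
INTEL = {
    "domains": {"www.hackedsite.com"},
    "ips": {"203.0.113.7"},
    "senders": {"payroll@hackedsite.com"},
}

# Constructed inbound mail header summaries, as a mail gateway would log them.
MAIL_LOG = [
    {"ts": "2010-06-01T08:55:00", "from": "payroll@hackedsite.com", "to": "alice@example.org",
     "subject": "Updated bonus schedule", "src_ip": "203.0.113.7"},
    {"ts": "2010-06-01T08:57:00", "from": "news@vendor.example", "to": "bob@example.org",
     "subject": "Newsletter", "src_ip": "198.51.100.20"},
]


def _constructed_proxy_log():
    """(client, destination, epoch seconds): one host calling back every ~300 s,
    one host browsing at irregular intervals. Base time is 2010-06-01 09:00 UTC."""
    base = 1275382800
    rows = [("10.1.2.3", "www.hackedsite.com", base + 300 * i + (i % 3)) for i in range(8)]
    rows += [("10.1.2.4", "news.example", base + t) for t in (10, 70, 95, 400, 405, 900, 1500, 1510)]
    return rows


PROXY_LOG = _constructed_proxy_log()


def intel_hits(mail_log, proxy_log, intel):
    """Mail whose sender or source IP is on the list; proxy requests to listed domains."""
    hits = set()
    for m in mail_log:
        if m["from"] in intel["senders"] or m["src_ip"] in intel["ips"]:
            hits.add(("mail", m["to"], m["from"]))
    for client, dest, _ts in proxy_log:
        if dest in intel["domains"]:
            hits.add(("proxy", client, dest))
    return sorted(hits)


def beacons(proxy_log, min_hits=6, max_cv=0.1):
    """Flag (client, dest) pairs whose request spacing is near-constant.
    Returns (client, dest, mean gap in seconds, coefficient of variation)."""
    times = defaultdict(list)
    for client, dest, ts in proxy_log:
        times[(client, dest)].append(ts)
    flagged = []
    for (client, dest), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps)    # 0 for perfectly regular, ~1 for human browsing
        if cv <= max_cv:
            flagged.append((client, dest, round(mean(gaps)), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    print(intel_hits(MAIL_LOG, PROXY_LOG, INTEL))
    print(beacons(PROXY_LOG))
```

The interval test is deliberately simple and is defeated by a tool that adds large random jitter to its callback period; in practice it is paired with destination rarity (how many internal hosts talk to that domain at all) and with the e-mail match above, so that a host which received a listed sender's mail and then started calling out on a timer is scored higher than either signal alone.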
Common Attack Scenario - Data Mining (diagram: Adversary, Host 1, Host 2, File Server)
- Use network flow data to see connections from Host 1 to Host 2 (forensic).
- The remote host may or may not be the same IP/domain as in the initial attack.
- Data mining typically occurs on file servers via share permissions.
- Multiple files are typically extracted as an encrypted bundle.
SIEM on Data Mining Attacks (diagram: Adversary, Host 1, Host 2, File Server)
- The adversary frequently performs data mining through a host (Host 2) other than the initially compromised host (Host 1).
- Today's SIEM can't tie all these threads together. Good question!?! Some folks have tried using usage activity monitoring.
- Use DLP or other tools to watch for encrypted payloads from unusual places.
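An added example of tying the threads of the two data-mining slides together, not DTCC's tooling and not a claim about what any SIEM product does: starting from the first compromised host, it follows flow records to hosts reached on lateral-movement ports, looks for bulk file reads from a share by those hosts, and applies a byte-entropy test to outbound uploads to pick out the encrypted bundle leaving from a host that does not normally upload. Addresses, share names, the "normal uploaders" baseline, the port list and the thresholds are assumptions; the payloads are constructed (the "encrypted" one is a SHA-256 chain so the example is deterministic).

```python
import hashlib
import math
from collections import defaultdict

LATERAL_PORTS = {445, 3389, 22, 135}   # SMB, RDP, SSH, RPC: ports used to move host to host
BULK_READ_THRESHOLD = 10               # distinct files read from one share in the batch
NORMAL_UPLOADERS = {"10.1.2.99"}       # constructed baseline of hosts that routinely upload
FILE_SERVER = "10.1.3.10"


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data approaches 8, English text sits near 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed payloads: a pseudo-random "encrypted bundle" built from a SHA-256 chain so
# the example is deterministic, and a plain-text document.
ENCRYPTED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TEXT_DOC = b"Quarterly settlement volumes by counterparty, see attached table.\n" * 64

# Constructed records: flows (src, dst, dport), share access (client, share, file name)
# and outbound uploads (src, dst, payload). 10.1.2.3 is Host 1, 10.1.2.50 is Host 2.
FLOWS = [("10.1.2.3", "10.1.2.50", 445), ("10.1.2.3", "10.1.2.50", 3389),
         ("10.1.2.50", FILE_SERVER, 445), ("10.1.2.77", FILE_SERVER, 445)]
SHARE_LOG = [("10.1.2.50", r"\\FS01\Finance", "report%02d.xls" % i) for i in range(12)]
SHARE_LOG.append(("10.1.2.77", r"\\FS01\Finance", "budget.xls"))
UPLOADS = [("10.1.2.50", "203.0.113.9", ENCRYPTED_BLOB),
           ("10.1.2.99", "backup.example", ENCRYPTED_BLOB),   # baseline host: expected traffic
           ("10.1.2.77", "wiki.example", TEXT_DOC)]


def dlp_flags(uploads, min_entropy=7.0):
    """Encrypted-looking payloads leaving from hosts that do not normally upload."""
    return sorted((src, dst, round(shannon_entropy(p), 2)) for src, dst, p in uploads
                  if src not in NORMAL_UPLOADERS and shannon_entropy(p) >= min_entropy)


def trace_chain(initial_host, flows, share_log, uploads):
    """Tie the threads together: lateral hops from the first compromised host, bulk share
    reads by those hosts, and encrypted uploads from them."""
    lateral = {dst for src, dst, port in flows if src == initial_host and port in LATERAL_PORTS}
    suspects = lateral | {initial_host}
    files = defaultdict(set)
    for client, share, name in share_log:
        if client in suspects:
            files[(client, share)].add(name)
    bulk_reads = sorted((c, s, len(f)) for (c, s), f in files.items()
                        if len(f) >= BULK_READ_THRESHOLD)
    exfil = [flag for flag in dlp_flags(uploads) if flag[0] in suspects]
    return {"lateral": sorted(lateral), "bulk_reads": bulk_reads, "suspicious_uploads": exfil}


if __name__ == "__main__":
    print(trace_chain("10.1.2.3", FLOWS, SHARE_LOG, UPLOADS))
```

Two caveats a practitioner would raise: the entropy test cannot distinguish an encrypted bundle from a legitimately compressed archive, which is why the baseline of hosts that normally upload does most of the filtering, and the chain only starts from a host you already suspect, so it is a forensic pivot rather than a stand-alone detection.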
Questions? Email: MClancy [@] dtcc.com Phone: 212.855.8842