Security Information and Event Management Project Proposal
Submission: Mr. Ken Foster
SIEM Procurement Project:

Recommendation:
Today's security infrastructure is comprised of stand-alone security solutions, designed to provide a defense-in-depth approach. The solution lacks a central point of analysis for the identification of complex blended attacks and the ability to implement consistent policies for event handling across networks. This organization must implement a Security Information and Event Management (SIEM) solution to identify and inhibit blended attacks from successfully penetrating and remaining undetected within the existing network infrastructure.

What is Security Information and Event Management:
A Security Information and Event Management (SIEM) appliance provides an automated analysis of multiple events from across the network, seeking relationships which may indicate an effort to attack or exfiltrate sensitive data. SIEM appliances are able to handle events based on levels of severity and predetermined policies. These policies determine the severity of an event, pre-determined isolation and action requirements, and report notification procedures. In addition to increasing the overall security of the network, these policies may be utilized for mandatory auditing compliance verification and provide additional forensic evidence which may be provided to authorities for prosecution.

Business Case for SIEM Deployment:
There are two compelling business cases for deployment of a SIEM in our environment.

1. Counter-Measure Effectiveness: SIEMs provide enhanced operational awareness of our attack surface and of the effectiveness of our counter-measures against both internal and external penetration attempts. These devices provide both a preventative (perimeter) and reactive (post-intrusion) solution to policy-based violations. Currently a typical organization with an OC-3 connection sees an average of 2,204 critical/major alerts each month on its intrusion detection/prevention systems. This equates to one serious event every 19 seconds on average. These alerts do not include denials on the firewalls, which occur prior to the IPS's visibility; should a SIEM be integrated, it would provide a more detailed overview of the attack vectors used.

2. Compliance Monitoring, Reporting, and Scoring: SIEMs provide both prebuilt and optional custom-built reports to give an overview of the effectiveness and security posture of the network. These reports can be used as tools for determining activity trends and compliance ratings, documenting post-intrusion event analysis, and providing metrics for policy review and improvement. Dependent upon the sector of the organization, these reports may be mandated by SOX, HIPAA, and other compliance requirements.
Core Functions of an effective SIEM:
A SIEM has five primary functions that it must address to be considered an effective Security Information and Event Management tool:

- Log Consolidation: Centralized log collection based on standardized formats and consumption. This includes deployment and monitoring of collector devices / sensors on sources.
- Event Normalization: Events come from many sources and in many formats. The SIEM must be able to consume the logs and analyze the data elements to cross-correlate the native values from one vendor to the equivalent from another source. For example, the Sasser worm exploit is reported as:
  - Cisco event 3338: IDS Signature Windows LSASS RPC Overflow
  - Symantec anti-virus exploit: W32/Sasser.worm
  - Snort IDS event 2512: NETBIOS SMB-DS DCERPC LSASS bind attempt
- Threat Correlation: An artificial intelligence engine that uses collected events and either event signatures or anomaly-based detection algorithms to identify policy violations.
- Incident Management: Execute a workflow that occurs as the result of policy violation detection. These workflows may include any combination of:
  - Notification Facilities (e.g. Email, SNMP Traps to Network monitoring software, etc.)
  - Trouble Ticket Creation
  - Execution of Automated Scripts
  - Policy-based Response and Remediation
  - Correlated Event Logging
- Reporting: Generation of event reports that comply with FISMA, HIPAA, and forensic investigation formats, in addition to actionable metrics for performance measurement.

To be effective a SIEM solution must be able to consume:
- Firewall Events
- IDS Sensor Events
- AAA, LDAP or AD (as applicable)
- Vulnerability Scanner results
- Server and Workstation event logs
- Anti-Virus / Malware
- Host-based Intrusion Detection Logs
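As an added illustration of the normalization step (not part of the original proposal), the Python below parses three constructed vendor-format log lines carrying the Sasser identifiers named above and maps them onto one canonical threat name, so a per-host count shows one threat seen three ways instead of three unrelated events. The log formats, regexes and canonical name are assumptions made for this example.

```python
import re
from collections import Counter
# Signature equivalence table built from the three Sasser identifiers in the
# text: each vendor-specific identifier maps to one canonical threat name.
SASSER = "Sasser worm / Windows LSASS RPC overflow"
SIGNATURE_MAP = {
    ("cisco", "3338"): SASSER,
    ("symantec", "W32/Sasser.worm"): SASSER,
    ("snort", "2512"): SASSER,
}

# One regex per vendor log format (formats are constructed for this example).
PARSERS = {
    "cisco": re.compile(r"^cisco sig=(?P<sig>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)"),
    "symantec": re.compile(r"^symantec threat=(?P<sig>\S+) host=(?P<dst>\S+)"),
    "snort": re.compile(r"^snort \[1:(?P<sig>\d+):\d+\] .* (?P<src>\S+) -> (?P<dst>\S+)"),
}

def normalize(line):
    """Parse one raw line into a normalized event dict; None if unrecognised."""
    for vendor, rx in PARSERS.items():
        m = rx.match(line)
        if not m:
            continue
        f = m.groupdict()
        return {
            "vendor": vendor,
            "signature": f["sig"],
            "src": f.get("src"),            # AV events carry no source address
            "dst": f["dst"],
            "threat": SIGNATURE_MAP.get((vendor, f["sig"]), "unmapped:" + f["sig"]),
        }
    return None

def threats_by_host(lines):
    """Count canonical threats per destination host across all vendors."""
    counts = Counter()
    for line in lines:
        ev = normalize(line)
        if ev:
            counts[(ev["dst"], ev["threat"])] += 1
    return counts

SAMPLE_LOGS = [  # constructed sample lines, one per vendor format
    "cisco sig=3338 src=203.0.113.7 dst=10.0.0.5",
    "symantec threat=W32/Sasser.worm host=10.0.0.5",
    "snort [1:2512:1] NETBIOS SMB-DS DCERPC LSASS bind attempt 203.0.113.7 -> 10.0.0.5",
    "snort [1:9999:1] unrelated rule 198.51.100.2 -> 10.0.0.9",
]
```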
Examples of an Attack with and without SIEM integration:
Discussion of SIEMs is best undertaken through the visualization of a simulated attack against a network. Using the common industry-established practices for network penetration, a standardized process can be analyzed. Below are two examples of a simulated common exploitation of a network from the perimeter. In example one, the network provides common anti-penetration tactics without any event correlation. In example two, a SIEM is integrated into the solution to demonstrate how policies are applied based on the artificial intelligence engine and combined log analysis (which occurs in near real time).
Example 1: Current Network (IPS without SIEM):

Phase 1 Reconnaissance: The attacker uses hping, Nmap, or Firewalk to execute a scan of the firewall to determine which ports are open. Once open ports are determined, OS and infrastructure fingerprinting attempts to identify devices for targeted attacks. In the reconnaissance phase these probes are done slowly to attempt to avoid firewall and IPS exploit signatures.

Phase 2 Stealth Targeting Payloads: Once the attacker has selected a target for compromise, they must send packets to the target that will provide them a mechanism to launch their compromise. This must be done in a manner that prevents the Intrusion Prevention System from detecting this action. Common tools in this space include nemesis, fragroute, ADMutate, and Metasploit.

Phase 3 System Compromise: The packets arrive at the host, causing a buffer overflow and allowing for the installation of backdoors, rootkits, and botnets. The compromised system then reports in to the attacker that it is ready for control. This portion may include fooling Anti-virus / Malware detection mechanisms.

Diagram callout (Site X): In Phase 3, two-way communications begin via stealth channels and data exfiltration begins. The system can be used as internal Command and Control for further internal system compromise and reconnaissance.
Example 2: Current Network (IPS with SIEM Integration):

Phase 1 Reconnaissance: The attacker uses hping, Nmap, or Firewalk to execute a scan of the firewall to determine which ports are open. Events are sent to the SIEM which, using artificial intelligence, detects the port scans and creates an event at the minor / warning level. It tracks this event. When OS and infrastructure fingerprinting begin, the SIEM correlates this event with the previously tracked event and raises the event to elevated, triggering a workflow alert to the security team.

Phase 2 Stealth Targeting Payloads: The firewall reports fragmented packets or the IPS detects possible exploit patterns. The SIEM raises the event to critical and executes the policy and workflow for the event. This may include port or IP blocking, system isolation, and security team notification.

Phase 3 System Compromise: If the attacker is successful in evading the Firewall, IPS, and Anti-virus in order to deploy a payload on the system, communication traffic back from the compromised host to the attacker would trigger a Major Threat event, and the Major Event Policy and notification actions would be executed.

Diagram callout (Site X): Policy-based Action (e.g. Alert, block, etc.)
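As an added example (not from the original proposal), the Python below implements the staged escalation described in Example 2 as a small correlation engine: one severity state per external actor, a prerequisite stage that must already be tracked before an event escalates, and the workflow actions each stage triggers. The event type names, the rule table and the addresses are constructed assumptions; the severity ladder and actions follow the text.

```python
from collections import defaultdict
# Severity ladder as used in the text, lowest to highest.
SEVERITY = ["none", "minor", "elevated", "critical", "major"]
rank = SEVERITY.index

# Constructed rule table: event type -> (severity it raises to, severity that
# must already be tracked for this actor, workflow actions to execute).
RULES = {
    "port_scan":           ("minor",    "none",     ["track"]),
    "os_fingerprint":      ("elevated", "minor",    ["track", "alert_security_team"]),
    "fragmented_packets":  ("critical", "elevated", ["block_ip", "notify_security_team"]),
    "ips_exploit_pattern": ("critical", "elevated", ["isolate_host", "notify_security_team"]),
    "outbound_c2":         ("major",    "none",     ["major_event_policy", "notify_security_team"]),
}

class Correlator:
    def __init__(self):
        self.state = defaultdict(lambda: "none")   # actor -> current severity
        self.actions = []                          # (actor, severity, action)

    def ingest(self, event):
        actor, kind = event["actor"], event["type"]
        if kind not in RULES:
            return self.state[actor]
        target, prereq, workflow = RULES[kind]
        current = self.state[actor]
        if rank(current) < rank(prereq):
            # Prerequisite stage never seen from this actor: record it at the
            # minor/warning level so a later event can correlate against it,
            # but do not run the escalation workflow on one isolated event.
            new, workflow = max(current, "minor", key=rank), ["track"]
        else:
            new = max(current, target, key=rank)
        self.state[actor] = new
        self.actions.extend((actor, new, a) for a in workflow)
        return new

# Constructed timeline following Example 2: the actor is the external address
# (source of the inbound events, destination of the outbound C2 traffic).
ATTACK_TIMELINE = [
    {"actor": "203.0.113.7", "type": "port_scan"},
    {"actor": "203.0.113.7", "type": "os_fingerprint"},
    {"actor": "203.0.113.7", "type": "fragmented_packets"},
    {"actor": "203.0.113.7", "type": "outbound_c2"},
]

def run_example_two(events=ATTACK_TIMELINE):
    # Return the severity after each event, in order.
    c = Correlator()
    return [c.ingest(e) for e in events]
```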