Protecting Communication in SIEM systems



Similar documents
INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

FileCloud Security FAQ

Cesario Di Sarno. Security Information and Event Management in Critical Infrastructures

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

ADMINISTRATIVE POLICY # (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # (2014) Remote Access

Security Information and

Comparing Mobile VPN Technologies WHITE PAPER

Security Policy Revision Date: 23 April 2009

Executive Summary and Purpose

A Resilient Protection Device for SIEM Systems

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Privacy + Security + Integrity

Information Security Basic Concepts

TOP SECRETS OF CLOUD SECURITY

SonicWALL PCI 1.1 Implementation Guide

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

The Comprehensive Guide to PCI Security Standards Compliance

Computer Security Log Files as Evidence

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

How To Write A Transport Layer Protocol For Wireless Networks

Subject: Request for Information (RFI) Franchise Tax Board (FTB) Security Information and Event Management (SIEM) Project.

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Secure SCADA Network Technology and Methods

Distributed syslog architectures with syslog-ng Premium Edition

Standard: Event Monitoring

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Alliance Key Manager Solution Brief

Contents Huntcliff, Suite 1350, Atlanta, Georgia, 30350, USA

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

IBX Business Network Platform Information Security Controls Document Classification [Public]

CorreLog Alignment to PCI Security Standards Compliance

PRIVACY, SECURITY AND THE VOLLY SERVICE

PCI Requirements Coverage Summary Table

TrustNet CryptoFlow. Group Encryption WHITE PAPER. Executive Summary. Table of Contents

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

End-user Security Analytics Strengthens Protection with ArcSight

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Achieving PCI-Compliance through Cyberoam

Complying with PCI Data Security

Virtual Private Networks

Systems for Personal Data Storage Services

Guideline on Auditing and Log Management

What is SIEM? Security Information and Event Management. Comes in a software format or as an appliance.

Binonymizer A Two-Way Web-Browsing Anonymizer

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

How Reflection Software Facilitates PCI DSS Compliance

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

White Paper: Meeting and Exceeding GSI/GCSx Information Security Monitoring Requirements

Brainloop Cloud Security

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Enhancing Security and Trustworthiness with Next-Generation Security Information and Event Management

Cornerstones of Security

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

Audit Logging. Overall Goals

VPN. Date: 4/15/2004 By: Heena Patel

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Chap. 1: Introduction

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

Achieving PCI Compliance Using F5 Products

March

Chapter 9. IP Secure

Chapter 7 Transport-Level Security

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Information Security Office. Logging Standard

SECUR IN MIRTH CONNECT. Best Practices and Vulnerabilities of Mirth Connect. Author: Jeff Campbell Technical Consultant, Galen Healthcare Solutions

Security Overview Enterprise-Class Secure Mobile File Sharing

SCADA SYSTEMS AND SECURITY WHITEPAPER

Oracle Database Security and Audit

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

Network Defense Tools

Security Controls for the Autodesk 360 Managed Services

Vs Encryption Suites

A Survey on Cloud Security Issues and Techniques

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Secure Access Link. Table of Contents. Introduction. Background. avaya.com. Introduction Background Secure Access Link...

Projectplace: A Secure Project Collaboration Solution

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

Data Security and Governance with Enterprise Enabler

MESSAGING SECURITY USING GLASSFISH AND OPEN MESSAGE QUEUE

Scalability in Log Management

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

RFI Template for Enterprise MDM Solutions

Oracle 1Z0-528 Exam Questions & Answers

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

QRadar SIEM 6.3 Datasheet

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Transcription:

Protecting Communication in SIEM systems Valerio Formicola Università di Napoli Parthenope Winter School: Hot Topics in Secure and Dependable Computing for Critical Infrastructures SDCI 2012 January 15th - 19th, Cortina d'ampezzo, Italy

Project description A Security Information and Event Management (SIEM) deployment Design a solution for the protection of the communication between the collectors and the correlation engine.

SIEM systems SIM + SEM = SIEM SIM: log management and compliancy report (i.e. ISO 27001-2, PCI DSS, NERC, ) SEM: real-time monitoring and incident management

Market analysis of SIEM products

ArcSight Enterprise Security Manager (ESM): deployment Every path between components is protected with encryption and authentication. Communication between ArcSight ESM and ArcSight Connectors, ArcSight Consoles and Web Browsers is encrypted with 128-bit SSL encryption and 1024-bit key exchange. ArcSight ESM also supports authentication techniques such as RADIUS, LDAP, Active Directory, Two-Factor Authentication, and Public Key Infrastructure. ArcSight protects communications by focusing on C-I-A properties. Moreover components must be synchronized by means of NTP Common Event Format (CEF)

ArcSight ESM: protecting communications Confidentiality ArcSight Connectors use a 128-bit encrypted SSL connection to communicate event data between other components such as ArcSight Logger and ArcSight ESM. The connector can be installed directly on the end device or within a protected DMZ to further protect the confidentiality of the log data. Integrity ArcSight Connectors normalize security event data in accordance with the NIST 80092 standards and 100% of the data from the original event is preserved and no data is changed during normalization. Additionally, ArcSight establishes chain of custody by appending a timestamp from each ArcSight component that processes the event. Availability ArcSight Connectors provide local caching at remote sites, which mitigates the impact of a connectivity loss between remote offices and central log aggregation points that would otherwise lead to a loss of critical event data that may be the missing link in an audit or investigation. Connectors support automated failover to a secondary centralized ArcSight destination (Logger or ESM) in the event that the primary destination is unavailable. Logs are transmitted and stored reliably - to ensure that critical events (such as logs that indicate compliance violations) are not dropped or lost due to saturated transmissions links, lack of buffers at the source, or unreliable transport protocols. Availability 2 ArcSight ESM is architected for high availability through the use of discrete components, automatic component restart, and cached event queues. For example, if the Manager is restarted for some reason, ArcSight SmartConnectors simply cache events to send when the Manager is running again. Likewise, the Manager will automatically suspend and resume operations in the event of Database failure. The storage system underlying the ArcSight Database component is the largest single failure point in the ArcSight ESM system. For this reason, and for any production system, ArcSight recommends a high-reliability RAID or SAN subsystem with tens of spindles, striping and redundancy. Other storage clustering solutions are available, ranging from Oracle Cluster File System (OCFS) to solutions from Veritas and EMC AutoStart.

AlienVault OSSIM: deployment and communications OSSIM normalized event Communications may be protected by means of VPNs (typically ssh, ssl channels, IPSec). Agents (Collectors), Probes and other components may be synchronized by means of NTP.

6Cure Prelude: deployment and communications Components: Prelude Manager, Libprelude, LibprelueDB, Prelude-LML, Prelude-Correlator, Prewikka Interface, Prelude-PFLogger IDMEF Libprelude ensures that re-transmission of data is performed if an interruption occurs between any of the components in the system. In cases when a connection to a manager is lost, the library provides a transparent mechanism which makes periodic reconnection attempts (using exponential backoff). Libprelude can communicate with Prelude Manager over an UNIX socket (within the same host), encrypted TCP connection (using OpenSSL, preferred for communication with remote host) and unencrypted TCP connection

GAP analysis: scenario description The edge networks can be very heterogeneous and expose Correlation components to several kinds of threats and failures. The networks between the Collectors and the SIEM engine can be very heterogeneous, large-scale, multi-tenant, What gives a correct analysis (from communication perspective)? Correct values in the messages: the log content and a trusted time reference for meaningful correlations Message Order Timeliness (transmission): both for near real-time analysis and effective correlation process Which kinds of failures we have to consider? Intermediate nodes forward wrong messages (failures or forged messages) Messages are re-played, re-ordered, dropped, delayed at intermediate nodes Are TLS/SSL, IPSec, the protection mechanisms and the communication solutions adopted by the SIEM vendors able to face such issues?

GAP analysis: SSL and IPSec Confidentiality. IPsec and SSL can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting data using a cryptographic algorithm and a secret key a value known only to the two parties exchanging data. The data can only be decrypted by someone who has the secret key. Integrity. IPsec and SSL can determine if data has been changed (intentionally or unintentionally) during transit. The integrity of data can be assured by generating a message authentication code (MAC) value, which is a keyed cryptographic checksum of the data. If the data is altered and the MAC is recalculated, the old and new MACs will differ. Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint with which it wishes to communicate, ensuring that the network traffic and data is being sent from the expected host. SSL authentication is typically performed one-way, authenticating the server to the client; however, SSL VPNs require authentication for both endpoints. Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of order. Traffic Analysis Protection. A person monitoring network traffic cannot determine the contents of the network traffic or how much data is being exchanged. IPsec can also conceal which parties are communicating, whereas SSL leaves this information exposed. Frequency of communication may also be protected depending on implementation. Nevertheless, the number of packets being exchanged can be counted. Access Control. IPsec and SSL endpoints can perform filtering to ensure that only authorized users can access particular network resources. IPsec and SSL endpoints can also allow or block certain types of network traffic, such as allowing Web server access but denying file sharing. 1. These protocols don t focus on providing timely messages delivery (specifically application level delivery deadline), which is a key feature for a SIEM s quality -> they do the best of the underlying network (especially for SSL, which is the widely adopted solution) 2. Time reference in such systems is considered a trusted part. 3. No mechanism has been considered to protect from intermediate malicious nodes (or some other Collectors), especially important in large-scale systems 4. Vendors adopt point-to-point communications and do not abstract an Event Bus layer: they suppose to have strictly coupled components

A solution for a Reliable Event Bus How does an Event Bus work? When a module wishes to communicate with another module or other modules, it places a message on the Event Bus. The Event Bus takes care of delivering the message to the recipients. Communication paradigms: Publish-Subscribe: Modules may subscribe to certain message types. Whenever a module publishes a message to the bus, it will be delivered to all modules that subscribed to its message type. Broadcast: The message will be delivered to all (other) modules. Point-to-point: The message has one and only one recipient. Reliable Event Bus: an Event Bus addressing requirements in terms of Confidentiality and Integrity properties Fault Tolerance: i.e. Byzantine fault protection mechanisms Delivery time constraints Message ordering

Reliable Event Bus solution We can consider a REB as an overlay network: the infrastructure is built on the underlying, unreliable network: the components in charge of providing access to this overlay are the Collectors or better, the additional services they could provide to the framework, a part of SIEM functionalities. Design and implementation ideas: Event Bus: JMS message system can be considered as messaging system, based on publish-subscribe mechanisms SSL and IPSec - in charge of implementing several configurable mechanisms to guarantee Confidentiality, Integrity and Authenticity can be placed at the ends of the communication: OpenSSL and the IPSec framework can do the job Byzantine faults in intermediate nodes can be protected by application layer protocols based on consensus mechanisms and broadcasting; moreover more complex mechanisms can be considered to offer message order delivery: i.e. the Byzantine Paxos solution presented by Prof. Nuno Neves in his presentation, shows that we can also have time constraints, by using proper timers in the algorithm mechanisms A reliable timestamp mechanism must be provided in order enforce trustworthiness in the time reference (GPS + NTP?...)

Reliable Event Bus solution Collection services REB overlay access point Reliable Time reference

References NIST Guide to SSL VPNs Recommendations of the National Institute of Standards and Technologies SANS Institute InfoSec Reading Room Prelude as a Hybrid IDS Framework K. Zaraska - Prelude IDS: current state and development perspectives J. Casal OSSIM fast guide Gartner GAS Core Research Note Critical Capabilities for Security Information and Event Management Technology 2008 ArcSight Audit Quality SIEM solution 2008 Khan Consulting Inc. Computer Security Log Files as Evidence An Evaluation of ArcSight ESM Gartner - The Gartner Security Information And Event Management Magic Quadrant 2010: Dealing with Targeted Attacks Miller, Harris, Arper, Vanyke, Blask Security Information and Event Management (SIEM) Implementation - McGraw Hill Nuno Neves (FFCUL), MASSIF Project FP7-257475 - D5.1.1, Preliminary Resilient Framework Architecture - 2011

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information