Security Information and Event Management for Private Clouds
Dr. Athar Mahboob
Dean, Faculty of Engineering & Applied Sciences; Director, Information Technology; Professor of Electrical Engineering
DHA Suffa University, Karachi, Pakistan
Pakistan CIO Summit 2013, May 21-22, 2013

Agenda
- Introduction to Security Information and Event Management
- Understand the business case for a SIEM solution
- Understand the technical architecture of a SIEM solution
- Get familiar with an economical and open source SIEM solution: OSSIM
Typical Private Cloud Infrastructure (diagram of the DSU private cloud; labels recovered below)
- Wireless Network: access points and smaller access points provide wireless networking coverage to the entire DSU campus.
- High Speed Campus Network: 600+ network nodes in 8 segments covering all offices and labs at DSU, connecting to a high-performance network core.
- Clients: thin clients, terminals, laptops, PDAs.
- IT Applications: LMS, Email, Timetable, Student Feedback, Online Admission Test, Instant Messaging, Network Management Service, Directory Services, Terminal Services, Desktop Applications, Engineering Design Apps, Online Admission Application, Storage Services, Video Conference Service, ERP (Accounting, Student Records), Library Management.
- DSU Private Cloud (Data Center): ERP, LMS, Email; servers, SAN, Xen hypervisor; DSU data; DSU Firewall.
- Virtual Private Network (VPN): VPN access to the DSU network for faculty and students. Through the VPN all IT services can be accessed securely from any remote location.
- Internet: multiple redundant-media high-speed Internet links (10 + 10 Mbps); PERN, video conferencing, web, HEC Digital Library, social media.
Threat Economy: Historic Attacker Motivations (diagram)
- Writers: tool and toolkit writers; malware writers (worms, viruses, trojans)
- Asset: compromise individual host or application; compromise environment
- End value: fame; theft; espionage (corporate/government)
Take away: fame was by far the dominant motivator.
From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect Northeast US, CISSP, GCIA

Threat Economy: Today (diagram)
- Writers: tool and toolkit writers; malware writers (worms, viruses, trojans, spyware)
- First stage abusers: hacker/direct attack; machine harvesting; information harvesting
- Middle men: bot-net creation; bot-net management (for rent, for lease, for sale); personal information; information brokerage
- Second stage abusers: extortionist/DDoS-for-hire; spammer; phisher; pharmer/DNS poisoning; internal theft (abuse of privilege)
- Compromised host and application
- End value: fame; theft; espionage (corporate/government); extorted pay-offs; commercial sales; fraudulent sales; advertising revenue; financial fraud; identity theft; electronic IP leakage
Take away 1: for-profit end values.
Take away 2: multiple methods to achieve the goal.
Take away 3: a sustainable economy, resilient to shocks.
From: Security Information Management (SIM) Technology Brief, Ken Kaminski, Cisco Systems, Security Architect Northeast US, CISSP, GCIA
New Threat Economy
From: http://www.scmagazineus.com/hacker-arrested-in-greece-for-stealing-selling-weapons-data/article/104718/

New Threat Economy
From: http://www.wired.com/threatlevel/2008/10/fed-blotter-new/
All is fair in love and war!!!
STATE ACTORS ARE PART OF THE THREAT ECONOMY TOO
PUBLIC-PRIVATE PARTNERSHIP :-)

APT - Example
June 2010: Stuxnet worm
Target: Natanz nuclear facility
Motivation: cyber sabotage?
Advanced Persistent Threat (APT)
Attack techniques that started with self-replicating code have evolved into the Advanced Persistent Threat:
- Use 0-days
- Be stealthy
- Target users
- Target indirectly
- Exploit multiple attack vectors
- Use state-of-the-art techniques
- Be persistent
Hacking is no longer about fun: corporate espionage, state secrets, cyber sabotage.

Stuxnet: How Did It Spread?
Exploited four zero-day vulnerabilities
US Killer Spy Drones' Controls Switch to Linux
(Screenshots: old - Windows; new - Linux)
Drivers for Information Security Management
- Regulatory compliance: HIPAA, SOX, FISMA, GLBA, FDA, PCI, Basel II, OSHA and ISO 27002
- Information security breaches are costly
- Need to respond timely to security events
- The information systems environment is heterogeneous, multi-vendor, and complex
Compliance: a state or acts of accordance with established standards, specifications, regulations, or laws. Compliance more often connotes a very specific following of the provided model and is usually the term used for adherence to government regulations and laws (http://searchcio.techtarget.com/sdefinition/0,,sid182_gci947386,00.html).
- HIPAA: Health Insurance Portability and Accountability Act
- SOX: Public Company Accounting Reform and Investor Protection Act of 2002, commonly called SOX
- FISMA: The Federal Information Security Management Act of 2002
- FDA: The Food and Drug Administration
- PCI DSS: The Payment Card Industry (PCI) Data Security Standard and validation regulations
- Basel II: The New Accord: International Convergence of Capital Measurement and Capital Standards
- GLBA: Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act
- ISO/IEC 27002 (formerly 17799): an information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
- OSHA: The United States Occupational Safety and Health Administration
SIEM versus ISM
- ISM: Information Security Management
- SIEM: Security Information and Event Management
- SIM: Security Information Management
- SEM: Security Event Management
SIEM
A SIEM or SIM is a computerized tool used on enterprise data networks to centralize the storage and interpretation of logs, or events, generated by other software [or hardware] running on the network.
- A new concept (about 10 years old)
- A natural evolution of log management
- A SIEM enables organizations to achieve round-the-clock pro-active security and compliance.

Beginnings of SIEM are in Log Management
- Log management: automated collection of logs in a central place, e.g. syslog-ng
- Tools for log searching and analysis
- Still a dependence on an expert human for analysis
- A typical human expert cannot process more than about 1000 events a day
- Conclusion: automate more
Logs
What logs?
- Audit logs
- Transaction logs
- Intrusion logs
- Connection logs
- System performance records
- User activity logs
- Misc. alerts and other messages
From where?
- Firewalls / intrusion prevention
- Routers / switches
- Intrusion detection
- Servers, desktops, mainframes
- Business applications
- Databases
- Anti-virus
- VPNs

Inverted Pyramid of Event Significance
Event sources:
- UNIX syslogs: 85,000 events
- Windows event logs: 1,036,800 events
- Firewall, IDS and access logs: 1,100,000 events
- Antivirus: 787,000 events
- 12,000 events (source not labelled on the slide)
Funnel: 3 MILLION TOTAL EVENTS -> 15,000 CORRELATED EVENTS -> 24 DISTINCTIVE SECURITY ISSUES -> 8 INCIDENTS REQUIRING ACTION
The Challenge of SIEM
- Billions and billions of events: firewalls, IDS, IPS, anti-virus, databases, operating systems, content filters
- Information overload
- Lack of standards
- Difficult correlation: making sense of event sequences that appear unrelated
- False positives and validation issues
- Heterogeneous IT environment

Technical Drivers of SIEM
React faster!
- Too much data, but not enough information
- High signal-to-noise ratio
- No situational awareness
- Too many tools to isolate the root cause
Improve efficiency
- Compliance requirements
- Nothing gets shut down
- Cost center reality

Reduce risk and cost by dramatically reducing the time it takes to effectively respond (chart: risk/cost versus time to remediate).

Business Objectives of SIEM
- Increase the overall security posture of an organization
- Turn chaos into order
- Aggregate log file data from disparate sources
- Create holistic security views for compliance reporting
- Identify and track causal relationships in the network in near real-time
- Build a historical forensic foundation
Generic SIEM Architecture (diagram)
Components:
- E boxes: event generators (sensors & pollers)
- C boxes: collection boxes
- D box: formatted messages database
- A box: incident analysis
- K box: knowledge base
- R box: reaction and reporting
Processing steps:
- Collect: inputs from target sources, agent and agentless methods
- Aggregate: bring all the information to a central point
- Normalize: translate disparate syntax into a standardized one
- Correlate: if A and B then C
- Report: state of health, policy conformance
- Archive

NOC vs SOC
Separates the auditing role from the operations role.
State-of-the-art Cyber Security Operations Center, a comprehensive cyber threat detection and response center that focuses on protecting Northrop Grumman and its customers' networks and data worldwide. (Northrop Grumman)
http://www.armybase.us/2009/07/northrop-grumman-opens-cyber-security-operations-center/

SOC functions (diagram)
Reactive:
- Incident response, notification, tracking, analysis, containment, eradication, and remediation
- Incident detection systems (IDS)
- Computer forensics & malware analysis
Proactive / Predictive:
- Network vulnerability scanning: network, systems
- Strategic analysis
- Vulnerability handling
- Threat management & correlation system
- Third-party penetration testing
- Email filtering & blocking
- DNS sinkhole
- Threat tracking, monitoring, & mitigation
- Patch/asset management
- Situational awareness: log monitoring, event aggregation and correlation (SIM)
- Flow/network behavior monitoring
- Host based monitoring system (HBSS): antivirus, firewall, anti-malware, application whitelisting
- Active protection: intrusion prevention system (IPS)
- Web & application scanning
Linux and Open Source
The business model is based on services alone: implementation, customizations, training, documentation, support.
A fair and consumer-friendly business model for software because:
- Software is incrementally developed
- Software is infinitely replicable

Clearing Misconceptions About Open Source
- "Open source is free software!" Software is free, people are not! Free as in freedom, not necessarily as in free beer.
- Open source is a viable business model
- Open source is a better software engineering methodology: "Given enough eyeballs, all bugs are shallow" (Linus' Law)

Why Open Source for SIEM?
- Commercial products have a high cost-of-entry barrier
- Users can become confused by marketing terms and feature bloat
- Open source SIEM has matured and can compete head-on with commercial offerings
- Open source SIEM can even be used as a learning tool and as a requirements analysis tool for a commercial SIEM specification

Open Source Security Information Management (OSSIM)
- Made of best-of-breed open source security tools: snort, ntop, nmap, nagios
- Full installer, plug & play
- Integrated graphical management console
- Includes a reporting engine (JasperReports) with pre-designed reports
- Commercially supported by AlienVault
- Implemented in local companies
Magic Quadrant for Security Information and Event Management - 2011

Magic Quadrant for Security Information and Event Management - 2012
Source: Gartner (May 2012)

OSSIM Pros
- Extendable
- Stable
- Low cost
- Works with native tools and mechanisms: easier to integrate, less overhead
- Wide range of tools combined into one solution

OSSIM - Integrated Tools
Snort, Ntop, Fprobe, NFDump, NFSen, OCS, Nagios, OpenVAS, Nikto, OSVDB, OSSEC, Kismet, Nmap, p0f, Arpwatch

OSSIM Web Interface

SIEM Concepts: Detection and Collection
Active Versus Passive Tools
The different tools integrated in OSSIM can be classified into two categories:
- Active: they generate traffic within the network which is being monitored.
- Passive: they analyze network traffic without generating any traffic within the network being monitored. The passive tools require port mirroring / a SPAN port configured on the network equipment.

Sensors: Data Sources
Data Source: any application or device that generates events within the network that is being monitored.
External Data Sources (handled by Collectors):
- Network devices: routers, switches, wireless APs...
- Servers: domain controller, email server, LDAP...
- Applications: web servers, databases, proxy...
- Operating systems: Linux, Windows, Solaris...
Internal Data Sources (Detectors) collect information at the network level:
- Intrusion detection
- Vulnerability detection
- Anomaly detection
- Discovery, learning & network profiling
- Inventory systems
Sensor: Collection
The Sensor can aggregate events using multiple collection methods.

Sensor: Detection
Detection is done by setting the Sensor's NIC into promiscuous mode to collect all the traffic on the monitored network, fed by one of:
- Hub
- Port mirroring / SPAN
- Network tap

Event
Any log entry generated by any Data Source at application, system or network level will be called an event. For a SIEM it is important to know:
- When was the event generated?
- What is involved? (systems, users, ...)
- Which application generated the event?
- What is the event type?

The SIEM
The SIEM component provides the system with Security Intelligence and Data Mining capacities, featuring:
- Real-time event processing
- Risk metrics
- Risk assessment
- Correlation
- Policy management
- Active response
- Incident management
- Reporting
Logger: Secure, Reliable Storage
The Logger component stores events in raw format in the file system. Events are digitally signed and stored en masse, ensuring their admissibility as evidence in a court of law. The Logger component allows storage of an unlimited number of events for forensic purposes; for this purpose the Logger is usually configured so that events are stored on a NAS / SAN network storage system. 10:1 compression saves disk space.

Database
- The AlienVault database runs on a MySQL server
- SIEM events, configurations, and inventory information are stored in the database
- The database is a required component in any AlienVault deployment, even if no Logger is being used
Detection
The process of identifying behavior that leads to the generation of an event. Multiple elements can be used by the SIEM to provide detection capabilities:
- Snort, Ntop, Arpwatch (example Data Sources included in AlienVault)
- Existing corporate applications/tools
- Tools that were deployed prior to the SIEM installation (firewalls, antivirus ...)

Collection
The task that determines which events shall be collected into the Server. Collection is done by the Sensors. The Server can collect events using multiple methods:
- Some require configuring the Data Source to send events to the Sensor (e.g. syslog, FTP ...)
- Others require that the Sensor gather the events from the application or device (WMI, SQL, SCP ...)
Normalization
The process of translating the events generated by different tools into a unique, normalized format. Normalization is done in the Sensor: log information is normalized using regular expressions by the AlienVault Sensors.
End device/app (raw syslog line):
    Mar 22 20:40:15 ossim-a su[27992]: Successful su for root by root
Sensor (normalized event sent to the SIEM Server):
    event type="detector" date="2008-03-22 20:40:15" sensor="192.168.1.109" interface="eth0" plugin_id="4005" plugin_sid="2" src_ip="192.168.1.109" dst_ip="192.168.1.109" username="root" log="mar 22 20:40:15 ossim-a su[27992]: Successful su for root by root"
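To show what the Sensor's regular-expression normalization does with the su line above, here is an added example (not AlienVault's plugin code) that parses the raw syslog line into the normalized fields and serializes them in the key="value" form shown on the slide. The sensor IP and interface are reused from the slide, the year is assumed (syslog lines carry none), and Event Type 3 for a failed su is an assumption made for the example; only Data Source ID 4005 / Event Type 2 come from the slide.

```python
import re
from datetime import datetime

# Constructed sensor settings: syslog lines carry no year, and the slide's
# sensor IP/interface are reused here as constants.
SENSOR_IP, SENSOR_IFACE, YEAR = "192.168.1.109", "eth0", 2008

# The su line exactly as it appears on the slide.
SLIDE_LINE = "Mar 22 20:40:15 ossim-a su[27992]: Successful su for root by root"

# Regular expression for su messages, in the spirit of an OSSIM plugin .cfg
# (this pattern is written for the example, not copied from a plugin).
SU_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su\[\d+\]: "
    r"(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<by>\S+)$"
)

# Event Types (plugin_sid) within Data Source ID 4005: sid 2 is taken from the
# slide; sid 3 for a failed su is an assumption made for this example.
EVENT_TYPES = {"Successful": 2, "FAILED": 3}

def normalize(line):
    """Turn one raw su syslog line into the normalized event dictionary."""
    m = SU_RE.match(line)
    if not m:
        return None   # not an su message: this plugin does not normalize it
    ts = datetime.strptime(f"{YEAR} {m['date']}", "%Y %b %d %H:%M:%S")
    return {
        "type": "detector",
        "date": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "sensor": SENSOR_IP,
        "interface": SENSOR_IFACE,
        "plugin_id": 4005,
        "plugin_sid": EVENT_TYPES[m["result"]],
        "src_ip": SENSOR_IP,   # local su: source and destination are the host itself
        "dst_ip": SENSOR_IP,
        "username": m["target"],
        "log": line,
    }

def to_wire(ev):
    """Serialize the event in the key="value" form the Sensor sends to the Server."""
    fields = " ".join(f'{k}="{v}"' for k, v in ev.items() if k != "type")
    return f'event type="{ev["type"]}" {fields}\n'

if __name__ == "__main__":
    print(to_wire(normalize(SLIDE_LINE)), end="")
```

A line the pattern does not recognise returns None, which is the point of a per-Data-Source plugin: each regular expression only claims the messages it understands.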
Data Source
A Data Source is any application or device that generates logs, events and information. AlienVault can collect events from any Data Source by using a Data Source Connector (plugin).

Data Source ID
The Data Source ID (formerly known as plugin_id) is a unique number used by AlienVault to identify each of the Data Source types that send events to AlienVault. This number is used in correlation rules and when defining Policy Rules.

Event Type
The Event Type (formerly known as plugin_sid) is a unique number (within each Data Source) that identifies the different events a Data Source is able to generate. The Event Type always has to be associated with a Data Source ID, since multiple Data Source IDs can share common Event Types (e.g. the 404 Event Type in Apache and IIS).

Assets
An Asset is any device available on a network that is being monitored by the SIEM. Assets in AlienVault have a value (0-5); each Asset will have a different value depending on its task within the network.
Assets in AlienVault:

Asset Value
- Every Asset in AlienVault has an Asset Value (0-5)
- Assets not defined within the AlienVault Inventory have a default Asset Value of 2
- Assets will have different values depending on their role within the monitored network
- E.g.: at a printing company, printers will have a very high asset value
- E.g.: at a company offering web hosting, web servers and database servers will be valuable assets while printers, on the other hand, won't be so important

Defining an Asset in OSSIM
Event Priority
Priority is the importance of the event itself: a measure which tries to determine the relative impact an event could have on our network. Priority is a value between 0 and 5:
- 0: No importance
- 1: Very low
- 2: Low
- 3: Average
- 4: Important
- 5: Very important

Event Reliability
Reliability determines the probability of an attack being real or not. E.g.: a single authentication failure. Would you be able to determine if it is a real attack (brute force attack) using a single event? Reliability can be a value between 0 and 10:
- 0: False positive
- 1: 10% chance of being an attack
- 2: 20% chance of being an attack
- ...
- 10: Real attack

Event Risk
The SIEM calculates a risk for each event processed in the SIEM. The Event Risk is a numeric value (0-10).

Alarm
Any event with a risk value greater than or equal to 1 will become an alarm. An alarm is a special type of event since it can have more than one event originating it. Correlation doesn't generate alarms (that is done by the server during R.A); it generates new events that may or may not become alarms.
Correlation
Correlation is the process of transforming various input data into a new output data element. Using correlation we can transform two or more input events into a more reliable output event. Through correlation of various events from disparate data sources a SIEM delivers greater Security Intelligence.

Aggregated Risk
Apart from calculating a risk value for each event, the AlienVault SIEM also maintains an aggregated risk indicator for each asset of the network. This aggregated risk is stored in two properties of each asset within AlienVault:
- Compromise: a network element is generating lots of events as source, that is, it is behaving as if it has been compromised
- Attack: a value that measures the level of attack an element has received in our network, that is, how much it has been attacked

Compromise Value
The compromise value is increased by the risk of the event calculated using the Asset Value of the source (the Asset Value of the destination is ignored even if it is higher). This value increases the compromise value of the host, the compromise value of the host groups, networks and network groups the host belongs to, as well as the global compromise value.

Attack Value
The attack value is increased by the risk of the event calculated using the Asset Value of the destination (the Asset Value of the source is ignored even if it is higher). This value increases the attack value of the host, the attack value of the host groups, networks and network groups the host belongs to, as well as the global attack value.
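The following added example (written for this page, not OSSIM's own server code) ties the slides on reliability, risk, alarms, correlation and aggregated risk together: five low-reliability failed su events are correlated into one more reliable brute-force event, each event's risk is computed once with the source's Asset Value (feeding Compromise) and once with the destination's (feeding Attack), and an alarm is raised when a risk reaches 1. The risk formula (asset * priority * reliability / 25) is the one AlienVault documents for OSSIM and is not stated on these slides; the inventory, the sample events, Event Types 3 and 100, and the choice to alarm on the larger of the two risks are assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Event:
    plugin_id: int     # Data Source ID
    plugin_sid: int    # Event Type within that Data Source
    src_ip: str
    dst_ip: str
    priority: int      # 0-5: importance of the event itself
    reliability: int   # 0-10: probability that the attack is real

# Constructed inventory: hosts not listed get the default Asset Value of 2.
ASSETS = {"192.168.1.10": 5}   # the company's database server

# Constructed input: five failed su attempts (plugin_sid 3 is an assumption;
# Data Source ID 4005 is the su plugin from the normalization slide).
SAMPLE_EVENTS = [Event(4005, 3, "192.168.1.50", "192.168.1.10", 1, 1)
                 for _ in range(5)]

def asset_value(ip):
    return ASSETS.get(ip, 2)

def event_risk(ev, asset):
    # Formula as documented by AlienVault for OSSIM (assumption: the slides
    # state only the 0-10 range): asset * priority * reliability / 25.
    return min(10.0, asset * ev.priority * ev.reliability / 25)

def correlate_failed_logins(events, threshold=5):
    # "If A and B then C": several low-reliability failures from one source to
    # one destination yield one new, more reliable brute-force event
    # (plugin_sid 100, priority 4, reliability 8 are constructed values).
    failures = Counter((e.src_ip, e.dst_ip) for e in events
                       if e.plugin_id == 4005 and e.plugin_sid == 3)
    out = list(events)
    for (src, dst), n in failures.items():
        if n >= threshold:
            out.append(Event(4005, 100, src, dst, 4, 8))
    return out

def aggregate_risk(events):
    """Return (compromise per source, attack per destination, alarms)."""
    compromise, attack, alarms = Counter(), Counter(), []
    for ev in events:
        risk_c = event_risk(ev, asset_value(ev.src_ip))  # source asset only
        risk_a = event_risk(ev, asset_value(ev.dst_ip))  # destination asset only
        compromise[ev.src_ip] += risk_c
        attack[ev.dst_ip] += risk_a
        if max(risk_c, risk_a) >= 1:   # alarm threshold from the Alarm slide
            alarms.append(ev)
    return compromise, attack, alarms

if __name__ == "__main__":
    comp, att, alarms = aggregate_risk(correlate_failed_logins(SAMPLE_EVENTS))
    print(dict(comp), dict(att), [a.plugin_sid for a in alarms])
```

None of the single failures reaches risk 1 (at most 5 * 1 * 1 / 25 = 0.2), so only the correlated event becomes an alarm, while every failure still adds to the aggregated Compromise and Attack values of the hosts involved.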
From Alarm to Ticket
- Alarms can be ignored or can be converted to tickets
- Tickets can be assigned to IS or IT officers
- The ticket life cycle is the security event handling/management

Security Event Management

Conclusions
- OSSIM provides SIEM capabilities to small and medium sized organizations
- OSSIM leverages best-of-breed open source tools and combines them into an integrated SIEM to manage security events
- OSSIM can be set up quickly: time is money

Thank You!