Exploring the Interactions Between Network Data Analysis and Security Information/Event Management



Similar documents
2012 CyberSecurity Watch Survey

Monitoring Trends in Network Flow for Situational Awareness

Supply-Chain Risk Management Framework

Network Analysis with isilk

Network Monitoring for Cyber Security

Moving Target Reference Implementation

Overview. CMU/SEI Cyber Innovation Center. Dynamic On-Demand High-Performance Computing System. KVM and Hypervisor Security.

VoIP in Flow A Beginning

Contracting Officer s Representative (COR) Interactive SharePoint Wiki

Assurance Cases for Design Analysis of Complex System of Systems Software

Cyber Intelligence Workforce

SOA for Healthcare: Promises and Pitfalls

CERT Virtual Flow Collection and Analysis

How To Use Elasticsearch

Risk Management Framework

Getting Started with Service- Oriented Architecture (SOA) Terminology

Architectural Implications of Cloud Computing

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Abuse of CPE Devices and Recommended Fixes

A Study of Systems Engineering Effectiveness. Building a Business Case for Systems Engineering

CMMI for SCAMPI SM Class A Appraisal Results 2011 End-Year Update

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Applying Software Quality Models to Software Security

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

How To Ensure Security In A System

$100 SiLK Network Flow Sensor

The Key to Successful Monitoring for Detection of Insider Attacks

Extending AADL for Security Design Assurance of the Internet of Things

CMMI: What do we need to do in Requirements Management & Engineering?

Agile Development and Software Architecture: Understanding Scale and Risk

emontage: An Architecture for Rapid Integration of Situational Awareness Data at the Edge

Sustaining Operational Resiliency: A Process Improvement Approach to Security Management

An Application of an Iterative Approach to DoD Software Migration Planning

UFO: Verification with Interpolants and Abstract Interpretation

Building Resilient Systems: The Secure Software Development Lifecycle

Incident Management Capability Metrics Version 0.1

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE SM ) Framework, Version 1.0

Information Asset Profiling

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

Arcade Game Maker Pedagogical Product Line: Marketing and Product Plan

A Systematic Method for Big Data Technology Selection

Service Measurement Index Framework Version 2.1

Common Testing Problems: Pitfalls to Prevent and Mitigate

The CERT Top 10 List for Winning the Battle Against Insider Threats

Penetration Testing Tools

Introduction to the OCTAVE Approach

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Interpreting Capability Maturity Model Integration (CMMI ) for Business Development Organizations in the Government and Industrial Business Sectors

Software Assurance Competency Model

Data Management Maturity (DMM) Model Update

CMMI for Acquisition, Version 1.3

Configuring and Monitoring SharePoint Servers

A Framework for Categorizing Key Drivers of Risk

Deriving Software Security Measures from Information Security Standards of Practice

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

Managing Security Risks in Modern IT Networks

CMMI for Development, Version 1.3

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

Software Vulnerabilities in Java

Guidelines for Developing a Product Line Production Plan

Software Security Engineering: A Guide for Project Managers

Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process

A Step-By-Step Guide

ORACLE OPS CENTER: VIRTUALIZATION MANAGEMENT PACK

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Third Party Software Used In PLEK500 (Utility for Win) v1.x.xx.xxx

CMMI for Development, Version 1.3

Open Source Used In Cisco Instant Connect for ios Devices 4.9(1)

MS Skype for Business and Lync. Integration Guide

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Monitoring Windows Workstations Seven Important Events

GEO Sticky DNS. GEO Sticky DNS. Feature Description

Allscripts Professional EHR

Oracle Net Services for Oracle10g. An Oracle White Paper May 2005

z/os V1R11 Communications Server system management and monitoring

Interpreting Capability Maturity Model Integration (CMMI ) for Service Organizations a Systems Engineering and Integration Services Example

Transcription:

Exploring the Interactions Between Network Data Analysis and Security Information/Event Management Timothy J. Shimeall CERT Network Situational Awareness (NetSA) Group January 2011 2011 Carnegie Mellon University

2011 Carnegie Mellon University NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This presentation may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The government of the United States has a royalty-free governmentpurpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. CERT is a registered mark owned by Carnegie Mellon University. 2

Overview Network Data Security Information/Events The Problem Events, Revisited Analysis leading to Events The Problem, Revisited Summary 3

Network Data larger network, more security data Data: Packets, Flows, DNS resolutions, host log entries, firewall log entries, etc. Data (in general) -> Low security information density Analysis (in part) -> Use goal/context to focus on higher-density data subsets, convert to aggregated form 4

Security Information/Events Commonly: Event: Something that happens SIEM: Event: Something describable via the schema Instance of security-sensitive activity observed at a device Aggregations of security-sensitive activity Chains of security-sensitive activity Information: Context for analyzing or processing events 5

The Problem If generation of data instance = event, too many events For collection and processing For human analysts Candidate solutions: Sampling Reduce data on arrival Restrict scope Restrict classes of data 6

Events, Revisited Definition: Security sensitive event -- instance of activity that, in context, is associated with a threat to the network or with its defensive strategy. Security sensitivity depends on context Effective security depends on strategy Edge devices (router, firewall, proxy, etc.) can not have that context (or time to process it) 7

Analysis as Event Mediator Event mediator: Automated actors receiving instances of network activity and applying context and strategy information to filter for securitysensitive events. Application: Process-mapping approach, isolating critical tipping points sensitive for security Rule-based approach, identifying specific events with high security sensitivity Learning approach, using historical data to build indicators of security sensitivity All three approaches are based on analysis. 8

Moving Closer to Reality Mediators provide more achievable information distribution Core-outward: context information, strategy rules Edge-inward: filtering (and re-filtering) event stream to isolate security sensitivity. Mediators simplify handling By automation: fewer intervening cases By humans: lower event rates Internal Network 9

The Problem, Revisited How often to publish context Rule updates Repeated training How to incorporate strategy Deception Frustration Resistance Isolation/Recovery 10

Summary Initial definition of security sensitive event Decomposition of problem Strategies for further development Experience and experimentation needed 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information