Cesario Di Sarno, Ph.D. Student in Information Engineering, University of Naples «Parthenope»
Security Information and Event Management in Critical Infrastructures
Fai della Paganella, 11 February 2014
Critical Infrastructures
Critical Infrastructures need to be protected since their failure would have a debilitating impact on the security or safety of a nation. U.S. Critical Infrastructure Protection (CIP) is a national program that ensures the security of vulnerable and interconnected infrastructures of the United States. CIP defines sectors and organizational responsibilities in a standard way:
- Banking and finance
- Transportation
- Information and communications
- Emergency services
- Law enforcement agencies
Trend of attacks against CIs
- From 2009 through 2011 the number of attacks against CIs increased
- Incidents specific to the Water and Energy sectors represent over half of the total incidents
- Independent researchers attribute the growth of attacks to the large number of control systems connected to the Internet
Source: [ICS-CERT Incident Response Summary Report]
Security Information and Event Management
SIEM systems offer a centralized view of the security of the IT infrastructure. They allow:
- Log Management: collecting logs from the different nodes of the IT infrastructure
- IT Regulatory Compliance: building filters or rules to audit and validate compliance with standards
- Active Response: taking actions and performing incident response for all verified security events
- Endpoint Security: monitoring endpoint security to centrally validate the security health of a system
- Event Correlation: correlating events from different domains and layers
[Diagram: SIEM at the centre, surrounded by Log Management, IT Regulatory Compliance, Active Response, Endpoint Security and Event Correlation]
SIEM Operational Flow
- Information Sources: SCADAs, video surveillance systems, RFID systems or any device that can generate and send logs
- Parsing: extraction of information from the logs
- Normalization: representation of the information in a standard format
- Correlation: identification of an attack pattern through the analysis of events
- Risk Assessment: evaluation of the hazard of an event
- Log Storage: database where all events are stored
- Monitoring Web Interface: analysis of the security of the IT infrastructure
Comparison between the most widely adopted SIEMs: OSSIM and Prelude OSS
[Figure: general SIEM architecture]
                           OSSIM                               Prelude OSS
Normalized event format    proprietary                         IDMEF (RFC 4765)
Correlation rules          written using XML syntax            written using the Python programming language
Risk assessment            computed through a static formula   not available
Stored data format         proprietary                         proprietary
Integrity of stored data   no capability to ensure it          no capability to ensure it
Limits of current SIEM solutions
1. Correlation rules are written by the administrator in order to find a specific attack through the incoming events. This approach does not allow the system to improve its ability to discover new, unknown attacks.
2. Risk assessment is based on a static formula. The formula depends on asset value, event priority and event reliability (OSSIM).
3. The exchange of events between different types of SIEMs is difficult because of proprietary protocols.
4. The data stored in a SIEM cannot be easily exported.
5. The log storage systems used in many SIEMs are not designed to ensure the integrity and unforgeability of the data stored. These systems are also not tolerant to faults and intrusions.
6. Integration of a third-party log storage system into a SIEM is very complex, and the integration solutions depend on the specific SIEM used.
Need for Secure Data Storage
- Why is it important that the log storage system ensures the integrity and unforgeability of the data stored?
- Why should the architectures of log storage systems be tolerant to intrusions and faults?
Solution Proposed: Resilient Event Storage
Integration of Resilient Event Storage in SIEMs
Problems:
- Communications between components are encrypted
- No native support to export data from the storage system is provided. In the literature, the standard that allows data exchange between systems is called multi-server configuration. Today, providers include multi-server configuration only in the professional version
- The solutions proposed only allow data exchange between SIEMs of the same type
- No relational schemas of the databases are provided
- Each SIEM vendor uses a different format to store events in the log storage system
Integration of Resilient Event Storage in OSSIM and Prelude SIEM
Solution:
- Reverse engineering of the data stored in the databases in order to retrieve information about the tables and the relations between them
- A query is defined to extract only the events and sub-events related to the security breaches
- The results of the query are redirected to the nodes of our Forensic Storage (pull protocol)
OSSIM RES integration
[Figure: events generation, multiple login failure detection, RES records generated]
Prelude - RES with Node 1 compromised
[Figure: events generation; correlation (Multiple failed logins activated, multiple login failures detection); events chain; identifier of the faulty node; RES records generated]
Electronic Health Record
An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations.
Source: [Gunter, Tracy D.; Terry, Nicolas P. (2005). "The Emergence of National Electronic Health Record Architectures in the United States and Australia: Models, Costs, and Questions"]
- InFSE is a project led by the Institute of High-Performance Computing and Networking of the National Research Council (ICAR-CNR) and funded by the Italian Government
- InFSE defines the specifications and provides an implementation of a national framework to integrate the regional Electronic Health Record (EHR) systems
- The framework implements functionalities for document search, document download, patient event notification and others. It also provides business-layer services for e-prescribing, reporting and patient summary
- The InFSE infrastructure is modeled as a Service Oriented Architecture (SOA)
Privacy violations in InFSE: examples
1. Excessive download/search rate of citizens' records by a general practitioner acting as a malicious physician, or by someone else who is authenticated. The attack is performed when he/she searches more than 5 patients in less than 10 minutes
2. Emergency state abuse: a malicious physician searches for the EHRs of people stored in various regions outside his operational context
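The correlation stage of the SIEM flow, applied to privacy violation 1 above, as an added Python example that is not InFSE's or the project's code: a sliding-window rule that flags any actor who searches or downloads more than 5 distinct patient records within 10 minutes, counting repeated accesses to one patient only once. The event field names, actor names and sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized InFSE-style events (not from the original deck):
# who acted, what they did, on which patient record, and when.
EVENTS = [
    {"ts": "2014-02-11T09:00:00", "actor": "gp-rossi", "action": "ehr.search",   "patient": "P001"},
    {"ts": "2014-02-11T09:01:00", "actor": "gp-rossi", "action": "ehr.search",   "patient": "P002"},
    {"ts": "2014-02-11T09:03:00", "actor": "gp-rossi", "action": "ehr.download", "patient": "P003"},
    {"ts": "2014-02-11T09:05:00", "actor": "gp-rossi", "action": "ehr.search",   "patient": "P004"},
    {"ts": "2014-02-11T09:07:00", "actor": "gp-rossi", "action": "ehr.search",   "patient": "P005"},
    {"ts": "2014-02-11T09:07:30", "actor": "gp-rossi", "action": "ehr.download", "patient": "P005"},
    {"ts": "2014-02-11T09:09:00", "actor": "gp-rossi", "action": "ehr.search",   "patient": "P006"},
] + [
    # A second practitioner touches 6 patients too, but spread over 30 minutes: legitimate load.
    {"ts": f"2014-02-11T09:{6 * i:02d}:00", "actor": "gp-bianchi",
     "action": "ehr.search", "patient": f"P10{i}"}
    for i in range(6)
]

RATE_ACTIONS = {"ehr.search", "ehr.download"}  # actions that count toward the rate


def detect_excessive_rate(events, max_patients=5, window=timedelta(minutes=10)):
    """Correlation rule: alert when one actor touches more than `max_patients`
    distinct patients within any sliding `window`. Returns (actor, ts, count) tuples."""
    alerts = []
    history = defaultdict(deque)  # actor -> deque of (timestamp, patient), oldest first
    for ev in sorted(events, key=lambda e: e["ts"]):  # correlate in time order
        if ev["action"] not in RATE_ACTIONS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        dq = history[ev["actor"]]
        dq.append((ts, ev["patient"]))
        while ts - dq[0][0] >= window:  # drop accesses that fell out of the window
            dq.popleft()
        distinct = {patient for _, patient in dq}  # repeats on one patient count once
        if len(distinct) > max_patients:
            alerts.append((ev["actor"], ev["ts"], len(distinct)))
    return alerts


if __name__ == "__main__":
    for actor, ts, count in detect_excessive_rate(EVENTS):
        print(f"ALERT {ts} {actor}: {count} distinct patients within 10 minutes")
```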
SIEM deployment on InFSE
Integrating SIEMs with other systems
- The success of a SIEM solution mainly depends on its compatibility with other devices. For this purpose, SIEM products are compliant with many devices on the market, so they provide many types of ready-to-use agents to process different types of logs (snare, ossec, snort, ...)
- The adaptation of a new information source to a SIEM can be performed in two ways:
  - Information Source side: the Information Source generates and sends the logs (e.g. in native Syslog format or another format known to the SIEM)
  - SIEM side: a new agent must be written. In particular, a regular expression is required in order to parse the new types of logs
Integrating SIEMs with DaMon
DaMon (Dam Monitor) is an extension of the open-source project Mango M2M. It is an advanced prototype of a SCADA system for the monitoring and control of dams
Integrating SIEMs with DaMon
The DaMon architecture follows the Model-View-Controller architectural pattern. Following this pattern and using the source code of the Mango M2M project, we have designed and developed a new module that generates and sends logs in Syslog format to the Syslog server available in SIEM solutions
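The two integration paths listed under "Integrating SIEMs with other systems", and the Syslog module described for DaMon, as an added Python example that is not DaMon's or Mango M2M's code: an Information Source side function that renders a dam event as an RFC 3164 Syslog line (the key=value body layout is hypothetical), and the SIEM-side agent regular expression that parses it back into normalized fields, rejecting lines that do not match. Hostnames, event names and values are constructed.

```python
import re
import socket
from datetime import datetime

# RFC 3164 PRI = facility * 8 + severity; local0 is a common choice for custom sources.
FACILITY_LOCAL0 = 16
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def format_syslog(hostname, app, severity, fields, ts):
    """Information Source side: render a dam event as one RFC 3164 line.
    `fields` is a dict; the key=value body is a hypothetical layout, not DaMon's own."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # RFC 3164 timestamp, day space-padded
    body = " ".join(f'{k}="{v}"' if " " in str(v) else f"{k}={v}" for k, v in fields.items())
    return f"<{pri}>{stamp} {hostname} {app}: {body}"


def send_udp(line, server="127.0.0.1", port=514):
    """Ship one line to the SIEM's Syslog server over UDP (not called in the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server, port))


# SIEM side: the regular expressions a new agent needs for the header and the body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line):
    """Return a normalized event dict, or None if the line is not in the expected format."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None  # unknown format: do not guess, let the agent quarantine the line
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # facility 0-23 and severity 0-7 give at most 191; larger is malformed
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "app": m.group("app"), "fields": fields}


# Constructed demo event (not from the original deck).
DEMO_LINE = format_syslog("damon-01", "damon", "warning",
                          {"event": "gate_open", "dam": "DAM01", "sensor": "G3",
                           "level_cm": 412, "note": "manual override"},
                          datetime(2014, 2, 11, 14, 3, 7))
```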
Thank you