CrossTec Corporation | 500 NE Spanish River Blvd, Suite 201 | Boca Raton, FL 33431 www.CrossTecCorp.com | PH: 561.391.6560 | Toll: 800.675.0729 | Fax: 561.391.5820
By: Albert Caballero, CISSP, GSEC, BA MIS Security; Stanley Fidge, MCSA, CCNA, Security+, BA MIS Security
Abstract
Vulnerability assessments, forensic investigations, and incident response are the cornerstones of building a secure and compliant computing environment. Information Technology professionals need to monitor and correlate all of their network and system security events; otherwise it is difficult to effectively manage and maintain relative security. Network forensics is essentially the investigation of all of the packets and events generated on a given network. The better these events can be understood and correlated, the better the chance of detecting an incident, past or present. Security events are at the root of all incidents, and in the digital world, without some combination of correlated security events, it is nearly impossible to know whether an incident has actually occurred. Network events are generated by almost every system, application, or device on a network. If these events are not monitored, incidents can occur quite often and go completely unnoticed, or worse, become untraceable. In this case, what you don't know WILL hurt you! Responding to incidents, identifying anomalous or unauthorized behavior, and securing intellectual property have never been more important. Without security event and vulnerability monitoring, identifying threats and attacks against confidentiality, integrity, or availability becomes much more difficult. Furthermore, there is little chance that any network forensic investigation will be properly conducted, much less succeed, without the retention and correlation of network security event logs. Ideally, an organization should develop clear and concise log management policies, continually train staff in security awareness, and implement new and effective technologies to detect and respond to security incidents. This will also ease the burden of network forensic investigations.
Our focus is Security Information and Event Management (SIEM) as it pertains to network forensic investigations, vulnerability management, and incident response. Modern voice and data networks integrate past, present, and future technologies in ways that have revolutionized how business is conducted in our global economy. This IT revolution has posed some significant challenges to network forensics, including:
- New multi-vendor vulnerabilities are discovered every day, and many unknown vulnerabilities are exploited without ever being detected.
- Large volumes of dynamic network event data from disparate devices are rarely audited, easily lost, and inadequately stored, making it difficult to maintain log integrity.
- High IDS/IPS false-positive rates and information overload from millions of event logs every day reduce the accuracy with which IT staff can detect true incidents.
Correlating security events to vulnerabilities isn't easy to understand or implement, always requires significant computer security expertise, and is usually quite expensive and time consuming. Our goal as a research group is to show that before conducting a network forensics investigation, it is critical to assess vulnerabilities and correlate them to intrusion detection alerts using new technologies such as SIEM. We will be using Activeworx Security Center as our network forensic tool of choice.
Finally, there is general information overload, with millions of appliance, application, and system event logs being generated every day. The primary problem with network forensics is the dynamic nature of network event data and the fact that it is rarely audited, inadequately archived, and easily lost, deleted, or copied. 65% of organizations report that they have not established any Return on Investment (ROI) metrics for security risk management of their enterprise networks. 56% of upper management and decision makers rarely or never discuss policies and the need for procedures regarding access to critical information, leaving these tasks solely to IT Security Management and IT Security Technicians to comply with Federal regulations.
Implementing real-time network forensic techniques is an effective method of initially identifying and responding to computer crimes and policy violations. With a Security Information and Event Management tool, an analyst can monitor, automate, and investigate network forensic event data, as well as respond much more quickly to IDS events by minimizing false positives. Correlating security events, investigating and acting according to policy, and properly archiving network and system events over time are critical elements of preparing an organization to succeed in current and future network forensic investigations. In tandem, vulnerability assessment and risk management are required elements of any investigation, to test and verify the integrity of computer systems, servers, and enterprise networks. SIEM, used to monitor network IDS and provide incident response functions, is desirable because it helps identify anomalies, such as covert channels and intruder attacks using automated tools, and helps correlate these anomalies on the network with system and firewall logs. Computer investigative functions are necessary to manage, protect, and maintain the forensic integrity of network-based systems and devices.
Activeworx Security Center (ASC) is a SIEM software tool that can monitor, analyze, and alert on almost any event generated on your network to obtain security and forensic information. ASC can also correlate events from different assets with vulnerability scanners in real time. To ease the pain of compliance, the enterprise version of ASC can collect, MD5-checksum, and rotate audit logs for every network device, system, or application on a network. This helps organizations meet regulatory compliance and be ready for future audits and investigations. Specifically, ASC makes it easy to be compliant and also gives you the power to analyze network events in the way you think is important. When trying to make heads or tails of how to cover the core components of the Investigation Triad, it becomes difficult to translate these ideas into actual technologies that can do the job. We will provide an example of how each component can be addressed by ASC and SIEM in general.
Vulnerabilities are a crucial and often neglected component of all security programs. Without current vulnerability information on systems, applications, and network devices, it is impossible to know which systems are at highest risk or most susceptible to attack. It is difficult to run vulnerability scans on a consistent basis, primarily because they are time consuming, require a certain level of expertise, and really: what are you going to do with the results once you have them anyway? Who even knows which vulnerabilities are important and which ones aren't? Who can tell me when one of these vulnerabilities is being exploited? Well, the answers are: ASC will correlate them with IDS events, ASC knows what your vulnerabilities are, SANS/FBI knows which are important, and your IDS/IPS devices are the ones that know when you're being attacked! The SANS Institute, together with the FBI, maintains a list of the Top 20 Internet Vulnerabilities. Using this as our framework, we can use ASC and its Correlation Engine to automate the correlation of IDS events to vulnerability scans by CVE reference and alert us to important events in real time. (To find out more about CVE references, see below under SANS Top-20 Vulnerabilities.)
Figure 3: ASC Built-in IDS Event to High Risk Vulnerability Correlation Rule
Intrusion Response (IR) is not typically associated with network forensic investigations; however, in reality, it remains one of its most important components. Proper IR techniques are what network forensics are all about, and they can make or break an investigation according to how a first response is handled. IR is made more efficient by three main SIEM components: the use of automated Event to Vulnerability correlation as described above, visualization and diagramming of events with drill-down analysis capabilities, and correlation of Event to Event activity on the network.
Figure 4: Event Diagram and Visualization of High Priority Security Events Helps IR
In scenarios where it is necessary to immediately correlate certain types of events to other events happening on the network, there needs to be a quick and effective way to pull related information from other devices.
Figure 5: ASC Event to Event Correlation Rule Helps Find Anomalies
Investigations are often conducted after the incident has occurred. To show that the information you have is forensically sound, the network logs of all assets need to be handled correctly as they are generated on the network. It is no longer sufficient to store logs on end systems and let them overwrite themselves every few days. Regulatory compliance and the need to forensically analyze events are forcing organizations to store network event data over long periods of time and find a mechanism that will allow them to prove its integrity at a future date. ASC provides this capability in its new v4 ASCe, an enterprise version of the SIEM tool that includes complete log management. Interestingly, although SIEM and Log Management are tightly related, their purposes are completely opposed. Whereas SIEM allows an analyst to discard large numbers of unnecessary events to pick out the few that are important, the goal of a good Log Management solution is to log every single event from every device or system on the network and store them to disk for regulatory compliance and future analysis. ASCe will be released this summer according to the manufacturer, and it will support logging of 20,000 to 30,000 Events Per Second (EPS), 20-to-1 daily compression of all logs, MD5 checksumming and rotation of log files, easy search of archived audit data, and full integration with the SIEM tool so you can import events that occurred in the past and analyze them today.
Figure 6: ASCe Version 4 Complete Log Management with SIEM Integration
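The checksum-and-rotate log handling described above, as an added Python example that is not ASCe's own code: each rotated log file is sealed into a manifest and re-verified later, which is what lets an analyst demonstrate integrity at a future date. MD5 is used because it is what the paper names; the digest helper accepts any hashlib algorithm, so sha256 is a one-word swap. The log lines, file names and tampering step are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed sample log lines standing in for one day's collected syslog output.
SAMPLE_LOG = (
    "Jan 01 00:00:01 fw1 kernel: DROP IN=eth0 SRC=10.0.0.77 DST=10.0.0.5 PROTO=TCP DPT=445\n"
    "Jan 01 00:00:02 ids1 snort: [1:0:1] constructed test signature [Priority: 1]\n"
)


def digest(path, algo="md5"):
    """Hash a file in chunks. MD5 matches the paper; pass algo="sha256" for a stronger digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def rotate_and_seal(active_log, archive_name, manifest):
    """Rotate the active log to its archive name and append its digest to the manifest."""
    os.replace(active_log, archive_name)
    d = digest(archive_name)
    with open(manifest, "a") as m:
        m.write(f"{d}  {os.path.basename(archive_name)}\n")
    return d


def verify_manifest(manifest, directory):
    """Return {filename: bool}; False means the archived file changed or is missing."""
    results = {}
    with open(manifest) as m:
        for line in m:
            expected, name = line.rstrip("\n").split("  ", 1)
            path = os.path.join(directory, name)
            results[name] = os.path.exists(path) and digest(path) == expected
    return results


def demo():
    """Seal a log, then modify it, and return (verified before, verified after)."""
    d = tempfile.mkdtemp()
    active = os.path.join(d, "syslog")
    with open(active, "w") as f:
        f.write(SAMPLE_LOG)
    manifest = os.path.join(d, "MANIFEST.md5")
    rotate_and_seal(active, os.path.join(d, "syslog.1"), manifest)
    before = verify_manifest(manifest, d)
    with open(os.path.join(d, "syslog.1"), "a") as f:
        f.write("Jan 01 00:00:03 fw1 kernel: (line inserted after sealing)\n")  # simulated tampering
    after = verify_manifest(manifest, d)
    return before["syslog.1"], after["syslog.1"]
```

Calling demo() returns (True, False): the archive verifies immediately after sealing and fails once a line is appended.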
Six years ago the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI created a Top-10 list of the most exploited vulnerabilities on the Internet. In the past several years thousands of organizations, public and private, have helped expand this list into the Top-20 Internet Security Attack Vectors. Every year SANS and the FBI update this list with the latest vulnerabilities, and it has become the Incident Handler's point of reference when defining a starting point for tracking and monitoring vulnerabilities on any given network. The vulnerable services that led to worms like Blaster, Slammer, and Code Red were all on SANS Top-20 lists before the worms hit the Net, and they could have been prevented, or at least detected, had these vulnerabilities been monitored for activity on a network. The SANS Top-20 2006 is a consensus list of vulnerabilities that require immediate remediation and can be found at http://www.sans.org/top20/. The idea of this document is to effectively monitor events coming from IDS/IPS sensors to see if one of these Top-20 vulnerabilities is being attacked; furthermore, IDS events will be compared against these vulnerabilities only if we know the vulnerability exists on our network. Activeworx Security Center will begin to include these rules built into the product in v4 by using CVE references. CVEs (Common Vulnerabilities and Exposures) are provided by the National Institute of Standards and Technology (NIST), in list format, to help keep track of all the significant vulnerabilities discovered throughout the year. Both IDS/IPS sensors and most vulnerability scanners already carry CVE references in their events, which gives security teams the ability to correlate, index, and easily reference common vulnerabilities and threats on their network as they happen. The National Vulnerability Database, where you can look up these CVEs, is found at http://nvd.nist.gov/
Figure 7: SANS Top-20 Vulnerability Correlation to IDS/IPS Event
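The CVE-keyed correlation described in the Investigation Triad section (IDS event to high-risk vulnerability rule) and in the SANS Top-20 discussion above, as an added Python example that is not part of the original paper or of Activeworx: each IDS alert is matched against the scan results for its target host and ranked, with a small priority set standing in for a Top-20-style list. All hosts, CVE identifiers and signature names are constructed placeholders.

```python
# Constructed scan results: target host -> CVE references the scanner reported.
# Every CVE identifier below is a placeholder, not a real entry.
SCAN_RESULTS = {
    "10.0.0.5": {"CVE-0000-1001", "CVE-0000-1002"},
    "10.0.0.9": {"CVE-0000-1003"},
}

# Constructed priority list standing in for a SANS Top-20-style list.
HIGH_RISK_CVES = {"CVE-0000-1001"}

# Constructed IDS alerts; "cve" is the reference the sensor attached to its signature.
IDS_ALERTS = [
    {"dst": "10.0.0.5", "sig": "service overflow attempt", "cve": "CVE-0000-1001"},
    {"dst": "10.0.0.5", "sig": "directory traversal attempt", "cve": "CVE-0000-1002"},
    {"dst": "10.0.0.9", "sig": "service overflow attempt", "cve": "CVE-0000-1001"},
    {"dst": "10.0.0.9", "sig": "generic port sweep", "cve": None},
]


def prioritize(alert, scan, high_risk):
    """Rank one alert: critical = target is vulnerable and the CVE is on the
    priority list; high = target is vulnerable; low = CVE known but the target
    is not vulnerable (likely false positive); info = sensor gave no CVE."""
    cve = alert.get("cve")
    if cve is None:
        return "info"
    host_vulns = scan.get(alert["dst"], set())
    if cve in host_vulns:
        return "critical" if cve in high_risk else "high"
    return "low"


def correlate(alerts, scan, high_risk):
    """Annotate every alert with its priority, keeping the original order."""
    return [dict(alert, priority=prioritize(alert, scan, high_risk)) for alert in alerts]


def triage_queue(alerts, scan, high_risk):
    """Order alerts so the analyst sees confirmed-vulnerable targets first."""
    order = {"critical": 0, "high": 1, "low": 2, "info": 3}
    return sorted(correlate(alerts, scan, high_risk), key=lambda a: order[a["priority"]])


if __name__ == "__main__":
    for a in triage_queue(IDS_ALERTS, SCAN_RESULTS, HIGH_RISK_CVES):
        print(f'{a["priority"]:8} {a["dst"]:10} {a["sig"]} ({a["cve"] or "no CVE"})')
```

The third alert is the one a plain IDS console would show with the same severity as the first; the scan data is what demotes it to a probable false positive.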
SIEM and Log Management solutions in general, like ASC, can assist with security information and log management as well as regulatory compliance by:
- Aggregating and normalizing event data from unrelated network devices, security devices, and application servers into usable information.
- Analyzing and correlating information from various devices to identify attacks as soon as possible and help respond more quickly to intrusions.
- Conducting network forensic analysis on historical or real-time events through visualization and replay of events.
- Creating customized report formats to adhere to specific compliance regulations.
- Increasing the value and performance of existing security devices by providing a consolidated event management and analysis platform.
- Improving effectiveness and helping focus IT Risk Management personnel on the events that are important.
Conclusion
As enterprise networks, voice and data traffic, and the number of end users continue to grow, the need and requirements for stable and all-inclusive SIEM and Log Management also grow. Tools such as these are rising to the forefront of information warfare as one of the best methods of strategically detecting and responding to attacks. Integrating the layers of security devices already in place with any future information assurance technologies is not an easy task. In order to efficiently monitor and understand your attackers, a SIEM tool is a huge help. Many surveys reveal that 60% of security breaches are internal, yet 70% of IT and IT security staff are more concerned about attackers on the outside. Some organizations even spend 90% of their security efforts on firewalls alone. Project management and cost/benefit analysis need to be applied in order to save time and money when deciding at which layer to implement new information assurance measures, what policies and procedures to create, and what software and hardware to purchase. SIEM and Log Management help focus IT security measures to more effectively protect hosts as well as the network perimeter, perform and automate network forensic analysis, automate regulatory compliance as it pertains to log retention, and help you visualize and report on your network in real time. Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations, not just investigating historical incidents. Major advances in event analysis and correlation allow Information Assurance technicians to counteract threats more quickly than ever, and these advances have been made available for the benefit of all Information Technology (IT) staff, especially IT Security Managers, Auditors, and CISOs, who are the ones held accountable. With a SIEM, an analyst can analyze, replay, and investigate network forensic data. Moreover, the correlation and proper storage of these network security events is a crucial part of preparing an organization to succeed in present and future forensic investigations. A substantial number of suspicious security events occur and go undetected within most enterprise networks and computer systems every day.