2. Disclaimer
IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random, and any resemblance to well-known addresses or host names is purely coincidental.
3. Who Am I?
● Raffael Marty, GCIA, CISSP
● Strategic Application Solutions @ ArcSight, Inc.
● Intrusion Detection Research @ IBM Research
● IT Security Consultant @ PriceWaterhouse Coopers
● Open Vulnerability and Assessment Language (OVAL) board member
● Speaker at Various Security Conferences
● Passion for Visual Security Event Analysis
see http://afterglow.sourceforge.net
5. A Picture is Worth a Thousand Log Entries
Detect the Expected & Discover the Unexpected
Reduce Analysis and Response Times
Make Better Decisions
6. Typical Security Monitoring Challenges
• Complexity: “How can I manage this flood of data?”
• Accuracy: “I wish I could see prioritized and relevant information!”
• Efficiency: “How can we prioritize and communicate efficiently?”
• Reporting: “How can I demonstrate compliance?”
… and do it all cost effectively
7. The Needle in the Haystack
[Funnel figure: security information / events narrow from raw events (tens of millions per day) to the audit trail (millions per day), to policy violations (less than 1 million per month), to potential breaches and verified breaches (a few thousand per month). Other labels on the figure: Normal, Pre-attacks, Failed attacks, False alarms, Misuse, Identified vulnerabilities, Defense in Depth, Insider Threat, Compliance, Attack formation.]
9. Data Analysis Components
• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
— Rule-based Correlation
— Statistical Correlation
• Advanced Analytics
— Pattern Detection
10. Event Normalization and Categorization
[Figure: the sample raw events below are shown flowing through Normalization and Categorization.]
Sample Raw PIX Events:
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
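The slide only shows the raw lines; the example below is an added illustration of what normalization and categorization do to them, not code from the talk or from ArcSight. It parses the four PIX lines into a fixed schema (timestamp, message id, severity, protocol, source and destination) and assigns each a category. The category names, the per-message-id table and the rule that the "to" side of a 302013 line is the client are assumptions read off the sample lines, not the product's taxonomy.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the four PIX lines from the slide, transcribed whole.
# The addresses are the slide's obfuscated ones, not real hosts.
SAMPLE_EVENTS = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# An endpoint is "[zone:]ip/port"; the zone is optional because the mapped
# (NATed) addresses in parentheses carry none.
ENDPOINT_RE = re.compile(r"(?:([a-z]+):)?(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.IGNORECASE)

# Per-message-id knowledge (assumed category names): action, category, and the
# positions of the source and destination endpoints among the endpoints found
# in the body, in order of appearance. For 302013 the client appears after
# "to" (third endpoint) and the server after "for" (first); this is read off
# the sample line and is an assumption, not taken from vendor documentation.
MSG_TABLE = {
    "106011": ("deny",  "Firewall/Deny/Inbound",       0, 1),
    "106015": ("deny",  "Firewall/Deny/No-connection", 0, 1),
    "305011": ("allow", "Firewall/NAT/Built",          0, 1),
    "302013": ("allow", "Firewall/Connection/Built",   2, 0),
}


@dataclass
class NormalizedEvent:
    timestamp: str
    device_product: str
    message_id: str
    severity: int          # PIX syslog level: 0 = emergency ... 7 = debug
    action: str
    category: str
    protocol: Optional[str]
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    raw: str


def normalize(line: str) -> NormalizedEvent:
    """Parse one raw PIX syslog line into the fixed schema and assign a category."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX event: {line!r}")
    body = m.group("body")
    action, category, src_idx, dst_idx = MSG_TABLE.get(
        m.group("msgid"), ("unknown", "Firewall/Other", 0, 1))
    endpoints = ENDPOINT_RE.findall(body)

    def endpoint(i):
        if i < len(endpoints):
            _zone, ip, port = endpoints[i]
            return ip, int(port)
        return None, None

    src_ip, src_port = endpoint(src_idx)
    dst_ip, dst_port = endpoint(dst_idx)
    proto = PROTO_RE.search(body)
    return NormalizedEvent(
        timestamp=m.group("ts"), device_product="PIX", message_id=m.group("msgid"),
        severity=int(m.group("sev")), action=action, category=category,
        protocol=proto.group(1).lower() if proto else None,
        src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port, raw=line)


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for e in normalize_all(SAMPLE_EVENTS):
        print(f"{e.timestamp} {e.category:<30} {e.action:<5} {e.protocol} "
              f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
```

Once every event carries the same fields, a correlation rule such as "deny from the same source" can be written once instead of once per message format, which is the point the slide makes about categorization feeding correlation.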
11. Risk-based Prioritization
[Architecture figure: a Vulnerability Scanner, Asset Information and Security Device Events are fed through Agents and a Collector (sources: Unix/Linux/AIX/Solaris, Mainframe & Apps, Databases, Windows Systems) into a Security Model that combines Agent Severity, Asset Criticality, Severity, Relevance and Model Confidence to produce a Prioritized Event.]
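The figure names the inputs of the security model but not how they are combined. The following is an added example, not ArcSight's model or code from the talk, of one way to turn those inputs into a priority: the weights, the relevance scale, the confidence values and the hosts and vulnerability ids are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Asset:
    ip: str
    criticality: int                                         # 0..10, from asset information
    open_ports: Set[int] = field(default_factory=set)        # from the vulnerability scanner
    vulnerabilities: Set[str] = field(default_factory=set)   # scanner findings (constructed ids)
    scanned: bool = False                                    # any scanner data? drives confidence


@dataclass
class Event:
    dst_ip: str
    dst_port: int
    agent_severity: int                                      # 0..10, normalized by the agent
    targets: Set[str] = field(default_factory=set)           # vulnerability ids the signature exploits


# Constructed asset information: a scanned database server that carries the
# vulnerability, and an unscanned workstation. Hosts and ids are hypothetical.
ASSETS: Dict[str, Asset] = {
    "10.0.0.50": Asset("10.0.0.50", criticality=9, open_ports={1433},
                       vulnerabilities={"VULN-A"}, scanned=True),
    "10.0.0.77": Asset("10.0.0.77", criticality=3, open_ports={445}, scanned=False),
}
UNKNOWN_ASSET = Asset("0.0.0.0", criticality=5)   # assumed default for hosts not in inventory

# Assumed weights; they sum to 1 so the result stays on the 0..10 scale.
WEIGHTS = {"severity": 0.4, "relevance": 0.3, "criticality": 0.2, "confidence": 0.1}


def relevance(event: Event, asset: Asset) -> int:
    """Assumed scale: 10 if the target is known vulnerable to what the event
    exploits, 4 if we have no scan data, 5 if the port is at least open, 2 if closed."""
    if event.targets & asset.vulnerabilities:
        return 10
    if not asset.scanned:
        return 4
    return 5 if event.dst_port in asset.open_ports else 2


def model_confidence(asset: Asset) -> int:
    """Assumed: full confidence when scanner data exists, half otherwise."""
    return 10 if asset.scanned else 5


def prioritize(event: Event, assets: Dict[str, Asset] = ASSETS) -> float:
    """Weighted combination of agent severity, relevance, asset criticality and
    model confidence, rounded to one decimal."""
    asset = assets.get(event.dst_ip, UNKNOWN_ASSET)
    score = (WEIGHTS["severity"] * event.agent_severity
             + WEIGHTS["relevance"] * relevance(event, asset)
             + WEIGHTS["criticality"] * asset.criticality
             + WEIGHTS["confidence"] * model_confidence(asset))
    return round(score, 1)


def rank(events, assets: Dict[str, Asset] = ASSETS):
    """Highest priority first: the order an analyst's queue would show."""
    return sorted(events, key=lambda e: prioritize(e, assets), reverse=True)


if __name__ == "__main__":
    same_signature = [Event(ip, 1433, agent_severity=7, targets={"VULN-A"})
                      for ip in ("10.0.0.77", "10.0.0.50", "192.0.2.9")]
    for e in rank(same_signature):
        print(e.dst_ip, prioritize(e))
```

The same signature with the same agent severity lands at three different priorities depending only on what is known about the target, which is what "relevance" and "model confidence" add on top of the device's own severity.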
12. Event Correlation
• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules or analyze statistical properties of event streams
— Across devices
— Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
— Can use priorities of individual events
13. Four Types of Real-time Correlation
• Simple Event Match
[Figure: Failed logins on UNIX systems + Failed logins on Windows systems → 5 or more failed logins in a minute from the same source → Attempted Brute Force Attack]
• Complex Multi-Event Match
[Figure: Attempted Brute Force Attack + Successful login to Windows systems → Successful Login]
14. Four Types of Real-time Correlation
• Statistical
— Mathematical model
[Figure: traffic per port going to 10.0.0.2; flag a 50% increase in traffic per port and machine]
• Stateful
[Figure: a user list (jdoe, ram, …) kept as state and fed by Simple, Complex Correlation, Statistical and Manual Population; a login attempt from user ram is checked against the terminated employee list → user on terminated employee list tries to login]
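The two slides above give one instance of each correlation type. The block below is an added example, not code from the talk or from ArcSight, that implements all four over a constructed stream of already normalized events: the simple match (5 or more failures in a minute from one source, UNIX and Windows counted together thanks to a shared category), the multi-event match (that alert followed by a successful Windows login from the same source), the statistical check (50% growth per machine and port against a baseline) and the stateful check (login by a user on a manually populated terminated list). The event schema, the five-minute follow-up window for the multi-event rule, the baseline figures and the terminated list are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2005, 6, 1, 0, 0, 0)


def ev(offset_s, cat, src, dst, user=None, os_=None):
    """Constructed normalized event; 'cat' is the category normalization assigned."""
    return {"ts": T0 + timedelta(seconds=offset_s), "cat": cat, "src": src,
            "dst": dst, "user": user, "os": os_}


# Constructed stream: five failures in 40 seconds from 10.1.1.5 against a UNIX and a
# Windows host, a success on the Windows host shortly after, an unrelated failure,
# and a login by user ram. Addresses and users are hypothetical.
EVENTS = [
    ev(0,   "Auth/Failure", "10.1.1.5", "10.0.0.7", "admin", "unix"),
    ev(10,  "Auth/Failure", "10.1.1.5", "10.0.0.7", "admin", "unix"),
    ev(20,  "Auth/Failure", "10.1.1.5", "10.0.0.9", "admin", "windows"),
    ev(30,  "Auth/Failure", "10.1.1.5", "10.0.0.9", "admin", "windows"),
    ev(40,  "Auth/Failure", "10.1.1.5", "10.0.0.9", "admin", "windows"),
    ev(90,  "Auth/Success", "10.1.1.5", "10.0.0.9", "admin", "windows"),
    ev(120, "Auth/Failure", "10.1.1.8", "10.0.0.7", "jdoe",  "unix"),
    ev(130, "Auth/Success", "10.1.1.9", "10.0.0.9", "ram",   "windows"),
]


def simple_match(events, threshold=5, window=timedelta(minutes=1)):
    """Simple event match: threshold failed logins within the window from one
    source. The OS of the target does not matter because both feeds normalize
    to the same category."""
    recent, alerts = defaultdict(deque), []
    for e in events:
        if e["cat"] != "Auth/Failure":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:     # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ts": e["ts"], "name": "Attempted Brute Force Attack", "src": e["src"]})
            q.clear()                              # fire once per burst
    return alerts


def complex_match(events, brute_alerts, window=timedelta(minutes=5)):
    """Complex multi-event match: a brute-force alert followed, within the window,
    by a successful login to a Windows system from the same source."""
    hits = []
    for a in brute_alerts:
        for e in events:
            if (e["cat"] == "Auth/Success" and e["os"] == "windows"
                    and e["src"] == a["src"] and a["ts"] <= e["ts"] <= a["ts"] + window):
                hits.append({"ts": e["ts"], "name": "Successful Login After Brute Force",
                             "src": e["src"], "dst": e["dst"]})
    return hits


# Constructed bytes per (machine, port) for a baseline period and the current one.
BASELINE = {("10.0.0.2", 80): 1000, ("10.0.0.2", 443): 5000, ("10.0.0.2", 22): 200}
CURRENT = {("10.0.0.2", 80): 1100, ("10.0.0.2", 443): 9000, ("10.0.0.2", 22): 200,
           ("10.0.0.2", 3389): 700}


def statistical(baseline, current, increase=0.5):
    """Statistical: flag a (machine, port) whose traffic grew by 50% or more
    against the model; a port absent from the baseline is flagged too, since
    'brand new' is the largest deviation there is."""
    flagged = []
    for key, now in current.items():
        before = baseline.get(key, 0)
        if before == 0 or (now - before) / before >= increase:
            flagged.append(key)
    return sorted(flagged)


# Constructed, manually populated terminated employee list: the external state
# a stateful rule consults.
TERMINATED = {"ram"}


def stateful(events, terminated):
    """Stateful: any login attempt, failed or successful, by a listed user."""
    return [{"ts": e["ts"], "name": "Terminated User Login Attempt",
             "user": e["user"], "dst": e["dst"]}
            for e in events if e["cat"].startswith("Auth/") and e["user"] in terminated]


if __name__ == "__main__":
    bf = simple_match(EVENTS)
    for alert in bf + complex_match(EVENTS, bf) + stateful(EVENTS, TERMINATED):
        print(alert)
    print("traffic deviations:", statistical(BASELINE, CURRENT))
```

Note the ordering dependency: the multi-event match consumes the output of the simple match, which is why the slide stacks them; and the stateful rule only works because something (here a constructed list, in practice one of the other rules or a manual feed) keeps the list current.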
15. Advanced Analytics - Pattern Detection
• Automatically detect repetitive event patterns
  Name                                                                        Device Product
  NETBIOS DCERPC Activation little endian bind attempting                     Snort
  NETBIOS DCERPC System Activity path overflow attempt little endian unicode  Snort
  Tagged Packet                                                               Snort
  SHELLCODE x86 NOOP                                                          Snort
  NETBIOS DCERPC Remote activity bind attempt                                 Snort
• Capability to detect new worms, malware, system misconfigurations, etc.
• Automatically create correlation rules to flag new occurrences of attack
19. Visual Approach – Benefits II
• Selection and drill-down
• Color by different properties
20. Three Aspects of Visual Security Event Analysis
• Situational Awareness
— What is happening in a specific business area
(e.g., compliance monitoring)
— What is happening on a specific network
— What are certain servers doing
• Real-Time Monitoring and Incident Response
— Capture important activities and take action
— Event Workflow
— Collaboration
• Forensic and Historic Investigation
— Selecting an arbitrary set of events for investigation
— Understanding the big picture
— Analyzing relationships - Exploration
— Reporting
28. Analysis Process
[Process figure with the nodes: Data Processing; Real-time Visual Detection; Automatic Action; Remediation; Visual Investigation; Historical and Forensic Analysis; Automatic Creation of new Filters and Correlation Components; Assign to 2nd Level Analysis; Assign Ticket for Operations.]
32. Define New Correlation Rules and Filters
1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
2. Filter
• Internal machines on white-list
• connecting to active directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
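As an added illustration of the three steps above (not code from the talk or from ArcSight), the block below applies the white-list filter first, then the "more than 20 drops from external to internal" rule, and turns each hit into an analyst assignment plus an operations ticket. The internal address range, the AD server addresses, the white-list entries and the sample drop events are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Assumed network model: one internal range, two AD servers, one white-listed
# internal machine known to generate drops toward AD.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AD_SERVERS = {"10.0.0.10", "10.0.0.11"}
WHITELIST = {"10.0.5.5"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def keep(drop: dict) -> bool:
    """Step 2, the filter: suppress drops from white-listed internal machines to
    AD servers so they no longer reach the analyst's view or the rule."""
    return not (is_internal(drop["src"]) and drop["src"] in WHITELIST
                and drop["dst"] in AD_SERVERS)


def rule(drops, threshold=20):
    """Step 1, the rule: more than `threshold` drops from one external source to
    one internal target. Returns the (src, dst) pairs that cross the threshold."""
    counts = Counter((d["src"], d["dst"]) for d in drops
                     if not is_internal(d["src"]) and is_internal(d["dst"]))
    return sorted(pair for pair, n in counts.items() if n > threshold)


def process(drops):
    """Filter, then rule, then step 3: the assignment and the ticket.
    Returns (number of events the filter removed, list of findings)."""
    kept = [d for d in drops if keep(d)]
    findings = [{"assign": "2nd level analysis", "src": src, "dst": dst,
                 "ticket": "Operations: quarantine and clean", "drops": n}
                for (src, dst), n in
                ((pair, sum(1 for d in kept if (d["src"], d["dst"]) == pair))
                 for pair in rule(kept))]
    return len(drops) - len(kept), findings


def make_drops(src, dst, n):
    """Constructed firewall drop events."""
    return [{"src": src, "dst": dst, "action": "drop"} for _ in range(n)]


SAMPLE = (make_drops("198.51.100.7", "10.0.0.25", 25)   # external -> internal, over threshold
          + make_drops("203.0.113.9", "10.0.0.25", 5)   # external -> internal, under threshold
          + make_drops("10.0.7.7", "10.0.0.25", 30)     # internal source: not the rule's pattern
          + make_drops("10.0.5.5", "10.0.0.10", 40))    # white-listed machine to AD: filtered

if __name__ == "__main__":
    removed, findings = process(SAMPLE)
    print(f"filter removed {removed} events")
    for f in findings:
        print(f)
```

The filter runs before the rule on purpose: the slide's feedback loop is about reducing what analysts and rules have to look at, so known-benign volume is cut at the earliest point rather than explained away after it has fired.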
33. Real-time Analysis - Summary
• Benefits of Visual Analysis
— Visually driven process for investigating events
— Visual investigation helps
• getting a quick turn-around
• detecting new and previously unknown patterns (i.e. incidents)
— Reduced event load for analysts by feeding gained knowledge back
into analysis work-flow.
42. Summary
Detect the expected
& discover the unexpected
Reduce analysis and response times
Make better decisions
43. Q&A
Raffael Marty
ArcSight, Inc.
Email: raffy@arcsight.com
Editor's Notes
Reduce analysis and response times: quickly visualize thousands of events; facilitate communication (graphs are easier to understand than textual events).
Make better decisions: situational awareness; visualize status of business posture; visual display of most important properties.
Detect the Expected & Discover the Unexpected: reporting; visually identify patterns and outliers.
The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.
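The note describes a destination-address to target-port link graph of the kind AfterGlow draws, and a visual finding in it (a run of contiguous ports). The block below is an added example, not AfterGlow's or the talk's code, that builds such a graph from constructed (destination, port) pairs, emits it as Graphviz DOT with green address nodes and plain port nodes, and finds contiguous port runs so the pattern the note relies on can be checked mechanically as well as by eye. The minimum run length and the heuristic that runs above port 1023 look like misreported ephemeral source ports are assumptions.

```python
from collections import defaultdict

# Constructed (destination, destination port) pairs: 10.0.0.5 receives a run of
# contiguous ports 1024..1030 plus port 80; 10.0.0.9 receives two unrelated ports.
EDGES_INPUT = [("10.0.0.5", p) for p in range(1024, 1031)] + [
    ("10.0.0.5", 80), ("10.0.0.9", 443), ("10.0.0.9", 25), ("10.0.0.9", 443)]


def build_graph(pairs):
    """Destination address -> set of target ports (the note's green and white nodes)."""
    graph = defaultdict(set)
    for dst, port in pairs:
        graph[dst].add(port)
    return graph


def to_dot(graph):
    """Emit Graphviz DOT: filled green nodes for addresses, plain nodes for ports."""
    lines = ["digraph events {"]
    for dst in sorted(graph):
        lines.append(f'  "{dst}" [shape=ellipse, style=filled, fillcolor=green];')
        for port in sorted(graph[dst]):
            lines.append(f'  "{dst}" -> "{port}";')
    lines.append("}")
    return "\n".join(lines)


def contiguous_runs(ports, min_len=5):
    """Return (first, last) for every run of consecutive port numbers of at
    least min_len (assumed threshold) in the given port set."""
    runs, start, prev = [], None, None
    for p in sorted(set(ports)):
        if prev is not None and p == prev + 1:
            prev = p
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev))
        start = prev = p
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs


def flag_contiguous(graph, min_len=5):
    """Per destination, the contiguous runs plus a hint about which of the note's
    two explanations fits. Assumed heuristic: a run entirely above 1023 sits in
    the ephemeral client-port range, which fits a device reporting source ports
    as destination ports; a run in the well-known range is more scan-like."""
    out = {}
    for dst, ports in graph.items():
        runs = contiguous_runs(ports, min_len)
        if runs:
            out[dst] = [(lo, hi, "ephemeral range: likely misreported source ports"
                         if lo >= 1024 else "well-known range: possible port scan")
                        for lo, hi in runs]
    return out


if __name__ == "__main__":
    g = build_graph(EDGES_INPUT)
    print(to_dot(g))
    for dst, runs in flag_contiguous(g).items():
        print(dst, runs)
```

The DOT output can be rendered with `dot -Tpng` to reproduce the kind of picture the note describes; the `flag_contiguous` result is what a follow-up filter or rule would consume once the analyst has confirmed which explanation holds for a given reporting device.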