This document discusses correlation in security monitoring. Correlation involves relating different security-related events together to produce more useful information and detect threats. It works by applying correlation rules to incoming events to increase their priority and risk level if they match specified criteria. This helps reduce noise and manual monitoring while automating security. Complex correlation allows matching events across multiple levels and timeframes. Correlation directives can be used to detect common attacks and map events to compliance objectives.
5. Correlation to the rescue
What correlation does for us
Increase evidence
Does the event have business impact?
Is the event dangerous?
Is the event a false positive?
6. Correlation to the rescue
What correlation does for us
Security automation
Relate data together to produce information
Get rid of manual monitoring of logs
Find well-known threats in the millions of events you are receiving
8. Correlation explained
A simple use case
Flow: Incoming event -> Matches correlation criteria (e.g. destination belongs to our VIP server zone) -> Correlation rule will raise priority and reliability of the event as specified in the correlation directive -> Increased risk will create an alert
9. Features
Correlation rules can nest any level
AND condition: branch another level
OR condition: insert a new rule on the same level
10. Examples
Somebody does a config change to an internal asset
Give more meaning to authentications to a very important host or zone of your network
Give an event a more meaningful signature
Map event to PCI/ISO objectives to get rapid reports on compliance
11. Correlation explained
Sample complex use cases
Flow: Incoming events -> Alert reinserted into event queue
One failed SSH login to VIP host
3 failed logins in the next 60 seconds
3 more failed logins in the next 5 minutes
Correlation rule will generate an alert
12. Threat detection examples
Correlate firewall events to detect common DoS and DDoS attacks
Prebuilt AlienVault correlation directives cover a lot of those already
Modify for your environment
Build Security Intelligence
13. Correlation explained
Complex use case with mixed events
Flow: Incoming events -> Alert reinserted into event queue
Successful SSH login to VIP host
Service going down on host
Correlation rule will generate an alert
16. Top level
Directive name
e.g. "Login to DMZ host from outside"
Priority
Value of 0-5 stating the initial importance of the event
Rule ID
Correlation editor automatically creates one
CLI editing requires you to choose a unique ID
18. First level
Every event received can activate directives
Firewall permits
Logins
Oracle audit events
No limits
Limitations
Only one event will activate a directive
Only events from detector plugins allowed
No timeout required
19. Editor only: Create first level rule
Create rule, explain dialogs
Save directive
Restart server
20. Deeper correlation levels
Any number of events within a specified timeout
Match on any attribute from previous rules
Event must have same source IP
Event must have same destination IP
Event must have same event type as on previous levels
21. Editor only: Create deeper rules for the sample complex use case
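Added example (not the deck's or AlienVault's own code): a small Python simulation of the sample complex use case from slide 11 using the level semantics of slides 18 and 20. The first level opens a directive instance ("backlog") on one failed SSH login to a VIP host with no timeout; each deeper level needs a number of further events with the same source IP, destination IP and event type inside its timeout, and reaching the last level generates the alert. Event fields, the VIP address and the event stream are constructed for the demonstration; the first level is assumed to need exactly one event, and an event that feeds an open backlog is not also used to open a new one.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: float    # seconds (constructed sample values below)
    src: str     # source IP
    dst: str     # destination IP
    etype: str   # normalized event type, e.g. "ssh_failed_login"

@dataclass
class Level:
    etype: str        # event type this level matches
    occurrence: int   # matching events needed to pass this level
    timeout: float    # seconds allowed for the level (unused on the first level)

VIP_HOSTS = {"10.0.0.5"}   # the slides' "VIP server zone" (constructed address)
# The three-level directive from the sample complex use case on the slides.
FAILED_SSH_DIRECTIVE = [
    Level("ssh_failed_login", 1, 0),    # first level: one event, no timeout
    Level("ssh_failed_login", 3, 60),   # 3 more failed logins within 60 seconds
    Level("ssh_failed_login", 3, 300),  # 3 more within the next 5 minutes
]

def correlate(events, levels, priority=3):
    """Feed time-ordered events through the directive; return generated alerts."""
    alerts, backlogs = [], []   # backlog = one directive instance in progress
    for ev in sorted(events, key=lambda e: e.ts):
        keep, matched = [], False
        for b in backlogs:
            if ev.ts > b["deadline"]:
                continue            # level timed out: the backlog is discarded
            lvl = levels[b["level"]]   # deeper levels need same src/dst IP and event type
            if not matched and ev.etype == lvl.etype and (ev.src, ev.dst) == (b["src"], b["dst"]):
                matched, b["count"] = True, b["count"] + 1
                if b["count"] >= lvl.occurrence:
                    b["level"], b["count"] = b["level"] + 1, 0
                    if b["level"] == len(levels):   # last level reached: raise the alert
                        alerts.append({"src": ev.src, "dst": ev.dst, "ts": ev.ts, "priority": priority})
                        continue
                    b["deadline"] = ev.ts + levels[b["level"]].timeout
            keep.append(b)
        backlogs = keep
        # first level: a single failed login to a VIP host opens a new backlog (no timeout here)
        if not matched and ev.etype == levels[0].etype and ev.dst in VIP_HOSTS:
            backlogs.append({"level": 1, "count": 0, "src": ev.src, "dst": ev.dst,
                             "deadline": ev.ts + levels[1].timeout})
    return alerts

# Constructed sample stream: 7 failures from one source, 3 from another, 1 to a non-VIP host.
SAMPLE = [Event(t, "198.51.100.7", "10.0.0.5", "ssh_failed_login") for t in (0, 10, 20, 30, 100, 200, 300)]
SAMPLE += [Event(t, "198.51.100.9", "10.0.0.5", "ssh_failed_login") for t in (0, 20, 100)]
SAMPLE.append(Event(5, "198.51.100.7", "10.0.0.9", "ssh_failed_login"))
```

Running correlate(SAMPLE, FAILED_SSH_DIRECTIVE) yields one alert for 198.51.100.7 at ts 300; the second source never completes level 2 inside its 60-second window and the non-VIP event never opens a backlog.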
23. What's next
A generated event with a risk > 1 automatically becomes an alert
Use Policies & Actions
Email notification
Custom user script
Open an internal ticket
Map to compliance objectives
PCI: e.g. Access to a PCI host from the internet
ISO: monitor firewall changes