Security Information Management New approaches Eurosec 2006 David Bizeul - CISSP
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Security Information Management
New approaches
Eurosec 2006
David Bizeul - CISSP
SIM/SEM state of art Correlation : difficulties Correlation mode and new approaches Algorithms and principles
Synopsys
Today, information is Everywhere Unclassified In multiple formats
How to unify data? How to consolidate date? How to analyze data ?
Security information
Security All interesting security information
Real threat Risk evolution Unavailability
Information Vulnerability audit report Inventory base Trend report
Event Logs Network flows
Management Regulation conformity Centralized data management
SIM / SEM differences
Rapprochement SIM et SEM
Visibility Information standardization Data consolidation Results analysis
Regulation compliance Bâle II SOX
Security team initialization SOC CSIRT
Help security team to post analyze
Investment trends/ dashboards
SIM, why ?
Multiple collectors Centralized management Reaction processes Multi-layered views
SIM principles
SIM/SEM state of art Correlation : difficulties Correlation mode and new approaches Algorithms and principles
Synopsys
Standardization
Know the event type Information taxonomy
Many editors Huge load of work
Logging types SNMP, Syslog Different editor formats
Standardize Place data field in different containers Some data may be lost
15;29Aug2005;14:00:59;62.229.98.130;account;accept;;daemon;inbound;tcp;141.176.125.66;145.58.30.9;http;2736;3;0:00:04;29Aug2000 14:00:07;18;6400;http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;
Timestamp : 1123359609Sensortype : firewallSensorid : 14Action : acceptSource :141.176.125.66Destination : 145.58.30.9
SPort : 2736DPort : 80Information : http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650
Volumetry
Correct visibility != Send everything Useless consumption (network, storage, memory….) Necessity to act early (product config, local agent , collector) Some componants are useless (accept proxy log )
50 EPS = 1000 EPS E_SNMP_antivirus != E_log_IDS
Real time correlation = Sytem calculation Context = memory RAM Database
Storage Heavy disk space
Correlation and Aggregation
Aggregation Anonymisation issue Bad standardization issue
Correlation rules IP src : spoofing and anonymization issue Sliding windows…. Hell direction Vulnerability : IDS avoidance
Corrélation statistique Prendre son temps
Efficient alarm
Good and early configuration to obtain an adapted result
SIM/SEM state of art Correlation : difficulties Correlation mode and new approaches Algorithms and principles
Synopsys
Severity
Before standardization
After standardization
Result
Alert severity drop fw.reject 5/10
Asset weigh 10.0.10.150 Business Zone 3/4
Atomic alarmmedium severity
Rules
Stateless Statefull
Alarme std
IF Adress=A
IF TYPE=fw.reject AND
TYPE=proxy.accept
Atomic alarmmedium severity
Atomic alarm medium severity
Correlated alarmhigh severity
Context
severity+1
severity+1
Context
Time analisys Window = Attack time
Atomic alarmmedium severity
Start
Atomic alarmminor severity
Context improvement
Atomic alarmmedium severity
Newcontext
Time
Atomic alarmmedium severity
IP addresses
Vulnerability correlation
Statistical
Scenario
Risk
Predictable
Correlation approaches
First steps
Real view
Mathematical analysis
Security analisys
Close to business
Active tool
time
Multi hosting supervision
Each site may have its own collector and analyzer
Centralized SOC
Centralized or multiple supervision
Statistical correlation
EPS Threshold
Auto learningMobile average / varianceNever Before seen approch
Evolutions Constant issues
Hard to define thresholdNew application, special event….
Vulnérability correlation
Between a vulnerability scanner and a detection engine
Asset identificationRisk correlation Manual/auto mode for assets
Evolutions
Constant issues
Internal scanners hard to be acceptedNecessary updates
Scenario correlation
Rule based correlation
Complete defined product databaseBusiness rules builtCompliance rules integratedPredictable mode/ non finite state automate
Evolutions
Constant issue
StandardizationForgotten scenario What if step in scenario defeated
Threat visibility IDS (CVE, bugtraq….) Antivirus
Vulnérability visibility Vulnerability audit / scanner
Asset identication and values Via internal scanner
Risk defined as : R=Threat * Vulnerability * Impact Alert severity or even risk assesment can be defined into a
product
Dynamic risk analysis
Product feature
Automatic or manual detection mode or
Business knowledge
Manual SOC/MSSP 24/24
Automatic Threat responses CIDF
Risk Mitigation
SIM/SEM state of art Correlation : difficulties Correlation mode and new approaches Algorithms and principles Conclusion
Synopsys
50 % new IDS/IPS solutions use SIM/SEM to deploy
Many security composants standardized
Combinated correlation modes
Nearest with business goals
Advanced features
All inclusive possibilities
Evolutions and trends
SIM and Enterprise Goal
Events refered as security policy leakage
Sécurity information
Security alarm
Reaction processes
Security componants
SIM
Supervision
TechnicalOrganisation
Relevance
Risk mitigation
Special thanks
Questions
© DEVOTEAM GROUPThis document is not to be copied or
reproduced in any way without Devoteam express permission. Copies of this document must be accompanied by title, date and this
copyright notice.
CONTACT
Contact Member David Bizeul
www.devoteam.com
AUSTRIA
BELGIUM
CZECH REPUBLIC
DENMARK
FRANCE
MOROCCO
MIDDLE EAST
NETHERLANDS
SPAIN
SWITZERLAND
UNITED KINGDOM
Authors David BizeulE-mail [email protected] of release 20/02/2006File Info Evolutions SIM
Related Documents
