Security Information Management: New approaches. Eurosec 2006. David Bizeul - CISSP
Dec 12, 2015

Page 1: Security Information Management New approaches Eurosec 2006 David Bizeul - CISSP.

Security Information Management

New approaches

Eurosec 2006

David Bizeul - CISSP

Page 2:

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Page 3:

Security information

Today, information is:
Everywhere
Unclassified
In multiple formats

How to unify data? How to consolidate data? How to analyze data?

Page 4:

SIM / SEM differences

Security: all interesting security information
Real threat, risk evolution, unavailability

Information: vulnerability audit report, inventory base, trend report

Event: logs, network flows

Management: regulation conformity, centralized data management

Convergence of SIM and SEM

Page 5:

SIM, why?

Visibility: information standardization, data consolidation, results analysis

Regulation compliance: Basel II, SOX

Security team initialization: SOC, CSIRT

Help the security team with post-analysis

Investment trends / dashboards

Page 6:

SIM principles

Multiple collectors
Centralized management
Reaction processes
Multi-layered views

Page 7:

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Page 8:

Standardization

Know the event type: information taxonomy

Many vendors: huge amount of work

Logging types: SNMP, Syslog; different vendor formats

Standardize: place data fields in different containers; some data may be lost

Example: raw vendor line, then the same event after standardization

15;29Aug2005;14:00:59;62.229.98.130;account;accept;;daemon;inbound;tcp;141.176.125.66;145.58.30.9;http;2736;3;0:00:04;29Aug2000 14:00:07;18;6400;http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;

Timestamp: 1123359609
Sensortype: firewall
Sensorid: 14
Action: accept
Source: 141.176.125.66
Destination: 145.58.30.9
SPort: 2736
DPort: 80
Information: http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650
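To make the standardization step concrete, here is an added example (not from the slides) that parses the raw vendor line above into the standardized containers shown and records which vendor fields are lost on the way. The column names for the vendor format, the UTC assumption for the timestamp and the service-name-to-port table are assumptions.

```python
import calendar
from datetime import datetime

# Raw vendor line copied from the slide above.
RAW_LINE = ("15;29Aug2005;14:00:59;62.229.98.130;account;accept;;daemon;inbound;tcp;"
            "141.176.125.66;145.58.30.9;http;2736;3;0:00:04;29Aug2000 14:00:07;18;6400;"
            "http://teletekst.nos.nl/cgi-bin/tt/nos/page/m/650;")

# Assumed column names for this vendor format (one name per ';'-separated field).
RAW_FIELDS = ["id", "date", "time", "collector_ip", "audit", "action", "alert", "origin",
              "direction", "proto", "src", "dst", "service", "s_port", "rule", "elapsed",
              "start", "packets", "bytes", "resource"]

# Assumed service-name to port table: the standardized record needs a numeric DPort.
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "dns": 53}

# Vendor fields that have a container in the standardized taxonomy; the rest are lost.
KEPT_FIELDS = {"id", "date", "time", "action", "src", "dst", "s_port", "service", "resource"}


def normalize_firewall_line(line: str, sensor_type: str = "firewall") -> dict:
    """Map one raw vendor line to the standardized containers and report dropped fields."""
    values = line.rstrip(";").split(";")
    if len(values) != len(RAW_FIELDS):
        raise ValueError(f"expected {len(RAW_FIELDS)} fields, got {len(values)}")
    raw = dict(zip(RAW_FIELDS, values))
    # Vendor date+time ('29Aug2005 14:00:59') becomes a Unix epoch; UTC is assumed.
    stamp = datetime.strptime(f"{raw['date']} {raw['time']}", "%d%b%Y %H:%M:%S")
    event = {
        "Timestamp": calendar.timegm(stamp.timetuple()),
        "Sensortype": sensor_type,
        "Sensorid": int(raw["id"]),
        "Action": raw["action"],
        "Source": raw["src"],
        "Destination": raw["dst"],
        "SPort": int(raw["s_port"]),
        "DPort": SERVICE_PORTS.get(raw["service"]),   # None if the service is unknown
        "Information": raw["resource"],
    }
    # Make the loss explicit: direction, protocol, rule number, counters have no container.
    dropped = [name for name in RAW_FIELDS if name not in KEPT_FIELDS]
    return {"event": event, "dropped": dropped}
```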

Page 9:

Volumetry

Correct visibility != send everything
Useless consumption (network, storage, memory...)
Necessity to act early (product config, local agent, collector)
Some components are useless (accept proxy logs)

50 EPS = 1000 EPS; E_SNMP_antivirus != E_log_IDS

Real-time correlation = system calculation; context = memory (RAM, database)

Storage: heavy disk space

Page 10:

Correlation and aggregation

Aggregation: anonymisation issue; bad standardization issue

Correlation rules: IP src spoofing and anonymization issue; sliding windows...; hell direction; vulnerability: IDS evasion

Statistical correlation: take your time

Page 11:

Efficient alarm

Good and early configuration to obtain an adapted result

Page 12:

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles

Page 13:

Severity

Before standardization -> After standardization -> Result

Alert severity: drop, fw.reject -> 5/10

Asset weight: 10.0.10.150, business zone -> 3/4

Atomic alarm: medium severity

Page 14:

Rules

Stateless / Stateful

Standard alarm: IF Address=A

IF TYPE=fw.reject AND TYPE=proxy.accept

Atomic alarm (medium severity) + Atomic alarm (medium severity) -> Correlated alarm (high severity)

Context: severity+1
severity+1

Page 15:

Context

Time analysis: window = attack time

Sequence along the time axis:
Atomic alarm, medium severity: start
Atomic alarm, minor severity: context improvement
Atomic alarm, medium severity
Atomic alarm, medium severity: new context
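As an added example (not from the slides), the following code models pages 13 to 15 together: an atomic alarm's severity from alert severity times asset weight, the fw.reject AND proxy.accept rule on the same address producing a correlated alarm, and a per-address context inside a time window whose severity rises by one step with each further alarm. The four-level scale, the band limits, the window length and the sample events are assumptions.

```python
LEVELS = ["minor", "medium", "high", "critical"]   # assumed four-level scale


def bump(level: str) -> str:
    """Context rule from the slides: severity + 1, capped at the top level."""
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def atomic_severity(alert_sev: float, asset_weight: float) -> str:
    """Alert severity x asset weight (both 0..1); 5/10 x 3/4 = 0.375 -> medium. Bands assumed."""
    score = alert_sev * asset_weight
    if score < 0.25:
        return "minor"
    if score < 0.5:
        return "medium"
    if score < 0.75:
        return "high"
    return "critical"


class ContextCorrelator:
    """One context per address; a context lives for window_s seconds (the attack time)."""
    def __init__(self, window_s: int):
        self.window_s = window_s
        self.contexts = {}   # address -> {"start": ts, "types": set, "severity": level}

    def feed(self, ev: dict) -> dict:
        sev = atomic_severity(ev["alert_sev"], ev["asset_weight"])
        ctx = self.contexts.get(ev["address"])
        if ctx is None or ev["ts"] - ctx["start"] > self.window_s:
            # Start: the first alarm (or the first one after the window) opens a new context.
            ctx = {"start": ev["ts"], "types": {ev["type"]}, "severity": sev}
            self.contexts[ev["address"]] = ctx
            return {"alarm": "atomic", "severity": sev}
        ctx["types"].add(ev["type"])
        # Context improvement: each further alarm raises the context severity by one step.
        ctx["severity"] = bump(max(ctx["severity"], sev, key=LEVELS.index))
        # Rule from page 14: fw.reject AND proxy.accept for the same address -> correlated alarm.
        if {"fw.reject", "proxy.accept"} <= ctx["types"]:
            return {"alarm": "correlated", "severity": ctx["severity"]}
        return {"alarm": "atomic", "severity": ctx["severity"]}


# Constructed sample stream: two mediums on one address within the window, then one after it.
SAMPLE_EVENTS = [
    {"ts": 0, "address": "10.0.10.150", "type": "fw.reject", "alert_sev": 0.5, "asset_weight": 0.75},
    {"ts": 30, "address": "10.0.10.150", "type": "proxy.accept", "alert_sev": 0.5, "asset_weight": 0.75},
    {"ts": 400, "address": "10.0.10.150", "type": "fw.reject", "alert_sev": 0.5, "asset_weight": 0.75},
]

def run_sample(window_s: int = 300) -> list:
    correlator = ContextCorrelator(window_s)
    return [correlator.feed(ev) for ev in SAMPLE_EVENTS]
```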

Page 16:

Correlation approaches (figure: the approaches placed along a time axis)

IP addresses: first steps
Vulnerability correlation: real view
Statistical: mathematical analysis
Scenario: security analysis
Risk: close to business
Predictable: active tool

Page 17:

Centralized or multiple supervision

Multi-hosting supervision: each site may have its own collector and analyzer

Centralized SOC

Page 18:

Statistical correlation

EPS threshold

Evolutions: auto learning; moving average / variance; never-before-seen approach

Constant issues: hard to define the threshold; new application, special event...
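An added example (not from the slides) of the two auto-learning ideas named on this page: an EPS threshold derived from a moving average and variance instead of a fixed value, and a never-before-seen check on (sensor, event type) pairs. The window size, the k factor, the learning set and the sample series are assumptions.

```python
import math
from collections import deque


class EpsBaseline:
    """Adaptive EPS threshold: mean + k * sigma over the last `window` samples."""

    def __init__(self, window: int = 12, k: float = 3.0, min_samples: int = 6):
        self.samples = deque(maxlen=window)   # sliding window of past EPS values
        self.k = k
        self.min_samples = min_samples        # no verdict until the baseline has learned

    def check(self, eps: float) -> bool:
        n = len(self.samples)
        anomalous = False
        if n >= self.min_samples:
            mean = sum(self.samples) / n
            var = sum((x - mean) ** 2 for x in self.samples) / n
            anomalous = eps > mean + self.k * math.sqrt(var)
        # Learn after judging; a burst still inflates the variance for `window` samples,
        # which is the slide's constant issue (a new application shifts the baseline).
        self.samples.append(eps)
        return anomalous


class NeverBeforeSeen:
    """Flags a (sensor, event type) pair the first time it shows up after learning."""

    def __init__(self, learned):
        self.known = set(learned)

    def check(self, key) -> bool:
        new = key not in self.known
        self.known.add(key)   # report each new pair once
        return new


# Constructed sample: a steady ~50 EPS feed with one 500 EPS burst at index 10.
SAMPLE_EPS = [50, 52, 48, 51, 49, 50, 53, 47, 50, 52, 500, 51, 49]
SAMPLE_KNOWN = [("fw", "accept"), ("fw", "reject"), ("proxy", "accept")]


def run_sample():
    baseline = EpsBaseline()
    spikes = [i for i, eps in enumerate(SAMPLE_EPS) if baseline.check(eps)]
    nbs = NeverBeforeSeen(SAMPLE_KNOWN)
    unseen = [nbs.check(k) for k in [("fw", "accept"), ("ids", "new.sig"), ("ids", "new.sig")]]
    return spikes, unseen
```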

Page 19:

Vulnerability correlation

Between a vulnerability scanner and a detection engine

Evolutions: asset identification; risk correlation; manual/auto mode for assets

Constant issues: internal scanners hard to get accepted; necessary updates

Page 20:

Scenario correlation

Rule-based correlation

Evolutions: completely defined product database; business rules built; compliance rules integrated; predictable mode / non-finite state automaton

Constant issues: standardization; forgotten scenario; what if a step in the scenario is defeated?

Page 21:

Dynamic risk analysis

Threat visibility: IDS (CVE, Bugtraq...), antivirus

Vulnerability visibility: vulnerability audit / scanner

Asset identification and values: via internal scanner

Risk defined as: R = Threat * Vulnerability * Impact
Alert severity or even risk assessment can be defined in a product

Product feature: automatic or manual detection mode, or business knowledge

Page 22:

Risk mitigation

Manual: SOC/MSSP 24/24

Automatic: threat responses, CIDF

Page 23:

Synopsis

SIM/SEM state of the art
Correlation: difficulties
Correlation modes and new approaches
Algorithms and principles
Conclusion

Page 24:

Evolutions and trends

50 % of new IDS/IPS solutions use SIM/SEM to deploy
Many security components standardized
Combined correlation modes
Closer to business goals
Advanced features
All-inclusive possibilities

Page 25:

SIM and enterprise goal

Events referred to as security policy leakage

Security information
Security alarm
Reaction processes

Security components
SIM
Supervision

Technical / Organisation

Relevance

Risk mitigation

Page 26:

Special thanks

Page 27:

Questions

Page 28:

© DEVOTEAM GROUP. This document is not to be copied or reproduced in any way without Devoteam express permission. Copies of this document must be accompanied by title, date and this copyright notice.

CONTACT

Contact Member David Bizeul

www.devoteam.com

Austria, Belgium, Czech Republic, Denmark, France, Morocco, Middle East, Netherlands, Spain, Switzerland, United Kingdom

Authors: David Bizeul
E-mail: [email protected]
Date of release: 20/02/2006
File Info: Evolutions SIM