www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
04 June 2007  
Vendor Accent

Security Event Management

Preventing blended attacks using Event Correlation

The number of vulnerabilities reported in 2006 was 7,247, a 39.5 percent increase over 2005. Along with the rise in security incidents there has been a corresponding exponential increase in spending on security. Securing business infrastructure has become a task of vital importance.

Security threats are increasing in both frequency and complexity. Network devices like IDSes or firewalls, Web servers, applications and databases produce enormous volumes of logs which are practically impossible to monitor manually. The problem is that much of the information generated by these security systems is dominated by false positives (an indication of hostile activity when there is none). Security systems like IDSes or firewalls used today are not a total solution for an organisation’s security needs. The challenge is to isolate and prioritise the few messages produced by these systems that do indeed indicate real security threats.

This is the reason ‘Security Event Consolidation’ and ‘Correlation’ become vital to the successful identification and handling of security incidents. Event consolidation brings together events from different systems into a central repository, and event correlation monitors the various security events to determine which events are significant and which ones relate to a particular attack. Event correlation helps organisations respond to critical threats in real time. This is achieved by Security Event Management (SEM), also sometimes referred to as Security Information Management. The relatively new field of Security Event Management is fast becoming a force to reckon with.

According to SearchSecurity: “A blended threat is a computer network attack that seeks to maximize the severity of damage and speed of contagion by combining methods, for example using characteristics of both viruses and worms, while also taking advantage of vulnerabilities in computers, networks, or other physical systems”. A blended threat exploits one or more vulnerabilities as the main vector of infection and may perform additional network attacks such as a denial of service against other systems.

The question that comes to mind is: how does one mitigate the risk involved? The answer is event correlation. Correlating the security events generated across the infrastructure is an effective way to mitigate the risk posed by a blended threat.

So how does event correlation work? There exist various kinds of correlation methods, but here we discuss three major approaches: Rule-Based Correlation, Statistical Correlation and Vulnerability-Based Correlation.

Rule-Based Correlation

Rule-based correlation has some pre-existing knowledge of the attack (the rule), and from this it is possible to define in precise terms what has actually been detected. Such attack knowledge is used to relate events and analyse them in a common context. These patterns can be pre-defined rules developed by the systems administrator over time.

Statistical Correlation

This kind of correlation does not employ any pre-existing knowledge of the malicious activity, but instead relies upon statistical algorithms to detect patterns. It is a mathematical technique which can show whether and how strongly pairs of Security Events are related.
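One concrete form of statistical correlation, added here as an example (it is not code from the article), is to count each event type per time interval and compute the Pearson correlation coefficient between the resulting series: pairs of event types whose counts rise and fall together score near 1, unrelated pairs near 0. The per-five-minute counts below are constructed for illustration: scan and exploit alerts that track each other during a worm outbreak, and failed logins as unrelated background noise. The 0.8 threshold for calling a pair "related" is likewise an assumption.

```python
from itertools import combinations
from math import sqrt
from typing import Dict, List, Tuple

# Constructed counts of security events per five-minute interval over one hour
# (12 intervals). Scan and exploit alerts peak together; login failures are flat noise.
EVENT_SERIES: Dict[str, List[int]] = {
    "scan":          [0, 0, 0, 2, 8, 20, 35, 40, 38, 30, 10, 2],
    "exploit":       [0, 0, 0, 0, 3,  9, 16, 20, 18, 14,  4, 1],
    "login_failure": [3, 4, 2, 5, 3,  4,  3,  5,  2,  4,  3, 4],
}


def pearson(xs: List[int], ys: List[int]) -> float:
    """Pearson correlation coefficient of two equal-length series.

    Returns 0.0 when either series is constant (no variance, so no relationship
    can be measured) instead of dividing by zero.
    """
    if len(xs) != len(ys) or not xs:
        raise ValueError("series must be non-empty and of equal length")
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / sqrt(var_x * var_y)


def related_pairs(series: Dict[str, List[int]],
                  threshold: float = 0.8) -> List[Tuple[str, str, float]]:
    """Return the event-type pairs whose counts are strongly correlated (|r| >= threshold)."""
    found = []
    for a, b in combinations(sorted(series), 2):
        r = pearson(series[a], series[b])
        if abs(r) >= threshold:
            found.append((a, b, round(r, 3)))
    return found


if __name__ == "__main__":
    for a, b, r in related_pairs(EVENT_SERIES):
        print(f"{a} and {b} are related (r = {r})")
```

In a running SEM the counts would be maintained over a sliding window and the pairs recomputed as each interval closes; the point of the technique is that no rule about scans or exploits had to be written in advance for the relationship to surface.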

Vulnerability-Based Correlation

This technique correlates security events with the destination host’s vulnerability profile: it checks whether the activity the IDS detected is associated with a vulnerability that the destination host in fact has, and prioritises events accordingly.

This requires the creation of a vulnerability profile as well as an asset repository, with a criticality rating assigned to each vulnerability and to each asset. When security events are correlated, these ratings are used to arrive at a final criticality rating for the incident, which helps in assessing and quantifying the risk involved. Let’s take an example.

A vulnerability profile may look as below and should be created using a good vulnerability scanner like Nessus:

Host          Vulnerability        Type                   Severity rating
10.10.10.1    XYZ Vulnerability    Privilege escalation   3

Now if we get an IDS Alert from ‘Snort-sensor’ as given below:

[**] [1:1917:6] XYZ Vulnerability Exploit Attempt [**]
[Priority: 5]
10/05-14:15:49.144095 192.168.1.145:1035 -> 10.10.10.1:1900
UDP TTL:4 TOS:0x0 ID:41 IpLen:20 DgmLen:161
Len: 133

The above IDS event correlates with the vulnerability profile: the destination host 10.10.10.1 does have the XYZ Vulnerability that the alert refers to. This increases the probability that an actual attack is in progress, and the security administrator can be confident that he is not dealing with a false positive.
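As an added example (not code from the article or from any SEM product), here is the vulnerability-based correlation just described in Python: the Snort alert header above is parsed, the destination host is looked up in a vulnerability profile shaped like the article's table, and the incident criticality is derived from the vulnerability's severity rating and an asset criticality rating. The asset ratings, the scoring formula (severity multiplied by asset criticality), the second alert against 10.10.10.7 and the name-based matching of alert message to vulnerability are constructed assumptions for illustration; a production SEM would map Snort signature ids to CVE identifiers instead.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vulnerability profile in the shape of the article's table
# (host -> list of {vulnerability, type, severity}). Hypothetical data.
VULN_PROFILE = {
    "10.10.10.1": [
        {"vulnerability": "XYZ Vulnerability",
         "type": "Privilege escalation", "severity": 3},
    ],
}

# Constructed asset repository: criticality rating per host (1 = low, 5 = critical).
ASSET_CRITICALITY = {"10.10.10.1": 4}

# The Snort alert quoted in the article (alert header lines only).
SNORT_ALERT = """[**] [1:1917:6] XYZ Vulnerability Exploit Attempt [**]
[Priority: 5]
10/05-14:15:49.144095 192.168.1.145:1035 -> 10.10.10.1:1900
UDP TTL:4 TOS:0x0 ID:41 IpLen:20 DgmLen:161
Len: 133"""

# A constructed alert of the same shape against a host that has no matching vulnerability.
UNRELATED_ALERT = """[**] [1:9999:1] XYZ Vulnerability Exploit Attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
10/05-14:16:02.000001 192.168.1.145:1036 -> 10.10.10.7:1900
UDP TTL:4 TOS:0x0 ID:42 IpLen:20 DgmLen:161
Len: 133"""

# Snort full-alert header: "[**] [gid:sid:rev] msg [**]", an optional classification,
# the priority, then "timestamp src:port -> dst:port".
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s*\n"
    r"(?:\[Classification:[^\]]*\]\s*)?\[Priority:\s*(?P<priority>\d+)\]\s*\n"
    r"(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    src: str
    dst: str
    dport: int


def parse_snort_alert(text: str) -> Alert:
    """Extract the fields a correlation engine needs from a Snort alert header."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("text does not look like a Snort alert header")
    return Alert(int(m["sid"]), m["msg"], int(m["priority"]),
                 m["src"], m["dst"], int(m["dport"]))


def vulnerability_match(alert: Alert) -> Optional[dict]:
    """Return the destination host's vulnerability record that the alert refers to, if any."""
    for vuln in VULN_PROFILE.get(alert.dst, []):
        # Name-based matching for illustration only; a real SEM maps signature ids to CVE ids.
        if vuln["vulnerability"].lower() in alert.msg.lower():
            return vuln
    return None


def correlate(alert: Alert) -> dict:
    """Vulnerability-based correlation: confirm the target is vulnerable, then score the incident."""
    vuln = vulnerability_match(alert)
    if vuln is None:
        # The IDS fired, but the target does not have the vulnerability: treat it as a
        # probable false positive at the lowest criticality rather than paging anyone.
        return {"verdict": "probable false positive", "criticality": 1, "matched": None}
    # Constructed scoring: vulnerability severity weighted by how critical the asset is.
    criticality = vuln["severity"] * ASSET_CRITICALITY.get(alert.dst, 1)
    return {"verdict": "confirmed vulnerable target",
            "criticality": criticality, "matched": vuln["vulnerability"]}


if __name__ == "__main__":
    for text in (SNORT_ALERT, UNRELATED_ALERT):
        alert = parse_snort_alert(text)
        print(alert.src, "->", alert.dst, correlate(alert))
```

The same signature fires for both alerts, yet only the one aimed at 10.10.10.1 is escalated, because only that host carries the vulnerability the signature refers to; the other is held at the lowest criticality for later review.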

Let’s see how correlating security events can mitigate the risk involved in the case of blended threats by taking the example of a worm. Consider the following scenario.

1. John opens an e-mail attachment and unknowingly downloads malware.

2. The malware periodically tries to send HTTP requests to a remote Web server.

3. The HTTP response is used to infect the machine with a worm.

4. The worm periodically scans network blocks to find vulnerable machines.

5. It exploits a particular vulnerability and propagates to Ram’s machine.

6. At Ram’s machine it installs a DDoS server.

7. It again scans network blocks for vulnerable machines.

Rule

The scan from John’s machine will generate logs.

Exploitation of the vulnerability will generate logs.

The scan from Ram’s machine will generate logs.

The correlation rule can be:

Rule Part-1 – Scanning events from John’s IP

These immediately initiate correlation against Ram’s vulnerability profile, which gives a match.

Rule Part-2 – Look for exploitation of the vulnerability (reported by the IDS)

This triggers an alert, since the above two events have been correlated and the vulnerability profile has been matched and confirmed.

Rule Part-3 – Look for scanning events from Ram’s IP

Together, the above three security events generate a single high-priority alert of suspicious activity and notify the security administrators of a virus infection, which can be contained immediately.

The impending threat of a Distributed Denial-of-Service attack carried out by all the infected machines, each running a DDoS server, is prevented, along with the resulting loss of business continuity and revenue.

Using a combined approach of rule-based and vulnerability-based correlation, as shown in the example above, this worm propagation can be stopped and the infection contained.
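The three-part rule above, written out as a small stateful correlation engine (an added example, not code from the article or from any SEM product). It consumes normalised events of two kinds, scan observations from firewall or IDS logs and exploit alerts from the IDS, and combines the rule-based and vulnerability-based approaches: an incident is opened when a host scans a block containing a host with a known vulnerability (Part 1), escalated when the IDS reports exploitation of exactly that vulnerability against that host (Part 2), and turned into a single high-priority alert when the newly infected host starts scanning in turn (Part 3). The IP addresses, the vulnerability profile, the scan threshold (five distinct destinations within ten minutes) and the event trace are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vulnerability profile (host -> vulnerabilities it actually has);
# 10.10.10.1 plays Ram's machine from the article's table.
VULN_PROFILE = {"10.10.10.1": {"XYZ Vulnerability"}}

SCAN_THRESHOLD = 5   # distinct destinations from one source before we call it a scan (assumed)
WINDOW = 600         # seconds of scan state kept per source (assumed)


@dataclass
class Event:
    ts: int               # seconds since the start of the constructed trace
    kind: str             # "scan" (firewall/IDS scan detection) or "exploit" (IDS alert)
    src: str
    dst: str
    signature: str = ""   # for exploit events: the vulnerability the IDS signature targets


@dataclass
class Incident:
    scanner: str
    stage: int = 1        # 1 = scanning, 2 = exploited a vulnerable host, 3 = victim now scanning
    victim: str = ""
    vulnerability: str = ""
    evidence: List[Event] = field(default_factory=list)


class WormRule:
    """Rule-based plus vulnerability-based correlation for the scan -> exploit -> scan pattern."""

    def __init__(self) -> None:
        self.scan_targets: Dict[str, Dict[str, int]] = defaultdict(dict)  # src -> {dst: last ts}
        self.incidents: Dict[str, Incident] = {}                           # scanner -> incident
        self.alerts: List[dict] = []

    def _is_scanning(self, ev: Event) -> bool:
        targets = self.scan_targets[ev.src]
        targets[ev.dst] = ev.ts
        for dst, ts in list(targets.items()):      # expire destinations outside the window
            if ev.ts - ts > WINDOW:
                del targets[dst]
        return len(targets) >= SCAN_THRESHOLD

    def feed(self, ev: Event) -> Optional[dict]:
        if ev.kind == "scan":
            if not self._is_scanning(ev):
                return None
            # Part 3: the scanning host is the victim of an incident already at stage 2.
            for inc in self.incidents.values():
                if inc.stage == 2 and inc.victim == ev.src:
                    inc.stage = 3
                    inc.evidence.append(ev)
                    alert = {"priority": "high", "scanner": inc.scanner, "victim": inc.victim,
                             "vulnerability": inc.vulnerability, "events": len(inc.evidence)}
                    self.alerts.append(alert)
                    return alert
            # Part 1: a new scanner whose targets include a host with a known vulnerability.
            vulnerable = [d for d in self.scan_targets[ev.src] if d in VULN_PROFILE]
            if vulnerable and ev.src not in self.incidents:
                self.incidents[ev.src] = Incident(scanner=ev.src, evidence=[ev])
        elif ev.kind == "exploit":
            inc = self.incidents.get(ev.src)
            # Part 2: exploit alert from the scanner, for a vulnerability the target really has.
            # An exploit alert against a host without that vulnerability is left alone.
            if inc and inc.stage == 1 and ev.signature in VULN_PROFILE.get(ev.dst, set()):
                inc.stage, inc.victim, inc.vulnerability = 2, ev.dst, ev.signature
                inc.evidence.append(ev)
        return None


def run_rule(events: List[Event]) -> List[dict]:
    """Replay a trace through the rule in time order and return the alerts it raised."""
    rule = WormRule()
    for ev in sorted(events, key=lambda e: e.ts):
        rule.feed(ev)
    return rule.alerts


JOHN, RAM = "192.168.1.145", "10.10.10.1"   # constructed addresses

# Constructed event trace following the article's scenario.
SAMPLE_EVENTS = (
    [Event(t, "scan", JOHN, f"10.10.10.{t + 1}") for t in range(6)]               # John scans 10.10.10.1-6
    + [Event(30, "exploit", JOHN, RAM, "XYZ Vulnerability")]                      # IDS: exploit against Ram
    + [Event(31, "exploit", "192.168.1.77", "10.10.10.9", "XYZ Vulnerability")]   # noise: target not vulnerable
    + [Event(120 + t, "scan", RAM, f"10.10.11.{t + 1}") for t in range(6)]        # Ram scans the next block
)

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the trace produces exactly one alert, naming John's machine as the scanner and Ram's as the victim and citing the three events that built it; the stray exploit alert against 10.10.10.9 and the scan events that never reach the threshold produce nothing, which is the false-positive reduction the article is after.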

Yogesh M Badwe works as a Security Engineer (Managed Services). Apart from being CCNP and ITIL certified, he also holds the ‘Certified Vulnerability Assessor [cVa]’ certification.

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.