neuSECURE
Transcription

1 neuSECURE
Security Operations and Threat Management Software for the Enterprise
© Copyright 2002 GENESIS COMMUNICATION GENESISCOM-V4.1-E./ UZ / 26.03.2002

• The neuSECURE product was designed for the Security Analyst by Security Analysts who understood what was needed to battle a real-time threat.
• The neuSECURE product was designed to be a complete, self-contained system: an operating system that is already stripped down and hardened, a database system with a pre-built schema, a built-in trouble ticketing system and an easy-to-access browser interface for both the operations and administration functions.
• The neuSECURE architecture was designed to handle and correlate large amounts of data in real time so that a true threat can be established and dealt with in real time.

2 Finding Security Events in the Noise
24 hours of data:
• 20 Million Events from different Sources
• 5000 Alerts
• 50 Tickets
• 2 Severe Issues

3 Product Architecture
• The neuSECURE product features a modular architecture.
• The EAMs are standalone devices placed at logical points on the network near the security devices that are reporting events. The EAM handles the collection, normalization, encryption and forwarding of the event logs to the Central Management System.
• Sensors typically send their information over UDP and in the clear, with no security. The EAM encrypts the security event information and assures that it arrives at the CMS.
• In the event that the communications between the EAM and the CMS are disrupted, the EAM will buffer the event information until communications are restored.
• The CMS is responsible for the Event Correlation, Event Analysis, Threat Validation and the Threat Prioritization.
• The CMS uses a patent pending multivariate correlation analysis to evaluate and prioritize the threats.
• The CMS is modular in that each of the core components can reside on a single system or can be distributed across multiple hardware platforms in order to handle very large loads of events.
• Unlike competing products, all access to the neuSECURE software, for things such as threat monitoring, countermeasures and administration, is done from a web browser based interface. This web browser access can be done over SSL, running HTTPS.

4 EAM Architecture
• The EAM takes the raw data from the sensor devices and normalizes it for processing by the CMS. Normalization is the process where all the common information, such as Source IP, Source Port, Sensor Name etc., is placed in its appropriate fields.
• Any extra information, such as the translated destination and source IP and Port from a Checkpoint firewall, is stored in a special field called “Info”. GuardedNet does not throw any sensor information away.
• After the information is normalized it is encrypted using ARC4 and sent to the CMS.
• The EAM receives the majority of event information via Syslog or SNMP.
• The EAM can also take in event information in raw form directly from selected sensors such as ISS RealSecure.
• The EAM can also take in event information using Checkpoint's OPSEC protocol or Cisco's POP protocol.
• GuardedNet currently supports approximately 50 sensor devices, which are listed on the GuardedNet web site. We can test and add any new devices that you may have that support SNMP or Syslog within approximately 2 weeks.
5 CMS Architecture
Diagram: Central Management System (CMS™) Architecture. Web-based Console Manager (WCM™); Event Aggregation Module(s) (EAM™); Alerting & Response Module; Correlation Management Module; Event Ticketing Module; Relational Database; Historical Reporting Module; Email, Paging, Alert API; Ticketing System API; Network Management API; Policy Enforcement API.

• The CMS has a number of built-in modules to do Alerting, Trouble Ticketing, Historical Reporting, etc.
• In order to interface with third party packages the CMS also has built-in APIs for E-mail, Customer Ticketing systems, Network Management and Policy Enforcement systems.
• Once the CMS has received the event information and performed a correlation analysis on it, the event information is stored in a MySQL database.
• MySQL was found to be 10 times faster than the most popular databases on the market, and the price is affordable.
• For those customers who prefer to have their event information stored on their own existing standard commercial database system, neuSECURE has the database APIs to interface to.

6 Correlation Management Module
• neuSECURE is an anomaly based correlation system instead of a rules based correlation system.
• A rules based system is difficult to maintain and easy to evade.
• Every IDS system adds 300 or more signatures to its inventory every year. A rules based system would have to account for all of the new signatures, and since the signatures come out every week, every week the rules based correlation would have to be updated.
• Rules are fixed: if you have a rule that states an alert is to be generated if a “reject event” is found on a firewall from the same host name once every 5 minutes, then the hacker who is accessing the system once every 10 minutes is going to be passed by.
• An anomaly system is looking for things that are out of the ordinary and can account not only for known intrusion routines but will also be able to detect new and unknown routines more successfully than a rules based system can.
• GuardedNet has produced an 8 page document that explains in detail how the anomaly correlation is done, called “Correlation – Security’s Holy Grail?”, which is available to you through the GuardedNet web site.
• Our correlation engine uses a patented process referred to as a “multivariate correlation analysis”. This correlation takes into account many variables, such as the frequency of events, the geographical locations of the source of the events, the type of event, etc., all with varying weights to be used in the final determination of the level and severity of the threat.
• The customer is able to influence the outcome of the threat severity by having the capability to change the weight of some of the variables, such as the source and destination weights of the networks and hosts and the validity and priority of the individual events. This is also used to minimize the number and frequency of the false positives.
• During the initial installation GENESISCOM will work with the customer to establish a baseline for the anomaly correlation system and tune out the false positives.

7 Scalability
• neuSECURE is modularized for scalability so that it can all be placed on a single piece of hardware or distributed globally on multiple hardware platforms.
• The scalability not only allows a customer to grow in size but will also allow the customer to take on new sensors in the future that can produce thousands of events per second, such as adding Server and Workstation HIDS software.
• The modular systems (correlation engine, reporting system, interface system and database management system) that make up the CMS can be distributed among multiple hardware devices in order to grow as the events per second grow and outstrip the existing hardware capabilities.
• neuSECURE modularity also gives the customer high availability by providing the capability of having redundant EAMs and/or CMSes, in an active/active configuration that allows the slave device to take control if the master device fails.

8 Web-based Console Manager
• Secure, anytime, anywhere access to a centralized view of the security environment.
• Internet Explorer 5.5 or greater.
• Provides world-wide accessibility to the management console.
• Security through SSL (HTTPS).

• neuSECURE uses a Web-based Console Manager instead of a Windows based manager.
• The disadvantage of a Windows based manager is that it requires client software to be added to the laptop or PC. Since the security analyst typically does not sit in front of a screen monitoring the threat activity, it is important to be able to give the security analyst access to neuSECURE from anywhere, with whatever device is available at the time of the incident. This can more readily be done with browser based access than it can with a client-installed Windows GUI.
• Security for access is available through an SSL connection using HTTPS and can be used in conjunction with all of the other security measures that the customer has, such as PKI, VPN and RADIUS services, etc.

9 Web-based Console Manager
(The notes for this slide repeat those of slide 8.)

10 Host Information
• Clicking an IP address (either as a source or destination of a threat) from within the Dashboard will open the Host Window.
• The Host window provides an increasingly granular view of information about the IP threat.
• The first field, “Security Domain Membership”, will show whether the IP address belongs to one of the internal domains of the enterprise (where 60-70% of attacks occur) or whether the IP address is outside of the Enterprise.
• The second field, “Destination Security Domain”, will show what domains in the Enterprise are under attack from this particular IP address.
• The third field, “Destination Hosts”, shows which hosts within the enterprise are being threatened.
• The fourth field, “Event Statistics”, shows a summary of the events that led to this attack.
• The fifth field, “Vulnerabilities”, will show whether the Nessus program has found any vulnerabilities associated with this IP address.
• The sixth field, “Firewall Rules”, will show if at any time in the past temporary firewall rules were activated against this IP address.
• The seventh field, “Notes”, is used by the user to add information to this record that can show things like what actions were taken, what e-mails or formal cease-and-desist letters were sent, or any information that the Security Analyst would like to become a permanent part of this IP address record.
• Optional views are Host as a Source or Destination and the Time of events from one to twelve months.

11 Host Information
• At the top of the window are two pull down menus, “Watchlist” and “Action”.
• The Watchlist provides a visual enhancement of networks (colored border) and hosts (solid color) by using color coding.
• Watchlists are created by the user and can be used for things such as showing when a terrorist (information provided by the FBI through InfraGard) is threatening your enterprise.
• Watchlists can also be used to track secure zones, critical computers, competitors, etc.
• If a Security Analyst feels they have enough information pertaining to this threat then they can use the “Actions” tool menu to respond to the threat.
• The Actions options are: Open a New Ticket, View the Last 200 Events for this Host, View Detailed Information on the Parent Network, View the Host Definition, Initiate a set of Firewall Rules against this Host.
• The Actions menu allows a Security Analyst to take countermeasures immediately without ever having to leave the neuSECURE program.

12 Host Information Toolkit
• neuSECURE does the initial “whois” query of the attacking host IP address through ARIN (or other geographically appropriate registries). Because ARIN has limits on how many queries can be made and how often, neuSECURE does this in the background for the analyst so that the information is ready when the Security Analyst is ready to do the investigation.
• This information can include a mailing address for formal letter notification, an e-mail address for sending a quick cease-and-desist message and phone numbers for calling directly.
• There are also a dozen scanning tools available to help the Security Analyst gather additional information on the attacking host.
• Release 1.6 of neuSECURE will also give the Security Analyst the capability of adding their own pet scanning programs or scripts.
• The scanned information becomes a permanent part of the record and avoids having multiple people perform the same scan. This information is refreshed when the scan is redone.
• Some of the scans are highly visible and can be restricted to just those analysts who know how to use the tools properly.

13 Event Search Criteria
• If additional event information is required, one of the options in the Actions pull down menu is “View Events from This Host”.
• Clicking on this option brings up an event search window that is pre-filled for the analyst to find the last 200 events over the last 3 months that are associated with this IP address.
• If the Analyst wishes, they can change the default search by filling in the fields to do a more granular search. This is done by filling in the optional fields such as sensor name, sensor type, threat priority, event type, etc.
• Clicking on the “Search” button brings up the list of events that are associated with the threatening IP address.
• Very complex searches can be done by using “regular expressions” in the search fields.

14 Event Search Results
The following is the list of fields found in the Event Search Window. It is important to note that all of the data from the original event has been preserved to allow for forensic investigation.
• ID – A unique identifier given to every event within the neuSECURE system that is based upon the EAM time.
• EAM Time – An NTP-synced time that provides chronological ordering of data within the neuSECURE system and also allows for proper forensic analysis. Since there is no guarantee that the sensor’s time has been kept in sync, the sensor time is kept, but the EAM also stamps the event when it is received. All neuSECURE components, including the EAM, are synchronized using NTP (Network Time Protocol). The delay between the sensor and EAM is typically instantaneous (milliseconds).
• Sensor Time – The Sensor Time column is hidden by default and can be unhidden by right-clicking on the header line. This is the actual time the sensor reported in the security event.
• Sensor Name – The neuSECURE name for the sensor, which includes the security domain prefix and so facilitates immediate identification of the domain the sensor belongs to.
• Sensor Type – A neuSECURE label, based on the type of sensor defined when the sensor was configured within the system. This also makes identification of the device quick and easy.
• Protocol – Network protocol reported by the sensor for the incident in question.
• SrcIP – The source IP address for the event reported by the sensor. This field can be drilled into by right-clicking and choosing Search (Event Search Criteria with IP as source) or Query (Host Information window).
• DstIP – The destination IP address for the event reported by the sensor. This field can be drilled into by right-clicking and choosing Search (Event Search Criteria with IP as destination) or Query (Host Information window).
• SrcPort – The source service port for the event reported by the sensor.
• DstPort – The destination service port for the event reported by the sensor.
• Priority – neuSECURE defined priority for the event (can be ignored for the demonstration).
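The normalization step described on the EAM Architecture slide and the event columns listed above, as an added example that is not GuardedNet's code: raw lines are mapped into the fixed columns, an NTP-stamped EAM time is added next to the sensor's own time, and every leftover key lands in Info so nothing is discarded. The two log formats, the device names, the "dmz" security domain prefix and the sensor type table are all constructed for the example and are not the real Check Point, RealSecure or Snort syntaxes.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Event:
    """One normalized event: the fixed columns from the Event Search slide,
    plus Info (everything else) and the untouched raw line for forensics."""
    id: str
    eam_time: datetime      # stamped by the EAM on receipt (NTP-synced clock)
    sensor_time: str        # the sensor's own, possibly unsynced, time
    sensor_name: str        # security-domain prefix + device name
    sensor_type: str
    event_name: str
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    info: dict = field(default_factory=dict)
    raw: str = ""


# Constructed key=value format (not the real Check Point syntax); NAT data
# arrives as xlate* keys and must survive in Info.
KV_RE = re.compile(r"(\w+)=(\S+)")
# Constructed positional format (not the real RealSecure/Snort syntax):
# "<date> <time> <device> <event> <proto> <src>:<sport> -> <dst>:<dport> [k=v ...]"
POS_RE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<device>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*(?P<rest>.*)$"
)
COMMON = ("time", "device", "action", "proto", "src", "dst", "sport", "dport")


class EAM:
    def __init__(self, domain, sensor_types, clock=None):
        self.domain = domain                # security domain this EAM serves
        self.sensor_types = sensor_types    # configured device name -> sensor type
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.seq = 0

    def _parse(self, line):
        m = POS_RE.match(line)
        if m:
            fields = m.groupdict()
            fields.update(KV_RE.findall(fields.pop("rest")))
            return fields
        return dict(KV_RE.findall(line))

    def normalize(self, line):
        fields = self._parse(line)
        missing = [k for k in COMMON if k not in fields]
        if missing:
            # Refuse rather than silently drop data: the slide's rule is that
            # nothing from the sensor is thrown away.
            raise ValueError(f"cannot normalize {line!r}: missing {missing}")
        self.seq += 1
        now = self.clock()
        return Event(
            id=f"{now.strftime('%Y%m%d%H%M%S')}-{self.seq:06d}",  # derived from EAM time
            eam_time=now,
            sensor_time=fields["time"],
            sensor_name=f"{self.domain}.{fields['device']}",
            sensor_type=self.sensor_types.get(fields["device"], "unknown"),
            event_name=fields["action"],
            protocol=fields["proto"].lower(),
            src_ip=fields["src"],
            dst_ip=fields["dst"],
            src_port=int(fields["sport"]),
            dst_port=int(fields["dport"]),
            info={k: v for k, v in fields.items() if k not in COMMON},
            raw=line,
        )


# Constructed sample lines: a firewall accept carrying NAT fields, and an IDS
# whose own clock runs 40 minutes behind the firewall's.
SAMPLE_LINES = [
    "time=2002-03-26T09:00:01 device=fw1 action=accept proto=TCP src=10.20.1.7 "
    "dst=192.0.2.10 sport=33211 dport=80 xlatesrc=203.0.113.5 xlatesport=40010",
    "2002-03-26 08:20:03 ids1 PORTSCAN tcp 198.51.100.9:4444 -> 10.10.5.5:22 sid=1234",
]
SENSOR_TYPES = {"fw1": "checkpoint_fw", "ids1": "snort"}


def normalize_all(lines=SAMPLE_LINES):
    """Normalize the sample and order it by EAM time, which is what gives the
    analyst a chronological view regardless of each sensor's clock."""
    eam = EAM("dmz", SENSOR_TYPES)
    return sorted((eam.normalize(l) for l in lines), key=lambda e: e.eam_time)


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev.id, ev.sensor_name, ev.event_name, ev.src_ip, ev.dst_ip, ev.info)
```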
15 Event Search Display Filters
• It is possible to filter out events in the real-time and event search windows by activating user-predefined filters.
• Investigation is much easier when “extra” or unimportant (to the investigation) data events, such as an “accept” event from a firewall, are hidden.
• Display filters do not affect the data that is stored in the event database.
• Even with filters turned on it is still possible to see the filtered data intermixed with non-filtered data. The filters can be turned on/off with the Show/Hide drop down menu at the top right of the Event Search window. Filtered events will appear with a light blue background.

16 Event Search Options
• The Event Search Window shows an EAM time stamp for each event. Even though each sensor may have its own local time associated with the event (Sensor Time), the EAMs and CMSes are all synced to a single clock (using NTP) in order to allow the Security Analyst to see all of the events in chronological order.
• By default, there are several hidden fields: Sensor Time and Translated Source/Destination IP/Port. The latter are most applicable to CheckPoint Firewall-1 data, as this device reports Network Address Translation (NAT) data as appropriate.
• The selected data can be exported to the neuSECURE trouble ticketing system as a hyperlink.
• In release 1.6 event data can also be “exported” to the customer's internal ticketing system (Remedy, Clarify, Peregrine).
• To make quick work of “abuse” incidents and forward offending traffic events to a third party, multiple events can be selected (Shift- or Control-click Event ID cells) and Exported (right-click on an Event ID cell). One Export destination is the Clipboard. The visible data will be copied to the clipboard. This data can be pasted into any application that works with the Clipboard, like an email program.
The email address for the network administrator could have been gleaned from the Host Information window (one click from the main window).
• The data captured to the Clipboard can be sanitized by hiding or showing only the columns that are desired.
• Event data can also be exported in CSV format. Microsoft Excel is one application that will import data from Comma-Separated Value formatted files and allow the user to perform mathematical analysis on the data.

17 Internal Ticketing System
• neuSECURE contains its own ticketing system that allows users to automatically or manually attach relevant events to a single ticket.
• The ticketing system allows users to pass related events amongst groups and individuals. This can easily be used to escalate a series of “interesting” events from lower to higher level support personnel, between operating groups (firewall vs. IDS teams), etc.
• Event data can be “exported” to the customer's internal ticketing system (Remedy, Clarify, Peregrine).
• The ticketing system supports Status, Priority, Owner, User, and Group assignments.
• A non-modifiable notes section is provided that records all notes and changes made to the ticket.
• One of the most important parts of the ticket is the Event Link. Once a ticket has been created, this becomes a hyperlink. The hyperlink will open the Event Search window, producing the specific events linked to the ticket.

18 Events – Real-time Viewer
• The Real-time Event Viewer has the same format as the Event Search.
• The Watchlists and Display Filters become even more important when tens or hundreds of events are streaming past in a given second.
• The real-time viewer is truly real-time; many of the competitors don’t have this capability.
• All of the same features apply that were in the Event Search: exporting data to ticket or clipboard, searching, queries, shown and hidden fields.
• Java Runtime Environment 1.4 is required for the Real-time viewer, geographic map displays, and the Alerting window.

19 Security Baseline – Threat Weighting
• The first place to start configuring neuSECURE to optimize the correlation engine is within the Network and Hosts section of the Infrastructure menu. neuSECURE gives the security administrator the ability to weed out false positives with several different settings. The Network and Hosts section provides a means of setting a threat weighting on the source and destination of networks and hosts.
• Network: For example, the secure network should “never” be the destination of traffic from outside networks. Therefore, the Destination Threat Weighting could be set higher than normal (values are 0-255%). Since there may be many users within this network accessing destinations outside of the network, the Source Threat Weighting could be set lower than normal (100%, or a value relatively lower than other network threat weightings). This would suppress events that are sourced from this network and escalate events that are destined to this network.
• Hosts: Similar to the network example, a host can be configured with Source and Destination Threat Weightings. This could be used to express that the financial server is typically the destination (but not the source) of traffic, and that an employee’s laptop is generally the source of traffic, but not the destination, etc.

20 Security Baseline – Validity and Priority
• The second major area of end-user configuration is formatting the events.
• Eliminating security false positives and creating a security baseline within the system is done by setting the Validity and Priority values (0-255%) for the sensor type and event type.
• Validity denotes the accuracy of the device reporting the event: how likely the sensor is to be reporting an event that actually occurred (“Do you trust this device to report events that actually occur?”). Priority describes how important a specific event is in relation to other events being received by neuSECURE (“How important is this event to our environment?”).
• Since every environment is different, there isn’t a “standard” or “recommended” configuration for this section; however, that is also what makes this such a powerful configuration tool. Default values are 100% for Validity and 50% for Priority.
• Since not all sensors (Checkpoint, PIX) list the same event name for the same event, the “Event Class” can be used to give one name to a specific event across all vendor products (e.g. “fw.accept” will match all firewall accept events from any firewall that is reporting, regardless of vendor and version).

21 Business Rules and Actions
• Actions are executed based on Business Rules. neuSECURE provides several actions that can be executed when a business rule's criteria are met. These include: Alert (a visual/audible alert window to display events), Email, Ticket (internal ticketing system), OPSEC SAM (used for countermeasures with CheckPoint firewalls, although discouraged due to potential DoS), and Shell scripts (executable files on Solaris and Linux systems).
• Stateful Business Rules can be written to execute, over a specified time, any defined action or series of actions when certain criteria are met. These are the same criteria found in the Event Search Criteria, Display Filters, etc. For example, it might be desirable to create a ticket when CodeRed/Nimda events are noticed.
• When creating an automatic ticket, multiple events are attached to a single ticket until that ticket is modified (and then a new ticket is created for subsequent events).
• Multiple actions can be executed for a given rule, and they are executed in the order listed.

22 Advanced Analytics Package
• Custom Report Designer
• Report Scheduler
• Numerous output types

• The neuSECURE system comes with a standard basic package of reports covering summary and detail information by country of source IP, country of destination IP, events, hosts, network destination, network source, sensor name, sensor type and ticket. These reports contain hyperlinks which allow the Security Analyst to drill down for additional information and investigation.
• The custom reporting module (“Advanced Analytics Package”), available in version 1.6, will allow the end user to have virtually any report they need, with the ability to customize existing reports and create new ones as their needs change.
• The custom report writer is Quadbase’s Espress and will allow users to easily design and deploy charts and reports without any coding knowledge.
• Espress contains a built-in scheduler, ad hoc reporting, 30 different chart types and advanced statistical analysis, generates web-ready content, and can be run from any web browser.
• Highly Customizable: Nearly every chart element can be modified or customized in some fashion. In fact there are over 240 different customizable chart attributes. Users can manipulate shading, light source, color, axis scale, grid step, and labels. Legends can be customized as well as fonts, text, annotation, control lines, control areas, and background images. Espress also offers customizable pop-up labels and mouse events. Espress supports internationalization with locale-specific and time zone formatting. Advanced features include time-series zooming, data drill-down, parameterized charts, run-time text substitution, and customizable axis labels.

23 System Administration
• The system status report gives you a quick thumbnail of how your system is operating and how much of a load it is experiencing.
• All major processes can be monitored, stopped, and started through the browser. Additionally, database size, event counts, and names can be determined through this interface. Very little has to be done by the system administrator or DBA, making this product even more appealing to most SOC environments that do not have a DBA onsite. It’s even appealing to environments that currently have DBAs because it’s not an additional burden on them!
• Inbound Event Queue – Count of the events that have been received by the EAMs and are waiting to be processed. This count should always be near zero unless there is an exceptionally heavy load on the system.
• Correlation Engine Status – The first job that the CMS is responsible for is looking at the inbound events and correlating them. The Correlation Engine should always be running.
• Outbound Event Queue – This queue holds events after they have been correlated and before they are stored in the database. Like the Inbound Event Queue, this value should be near zero.
• Archiver Status – The Archiver is responsible for storing correlated events in the database. This process should always be running.
• Network Lookup Queue – To offload the network lookup processes for netblock information and not delay correlation and archiving of the events, this process performs these lookups in the background. With higher event loads, this queue may typically not be near zero.
• Network Lookup Process – The network lookup process is responsible for processing netblock information. This process should always be running.
• EAM Manager – The EAM Manager maintains connectivity to each EAM configured within the system. This includes ensuring the transfer of data, EAM connectivity and encryption between modules. Data cannot flow from the EAM(s) to the CMS without this process. This process should always be running.
• Event Table Status – This window shows the names of the various data tables loaded into the system, their sizes and the last time of access (addition). By default, event data tables are broken on monthly boundaries.

24 User Administration
• Every user that has access to the neuSECURE system can be given highly customizable restricted access.
• The User Administration section contains three important sections: User Accounts, User Profiles, and User Groups.
• Individual User Accounts can be created to give each user individual identification settings and passwords. The individual account will contain the user's contact information as well as what profile and groups are assigned to them.
• The user profile allows the administrator to set permissions for nearly all aspects of the neuSECURE product. Object permissions provide View, Add, Change, and Delete permissions for Security Domains, Users, Hosts & Networks, Sensors, Rules & Actions, Event Definitions, Tickets, and Firewall Rules. Action permissions include Running Reports, Importing Vulnerabilities, and System Administration. Workbench permissions provide granular permissions for each of the investigative workbench tools.
• The user groups allow users to be grouped together and tied to specific security domains. These groupings are useful for attaching specific users to security domains for threat ranking calculations of security domains, as well as for groups that can be used within the ticketing system.
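How the tuning knobs on the Security Baseline slides (Threat Weighting; Validity and Priority) could combine into a single score, as an added example that is not GuardedNet's code: the slides do not describe the patented multivariate correlation itself, so this assumed model simply multiplies the percentages, and every network, host, vendor event name and value below is constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Network and host Threat Weightings, 0-255 percent (100 = neutral).
# "src" scales events sourced from the object, "dst" events destined to it.
NETWORKS = {
    "10.10.0.0/16": {"src": 60, "dst": 220},   # secure network: rarely a legitimate destination
    "10.20.0.0/16": {"src": 100, "dst": 100},  # user LAN: left at the defaults
}
HOSTS = {
    "10.10.5.5": {"src": 20, "dst": 255},      # financial server: destination, not source
    "10.20.1.7": {"src": 100, "dst": 30},      # employee laptop: source, not destination
}
# Event Class: one vendor-independent name for the same event across sensors
# (the vendor event names here are constructed, not real Check Point or PIX ids).
EVENT_CLASS = {
    ("checkpoint_fw", "accept"): "fw.accept",
    ("pix", "accept-conn"): "fw.accept",
    ("checkpoint_fw", "reject"): "fw.reject",
    ("pix", "deny-conn"): "fw.reject",
}
# Validity per sensor type (default 100%) and Priority per event class (default 50%).
VALIDITY = {"checkpoint_fw": 100, "pix": 100, "snort": 70}
PRIORITY = {"fw.accept": 10, "fw.reject": 60, "snort.PORTSCAN": 120}


def event_class(sensor_type, vendor_event):
    """Map a vendor-specific event name to its Event Class, falling back to a
    sensor-type-qualified name so unmapped events still get a priority."""
    return EVENT_CLASS.get((sensor_type, vendor_event), f"{sensor_type}.{vendor_event}")


def _pct(value):
    if not 0 <= value <= 255:
        raise ValueError(f"weighting {value} outside the 0-255% range")
    return value


def weighting(ip, direction):
    """Most specific object wins: host entry, then containing network,
    else neutral (an address outside the enterprise is not adjusted)."""
    if ip in HOSTS:
        return _pct(HOSTS[ip][direction])
    addr = ip_address(ip)
    for cidr, weights in NETWORKS.items():
        if addr in ip_network(cidr):
            return _pct(weights[direction])
    return 100


def threat_score(sensor_type, vendor_event, src_ip, dst_ip):
    """Return (event_class, score). 100 means every factor was neutral;
    a factor of 0 (e.g. a tuned-out event class) zeroes the event."""
    cls = event_class(sensor_type, vendor_event)
    factors = (
        VALIDITY.get(sensor_type, 100),   # do we trust this device?
        PRIORITY.get(cls, 50),            # how important is this event?
        weighting(src_ip, "src"),         # who is it coming from?
        weighting(dst_ip, "dst"),         # what is it aimed at?
    )
    score = 100.0
    for pct in factors:
        score *= pct / 100.0
    return cls, round(score, 2)


if __name__ == "__main__":
    # The laptop browsing out is suppressed; anything reaching the financial
    # server is escalated even when it is "only" a firewall reject.
    print(threat_score("pix", "accept-conn", "10.20.1.7", "192.0.2.10"))
    print(threat_score("checkpoint_fw", "reject", "198.51.100.9", "10.10.5.5"))
    print(threat_score("snort", "PORTSCAN", "10.20.1.7", "10.10.5.5"))
```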
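A stateful business rule of the kind the Business Rules and Actions slide describes, driving the automatic-ticket behaviour from the same slide (events attach to one ticket until an analyst modifies it, then a new ticket is opened), as an added example that is not GuardedNet's code. The event classes, thresholds, timestamps, addresses and the ticket model are constructed for the example and are not neuSECURE's own schema.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Event:
    id: int
    eam_time: float      # seconds on the EAM's NTP-synced clock, not the sensor's
    event_class: str
    src_ip: str


@dataclass
class Ticket:
    id: int
    event_ids: list = field(default_factory=list)
    modified: bool = False   # set once an analyst edits the ticket


class TicketAction:
    """Attach fired events to the current automatic ticket; once an analyst
    has modified that ticket, the next firing opens a fresh one."""

    def __init__(self):
        self.tickets = []
        self._current = None

    def __call__(self, events):
        if self._current is None or self._current.modified:
            self._current = Ticket(id=len(self.tickets) + 1)
            self.tickets.append(self._current)
        self._current.event_ids.extend(ev.id for ev in events)
        return f"ticket:{self._current.id}"


class StatefulRule:
    """Fire the actions, in the listed order, once `threshold` events matching
    `criteria` have arrived within `window_sec` of each other (EAM time)."""

    def __init__(self, criteria, threshold, window_sec, actions):
        self.criteria, self.threshold = criteria, threshold
        self.window_sec, self.actions = window_sec, actions
        self._matches = deque()

    def feed(self, ev):
        """Return the actions' results if the rule fired on this event, else []."""
        if not self.criteria(ev):
            return []
        self._matches.append(ev)
        while ev.eam_time - self._matches[0].eam_time > self.window_sec:
            self._matches.popleft()   # expire matches that fell out of the window
        if len(self._matches) < self.threshold:
            return []
        fired = list(self._matches)
        self._matches.clear()         # a new series has to build up again
        return [action(fired) for action in self.actions]


def is_worm(ev):
    return ev.event_class in {"ids.codered", "ids.nimda"}


# Constructed stream: a burst of three worm hits inside a minute, a straggler,
# a lull, then a second burst. The firewall accept in between must not count.
SAMPLE = [
    Event(1, 0.0, "ids.codered", "198.51.100.9"),
    Event(2, 10.0, "fw.accept", "10.20.1.7"),
    Event(3, 20.0, "ids.nimda", "198.51.100.9"),
    Event(4, 25.0, "ids.codered", "203.0.113.5"),
    Event(5, 30.0, "ids.codered", "198.51.100.9"),
    Event(6, 200.0, "ids.codered", "203.0.113.5"),
    Event(7, 210.0, "ids.nimda", "203.0.113.5"),
    Event(8, 215.0, "ids.codered", "198.51.100.9"),
]


def run_sample(events=SAMPLE, analyst_edits_after=5):
    """Replay the stream. After the event with id `analyst_edits_after` an
    analyst edits ticket 1, so the next firing must open ticket 2.
    Returns (ids of events the rule fired on, event ids per ticket)."""
    ticket = TicketAction()
    rule = StatefulRule(is_worm, threshold=3, window_sec=60, actions=[ticket])
    fired_on = []
    for ev in events:
        if rule.feed(ev):
            fired_on.append(ev.id)
        if ev.id == analyst_edits_after and ticket.tickets:
            ticket.tickets[0].modified = True
    return fired_on, [t.event_ids for t in ticket.tickets]


if __name__ == "__main__":
    print(run_sample())   # ([4, 8], [[1, 3, 4], [6, 7, 8]])
```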
25 Workflow

26 Device Support
• There are approximately 50 sensor devices that neuSECURE supports, with new devices being added to the list every month.
• If the user has a device that is not on our list and it is supported through SNMP or Syslog, then GuardedNet can add that device for the customer within 2 weeks as part of the ongoing maintenance agreement.

27 More about SIM?
• SIM Seminar, 1 October (details in the seminar calendar or on the Web)
• Orbit: booth, Hall 1.1 E39
• GENESISCOM mailing list [email protected]