Thursday, November 06, 2008

Defining Security Event Correlation

This is my final post discussing security event correlation (SEC) for now. (When I say SEC I do not mean the Simple Event Correlator [SEC] tool.)

Previously I looked at some history regarding SEC, showing that the ways people thought about SEC really lacked rigor. Before describing my definition of SEC, I'd like to state what I think SEC is not. So, in my opinion -- you may disagree -- SEC is not:

  1. Collection (of data sources): Simply putting all of your log sources in a central location is not correlation.

  2. Normalization (of data sources): Converting your log sources into a common format, while perhaps necessary for correlation (according to some), is not correlation.

  3. Prioritization (of events): Deciding what events you most care about is not correlation.

  4. Suppression (via thresholding): Deciding not to see certain events is not correlation.

  5. Accumulation (via simple incrementing counters): Some people consider a report that one has 100 messages of the same type to be correlation. If that is really correlation I think your standards are too low. Counting is not correlation.

  6. Centralization (of policies): Applying a single policy to multiple messages, while useful, is not correlation itself.

  7. Summarization (via reports): Generating a report -- again helpful -- by itself is not correlation. It's counting and sorting.

  8. Administration (of software): Configuring systems is definitely not correlation.

  9. Delegation (of tasks): Telling someone to take action based on the above data is not correlation.


So what is correlation? In my last post I cited Greg Shipley, who said if the engine sees A and also sees B or C, then it will go do X. That seems closer to what I consider security event correlation. SEC has a content component (what happened) and a temporal component (when it happened). Using those two elements you can accomplish what Greg describes.

I'd like to offer the following definition, while being open to other ideas:

Security event correlation is the process of applying criteria to data inputs, generally of a conditional ("if-then") nature, in order to generate actionable data outputs.
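To make the definition concrete, here is an added example (mine, not code from the post) of a rule of the Shipley form "if A and also B or C, then do X", run over a handful of constructed log lines. Every host name, address, signature number and log line in it is made up for the example. The rule has a content component (the event types, and matching the attacker and victim addresses across three different sources) and a temporal component (B or C must land within five minutes of A). The count_by_type function shows, for contrast, what item 5 above produces from the same input.

```python
"""Minimal security event correlation engine (added example, not from the post).

Rule: A = IDS reports an exploit attempt from src to dst
      B = within WINDOW, the firewall allows a connection from dst back to src
      C = within WINDOW, a new user account appears on dst
      X = emit an incident record naming victim, attacker and a next action
"""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not output of any real device). One event per
# line: "<ISO timestamp> <reporting host> <source> <EVENT> key=value ...".
SAMPLE_LOGS = """\
2008-11-06T10:00:01 ids1 snort EXPLOIT_ATTEMPT src=10.1.1.5 dst=192.168.1.20 sig=1234
2008-11-06T10:00:03 fw1 pix DENY src=10.1.1.5 dst=192.168.1.21 dport=445
2008-11-06T10:02:40 fw1 pix ALLOW src=192.168.1.20 dst=10.1.1.5 dport=4444
2008-11-06T10:30:00 ids1 snort EXPLOIT_ATTEMPT src=10.1.1.9 dst=192.168.1.30 sig=1234
2008-11-06T11:45:00 fw1 pix ALLOW src=192.168.1.30 dst=10.1.1.9 dport=80
2008-11-06T12:00:00 ids1 snort EXPLOIT_ATTEMPT src=10.1.1.7 dst=192.168.1.40 sig=1234
2008-11-06T12:01:10 srv40 auth USER_ADDED dst=192.168.1.40 user=backup2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)((?: \w+=\S+)*)$")
WINDOW = timedelta(minutes=5)  # temporal component: B or C must follow A within this


def parse(log_text):
    """Parse the constructed format into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, source, kind, kv = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "host": host,
              "source": source, "type": kind}
        for pair in kv.split():
            key, value = pair.split("=", 1)
            ev[key] = value
        events.append(ev)
    return events


def count_by_type(events):
    """Item 5 in the post: accumulation. Useful, but it is counting, not correlation."""
    counts = {}
    for ev in events:
        counts[ev["type"]] = counts.get(ev["type"], 0) + 1
    return counts


def correlate(events):
    """Apply the if-then rule: A and (B or C) inside WINDOW -> incident (X)."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for a in events:
        if a["type"] != "EXPLOIT_ATTEMPT":
            continue  # content component: A must be an IDS exploit attempt
        attacker, victim = a["src"], a["dst"]
        deadline = a["ts"] + WINDOW
        for e in events:
            if not (a["ts"] < e["ts"] <= deadline):
                continue  # outside the temporal window of this A
            b = (e["type"] == "ALLOW" and e.get("src") == victim
                 and e.get("dst") == attacker)        # victim calls attacker back
            c = e["type"] == "USER_ADDED" and e.get("dst") == victim
            if b or c:
                incidents.append({
                    "victim": victim,
                    "attacker": attacker,
                    "trigger": a["ts"].isoformat(),
                    "evidence": e["type"],
                    # X: the actionable output the definition asks for
                    "action": f"isolate {victim}; pull full content for {attacker}",
                })
                break  # one incident per A is enough; analysts take it from here
    return incidents


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("counts:", count_by_type(evs))
    for inc in correlate(evs):
        print("INCIDENT:", inc)
```

Run on the sample, the counter reports three exploit attempts, but only two become incidents: the second attempt has a matching outbound ALLOW, yet it falls well outside the five-minute window, so the temporal component discards it. The action string stands in for the "actionable data output" of the definition; in a real operation it would be a ticket or a queued task for an analyst rather than a printed line.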

So what about the nine elements listed above? They all seem important. Sure, but they are not correlation. They are functions of a Security Information and Event Management (SIEM) program, with correlation as one component. So, add correlation as item 10, and I think those 10 elements encompass SIEM well. This point is crucial:

SIEM is an operation, not a tool.

You can buy a SIEM tool but you can't buy a SIEM operation. You have to build a SIEM operation, and you may (or may not) use a SIEM to assist you.

Wait, didn't Raffy say SIM is dead? I'll try to respond to that soon. For now let me say that the guiding principle for my own operation is the following:

Not just more data; the right data -- fast, flexible, and functional.

6 comments:

Anonymous said...

Richard,

Thanks for sharing your insights publicly. I often share and advocate many of the observations you document in your blog. I am interested to know what you think about deep packet inspection as it relates to Security Event Correlation.


From GCN

http://www.gcn.com/online/vol1_no1/47475-1.html?topic=security

Leveraging deep packet inspection
Deep packet inspection applications offer agency IT managers improved tools to monitor and secure agency networks.

Seth Hall said...

Exactly! Thanks for this post, hopefully it will help start some more discussion within the industry about what correlation really means.

And extremely importantly in my mind..
...snip...
Not just more data; the right data -- fast, flexible, and functional.
.../snip...

I really like the "Google" approach of just throwing everything in a big pile and then searching there. Like you mentioned though, if you're going to have a big pile you might as well put the best data possible into it. That seems to be the general direction that your thinking is headed.

Sebastien said...

My actual definition for IDS correlation is the following:
"Transform one or several alerts into an attack".

What do we want to get from those IDS? Attacks.

Sometimes correlation occurs when alerts are enriched from an informational source, sometimes one alert is enough to discover an attack, sometimes you need to follow steps, or it can even be because of an event storm.

I gave a presentation at CanSecWest 2008 on the subject. Slides are available here: http://cansecwest.com/csw08/csw08-tricaud-chiffier.pdf

There are a lot of things to say about the correlation (buzz?)word. Sec is one side of the answer.

Richard Bejtlich said...

DPI is nothing but a buzzword to repackage old ideas.

Anonymous said...

My take is that correlation implies cross-device analysis, which is meant to eliminate the "island view" problem that plagues the IDS/IPS with so many false positives. Using this logic, prioritization implies correlating data from various sources:
Vulnerability Scans - V
Target Asset Criticality - T
History of the Attack source - H

For example, a typical formula to calculate the priority based on the criticality of an attack C would be:

P = C x V x T x H, where
C = [0 thru 1]
V = [0 thru 1]
T = [.5 thru 1.5]
H = [1 thru 1.5]

We can see that P can be decreased only by vulnerability data (detected attack is not relevant), and by the target value (target value is low). What is the meaning of this formula?
If the SIEM is used without Vulnerability data and Asset management the false positive issue is going to be accentuated. A SIEM that is not fed with intelligence is worse than IDS.
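The commenter's formula, worked through as an added example (mine, not the commenter's code) in Python. The hosts, the two vulnerability and asset feeds and the alert list are constructed for the example; the only thing taken from the comment is P = C x V x T x H with the stated ranges. The point it makes runnable is the last sentence of the comment: when the vulnerability and asset feeds are absent, the engine has no choice but to treat every factor as neutral, and an attack against a host that is not vulnerable scores the same as the same attack against a vulnerable one.

```python
"""Alert prioritization per the formula in the comment (added example).

P = C x V x T x H, with C in [0,1], V in [0,1], T in [0.5,1.5], H in [1,1.5].
Only V (target not vulnerable) and T (target unimportant) can pull P below C.
"""

RANGES = {"C": (0.0, 1.0), "V": (0.0, 1.0), "T": (0.5, 1.5), "H": (1.0, 1.5)}


def priority(C, V, T, H):
    """Compute P, refusing factors outside the ranges the formula assumes."""
    for name, val in (("C", C), ("V", V), ("T", T), ("H", H)):
        lo, hi = RANGES[name]
        if not lo <= val <= hi:
            raise ValueError(f"{name}={val} outside [{lo}, {hi}]")
    return C * V * T * H


# Constructed intelligence feeds (hypothetical hosts, not from any scanner or CMDB).
VULN_SCAN = {"192.168.1.20": 0.0,   # scanner says the target is not vulnerable
             "192.168.1.50": 1.0}   # scanner confirms the target is vulnerable
ASSET_CRITICALITY = {"192.168.1.20": 0.5,   # low-value lab box
                     "192.168.1.50": 1.5}   # critical server

# Constructed alerts: (alert id, target host, C = attack criticality, H = source history).
ALERTS = [
    ("exploit-attempt-sig-1234", "192.168.1.20", 0.9, 1.0),
    ("exploit-attempt-sig-1234", "192.168.1.50", 0.9, 1.5),
]


def prioritize(alerts, vuln_scan=None, asset_criticality=None):
    """Score and rank alerts. A missing feed (None) or an unknown host makes the
    factor neutral (V=1.0, T=1.0): every attack counts as relevant and every
    target as average, which is exactly how the false-positive problem grows."""
    scored = []
    for alert_id, target, C, H in alerts:
        V = 1.0 if vuln_scan is None else vuln_scan.get(target, 1.0)
        T = 1.0 if asset_criticality is None else asset_criticality.get(target, 1.0)
        scored.append((alert_id, target, priority(C, V, T, H)))
    return sorted(scored, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    print("with intelligence:   ", prioritize(ALERTS, VULN_SCAN, ASSET_CRITICALITY))
    print("without intelligence:", prioritize(ALERTS))
```

With both feeds present the alert against 192.168.1.20 scores 0 and can be dropped while the alert against 192.168.1.50 scores above 2; with the feeds removed the same two alerts score 0.9 and 1.35, so the non-vulnerable host now demands an analyst's time.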

Roman said...

Anonymous: A SIEM that is not fed with intelligence is worse than IDS.

Actually, I believe the point is that a SIEM that is not manned by (an) intelligence is worthless. Humans correlate information into actionable items; SIEMs can only provide data to that human. If the SIEM isn't providing the right data to that human, the SIEM is worthless. If you don't have a human handling the correlation, you don't have correlation.

Compare this with creating intelligence (the military kind; not the "intelligence" inside the SIEM): you have collector platforms that pull in all kinds of data, and there are technical processes that munge and massage it a bit, but until an intelligence analyst gets ahold of that information and correlates/processes it, it remains information. Once correlated and processed, it becomes intelligence, and thus is now actionable (as long as your analysts are getting the job done).