Security information and event management technology refers to tools and processes for the centralised real-time collection, integration, and analysis of log events occurring in a distributed system. The considerable advantage of centralised SIEM tools is the provision of unified interfaces to a variety of disparate data, while also allowing real-time correlation of the different events occurring in the collected parts, to effectively detect threats to the system [6].

This research involved an investigative study into the augmentation of SIEM technologies within an enterprise environment. A managed enterprise environment faces many issues in providing managed security to clients that are typically large enterprises. An existing managed enterprise was considered as the source for identifying the current security challenges still faced by these environments. The most common security issues discovered were presented as misuse cases:

• brute-force password attacks (MC-5.5.1),

• attempted unauthorised logins (MC-5.5.2),

• malicious SQL injection (MC-5.5.3),

• session hijacking through XSS (MC-5.5.4) and lastly,

• worm propagation (MC-5.5.5).

To determine the possibilities of advancing SIEM frameworks by addressing these challenges and the main concerns affecting security, the research proposed the use of geographic data as exploited in geographic information systems, to increase the certainty of authenticity of certain individuals.

To evaluate this feasibility, an insight into SIEM architecture was required. SIEMs can be defined as holistic approaches to security analysis and detection. The framework centralises and performs mining procedures on the collected data to produce insights into the conditions of all devices and systems being monitored. The methods applied for security data management and exploitation for analytics are a primary area of consideration for geographic data exploitation. Such methods include the techniques of normalisation and pattern correlation detection. Attacks can be profiled and analysed using these correlative abilities to detect patterns of suspicious behaviour on the network. The method of correlation monitors incoming data provided in logs defining certain aspects of an activity; for example, a login process would follow an authentication procedure. Deviations from the normal pattern of such a process raise flags for the attention of security administrators, helping them discover potential attacks within the mass of data collected in real time.

For inclusion within existing techniques such as correlation, geographic co-ordinate data and its application in various security-enforcing systems through GIS are investigated. The advantages of geolocation data identified from existing systems with applied geographic data can determine the augmentation potential of security within a SIEM.

Briefly, the geolocation applications investigated in the areas of security and analytics filtering provided the following advantages:

• Enhanced visualisation [33]: the geographic perspective aided the creation of contextual viewing for administrators.

• Aiding user preparedness and rapid response: the use of a geographic context enabled a user to quickly identify an area of concern and separate it from the unconcerning data.

• Selective display [33]: isolating errors or situations through filters based on geographic location. This assisted in better analysis through isolation of specific areas for evaluation.

• Predictive modelling: data such as geographic location has an element of identification as a characteristic in certain situations. The behaviour of a target in terms of location in relation to time reveals movement patterns, which can be used to create predictions for future events.

• Better network analysis and simulation, provided through the situational awareness that mapping from geolocation offers.

• Improved decision making: this is aided through the increased ability to evaluate a situation and its context from a bird’s-eye view.

• Facilitating dynamic visual intrusion detection [13]: a network system state visualised through physical locations helps link a physical infiltration to the virtual context, allowing security to be considered in context at all layers.

• Risk assessment of assets [47]: locational context can provide the means to prevent the propagation of failures and to prioritise certain assets depending on the physical implications if they are compromised. For example, a dam is high-priority critical infrastructure; if an attacker infiltrated its automated control unit, the repercussions would be extensive. The use of geolocation to collate the asset value with its potential hazard is of instrumental value.

The advantages of geolocation data identified were then discussed in the context of SIEM advancement in two areas: security and privacy. The correct application of geolocation to augment existing security techniques present in SIEM tools, with applied privacy considerations, leads to the satisfaction of the hypothesis stated in this thesis. The hypothesis was stated as follows:

Location-based information enhances SIEM capability to perform advanced security detection.

Privacy-enforcing procedures on geolocation in SIEMs and meta-systems alike are necessary and enforceable.

Towards SIEM security, a matrix of geolocation-based security procedures was introduced that mapped their contributive abilities in the driving areas of security today. The driving areas are mobility, the cloud, advanced persistent threats and regulatory compliance. User authentication through ‘contextual’ analytics such as location-based authentication has been predicted to rise in enterprises by more than 30% by 2016 [2].

The introduced procedures can be applied within SIEM security through the integration of geolocation in correlation and analytic procedures. The effective results from application of these techniques are dependent on the accuracy of the user geographic data, for which a set of geolocation accuracy techniques were evaluated. Wang’s street-level client-independent IP geolocation was resolved as the best solution, requiring only the IP address of the concerned user for a street-level estimation of the user’s whereabouts. The method uses a combination of pinging and landmark range search using surrounding routers.

Towards SIEM privacy, a guideline based on the EU Data Protection Directive [15] was introduced. This considered the privacy implications of the Directive for a SIEM. SIEMs can be seen as meta-systems containing information about other systems, and thus an extremely sensitive commodity of a system or network. The enforceable requirements for SIEMs to adhere to, in order to increase protection of user data rights and privacy, are made explicit in this guideline.

Regarding geolocation and privacy, techniques of anonymisation such as the use of generalisation approaches are discussed. The application of this technique to support the efforts towards enforcement of privacy is shown to be feasible for geolocation data.

Therefore, the inclusion of geolocation for security procedures through privacy-enforcing procedures supports both areas of argument presented in this research.

Once determined as a suitable solution, further study was carried out to explore the integration of geolocation into an existing SIEM. The implementation consisted of the utilisation of an existing open-source SIEM, OSSIM, and selected tools of the MASSIF SIEM framework.

Using a feasible integration, an integrated prototype was created and tested.

OSSIM was used to demonstrate the integration of geolocation in an existing SIEM for security analysis. The MASSIF tools were used to develop the privacy-enforcing technique on geolocation information entering this SIEM. The MASSIF tools also ensured the forensic credibility of the data through protected storage. The privacy implications of geolocation data were addressed through complete application in the prototype experiment.

The application of geolocation in an incident detection procedure addressing the brute-force misuse case (MC-5.5.1) was fully accomplished. The data used in this test was anonymised by the MASSIF GET tool prior to its exploitation within the SIEM. The anonymisation ranges were tested at various levels and evaluated for their feasibility.
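As an added illustration of the two ideas just described (generalisation of geolocation before it enters the SIEM, then correlation of failed logins for the brute-force misuse case MC-5.5.1), the following Python script is not the thesis’s OSSIM/MASSIF prototype; the grid-based generalisation levels, the event format, the failure threshold and the time window are all assumptions made for the example, and the login events are constructed.

```python
from collections import defaultdict

# Constructed login events: (timestamp in seconds, user, outcome, latitude, longitude).
# alice receives four failures from nearby addresses; bob has one failure and a success.
EVENTS = [
    (0,  "alice", "FAIL",    51.5074, -0.1278),
    (10, "alice", "FAIL",    51.5140, -0.1200),
    (20, "alice", "FAIL",    51.5010, -0.1300),
    (30, "alice", "FAIL",    51.5090, -0.1260),
    (40, "bob",   "FAIL",    48.8566,  2.3522),
    (45, "bob",   "SUCCESS", 48.8566,  2.3522),
]


def generalise(lat, lon, level):
    """Generalise a coordinate to the lower-left corner of a grid cell.

    Assumed ranges: level 0 = 1 degree cells, level 1 = 0.1 degree, level 2 = 0.01
    degree, level 3 = 0.001 degree. Integer micro-degrees keep the floor exact."""
    step = 10 ** (6 - level)
    cell_lat = (round(lat * 1_000_000) // step) * step
    cell_lon = (round(lon * 1_000_000) // step) * step
    return (cell_lat / 1_000_000, cell_lon / 1_000_000)


def detect_bruteforce(events, level, threshold=3, window=60):
    """Correlate failed logins per (user, generalised cell) and alert when
    `threshold` failures fall inside `window` seconds. The analyst only ever sees
    the generalised cell, never the raw coordinate."""
    buckets = defaultdict(list)
    for ts, user, outcome, lat, lon in events:
        if outcome == "FAIL":
            buckets[(user, generalise(lat, lon, level))].append(ts)
    alerts = []
    for (user, cell), times in buckets.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append((user, cell, count))
                break
    return alerts


def evaluate_levels(events, levels=(0, 1, 2, 3)):
    """Compare detection against generalisation range: coarser cells protect
    privacy more but also merge distinct sources; finer cells split the attack."""
    return {lv: detect_bruteforce(events, lv) for lv in levels}


if __name__ == "__main__":
    for lv, alerts in evaluate_levels(EVENTS).items():
        print(f"level {lv}: {alerts}")
```

At level 3 the four failures land in four different cells and no alert fires, which is the trade-off the thesis reports when testing anonymisation ranges at various levels.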

The implementation was assessed in the context of the relevant SIEM solution and framework, considering how it augments the functionalities of these SIEMs and determining whether the application is fully supported and does not diminish the SIEM’s standard of delivery.

In conclusion, both the security application of geolocation-based detection and the anonymisation procedures applied to the geolocation data proved feasible and successful for addition within a SIEM.