Academic year: 2021

Share "Security Information Management Systems Cyril"

Copied!
34
0
0

Loading.... (view fulltext now)

Full text

(1)

Security Information Management Systems

Cyril Onwubiko

Networking and Communications Group

http://ncg.kingston.ac.uk

(2)

Overview

- Background
- Theory
- Approach
- Resources
- Q/A

(3)

(4)

Security Information Management Systems

[Figure: SIMS functions plotted against their relevance]

Functions:
- Integration
- Correlation
- Normalisation
- Analysis

Function relevance:
- Enterprise Network Monitoring
- Alert Correlation Coordination
- Threat Identification and Tracking

(5)

General Concept

[Figure: sensors on the Network (AV, VS, FW, IDS) feed a Correlation Engine, which performs Normalisation and Analysis/Detection]

(6)

Organisations/Products

Cisco
- NAC – [Network Admission Control]
- CiscoWorks SIMS

Microsoft
- NAP – [Network Access Protection]

Arcsight
- ESM – [Enterprise Security Management]

Open Source
- OSSIM – [Open Source Security Information Management]

(7)

Cisco: Network Admission Control

(8)

Cisco: Network Admission Control

[Figure: NAC message flow between the Host (running CSA, CTA and the OSCE Client (Trend)), the NAD, the ACS Server and the Vendor Policy Server; protocols shown: IP, EAPoUDP, EAPoRADIUS, HTTPS]

1. Network Request
   - IP packet triggers Intercept ACL on router
2. Trigger posture validation (EAPoUDP)
3. CTA sends posture credentials to router (EAPoUDP)
4. Posture credentials sent to AAA (RADIUS)
7. Access-Accept with ACLs/URL redirect
8. Posture Response sent

(9)

Microsoft NAP: Network Access Protection

- Policy-based enforcement built into Windows Server 2003 & later.
- Validate computer health before allowing access to the network.
- Automatic update of healthy computers to ensure ongoing compliance.
- Optionally isolate unhealthy computers to a restricted network until they become healthy.

(10)

Arcsight: Enterprise Security Management

- ESM Manager
- Event Correlation
- Reporting

(11)

OSSIM: Open Source Security Information Management

- Integrates Network Monitoring, Security, and Correlation.
- Threat Detection Capability.
- Vulnerability and Risk Assessment Capabilities.

(12)

OSSIM Framework

[Figure: layered OSSIM architecture]
- Control Panel
- Monitors, Forensic Console
- Risk Assessment, Correlation, Prioritisation, Normalisation, Pattern Detectors, Anomaly Detectors

(13)

(14)

Frameworks

                 Admission (Access) Control/Prevention    Protection/Defence
Frameworks       - Access Control Systems                 - Point Solution
                 - Network Access Protection              - Perimeter Defence
                 - Network Admission Control              - Defence in depth
                                                          - SAR / Self-Defending
Significance     - Emphases on Prevention                 - Emphases on defence
                 - Pre-requisite to protection            - SAR (Human Assistance required)
                 - 1st stage protection                   - Self-defence (Automated)

(15)

Sensor, Analysis and Response Paradigm

Migrate from ‘Point Solution’ to ‘Integrated Solution’:

- Integrated detection (sensing) of security threats
- Coordinated Response
- Network-wide (enterprise-wide) threat visibility and sensing
- Secure signalling of intra-process coordination

(16)

Point Solution

[Figure: inbound traffic passes through a Network Function whose single component holds the Sensor, the Analysis Component and the Response Component, optionally applying a Point Countermeasure]

- All functions in one component
- Limited network visibility

(17)

Integrated Solution: S.A.R

[Figure: Sensor-AV, Sensor-VS, Sensor-FW and Sensor-IDS on the Network form the Sensing Component, which feeds the Analysis Component and then the Response Component]

(18)

Integrated Solution: S.A.R

Advantages of S.A.R Framework:
- Enterprise Network-aware
- Integrating sensing, analysis and response functionalities
- Coordinated Detection and Analysis
- Unified Response

Sensors:
- Sense and report threats to the analysis unit.
- Threats: security events log, audit trails and alert messages
- Eg: FW, IDS, Threat Monitors, Security Scanner, AV

Analysis:
- Correlate security events (logs, audit trails and alerts).
- Analyse and evaluate threshold and severity of security events
- Stipulate (“concretize”) security related threats and inform action
- Eg: Concepts rather than tools

Response:
- Respond to security threats
- Action request to known or unknown security threats
- A “template” exists and either matches the threats or does not match
- Eg: Concepts rather than tools
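As an added illustration of the Sensors and Analysis roles above (example code written for this page, not from the slides or any product): it normalises three constructed log lines from a firewall, an IDS and an AV agent into a common event record, maps each sensor's native severity onto the slides' critical/major/minor classification, and correlates the events per target against a threshold. The log formats, severity mappings and the 30-second/two-sensor threshold are assumptions.

```python
import re
from datetime import datetime
# Constructed sample sensor output (not from the slides): one line each from a
# firewall, an IDS and an AV agent, each in its own native format.
RAW_LOGS = [
    "2024-03-01T10:00:01 fw01 DROP src=10.0.0.7 dst=10.0.0.20 dpt=445 prio=warning",
    '2024-03-01T10:00:04 ids01 ALERT sig="SMB exploit attempt" src=10.0.0.7 dst=10.0.0.20 prio=2',
    "2024-03-01T10:00:09 av01 DETECTED host=10.0.0.20 name=Worm.Generic action=quarantine",
]
# Each sensor's native severity scale mapped onto the slides' classification (assumed).
SEVERITY = {"fw": {"warning": "minor", "error": "major", "critical": "critical"},
            "ids": {"3": "minor", "2": "major", "1": "critical"},
            "av": {"cleaned": "minor", "quarantine": "major", "failed": "critical"}}
PATTERNS = {
    "fw": re.compile(r"^(\S+) (\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) .*prio=(\w+)"),
    "ids": re.compile(r'^(\S+) (\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+) prio=(\d)'),
    "av": re.compile(r"^(\S+) (\S+) DETECTED host=(\S+) name=(\S+) action=(\w+)"),
}
RANK = {"minor": 0, "major": 1, "critical": 2}

def normalise(line):
    """Turn one native log line into the common event record consumed by the
    analysis component (time, sensor, type, target, detail, severity);
    returns None for lines no pattern recognises."""
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if not m:
            continue
        g = m.groups()
        if kind == "av":
            target, detail, sev = g[2], g[3], g[4]
        else:
            target, detail, sev = g[4], g[2], g[5]
        return {"time": datetime.fromisoformat(g[0]), "sensor": g[1], "type": kind,
                "target": target, "detail": detail, "severity": SEVERITY[kind][sev]}
    return None

def correlate(events, window_s=30, min_sensors=2):
    """Group events by target and report each target seen by at least min_sensors
    distinct sensor types within window_s seconds, with the highest severity seen."""
    by_target = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_target.setdefault(e["target"], []).append(e)
    findings = {}
    for target, evs in by_target.items():
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        if len({e["type"] for e in evs}) >= min_sensors and span <= window_s:
            findings[target] = max((e["severity"] for e in evs), key=RANK.get)
    return findings
```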

(19)

(20)

Relation Information Graph-Based Representation

Reveal explicit temporal and spatial relationships among security threat attributes:
- Better visual display of threat relationships
- Detailed logical relationships possible

Sub-Graph Isomorphism of Spatio-Temporal Graph:
- Matching of concrete security threats (subgraph template) to symptomatic evidence (super graph)

(21)

Graph-Based Representation

- Nodes represent the object or its parts, while the edges represent certain relationships between objects or object parts.

(22)

Graph Theory

- A graph is a rich and flexible data structure to represent objects, object attributes and relationships.

Graph Theory: a labelled graph is the six-tuple

G(V, E, μ, ν, Vw, Ew)

where (the two labelling functions are written μ and ν here):
- V is a finite set of vertices/nodes
- E ⊆ V × V is a finite set of graph edge relationships
- μ: V → Vw is the labelling function of a finite set of vertices
- ν: E → Ew is the labelling function for a finite set of edge relationships
- Vw is a finite set of vertex labels (numbers)
- Ew is a finite set of edge labels (numbers)

(23)

Spatio-Temporal Graph Data Structure

- A vertex corresponds to a security event and a spatial edge represents a spatial relationship between two adjacent vertices (security events).
- The vertex attributes (Vw) are security event elements (for example, router, sensor, server, PC) and the classification (critical, major or minor) of the corresponding security events.
- The temporal edge attributes (Ew) indicate relationships between two adjacent security events, e.g. time of occurrence (events are “coincidental”, “before”, “after”, “during”, “starts”, “ends”) and the direction of the security event.

(24)

Spatio-Temporal Graph Representation

Visualisation of "attribute" information graph-based representation

(25)

Sub-Graph Isomorphism of Spatio-Temporal Graph

Sub-Graph Isomorphism (Matching):

Definition 1: A subgraph Gs(Vs, Es, μs, νs, Vws, Ews) of G, Gs ⊆ G, is a six-tuple such that:

Vs ⊆ V;  Es = E ∩ (Vs × Vs);  μs(v) = μ(v) for all v ∈ Vs;  and νs(e) = ν(e) for all e ∈ Es.

Definition 2: Graph isomorphism:

A graph G is isomorphic to a graph H if there exists a bijective function (mapping) from the nodes of G to the nodes of H that preserves all labels and structures of the edges.

(26)

Sub-Graph Isomorphism

Sub-Graph Matching Representation:

[Figure: two spatio-temporal graphs; G has vertices 0–6 labelled A–G with edges labelled by time differences (t1-t0, t2-t1, t2-t0, t3-t2, t4-t3, t5-t4, t4-t2, t6-t5); H has vertices 0–5 labelled A–H with edges t1-t0, t2-t1, t2-t0, t3-t2, t5-t4, t4-t3]

An example of graph matching of two graphs G and H, matching vertex and preserving edge invariant property.
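The data structure of slide 23 and Definition 1 of slide 25, carried through as added example code (written for this page, not the author's implementation): constructed security events become an attributed graph whose vertex labels are (element, classification) and whose edge labels are temporal relations, and a backtracking search finds every label-preserving injective mapping of a threat template subgraph into it. The sample events and the three-event template are assumptions.

```python
# Constructed sample security events (not from the slides):
# (vertex id, element, classification, time of occurrence)
EVENTS = [(0, "sensor", "minor", 0),     # scanner alert
          (1, "router", "major", 5),     # ACL hit on router
          (2, "server", "critical", 9),  # service failure on server
          (3, "pc", "minor", 12),        # unrelated workstation event
          (4, "sensor", "minor", 3)]     # second scanner alert, also before 1
# Threat template (assumed): a sensor alert, then a router event, then a server event.
TEMPLATE = [(0, "sensor", "minor", 0), (1, "router", "major", 1),
            (2, "server", "critical", 2)]

def temporal_relation(t_a, t_b):
    """Temporal edge label (an element of Ew) derived from two event times."""
    return "before" if t_a < t_b else "after" if t_a > t_b else "coincidental"

def build_graph(events):
    """Attributed graph G = (V, E, mu, nu, Vw, Ew): mu labels each vertex with
    (element, classification); nu labels every ordered pair of distinct
    vertices with its temporal relation, so E covers all such pairs."""
    mu = {i: (element, cls) for i, element, cls, _ in events}
    times = {i: t for i, _, _, t in events}
    nu = {(a, b): temporal_relation(times[a], times[b])
          for a in mu for b in mu if a != b}
    return mu, nu

def subgraph_matches(template, graph):
    """Backtracking search for every injective mapping f of the template's
    vertices into the graph with mu_s(v) = mu(f(v)) and, for each pair of
    already-mapped vertices, nu_s(v, w) = nu(f(v), f(w)) (Definition 1)."""
    mu_s, nu_s = template
    mu, nu = graph
    order, found = list(mu_s), []
    def extend(i, f):
        if i == len(order):           # every template vertex is mapped
            found.append(dict(f))
            return
        v = order[i]
        for u in mu:                  # candidate image of v in the graph
            if u in f.values() or mu[u] != mu_s[v]:
                continue              # not injective, or vertex label differs
            if all(nu_s.get((v, w)) == nu.get((u, f[w])) and
                   nu_s.get((w, v)) == nu.get((f[w], u)) for w in f):
                f[v] = u
                extend(i + 1, f)
                del f[v]
    extend(0, {})
    return found
```

On the constructed events both scanner alerts precede the router and server events, so the template matches twice, once per sensor vertex.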

(27)

Implementation

Simulation-Based: Modelling Network Worm using Network Simulator [i]

[Figure: simulation set-up; probing traffic flows between the Detailed Network (DN) and the Abstract Network (AN) (Internet); the trace file feeds graph analysis, from which the attack pattern and the vulnerability attributes of infected hosts are derived]

[i]. K. Fall and K. Varadhan (2005) “The NS Manual (formerly ns Notes and Documentation)”, The VINT Project, a collaboration between researchers at UC Berkeley, LBL, USC/ISI, and Xerox PARC, p. 353

(28)

Implementation and Analysis of Result

Graph Matching Technique: exact and inexact graph matching
- Performs efficiently in time with the size of the graph
- Matching of graph template to super graph.

(29)

Analysis of Result

Sub-Graph Definition:
- Template of potential security threats, or
- Template of known security violations

(30)

Result: Sample of matching output

Result

Graph index: gn5 Subgraph matches: 1 9 7 2 6 1

Graph index: gn7 Subgraph matches: 1 5 12 2 7 1

Graph index: gn8 Subgraph matches: 1 5 2 13 10 1

Graph index: gn9 Subgraph matches: 1 7 2 5 10 1

Graph index: gn11 Subgraph matches: 1 10 8 14 7 1

< …> ********

4 3 2 1 0 ********

Graph index: gn0 Subgraph matches: 1 0 4 3 2 1

Graph index: gn1 Subgraph matches: 1 0 4 3 2 1

Graph index: gn2 Subgraph matches: 1 4 5 0 2 1

Graph index: gn3 Subgraph matches: 1 2 0 7 5 1

Graph index: gn4 Subgraph matches: 1 2 0 6 9 1

(31)

Conclusion

- Graph Representation is suitable for the Analysis of Security Events for SIM.
- Graph Representation reveals explicit Security Attributes.
- Graph Representation reveals subtle and important relationships among Security Events.
- Two sets of Graphs reveal similarities through Graph Matching.
- The Graph Matching Technique assists SIM to Detect Security Threats.

(32)

(33)

Resources/References

1. Arcsight: http://www.arcsight.com/
2. Microsoft NAP: http://www.microsoft.com/windowsserver2003/technologies/networking/nap/beta.mspx
3. Cisco NAC: http://www.cisco.com/warp/public/cc/so/neso/sqso/csdni_wp.htm
4. Cisco CiscoWorks SIMS: http://www.cisco.com/en/US/products/sw/cscowork/ps5209/index.html
5. Additional Resource: http://www.research-series.com/cyril/resources.html
6. IETF: EAP (Extensible Authentication Protocol): https://datatracker.ietf.org/public/idindex.cgi?command=id_detail&id=8369
7. EAPoUDP = udp port 21862 (eapoudp)
8. CSA: Cisco Security Agent: Desktop FW/IDS. Eg BlackIce Defender (ISS); ZoneAlarm etc.
9. CTA: Cisco Trust Agent: Free software from Cisco that enforces compliance with CSA and OS
10. OSCE: OfficeScan Corporate Edition: From Micro Trends Systems, designed to stipulate support for OS

(34)

Contact Details

Networking & Communications Group
Kingston University
http://ncg.kingston.ac.uk
Email: [email protected] or [email protected]
Tel: Not Applicable
