Thinking About Security Monitoring and Event Correlation
By: Dell SecureWorks
One result of the increased use of the Internet, particularly by business, is the rapid growth of security incidents. This growth has forced organizations to significantly expand their information technology infrastructures.
Information security incidents can be characterized as a loss of availability, integrity, and/or confidentiality of data. Software and hardware vendors have dedicated a tremendous amount of resources to the creation of security devices such as firewalls, intrusion detection systems, strong authentication and access control mechanisms, virtual private networks, and public key infrastructure. Organizations worldwide are implementing these technologies to protect their information assets and detect information security incidents.
Most security devices provide logging and alerting of known and possibly unknown security events that occur on an information technology infrastructure. Despite all our technological advances and the introduction of devices like firewalls and VPNs, most companies do not monitor the information coming from these devices.
Security device logging can be extensive and difficult to interpret because of the detail and size of the logs. Manual review is time consuming. In many organizations, a dedicated staff of information technology personnel is not available to continuously monitor logs and alerts, or network and system administrators review security information only as part of routine maintenance. This limited or nonexistent monitoring of enterprise security leaves organizations blind to information attacks targeted at their networks. Security logs provide details about the activity on an information technology infrastructure. This activity includes valid business applications, external attacks using the Internet, and internal attacks by employees. Recognizing their vulnerability, organizations are looking outside for the management of their security infrastructure. Third-party management of firewalls is already commonplace, and management of intrusion detection systems is becoming more common.
But this need for outside security management has become more than just monitoring the alerts from a network-based or host-based intrusion detection system; it has become 24x7x365 security monitoring of the entire enterprise.
Today only a few companies are offering 24x7x365 enterprise-wide security monitoring services and even fewer include monitoring events from firewalls and network-based and host-based intrusion detection systems as well as the logs and alerts from routers, switches, anti-virus, and content scanning applications, backup applications, PBXs, and critical Unix and NT servers including but not limited to web servers, FTP servers, and mail servers. In the future enterprise security monitoring will incorporate security events from physical security devices such as card readers, motion detectors, and cameras, security alarms from secured doors and gates, fire alarms and climate control sensors.
Each device or application listed above can generate hundreds of lines of logs daily. A majority of the events logged are not security related, so surveillance of specific security events is difficult and time consuming. For the typical system administrator, network administrator, and/or security officer, the task of reviewing logs is not a reality and monitoring events in real time is impossible; day-to-day system maintenance demands too much time. Companies just do not have a 24x7x365 information technology staff to perform real-time monitoring and response. "Off business hours" monitoring becomes particularly difficult or nonexistent. Internal and external hackers are well aware of this vulnerability.
Some vendors do provide tools to condense their product events and logs, but even with these tools it is nearly impossible for an administrator to find time to monitor a security system, enterprise-wide. Most of these consolidation tools are vendor specific. Vendor A's tool can only be used to accept logs or events from Vendor A's products while Vendor B's tools can only be used to consolidate Vendor B's products. The reason for this is that Vendor A's products and Vendor B's products log event information differently. This situation forces administrators to have many different tools to monitor logs and event information throughout their enterprise. Today, there are only a few companies that provide vendor independent log and event consolidation solutions, but these solutions demand an extensive amount of customization to be useful in monitoring security events enterprise-wide.
Along with the lack of time and vendor-independent tools, false positives are another reason why enterprise security monitoring is not easy. A false positive is an event that triggers a security alert when the event is not security related. There has been a lot of discussion over the last year regarding intrusion detection systems and false positives. In order to have extensive vision on a host or network, a host-based or network-based intrusion detection system needs to be configured loosely, with the result that a high number of false positives are generated. The problem with this is that many administrators do not have the time or knowledge to research the quantity of events generated by these loosely configured intrusion detection systems. Host-based and network-based intrusion detection systems are only two types of devices that generate false positives. Many other security devices produce them as well.
Monitoring an entire security enterprise takes an experienced 24x7x365 staff of security analysts who have responsibility for continuously analyzing events and filtering out the false positives. For an enterprise security manager, a large number of false positives is difficult to manage; without a dedicated security staff, people are diverted from their regular work to respond to false attacks. But false positive analysis is critical to protecting an organization's information assets. Is there another way? Maybe.
The next advance in enterprise security monitoring will be to capture the knowledge and analytical capabilities of human security experts for the development of an intelligent system that performs event correlation from the logs and alerts of multiple security technologies.
For example, company A has a screening router outside of its firewall that protects its corporate network, and a security event monitoring system with reliable artificial intelligence. The monitoring system would start detecting logs where the access control lists or packet screens on the screening router were denying communications from a certain IP address. Because the system is intelligent, it begins detailed monitoring of the firewall logs and any publicly accessible server logs for any communications destined for or originating from that IP address. If the intelligent system determined that there was malicious communication, the system would have the capability to modify the router access control lists or the firewall configuration to deny any communication destined for or originating from the IP address. In this example, the access control list deny logs from the router trigger the intelligent system to look for suspicious activity from a certain IP address. Using event correlation, the reaction mechanism has more time to monitor and react to an attacker. If the system did not correlate events, it would only detect an event that had already occurred based on a known attack signature, or it might even read a malicious attack as normal traffic.
What if the intelligent system began detecting multiple failed logins to an NT server by the president of the company? It would be useful for this technology to determine where these failed logins were originating from and to look for suspicious activity from this IP and/or user for some designated timeframe. If the system determined that the failed logins originated from a user other than the president of the company, it could begin to closely monitor, for a period of time, all actions by this user and by the company president (the user could be impersonating the president). This monitoring could include card readers, PBXs or voice mail access, security alarms from secured doors and gates, and access to other servers. If the monitoring system were not correlating events, the user impersonating the company president would probably bypass all access control and security monitoring devices because the user's actions appear as normal activity.
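The two scenarios above (router denies followed by firewall and server activity from the same address, and repeated failed logins to an account from an unexpected address), as an added example that is not part of the original article: a small Python correlator that first normalizes constructed router, firewall and NT server log lines, each in a made-up vendor format, into one common schema, then applies two time-window rules over them. The thresholds, the KNOWN_SOURCES table and every log line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up vendor formats (router ACL, firewall, NT server).
LOGS = [
    "2001-03-05T02:14:07 rtr1 ACL-DENY src=203.0.113.5 dst=192.0.2.10 port=23",
    "2001-03-05T02:14:20 rtr1 ACL-DENY src=203.0.113.5 dst=192.0.2.10 port=21",
    "2001-03-05T02:14:30 rtr1 ACL-DENY src=198.51.100.9 dst=192.0.2.10 port=23",
    "2001-03-05T02:14:41 rtr1 ACL-DENY src=203.0.113.5 dst=192.0.2.11 port=23",
    "2001-03-05 02:15:02 fw1 accept 203.0.113.5 192.0.2.20 80",
    "03/05/2001 02:15:40 web1 LOGON-FAIL user=president src=192.0.2.50",
    "03/05/2001 02:16:10 web1 LOGON-FAIL user=president src=203.0.113.5",
    "03/05/2001 02:16:15 web1 LOGON-FAIL user=president src=203.0.113.5",
    "03/05/2001 02:16:22 web1 LOGON-FAIL user=president src=203.0.113.5",
]
DENY_THRESHOLD, DENY_WINDOW, WATCH_TTL = 3, timedelta(minutes=1), timedelta(minutes=10)
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=2)
KNOWN_SOURCES = {"president": {"192.0.2.50"}}  # constructed: addresses each account normally logs in from

def parse(line):
    """Normalize one vendor-specific line into the common tuple (ts, dev, kind, ip, user), or None."""
    if m := re.match(r"^(\S+) (\S+) ACL-DENY src=(\S+)", line):
        return datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S"), m[2], "acl_deny", m[3], None
    if m := re.match(r"^(\S+ \S+) (\S+) (accept|drop) (\S+) \S+ \d+$", line):
        return datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], "fw_" + m[3], m[4], None
    if m := re.match(r"^(\S+ \S+) (\S+) LOGON-FAIL user=(\S+) src=(\S+)$", line):
        return datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S"), m[2], "logon_fail", m[4], m[3]
    return None

def correlate(lines):
    denies, fails, watch, seen, alerts = defaultdict(list), defaultdict(list), {}, set(), []
    for ts, dev, kind, ip, user in filter(None, map(parse, lines)):  # lines must be in time order
        if kind == "acl_deny":
            # Rule 1: DENY_THRESHOLD router denies inside DENY_WINDOW put the source IP on the watch list
            denies[ip] = [t for t in denies[ip] if ts - t <= DENY_WINDOW] + [ts]
            if len(denies[ip]) >= DENY_THRESHOLD and ip not in watch:
                watch[ip] = ts + WATCH_TTL
                alerts.append(("watch", ip, dev))
        elif ip in watch and ts <= watch[ip] and (ip, dev, kind) not in seen:
            # Later firewall or server activity from a watched IP is reported once per device and kind
            seen.add((ip, dev, kind))
            alerts.append(("watched_ip_activity", ip, f"{dev}:{kind}"))
        if kind == "logon_fail":
            # Rule 2: repeated failures for one account from one IP; an unknown IP suggests impersonation
            fails[user, ip] = [t for t in fails[user, ip] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[user, ip]) == FAIL_THRESHOLD:
                known = ip in KNOWN_SOURCES.get(user, set())
                alerts.append(("repeated_failures" if known else "possible_impersonation", ip, user))
    return alerts
```

Running `correlate(LOGS)` raises four alerts for 203.0.113.5 and none for the single deny from 198.51.100.9 or the single failure from the president's usual address, which is the noise reduction the article expects from correlation.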
Today there is one major obstacle to intelligent event correlation enterprise-wide. There is no standard for logging security related information or alerts. Every vendor uses their own logging or alerting methodology on security related events. In many cases there are inconsistent formats among products from the same vendor. These issues make enterprise security monitoring difficult and event correlation almost impossible with artificial intelligence. The industry will need to impose a standard method or protocol for logging and alerting security related events before an intelligent system can be developed and successfully implemented enterprise-wide.
The usefulness of developing an intelligent monitoring system that performs event correlation for internal and external security events is obvious. Today security technology needs human intervention and action. 9-to-5 security monitoring by an already busy IT staff is not enough for organizations to maintain maximum information security and integrity. They need a dedicated team of security analysts continuously looking at their enterprise-wide security infrastructure. This team needs to spend the time to research false positives so they can build a database of events for comparison and correlation. And of course there needs to be a security analyst monitoring the enterprise 24x7x365, ready to respond to malicious attacks and anomalies according to predetermined policies and procedures. For most organizations 24x7x365 monitoring is too expensive, but as information integrity is compromised and downtime increases, the effect on the bottom line becomes real. The most effective alternative to internal monitoring is to outsource an organization's security management and monitoring to a company that has the experience and expertise to share responsibility, 24x7x365, for an organization's information assets. Until we have artificial intelligence available, we can rely with confidence on human intelligence to keep our information secure.