Context Driven Scalable SIEM Solution

Cyber-attacks have grown exponentially more frequent and sophisticated, demanding near-real-time, highly available, and automated responses to threats. Cyberattacks are the fastest-growing category of crime and are predicted to cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015, according to a 2019 report from Cybersecurity Ventures. Beyond the data loss itself, security breaches can cause immeasurable, and sometimes irrevocable, damage to a brand. Analyzing machine data from firewalls and perimeter devices in real time is vital to thwarting and predicting threats. Every router, switch, firewall, intrusion prevention system (IPS), web proxy, or other security element has a story to tell about the confidentiality, integrity, and availability of the IT environment. Relevant data from across these systems is critical to investigations as well as to continuous monitoring for situational awareness. However, the real return on investment for security solutions lies in making them work together to provide a comprehensive view of the enterprise security posture. This combined, chronological view of all relevant data allows the security team to prioritize events and responses, and to engage effectively with IT operations and other areas of the business.

The Methodology

SIEM solutions are typically used for real-time threat monitoring, incident forensics, demonstrating regulatory compliance, and streamlining IT operations. In most organizations, these functions are deployed with the intent of protecting sensitive data. In such scenarios, a SIEM can be effectively integrated with:

• Application Security Solutions

• DDoS Protection Solutions

• Firewalls

• Secure Mail & Web Gateways

• DLP Systems

• IPS

• Endpoint Security Solutions

• Database Security Systems

• OSs

The methodology presented in this paper is based on the ability to identify and understand the flow of log streams. Understanding and decoding this flow is the first step; its output is a set of categorized event streams such as:

Malicious->DNS->Attack

Compromised->Virus->Attachment->Not Cleaned

Informational->VPN->Tunnel->Failed

Labeling, categorization, and identification are used interchangeably in this paper. Log identification can be used for scenario-based correlation, but it can also drive any number of other controls.
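The labeling step can be sketched as a signature lookup that maps raw log lines onto taxonomy paths. The patterns and sample lines below are illustrative assumptions, not LOGTITAN's actual signature set:

```python
import re

# Hypothetical signature table: regex pattern -> taxonomy path.
# The real product uses a far larger, curated signature library.
SIGNATURES = [
    (re.compile(r"denied.*dns", re.I), "Malicious->DNS->Attack"),
    (re.compile(r"virus.*attachment.*not cleaned", re.I),
     "Compromised->Virus->Attachment->Not Cleaned"),
    (re.compile(r"vpn.*tunnel.*fail", re.I),
     "Informational->VPN->Tunnel->Failed"),
]

def label(log_line):
    """Return the first matching taxonomy label, or None if unmatched."""
    for pattern, taxonomy in SIGNATURES:
        if pattern.search(log_line):
            return taxonomy
    return None

print(label("firewall: VPN tunnel to 10.0.0.1 failed"))
# Informational->VPN->Tunnel->Failed
```

Once a line is labeled, downstream rules operate on the taxonomy path rather than on device-specific log syntax.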

This labeling makes it possible to define human-readable correlation rules such as:

“Visit a website and suddenly make lots of connections”
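A rule like this can be read as a stateful check over labeled events. The sketch below is one possible interpretation; the taxonomy labels, the 60-second window, and the 100-connection threshold are all illustrative assumptions:

```python
from collections import defaultdict

WINDOW_SECONDS = 60          # "suddenly": within one minute of the visit
CONNECTION_THRESHOLD = 100   # "lots of connections"

def correlate(events):
    """events: iterable of (timestamp, source_ip, taxonomy_label) tuples.
    Emit an alert when a host visits a website and then opens many
    connections within the window."""
    last_visit = {}              # ip -> time of most recent web visit
    conn_count = defaultdict(int)
    alerts = []
    for ts, ip, lbl in sorted(events):
        if lbl == "Informational->Web->Visit":
            last_visit[ip] = ts
            conn_count[ip] = 0
        elif lbl == "Informational->Network->Connection":
            if ip in last_visit and ts - last_visit[ip] <= WINDOW_SECONDS:
                conn_count[ip] += 1
                if conn_count[ip] == CONNECTION_THRESHOLD:
                    alerts.append((ip, last_visit[ip]))
    return alerts
```

Because the rule references taxonomy labels rather than raw log formats, the same rule fires regardless of which vendor's proxy or firewall produced the events.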

Once a log or log stream is labeled, it is no longer just a log; it represents a process in your network. These labels capture the state of each SIEM-integrated device or application: Application Security Solutions, DDoS Protection Solutions, Firewalls, Secure Mail & Web Gateways, DLP Systems, IPS, Endpoint Security Solutions, and Database Security Systems. Previous work has also examined log content analysis and proposed classifications such as [1]:

  • Authentication and Authorization Reports
  • Systems and Data Change Reports
  • Network Activity Reports
  • Resource Access Reports
  • Malware Activity Reports
  • Failure and Critical Error Reports

We maintain nearly 300 categories, each with sub-categories.

Once the feeds are incorporated and the best possible coverage has been achieved, the detected categories are ready for rule definition. Correlation rules can also correlate events via their taxonomy, allowing the creation of device-independent correlation rules.

The Taxonomy Algorithm

No matter the source of the event, or the format it originated in, there are types of system and network events common across many system types. A security analyst wanting to see all user logins within a certain time period should not have to know the specific attributes of each event type on each system type to retrieve that information. LOGTITAN maintains a taxonomy of event types to which normalized fields can be matched and through which they can be retrieved.

A taxonomy aids pattern recognition and improves the scope and stability of correlation rules. Our comprehensive log taxonomy is applied to enable cross-device, cross-infrastructure correlation. It takes into account more than 400,000 distinct signatures to ensure that, no matter the device, the message can be categorized. Signatures are patterns that match information in the log streams. Once the data are categorized, advanced correlation and alerting intelligence can be applied to prioritize the logs.

The taxonomy is constructed of high-level, first-tier groups such as Access, Application, Authentication, DoS, Exploit, Informational, Malware, Policy, Recon, Suspicious Activity, System, etc. Each first-tier group is then broken down further into sub-groups and even further as necessary, each lower tier representing more specific event classification. By referring to the highest level of the Normalized Taxonomy, all lower-tier event classifications in that branch are included in the selection. This allows the operator to select a more general event group, such as Authentication, and all sub-group branches (Login, Logout, Password, etc.) and their children (Admin Login, Database Login, Domain Login, etc.) of the Authentication parent will also be included in the selection.
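This parent-includes-children selection behavior can be sketched as a prefix match over the "->" path notation used earlier. The sample labels are illustrative:

```python
def select(labels, group):
    """Return taxonomy labels that fall under `group`, i.e. the group
    itself plus every lower-tier classification in that branch."""
    return [l for l in labels
            if l == group or l.startswith(group + "->")]

labels = [
    "Authentication->Login->Admin Login",
    "Authentication->Logout",
    "Malware->Virus->Detected",
]
print(select(labels, "Authentication"))
# Both Authentication events are selected; the Malware event is not.
```

Matching on `group + "->"` rather than the bare prefix prevents a group such as `Auth` from accidentally capturing an unrelated `Authentication` branch.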

Sample Execution:

For a web load-balancing switch, the correlation identification algorithm analyzes logs from that log point; to identify an abnormal health-status condition, an intelligent key search looks for ERRORtransmit-cannot-receive within the log streams.
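At its simplest, this key search is a substring scan over the incoming stream. The sample log lines below are invented for illustration; only the key itself comes from the text above:

```python
# Health-status key taken from the sample execution above.
KEY = "ERRORtransmit-cannot-receive"

def scan(stream):
    """Yield 1-based line numbers of log lines containing the key."""
    for n, line in enumerate(stream, 1):
        if KEY in line:
            yield n

logs = [
    "lb1: health check OK for pool web-pool",
    "lb1: ERRORtransmit-cannot-receive on port 2",
]
print(list(scan(logs)))  # [2]
```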

The correlation engine has thousands of signatures covering most of these sources: Application Security Solutions, DDoS Protection Solutions, Firewalls, Secure Mail & Web Gateways, DLP Systems, IPS, Endpoint Security Solutions, Database Security Systems, and OSs.

Attack Classification

Classifying attacks against log anonymization is an early step towards a comprehensive study of the security of anonymization policies. If network owners can select classes of attacks that they wish to prevent, they can then ensure that their anonymization policies meet their security constraints, while allowing as much non-private information as possible to be revealed—thus increasing a data set’s utility.

As described previously, we wish to provide network owners with a taxonomy of attacks, the classes of which they can select to prevent, rather than having to focus on individual attacks. We also wish to formally express relationships between attacks, allowing for expression of attack groupings in a logic about anonymization. This taxonomy must be complete (every known attack can be placed in at least one class) and mutually exclusive (no attack can be a member of more than one class). The classes must be fine-grained enough for network owners to select specific classes without seriously impacting the utility of a log. Finally, the classes must be tied together in a more concrete way than a description in natural language.
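The two formal requirements stated above, completeness (every known attack falls in at least one class) and mutual exclusivity (no attack falls in more than one), can be checked mechanically. The sketch below uses invented class assignments purely to illustrate the check:

```python
def check_taxonomy(attacks, classes):
    """attacks: set of known attack names.
    classes: dict mapping class name -> set of attack names.
    Returns (complete, mutually_exclusive)."""
    # Completeness: each attack appears in at least one class.
    complete = all(any(a in members for members in classes.values())
                   for a in attacks)
    # Mutual exclusivity: no attack appears in more than one class.
    counts = {a: sum(a in members for members in classes.values())
              for a in attacks}
    exclusive = all(c <= 1 for c in counts.values())
    return complete, exclusive

attacks = {"fingerprinting", "injection"}
classes = {"passive": {"fingerprinting"}, "active": {"injection"}}
print(check_taxonomy(attacks, classes))  # (True, True)
```

A network owner could run such a check whenever the taxonomy is revised, before relying on class selections to configure anonymization policy.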

References:

1. “Top 6 SANS Essential Categories of Log Reports 2013”, v 3.01
