Visual Security Event Analysis

Raffael Marty, GCIA, CISSP
ArcSight Inc.
02/14/06 – HT2-103
Disclaimer

IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
Who Am I?

 ●   Raffael Marty, GCIA, CISSP
 ●   Strategic Application Solutions @ ArcSight, Inc.
 ●   Intrusion Detection Research @ IBM Research
 ●   IT Security Consultant @ PriceWaterhouse Coopers
 ●   Open Vulnerability and Assessment Language (OVAL) board member
 ●   Speaker at Various Security Conferences
 ●   Passion for Visual Security Event Analysis, see http://afterglow.sourceforge.net
Table Of Contents

• The Security Monitoring Challenge
• Solving Event Overload - Today
  —   Normalization
  —   Prioritization
  —   Correlation
• Visual Security Event Analysis
  —   Situational Awareness
  —   Real-time Monitoring
  —   Forensic and Historical Analysis
A Picture is Worth a Thousand Log Entries

Detect the Expected & Discover the Unexpected

Reduce Analysis and Response Times

Make Better Decisions
Typical Security Monitoring Challenges

Complexity: “How can I manage this flood of data?”
Accuracy: “I wish I could see prioritized and relevant information!”
Efficiency: “How can we prioritize and communicate efficiently?”
Reporting: “How can I demonstrate compliance?”

… and do it all cost effectively
The Needle in the Haystack

Security information / events, from raw events down to verified breaches (figure on the slide):

  Raw events: tens of millions per day
  Normal audit trail, failed attacks, false alarms: millions per day
  Pre-attacks, policy violations, identified vulnerabilities: less than 1 million per month
  Attack formation, potential breaches, misuse: a few thousand per month
  Verified breaches

Areas of concern marked along the funnel: Defense in Depth, Insider Threat, Compliance.
Solving Event Overload - Today
Data Analysis Components

• Collection, Normalization, and Aggregation
• Risk-based Prioritization with Vulnerability and Asset Information
• Real-time Correlation across event sources
  —   Rule-based Correlation
  —   Statistical Correlation
• Advanced Analytics
  —   Pattern Detection

(Figure arrow alongside the list: Intelligence)
Event Normalization and Categorization

Normalization and Categorization, shown on sample raw PIX events:

    Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
    Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
    Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
    Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

The Categorization column of the slide highlights the last event (the %PIX-6-106015 deny).
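As an added example (not from the slides or from any ArcSight code), the following parses the four PIX lines above into common fields and maps each message id to a device-independent category; the category names and the field layout are assumptions chosen for the example.

```python
"""Normalize and categorize Cisco PIX syslog events (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample input: the four PIX lines from the slide, with the
# slide's obfuscated addresses. Not captured from a live device.
RAW_PIX_EVENTS = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src "
    "outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from "
    "isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection "
    "2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to "
    "isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from "
    "10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

# Common PIX header: timestamp, severity digit, six-digit message id, body.
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)


def _addr(name: str) -> str:
    """Regex for '[iface:]a.b.c.d/port'; the interface prefix is optional."""
    return r"(?:\w+:)?(?P<%s>\d+\.\d+\.\d+\.\d+)/(?P<%s_port>\d+)" % (name, name)


# One body pattern per message id this example understands. For 302013 PIX
# writes the outside endpoint first ("for ...") and the inside initiator
# second ("to ..."), so for an outbound connection the source is the "to" side.
BODIES = {
    "106011": re.compile(r"Deny inbound \(No xlate\) (?P<proto>\w+) src "
                         + _addr("src") + r" dst " + _addr("dst")),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from "
                         + _addr("src") + r" to " + _addr("dst")),
    "302013": re.compile(r"Built (?P<direction>\w+) (?P<proto>\w+) connection "
                         r"(?P<conn_id>\d+) for " + _addr("dst") + r" \([^)]*\) to "
                         + _addr("src") + r" \([^)]*\)"),
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from " + _addr("src")
                         + r" to " + _addr("dst")
                         + r" flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"),
}

# Device-independent category and outcome per message id. This taxonomy is
# an assumption made for the example, not any product's category scheme.
CATEGORY: Dict[str, Tuple[str, str]] = {
    "106011": ("/Firewall/Access/Deny", "Failure"),
    "106015": ("/Firewall/Access/Deny", "Failure"),
    "305011": ("/Firewall/NAT/Translation Built", "Success"),
    "302013": ("/Firewall/Access/Connection Built", "Success"),
}


@dataclass
class NormalizedEvent:
    timestamp: datetime
    device_severity: int
    message_id: str
    category: str
    outcome: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    extra: Dict[str, str]    # message-specific fields (flags, conn_id, ...)


def normalize(line: str) -> NormalizedEvent:
    """Parse one raw PIX line; raise ValueError for anything we cannot map."""
    head = HEADER.match(line.strip())
    if head is None:
        raise ValueError(f"not a PIX syslog line: {line!r}")
    msgid = head["msgid"]
    body_re = BODIES.get(msgid)
    if body_re is None:
        raise ValueError(f"no parser for %PIX-{head['sev']}-{msgid}")
    body = body_re.match(head["body"])
    if body is None:
        raise ValueError(f"body does not match the {msgid} format: {head['body']!r}")
    fields = body.groupdict()
    core = {"proto", "src", "src_port", "dst", "dst_port"}
    category, outcome = CATEGORY[msgid]
    return NormalizedEvent(
        timestamp=datetime.strptime(head["ts"], "%b %d %Y %H:%M:%S"),
        device_severity=int(head["sev"]),
        message_id=msgid,
        category=category,
        outcome=outcome,
        protocol=fields["proto"].lower(),
        src_ip=fields["src"], src_port=int(fields["src_port"]),
        dst_ip=fields["dst"], dst_port=int(fields["dst_port"]),
        extra={k: v for k, v in fields.items() if k not in core},
    )


def normalize_all(lines: List[str]):
    """Normalize a batch; unparseable lines are returned with their reason
    so nothing silently disappears from the audit trail."""
    events, rejected = [], []
    for line in lines:
        try:
            events.append(normalize(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return events, rejected
```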
Risk-based Prioritization

Architecture shown on the slide: event sources (Unix/Linux/AIX/Solaris, security devices, mainframe & apps, databases, Windows systems) report through agents to a collector, which produces the event. A vulnerability scanner and asset information supply asset criticality. Agent severity, asset criticality, severity, model confidence and relevance are the inputs to the prioritized event.
Event Correlation

• Most overused and least well-defined concept in ESM.
• Combine multiple events through predefined rules
  or analyze statistical properties of event streams
  —   Across devices
  —   Heavily utilizing event categorization
• Helps eliminate false positives
• Correlation is not prioritization!
  —   Can use priorities of individual events
Four Types of Real-time Correlation

 • Simple Event Match
     Failed logins on UNIX systems + Failed logins on Windows systems
       → 5 or more failed logins in a minute from same source
       → Attempted Brute Force Attack

 • Complex Multi-Event Match
     Attempted Brute Force Attack + Successful login to Windows systems
       → Attempted Brute Force Attack + Successful Login
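Both rule types above, as an added example that is not part of the slides: a sliding-window count of failed logins per source across already-categorized UNIX and Windows events, and a follow-up match for a successful login from the same source. The category name, the 10-minute follow-up window and the sample timeline are assumptions.

```python
"""Rule-based real-time correlation over categorized login events
(added example): simple event match and complex multi-event match."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

LOGIN = "/Authentication/Login"   # assumed category name


@dataclass(frozen=True)
class Event:
    ts: int          # seconds on a constructed timeline, not real timestamps
    device: str      # reporting platform; irrelevant once categorized
    category: str
    outcome: str     # "Success" or "Failure"
    src: str         # source address
    user: str


@dataclass(frozen=True)
class Alert:
    name: str
    src: str
    ts: int
    evidence: int    # number of base events behind the alert


class Correlator:
    """Simple match: >= `threshold` failed logins within `window` seconds
    from one source, whichever device reported them.
    Complex match: that alert followed within `follow_up` seconds by a
    successful login from the same source."""

    def __init__(self, threshold: int = 5, window: int = 60, follow_up: int = 600):
        self.threshold = threshold
        self.window = window
        self.follow_up = follow_up
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)
        self.brute_force_at: Dict[str, int] = {}

    def process(self, ev: Event) -> List[Alert]:
        alerts: List[Alert] = []
        if ev.category != LOGIN:
            return alerts
        if ev.outcome == "Failure":
            q = self.failures[ev.src]
            q.append(ev.ts)
            # Slide the window: forget failures older than `window` seconds.
            while q and ev.ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                alerts.append(Alert("Attempted Brute Force Attack", ev.src, ev.ts, len(q)))
                self.brute_force_at[ev.src] = ev.ts
                q.clear()    # one alert per burst, not one per extra failure
        elif ev.outcome == "Success":
            started = self.brute_force_at.get(ev.src)
            if started is not None and ev.ts - started <= self.follow_up:
                alerts.append(Alert("Attempted Brute Force Attack + Successful Login",
                                    ev.src, ev.ts, 1))
                del self.brute_force_at[ev.src]   # fire once per episode
        return alerts


def run(events: List[Event]) -> List[Alert]:
    """Feed events in time order through one correlator instance."""
    c = Correlator()
    out: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(c.process(ev))
    return out


# Constructed sample stream. 10.0.0.5 fails five times in 41 s across UNIX
# and Windows and then logs in; 10.0.0.9 never has five failures inside
# any 60 s window, so its later success stays an ordinary login.
SAMPLE = [
    Event(0,   "unix",    LOGIN, "Failure", "10.0.0.5", "root"),
    Event(8,   "unix",    LOGIN, "Failure", "10.0.0.5", "root"),
    Event(15,  "windows", LOGIN, "Failure", "10.0.0.5", "Administrator"),
    Event(20,  "unix",    LOGIN, "Failure", "10.0.0.5", "admin"),
    Event(30,  "unix",    LOGIN, "Failure", "10.0.0.9", "jdoe"),
    Event(41,  "windows", LOGIN, "Failure", "10.0.0.5", "Administrator"),
    Event(90,  "windows", LOGIN, "Success", "10.0.0.5", "Administrator"),
    Event(100, "unix",    LOGIN, "Failure", "10.0.0.9", "jdoe"),
    Event(110, "unix",    LOGIN, "Failure", "10.0.0.9", "jdoe"),
    Event(120, "unix",    LOGIN, "Failure", "10.0.0.9", "jdoe"),
    Event(130, "unix",    LOGIN, "Failure", "10.0.0.9", "jdoe"),
    Event(140, "windows", LOGIN, "Success", "10.0.0.9", "jdoe"),
]

if __name__ == "__main__":
    for a in run(SAMPLE):
        print(f"t={a.ts:>4}s  {a.name}  src={a.src}  evidence={a.evidence}")
```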
Four Types of Real-time Correlation

 •   Statistical
       —    Mathematical model, e.g. a 50% increase in traffic per port and machine
            (figure: traffic per port going to 10.0.0.2)

 •   Stateful
       —    A list (here: terminated employees, entries jdoe, ram, …) is populated
            manually or by the output of Simple, Complex and Statistical correlation
       —    A login attempt from user ram matches the list:
            “User on terminated employee list tries to login”
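The statistical and stateful types, as an added example that is not part of the slides: byte counts per destination machine and port in a current interval compared with a baseline interval, flagging the slide's 50% increase, and a terminated-user list consulted on every login attempt. The intervals, the minimum-baseline guard and the sample flows are assumptions.

```python
"""Statistical and stateful correlation (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]   # (destination machine, destination port)


@dataclass(frozen=True)
class Flow:
    ts: int       # seconds on a constructed timeline
    dst: str
    port: int
    nbytes: int


def traffic_per_port(flows: List[Flow], start: int, end: int) -> Dict[Key, int]:
    """Sum bytes per (machine, port) over flows with start <= ts < end."""
    totals: Dict[Key, int] = defaultdict(int)
    for f in flows:
        if start <= f.ts < end:
            totals[(f.dst, f.port)] += f.nbytes
    return dict(totals)


def detect_increase(baseline: Dict[Key, int], current: Dict[Key, int],
                    increase: float = 0.5, min_baseline: int = 100):
    """Flag pairs whose current volume exceeds the baseline by `increase`
    (0.5 = the slide's 50%). Pairs absent from the baseline are reported as
    "new"; pairs with a tiny baseline are skipped because a ratio over a
    near-zero denominator is noise, not a model (assumed guard)."""
    findings = []
    for key, now in sorted(current.items()):
        before = baseline.get(key, 0)
        if before == 0:
            findings.append((key, "new", None))
        elif before >= min_baseline and now / before >= 1 + increase:
            findings.append((key, "increase", round(now / before, 2)))
    return findings


class TerminatedUserWatch:
    """Stateful rule: the list is filled manually or by other correlation
    rules (provenance kept per entry); any login attempt by a listed user
    matches, whether or not the login succeeded."""

    def __init__(self) -> None:
        self.listed: Dict[str, str] = {}

    def add(self, user: str, source: str) -> None:
        self.listed[user] = source

    def login_attempt(self, user: str, src: str, outcome: str) -> Optional[str]:
        reason = self.listed.get(user)
        if reason is None:
            return None
        return (f"User on terminated employee list tries to login: {user} "
                f"from {src} ({outcome}; listed via {reason})")


# Constructed sample flows toward 10.0.0.2: baseline interval [0, 60),
# current interval [60, 120).
FLOWS = [
    Flow(5,  "10.0.0.2", 80, 600), Flow(40, "10.0.0.2", 80, 400),    # baseline 1000
    Flow(10, "10.0.0.2", 443, 2000),
    Flow(50, "10.0.0.2", 8080, 50),                                  # tiny baseline
    Flow(65, "10.0.0.2", 80, 900), Flow(100, "10.0.0.2", 80, 700),   # 1600: +60%
    Flow(70, "10.0.0.2", 443, 2100),                                 # +5%, quiet
    Flow(80, "10.0.0.2", 22, 500),                                   # not in baseline
    Flow(90, "10.0.0.2", 8080, 400),                                 # skipped by guard
]


def statistical_findings():
    baseline = traffic_per_port(FLOWS, 0, 60)
    current = traffic_per_port(FLOWS, 60, 120)
    return detect_increase(baseline, current)


def stateful_findings() -> List[str]:
    watch = TerminatedUserWatch()
    watch.add("jdoe", "manual population")
    watch.add("ram", "fed by another correlation rule")
    attempts = [("alice", "10.0.0.7", "Success"), ("ram", "10.0.0.12", "Failure")]
    return [a for a in (watch.login_attempt(*x) for x in attempts) if a]
```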
Advanced Analytics - Pattern Detection

 •   Automatically detect repetitive event patterns (table from the slide):

       Name                                                                        Device Product
       NETBIOS DCERPC Activation little endian bind attempting                     Snort
       NETBIOS DCERPC System Activity path overflow attempt little endian unicode  Snort
       Tagged Packet                                                               Snort
       SHELLCODE x86 NOOP                                                          Snort
       NETBIOS DCERPC Remote activity bind attempt                                 Snort

 •   Capability to detect new worms, malware, system misconfigurations, etc.
 •   Automatically create correlation rules to flag new occurrences of attack
Visual Security Event Analysis
Why a Visual Approach Helps

A picture tells more than a thousand log lines
Visual Approach – Benefits I

 •   Multiple views on the same data

Visual Approach – Benefits II

 •   Selection and drill-down
 •   Color by different properties
Three Aspects of Visual Security Event Analysis

•   Situational Awareness
    —   What is happening in a specific business area
        (e.g., compliance monitoring)
    —   What is happening on a specific network
    —   What certain servers are doing

•   Real-Time Monitoring and Incident Response
    —   Capture important activities and take action
    —   Event Workflow
    —   Collaboration

•   Forensic and Historic Investigation
    —   Selecting an arbitrary set of events for investigation
    —   Understanding the big picture
    —   Analyzing relationships - Exploration
    —   Reporting
Situational Awareness
Instant Awareness
Event Graph Dashboard
MMS CDRs

(Event graph of MMS call detail records; node columns: From Phone#, MSG Type, To Phone#)
Geo Spatial Visualization
Real-time Monitoring
Real-time Monitoring – Detect Activity
Analysis Process

Stages of the cycle shown on the slide: Real-time Data Processing; Visual Detection; Automatic Action; Automatic Remediation; Visual Investigation; Assign to 2nd Level Analysis; Assign Ticket for Operations; Historical and Forensic Analysis; Creation of new Filters and Correlation Components (feeding back into real-time data processing).
Visual Detection and Investigation

Beginning of Analyst’s shift

Visual Detection

Scanning activity is displayed (figure labels: Firewall Blocks, Scan Events)
Define New Correlation Rules and Filters

1. Rule: assign for further analysis if more than 20 firewall drops from an external machine to an internal machine
2. Filter: internal machines on white-list connecting to active directory servers
3. Open a ticket for Operations to quarantine and clean infected machines
Real-time Analysis - Summary

 • Benefits of Visual Analysis
   —   Visually driven process for investigating events
   —   Visual investigation helps
          • get a quick turn-around
          • detect new and previously unknown patterns (i.e. incidents)
   —   Reduced event load for analysts by feeding gained knowledge back
       into the analysis work-flow.
Forensic and Historical Analysis
Forensic and Historical Investigation

• Three Areas of Concern
  —   Defense in Depth
  —   Insider Threat
  —   Compliance
Defense In Depth - Port Scan Detection
Analysis - Port Scan?
Insider Threat – User Reporting

(figure annotation: High ratio of failed logins)

Insider Threat - Email Problems

(figure: delivery delay per recipient (“To”), with bands 2:00 < Delay < 10:00 and Delay > 10:00)

Compliance – Business Reporting

• Attacks targeting internal systems (figure: attacks per revenue-generating system)

Compliance - Business Reporting
Summary

Detect the expected & discover the unexpected

Reduce analysis and response times

Make better decisions

Q&A
Raffael Marty
ArcSight, Inc.

Email: raffy@arcsight.com

 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 

More from Raffael Marty

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's AdvantageRaffael Marty
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Raffael Marty
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Raffael Marty
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousRaffael Marty
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data VisualizationRaffael Marty
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityRaffael Marty
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightRaffael Marty
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Raffael Marty
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Raffael Marty
 

More from Raffael Marty (10)

Exploring the Defender's Advantage
Exploring the Defender's AdvantageExploring the Defender's Advantage
Exploring the Defender's Advantage
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
AI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are DangerousAI & ML in Cyber Security - Why Algorithms Are Dangerous
AI & ML in Cyber Security - Why Algorithms Are Dangerous
 
Big Data Visualization
Big Data VisualizationBig Data Visualization
Big Data Visualization
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Cyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock InsightCyber Security – How Visual Analytics Unlock Insight
Cyber Security – How Visual Analytics Unlock Insight
 
AfterGlow
AfterGlowAfterGlow
AfterGlow
 
Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006Event Graphs - EUSecWest 2006
Event Graphs - EUSecWest 2006
 
Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007Insider Threat Visualization - HackInTheBox 2007
Insider Threat Visualization - HackInTheBox 2007
 

Recently uploaded

Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataSafe Software
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 

Recently uploaded (20)

Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial DataCloud Revolution: Exploring the New Wave of Serverless Spatial Data
Cloud Revolution: Exploring the New Wave of Serverless Spatial Data
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 

RSA 2006 - Visual Security Event Analysis

  • 1. Visual Security Event Analysis Raffael Marty, GCIA, CISSP ArcSight Inc. 02/14/06 – HT2-103
  • 2. Disclaimer IP addresses and host names showing up in graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.
  • 3. Who Am I? ● Raffael Marty, GCIA, CISSP ● Strategic Application Solutions @ ArcSight, Inc. ● Intrusion Detection Research @ IBM Research ● IT Security Consultant @ PriceWaterhouse Coopers ● Open Vulnerability and Assessment Language (OVAL) board member ● Speaker at Various Security Conferences ● Passion for Visual Security Event Analysis see http://afterglow.sourceforge.net
  • 4. Table Of Contents • The Security Monitoring Challenge • Solving Event Overload - Today — Normalization — Prioritization — Correlation • Visual Security Event Analysis — Situational Awareness — Real-time Monitoring — Forensic and Historical Analysis
  • 5. A Picture is Worth a Thousand Log Entries Detect the Expected & Discover the Unexpected Reduce Analysis and Response Times Make Better Decisions
  • 6. Typical Security Monitoring Challenges — Complexity: “How can I manage this flood of data?” — Accuracy: “I wish I could see prioritized and relevant information!” — Efficiency: “How can we prioritize and communicate efficiently?” — Reporting: “How can I demonstrate compliance?” … and do it all cost effectively
  • 7. The Needle in the Haystack (funnel diagram) Security information / events: tens of millions per day, then millions per day, then less than 1 million per month, down to a few thousand per month; grouped under Defense in Depth, Insider Threat and Compliance. Event classes on the slide: raw events, normal, audit trail, pre-attacks, attack, failed attacks, false alarms, policy violations, potential breaches, verified breaches, identified vulnerabilities, misuse.
  • 9. Data Analysis Components • Collection, Normalization, and Aggregation • Risk-based Prioritization with Vulnerability and Asset Information • Real-time Correlation across event sources — Rule-based Correlation — Statistical Correlation Intelligence • Advanced Analytics — Pattern Detection
  • 10. Event Normalization and Categorization (Normalization / Categorization) Sample Raw Pix Events:
    Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
    Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
    Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
    Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
  • 11. Risk-based Prioritization (diagram) Event sources feed the Security Model through the event collector: Unix/Linux/AIX/Solaris agents, Windows systems, security device agents, mainframe & apps, databases. Vulnerability scanner agents and asset information agents contribute Asset Criticality, Relevance and Confidence; together with the event Severity the Security Model produces the Prioritized Event.
  • 12. Event Correlation • Most overused and least well-defined concept in ESM. • Combine multiple events through predefined rules or analyze statistical properties of event streams —Across devices —Heavily utilizing event categorization • Helps eliminate false positives • Correlation is not prioritization! —Can use priorities of individual events
  • 13. Four Types of Real-time Correlation — Simple Event Match: Failed logins on UNIX systems + Failed logins on Windows systems → 5 or more failed logins in a minute from same source → Attempted Brute Force Attack — Complex Multi-Event Match: Attempted Brute Force Attack + Successful login to Windows systems → Successful Login
  • 14. Four Types of Real-time Correlation (Simple, Complex, Statistical, Stateful) — Statistical: Mathematical model, e.g. 50% increase in traffic per port and machine? Traffic per port going to 10.0.0.2 — Stateful: Terminated employee list (manual population: user jdoe, user ram, …) + Login attempt from user ram → User on terminated employee list tries to login
  • 15. Advanced Analytics - Pattern Detection • Automatically detect repetitive event patterns (Name / Device Product): NETBIOS DCERPC Activation bind attempting little endian (Snort); NETBIOS DCERPC System Activity path overflow attempt little endian unicode (Snort); Tagged Packet (Snort); SHELLCODE x86 NOOP (Snort); NETBIOS DCERPC Remote Activity bind attempt (Snort) • Capability to detect new worms, malware, system misconfigurations, etc. • Automatically create correlation rules to flag new occurrences of attack
  • 17. Why a Visual Approach Helps A picture tells more than a thousand log lines
  • 18. Visual Approach – Benefits I • Multiple views on the same data
  • 19. Visual Approach – Benefits II • Selection and drill-down • Color by different properties
  • 20. Three Aspects of Visual Security Event Analysis • Situational Awareness — What is happening in a specific business area (e.g., compliance monitoring) — What is happening on a specific network — What are certain servers doing • Real-Time Monitoring and Incident Response — Capture important activities and take action — Event Workflow — Collaboration • Forensic and Historic Investigation — Selecting arbitrary set of events for investigation — Understanding big picture — Analyzing relationships - Exploration — Reporting
  • 24. MMS CDRs (graph: From Phone# → MSG Type → To Phone#)
  • 27. Real-time Monitoring – Detect Activity
  • 28. Analysis Process (diagram) — Real-time Visual Detection — Data Processing — Automatic Action / Automatic Remediation — Creation of new Filters and Correlation Components — Visual Investigation — Forensic and Historical Analysis — Assign to 2nd Level Analysis — Assign Ticket for Operations
  • 29. Visual Detection and Investigation Beginning of Analyst’s shift
  • 30. Visual Detection Scanning activity is displayed Firewall Blocks Scan Events
  • 32. Define New Correlation Rules and Filters 1. Rule: Assign for further analysis if more than 20 firewall drops from an external machine to an internal machine 2. Filter: Internal machines on white-list connecting to active directory servers 3. Open a ticket for Operations to quarantine and clean infected machines
  • 33. Real-time Analysis - Summary • Benefits of Visual Analysis — Visually driven process for investigating events — Visual investigation helps • get a quick turn-around • detect new and previously unknown patterns (i.e. incidents) — Reduced event load for analysts by feeding gained knowledge back into the analysis work-flow.
  • 35. Forensic and Historical Investigation • Three Areas of Concern — Defense in Depth — Insider Threat — Compliance
  • 36. Defense In Depth - Port Scan Detection
  • 38. Insider Threat – User Reporting High ratio of failed logins
  • 39. Insider Threat - Email Problems (graph: To → Delay → To; legend: 2:00 < Delay < 10:00, Delay > 10:00)
  • 40. Compliance – Business Reporting • Attacks targeting internal systems (graph: Attacks → Revenue Generating Systems)
  • 42. Summary Detect the expected & discover the unexpected Reduce analysis and response times Make better decisions
  • 43. Q&A Raffael Marty ArcSight, Inc. Email: raffy@arcsight.com
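Slide 10 shows raw Cisco PIX lines beside their normalized and categorized form but not the parsing step in between. The following is an added example, not code from the talk or from ArcSight's product: it parses the four PIX message types on the slide into one schema and attaches a category and outcome from a small constructed table. The per-message-id body patterns, the Firewall/NAT category table and the rule that swaps the two address pairs for outbound 302013 connections (so that src is the host that opened the connection) are assumptions of this example; the sample lines are the obfuscated ones from the slide.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the obfuscated Cisco PIX syslog lines shown on slide 10.
SAMPLE_PIX_LINES = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

# Common PIX syslog header: timestamp, severity digit, six-digit message id, free-form body.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

# One body pattern per message id on the slide (assumed layouts, written for these samples).
BODY_RE = {
    "106011": re.compile(r"Deny (?P<direction>inbound|outbound) \(No xlate\) (?P<proto>\w+) "
                         r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "106015": re.compile(r"Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface \w+"),
    "302013": re.compile(r"Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection \d+ "
                         r"for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
                         r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                         r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
}

# Categorization table (constructed): message id -> (category, outcome). Rules later match on
# these device-independent labels instead of on vendor message ids.
CATEGORY: Dict[str, Tuple[str, str]] = {
    "106011": ("Firewall", "Deny"),
    "106015": ("Firewall", "Deny"),
    "302013": ("Firewall", "Accept"),
    "305011": ("NAT", "Translation"),
}


@dataclass
class NormalizedEvent:
    timestamp: str
    device_severity: int      # raw PIX severity: 0 (most severe) .. 7 (least severe)
    msg_id: str
    category: str
    outcome: str
    proto: str                # lower-cased so "udp" and "TCP" share one spelling
    src: str
    sport: int
    dst: str
    dport: int
    direction: Optional[str] = None
    flags: Optional[str] = None
    raw: str = ""


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Parse one PIX line into the common schema; None for lines this example does not cover."""
    head = HEADER_RE.match(line.strip())
    if not head:
        return None
    msg_id = head.group("msgid")
    pattern = BODY_RE.get(msg_id)
    if pattern is None:
        return None
    body = pattern.match(head.group("body"))
    if not body:
        return None
    f = body.groupdict()
    src, sport, dst, dport = f["src"], int(f["sport"]), f["dst"], int(f["dport"])
    # Assumption: in 302013 the first address pair is the lower-security-interface side, so for an
    # outbound connection the initiating inside host is the second pair; swap to keep src = initiator.
    if msg_id == "302013" and f.get("direction") == "outbound":
        src, sport, dst, dport = dst, dport, src, sport
    category, outcome = CATEGORY[msg_id]
    return NormalizedEvent(
        timestamp=head.group("ts"), device_severity=int(head.group("sev")), msg_id=msg_id,
        category=category, outcome=outcome, proto=f["proto"].lower(),
        src=src, sport=sport, dst=dst, dport=dport,
        direction=f.get("direction"), flags=f.get("flags"), raw=line,
    )


def normalize_all(lines: List[str]) -> List[NormalizedEvent]:
    return [e for e in (normalize(l) for l in lines) if e is not None]


def counts_by_category(events: List[NormalizedEvent]) -> Counter:
    """What categorization buys you: counts over (category, outcome) regardless of device format."""
    return Counter((e.category, e.outcome) for e in events)


if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_PIX_LINES):
        print(f"{ev.timestamp} {ev.category}/{ev.outcome} {ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}")
    print(counts_by_category(normalize_all(SAMPLE_PIX_LINES)))
```

Adding a new device means adding header and body patterns plus rows in the category table; nothing downstream that matches on `category`/`outcome` changes, which is the point slide 12 makes about correlation "heavily utilizing event categorization".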
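Slide 11 names the inputs of risk-based prioritization (event severity, relevance from vulnerability scans, asset criticality, confidence from the security model) but not how they combine. The following is an added example, not the talk's or ArcSight's scoring model: it shows the same IDS alert receiving a different priority depending on what is known about the target. The weights, the relevance ladder, the asset inventory, the 192.0.2.0/24 and 10.0.0.0/8 addresses and the placeholder vulnerability id VULN-WEB-1 are all constructed for illustration; the event name is the Snort one listed on slide 15.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Asset:
    ip: str
    criticality: int          # 0..10 from the asset inventory (10 = revenue generating)
    open_ports: Set[int]      # from the vulnerability scanner
    vulns: Set[str]           # vulnerability ids the scanner reported on this host


@dataclass
class Event:
    name: str                 # categorized event name
    src: str
    dst: str
    dport: int
    severity: int             # 0..10 normalized device severity
    exploits: Set[str]        # vulnerability ids this signature is known to exploit (may be empty)
    confidence: int           # 0..10 trust the security model puts in this device/signature


# Constructed asset inventory; VULN-WEB-1 is a placeholder id, not a real identifier.
ASSETS: Dict[str, Asset] = {
    "10.0.0.2":  Asset("10.0.0.2",  criticality=9, open_ports={80, 443}, vulns={"VULN-WEB-1"}),
    "10.0.0.50": Asset("10.0.0.50", criticality=2, open_ports={22},      vulns=set()),
}

# Constructed sample alerts: one signature, three targets.
EVENT_VULNERABLE_TARGET = Event("SHELLCODE x86 NOOP", "192.0.2.7", "10.0.0.2",  80, 7, {"VULN-WEB-1"}, 6)
EVENT_PORT_CLOSED      = Event("SHELLCODE x86 NOOP", "192.0.2.7", "10.0.0.50", 80, 7, {"VULN-WEB-1"}, 6)
EVENT_UNKNOWN_TARGET   = Event("SHELLCODE x86 NOOP", "192.0.2.7", "10.0.0.99", 80, 7, {"VULN-WEB-1"}, 6)


def relevance(event: Event, asset: Optional[Asset]) -> int:
    """Does this attack matter to this target? Constructed ladder:
    10 target confirmed vulnerable, 5 target unknown or service exposed with no vuln link,
    3 service exposed but scanner saw no matching vulnerability, 0 port closed."""
    if asset is None:
        return 5
    if event.exploits and event.exploits & asset.vulns:
        return 10
    if event.dport not in asset.open_ports:
        return 0
    if event.exploits:
        return 3
    return 5


# Constructed weights: severity and relevance dominate, then asset criticality, then confidence.
WEIGHTS = {"severity": 0.35, "relevance": 0.30, "criticality": 0.25, "confidence": 0.10}


def explain(event: Event, assets: Dict[str, Asset]) -> Dict[str, int]:
    """The four factors behind a priority, so an analyst can see why an event was ranked."""
    asset = assets.get(event.dst)
    return {
        "severity": event.severity,
        "relevance": relevance(event, asset),
        "criticality": asset.criticality if asset else 5,   # unknown asset: middle of the scale
        "confidence": event.confidence,
    }


def prioritize(event: Event, assets: Dict[str, Asset]) -> int:
    """Priority 0..10 for the analyst queue."""
    parts = explain(event, assets)
    return round(sum(WEIGHTS[k] * v for k, v in parts.items()))


if __name__ == "__main__":
    for ev in (EVENT_VULNERABLE_TARGET, EVENT_PORT_CLOSED, EVENT_UNKNOWN_TARGET):
        print(ev.dst, prioritize(ev, ASSETS), explain(ev, ASSETS))
```

The unknown-target case is deliberately kept in the middle rather than dropped: an asset that is missing from the inventory is a gap in the model, not evidence that the attack failed.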
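Slides 13 and 14 describe simple event matching (5 or more failed logins in a minute from the same source, across UNIX and Windows), complex multi-event matching (that brute-force attempt followed by a successful Windows login) and stateful correlation (a login attempt by a user on the manually populated terminated-employee list, jdoe and ram on the slide). The rule on slide 32 (more than 20 firewall drops from one external machine to an internal machine) has the same windowed-count shape with a different key and threshold. The following is an added example, not the talk's or ArcSight's correlation engine, implementing those three rule types over a constructed login stream. The 60-second window, the 600-second follow-up window, the sample users, hosts and TEST-NET addresses (192.0.2.0/24) are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass
class AuthEvent:
    ts: int          # seconds (constructed clock)
    user: str
    src: str
    host: str
    platform: str    # "unix" or "windows": rules match on this category, not on the raw device
    outcome: str     # "failure" or "success"


# Constructed sample stream (out of order on purpose; the engine sorts by time).
SAMPLE_EVENTS = [
    AuthEvent(0,   "jsmith", "192.0.2.10", "unix01", "unix",    "failure"),
    AuthEvent(10,  "jsmith", "192.0.2.10", "unix01", "unix",    "failure"),
    AuthEvent(20,  "admin",  "192.0.2.10", "win01",  "windows", "failure"),
    AuthEvent(30,  "admin",  "192.0.2.10", "win01",  "windows", "failure"),
    AuthEvent(40,  "admin",  "192.0.2.10", "win02",  "windows", "failure"),
    AuthEvent(55,  "admin",  "192.0.2.10", "win02",  "windows", "success"),
    AuthEvent(5,   "bob",    "192.0.2.20", "unix02", "unix",    "failure"),
    AuthEvent(100, "bob",    "192.0.2.20", "unix02", "unix",    "failure"),
    AuthEvent(400, "bob",    "192.0.2.20", "unix02", "unix",    "failure"),
    AuthEvent(500, "ram",    "192.0.2.30", "unix03", "unix",    "failure"),
]

# Stateful input from slide 14: the terminated-employee list is populated by hand, not learned.
TERMINATED: Set[str] = {"jdoe", "ram"}

Alert = Tuple[str, str, str, int]   # (rule name, source, detail, timestamp)


def correlate(events: List[AuthEvent], terminated: Set[str],
              threshold: int = 5, window: int = 60, followup: int = 600) -> List[Alert]:
    """Run the three rule types over a time-ordered event stream and return correlated alerts."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[int]] = defaultdict(deque)   # src -> failure timestamps inside window
    brute_forced: Dict[str, int] = {}                       # src -> time the simple rule fired

    for ev in sorted(events, key=lambda e: e.ts):
        # Stateful: any attempt by a user on the terminated list, successful or not.
        if ev.user in terminated:
            alerts.append(("Terminated user login attempt", ev.src, ev.user, ev.ts))

        if ev.outcome == "failure":
            # Simple event match: sliding window of failures keyed by source, platform-independent.
            q = failures[ev.src]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:
                q.popleft()
            # Fire once per source; later failures from the same source do not re-alert.
            if len(q) >= threshold and ev.src not in brute_forced:
                brute_forced[ev.src] = ev.ts
                alerts.append(("Attempted Brute Force Attack", ev.src,
                               f"{len(q)} failures in {window}s", ev.ts))
        elif ev.outcome == "success":
            # Complex multi-event match: the correlated brute-force event plus a later Windows success.
            started = brute_forced.get(ev.src)
            if started is not None and ev.platform == "windows" and ev.ts - started <= followup:
                alerts.append(("Successful Login after Brute Force", ev.src,
                               f"{ev.user}@{ev.host}", ev.ts))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, TERMINATED):
        print(alert)
```

Two points worth noticing against the slides: the window is keyed by source so UNIX and Windows failures count together, which is only possible because the events were categorized first; and the multi-event rule consumes the output of the simple rule rather than re-counting, which is what keeps the higher-priority alert from drowning in the lower-priority ones.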

Editor's Notes

  1. Reduce analysis and response times: quickly visualize thousands of events; facilitate communication; graphs are easier to understand than textual events. Make better decisions: situational awareness; visualize status of business posture; visual display of most important properties. Detect the Expected & Discover the Unexpected: reporting; visually identify patterns and outliers.
  2. The graph shows a configuration that uses the destination address (green nodes) and target ports (white nodes). The contiguous port numbers either represent a part of a portscan or, what is more likely, a device which reports source ports as destination ports for some of the events.