
A Visual Approach to Security Event Management
EuSecWest '06, London

Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
February 21st, 2006


Presentation Transcript


  1. A Visual Approach to Security Event Management, EuSecWest '06, London. Raffael Marty, GCIA, CISSP, Senior Security Engineer @ ArcSight, February 21st, 2006

  2. Raffael Marty, GCIA, CISSP
     • Enterprise Security Management (ESM) specialist
     • Strategic Application Solutions @ ArcSight, Inc.
     • Intrusion Detection Research @ IBM Research
     • See http://thor.cryptojail.net
     • IT Security Consultant @ PriceWaterhouse Coopers
     • Open Vulnerability and Assessment Language (OVAL) board member
     • Passion for Visual Security Event Analysis

  3. Table Of Contents
     • Introduction
     • Basics
     • Examples of Graphs you can draw with AfterGlow
     • AfterGlow: 1.x – Event Graphs; 2.0 – TreeMaps; Future – All in One!

  4. Introduction

  5. Disclaimer: IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.

  6. Text or Visuals?
     • What would you rather look at?
       Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
       Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
       Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
       Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
       Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
       Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
       Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
       Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:45:42 rmarty last message repeated 2 times
       Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
       Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
       Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
       Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
       Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
       Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
       Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
       Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
       Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
       Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
       Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128

  7. A Picture is Worth a Thousand Log Entries
     • Detect the Expected & Discover the Unexpected
     • Reduce Analysis and Response Times
     • Make Better Decisions

  8. Three Aspects of Visual Security Event Analysis
     • Situational Awareness
       • What is happening in a specific business area (e.g., compliance monitoring)
       • What is happening on a specific network
       • What are certain servers doing
     • Real-Time Monitoring and Incident Response
       • Capture important activities and take action
       • Event Workflow
       • Collaboration
     • Forensic and Historic Investigation
       • Selecting arbitrary set of events for investigation
       • Understanding big picture
       • Analyzing relationships - Exploration
       • Reporting

  9. Basics

  10. How To Generate A Graph?
     Device -> Log File -> Parser -> ... | Normalization | ... -> Visualizer -> Visual
     (the slide shows the syslog excerpt from slide 6 as the log file entering the parser)

  11. Visual Types I
     • Will focus on visuals that AfterGlow supports:
       • Event Graphs (Link Graphs) – AfterGlow 1.x - Perl
       • TreeMaps – AfterGlow 2.0 - JAVA

  12. Visual Types II
     • TreeMaps [figure: boxes labeled Block / Pass and TCP / UDP]
       • Hierarchy
       • "Box" Coloring
       • "Box" Size
     • Event Graphs (Link Graphs) [figure: SIP -> Name -> DIP]
       • Node Configuration
       • Node Coloring
       • Edge Coloring

  13. Link Graph Configurations
     Raw Event:
       [**] [1:1923:2] RPC portmap UDP proxy attempt [**]
       [Classification: Decode of an RPC Query] [Priority: 2]
       06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
       UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120
     Different node configurations (source -> event -> target):
       • SIP -> Name -> DIP: 192.168.10.90 -> RPC portmap -> 192.168.10.255
       • SIP -> DIP -> DPort: 192.168.10.90 -> 192.168.10.255 -> 111
       • SIP -> SPort -> DPort: 192.168.10.90 -> 32859 -> 111
       • Name -> SIP -> DIP: RPC portmap -> 192.168.10.90 -> 192.168.10.255

  14. TreeMap Configurations
     Raw Event: the same Snort alert as on slide 13 ([1:1923:2] RPC portmap UDP proxy attempt, 192.168.10.90:32859 -> 192.168.10.255:111 UDP)
     Different configurations (hierarchy levels shown in the slide's figures): SIP > Name > DIP; SIP > DIP > DPort; SIP > Name > SPort; SIP > DIP (leaf shown: 192.168.10.255)
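Slides 13 and 14 both take one normalized event and pick three columns from it. The following Python parser is an added illustration, not AfterGlow's own Perl parser: it normalizes the Snort alert from slide 13 into named fields and emits the CSV line for each node or hierarchy configuration on the two slides. The regexes and the field names (SIP, SPort, DIP, DPort, Name, SID, Proto, TTL) are this example's assumptions.

```python
import re

# Constructed copy of the raw Snort alert shown on slides 13 and 14.
RAW_EVENT = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF Len: 120
"""

# "[**] [gid:sid:rev] signature name [**]"
HEADER_RE = re.compile(r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]")
# "timestamp SIP:SPort -> DIP:DPort"; ICMP alerts carry no ports, so they are optional
PACKET_RE = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+) (?P<sip>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dip>[\d.]+)(?::(?P<dport>\d+))?")
PROTO_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)", re.M)

def parse_snort_alert(raw):
    """Normalize one full-format alert into the field names used on the slides."""
    hdr, pkt = HEADER_RE.search(raw), PACKET_RE.search(raw)
    if not (hdr and pkt):
        raise ValueError("not a Snort full-format alert")
    fields = {"Name": hdr.group("name"), "SID": hdr.group("sid"),
              "SIP": pkt.group("sip"), "SPort": pkt.group("sport") or "",
              "DIP": pkt.group("dip"), "DPort": pkt.group("dport") or ""}
    proto = PROTO_RE.search(raw)
    if proto:
        fields["Proto"], fields["TTL"] = proto.group("proto"), proto.group("ttl")
    return fields

def to_csv_row(fields, config):
    """One AfterGlow CSV line for a configuration such as ("SIP", "Name", "DIP")."""
    return ",".join(fields[name] for name in config)

# The four node configurations drawn on slide 13 (also usable as treemap hierarchies).
CONFIGS = [("SIP", "Name", "DIP"), ("SIP", "DIP", "DPort"),
           ("SIP", "SPort", "DPort"), ("Name", "SIP", "DIP")]

if __name__ == "__main__":
    ev = parse_snort_alert(RAW_EVENT)
    for cfg in CONFIGS:
        print(" > ".join(cfg), ":", to_csv_row(ev, cfg))
```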

  15. Graph Use Cases – Things You Can Do With AfterGlow

  16. Situational Awareness Dashboard

  17. Vulnerability Awareness I [graph: DIP -> Vuln -> Score; callouts: One Machine, A Vulnerability]

  18. Vulnerability Awareness II [graph: DIP -> Score -> Vuln]

  19. AfterGlow - LGL

  20. Monitoring Web Servers [graph: Traffic to Web Servers]

  21. Suspicious Activity?

  22. Network Scan

  23. Port Scan • Port scan or something else?

  24. Port Scan [graph: SIP -> DIP -> DPort]

  25. Firewall Activity
     [two graphs, Outgoing and Incoming: SIP -> Rule# -> DIP, with nodes labeled Internal Machine / External Machine]
     • Next Steps:
       • Visualize "FW Blocks" of outgoing traffic -> Why do internal machines trigger blocks?
       • Visualize "FW Blocks" of incoming traffic -> Who and what tries to enter my network?
       • Visualize "FW Passes" of outgoing traffic -> What is leaving the network?

  26. Firewall Rule-set Analysis [graph; legend: pass / block]

  27. Load Balancer

  28. Worms

  29. DefCon 2004 Capture The Flag [graph: SIP -> DIP -> DPort; annotations: DstPort < 1024, DstPort > 1024, Source Of Evil, Internal Target, Other Team's Target, Internal Source, Internet Target, Exposed Services, Our Servers]

  30. DefCon 2004 Capture The Flag – TTL Games [graph: SIP -> TTL -> DIP; annotations: Source Of Evil, Internal Target, Internal Source, Offender, Our Servers]

  31. DefCon 2004 Capture The Flag – More TTL [graph: Flags -> TTL -> DPort; Show Node Counts]

  32. Telecom Malicious Code Propagation [graph; node labels: From Phone#, Content Type|Size, To Phone#]

  33. Email Cliques [graph: From -> To; legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain]

  34. Email Relays [graph: From -> To; legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain]
     • Make "my domain" invisible
     • Grey out emails to and from "my domain"
     • Do you run an open relay?

  35. Email SPAM? [graph: To -> Size]
     • Size > 10.000
     • Omit threshold = 1
     • Multiple recipients with same-size messages

  36. Email SPAM? [graph: From -> nrcpt]
     • nrcpt >= 2
     • Omit threshold = 1

  37. BIG Emails – Documents leaving the network? [graph: From -> To -> Size]
     • Size > 100.000
     • Omit Threshold = 2

  38. Email Server Problems? [graph: To -> Delay]
     • 2:00 < Delay < 10:00
     • Delay > 10:00

  39. AfterGlow afterglow.sourceforge.net

  40. AfterGlow
     • http://afterglow.sourceforge.net
     • Two Versions:
       • AfterGlow 1.x – Perl for Event Graphs
       • AfterGlow 2.0 – Java for TreeMaps

  41. AfterGlow 1.x - Perl
     • Supported graphing tools:
       • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/
       • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/
     [pipeline: Parser -> CSV File -> AfterGlow -> Graph Language File -> Grapher]

  42. AfterGlow 1.x – Command Line Parameters
     • Some command line arguments:
       -h : help
       -t : two node mode
       -d : print count on nodes
       -e : edge length
       -n : no node labels
       -o threshold : omit threshold (fan-out for nodes to be displayed)
       -c configfile : color configuration file

  43. AfterGlow 1.x – color.properties
     color.[source|event|target|edge]=<perl expression returning a color name>
     • Array @fields contains the input line, split into tokens:
       color.event="red" if ($fields[1] =~ /^192\..*/)
     • Special color "invisible":
       color.target="invisible" if ($fields[0] eq "IIS Action")
     • Edge color:
       color.edge="blue"

  44. AfterGlow 1.x – color.properties - Example
     color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
     color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
     color.source="orangered1"
     color.event="slateblue4"
     color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
     color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
     color.target="orangered1"
     color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
     color.edge="cyan4"
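To make the semantics of the file above concrete, here is an added Python re-implementation of the rule evaluation (it is not AfterGlow's code, which evaluates each property as a Perl expression): for each of source, event, target and edge, the first rule whose $fields test holds supplies the color, and the unconditional line at the end of each group is the fallback. The rule table transcribes slide 44 plus the "invisible" target rule from slide 43; the CSV rows are constructed for this example.

```python
import re

# Rule = (field index or None, regex or None, color). A rule without a condition is
# the unconditional fallback (the last line of each group in the slide's file).
# Rules are tried top to bottom and the first one whose condition holds wins.
# Transcribed from slide 44, plus slide 43's "invisible" target rule; the edge
# rule's "or" is written here as two rules with the same color.
RULES = {
    "source": [(0, r"191\.141\.69\.4", "olivedrab"),
               (0, r"211\.254\.110\.", "olivedrab"),
               (None, None, "orangered1")],
    "event":  [(None, None, "slateblue4")],
    "target": [(0, r"^IIS Action$", "invisible"),
               (2, r"191\.141\.69\.4", "olivedrab"),
               (2, r"211\.254\.110\.", "olivedrab"),
               (None, None, "orangered1")],
    "edge":   [(0, r"191\.141\.69\.4", "firebrick"),
               (2, r"191\.141\.69\.4", "firebrick"),
               (None, None, "cyan4")],
}

# Constructed three-column CSV rows (source, event, target); not data from the slides.
SAMPLE_ROWS = [
    "191.141.69.4,RPC portmap,10.0.0.5",
    "10.0.0.9,Login,211.254.110.7",
    "IIS Action,GET /index.html,10.0.0.9",
]

def color_for(fields, rules):
    """First matching color for one node or edge; None if no rule matches."""
    for index, pattern, color in rules:
        if pattern is None or (index < len(fields) and re.search(pattern, fields[index])):
            return color
    return None

def color_row(line, rules=RULES):
    """Split a CSV line into @fields as AfterGlow does and color all four elements."""
    fields = line.rstrip("\n").split(",")
    return {part: color_for(fields, part_rules) for part, part_rules in rules.items()}

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row, "->", color_row(row))
```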

  45. AfterGlow 2.0 - Java
     • Command line arguments:
       -h : help
       -c file : property file
       -f file : data file
     [pipeline: Parser -> CSV File -> AfterGlow - Java]

  46. AfterGlow 2.0 - Example
     • Launch: ./afterglow-java.sh -c afterglow.properties
     • Properties file (afterglow.properties):
       # AfterGlow - JAVA 2.0
       # Properties File
       # File to load
       file.name=/home/ram/afterglow/data/sample.csv
       # Column Types (default is STRING), start with 0!
       # Valid values:
       #   STRING
       #   INTEGER
       #   CATEGORICAL
       column.type.count=4
       column.type[0].column=0
       column.type[0].type=INTEGER
       column.type[1].column=1
       column.type[1].type=CATEGORICAL
       column.type[2].column=2
       column.type[2].type=CATEGORICAL
       column.type[3].column=3
       column.type[3].type=CATEGORICAL
       # Size Column (default is 0)
       size.column=0
       # Color Column (default is 0)
       color.column=2
     • Data (sample.csv):
       Target System Type,SIP,DIP,User,Outcome
       Development,192.168.10.1,10.10.2.1,ram,failure
       VPN,192.168.10.1,10.10.2.1,ram,success
       Financial System,192.168.20.1,10.0.3.1,drob,success
       VPN,192.168.10.1,10.10.2.1,ram,success
       VPN,192.168.10.1,10.10.2.1,jmoe,failure
       Financial System,192.168.10.1,10.10.2.1,jmoe,success
       Financial System,192.168.10.1,10.10.2.1,jmoe,failure

  47. AfterGlow 2.0 – Java - Output

  48. AfterGlow 2.0 – Java - Interaction
     • Left-click: Zoom in
     • Right-click: Zoom all the way out
     • Middle-click: Change Coloring to current depth (Hack: Use SHIFT for leafs)

  49. AfterGlow 3.0 – The Future
     • Generating LinkGraphs with the Java version
     • Adding more output formats
     • Saving output as image file
     • Animation

  50. AfterGlow – Parsers
     • tcpdump2csv.pl
       • Takes care of swapping response source and targets
         tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
     • sendmail_parser.pl
       • Reassemble email conversations:
         Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
         Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
```
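Added example in Python (not the sendmail_parser.pl from the slide): reassembling a conversation means keying the from= line and every to= line on the sendmail queue id, then carrying the sender's size and nrcpts onto each recipient row, so that one CSV row per recipient can feed the Size, nrcpt and Delay thresholds used on slides 35 to 38. The sample log holds the two lines from the slide plus a second, constructed conversation whose queue id and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: the two sendmail lines from slide 50 plus a made-up second
# conversation (placeholder queue id and addresses) with two recipients, a large
# size and a long delivery delay, so that every threshold below fires once.
SAMPLE_LOG = """\
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<root@localhost.localdomain>, size=650, class=0, nrcpts=1,
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<root@localhost.localdomain> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 rmarty sendmail[17090]: QUEUEID000002: from=<bob@example.net>, size=120000, class=0, nrcpts=2,
Jul 24 21:17:10 rmarty sendmail[17091]: QUEUEID000002: to=<alice@example.org>, delay=00:12:08, xdelay=00:00:03, mailer=esmtp, stat=Sent
Jul 24 21:17:11 rmarty sendmail[17091]: QUEUEID000002: to=<carol@example.org>, delay=00:12:09, xdelay=00:00:01, mailer=esmtp, stat=Sent
"""
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kv>.*)$")

def _kv(text):
    """'from=<a@b>, size=650, ...' -> {'from': 'a@b', 'size': '650', ...}; first value wins."""
    out = {}
    for m in re.finditer(r"(\w+)=<?([^,<> ]*)>?", text):
        out.setdefault(m.group(1), m.group(2))
    return out

def _seconds(hms):
    """'HH:MM:SS' delay string -> seconds."""
    return sum(int(x) * k for x, k in zip(hms.split(":"), (3600, 60, 1)))

def reassemble(log):
    """Join the from= line and every to= line that share a sendmail queue id."""
    senders, rcpts = {}, defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kv = _kv(m.group("kv"))
        if "from" in kv:
            senders[m.group("qid")] = kv
        elif "to" in kv:
            rcpts[m.group("qid")].append(kv)
    return [{"from": snd["from"], "to": rcp["to"], "size": int(snd["size"]),
             "nrcpts": int(snd["nrcpts"]), "delay": _seconds(rcp["delay"])}
            for qid, snd in senders.items() for rcp in rcpts.get(qid, [])]

def flags(row):
    """Thresholds the slides use for the SPAM, BIG Emails and Server Problems graphs."""
    f = set()
    if row["size"] > 10000: f.add("size>10000")
    if row["nrcpts"] >= 2: f.add("nrcpt>=2")
    if row["size"] > 100000: f.add("big")
    if row["delay"] > 600: f.add("delay>10:00")
    return f
```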
