Security Information Management

Security information management (SIM) systems arose as a result of the vast volume of security information originating from disparate intrusion detection, prevention, and firewall systems. SIM systems serve to normalize, correlate, and provide context on events originating from these devices. Interpreting the output from these devices is no small task, given the diverse detection capabilities and variances in nomenclature and output formats.

Many intrusion detection and prevention vendors offer some form of management interface in order to provide for both configuration and monitoring of their own devices. These products are often specific to that vendor, and may not support management or monitoring of competing devices.

To serve its purpose well, a SIM solution must provide some of the basic capabilities discussed here.

Event Normalization

Event normalization involves the normalizing or mapping of events from disparate vendors into a common event dictionary. This provides a common view of events originating from multiple devices that may have been procured through different vendors. For example, Vendor 1 may name the vulnerability associated with CodeRed the "ISAPI DLL Buffer Overflow Attack" while Vendor 2 may call this same attack "Microsoft IIS ISAPI DLL Exploitation." An event dictionary provides normalization of these names by mapping vendor-specific event names to a common name. But simply mapping events to a common name may not be this easy, given the disparity in signature quality and detection ability described previously. What Vendor 1 and Vendor 2 are detecting may differ, and an intelligent SIM solution should take this into account.

No standard naming or numbering systems exist today in order to classify intrusion detection system events across vendors. The only standard that does exist is the classification of the vulnerability that a particular signature may detect (if it is detecting a vulnerability and not some other behavior). This is done via the Common Vulnerabilities and Exposures (CVE) identifier, a vulnerability tracking and numbering system maintained by MITRE Corporation. This dictionary of vulnerabilities provides an industry standard numbering mechanism for vulnerabilities.

In addition to providing a dictionary for the purpose of normalizing security events, this dictionary should refer to a knowledge base of in-depth information on the vulnerabilities and exposures associated with the security event. This database should provide information about the core vulnerability, the platforms and technologies it affects, and patches and mitigation information on resolving the vulnerability itself.

Therefore, when evaluating a SIM solution it is important to consider what depth of security knowledge exists within the solution and what process was used to build this knowledge base. Also important is how often updates are made available to this knowledge base, as without updates an organization is blind to the latest threats even if their security devices may be detecting them. At the pace at which new threats emerge today, the SIM solution must be updated as quickly as the core security technologies that are protecting your network.
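The normalization stage described above, as an added example that is not code from the book: two constructed vendor log formats are parsed, each vendor's signature name is mapped through a common event dictionary, and the knowledge-base entry (platforms affected, mitigation) is attached. The vendor formats, field names, event names and the CVE placeholder are all assumptions for this example.

```python
import json

# Constructed event dictionary: (vendor, vendor-specific signature name) -> common event name.
EVENT_DICTIONARY = {
    ("vendor1", "ISAPI DLL Buffer Overflow Attack"): "iis-isapi-overflow",
    ("vendor2", "Microsoft IIS ISAPI DLL Exploitation"): "iis-isapi-overflow",
    ("vendor2", "SSH Login Brute Force"): "ssh-bruteforce",
}

# Constructed knowledge base keyed by common name; the CVE id is a placeholder, not a real identifier.
KNOWLEDGE_BASE = {
    "iis-isapi-overflow": {"cve": "CVE-XXXX-YYYY", "affects": ["Microsoft IIS"],
                           "mitigation": "apply vendor patch; remove unused ISAPI extensions"},
    "ssh-bruteforce": {"cve": None, "affects": ["any SSH server"],
                       "mitigation": "rate-limit authentication; require key-based login"},
}

def parse_vendor1(line: str) -> dict:
    """vendor1 log format (constructed): ts|src|dst|signature name."""
    ts, src, dst, sig = line.rstrip("\n").split("|", 3)
    return {"vendor": "vendor1", "ts": int(ts), "src": src, "dst": dst, "sig": sig}

def parse_vendor2(line: str) -> dict:
    """vendor2 log format (constructed): one JSON object per line with its own field names."""
    d = json.loads(line)
    return {"vendor": "vendor2", "ts": d["time"], "src": d["attacker"],
            "dst": d["target"], "sig": d["event_name"]}

def normalize(raw: dict) -> dict:
    """Map a vendor event onto the common dictionary and attach knowledge-base context.
    Signatures missing from the dictionary are kept but flagged 'unmapped:' so a dictionary gap is visible."""
    common = EVENT_DICTIONARY.get((raw["vendor"], raw["sig"]), "unmapped:" + raw["sig"])
    kb = KNOWLEDGE_BASE.get(common, {})
    return {"name": common, "src": raw["src"], "dst": raw["dst"], "ts": raw["ts"],
            "vendor": raw["vendor"], "vendor_name": raw["sig"],
            "cve": kb.get("cve"), "affects": kb.get("affects", []),
            "mitigation": kb.get("mitigation")}

# Constructed sample input: the same attack reported by two vendors, plus one unmapped signature.
SAMPLE_RAW = [
    "1000|198.51.100.7|192.0.2.10|ISAPI DLL Buffer Overflow Attack",
    '{"time": 1001, "attacker": "198.51.100.7", "target": "192.0.2.10", '
    '"event_name": "Microsoft IIS ISAPI DLL Exploitation"}',
    "1002|203.0.113.5|192.0.2.20|Some New Vendor1 Signature",
]

def normalize_all(lines=SAMPLE_RAW) -> list:
    """Dispatch each raw line to its vendor parser by format, then normalize."""
    return [normalize(parse_vendor2(line) if line.startswith("{") else parse_vendor1(line))
            for line in lines]
```

After normalization the two vendors' reports of the same attack share one name and one knowledge-base entry, while the unmapped signature surfaces as a dictionary maintenance task rather than disappearing.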

Event Correlation/Reduction

Security event correlation has been interpreted in many ways in the past. Correlation itself can be defined as "a causal, complementary, parallel, or reciprocal relationship, especially a structural, functional, or qualitative correspondence between two comparable entities." One of the goals of security event correlation is to group events that are related in some way into higher-level incidents. Events can be related in a number of different ways, such as:

  • By their origin: Many events originating from the same source can be accumulated into a single incident.

  • By time: A group of events related in some fashion occurring at the same time can be grouped into a single incident.

A number of correlation mechanisms exist in order to accomplish this. Different solutions may use one or more of these mechanisms.

Rule-Based Correlation

In rule-based correlation, events are evaluated against a set of rules, which may be stock rules (out of the box) or may be written by the network administrator to correlate events together. These rules form the basis of what may be labeled an expert system, distilling and automating the domain knowledge of a security expert into the correlation capability. Rules look for patterns occurring in the event stream, create associations among those events, and alert the analyst accordingly.

Field-Based Correlation

When field-based correlation technologies are applied, fields within events are evaluated and if those fields meet specified criteria, then an alert occurs. For example, if a system is configured to alert when it sees a connection to a specific IP address, as long as the data is being reported in a normalized format (so that the IP address is reported in a consistent field), then an alert would occur, regardless of which security device detected that event.

Context Correlation

Context correlation involves correlating events based on the environment (such as network assets) provided by the end user. This allows a consistent overall representation of the network security stance. For instance, if the end user can populate the system with asset information such as which IP addresses signify Apache web servers, then correlations can be completed based on that information. In this case, if a network intrusion detection system detects an attack exploiting a vulnerability in IIS web servers against a host known to run Apache, that event is meaningless compared to one exploiting an Apache vulnerability. This context correlation can also be applied to integration with vulnerability assessment products: being able to detect events and correlate them to the operating system, patch level, and open ports on a system. This capability results in the elimination of many false positives and background noise that can occur in a security information manager.

Aggregation and Filtering Correlation

Through aggregation and filtering, data can effectively be reduced, eliminating background noise from relevant events. This is generally applied through normalized categories or fields. Aggregation can also be accomplished by assessing the event stream for duplicate events reporting the same information, perhaps varying only by time. Aggregation correlation would then eliminate the second event and increase the count of occurrences in the first event to accurately reflect the system status. This assists an analyst by allowing for meaningful views of the event stream and a reduction of data to be analyzed.
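The field-based, context and aggregation mechanisms from the preceding three sections, combined in one added example that is not code from the book: duplicate events are collapsed into one event with a count and time span, a user-supplied asset table decides whether an exploit matches the software the target actually runs, and a simple field rule flags connections to a watchlisted address. The event fields, asset table, addresses and event names are constructed for this example; the input is assumed to be already normalized.

```python
from collections import OrderedDict

# Constructed normalized events, as an event-normalization stage would emit them.
# "affects" names the platform the common event's vulnerability applies to ("any" = platform-independent).
EVENTS = [
    {"name": "iis-isapi-overflow", "src": "198.51.100.7", "dst": "192.0.2.10", "ts": 100, "affects": "iis"},
    {"name": "iis-isapi-overflow", "src": "198.51.100.7", "dst": "192.0.2.10", "ts": 101, "affects": "iis"},
    {"name": "iis-isapi-overflow", "src": "198.51.100.7", "dst": "192.0.2.10", "ts": 102, "affects": "iis"},
    {"name": "apache-vuln-exploit", "src": "198.51.100.7", "dst": "192.0.2.10", "ts": 103, "affects": "apache"},
    {"name": "ssh-bruteforce", "src": "203.0.113.5", "dst": "192.0.2.20", "ts": 104, "affects": "any"},
]

# Context supplied by the end user (constructed): which web server each asset runs.
ASSETS = {"192.0.2.10": {"web": "apache"}, "192.0.2.20": {"web": None}}
# Field-based rule (constructed): alert on any event whose destination is on this list.
WATCHLIST = {"192.0.2.20"}

def aggregate(events):
    """Collapse events that differ only by time into one event carrying a count and a time span."""
    merged = OrderedDict()
    for e in events:
        key = (e["name"], e["src"], e["dst"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_ts"] = e["ts"]
        else:
            merged[key] = dict(e, count=1, first_ts=e["ts"], last_ts=e["ts"])
    return list(merged.values())

def apply_context(event):
    """Context correlation: an exploit for software the target does not run is background noise."""
    target = ASSETS.get(event["dst"], {})
    applies = event["affects"] in ("any", target.get("web"))
    event["priority"] = "high" if applies else "low"   # e.g. IIS exploit against an Apache host -> low
    return event

def field_rule(event):
    """Field-based correlation: the normalized destination field is checked against the watchlist."""
    event["watchlist_hit"] = event["dst"] in WATCHLIST
    return event

def correlate(events=EVENTS):
    """Reduce the stream first, then enrich each surviving event with context and field rules."""
    return [field_rule(apply_context(e)) for e in aggregate(events)]
```

Three IIS events against the Apache host become one low-priority event with count 3, the Apache exploit against the same host stays high priority, and the SSH event is flagged by the watchlist rule.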

Behavioral Correlation

Evaluating the event stream and allowing correlations on nonstandard traffic (hey, there's an FTP session to this server, which never had an FTP event before) provides near real-time detection of previously unknown attacks, which would be a critical benefit to a security analyst. While present in some security information management solutions, this mechanism is also the heart of behavior-based intrusion detection systems.

Post-Occurrence Correlation

Data mining for related events also offers a value to an analyst. The ability to search a database and correlate events that occurred days ago after a pattern is detected is critical in establishing the reconnaissance phase of attacks or in establishing the actual state of a system. For instance, if a weekly scan of a system with an anti-virus program installed on it revealed the presence of a rootkit, the ability to then return to the database and correlate activity that may have led to the installation of the rootkit would be invaluable.



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120
