Where our team of editors discuss what they think about the current BM issues.

Today's IT environment is becoming a complex array of business applications, networking hardware and security applications designed to protect your business assets. On a daily basis the newspapers and the RSS feeds detail the latest security breach and data theft. Businesses face an ever-increasing threat and the possible loss of trade secrets, financial information, and consumer data. These very consumers often have to replace credit cards, change bank accounts and monitor their financial lives on a daily basis to protect against the possibility of more fraud due to a security breach over which they had no control, and of which they possibly had no knowledge. What becomes interesting is that at the point the breach becomes known, the consumer and the business approach differ. Businesses work through a process to identify the extent of the damage, attempt to find an application or enforcement point to "blame" and then add more locks in the form of more security applications and an updated security policy. Consumers, on the other hand, use retained log data, in the form of bank and credit card statements, to see if there is any additional exposure and then utilize real-time credit monitoring solutions to help identify and mitigate any future breach before it causes more damage. Are consumers, in some cases, more technically savvy than corporate America? When it comes to real-time monitoring and management, the answer may be a resounding "yes".
Why is this the case? It has to do with the sheer complexity of the environment, and the lack of an ability for a business to effectively manage this complexity to reduce noise. The average household, according to a 2005 CNN story, has 19.3 credit cards, bank cards and retail cards. While this seems like a significant number of items to manage, there are typically only a few transactions per month, and all can be easily accessed on-line, where transactions show in near-real time. These are then all tied together by credit bureau reporting and monitoring tools which allow the consumer to centrally manage their entire financial "enterprise". A typical corporate environment, however, has hundreds, if not thousands, of devices connected to its network, each performing thousands, if not millions, of transactions per day. Firewalls, Intrusion Detection and Prevention, Vulnerability Assessment, AntiVirus, Routers, Compliance Managers, HIDS, databases, and applications all produce their own logs, in their own format, and have their own consoles. This volume of logs simply cannot be managed in this fashion by a staff of any reasonable size, and yet corporations today often rely on prairie-dog or whiteboard correlation to try and make sense of things. How are companies currently managing this data? Imagine for a second you are a Security Engineer at the Acme Corporation, responsible for their firewalls.
You walk into work one morning promptly at 8 am, fire up your laptop, and go get your cup of coffee. On your way to the break room you run into one of your friends and talk a few minutes about last night's game and this weekend's home improvement project, and eventually make it back to your desk. After sorting through the emails, and forwarding a few jokes on, you get to the daily firewall dropped connection report for the past 24 hours. Reading through the report, you happen to notice one external IP address with an unusually high number of inbound denied connections. What are the next steps? Probably a quick nslookup to determine who this is and where they are coming from. Most likely this will resolve to someone's DSL or cable modem, giving you virtually no clue as to who they are, or where they are. At this point, you have a choice to make: since these were denied connections, the firewall did its job, and you can move on to the other tasks on your list, an especially attractive option since the only other person in the firewall department left a week ago for greener pastures and you are doing the job of two people. If you decide to investigate further, you'll need to see if you can find this IP in your accepted connection report, and talk to the IDS/IPS, HIDS, and VA administrators to determine what, if anything, happened. This process will take several hours from start to finish, and needs to be scheduled around meetings, vacations, lunch hour, and sick time. While you are trying to track down what happened last night at 2 am and find any footprint left by this intruder, it's 2 pm, and the intruder has already breached your perimeter defenses, stolen data, installed his botnet or Trojan horses, covered his tracks, and is sitting at Starbucks selling credit card numbers or personal information, or blogging about his exploits.
By the time you figure out this was an actual breach of security, several days may have passed, and irate consumers are calling customer service wondering why their lives have been ruined based on this morning's headlines.
This type of scenario illustrates the complexity involved in monitoring and managing today's networks, whether they belong to a global enterprise or a small to medium sized business. The sheer amount of noise generated by this complex environment can be overwhelming. In the above scenario, the administrators knew what they were looking for, based on a report they received. What if this report didn't actually list the threat, or contained no information because it failed to run? Attackers are using more sophisticated techniques to cover their tracks, and will often spend months probing a network, running the occasional scan, and slowly penetrating your layered defense in a fashion akin to peeling an onion. Businesses need to speed adoption of SIM/SEIM tools in order to manage this complexity and effectively reduce the amount of noise. These tools acquire and normalize the data in some fashion and then generate alerts based on this information. They also allow businesses to meet certain regulatory and compliance standards for monitoring, reporting, and storage of log data. However, just as often, depending on the tool you have purchased, it simply adds yet another layer of complexity to your environment.
SIM/SEIM tools have typically been rules-based tools, which end up adding another layer of complexity to the environment. Script gurus and SQL programmers are often needed to write these rules, and in order to write a rule for an attack pattern, you need to know what the attack looks like and what chain of events could indicate an attack. Once written, these rules then need to be managed, updated and tuned, which requires some system for documenting the internal procedures and policies, and adds yet another change control element to the environment. A rules-based system, furthermore, simply looks at the data and determines that a threshold has been met. It does not easily take into account the value of the business asset or its vulnerability status. In effect, these tools do not see a difference between a honeypot in a DMZ and a database server without re-writing the rule for such a scenario. Add more applications, more servers, more security, and what do you need? More rules.
There are, however, SIM/SEIM tools which take a different approach and correlate data in real time, while taking into account what asset is being attacked, what line of defense reported the attack, and the open vulnerabilities of the server under fire. InfoCenter from OpenService does just this, using a three-step process known as "Acquire. Analyze. Alert." This process first acquires the data from the logs produced by security applications, network gear, and servers. It then analyzes the data against other real-time log data in an effort to determine where this attack may be directed. Taking the analysis process further, once it is determined what servers or systems are being attacked, it correlates the data with the most recent vulnerability scans, the asset weights and the significance of the reporting device to generate a meaningful, actionable alert. The benefit of this type of approach is that you know the alerts InfoCenter generates are actionable; that is, you won't get a critical alert saying that your Apache web server is under attack from someone trying to exploit the latest IIS flaw. Also, the alerts react differently based on your environment: servers in your DMZ can take longer to escalate to a critical threshold than your database or development servers, for example.
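To make the contrast drawn in the last two paragraphs concrete, here is a small Python sketch added for this article: a fixed-threshold rule of the kind described above beside a scoring function that weighs each event by asset value, reporting device and vulnerability status. It is not OpenService's code; the asset inventory, reporter weights, zone thresholds, addresses and the CVE placeholder are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Asset:
    zone: str                         # "dmz", "internal" or "database"
    weight: int                       # business value, 1 (low) to 10 (critical)
    software: set = field(default_factory=set)    # what actually runs on the host
    open_vulns: set = field(default_factory=set)  # findings from the last VA scan


# Constructed asset inventory; documentation addresses, not real hosts.
ASSETS = {
    "10.0.1.5": Asset("dmz", 3, {"apache"}),
    "10.0.9.20": Asset("database", 9, {"mssql"}, {"CVE-PLACEHOLDER-0001"}),
}
# How much weight each reporting device's verdict carries (constructed).
REPORTER_WEIGHT = {"firewall": 1, "ids": 2, "hids": 3}
# Zone-specific escalation thresholds: a DMZ host tolerates more before "critical".
CRITICAL = {"dmz": 40, "internal": 20, "database": 10}


def threshold_rule(events, limit=50):
    """Rules-only approach: flag any source exceeding a fixed count of denies."""
    denies = Counter(e["src"] for e in events if e.get("action") == "deny")
    return {src for src, n in denies.items() if n > limit}


def score_event(ev, assets=ASSETS):
    """Asset-aware approach: weigh the event by target value, reporter and exposure."""
    asset = assets.get(ev["dst"])
    if asset is None:
        return 0                      # not an inventoried asset
    target = ev.get("target_software")
    if target and target not in asset.software:
        return 0                      # e.g. an IIS exploit aimed at an Apache host
    score = REPORTER_WEIGHT.get(ev["reporter"], 1) * asset.weight
    if ev.get("cve") in asset.open_vulns:
        score *= 2                    # the reported flaw is unpatched on this host
    return score


def severity(ev, assets=ASSETS):
    """Map a score onto info/warning/critical using the target's zone threshold."""
    score = score_event(ev, assets)
    if score == 0:
        return "info"
    zone = assets[ev["dst"]].zone
    return "critical" if score >= CRITICAL[zone] else "warning"
```

The same HIDS verdict scores 9 against the DMZ web server (a warning) but 27 against the database host (critical), which is the per-zone escalation the paragraph describes.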
So how does this improve the scenario described above for our overtasked Security Engineer? With a SIM/SEIM solution in place, the analyst would have been notified of the attack as it was happening, and possibly even been made aware of the probing and reconnaissance activity days or weeks before a breach happened. The solution would put the logs for the entire enterprise at the engineer's fingertips, allowing him to view the progression of the attack and determine exactly which systems were affected by this breach. What was once a day- or week-long process for the engineer now takes only a matter of minutes to verify, validate, and remediate the breach.
OpenService, Inc. is a leading provider of Enterprise Event Management, including SIEM, Event Correlation and Network Monitoring solutions. Product offerings include InfoCenter, ThreatCenter, LogCenter, and NerveCenter. These products provide the solutions necessary for a company to acquire, analyze and alert on an otherwise unmanageable volume of log information in real time. You can learn more about these products by visiting www.openservice.com on the web.