9/14/2012 05:25 PM

From Catching A Clue To Catching The Attacker: SIEMs Evolve

Security information and event management (SIEM) and log management systems have generally fallen short of detecting attacks in real time. That's changing, say security experts.

Security information and event management (SIEM) systems are typically used to create a forensics trail so that evidence of digital intrusions can be investigated after an attack is discovered. Increasingly, however, SIEM and log management systems have the ability to detect attacks in real time, security experts say.

While many security professionals have wished for such capabilities, only recently has the technology caught up with the promise of catching attackers through real-time correlation of disparate networking events, says David Pack, manager of LogRhythm Labs, a maker of SIEM systems. A combination of factors is leading to the evolution of the systems: The technology can better handle the volume of log data generated by corporate systems, the capabilities of the correlation engines have grown, and the researchers developing such systems better understand attack patterns, he says.

"What is going on in the SIEM industry is that it is becoming a real-time monitoring solution -- it's becoming the SIEM 2.0 that it should be," Pack says. "All the framework and pieces are there to turn this into real-time analysis and real-time alarming."

In a presentation at the United Security Summit in San Francisco, Pack spelled out ways that log management systems can use advanced correlation to detect attackers and showed the signs that a typical attacker will leave in the logs. While many security firms focus on detecting attackers' attempts to exploit vulnerabilities and compromise systems, event correlation can put together evidence from other systems to detect an attack.

In a spear-phishing incident, for example, a log trail can show the user's Outlook e-mail client connecting to an Exchange server and downloading a message with a malicious attachment, the user's Adobe Acrobat opening a PDF file, and, following exploitation, the client communicating with an unknown Internet address.

"Pretty much every piece of that activity is logged somewhere, often away from where the exploit happened," Pack says. "What is interesting about that is you don't have to worry about whether the exploited vulnerability is known or a zero-day. You only have to worry about how [the attack] is delivered and what happens afterward."

Information security managers are increasingly looking for a greater awareness of what is happening on their networks. In addition, they are being asked to look at a greater variety of threats than in the past, says Mark Seward, senior director of security and compliance for network-intelligence firm Splunk.

"It used to be that I -- as the information security manager -- was only responsible for the information security infrastructure -- listening to it and reacting to it," Seward says. "Now I'm being asked to look at malicious insiders and being asked to look at real-time threats to the business."

[ Any security monitoring system comes with a certain amount of good old-fashioned alerting, but interpreting those alerts in the context of a whole running system is something else entirely. See The Most Expensive Part Of The Monitoring System. ]

Turning networking and physical events that have been logged into intelligence about what is happening on the network is necessary in today's world, Seward says.

In the lion's share of breaches, for example, the attacker leaves traces in the log files. In its latest Data Breach Investigations Report, telecommunications and security provider Verizon found that 86 percent of incidents could have been detected from the events collected in the logs -- if the victim's staff had only been looking.

Part of the problem is that the evidence is lost in the massive volume of log data, which has increased dramatically, says Chris Novak, managing principal with Verizon. In the past, when his investigations team visited a potential client and asked for log data, the company's executives would often give them a blank look, he says. Now, because of compliance regulations, companies are collecting the data, but not generally mining it for useful data on security events.

"Now many of your larger organizations are storing their logs indefinitely," Novak says. "But ... organizations have so much log data that it has created a new problem that they don't know how to mine and search and correlate that data to make it useful, so it just becomes something we store."

With better correlation engines, companies could not only make better use of the data, but detect attacks in real time. The first step is to create a baseline for the company so that anomalous behavior can be detected. Then technology providers and their customers can describe complex patterns that may indicate an attack. LogRhythm uses self-contained rules, called rule blocks, to build more complex structures. About half of the company's technical workers are developing rules and patterns that translate device logs into detectable patterns, LogRhythm's Pack says.

"The real-time alerting has been there for simple issues," he says. "But now we are able to do it for complex behavioral patterns."
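The following is an added illustration, not LogRhythm's or Splunk's code, of the two ideas above: a handful of self-contained rule blocks chained in order within a time window, applied to the spear-phishing log trail the article describes (Outlook pulls a PDF from Exchange, Acrobat opens it, the host then talks to an address outside the baseline). The log lines, the host names and the "known destinations" baseline are constructed, and the rule-block format is a hypothetical one for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, log source, key=value message).
EVENTS = [
    ("2012-09-14 09:01:10", "ws-17", "exchange", "user=alice client=Outlook action=download attachment=invoice.pdf"),
    ("2012-09-14 09:01:42", "ws-17", "endpoint", "user=alice process=AcroRd32.exe open=invoice.pdf"),
    ("2012-09-14 09:02:05", "ws-17", "firewall", "src=ws-17 dst=203.0.113.77 dport=443 action=allow"),
    ("2012-09-14 09:30:00", "ws-22", "exchange", "user=bob client=Outlook action=download attachment=agenda.pdf"),
    ("2012-09-14 10:15:00", "ws-22", "firewall", "src=ws-22 dst=192.0.2.10 dport=443 action=allow"),
]
KNOWN_DESTINATIONS = {"192.0.2.10"}  # constructed baseline: destinations seen in normal traffic

def parse(event):
    """Turn one raw event into a dict of fields (timestamp parsed to datetime)."""
    ts, host, source, msg = event
    fields = dict(kv.split("=", 1) for kv in msg.split())
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host, "source": source, **fields}

# Rule blocks (hypothetical format): self-contained predicates over a single parsed event.
def mail_attachment(e):       # Outlook pulled a PDF attachment from Exchange
    return e["source"] == "exchange" and e.get("action") == "download" and e.get("attachment", "").endswith(".pdf")
def reader_opened_pdf(e):     # Adobe Reader opened a PDF on the endpoint
    return e["source"] == "endpoint" and e.get("process") == "AcroRd32.exe"
def outbound_to_unknown(e):   # the host then talked to an address outside the baseline
    return e["source"] == "firewall" and e.get("dst") not in KNOWN_DESTINATIONS

def correlate(events, blocks, window_minutes=10):
    """Return (host, time) pairs where every block fired in order, per host, within the window.
    Nothing here depends on which vulnerability was exploited: only delivery and aftermath are matched."""
    window, hits, per_host = timedelta(minutes=window_minutes), [], {}
    for e in sorted(map(parse, events), key=lambda x: x["ts"]):
        state = per_host.setdefault(e["host"], {"step": 0, "start": None})
        if state["start"] and e["ts"] - state["start"] > window:
            state.update(step=0, start=None)          # chain expired without completing
        if blocks[state["step"]](e):
            state["start"] = state["start"] or e["ts"]
            state["step"] += 1
            if state["step"] == len(blocks):          # whole chain matched: raise the alarm
                hits.append((e["host"], e["ts"]))
                state.update(step=0, start=None)
    return hits

SPEAR_PHISH_CHAIN = [mail_attachment, reader_opened_pdf, outbound_to_unknown]

if __name__ == "__main__":
    print(correlate(EVENTS, SPEAR_PHISH_CHAIN))       # one hit: ws-17 at 09:02:05
```

Host ws-22 downloads a PDF too, but its later connection goes to a baseline address and falls outside the window, so no alarm is raised for it; that is the baseline plus sequence-and-window logic doing the filtering.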
