A Visual Approach to Security Event Management, EuSecWest ‘06, London


Presentation Transcript


Raffael Marty, GCIA, CISSP
Senior Security Engineer @ ArcSight
February 21st, 2006

A Visual Approach to Security Event Management
EuSecWest ‘06, London


Raffael Marty, GCIA, CISSP

  • Enterprise Security Management (ESM) specialist

  • Strategic Application Solutions @ ArcSight, Inc.

  • Intrusion Detection Research @ IBM Research

    • See http://thor.cryptojail.net

  • IT Security Consultant @ PriceWaterhouse Coopers

  • Open Vulnerability and Assessment Language (OVAL) board member

  • Passion for Visual Security Event Analysis


Table Of Contents

  • Introduction

  • Basics

  • Examples of Graphs you can draw with AfterGlow

  • AfterGlow
    • 1.x – Event Graphs
    • 2.0 – TreeMaps
    • Future – All in One!


Introduction


Disclaimer

IP addresses and host names showing up in event graphs and descriptions were obfuscated/changed. The addresses are completely random and any resemblance with well-known addresses or host names is purely coincidental.


Text or Visuals?

  • What would you rather look at?

Jun 17 09:42:30 rmarty ifup: Determining IP information for eth0...
Jun 17 09:42:35 rmarty ifup: failed; no link present. Check cable?
Jun 17 09:42:35 rmarty network: Bringing up interface eth0: failed
Jun 17 09:42:38 rmarty sendmail: sendmail shutdown succeeded
Jun 17 09:42:38 rmarty sendmail: sm-client shutdown succeeded
Jun 17 09:42:39 rmarty sendmail: sendmail startup succeeded
Jun 17 09:42:39 rmarty sendmail: sm-client startup succeeded
Jun 17 09:43:39 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:45:42 rmarty last message repeated 2 times
Jun 17 09:45:47 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 09:56:02 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 09:56:03 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:00:03 rmarty crond(pam_unix)[30534]: session opened for user root by (uid=0)
Jun 17 10:00:10 rmarty crond(pam_unix)[30534]: session closed for user root
Jun 17 10:01:02 rmarty crond(pam_unix)[30551]: session opened for user root by (uid=0)
Jun 17 10:01:07 rmarty crond(pam_unix)[30551]: session closed for user root
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:05:05 rmarty crond(pam_unix)[30567]: session closed for user idabench
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:28:40 rmarty vmnet-dhcpd: DHCPDISCOVER from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPOFFER on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:41 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:28:45 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:30:47 rmarty portsentry[4797]: attackalert: Host: 192.168.80.8/192.168.80.8 is already blocked Ignoring
Jun 17 10:35:28 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:35:31 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:38:51 rmarty vmnet-dhcpd: DHCPREQUEST for 172.16.48.128 from 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:38:52 rmarty vmnet-dhcpd: DHCPACK on 172.16.48.128 to 00:0c:29:b7:b2:47 via vmnet8
Jun 17 10:42:35 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128
Jun 17 10:42:38 rmarty vmnet-dhcpd: DHCPINFORM from 172.16.48.128


A Picture is Worth a Thousand Log Entries

Detect the Expected & Discover the Unexpected

Reduce Analysis and Response Times

Make Better Decisions


Three Aspects of Visual Security Event Analysis

  • Situational Awareness

    • What is happening in a specific business area (e.g., compliance monitoring)

    • What is happening on a specific network

    • What are certain servers doing

  • Real-Time Monitoring and Incident Response

    • Capture important activities and take action

    • Event Workflow

    • Collaboration

  • Forensic and Historic Investigation

    • Selecting arbitrary set of events for investigation

    • Understanding big picture

    • Analyzing relationships - Exploration

    • Reporting


Basics


How To Generate A Graph?

[Pipeline diagram: Device → Log File → Parser → Normalization → Event Visualizer → Visual, illustrated with the syslog excerpt from the previous slide]
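The Parser and Normalization steps of that pipeline, as an added example that is not AfterGlow's own code: it maps the syslog lines from the earlier slide to the (source, event, target) rows AfterGlow 1.x reads as CSV, and expands syslog's "last message repeated N times" so node counts are not undercounted. Which field becomes source, event or target (here: scanning host, scan type, scanned port) is this example's choice, and the sample lines are constructed from the slide.

```python
import re

# Constructed sample, modelled on the syslog excerpt shown on the slide.
SAMPLE_LOG = """\
Jun 17 10:05:02 rmarty crond(pam_unix)[30567]: session opened for user idabench by (uid=0)
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.19/192.168.80.19 to UDP port: 192
Jun 17 10:13:05 rmarty portsentry[4797]: attackalert: Host: 192.168.80.19/192.168.80.19 is already blocked Ignoring
Jun 17 10:14:09 rmarty portsentry[4797]: attackalert: UDP scan from host: 192.168.80.8/192.168.80.8 to UDP port: 68
Jun 17 10:21:30 rmarty last message repeated 2 times
"""

HEADER = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
REPEAT = re.compile(r"^last message repeated (?P<n>\d+) times$")
SCAN = re.compile(r"(?P<proto>UDP|TCP) scan from host: (?P<sip>[\d.]+)/[\d.]+ to (?P=proto) port: (?P<dport>\d+)")
SESSION = re.compile(r"session opened for user (?P<user>\S+)")

def to_triples(log_text):
    """Normalize each syslog line into a (source, event, target) row.

    Only portsentry scans and cron sessions are mapped; everything else is dropped.
    syslog collapses consecutive duplicates into 'last message repeated N times', so
    that line re-emits the previous row N times, otherwise node counts (-d) undercount.
    """
    rows, last = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        host, rest = m["host"], m["rest"]
        r = REPEAT.match(rest)
        if r:
            rows.extend([last] * int(r["n"]) if last else [])
            continue
        prog, _, msg = rest.partition(": ")  # "portsentry[4797]" / "attackalert: UDP scan ..."
        row = None
        if prog.startswith("portsentry"):
            s = SCAN.search(msg)
            if s:
                row = (s["sip"], s["proto"] + " scan", s["dport"])
        elif prog.startswith("crond"):
            s = SESSION.search(msg)
            if s:
                row = (host, "session opened", s["user"])
        if row:
            rows.append(row)
        last = row  # a repeat refers to the previous line, mapped or not
    return rows

def to_csv(rows):
    """The two/three-column CSV that AfterGlow 1.x reads on stdin."""
    return "".join(",".join(r) + "\n" for r in rows)
```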


Visual Types I

  • Will focus on visuals that AfterGlow supports:
    • Event Graphs (Link Graphs) – AfterGlow 1.x (Perl)
    • TreeMaps – AfterGlow 2.0 (Java)


Visual Types II

[Figure: an example TreeMap (boxes labelled Block/Pass and TCP/UDP) next to an example Event Graph (SIP → Name → DIP)]

  • TreeMaps
    • Hierarchy
    • “Box” Coloring
    • “Box” Size
  • Event Graphs (Link Graphs)
    • Node Configuration
    • Node Coloring
    • Edge Coloring


Link Graph Configurations

Raw Event:

[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

Different node configurations (source node → event node → target node):

  • SIP → Name → DIP: 192.168.10.90 → RPC portmap → 192.168.10.255
  • SIP → DIP → DPort: 192.168.10.90 → 192.168.10.255 → 111
  • SIP → SPort → DPort: 192.168.10.90 → 32859 → 111
  • Name → SIP → DIP: RPC portmap → 192.168.10.90 → 192.168.10.255


TreeMap Configurations

Raw Event: the same Snort alert as on the previous slide.

Different configurations:

[Figure: TreeMaps built from that alert using different hierarchies over SIP, Name, DIP, DPort and SPort; the leaf box shown is 192.168.10.255]
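The node and hierarchy configurations of the last two slides, as an added example that is not AfterGlow's own parser: the Snort alert is split into named fields and a column spec in the style of tcpdump2csv.pl's "sip dip sport" picks which of them become the graph's nodes. The second, ICMP alert in the sample is made up to show an alert that carries no ports.

```python
import re

# Constructed sample in Snort's "full" alert format: the alert shown on the slide,
# plus a made-up ICMP alert (no ports) to show an alert that lacks some fields.
SNORT_ALERTS = """\
[**] [1:1923:2] RPC portmap UDP proxy attempt [**]
[Classification: Decode of an RPC Query] [Priority: 2]
06/04-15:56:28.219753 192.168.10.90:32859 -> 192.168.10.255:111
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:148 DF
Len: 120

[**] [1:384:5] ICMP PING [**]
[Classification: Misc activity] [Priority: 3]
06/04-15:57:01.000000 192.168.10.90 -> 192.168.10.1
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84
"""

TITLE = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<name>.+?) \[\*\*\]$")
PRIORITY = re.compile(r"\[Priority: (?P<priority>\d+)\]")
FLOW = re.compile(r"^(?P<ts>\S+) (?P<sip>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dip>[\d.]+)(?::(?P<dport>\d+))?$")
PROTO = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)")

def parse_alerts(text):
    """One dict per alert; records are separated by a blank line."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
            continue
        for rx in (TITLE, PRIORITY, FLOW, PROTO):
            m = rx.search(line)
            if m:  # optional groups that did not match (no port) are left out
                cur.update({k: v for k, v in m.groupdict().items() if v is not None})
    if cur:
        records.append(cur)
    return records

def project(rec, spec):
    """Pick node columns, e.g. "sip name dip"; AfterGlow link graphs take two
    (source, target) or three (source, event, target). Missing fields -> ""."""
    cols = spec.lower().split()
    if len(cols) not in (2, 3):
        raise ValueError("need two or three column names, got %r" % spec)
    return tuple(rec.get(c, "") for c in cols)

def to_csv(records, spec):
    return "".join(",".join(project(r, spec)) + "\n" for r in records)
```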


Graph Use Cases – Things You Can Do With AfterGlow


Situational Awareness Dashboard


Vulnerability Awareness I

[Figure: graph over DIP, Vuln and Score, with callouts “One Machine” and “A Vulnerability”]


Vulnerability Awareness II

[Figure: graph over DIP, Score and Vuln]


AfterGlow - LGL


Monitoring Web Servers

[Figure: Traffic to Web Servers]


Suspicious Activity?


Network Scan


Port Scan

  • Port scan or something else?


PortScan

[Figure: link graph over SIP, DIP and DPort]


Firewall Activity

[Figure: two link graphs, outgoing and incoming, over SIP, Rule# and DIP; legend: External Machine, Internal Machine]

  • Next Steps:
    • Visualize “FW Blocks” of outgoing traffic
      • -> Why do internal machines trigger blocks?
    • Visualize “FW Blocks” of incoming traffic
      • -> Who and what tries to enter my network?
    • Visualize “FW Passes” of outgoing traffic
      • -> What is leaving the network?


Firewall Rule-set Analysis

[Figure: legend: pass, block]


Load Balancer


Worms


DefCon 2004 Capture The Flag

[Figure: link graph over SIP, DIP and DPort; legend: DstPort < 1024, DstPort > 1024, Source Of Evil, Internal Target, Other Team's Target, Internal Source, Internet Target, Exposed Services, Our Servers]


DefCon 2004 Capture The Flag – TTL Games

[Figure: link graph over SIP, DIP and TTL; legend: Source Of Evil, Internal Target, Internal Source, Offender TTL, Our Servers]


DefCon 2004 Capture The Flag – More TTL

[Figure: link graph over Flags, TTL and DPort, with node counts shown]


Telecom Malicious Code Propagation

[Figure: link graph over From Phone#, To Phone# and Content Type|Size]


Email Cliques

[Figure: link graph over From and To; legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain]


Email Relays

Make “my domain” invisible
Grey out emails to and from “my domain”
Do you run an open relay?

[Figure: link graph over From and To; legend: From: My Domain, From: Other Domain, To: My Domain, To: Other Domain]


Email SPAM?

Size > 10.000
Omit threshold = 1

[Figure: link graph over To and Size]

Multiple recipients with same-size messages


Email SPAM?

nrcpt >= 2
Omit threshold = 1

[Figure: link graph over From and nrcpt]


BIG Emails

Size > 100.000
Omit Threshold = 2

[Figure: link graph over From, To and Size]

Documents leaving the network?


Email Server Problems?

2:00 < Delay < 10:00
Delay > 10:00

[Figure: link graph over To and Delay]


AfterGlow

afterglow.sourceforge.net


AfterGlow

  • http://afterglow.sourceforge.net

  • Two Versions:

    • AfterGlow 1.x – Perl for Event Graphs

    • AfterGlow 2.0 – Java for TreeMaps


AfterGlow 1.x - Perl

  • Supported graphing tools:
    • GraphViz from AT&T (dot and neato) http://www.research.att.com/sw/tools/graphviz/
    • LGL (Large Graph Layout) by Alex Adai http://bioinformatics.icmb.utexas.edu/lgl/

[Pipeline diagram: Parser → CSV File → AfterGlow → Graph Language File → Grapher]


AfterGlow 1.x – Command Line Parameters

  • Some command line arguments:

    -h : help

    -t: two node mode

    -d: print count on nodes

    -e: edge length

    -n: no node labels

    -o threshold: omit threshold (fan-out for nodes to be displayed)

    -c configfile: color configuration file


AfterGlow 1.x – color.properties

color.[source|event|target|edge]=<perl expression returning a color name>

  • Array @fields contains the input line, split into tokens:
    color.event="red" if ($fields[1] =~ /^192\..*/)
  • Special color "invisible":
    color.target="invisible" if ($fields[0] eq "IIS Action")
  • Edge color:
    color.edge="blue"


AfterGlow 1.x – color.properties - Example

color.source="olivedrab" if ($fields[0]=~/191\.141\.69\.4/);
color.source="olivedrab" if ($fields[0]=~/211\.254\.110\./);
color.source="orangered1"
color.event="slateblue4"
color.target="olivedrab" if ($fields[2]=~/191\.141\.69\.4/);
color.target="olivedrab" if ($fields[2]=~/211\.254\.110\./);
color.target="orangered1"
color.edge="firebrick" if (($fields[0]=~/191\.141\.69\.4/) or ($fields[2]=~/191\.141\.69\.4/))
color.edge="cyan4"
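How an ordered color.properties file like the one above behaves, as an added example written in Python rather than AfterGlow's Perl evaluation: each rule is a (role, field, regex, color) tuple, the first matching rule wins so the catch-alls sit last, and a node colored "invisible" is dropped together with every edge that would touch it. First-match semantics is an assumption read off the slide's rule order; the "IIS Action" invisible rule (adapted from the previous slide to key on the event column) and the CSV rows are constructed.

```python
import re

ROLES = ("source", "event", "target")
# Constructed rule set: the color.properties example on the slide as (role, field, regex, color);
# regex None is a catch-all. The "invisible" rule for targets of "IIS Action" events is added.
RULES = [
    ("source", 0, r"191\.141\.69\.4", "olivedrab"),
    ("source", 0, r"211\.254\.110\.", "olivedrab"),
    ("source", None, None, "orangered1"),
    ("event", None, None, "slateblue4"),
    ("target", 1, r"^IIS Action$", "invisible"),  # must precede the target catch-alls
    ("target", 2, r"191\.141\.69\.4", "olivedrab"),
    ("target", 2, r"211\.254\.110\.", "olivedrab"),
    ("target", None, None, "orangered1"),
    ("edge", 0, r"191\.141\.69\.4", "firebrick"),
    ("edge", 2, r"191\.141\.69\.4", "firebrick"),
    ("edge", None, None, "cyan4"),
]
# Constructed CSV rows (source, event, target) using the addresses from the slide.
SAMPLE_CSV = [
    "191.141.69.4,RPC portmap,211.254.110.9",
    "10.0.0.5,IIS Action,211.254.110.9",
    "10.0.0.5,Web Server Probe,10.0.0.77",
]

def color_for(role, fields, rules=RULES):
    """First matching rule wins, so order in the file matters (catch-alls go last)."""
    for r, idx, rx, color in rules:
        if r == role and (rx is None or re.search(rx, fields[idx])):
            return color
    return "black"

def build_graph(csv_lines, rules=RULES):
    """Return ({node: color}, [(from, to, edge_color)]) with invisible nodes removed."""
    nodes, edges = {}, []
    for line in csv_lines:
        f = [x.strip() for x in line.split(",")]
        if len(f) != 3:
            continue
        val = dict(zip(ROLES, f))
        col = {r: color_for(r, f, rules) for r in ROLES}
        for r in ROLES:
            if col[r] != "invisible":
                nodes[val[r]] = col[r]  # later rows overwrite a node's color
        ecol = color_for("edge", f, rules)
        for a, b in (("source", "event"), ("event", "target")):
            if "invisible" not in (col[a], col[b]):  # drop edges touching hidden nodes
                edges.append((val[a], val[b], ecol))
    return nodes, edges
```

The returned node and edge lists are what AfterGlow 1.x would write out as the graph language file for dot or neato.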


AfterGlow 2.0 - Java

  • Command line arguments:
    -h : help
    -c file: property file
    -f file: data file

[Pipeline diagram: Parser → CSV File → AfterGlow - Java]


AfterGlow 2.0 - Example

  • Launch:
    ./afterglow-java.sh -c afterglow.properties

  • Properties file (afterglow.properties):

# AfterGlow - JAVA 2.0
# Properties File
# File to load
file.name=/home/ram/afterglow/data/sample.csv
# Column Types (default is STRING), start with 0!
# Valid values:
# STRING
# INTEGER
# CATEGORICAL
column.type.count=4
column.type[0].column=0
column.type[0].type=INTEGER
column.type[1].column=1
column.type[1].type=CATEGORICAL
column.type[2].column=2
column.type[2].type=CATEGORICAL
column.type[3].column=3
column.type[3].type=CATEGORICAL
# Size Column (default is 0)
size.column=0
# Color Column (default is 0)
color.column=2

  • Data (sample.csv):

Target System Type,SIP,DIP,User,Outcome
Development,192.168.10.1,10.10.2.1,ram,failure
VPN,192.168.10.1,10.10.2.1,ram,success
Financial System,192.168.20.1,10.0.3.1,drob,success
VPN,192.168.10.1,10.10.2.1,ram,success
VPN,192.168.10.1,10.10.2.1,jmoe,failure
Financial System,192.168.10.1,10.10.2.1,jmoe,success
Financial System,192.168.10.1,10.10.2.1,jmoe,failure


AfterGlow 2.0 – Java - Output


AfterGlow 2.0 – Java - Interaction

  • Left-click:

    • Zoom in

  • Right-click:

    • Zoom all the way out

  • Middle-click

    • Change Coloring to current depth

      (Hack: Use SHIFT for leafs)


AfterGlow 3.0 – The Future

  • Generating LinkGraphs with the Java version

  • Adding more output formats

  • Saving output as image file

  • Animation


AfterGlow – Parsers

  • tcpdump2csv.pl
    • Takes care of swapping response source and targets
      tcpdump -vttttnnelr /tmp/log.tcpdump | ./tcpdump2csv.pl "sip dip sport"
  • sendmail_parser.pl
    • Reassemble email conversations:
      Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<[email protected]>, size=650, class=0, nrcpts=1,
      Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<[email protected]> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
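What the reassembly done by sendmail_parser.pl has to handle, as an added example that is not the AfterGlow script: sendmail logs the from= half and each to= half of a delivery on separate lines joined only by the queue id, so the parser keys envelopes by that id and emits one row per recipient carrying the size, nrcpts and delay fields that the email SPAM, BIG Emails and Email Server Problems graphs above are built from. The log lines, addresses and queue ids are constructed.

```python
import re

# Constructed sample in the sendmail syslog format shown on the slide; addresses,
# queue ids and the relay address are made up.
SENDMAIL_LOG = """\
Jul 24 21:01:16 rmarty sendmail[17072]: j6P41Gqt017072: from=<alice@example.com>, size=650, class=0, nrcpts=1, relay=localhost
Jul 24 21:01:16 rmarty sendmail[17073]: j6P41Gqt017072: to=ram, ctladdr=<alice@example.com> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30881, dsn=2.0.0, stat=Sent
Jul 24 21:05:02 rmarty sendmail[17090]: j6P45Abc017090: from=<bulk@example.net>, size=12000, class=0, nrcpts=2, relay=[203.0.113.7]
Jul 24 21:05:03 rmarty sendmail[17091]: j6P45Abc017090: to=<bob@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
Jul 24 21:17:10 rmarty sendmail[17091]: j6P45Abc017090: to=<carol@example.org>, delay=00:12:08, xdelay=00:00:00, mailer=esmtp, dsn=4.0.0, stat=Deferred: Connection timed out
Jul 24 21:20:00 rmarty sendmail[17095]: j6P4ZZZ017095: to=<dave@example.com>, delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<kv>.*)$")

def parse_kv(text):
    """'from=<a>, size=650, class=0' -> dict; angle brackets are stripped from values."""
    out = {}
    for chunk in text.split(", "):
        key, sep, value = chunk.partition("=")
        if sep:
            out[key.strip()] = value.strip().strip("<>")
    return out

def reassemble(log_text):
    """Join each to= line with the from= line sharing its queue id.

    sendmail logs one from= line per message and one to= line per recipient, so the
    queue id is the key; a to= line whose from= line is missing (rotated away) is skipped.
    """
    envelopes, rows = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        kv = parse_kv(m["kv"])
        if "from" in kv:
            envelopes[m["qid"]] = kv
        elif "to" in kv and m["qid"] in envelopes:
            env = envelopes[m["qid"]]
            rows.append({"from": env["from"], "to": kv["to"], "size": int(env["size"]),
                         "nrcpts": int(env["nrcpts"]), "delay": kv["delay"], "stat": kv["stat"]})
    return rows

def delay_seconds(hms):
    """'00:12:08' -> 728, so delays can be bucketed (e.g. 2:00 < delay < 10:00)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def to_csv(rows, cols):
    """Two or three columns for AfterGlow, e.g. ('from', 'to', 'size')."""
    return "".join(",".join(str(r[c]) for c in cols) + "\n" for r in rows)
```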


Summary

Detect the expected & discover the unexpected

Reduce analysis and response times

Make better decisions


[email protected]
Raffael Marty
EuSecWest 2006 London