Idps Siem PDF (33 pages)

The document discusses intrusion detection systems (IDS) and security information and event management (SIEM). It describes IDS as a device or software that monitors networks or systems for malicious activity or policy violations. The document outlines different types of IDS including network-based IDS and host-based IDS. It also discusses how SIEM systems combine security information management and security event management to provide real-time monitoring, event correlation, alerts and compliance reporting from centralized log collection.

Uploaded by aqib ahmed
IDS and SIEM

Defense in Depth
• Single defenses can and will fail
• Instead, we need multiple layers of defense of different designs and objectives
Network Defense in Depth
1. Advanced Threat Protection
e.g. FireEye, Cisco/IronPort
2. Intrusion Detection Systems
e.g. McAfee
3. Web Security
e.g. Fortinet
4. Email Security
e.g. Bluecoat, Cisco/IronPort
5. Forensics Analysis
e.g. RSA/NetWitness
6. Data Loss Prevention (DLP)
e.g. TrendMicro
7. Next-Gen Firewalls
e.g. Palo Alto Networks
8. Security Event Monitoring
e.g. HP/ArcSight
Intrusion Detection System
• A device or software application that monitors a network or systems for malicious activity or policy violations [CIA violation]
• Types of Intrusion Detection Systems
– Network-based IDSs
– Host-based IDSs
Network-based IDS
• Deploying sensors at strategic locations
– e.g. packet sniffing via tcpdump at routers
• Inspecting network traffic
– Watch for violations of protocols and unusual connection patterns
• Monitoring user activities
– Look into the data portions of the packets for malicious command sequences
• May be easily defeated by encryption
– Data portions and some header information can be encrypted
Network-based IDS (architecture diagram)
[Figure: network IDS architecture. Components shown: Sensors -> Packet stream -> Packet Collector -> Filtered packet stream -> Event Analyzer -> Event stream -> Event Storage; Policy and Configuration as inputs to the analyzer; Alarms raised by the analyzer; Countermeasure applied to the SYSTEM.]
Firewall vs. Network-based IDS
• What is the difference between firewalls and network-based Intrusion Detection Systems?
• Firewall
– Active filtering
– Fail-close
• Network-based IDS
– Passive monitoring
– Fail-open
Host-based IDS
• Using OS auditing mechanisms
– EventLog: Windows Event Logs (System, Security, Application)
– Netstat: read information about network usage
– Health: read information about CPU, memory, and swap usage
– Ps: read information about running processes
• Monitoring user activities
– e.g. analyze shell commands
• Monitoring execution of system programs
Host-based IDS (architecture diagram)
[Figure: host IDS architecture. Components shown: Audit logs and Vulnerability Scanning feed a Detector governed by Policy and Configuration; the Detector raises Alarms; the Countermeasure takes Actions on the SYSTEM.]
IDS Detection Methods
• Knowledge-based
• Specification-based
• Behavior-based
Evaluation of IDS
• Accuracy
• Completeness
• Performance
• Fault tolerance
• Timeliness
Knowledge-based IDS
• High accuracy, but low in completeness
• Drawback: needs regular updates of knowledge (malware signatures)
• High performance with minimal processing power
Specification-based IDS
• Manually develop specifications that capture the legitimate system behavior. Any deviation from it is an intrusion.
• Pro: can avoid false positives since the specification can capture all legitimate behavior.
• Con: hard to develop a complete and detailed specification.
Behavior-based IDS
• High in completeness, but low accuracy
• Detect intrusion by observing a deviation from the normal or expected behavior of the system or the users
• Can detect attempts to exploit new and unforeseen vulnerabilities (zero-day attacks)
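The accuracy/completeness trade-off between the three detection methods is easier to see on one concrete event stream. The following is an added example, not code from the slides: a knowledge-based (signature), a specification-based and a behavior-based detector run over the same constructed traffic. The hosts, payloads, signature list, allowed-port policy and per-host baselines are all assumptions made for the illustration.

```python
"""Added example (not from the slides): the three IDS detection methods
applied to one constructed event stream, so the accuracy/completeness
trade-off can be seen directly. Hosts, payloads, the signature list, the
allowed-port policy and the per-host baselines are all assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str        # source host (constructed address)
    dst_port: int   # destination port
    payload: str    # decoded data portion of the packet


# Constructed traffic: normal web and SSH use, one request carrying a
# known-bad string, a burst of novel requests no signature covers
# (stand-in for a zero-day), and a legitimate backup-job burst.
EVENTS = (
    [Event("10.0.0.5", 80, "GET /index.html")] * 20
    + [Event("10.0.0.7", 22, "SSH-2.0-OpenSSH")] * 5
    + [Event("10.0.0.9", 80, "GET /cgi-bin/x?cmd=KNOWN_BAD_SEQ")]
    + [Event("10.0.0.11", 80, f"GET /app?q=NOVEL_{i}") for i in range(12)]
    + [Event("10.0.0.13", 443, "TLS ClientHello")] * 40
)

# Knowledge-based: a signature list that must be kept up to date.
SIGNATURES = ("KNOWN_BAD_SEQ",)

# Specification-based: hand-written description of legitimate behaviour
# (assumed policy: only these ports, and no query strings on port 80).
ALLOWED_PORTS = {22, 80, 443}

# Behaviour-based: per-host history as (mean events per window, pstdev),
# learned during a constructed training period.
BASELINE = {
    "10.0.0.5": (20.0, 3.0),
    "10.0.0.7": (5.0, 2.0),
    "10.0.0.9": (1.0, 1.0),
    "10.0.0.11": (1.0, 1.0),
    "10.0.0.13": (10.0, 5.0),
}


def knowledge_based(events):
    """Hosts whose payload contains a known signature (accurate, incomplete)."""
    return {e.src for e in events if any(s in e.payload for s in SIGNATURES)}


def specification_based(events):
    """Hosts whose traffic violates the written specification."""
    flagged = set()
    for e in events:
        if e.dst_port not in ALLOWED_PORTS or (e.dst_port == 80 and "?" in e.payload):
            flagged.add(e.src)
    return flagged


def behavior_based(events, k=3.0):
    """Hosts whose event volume exceeds their baseline by more than k sigma."""
    counts = Counter(e.src for e in events)
    flagged = set()
    for host, count in counts.items():
        mean, sd = BASELINE.get(host, (0.0, 1.0))  # unknown host: no history
        if (count - mean) / sd > k:
            flagged.add(host)
    return flagged


def compare(events):
    """Run all three detectors and report which hosts each one flags."""
    return {
        "knowledge": knowledge_based(events),
        "specification": specification_based(events),
        "behavior": behavior_based(events),
    }


if __name__ == "__main__":
    for method, hosts in compare(EVENTS).items():
        print(f"{method:14s} -> {sorted(hosts)}")
```

On this input the signature detector flags only the host sending the known string and misses the novel burst entirely; the specification detector catches both query-string hosts but only because the assumed policy happens to describe them; the behavior detector catches the novel burst without any prior knowledge of it, at the price of also flagging the legitimate backup job, which is exactly the "high completeness, low accuracy" trade-off the slide describes.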
Typical Corporation Environment
[Figure: network diagram. Components shown: Remote User, Internet, Router, Intrusion Prevention System, two Switches, Database Server, Web Server, App Server, Email Server, DC Server, DNS Server, EPO Server.]
Security Information and Event Management (SIEM)
• SIEM is a system combining Security Information Management (SIM) and Security Event Management (SEM).
• SEM deals with
– Real-time monitoring
– Correlation of events and threat intelligence
– Notifications
– Console views
• SIM deals with
– Long-term storage
– Analysis and reporting of log data
SIEM Features
* Source: ManageEngine, https://www.manageengine.com/products/eventlog/manageengine-siem-whitepaper.html
SIEM Workflow
1. Collect data from log sources
2. Correlate events
3. Generate alerts for security incidents
4. Security and compliance reports
5. Archive logs for forensic analysis
SIEM Workflow: Collect Data from Log Sources
• Methods of collecting data from sources
[Figure: Data Source -> Collector <- Data Source]
• Aggregation: to gather data together as a whole in a singular repository
• Normalization: to create consistent records by type and format
Normalization
• Original log format from source 1
10:32, 12/3/2017, alsubaim, ad.corporate.com, error, failed login attempt
• Original log format from source 2
12:45, 3/23/2017, malicious code detected, host1.corporate.com, alsubaim
• Normalized logs
10:32, 12/3/2017, alsubaim, ad.corporate.com, failed login attempt
12:45, 23/3/2017, alsubaim, host1.corporate.com, malicious code detected
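The slide shows the normalized output but not the parsing that produces it. The following added example (not the slides' code) parses the two raw formats above into one record schema. It assumes source 1 writes dates as day/month/year and source 2 as month/day/year (the slide rewrites only source 2's date), and it goes one step beyond the slide by emitting ISO 8601 timestamps so records from both sources sort and compare correctly; lines that cannot be parsed are reported rather than silently dropped.

```python
"""Added example (not from the slides): normalizing the two raw log
formats from the slide into one record schema. Assumptions: source 1
writes dates as D/M/Y and source 2 as M/D/Y, and the common schema uses
ISO 8601 timestamps so records from both sources sort correctly."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NormalizedEvent:
    timestamp: str   # ISO 8601, e.g. 2017-03-12T10:32:00
    user: str
    host: str
    event: str
    source: str      # which collector format the record came from


def _iso(date_s, time_s, fmt):
    """Parse a date and time string with the given strptime format."""
    return datetime.strptime(f"{date_s} {time_s}", fmt).isoformat()


def parse_source1(line):
    """Source 1 layout: time, date (D/M/Y), user, host, level, message."""
    parts = [p.strip() for p in line.split(",", 5)]
    if len(parts) != 6:
        raise ValueError(f"source1: expected 6 fields, got {len(parts)}")
    time_s, date_s, user, host, _level, message = parts
    return NormalizedEvent(_iso(date_s, time_s, "%d/%m/%Y %H:%M"),
                           user, host, message, "source1")


def parse_source2(line):
    """Source 2 layout: time, date (M/D/Y), message, host, user."""
    parts = [p.strip() for p in line.split(",", 4)]
    if len(parts) != 5:
        raise ValueError(f"source2: expected 5 fields, got {len(parts)}")
    time_s, date_s, message, host, user = parts
    return NormalizedEvent(_iso(date_s, time_s, "%m/%d/%Y %H:%M"),
                           user, host, message, "source2")


PARSERS = {"source1": parse_source1, "source2": parse_source2}

# Constructed input: the two lines from the slide plus two bad records,
# one malformed and one from a source with no parser registered.
SAMPLE = [
    ("source1", "10:32, 12/3/2017, alsubaim, ad.corporate.com, error, failed login attempt"),
    ("source2", "12:45, 3/23/2017, malicious code detected, host1.corporate.com, alsubaim"),
    ("source2", "truncated record with no delimiters"),
    ("syslog", "<34>Mar 23 12:46:00 host2 sshd[1]: Accepted publickey for alsubaim"),
]


def normalize(batches):
    """Parse (source, line) pairs into NormalizedEvents sorted by time.

    Records that cannot be parsed are returned separately rather than
    dropped, so collection gaps stay visible to the analyst."""
    events, rejects = [], []
    for source, line in batches:
        parser = PARSERS.get(source)
        try:
            if parser is None:
                raise ValueError(f"no parser registered for source {source!r}")
            events.append(parser(line))
        except ValueError as exc:
            rejects.append((source, line, str(exc)))
    events.sort(key=lambda e: e.timestamp)
    return events, rejects


if __name__ == "__main__":
    ok, bad = normalize(SAMPLE)
    for e in ok:
        print(f"{e.timestamp}, {e.user}, {e.host}, {e.event}")
    for source, _line, reason in bad:
        print(f"REJECTED [{source}]: {reason}")
```

Keeping the `source` field on every record matters later in the workflow: correlation rules and forensic queries often need to know which collector a record came from, and a reject count per source is the quickest signal that a parser or a log source has silently changed format.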
SIEM Workflow: Correlate Events
• Link events to identify attacks
• Event based:
– a single event identifies an attack
• Rule based:
– If X + Y + Z then do A
– If X repeated 3 times within an hour, then do Y
• Anomaly based:
– If the traffic on port X exceeds the standard deviation of historic traffic patterns, then there may be a problem
SIEM Workflow: Generate Alerts for Security Incidents
• Severity: Low, Medium, High, Critical
• Notification: upon identifying a threat, notifications are sent to the security administrators (SOC)
• Automated Response: the majority of SIEM tools can execute external scripts to react to identified threats (change FW rules, issue a Remedy ticket)
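The correlation slide and the alerting slide describe one pipeline: correlation rules fire, each alert gets a severity, and some alerts trigger an automated response. The following added example (not the slides' code) implements all three correlation styles from the correlation slide over a constructed normalized event stream, tags each alert with one of the four severities above, and records the response a rule would dispatch instead of running an external script. The event names, thresholds, rule definitions, response labels and traffic history are assumptions made for the illustration.

```python
"""Added example (not from the slides): a small correlation engine that
implements event-, rule- and anomaly-based correlation, assigns each
alert one of the slide's severities and records the automated response
a rule would trigger instead of running a script. Event names,
thresholds, rule definitions, response labels and the traffic history
are assumptions for illustration."""
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, host, event, port=None, nbytes=0):
    """Build one constructed normalized event."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "event": event, "port": port, "bytes": nbytes}


# Constructed normalized event stream (already collected and normalized).
EVENTS = [
    ev("2017-03-23T09:00:00", "alsubaim", "ad.corporate.com", "failed login"),
    ev("2017-03-23T09:10:00", "alsubaim", "ad.corporate.com", "failed login"),
    ev("2017-03-23T09:20:00", "alsubaim", "ad.corporate.com", "failed login"),
    ev("2017-03-23T09:25:00", "alsubaim", "ad.corporate.com", "successful login"),
    ev("2017-03-23T09:30:00", "alsubaim", "host1.corporate.com", "new admin account"),
    ev("2017-03-23T12:45:00", "alsubaim", "host1.corporate.com", "malicious code detected"),
    ev("2017-03-23T13:00:00", "-", "web.corporate.com", "traffic sample", port=443, nbytes=900_000),
]

# Constructed historic traffic per port, bytes per sampling interval.
HISTORY = {443: [100_000, 120_000, 90_000, 110_000, 105_000]}

# Ordered sequence rule "X + Y + Z then do A", evaluated per user.
SEQUENCE = ("failed login", "successful login", "new admin account")


class Correlator:
    def __init__(self, history, threshold=3, window=timedelta(hours=1), k=2.0):
        self.history, self.threshold, self.window, self.k = history, threshold, window, k
        self.failed = defaultdict(deque)   # user -> recent failed-login times
        self.matched = defaultdict(list)   # user -> times of matched sequence steps
        self.alerts = []                   # (severity, rule, key, iso timestamp)
        self.actions = []                  # (response label, key); never executed here

    def _raise(self, severity, rule, key, ts, action=None):
        self.alerts.append((severity, rule, key, ts.isoformat()))
        if action:
            self.actions.append((action, key))

    def process(self, e):
        ts, user, event = e["ts"], e["user"], e["event"]

        # Event-based: a single event identifies the attack.
        if event == "malicious code detected":
            self._raise("High", "event:malware", e["host"], ts, action="isolate-host-ticket")

        # Rule-based, threshold: X repeated N times within the window.
        if event == "failed login":
            recent = self.failed[user]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            if len(recent) == self.threshold:   # fires when the threshold is first reached
                self._raise("Medium", "rule:repeated-failed-login", user, ts)

        # Rule-based, sequence: X + Y + Z for the same user, in order, inside the window.
        steps = self.matched[user]
        if steps and ts - steps[0] > self.window:
            steps.clear()                      # partial match went stale; start over
        if len(steps) < len(SEQUENCE) and event == SEQUENCE[len(steps)]:
            steps.append(ts)
            if len(steps) == len(SEQUENCE):
                self._raise("Critical", "rule:sequence", user, ts, action="disable-account-ticket")

        # Anomaly-based: port traffic beyond mean + k*stddev of its history.
        if event == "traffic sample" and e["port"] in self.history:
            hist = self.history[e["port"]]
            limit = statistics.mean(hist) + self.k * statistics.pstdev(hist)
            if e["bytes"] > limit:
                self._raise("Low", "anomaly:port-traffic", e["port"], ts)


def run(events, history):
    """Correlate a batch of events in time order; return (alerts, actions)."""
    c = Correlator(history)
    for e in sorted(events, key=lambda x: x["ts"]):
        c.process(e)
    return c.alerts, c.actions


if __name__ == "__main__":
    alerts, actions = run(EVENTS, HISTORY)
    for severity, rule, key, when in alerts:
        print(f"{when} {severity:8s} {rule:28s} {key}")
    print("responses to dispatch:", actions)
```

Two design points carry over to a real deployment: state for threshold and sequence rules must be keyed (here per user) and aged out by the window, or memory grows without bound and stale partial matches produce false alerts; and the response step should produce an auditable action record (here a ticket label) that a runbook or SOAR tool consumes, rather than calling a firewall or directory API directly from the rule.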
Security Operations Center (SOC)
SIEM Workflow: Security and Compliance Reports
SIEM Workflow: Archive Logs for Forensic Analysis
• Collected log data is stored for future forensic investigations.
• Not equivalent to Log Management Solutions
SIEM vs. LM
Functionality | Security Information and Event Management | Log Management
Log collection | Security related logs | All logs
Log pre-processing | Parsing, normalization, categorization, and enrichment | Indexing, parsing, or none
Log retention | Retain parsed and normalized data | Retain raw log data
Reporting | Security focused reporting | Broad use reporting
Analysis | Correlation, threat scoring, event prioritization | Full text analysis, tagging
Alerting and notification | Advanced security focused reporting | Simple alerting on all logs
Other features | Incident management, analyst workflow, context analysis, etc. | High scalability of collection and storage
HP ArcSight (SIEM)
Why SIEM Implementations Fail
• Lack of planning
– No defined scope
• Faulty deployment strategies
– Incoherent log management data collection
– High volume of irrelevant data can overload the system
• Operational
– Lack of management oversight
– Security is a process, not a product
– Assume plug and play
Questions?

THANK YOU!
