ArcSight事件关联分析.ppt (ArcSight Event Correlation Analysis)

Uploader: a199****6536  Document ID: 13019404  Uploaded: 2026-01-05  Format: PPT  Pages: 46  Size: 1.42MB  Download cost: 12 coins
Resource description
Slide 1: ArcSight Correlation
Fabian Libeau
Translated by Superpan (hongliangpan, QQ: 28797575)
2005 ArcSight Confidential

Slide 2: ArcSight ESM
ArcSight ESM (Enterprise Security Management) is an enterprise security management system for dealing with security risk, compliance requirements and insider threats. It presents a centralized overview of every aspect of enterprise information security, and also provides real-time monitoring and event correlation, risk analysis, in-depth investigation, reporting, notification and other security management functions, so that security matters can be managed and audited across the whole enterprise.

Slide 3: ArcSight ESM
- Powerful event collection and cross-device event categorization: ArcSight ESM normalizes data formats in real time, supports more than 260 device types out of the box, and categorizes every kind of event in detail, so that administrators can understand what an event means and analyze it across devices.
- The most intelligent and flexible correlation analysis: ArcSight ESM provides real-time, in-memory correlation, 106 pre-built correlation rules, a graphical rule editor, and correlation of events with asset categories, vulnerability status, enterprise policy and risk-management objectives.
- Intuitive investigation and compliance reporting: ArcSight ESM has 169 reusable, graphical data monitor modules, freely defined dashboards (41 pre-built), flexible report formats, a graphical report editor and pre-packaged compliance solutions.

Slide 4: ArcSight ESM
- Complete automated security response: ArcSight ESM can work together with security devices to shut down threat communications and stop attacks in progress, and provides threat escalation and ticketing.
- Intelligent storage: ArcSight ESM integrates a series of database maintenance tools (data monitoring, backup scripts, partition management and so on), provides a comprehensive Security Lifecycle Information Management (SLIM) strategy, and uses automatic high-ratio compression, archiving and restore to reduce the cost of storing security events for the long term.

Slide 5: ArcSight ESM (diagram only)

Slide 6: Core technologies of log correlation in a SOC
The core technology of log correlation in SIM/SEM/SIEM/SOC products concentrates on four areas: log collection, formatting (normalization), event mapping and correlation.
- Log collection: whether a SIM product has an advantage depends on how many device log types its collection supports, how easily it can be extended, and whether it can automatically recognize logs from unknown devices. Protocols that need to be supported include syslog, snmp trap, windows log, checkpoint opsec, database, file, xml, soap and so on.
- Formatting: once logs are collected they must be formatted to a unified standard in preparation for the later correlation and event mapping; if the formatting is not standard enough, the later stages are hard to do well.
- Event mapping: logs must be mapped uniformly onto one standard to provide a unified solution. This is also quite difficult: the log names, types and meanings differ from vendor to vendor, so mapping them uniformly is a hard problem.
- Correlation analysis: this is the core of a SIM. ArcSight, for example, provides simple event correlation, context correlation, attack-scenario correlation, low-and-slow attack correlation, location correlation, identity correlation, role correlation and so on. Correlation analysis also covers vulnerability correlation, causal correlation, inference correlation and more. The key problem, and also a hard one, is how to use these techniques to give users a good SIM/SEM/SIEM/SOC system.

Slide 8: Agenda
- Architectural Overview
- ArcSight Risk Prioritization
- ArcSight different ways of correlating information
  - Rule based correlation
  - Statistical correlation
  - Pattern discovery (advanced predictive DataMining)
- ArcSight Key Concepts

Slide 9: Architectural Overview (diagram)
Components: Console, Database, ArcSight Manager, Asset Management, Vulnerability Assessment. Data flows into the Manager from event sources: XML, Windows Systems, Unix/Linux/AIX/Solaris, Security Devices, Database Management Systems, a Syslog Concentrator, and Mainframe & Apps.

Slide 10: ArcSight SmartAgent Overview
- Largest number of supported devices: 150+
- 100% Data Capture
- Intelligent Event Capture
  - Normalization: one format
  - Categorization: grouping similar events
  - Aggregation: event redundancy (50-80% for firewalls and routers)
  - Filtering: transfer and store only what you need
- Secure, configurable and governed
- FlexAgents: new SmartAgents in hours
- CounterAct Agents: automated remediation
- Flexible Data Collection: centralized or distributed
(Diagram: Flexible Collection with CounterAct, SmartAgent and FlexAgent)

Slide 11: ArcSight SmartAgent: Event Normalization and Categorization
Sample Raw Pix Events:
Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346
Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013
Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside
ArcSight Normalization and ArcSight Categorization (shown as diagrams on the slide) are illustrated for the last of these events:
Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside

Slide 12: ArcSight SmartAgent Guaranteed Delivery (diagram)
The SmartAgent keeps a local cache of ArcSight events and sends them compressed over SSL to the ArcSight Manager on port 8443, with an optional Failover Manager; the Manager pushes content updates back to the agent, and the Analyst works from the console against the Manager.

Slide 13: The ArcSight Manager: Overview
- Real-Time, In-Memory Correlation
- Real-time Dashboards
- Anomaly Detection
  - Correlation Rules: known behaviors
  - Pattern Discovery: undiscovered patterns
  - Flow Rates: deviations from the norm (baseline deviation)
- Asset Linkage
- Priority Scoring
  - Vulnerability
  - Asset Value
  - Severity
- Alerts, among other configurable actions
- Scalability and High Availability Options
- Intelligent Processing
(Diagram: the Manager with LINUX, Windows, UNIX and Macintosh platforms)

Slide 14: Agenda (repeated, highlighting ArcSight Risk Prioritization)

Slide 15: ArcSight Risk Correlation (diagram)
Four inputs answer four questions: Events (What's happening?), Devices (What's targeted?), Scans (What's vulnerable?) and Prioritization (What matters?).
Detected Event + Profiled Asset + Confirmed Vulnerability + Weighting Algorithms = Dynamic Threat Severity Index, which classifies the event either as a False Alarm or Normal event, or as a Prioritized Red Alarm.
ArcSight fuses all key event sources and related inputs to rank event significance on multiple variables.

Slide 16: Asset Linkage and Priority Scoring: Overview (diagram)
Events from Windows Systems, Unix/Linux/AIX/Solaris, Security Devices and Mainframe & Apps pass through SmartAgents as ArcSight Events into the ArcSight Manager, which emits ArcSight Prioritized Events. A Vulnerability Scanner feeds Asset Information through SmartAgents (prioritization and imported scanned assets). The prioritization inputs are:
- Model Confidence: Has the asset been scanned for open ports and vulnerabilities?
- Relevance: Are ports open on the asset? Is it vulnerable?
- Severity: Is there a history with this attacker or target (active lists)?
- Asset Criticality: How important is this asset to the business?
- Agent Severity: Mapping of reporting device severity to ArcSight severity

Slide 17: Asset Linkage and Priority Scoring: Information Flow
- Three dimensional correlation of assets, events and vulnerabilities
- Allows organizations to apply SIM to risk management
- Minimizes dead end investigations
- Information seamlessly linked within the ArcSight system
(Diagram: Vulnerability Assessment feeds the ArcSight Manager. Assets carry Compliance Requirement, Business Role, Application, Operating System, Data role, Criticality, Vulnerabilities and Zones. An ArcSight Event carries Event CVE, Event Severity, Priority Score and Relevance.)

Slide 18: Threat Priority Variables Considered
Model Confidence: How well does ArcSight know this asset? Has it been scanned? Options:
- 0 = Asset is not modeled
- 4 = Asset has not been scanned for open ports or vulnerabilities
- 8 = Asset has been scanned for open ports or vulnerabilities, but not for both
- 10 = Asset is scanned for both open ports and vulnerabilities
Relevance: Is the port open, and has a vulnerability been exploited? Options:
- 5 = Asset's target port is open
- 5 = Event will exploit a known asset vulnerability
Severity: Is there a history with this attacker or target (Active Lists)? Options:
- 5 = Hostile List
- 3 = Compromised
- 3 = Suspicious List
- 1 = Reconnaissance List
Asset Criticality: How critical have I rated this asset within my organization? Options:
- 10 = Very High Criticality Assets
- 8 = High Criticality Assets
- 6 = Medium Criticality Assets
- 4 = Low Criticality Assets
- 2 = Very Low Criticality Assets
- 0 = Unknown Criticality Assets
Agent Severity: Mapping of reporting device severity to ArcSight severity.
The Priority of an event is the Agent Severity adjusted by: Model Confidence, Relevance, Severity and Asset Criticality.

Slide 19: Threat Priority: The Formula
1. Relevance drags down the Agent Severity. Example: if Relevance = 0, the Priority = 0; if Relevance = 10, the Priority = Agent Severity.
2. Model Confidence tempers the effect of Relevance on Priority. Example: if Model Confidence = 0, Relevance has no effect on Priority; if Model Confidence = 10, Priority acts the way specified above.
3. Formula for the multiplication factor contributed by Model Confidence (M) and Relevance (R): R' = (R + M - R*M/10)
4. If Severity (S) = 10 it adds up to 30% to Agent Severity to provide Priority: (1 + S*3/100)
5. Criticality applies a boost to Agent Severity by 20% if Criticality = 10 (Very High); does nothing if Criticality = 8 (High); and applies a decrement/drag if the Criticality is Medium/Low/Unknown (6/4/2): (1 + (Criticality - 8)/10)

Slide 20: Heuristic: Formula-Based
- Threat level formula
- Prioritizes incident investigation and response
- Sums up complex information from the network model
- Defined in C:\arcsight\Manager\config\server\ThreatLevelFormula.xml

Slide 21: Priority Calculation Exercise
Steps: Device Severity -> Agent Severity -> Calculation.
Exercise:
- Agent Severity = Low, so Priority = 4.
- Asset Criticality is 0 = 20% decrease in priority, so Priority = 3.2.
- Severity = 0: no effect on priority.

Slide 22: Priority is adjusted by Criticality (exercise continued)
Combined factor for model confidence and relevance, let's call it MCR. MCR is calculated using the formula MCR = (R + M - R*M/10), where R (Relevance) = 5 and M (Model Confidence) = 4, so MCR = 7 = a 30% drop in priority again.
New Priority = 3.2 * 0.7 = 2.24, which rounded off gives 2.
The Final Priority is 2: because of the low values for criticality and relevance, the final priority of the event came down from 4 to 2.

Slide 23: Agenda (repeated, highlighting Rule based correlation)

Slide 24: Rule based correlation
- Fast memory based algorithm, based on RETE 2
- Integrated in correlation:
  - Events
  - Vulnerability Information
  - Active Lists (dynamic lists with e.g. Asset/User information)
  - Asset Categories (see later slides)
  - Asset Zones (IP ranges)
  - Asset Networks (IP networks / groups of Asset Zones)
  - Results of earlier rule based correlation
  - Results of earlier statistical correlation

Slide 25: Rules Theory: Rule Types By Complexity
1. Simple: Aggregation
   - Single event type or category; basic conditions; de-duplication
   - Example: any source repetitively profiling targets
     arcsight_category startsWith /recon
     target_address inSubnet
     groupBy source_address
     2 or more matching events in 1 minute
   - Approach: catch and accumulate events in real time in memory. Good for event bursts.
2. Complex Correlation: Multi-Event Join
   - Multiple event types or categories; boolean conditions; complete session or "round trip"
   - Example: any source successfully engaging a target
     arcsight_category startsWith /attack
     target_address inSubnet
     groupBy source_address, target_address
     1+ matching events in 1 minute
     join events across IDS, firewall and host
   - Approach: catch and correlate events in real time in memory until the rule chain is complete. Good for cross-event matching that occurs in a single session.
3. Complex: Long Sequence
   - Multiple sessions; pre-attack probes, attack formation/progression and attack conclusion; handles the long-term memory need using active lists
   - Example: low & slow attack pattern across multiple rules
     /recon rule records source_address as suspicious
     /attack rule upgrades source_address to hostile and records target_address as compromised
     Final rule looks for evidence of success
   - Approach: break up sequences into logical segments and maintain active lists in the database that tie together multiple rules. Good for long elapsed-time attack sequences that start and stop across multiple sessions.

Slides 26-27: Simple Correlation: Event Aggregation
- Most basic correlation
- De-duplicates events (many-to-one)
- Single source, single target
- Flattens event bursts
- ArcSight SmartAgents do this too!
(Diagram: Multiple Events (same base event) -> Correlation -> Single Event)
As above, plus:
- Distributed attack sources
- Multiple attack targets
- Any field or combination of event fields (types of event)
- Interrelates diverse events
(Diagram: Multiple Events (multiple event types, sources and/or targets) -> Correlation -> Single Event)

Slide 28: Advanced Correlation: Multi-event Joins
- Inter-relates (joins) diverse events with any combination of common field values, e.g. source IP, target IP, port, protocol, username, domain, location, zone etc.
- Compares any event fields using flexible boolean logic (AND, OR, NOT)
- Good for cross-event matching of complete end-to-end sessions
- E.g. correlating an attacker detected by NIDS, crossing the firewall, compromising a host, creating a back connection to steal confidential data
(Diagram: Multiple Events with Common Event Fields (different base events) -> Correlation -> Single Event)

Slide 29: Complex Correlation: Attack State Monitoring
- Inter-relates events across sessions using Active Lists
- Any field or combination of event fields may be persisted from base events
- Long & short-term state machines
- Good for tracking logical sequences of events
- E.g. Reconnaissance, attack formation, progression & conclusion
(Diagram: Event Sequence 1 (multi-event joins) -> Correlation -> Record on Active List (state 1); Event Sequence 2 -> Correlation -> Record on Active List (state 2); Event Sequence 3 -> Correlation -> Single Event)

Slide 30: Rule based Cross-C
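Slide 11 shows the raw PIX lines but the normalization and categorization results only as pictures. The following is an added example, not code from the deck or from ArcSight, showing what a SmartAgent-style parser does with those four lines: every message type is mapped into one common schema (timestamp, endpoints, protocol, device severity), and different message ids are grouped under one category so that both PIX deny messages look alike to a rule. The category paths, the device-to-agent severity mapping and the NormalizedEvent field names are constructed for the example and are not ArcSight's own taxonomy; the PIX message formats are the standard Cisco ones, with the interpretation that message 302013 lists the destination first for outbound connections.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the four raw Cisco PIX syslog lines shown on slide 11,
# with the spacing that the page extraction stripped restored.
RAW_PIX_EVENTS = [
    "Jun 01 2005 00:00:12: %PIX-3-106011: Deny inbound (No xlate) udp src outside:10.50.215.97/6346 dst outside:204.110.228.254/6346",
    "Jun 01 2005 00:00:12: %PIX-6-305011: Built dynamic TCP translation from isp:10.50.107.51/1967 to outside:204.110.228.254/62013",
    "Jun 01 2005 00:00:12: %PIX-6-302013: Built outbound TCP connection 2044303174 for outside:213.189.13.17/80 (213.189.13.17/80) to isp:10.50.107.51/1967 (204.110.228.254/62013)",
    "Jun 02 2005 12:16:03: %PIX-6-106015: Deny TCP (no connection) from 10.50.215.102/15605 to 204.110.227.16/443 flags FIN ACK on interface outside",
]

@dataclass
class NormalizedEvent:
    """One-format record: every PIX message type fills the same fields."""
    timestamp: str
    device_product: str
    device_severity: int        # PIX syslog level, 0 (emergency) .. 7 (debug)
    agent_severity: str         # constructed mapping of device level to Low/Medium/High
    message_id: str
    category: str               # constructed category path grouping similar events
    protocol: Optional[str]
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}):\s*"
    r"%PIX-(?P<level>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$"
)

# Per-message-id body patterns; \s* also tolerates the collapsed spacing seen on the page.
BODY_RE = {
    "106011": re.compile(r"Deny inbound\s*\(No xlate\)\s*(?P<proto>\w+) src (?P<a>\S+) dst (?P<b>\S+)"),
    "106015": re.compile(r"Deny (?P<proto>\w+)\s*\(no connection\)\s*from (?P<a>\S+) to (?P<b>\S+)"),
    "305011": re.compile(r"Built dynamic (?P<proto>\w+) translation from (?P<a>\S+) to (?P<b>\S+)"),
    "302013": re.compile(r"Built (?P<dir>inbound|outbound) (?P<proto>\w+) connection \d+ for (?P<a>\S+)\s*\(\S+\)\s*to (?P<b>\S+)"),
}

# Categorization: both deny messages land in one category, whichever PIX check rejected the packet.
CATEGORY = {
    "106011": "/Firewall/Access/Deny",
    "106015": "/Firewall/Access/Deny",
    "302013": "/Firewall/Access/Permit",
    "305011": "/Firewall/Translation/Built",
}

def agent_severity(level: int) -> str:
    """Constructed device-to-agent severity mapping (lower PIX level = more severe)."""
    return "High" if level <= 2 else "Medium" if level <= 4 else "Low"

def split_endpoint(token: str):
    """'outside:10.50.215.97/6346' or '10.50.215.97/6346' -> (ip, port)."""
    addr = token.rsplit(":", 1)[-1]
    ip, port = addr.split("/")
    return ip, int(port)

def normalize(raw: str) -> Optional[NormalizedEvent]:
    """Parse one raw PIX line into the common schema; None if the line is unsupported."""
    head = HEADER_RE.match(raw.strip())
    if not head:
        return None
    msgid = head.group("msgid")
    pattern = BODY_RE.get(msgid)
    body = pattern.search(head.group("body")) if pattern else None
    if body is None:
        return None
    a, b = split_endpoint(body.group("a")), split_endpoint(body.group("b"))
    # In message 302013 the PIX lists the destination first for outbound connections.
    if msgid == "302013" and body.group("dir") == "outbound":
        a, b = b, a
    level = int(head.group("level"))
    return NormalizedEvent(
        timestamp=head.group("ts"), device_product="Cisco PIX",
        device_severity=level, agent_severity=agent_severity(level),
        message_id=msgid, category=CATEGORY[msgid],
        protocol=body.group("proto").upper(),
        src_ip=a[0], src_port=a[1], dst_ip=b[0], dst_port=b[1],
    )

def normalize_all(lines):
    """Normalize a batch, dropping lines the parser does not understand."""
    return [e for e in (normalize(line) for line in lines) if e is not None]

if __name__ == "__main__":
    for ev in normalize_all(RAW_PIX_EVENTS):
        print(f"{ev.message_id} {ev.category:28} {ev.protocol} "
              f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} [{ev.agent_severity}]")
```

Running the block prints one normalized line per raw event; the two deny messages share a category while keeping their distinct message ids, which is the "grouping similar events" step that later rules depend on (a rule written against the category does not need to know every PIX message number).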
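Slides 18 to 22 give the priority factors, the formula and a worked exercise. The following added example (not ArcSight's ThreatLevelFormula.xml and not code from the deck) implements the three factors exactly as slide 19 prints them and replays the exercise of slides 21 and 22, returning every intermediate value so each step can be checked against the slide. Two caveats a reader should carry: the exercise applies a 20% criticality drag, which the printed formula (1 + (Criticality - 8)/10) yields for a criticality of 6, so the example feeds 6 in; and the printed MCR formula gives R' = 10 for any relevance when M = 10 and R' = R when M = 0, which is what the code computes (the deck's own numbers R = 5, M = 4 give 7, matching slide 22). The clamp of the final priority to 0..10 is an assumption of this example, not something the slide states.

```python
# Option values from slide 18, so inputs can be written by name rather than as bare numbers.
MODEL_CONFIDENCE = {"not modeled": 0, "not scanned": 4, "scanned ports or vulns": 8, "scanned both": 10}
RELEVANCE_PORT_OPEN = 5        # asset's target port is open
RELEVANCE_VULNERABLE = 5       # event exploits a known asset vulnerability
ACTIVE_LIST_SEVERITY = {"hostile": 5, "compromised": 3, "suspicious": 3, "reconnaissance": 1}
ASSET_CRITICALITY = {"very high": 10, "high": 8, "medium": 6, "low": 4, "very low": 2, "unknown": 0}
AGENT_SEVERITY = {"low": 4}    # only the value the slide-21 exercise uses: Low = 4

def mcr(relevance: float, model_confidence: float) -> float:
    """Combined factor from slide 19, step 3: R' = R + M - R*M/10 (scale 0..10)."""
    return relevance + model_confidence - relevance * model_confidence / 10

def severity_factor(severity: float) -> float:
    """Slide 19, step 4: active-list severity adds up to 30% at S = 10."""
    return 1 + severity * 3 / 100

def criticality_factor(criticality: float) -> float:
    """Slide 19, step 5: +20% at 10, neutral at 8, a drag below 8."""
    return 1 + (criticality - 8) / 10

def relevance_for(port_open: bool, vulnerable: bool) -> int:
    """Slide 18 lists two relevance contributions of 5 each."""
    return (RELEVANCE_PORT_OPEN if port_open else 0) + (RELEVANCE_VULNERABLE if vulnerable else 0)

def priority_breakdown(agent_severity, relevance, model_confidence, severity, criticality):
    """Apply the factors in the order of the slide 21/22 exercise; return every intermediate value."""
    steps = {"agent_severity": agent_severity}
    p = agent_severity * criticality_factor(criticality)
    steps["after_criticality"] = round(p, 2)
    p *= severity_factor(severity)
    steps["after_severity"] = round(p, 2)
    steps["mcr"] = mcr(relevance, model_confidence)
    p *= steps["mcr"] / 10          # MCR of 7 is the "30% drop" on slide 22
    steps["after_mcr"] = round(p, 2)
    # Assumption (not on the slide): priorities use the same 0..10 scale as the
    # inputs, so the rounded result is clamped to that range.
    steps["priority"] = max(0, min(10, round(p)))
    return steps

if __name__ == "__main__":
    exercise = priority_breakdown(
        AGENT_SEVERITY["low"],
        relevance=relevance_for(port_open=True, vulnerable=False),
        model_confidence=MODEL_CONFIDENCE["not scanned"],
        severity=0,
        criticality=ASSET_CRITICALITY["medium"],
    )
    for name, value in exercise.items():
        print(f"{name:18} {value}")
```

The breakdown reproduces the deck's chain 4 -> 3.2 -> 3.2 -> 2.24 -> 2. Changing one input at a time (for instance a hostile-list source, severity 5, or a very-high-criticality asset) shows how much each factor can move a priority, which is the practical reason an analyst would want the intermediate values rather than only the final score.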
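Slide 25 describes three rule types (simple aggregation, multi-event join, long sequence tied together by active lists) and slides 28 and 29 describe the join and the attack-state chain in more detail. The following added example, written for this page and not taken from the deck or from ArcSight's rule engine, runs a small in-memory engine implementing all three over a constructed event stream: rule 1 aggregates /recon events by source (2 or more in 1 minute) and puts the source on a suspicious list, rule 2 joins IDS, firewall and host events for the same source/target pair within a minute and upgrades the pair to hostile/compromised, and rule 3 looks for evidence of success across sessions, here a later connection from the compromised host back to the hostile source. Field names, category paths, IP addresses and timings are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Event:
    t: int            # seconds since stream start (constructed)
    category: str     # simplified category path in the style of slide 25 (constructed)
    src: str
    dst: str
    device: str       # which sensor reported it: IDS, FW or Host

# Constructed sample stream: three probes inside a minute, an hour later an exploit
# against one probed host seen by IDS, firewall and host, then a back connection.
EVENTS = [
    Event(0,    "/recon/portscan", "10.0.0.5", "192.168.1.10", "IDS"),
    Event(20,   "/recon/portscan", "10.0.0.5", "192.168.1.11", "IDS"),
    Event(45,   "/recon/portscan", "10.0.0.5", "192.168.1.12", "IDS"),
    Event(3600, "/attack/exploit", "10.0.0.5", "192.168.1.11", "IDS"),
    Event(3601, "/access/permit",  "10.0.0.5", "192.168.1.11", "FW"),
    Event(3605, "/host/new_admin", "10.0.0.5", "192.168.1.11", "Host"),
    Event(7200, "/access/permit",  "192.168.1.11", "10.0.0.5", "FW"),
    Event(7300, "/recon/portscan", "10.0.0.9", "192.168.1.20", "IDS"),
]

WINDOW = 60                                   # "in 1 minute" on slide 25
JOIN_ROLE = {"IDS": "/attack", "FW": "/access", "Host": "/host"}   # which category each sensor contributes

class CorrelationEngine:
    def __init__(self) -> None:
        # Active lists persist state across sessions (slide 29); a real deployment keeps them in the database.
        self.active: Dict[str, Set[str]] = {"suspicious": set(), "hostile": set(), "compromised": set()}
        self._recon: Dict[str, List[int]] = defaultdict(list)                     # rule 1: groupBy source_address
        self._joins: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(dict)    # rule 2: groupBy (src, dst)
        self.alerts: List[str] = []

    def rule_simple_aggregation(self, e: Event) -> None:
        """Rule 1: category startsWith /recon, groupBy source, 2 or more events in 1 minute."""
        if not e.category.startswith("/recon"):
            return
        times = [t for t in self._recon[e.src] if e.t - t <= WINDOW] + [e.t]
        if len(times) >= 2:
            self.alerts.append(f"rule1: repeated reconnaissance from {e.src}")
            self.active["suspicious"].add(e.src)
            times = []                        # one correlated event per burst, not one per base event
        self._recon[e.src] = times

    def rule_multi_event_join(self, e: Event) -> None:
        """Rule 2: /attack from IDS joined with FW and host events for the same src/dst within 1 minute."""
        wanted = JOIN_ROLE.get(e.device)
        seen = self._joins[(e.src, e.dst)]
        if wanted and e.category.startswith(wanted):
            seen[e.device] = e.t
        if {"IDS", "FW", "Host"} <= set(seen) and max(seen.values()) - min(seen.values()) <= WINDOW:
            self.alerts.append(f"rule2: {e.src} successfully engaged {e.dst}")
            self.active["hostile"].add(e.src)
            self.active["compromised"].add(e.dst)
            seen.clear()

    def rule_long_sequence(self, e: Event) -> None:
        """Rule 3: evidence of success, a connection from a compromised host back to a hostile source."""
        if (e.category.startswith("/access")
                and e.src in self.active["compromised"]
                and e.dst in self.active["hostile"]):
            self.alerts.append(f"rule3: back connection {e.src} -> {e.dst} (compromised -> hostile)")

    def run(self, events: List[Event]) -> List[str]:
        for e in sorted(events, key=lambda ev: ev.t):
            self.rule_simple_aggregation(e)
            self.rule_multi_event_join(e)
            self.rule_long_sequence(e)
        return self.alerts

def correlate(events: List[Event] = EVENTS):
    """Run the three rules over a stream; return the correlated alerts and the active lists."""
    engine = CorrelationEngine()
    return engine.run(events), engine.active

if __name__ == "__main__":
    alerts, lists = correlate()
    print("\n".join(alerts))
    print({name: sorted(members) for name, members in lists.items()})
```

The stream produces three correlated events from eight base events: the burst of probes collapses into one alert, the three-sensor session into one, and the back connection two hours later is only recognisable because the active lists carried the hostile/compromised state across sessions, which is the point slide 25 makes about long sequences. The single probe from 10.0.0.9 never reaches the threshold and stays off every list.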