Effective Use of Security Event Correlation
Mark G. Clancy
Chief Information Security Officer
The Depository Trust & Clearing Corporation
DTCC Non-Confidential (White)
About DTCC
• DTCC provides custody and asset servicing for $36.5 trillion in securities
  – Most of which are "dematerialized", i.e. they exist only in book-entry form
• DTCC provides clearance and settlement for all cash equity transactions completed by the 50+ exchanges and alternative trading platforms (ECNs) operating in U.S. capital markets, and also in U.S. fixed income markets for government, agency-backed, and mortgage-backed securities.
• In 2010 DTCC settled more than $1.66 quadrillion in securities transactions.
Information Security Program Overview
(Diagram: program components arranged around Input, TVA and Output)
• Security Monitoring
• Top TV Remediation
• Provisioning / De-Provisioning
• Access Recertification
• Access Control
• Vulnerability Management
• Configuration Management
• Security Awareness, Education and Communication
• KPIs
• Information Technology Risk
• Policy Management
• Application Risk Program
Security Monitoring Program: Cornerstones
Cornerstone 1
• Baseline Security Settings
  – 66 baselines from STIG, CIS, and in-house standards
  – Risk-rate devices: High, Medium, Low
• Compliance to Settings
  – 1000+ servers
  – 99.9% convergence to baselines
• Security Event Monitoring
  – 4000 device logs
  – 345mm daily events
Security Monitoring with SIEM
• SIEM captures, aggregates, correlates and analyzes log information from over 4,000 DTCC devices, such as servers, routers, firewalls, etc.
• SIEM rules aggregate and correlate the data, creating immediate alerts of security events for TVA staff response
• These alerts lead to the identification of security incident(s), which feed the DTCC Incident Response Process, or of events that require further analysis and/or remediation
• SIEM generates daily, weekly, monthly and on-demand security reports, which include both summary and descriptive reports for logged anomalies that CIS and Infrastructure technology subject matter experts (SMEs) identify as requiring immediate investigation.
Collecting Data from Supported Device Types
Collect data using various supported methods (SFTP, FTP, WMI, Syslog, ODBC, and LEA) for a variety of device types, such as:
• Network - Checkpoint, Cisco PIX, Cisco Routers
• Host - Windows, Unix (Solaris, AIX), Linux
• Mainframe - IBM RACF
• Web Access - Blue Coat
• Anti-Malware/IPS/IDS - SEP11, CA eTrust, Sourcefire
• Access Based - RSA Access Server, Citrix NetScaler
• Storage - Brocade, FabricOS
Collecting Data from Unsupported Device Types
• Requires additional custom coding
• Middleware
  – IBM WebSEAL
  – Wharelock IP Authentication
  – ClearTrust
  – CMAN
  – EAI Cookie Monitoring
• Desktop Monitoring
  – Systrack
• Database
  – DB2 Universal Database
Custom Correlation Rules
• Examples of DTCC's custom correlation rules:
  – Suspicious data upload
  – Malware not cleaned by SEP11
  – Malware detected on external drives
  – Multiple systems affected by malware
  – Windows log tampering
  – Account lockout monitoring
  – Privileged account changes
  – Watch list monitoring
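Two of the rules listed above, "Malware not cleaned" and "Multiple systems affected by malware", written out as correlation logic over endpoint anti-malware events. This is an added example, not DTCC's rule content or RSA enVision syntax; the event fields, hosts, threat names and the 15-minute / 3-host thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape an endpoint anti-malware source
# (SEP11 on the slide) would forward to the SIEM; hosts and threats are made up.
SAMPLE_EVENTS = [
    {"time": "2010-03-10 09:01:00", "host": "wks-101", "threat": "Trojan.Zbot", "action": "Cleaned"},
    {"time": "2010-03-10 09:04:00", "host": "wks-117", "threat": "Trojan.Zbot", "action": "Quarantined"},
    {"time": "2010-03-10 09:09:00", "host": "wks-203", "threat": "Trojan.Zbot", "action": "Left alone"},
    {"time": "2010-03-10 11:30:00", "host": "wks-101", "threat": "Adware.Generic", "action": "Cleaned"},
    {"time": "2010-03-11 08:00:00", "host": "wks-330", "threat": "Trojan.Zbot", "action": "Cleaned"},
]

# Actions that mean the endpoint product dealt with the threat on its own.
REMEDIATED = {"Cleaned", "Quarantined", "Deleted"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def malware_not_cleaned(events):
    """Rule 'Malware not Cleaned': a detection whose action is not a remediation
    needs a human, because the endpoint product has already failed on it."""
    return [e for e in events if e["action"] not in REMEDIATED]


def multiple_systems_affected(events, min_hosts=3, window=timedelta(minutes=15)):
    """Rule 'Multiple systems affected by Malware': the same threat name seen on
    at least min_hosts distinct hosts inside a sliding time window.
    Returns one (threat, sorted hosts) alert per threat."""
    by_threat = defaultdict(list)
    for e in events:
        by_threat[e["threat"]].append((parse_time(e["time"]), e["host"]))
    alerts = []
    for threat, seen in by_threat.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            hosts = {h for t, h in seen[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((threat, sorted(hosts)))
                break  # one alert per threat is enough for the analyst queue
    return alerts
```

The next-day detection on wks-330 is the same threat but falls outside the window, so it does not inflate the host count; tune window and min_hosts to the environment's normal detection rate.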
Custom Reports (Scheduled and Ad-Hoc)
• Examples of custom reports:
  – Network - Top usage (bandwidth, ports, drops, etc.)
  – Web Activity - Executable downloads, Top 25 sites, uploaded data, user agent monitoring
  – Windows - Privileged monitoring, logon failure activity, account modification, remote access activity
  – Unix - Summary - Daily successful/unsuccessful super user activity
  – Symantec Antivirus - Malware detection details
  – Storage - FabricOS/Brocade - Successful logins, configuration and user changes
  – Middleware - Administrative lockouts, failed logins, illegal user
Asset Tracking
• Inventory check of security-eligible devices
  – Automated process to verify that each system is active and reporting to SIEM
  – Requires a combination of SIEM reports and the Asset Management Tool
(Charts: "Servers Not Registered to enVision" and "enVision: Routers and Switches (Security Event Monitoring)"; weekly counts plotted from 1/20/2010 through 8/25/2010)
Group    Eligible Devices *   Registered   Percentage of Eligible Devices Registered   Remarks
Team A   76                   71           93%
Team B   168                  133          79%
Team C   734                  702          96%
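The inventory check behind a table like the one above, as an added example (not DTCC's tooling): it joins an asset-management export against the SIEM's last-seen time per device, counts a device as registered only if it has reported recently, and lists the gaps per group. Device names, groups, timestamps and the 24-hour silence threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed inputs: an asset-management export and the most recent event the
# SIEM holds per device. Device names, groups and times are made up.
INVENTORY = [
    {"device": "srv-a-01", "group": "Team A", "eligible": True},
    {"device": "srv-a-02", "group": "Team A", "eligible": True},
    {"device": "srv-a-03", "group": "Team A", "eligible": True},
    {"device": "srv-a-04", "group": "Team A", "eligible": False},  # e.g. decommissioned
    {"device": "srv-b-01", "group": "Team B", "eligible": True},
    {"device": "srv-b-02", "group": "Team B", "eligible": True},
]
LAST_EVENT = {
    "srv-a-01": "2010-03-10 08:55:00",
    "srv-a-02": "2010-03-01 12:00:00",  # registered once, silent for days
    "srv-b-01": "2010-03-10 08:40:00",
}
NOW = datetime(2010, 3, 10, 9, 0, 0)  # fixed 'now' so the example is deterministic


def is_reporting(device, now=NOW, max_silence=timedelta(hours=24)):
    """A device counts as registered only if the SIEM saw an event recently;
    a stale entry is a silent log source, not coverage."""
    ts = LAST_EVENT.get(device)
    if ts is None:
        return False
    return now - datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") <= max_silence


def coverage_by_group(inventory):
    """Per group: eligible count, registered count, percentage, and the devices
    that are missing from (or silent in) the SIEM."""
    report = {}
    for item in inventory:
        if not item["eligible"]:
            continue
        g = report.setdefault(item["group"], {"eligible": 0, "registered": 0, "missing": []})
        g["eligible"] += 1
        if is_reporting(item["device"]):
            g["registered"] += 1
        else:
            g["missing"].append(item["device"])
    for g in report.values():
        g["percent"] = round(100 * g["registered"] / g["eligible"])
    return report
```

The "missing" list is the actionable output: a registered-but-silent device (srv-a-02 here) is the case a plain count of registrations would hide.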
Universal Device Support Life Cycle
1 - Log Collection (device log file through FTP)
2 - Requirement Gathering (Event ID list, message type, count, device classification {type/class}, reports, correlation rules)
3 - UDS Development (log parsing, analysis, coding)
4 - Testing (code testing in LAB environment)
5 - Customer Validation (validation of device discovery and event categorization)
6 - Production Deployment (deploy the device XML into the RSA enVision production environment)
7 - Final Testing and Confirmation
Common Attack Scenario - Adversary Gains Foothold
(Diagram: Adversary, Compromised Website www.hackedsite.com, Host 1, Host 2)
• Adversary determines that it has an interest in an organization's "protected" information
• Tainted e-mail sent to organization's users
• User clicks on link to compromised website; remote admin tool installed
• Additional tools uploaded
• Using credentials gained, adversary works to establish additional footholds
Using SIEM to Increase Your 'Luck'
(Diagram: same Adversary, Compromised Website www.hackedsite.com, Host 1, Host 2 scenario)
• Inbound email headers get logged to SIEM – compare to/from/subject and source IPs against intelligence
• End user web traffic (proxy) logs to SIEM – beaconing
• Account login activity – unusual sources
• Network traffic – data upload
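The proxy-log beaconing check from the slide, as an added example rather than DTCC's rule: a remote admin tool that polls its controller on a timer produces near-constant gaps between requests, which shows up as a low coefficient of variation of the inter-request interval per (client, destination) pair. The log format, addresses, hostnames and the 5-request / 0.2 thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, destination host, bytes.
# Format, addresses and hostnames are made up for this example.
PROXY_LOG = """\
2010-03-10T09:00:00 10.1.1.25 cdn-47.example.test 512
2010-03-10T09:00:30 10.1.1.25 www.news-site.test 20480
2010-03-10T09:05:00 10.1.1.25 cdn-47.example.test 512
2010-03-10T09:10:00 10.1.1.25 cdn-47.example.test 512
2010-03-10T09:15:00 10.1.1.25 cdn-47.example.test 512
2010-03-10T09:20:00 10.1.1.25 cdn-47.example.test 512
2010-03-10T09:02:10 10.1.1.30 www.news-site.test 18000
2010-03-10T09:41:55 10.1.1.30 www.news-site.test 22000
2010-03-10T09:43:02 10.1.1.30 www.news-site.test 9000
2010-03-10T10:30:00 10.1.1.30 www.news-site.test 31000
2010-03-10T10:31:00 10.1.1.30 www.news-site.test 1500
"""


def parse_proxy_log(text):
    """Yield (client, destination, timestamp) from the constructed log."""
    for line in text.splitlines():
        ts, client, dest, _size = line.split()
        yield client, dest, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_beacons(records, min_requests=5, max_cv=0.2):
    """Flag (client, destination) pairs whose inter-request gaps are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv.
    Returns (client, destination, mean gap in seconds) per flagged pair."""
    times = defaultdict(list)
    for client, dest, ts in records:
        times[(client, dest)].append(ts)
    beacons = []
    for (client, dest), ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, nothing periodic to measure
        if pstdev(gaps) / avg <= max_cv:
            beacons.append((client, dest, round(avg)))
    return beacons
```

Human browsing (10.1.1.30 above) has wildly varying gaps and is not flagged; legitimate update checks do beacon too, which is why the slide pairs this signal with intelligence on destinations rather than treating periodicity alone as an alert.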
Common Attack Scenario - Data Mining
(Diagram: Adversary, Host 1, Host 2, File Server)
• Using network flow data to see connections from Host 1 to Host 2 (forensic)
• Remote host may or may not be the same IP/domain as the initial attack
• Multiple files are typically extracted as an encrypted bundle
• Data mining typically occurs on file servers via share permissions
SIEM on Data Mining Attacks
(Diagram: Adversary, Host 1, Host 2, File Server)
• Adversary frequently will perform data mining through a host (Host 2) other than the initially compromised host (Host 1)
• Today's SIEM can't tie all these threads together – use DLP or other tools to watch for encrypted payloads from unusual places
• Good question!?! – some folks have tried using usage activity monitoring
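The "encrypted payloads from unusual places" check the slide hands off to DLP, as an added example and not any DLP product's logic: a byte-entropy test separates an encrypted or compressed bundle from plain documents, and a baseline of hosts that legitimately push encrypted data out (backup and file servers) separates the unusual source from the expected one. Host names, destinations, the payload contents and the 4 KiB / 7.5 bits-per-byte thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed transfer records (source host, destination, payload bytes); hosts,
# destinations and payloads are made up. The uniform byte pattern stands in for
# an encrypted bundle, since encrypted data has close to 8 bits/byte of entropy.
UNIFORM = bytes(range(256)) * 32
SAMPLE_TRANSFERS = [
    ("wks-203", "203.0.113.10", UNIFORM),                                 # workstation pushing an opaque blob
    ("file-srv-01", "backup.example.test", UNIFORM),                      # expected: backups are encrypted
    ("wks-117", "www.news-site.test", b"quarterly report draft " * 300),  # plain text
    ("wks-203", "203.0.113.10", bytes(range(64))),                        # too small to matter
]
# Hosts known to push encrypted data out as part of normal operations.
BASELINE_UPLOADERS = {"file-srv-01", "backup-srv-02"}


def shannon_entropy(data):
    """Bits per byte: about 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_encrypted_uploads(transfers, min_bytes=4096, min_entropy=7.5,
                           known_uploaders=BASELINE_UPLOADERS):
    """Return (host, destination, size, entropy) for outbound payloads that are
    large, look encrypted, and come from a host that does not normally upload."""
    flagged = []
    for host, dest, payload in transfers:
        if host in known_uploaders or len(payload) < min_bytes:
            continue
        h = shannon_entropy(payload)
        if h >= min_entropy:
            flagged.append((host, dest, len(payload), round(h, 2)))
    return flagged
```

Compressed archives score almost as high as ciphertext, so in practice the baseline of known uploaders and the destination are what keep this from paging on every zipped attachment.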