Reducing False-Positives and False-Negatives in Security Event Data Using Context

Reducing False-Positives and False-Negatives in Security Event Data Using Context

Derek G. ShawAugust 2011

Overview of Security Monitoring

Reducing False-Positives and False-Negatives in Security Event Data Using Context—2—August 2011

Purpose of Security Monitoring


The purpose of security monitoring is to provide real-time, up-to-the-minute security awareness of current threats, risks, and compromises as accurately as possible.

Components of Security Monitoring


• Consoles (Analyst Desktop)• Database• Manager (Rules, Data Aggregation, Data

Correlation, Reporting)• Sensors

• Intrusion Detection System• Log Servers• Network Flows• Vulnerability Scanners

The False Problem With Security Monitoring


• False-positivesNormal or expected behavior that is identified as anomalous or malicious

• False-negatives Conditions that should be identified as

anomalous or malicious but are not

Why So Many False Positives and Who Knows Hows Many False-

Negatives


• While some false-positives and false-negatives will occur, a good portion can be attributed to lack of knowledge about the environment being monitored

• Not keeping knowledge about the environment up-to-date as well as historically accurate

So, how do you reduce the rate of both false-positives and false-

negatives?

Context


What is Context


Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one’s environment.

Traditional Security Event Data


Traditional Network Flow Event Data


Start Time End Time Source Address Source Port Direction

2011-01-01 12:30:04 2011-01-011 12:30:34 192.168.1.1 12525 ->

Destination Address Destination Port IP Protocol Duration Flags

10.0.1.1 80 TCP 30 E

Source Packets Destination Packets Source Bytes Destination Bytes

5 53 384 12453

Note : 192.168.0.0/16 - Corporate Network

Traditional IDS Event Data


Detection Time Alert Source Address Source Port

2011-01-01 12:30:04 MS SQL Injection Attempt 10.0.2.1 12525

Destination Address Destination Port IP Protocol

192.168.2.1 1443 TCP


Traditional Syslog Event Data


Date Time Host Process PID

Jan 1 13:54:12 192.168.24.33 SUDO 34456

Message

jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash


Traditional Security Event Data with Context Added


Network Flow Event Data with Context


Start Time End Time Source Address Source Port Source Network

2011-01-01 12:30:04 2011-01-011 12:30:34 192.168.1.1 12525 Unused - 192.168.1.0-192.168.1.255

Direction Destination Address Destination Port Destination Network IP Protocol

-> 10.0.1.1 80 China TCP

Duration Flags Source Packets Destination Packets Source Bytes

30 E 5 53 384

Destination Bytes Alert Asset Tags

12453 Destination Address on Malware Watch List Unknown


IDS Event Data with Context


Detection Time Alert Source Address Source Port

2011-01-01 12:30:04 MS SQL Injection Attempt 10.2.3.1 12525

Source Network Destination Address Destination Port Destination Network IP Protocol

Brazil 192.168.127.22 1443 Printer Network - 192.168.127.0-192.168.127.255

TCP

Asset Tags

Printer, No-Internet


Syslog Event Data with Context


Date Time Host Host Network Process

Jan 1 13:54:12 192.168.24.33 Financial - 192.168.24.0-192.168.24.255

SUDO

PID Message

34456 jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash

Asset Alert User Info

Linux, Financial, DB, Restricted User not authorized for SUDO on host John Doe, Mail Room Staff


Types of Networks Context


• Access tags (Internal, Private, External, No-Internet)

• Dark space tags for unused IP space• Subnet descriptions

Types of Asset Context

Reducing False-Positives in Security Event Data Using Context—18—August 2011

• Business Role Tags (Financial, HR, Printers)• Operating System• Software Category Tags (Apache, BIND, MySQL)• System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)

Types of User Context

Reducing False-Positives in Security Event Data Using Context—19—August 2011

•Real Name•Working group (Mail Room, Control Room, Networking Group)•List of accounts•List of privileged access accounts

How Context is Implemented


Context Data Sources


• Memory-resident key/value data stores• Contains data about assets, networks,

and users• Continually updated by data mining

scripts

Context Preprocessor


• Sits between the sensors and security monitoring system manager

• Queries the context data sources in real-time based on IP addresses or user names

• Appends any context data available to event data record

Important Things to Remember


• For context to be effective, it must be current.

• For events to be accurately reflected in your environment, context cannot be treated as on-demand in the manager. Context for a given event must be recorded once and not changed.

• Treating context as on-demand in the manager may turn an alert into a false-negative.

Advantages of Context


• Adds additional data and information to the event record that the sensor does not have.

• Updates to context data sources can be automated and dynamic.

Advantages of Context (cont.)


• Changes to your environment can be reflected in updating the context data; requiring less changes to security monitoring rules and filters

• Security monitoring rules and filters can be created for context. This eliminates or reduces the need to create filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.

Disadvantages of Context


•Requires analysts to understand the IT infrastructure

•Requires constant upkeep to stay relevant

•Extra process in security monitoring workflow

Questions? Comments?


Documents

Reducing False-Positives and False-Negatives in Security Event Data Using Context