Events are generated from many types of systems and devices (both security and nonsecurity). Examining the architecture in Figures 1 and 2 gives you an idea of how many types of events can occur:
- The firewalls create a log when a connection is allowed or denied.
- The NIPS creates a log any time traffic matches a known signature.
- The WAF creates a log any time there is activity in the web application that is either allowed or denied.
- The NBA system (if used) receives flow data for each network connection.
- The web server generates logs when connections are received.
- The web application generates logs when users log in and at various times as the transaction progresses.
- The database generates logs based on the queries initiated by the web application.
- The vulnerability scanner generates reports based on its findings.
Any of these events may be of interest from a security perspective, but when the information is presented only by the system that generated it, the analyst lacks the context needed to judge whether the event matters. Correlating events from multiple sources supplies that context.
Security information and event management (SIEM) systems were created to gather logs from many sources and to correlate the events so that security analysts can focus on the events that matter. An SIEM is configured with a set of rules that identify particular events from various systems and their relationship to other events. For example, correlating NIPS or NIDS events with vulnerability scanner reports can help to prioritize alerts indicating that an attack has occurred. The SIEM examines an attack event and compares it to the known vulnerabilities of the target system. If the attack targets a vulnerability the scanner found on that system, the priority of the event is elevated; if the scanner has shown that the system is not vulnerable to the particular attack, the priority is not elevated and may even be reduced. Note that this only works when the scan data is current and covers the target: a host that was never scanned, or was scanned before the vulnerability was disclosed, has not been shown to be safe and its alerts should not be deprioritized.
Another example of a correlation might look like this:
- An attack is identified by the NIPS or NIDS directed at a specific system.
- The system generates a log entry indicating unexpected or malformed input to an application.
- The NBA system identifies a spike in network traffic originating from the system.
- The firewall logs a deny event due to unauthorized traffic originating from the system.
Although no single event definitively identifies a successful attack against this system, the four events taken together should concern a security analyst. At the very least, the system should be examined to see if anything is amiss.
Writing correlation rules can be a difficult task. There are certainly obvious and easy rules to start with, such as correlating attack alerts with vulnerability scanner information. However, deeper correlations require extensive knowledge of system, application, and attack behavior. For example, if a buffer overflow attack is made against a system, which event in the system logs will indicate whether or not it succeeded? In other cases, the number of events that might be related can be daunting. Correlating four events (as in the earlier example) may seem obvious, but do you need a rule that raises an alarm only when all four events occur, or should the alarm be raised after three or even two of them? The threshold is a tuning decision: a low threshold catches more intrusions but produces more false alarms, and a high threshold misses attacks for which one sensor simply did not fire.
An SIEM helps not necessarily by automating the correlation, but by putting all of the events into a single repository where they can be queried and examined by a security analyst. Without an SIEM, an NIPS event might require the analyst to locate the vulnerability scanner report on another system, which takes time, or which may not even be possible if the analyst is not authorized to access the scanner reports. With an SIEM, the analyst can be alerted to an event and then dig deeper into the repository to see what else has occurred on or around the systems in question.
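The following is an added example, not code from the book, that puts the three ideas above into working form: the attack-versus-vulnerability prioritization rule, the multi-source correlation of the NIPS, host, NBA and firewall events with a configurable threshold, and a query over the central repository. The events, the vulnerability findings, the field names and the CVE identifiers are all constructed for the example; a real SIEM would normalize each source's native log format into a comparable schema before applying the rules.

```python
"""Minimal SIEM-style correlation over constructed events (added example).

Two rules are implemented on top of a single normalized event list:
  1. prioritize_attack: raise a NIPS/NIDS alert when the scanner found the
     targeted CVE on the host, lower it when the host was scanned and is not
     vulnerable, and leave it at medium when there is no scan data at all.
  2. correlate_host_activity: count how many distinct sources report the same
     host inside a time window and alert when at least min_sources agree.
plus query_host, the "dig deeper into the repository" step.
All identifiers (hosts, CVE ids, event types) are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events from the sources discussed above.
EVENTS = [
    {"ts": "2024-03-01T10:00:05", "source": "nips", "host": "10.0.1.20",
     "type": "signature_match", "cve": "CVE-2023-0001"},
    {"ts": "2024-03-01T10:00:09", "source": "nips", "host": "10.0.1.21",
     "type": "signature_match", "cve": "CVE-2023-0002"},
    {"ts": "2024-03-01T10:00:12", "source": "host", "host": "10.0.1.20",
     "type": "app_input_error"},
    {"ts": "2024-03-01T10:01:30", "source": "nba", "host": "10.0.1.20",
     "type": "outbound_spike"},
    {"ts": "2024-03-01T10:02:02", "source": "firewall", "host": "10.0.1.20",
     "type": "deny_outbound"},
    {"ts": "2024-03-01T11:30:00", "source": "firewall", "host": "10.0.1.21",
     "type": "deny_outbound"},
]

# Constructed vulnerability-scanner findings: host -> set of CVE ids found.
# A host absent from this dict was never scanned; that is not the same as
# a host that was scanned and found clean.
SCAN_FINDINGS = {
    "10.0.1.20": {"CVE-2023-0001"},
    "10.0.1.21": set(),
}


def parse_ts(s):
    return datetime.fromisoformat(s)


def prioritize_attack(event, findings):
    """Rule 1: priority of a NIPS/NIDS alert given scanner findings."""
    host = event["host"]
    if host not in findings:
        return "medium"          # no scan data: neither confirmed nor ruled out
    if event.get("cve") in findings[host]:
        return "high"            # attack against a vulnerability known to exist
    return "low"                 # scanned, and not vulnerable to this attack


def correlate_host_activity(events, window=timedelta(minutes=5), min_sources=3):
    """Rule 2: alert when >= min_sources distinct sources report one host
    within `window`. Returns one alert per host at most."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 sorts lexically
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            start = parse_ts(first["ts"])
            sources = set()
            for e in evs[i:]:                          # slide the window forward
                if parse_ts(e["ts"]) - start > window:
                    break
                sources.add(e["source"])
            if len(sources) >= min_sources:
                alerts.append({"host": host, "from": first["ts"],
                               "sources": sorted(sources)})
                break
    return alerts


def query_host(events, host, around, window=timedelta(minutes=5)):
    """The analyst's follow-up: everything on `host` within +/- window of a time."""
    t = parse_ts(around)
    return [e for e in events
            if e["host"] == host and abs(parse_ts(e["ts"]) - t) <= window]


if __name__ == "__main__":
    for e in EVENTS:
        if e["source"] == "nips":
            print(e["host"], e["cve"], "->", prioritize_attack(e, SCAN_FINDINGS))
    for threshold in (4, 3, 2):
        print(threshold, "sources:", correlate_host_activity(EVENTS, min_sources=threshold))
    print(query_host(EVENTS, "10.0.1.20", "2024-03-01T10:00:05"))
```

Running it shows the threshold question from the text concretely: with a five-minute window, 10.0.1.20 fires at any threshold because all four sources agree, while 10.0.1.21 never fires because its NIPS alert and firewall deny are ninety minutes apart. Widening the window to two hours and lowering the threshold to two sources makes 10.0.1.21 fire as well, which may or may not be what you want; that trade-off is the tuning work the text describes.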
This article is an excerpt from Network Security A Beginner's Guide, Third Edition, published by McGraw Hill.
All information in this article is copyrighted by McGraw Hill and is reprinted here by express permission of the publisher.