
Reducing False-Positives and False-Negatives in Security Event Data Using Context Derek G. Shaw August 2011.


1 Reducing False-Positives and False-Negatives in Security Event Data Using Context Derek G. Shaw August 2011

2 Overview of Security Monitoring Reducing False-Positives and False-Negatives in Security Event Data Using Context —2— August 2011

3 Purpose of Security Monitoring
The purpose of security monitoring is to provide real-time, up-to-the-minute security awareness of current threats, risks, and compromises, as accurately as possible.

4 Components of Security Monitoring
- Consoles (Analyst Desktop)
- Database Manager (Rules, Data Aggregation, Data Correlation, Reporting)
- Sensors: Intrusion Detection System, Log Servers, Network Flows, Vulnerability Scanners

5 The False Problem With Security Monitoring
- False-positives: normal or expected behavior that is identified as anomalous or malicious
- False-negatives: conditions that should be identified as anomalous or malicious but are not

6 Why So Many False-Positives, and Who Knows How Many False-Negatives
- While some false-positives and false-negatives will always occur, a good portion can be attributed to a lack of knowledge about the environment being monitored
- Knowledge about the environment is not kept up-to-date, nor historically accurate

7 So, how do you reduce the rate of both false-positives and false-negatives? Context

8 What is Context
Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one's environment.

9 Traditional Security Event Data

10 Traditional Network Flow Event Data
Start Time: 2011-01-01 12:30:04
End Time: 2011-01-01 12:30:34
Source Address: 192.168.1.1
Source Port: 12525
Direction: ->
Destination Address: 10.0.1.1
Destination Port: 80
IP Protocol: TCP
Duration: 30
Flags: E
Source Packets: 5
Destination Packets: 5
Source Bytes: 3384
Destination Bytes: 12453
Note: 192.168.0.0/16 - Corporate Network

11 Traditional IDS Event Data
Detection Time: 2011-01-01 12:30:04
Alert: MS SQL Injection Attempt
Source Address: 10.0.2.1
Source Port: 12525
Destination Address: 192.168.2.1
Destination Port: 1443
IP Protocol: TCP
Note: 192.168.0.0/16 - Corporate Network

12 Traditional Syslog Event Data
Date: Jan 1
Time: 13:54:12
Host: 192.168.24.33
Process: SUDO
PID: 34456
Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
Note: 192.168.0.0/16 - Corporate Network

13 Traditional Security Event Data with Context Added

14 Network Flow Event Data with Context
Start Time: 2011-01-01 12:30:04
End Time: 2011-01-01 12:30:34
Source Address: 192.168.1.1
Source Port: 12525
Source Network: Unused - 192.168.1.0-192.168.1.255
Direction: ->
Destination Address: 10.0.1.1
Destination Port: 80
Destination Network: China
IP Protocol: TCP
Duration: 30
Flags: E
Source Packets: 5
Destination Packets: 5
Source Bytes: 3384
Destination Bytes: 12453
Alert: Destination Address on Malware Watch List
Asset Tags: Unknown
Note: 192.168.0.0/16 - Corporate Network

15 IDS Event Data with Context
Detection Time: 2011-01-01 12:30:04
Alert: MS SQL Injection Attempt
Source Address: 10.2.3.1
Source Port: 12525
Source Network: Brazil
Destination Address: 192.168.127.22
Destination Port: 1443
Destination Network: Printer Network - 192.168.127.0-192.168.127.255
IP Protocol: TCP
Asset Tags: Printer, No-Internet
Note: 192.168.0.0/16 - Corporate Network

16 Syslog Event Data with Context
Date: Jan 1
Time: 13:54:12
Host: 192.168.24.33
Host Network: Financial - 192.168.24.0-192.168.24.255
Process: SUDO
PID: 34456
Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
Asset: Linux, Financial, DB, Restricted
Alert: User not authorized for SUDO on host
User Info: John Doe, Mail Room Staff
Note: 192.168.0.0/16 - Corporate Network

17 Types of Network Context
- Access tags (Internal, Private, External, No-Internet)
- Dark space tags for unused IP space
- Subnet descriptions

18 Types of Asset Context
- Business Role Tags (Financial, HR, Printers)
- Operating System
- Software Category Tags (Apache, BIND, MySQL)
- System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)

19 Types of User Context
- Real Name
- Working group (Mail Room, Control Room, Networking Group)
- List of accounts
- List of privileged access accounts

20 How Context is Implemented

21 Context Data Sources
- Memory-resident key/value data stores
- Contain data about assets, networks, and users
- Continually updated by data mining scripts

22 Context Preprocessor
- Sits between the sensors and the security monitoring system manager
- Queries the context data sources in real time, keyed on IP addresses or user names
- Appends any context data available to the event data record

23 Important Things to Remember
- For context to be effective, it must be current.
- For events to accurately reflect your environment, context cannot be treated as on-demand in the manager. Context for a given event must be recorded once and not changed.
- Treating context as on-demand in the manager may turn an alert into a false-negative.
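As an added illustration of slides 21 to 23 (this is not the presentation's own code), a minimal context preprocessor in Python: in-memory dictionaries stand in for the key/value context stores, enrich() is keyed on the event's IP addresses and user name, and the returned record is a deep copy so that later changes to the stores cannot alter an event that has already been enriched. The store contents, the event field names (src_ip, dst_ip, host_ip, user, process) and the alert strings are all constructed for this example, using the addresses and tags from slides 14 and 16.

```python
import ipaddress
from copy import deepcopy

# Constructed context stores (assumed layout), modelled on slides 14 and 16.
NETWORKS = {
    "192.168.1.0/24": {"name": "Unused", "tags": ["Dark-Space"]},
    "192.168.24.0/24": {"name": "Financial", "tags": ["Internal"]},
}
ASSETS = {
    "192.168.24.33": {"tags": ["Linux", "Financial", "DB", "Restricted"],
                      "sudo_users": ["dba"]},
}
USERS = {"jdoe": {"name": "John Doe", "group": "Mail Room Staff"}}
WATCHLIST = {"10.0.1.1"}  # constructed malware watch list entry


def lookup_network(ip):
    """Return the network context for an address, or an External default."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in NETWORKS.items():
        if addr in ipaddress.ip_network(cidr):
            return dict(info, range=cidr)
    return {"name": "External", "tags": [], "range": None}


def enrich(event):
    """Append context to a copy of the event; the sensor record is untouched."""
    ctx = dict(event)
    alerts = []
    for side in ("src", "dst", "host"):
        ip = event.get(side + "_ip")
        if ip is None:
            continue
        ctx[side + "_network"] = lookup_network(ip)
        ctx[side + "_asset_tags"] = ASSETS.get(ip, {}).get("tags", ["Unknown"])
        if ip in WATCHLIST:
            alerts.append(side + " address on malware watch list")
    user = event.get("user")
    if user is not None:
        ctx["user_info"] = USERS.get(user, {"name": "Unknown", "group": "Unknown"})
        host = ASSETS.get(event.get("host_ip"), {})
        if event.get("process") == "SUDO" and user not in host.get("sudo_users", []):
            alerts.append("user not authorized for SUDO on host")
    if "Dark-Space" in ctx.get("src_network", {}).get("tags", []):
        alerts.append("source address in unused IP space")
    ctx["alerts"] = alerts
    # Record context once: a deep copy is immune to later store updates.
    return deepcopy(ctx)
```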

24 Advantages of Context
- Adds data and information to the event record that the sensor does not have.
- Updates to context data sources can be automated and dynamic.

25 Advantages of Context (cont.)
- Changes to your environment can be reflected by updating the context data, requiring fewer changes to security monitoring rules and filters.
- Security monitoring rules and filters can be written against context. This eliminates or reduces the need to create filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.

26 Disadvantages of Context
- Requires analysts to understand the IT infrastructure
- Requires constant upkeep to stay relevant
- Adds an extra process to the security monitoring workflow

27 Questions? Comments?

