Logs and Event Information
Outline
• Logs and log management
― System logs
― IDS/IPS systems
― User Behaviour Monitoring and Analysis
• Security Incident and Event Management Systems (SIEMS)
Sources of Event Data
• Server and desktop operating systems ― Security subsystems, e.g. SELinux
• Intrusion detection and prevention systems
• Antivirus and antimalware products
• Remote access software
• Web servers and proxy web servers
• Application servers (e.g. Apache Tomcat, IBM WebSphere)
• Patch management and vulnerability management products
• Authentication servers
• Routers and firewalls
• NAC/NAP servers
• Database servers, file servers, print servers
*ix Log API
• Provides a standard API for any and all programs to use
― Exposed in other languages, e.g. Python, Perl, etc.
― Can even be used in scripts via logger command
• Defines multiple facilities (e.g. LOG_AUTHPRIV, LOG_CRON, LOG_DAEMON, etc.)
• Defines multiple priority levels for filtering:
― LOG_EMERG
― LOG_ALERT
― LOG_CRIT
― LOG_ERR
― LOG_WARNING
― LOG_NOTICE
― LOG_INFO
― LOG_DEBUG
• Configured by /etc/syslog.conf or /etc/systemd/journald.conf
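Added example (not from the lecture notes): how the facility and priority above travel in a syslog line as the PRI value, and how a syslog.conf selector such as authpriv.warning filters on priority. Facility and priority numbers are the syslog(3)/RFC 3164 codes; the log line format is the classic BSD one that logger(1) emits.

```python
import re

# Facility and priority codes from syslog(3) / RFC 3164.  The C constants
# LOG_AUTHPRIV etc. are these codes shifted left by 3; the PRI value carried
# on the wire is facility * 8 + priority.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local7": 23}
PRIORITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")

def encode_pri(facility, priority):
    """PRI field for a message, e.g. authpriv.warning -> 10 * 8 + 4 = 84."""
    return FACILITIES[facility] * 8 + PRIORITIES[priority]

def decode_pri(pri):
    """Split a PRI value back into (facility, priority) names."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8, "unknown")
    return fac, {v: k for k, v in PRIORITIES.items()}[pri % 8]

def format_bsd(facility, priority, timestamp, host, tag, msg):
    """Build an RFC 3164 style line, as logger(1) or syslog(3) would emit it."""
    return f"<{encode_pri(facility, priority)}>{timestamp} {host} {tag}: {msg}"

def parse_bsd(line):
    """Parse one line into a dict, or None if it is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fac, pri = decode_pri(int(m.group(1)))
    return {"facility": fac, "priority": pri, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

def selector_matches(selector, facility, priority):
    """syslog.conf semantics: 'facility.priority' matches that priority and
    every more severe one (lower number); '*' is a wildcard, 'none' excludes
    a facility; selectors are ';'-separated and later ones override earlier."""
    matched = False
    for sel in selector.split(";"):
        sel_fac, sel_pri = sel.split(".")
        if sel_fac not in ("*", facility):
            continue
        if sel_pri == "none":
            matched = False
        elif sel_pri == "*" or PRIORITIES[priority] <= PRIORITIES[sel_pri]:
            matched = True
    return matched
```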
Log Rotation and Archiving
• Logs can get large quite quickly
― Especially if someone is running noisy attacks
(e.g. Snot, which is designed to make Snort go crazy)
• Logs on *ix systems are text files
― Easy to grep through or process with awk or Perl
― But highly redundant, i.e. compressible
• Configure logrotate (/etc/logrotate.d) to
― Truncate and copy each log file
― Compress and rotate the previous n log files
― Perform postrotation processing, e.g. restarting daemons, emailing logs
• Use scripts (e.g. logwatch) to summarise logs and email to admin
Other Log Management Tasks
• Upgrading, configuring, testing, deploying log management tools
• Configuring synchronization of system clocks (via (x)ntpd, etc.)
• Reconfiguring logging as policy changes
• Consolidating logs to a central log server or Security Incident and Event Management (SIEM) system
― At the very least, free tools can convert Windows Events to *ix syslog format
― SIEMs log to a database and allow much more sophisticated analysis and reporting
Windows Event Logging
• Windows logs to binary files
― Not searchable or greppable in the same way as *ix
• Free (open source) tools can convert to syslog format and log to a syslog server
• Can be managed and configured via Active Directory
• Multiple commercial products to enhance
― Generally, SIEMS provide the required functionality
Violation Tracking
• Analyzes security-related events
― such as failed logon attempts, file access attempts, application execution attempts
• Can reveal
― Repetitive mistakes (poor training or implementation problems)
― Individuals with privileges in excess of their needs
― Where violations occur, identifying problem programs or processes
― Patterns of activity with escalating threat
Employees preparing to leave, hackers installing back doors
• Usually requires establishment of a baseline with clipping levels
― e.g. 3 failed logon attempts before lockout
Intrusion Detection Systems
• Attempt to detect unauthorized activity
― Unauthorized user access
― Authorized user misusing system
• By observing traffic logs or other data
― e.g. network traffic, I/O utilization, sources of connections, file access
• Three major components:
― Sensor or agent
― Analyzer
― User interface
• Two types:
― Network IDS
― Host IDS
Network IDS
• Uses a promiscuous sensor to capture network data
― Requires a dedicated host as sensor
• Challenges:
― Traffic volumes and speeds
May fall back on statistical sampling or round-robin sampling with multiple sensors
Attacks comprise multiple packets – as long as one is detected
― Use of encryption
Either by defender (outside VPN termination) or by attacker
Can’t see signatures in encrypted packets
Host-Based IDS
• Agent resides on monitored host
• Several types:
• Log review
― Processes logs, filters out expected entries, alerts on anomalous behaviour
• Filesystem verification
― Builds signed database of file metadata
Size, timestamps, permissions, hash digest over content
― Compares current state of files against database and alerts on differences
― Can perform change management (e.g. Tripwire)
― Best defence against rootkits
• Process monitoring
― Alert on anomalies, e.g. web server processes starting a command shell
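Added example (not from the lecture notes, and not Tripwire's code): a minimal filesystem-verification agent that records size, timestamp, permissions and a SHA-256 digest per file, signs the database with an HMAC so a tampered baseline is rejected rather than trusted, and reports added, removed and modified files. The key, the file tree and the changes made to it are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

# Constructed key. In practice the key and a copy of the baseline live off
# the monitored host; otherwise a rootkit can rewrite both file and database.
DB_KEY = b"constructed-demo-key"

def file_record(path):
    """Metadata the lecture lists: size, timestamp, permissions, content hash."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "mode": st.st_mode & 0o777, "sha256": digest}

def build_baseline(root):
    """Walk `root`, record every file, and HMAC-sign the serialised database."""
    records = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            records[os.path.relpath(p, root)] = file_record(p)
    body = json.dumps(records, sort_keys=True)
    return {"records": body, "sig": hmac.new(DB_KEY, body.encode(), "sha256").hexdigest()}

def verify(root, baseline):
    """Return (db_trusted, changes); changes are (relpath, added|removed|modified).
    A baseline whose signature fails is reported as untrusted and not used."""
    body = baseline["records"]
    expect = hmac.new(DB_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, baseline["sig"]):
        return False, []
    old, new = json.loads(body), json.loads(build_baseline(root)["records"])
    changes = [(p, "removed") for p in old if p not in new]
    changes += [(p, "added") for p in new if p not in old]
    changes += [(p, "modified") for p in old if p in new and old[p] != new[p]]
    return True, sorted(changes)

def demo():
    """Baseline a constructed tree, alter it, re-verify; also try a forged DB."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    put("bin/ls", b"constructed binary"); put("etc/passwd", b"root:x:0:0\n")
    baseline = build_baseline(root)
    put("bin/ls", b"replaced content")            # modified
    put("bin/hidden", b"x")                       # added
    os.remove(os.path.join(root, "etc/passwd"))   # removed
    return verify(root, baseline), verify(root, dict(baseline, records="{}"))
```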
Rule-Based IDS
• Most common type of IDS/IPS
• Compare packet headers and payloads against known nasties
― e.g. if (ip.src == ip.dst) { // LAND attack }
― Real Snort rule:
alert tcp any any -> any any (msg:"Land attack detected"; flags:S; sameip; sid:5000000; rev:1;)
• Can take more time for deeper inspection than a packet-filtering firewall because it is not in line
• Can work on sequences of packets
• Attack signature must be known in advance
― But easier to configure and tune out false positives
• Ensure signature database is updated frequently
• Buy vs open-source decision
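Added example (not from the lecture notes and not Snort code): the LAND rule above expressed as a packet check, parsing the IPv4 and TCP headers from raw bytes and applying the two conditions sameip and flags:S. The packet builder exists only to construct in-memory test vectors for the detector; names and the treatment of the ECN bits are this example's assumptions.

```python
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LAND_RULE = {"msg": "Land attack detected", "sid": 5000000, "rev": 1}

def parse_ipv4_tcp(pkt):
    """Return (src, dst, tcp_flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:      # protocol 6 = TCP
        return None
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    flags = pkt[ihl + 13]                        # TCP flags byte
    return str(src), str(dst), flags

def land_rule_matches(pkt):
    """The lecture's Snort rule as code: 'sameip' (source == destination) and
    'flags:S' (SYN set and none of the other six classic flags; the two ECN
    bits are ignored here, as Snort's 'flags:S,12' would do).
    Returns an alert dict, or None when the packet does not match."""
    hdr = parse_ipv4_tcp(pkt)
    if hdr is None:
        return None
    src, dst, flags = hdr
    if src == dst and flags & 0x3F == SYN:
        return dict(LAND_RULE, src=src, dst=dst)
    return None

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed IPv4+TCP header bytes (checksums left zero) used only as
    test vectors for the detector above."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp
```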
Statistical and Anomaly-Based IDS
• Starts with a generalized rule base
― Manually-developed profile
― Automatically-developed profile based on known good activity
― Statistical samples of activity and logs are taken
CPU, memory usage, network traffic, process instantiation, etc.
― Profiles define expected behaviour
• Sequences which deviate from expected behaviour are flagged as intrusion attempts
― e.g. Failed logon attempts, logins outside normal hours, restarts
• Are able to detect attacks which rule-based systems will miss
― But tricky to set clipping levels
― Can give lots of false positives at first
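Added example (not from the lecture notes) serving both the Violation Tracking slide and this one: a clipping level of 3 failed logons within a window, and a learned per-user profile of normal logon hours that flags logons outside it. The auth-log line format, users, addresses and timestamps are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines in a simplified format (not a real sshd format):
# "<ISO timestamp> <FAILED|ACCEPTED> user=<name> from=<ip>"
BASELINE = [  # known-good activity used to learn each user's normal hours
    "2024-03-01T09:02:00 ACCEPTED user=alice from=10.0.0.5",
    "2024-03-02T08:55:00 ACCEPTED user=bob from=10.0.0.9",
]
TODAY = [
    "2024-03-04T09:05:00 ACCEPTED user=alice from=10.0.0.5",
    "2024-03-04T02:10:00 ACCEPTED user=alice from=10.0.0.5",
    "2024-03-04T11:00:00 FAILED user=bob from=203.0.113.7",
    "2024-03-04T11:30:00 FAILED user=bob from=203.0.113.7",
    "2024-03-04T11:31:00 FAILED user=bob from=203.0.113.7",
    "2024-03-04T11:32:00 FAILED user=bob from=203.0.113.7",
    "2024-03-04T11:33:00 ACCEPTED user=bob from=203.0.113.7",
    "this line is not an auth event and is skipped",
]
LINE_RE = re.compile(r"^(\S+) (FAILED|ACCEPTED) user=(\S+) from=(\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    return m and {"time": datetime.fromisoformat(m.group(1)),
                  "result": m.group(2), "user": m.group(3), "src": m.group(4)}

def build_hour_profile(lines):
    """Anomaly-IDS profile: the hours of day at which each user normally logs on."""
    profile = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["result"] == "ACCEPTED":
            profile[ev["user"]].add(ev["time"].hour)
    return profile

def analyse(lines, profile, clipping_level=3, window=timedelta(minutes=10)):
    """Violation: `clipping_level` failures for one user inside `window` (the
    lecture's '3 failed logons before lockout'). Anomaly: an accepted logon at
    an hour outside the user's learned profile. Returns (kind, user, detail)."""
    alerts, failures = [], defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        user, t = ev["user"], ev["time"]
        if ev["result"] == "FAILED":
            failures[user] = recent = [x for x in failures[user] if t - x <= window] + [t]
            if len(recent) >= clipping_level:
                alerts.append(("violation", user, f"{len(recent)} failed logons since {recent[0]}"))
                failures[user] = []          # counter reset, as a lockout would
        elif user in profile and t.hour not in profile[user]:
            alerts.append(("anomaly", user, f"logon at {t:%H:%M} outside learned hours"))
    return alerts
```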
Intrusion Prevention Systems
• Couples IDS to other controls to block access
― NIDS to firewall
Block source IP address
― HIDS to login authentication
Block logons
• Can also reconfigure related systems
― E.g. See a port scan on a low address, block it on systems at higher addresses
• Fraught with danger from false positives
• Historically a separate device from firewall and IDS for performance reasons
• Network appliances now integrate all functionality in one box
― Also proxy web server, mail gateway with spam filtering, malware scanning, etc.
― Not as much of a saving as you might expect – you still need all the manpower and processes to manage the separate functions
User Activity Monitoring
• Effectively an anomaly-based IDS on the end-user workstation
― Monitors, learns (via analytics) and builds a profile of expected user behaviour
Log on/off
Sites browsed
Instant chat messages
Files copied
― Provides alerts when user behaviour outside profile
― Can enforce policy
• Particularly important for privileged accounts and remote workers
• Examples:
― Forcepoint UEBA Behavioral Analytics
― CyberArk Privileged Session Manager
― Spector 360 (now Veriato Vision)
― ObserveIT
Security Incident and Event Management (SIEM)
• So many devices and services generate a huge volume of data
• Store aggregated log information in a large, highly parallel NoSQL database (e.g. Apache Hadoop)
― Much faster to search/query than text files or flat binary files
― May also store information about platforms and assets for risk management and GRC
• Much more sophisticated analysis than grepping logs
― Event correlation and alerting
― Identify patterns of escalating threat activity via machine learning / big data analytics
― Forensic investigations
• Examples:
― Splunk
― HP ArcSight
― Apache Metron