Presentation: Reducing False-Positives and False-Negatives in Security Event Data

Number of slides: 27

Slide 1: Reducing False-Positives and False-Negatives in Security Event Data Using Context
Derek G. Shaw, August 2011

Slide 2: Overview of Security Monitoring
Reducing False-Positives and False-Negatives in Security Event Data Using Context, August 2011

Slide 3: Purpose of Security Monitoring
The purpose of security monitoring is to provide real-time, up-to-the-minute security awareness of current threats, risks, and compromises as accurately as possible.

Slide 4: Components of Security Monitoring
• Consoles (Analyst Desktop)
• Database
• Manager (Rules, Data Aggregation, Data Correlation, Reporting)
• Sensors
  • Intrusion Detection System
  • Log Servers
  • Network Flows
  • Vulnerability Scanners

Slide 5: The False Problem With Security Monitoring
• False-positives: normal or expected behavior that is identified as anomalous or malicious
• False-negatives: conditions that should be identified as anomalous or malicious but are not

Slide 6: Why So Many False-Positives, and Who Knows How Many False-Negatives
• While some false-positives and false-negatives will occur, a good portion can be attributed to lack of knowledge about the environment being monitored
• Not keeping knowledge about the environment up-to-date as well as historically accurate

Slide 7: So, how do you reduce the rate of both false-positives and false-negatives?
Context

Slide 8: What is Context
Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one's environment.

Slide 9: Traditional Security Event Data

Slide 10: Traditional Network Flow Event Data
Start Time: 2011-01-01 12:30:04
End Time: 2011-01-01 12:30:34
Source Address: 192.168.1.1
Source Port: 12525
Direction: ->
Destination Address: 10.0.1.1
Destination Port: 80
IP Protocol: TCP
Duration: 30
Flags: E
Source Packets: 5
Destination Packets: 53
Source Bytes: 384
Destination Bytes: 12453
Note: 192.168.0.0/16 - Corporate Network

Slide 11: Traditional IDS Event Data
Detection Time: 2011-01-01 12:30:04
Alert: MS SQL Injection Attempt
Source Address: 10.0.2.1
Source Port: 12525
Destination Address: 192.168.2.1
Destination Port: 1443
IP Protocol: TCP
Note: 192.168.0.0/16 - Corporate Network

Slide 12: Traditional Syslog Event Data
Date Time: Jan 1 13:54:12
Host: 192.168.24.33
Process: SUDO
PID: 34456
Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
Note: 192.168.0.0/16 - Corporate Network

Slide 13: Traditional Security Event Data with Context Added

Slide 14: Network Flow Event Data with Context
Start Time: 2011-01-01 12:30:04
End Time: 2011-01-01 12:30:34
Source Address: 192.168.1.1
Source Port: 12525
Source Network: Unused - 192.168.1.0-192.168.1.255
Direction: ->
Destination Address: 10.0.1.1
Destination Port: 80
Destination Network: China
IP Protocol: TCP
Duration: 30
Flags: E
Source Packets: 5
Destination Packets: 53
Source Bytes: 384
Destination Bytes: 12453
Alert: Destination Address on Malware Watch List
Asset Tags: Unknown
Note: 192.168.0.0/16 - Corporate Network

Slide 15: IDS Event Data with Context
Detection Time: 2011-01-01 12:30:04
Alert: MS SQL Injection Attempt
Source Address: 10.2.3.1
Source Port: 12525
Source Network: Brazil
Destination Address: 192.168.127.22
Destination Port: 1443
Destination Network: Printer Network - 192.168.127.0-192.168.127.255
IP Protocol: TCP
Asset Tags: Printer, No-Internet
Note: 192.168.0.0/16 - Corporate Network

Slide 16: Syslog Event Data with Context
Date Time: Jan 1 13:54:12
Host: 192.168.24.33
Network: Financial - 192.168.24.0-192.168.24.255
Process: SUDO
PID: 34456
Message: jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash
Asset: Linux, Financial, DB, Restricted
Alert: User not authorized for SUDO on host
User Info: John Doe, Mail Room Staff
Note: 192.168.0.0/16 - Corporate Network

Slide 17: Types of Network Context
• Access tags (Internal, Private, External, No-Internet)
• Dark space tags for unused IP space
• Subnet descriptions

Slide 18: Types of Asset Context
• Business Role Tags (Financial, HR, Printers)
• Operating System
• Software Category Tags (Apache, BIND, MySQL)
• System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)

Slide 19: Types of User Context
• Real Name
• Working group (Mail Room, Control Room, Networking Group)
• List of accounts
• List of privileged access accounts

Slide 20: How Context is Implemented

Slide 21: Context Data Sources
• Memory-resident key/value data stores
• Contain data about assets, networks, and users
• Continually updated by data mining scripts

Slide 22: Context Preprocessor
• Sits between the sensors and the security monitoring system manager
• Queries the context data sources in real time based on IP addresses or user names
• Appends any available context data to the event data record

Slide 23: Important Things to Remember
• For context to be effective, it must be current.
• For events to be accurately reflected in your environment, context cannot be treated as on-demand in the manager. Context for a given event must be recorded once and not changed.
• Treating context as on-demand in the manager may turn an alert into a false-

Slide 24: Advantages of Context
• Adds additional data and information to the event record that the sensor does not have.
• Updates to context data sources can be automated and dynamic.

Slide 25: Advantages of Context (cont.)
• Changes to your environment can be reflected by updating the context data, requiring fewer changes to security monitoring rules and filters.
• Security monitoring rules and filters can be created for context. This eliminates or reduces the need to create filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.
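The following is an added example, not code from the presentation or its author. It sketches the context preprocessor of slide 22 against the three event types of slides 10-16 and the network, asset and user context of slides 17-19: plain dicts stand in for the memory-resident key/value stores of slide 21, the alert rules are written against context (asset tags, the user's privileged accounts) rather than IP lists as slide 25 recommends, and record_once_vs_on_demand() shows the slide 23 point that a record enriched once at ingest keeps its verdict while an on-demand lookup changes it when the context store changes. The sample events, country labels, watch list and the privileged-account model are all constructed for the example.

```python
"""Context preprocessor (added example; not the presentation's own code).

Assumptions: dicts stand in for the key/value context stores; country
labels, the malware watch list and privileged-account data are constructed
to reproduce the enriched records on slides 14-16, not real data.
"""
import ipaddress
import re

# Network context (slide 17): description plus access / dark-space tags.
NETWORK_CONTEXT = {
    "192.168.1.0/24":   {"name": "Unused",          "tags": ["Internal", "Dark"]},
    "192.168.24.0/24":  {"name": "Financial",       "tags": ["Internal", "Private"]},
    "192.168.127.0/24": {"name": "Printer Network", "tags": ["Internal", "No-Internet"]},
}
EXTERNAL_NETWORKS = {"10.0.1.1": "China", "10.2.3.1": "Brazil"}  # constructed
MALWARE_WATCH_LIST = {"10.0.1.1"}                                 # constructed
# Asset context (slide 18): role, OS and classification tags keyed by address.
ASSET_CONTEXT = {
    "192.168.24.33":  ["Linux", "Financial", "DB", "Restricted"],
    "192.168.127.22": ["Printer", "No-Internet"],
}
# User context (slide 19): privileged access modelled as (host, account) pairs.
USER_CONTEXT = {
    "jdoe": {"real_name": "John Doe", "group": "Mail Room Staff", "privileged": set()},
}

# Constructed events mirroring slides 10-12.
FLOW_EVENT = {"type": "flow", "start": "2011-01-01 12:30:04", "end": "2011-01-01 12:30:34",
              "source_address": "192.168.1.1", "source_port": 12525,
              "destination_address": "10.0.1.1", "destination_port": 80, "proto": "TCP"}
IDS_EVENT = {"type": "ids", "time": "2011-01-01 12:30:04", "alert": "MS SQL Injection Attempt",
             "source_address": "10.2.3.1", "source_port": 12525,
             "destination_address": "192.168.127.22", "destination_port": 1443, "proto": "TCP"}
SYSLOG_EVENT = {"type": "syslog", "time": "Jan 1 13:54:12", "host": "192.168.24.33",
                "process": "SUDO", "pid": 34456,
                "message": "jdoe : TTY=ttys000 ; PWD=/Users/jdoe ; USER=root ; COMMAND=/bin/bash"}

# Standard sudo log line: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")


def network_for(ip):
    """Return (description, tags); description uses the 'Name - first-last' form of the slides."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in NETWORK_CONTEXT.items():
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return f"{info['name']} - {net[0]}-{net[-1]}", list(info["tags"])
    return EXTERNAL_NETWORKS.get(ip, "Unknown"), []


def enrich(event):
    """Preprocessor step (slide 22): look up context for the addresses and user
    in the event and append it to a copy of the record, together with any alerts
    the context-based rules raise. The copy is what the manager should store."""
    rec = dict(event)
    alerts = []
    for side in ("source", "destination"):
        ip = event.get(f"{side}_address")
        if ip is None:
            continue
        rec[f"{side}_network"], rec[f"{side}_network_tags"] = network_for(ip)
        if ip in MALWARE_WATCH_LIST:
            alerts.append(f"{side.capitalize()} Address on Malware Watch List")
    # Asset context keys on the host for syslog, on the destination for network events.
    asset_ip = event.get("host") or event.get("destination_address")
    rec["asset_tags"] = list(ASSET_CONTEXT.get(asset_ip, ["Unknown"]))
    if event.get("host"):
        rec["network"], _ = network_for(event["host"])
    if event.get("process") == "SUDO":
        m = SUDO_RE.match(event["message"])
        if m:
            user = m.group("user")
            u = USER_CONTEXT.get(user, {})
            rec["user_info"] = f"{u.get('real_name', user)}, {u.get('group', 'Unknown')}"
            # Rule written against user context, not a per-host list of user names.
            if (event["host"], user) not in u.get("privileged", set()):
                alerts.append("User not authorized for SUDO on host")
    rec["alerts"] = alerts
    return rec


def record_once_vs_on_demand():
    """Slide 23: the record enriched at ingest keeps the verdict that was true
    when the event happened; re-resolving context on demand after the store
    changes gives a different verdict for the same event."""
    stored = enrich(SYSLOG_EVENT)
    grant = ("192.168.24.33", "jdoe")
    USER_CONTEXT["jdoe"]["privileged"].add(grant)      # context changes later
    try:
        on_demand = enrich(SYSLOG_EVENT)               # re-resolved against current store
    finally:
        USER_CONTEXT["jdoe"]["privileged"].discard(grant)
    return stored["alerts"], on_demand["alerts"]


if __name__ == "__main__":
    for ev in (FLOW_EVENT, IDS_EVENT, SYSLOG_EVENT):
        print(enrich(ev))
    print(record_once_vs_on_demand())
```

The sudo rule checks the user's privileged-account list from user context rather than a hard-coded list of user names per host, so granting or revoking access is a change to the context store and not to the rule, which is the maintenance benefit slide 25 describes.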

Slide 26: Disadvantages of Context
• Requires analysts to understand the IT infrastructure
• Requires constant upkeep to stay relevant
• Extra process in the security monitoring workflow

Slide 27: Questions? Comments?