
Network Forensics: SIEM, the Investigations Triad, and SANS Top-20 Vulnerabilities

CrossTec Corporation | 500 NE Spanish River Blvd, Suite 201 | Boca Raton, FL 33431 www.CrossTecCorp.com | PH: 561.391.6560 | Toll: 800.675.0729 | Fax: 561.391.5820

By: Albert Caballero (CISSP, GSEC, BA MIS Security) and Stanley Fidge (MCSA, CCNA, Security+, BA MIS Security)

Abstract
Vulnerability assessments, forensic investigations, and incident response are the cornerstones of a secure and compliant computing environment. Information Technology professionals need to monitor and correlate all of their network and system security events; otherwise it is difficult to manage and maintain security effectively. Network forensics is, at its core, the investigation of the packets and events generated on a given network. The better these events are understood and correlated, the better the chance of detecting an incident, past or present. Security events are at the root of every incident, and in the digital world, without some combination of correlated security events, it is nearly impossible to know whether an incident has actually occurred. Network events are generated by almost every system, application, or device on a network. If these events are not monitored, incidents can occur frequently and go completely unnoticed, or worse, become untraceable. In this case, what you don't know WILL hurt you! Responding to incidents, identifying anomalous or unauthorized behavior, and securing intellectual property have never been more important. Without security event and vulnerability monitoring, identifying threats and attacks against confidentiality, integrity, or availability becomes much more difficult. Furthermore, there is little chance that a network forensic investigation will be properly conducted, much less succeed, without the retention and correlation of network security event logs. Ideally, an organization should develop clear and concise log management policies, continually train staff in security awareness, and implement effective technologies to detect and respond to security incidents. This will also ease the burden of network forensic investigations.
Our focus is Security Information and Event Management (SIEM) as it pertains to network forensic investigations, vulnerability management, and incident response. Modern voice and data networks integrate past, present, and future technologies in ways that have revolutionized how business is conducted in the global economy. This IT revolution has posed significant challenges to network forensics, including:
- New multi-vendor vulnerabilities are discovered every day, and many unknown vulnerabilities are exploited without ever being detected.
- Large volumes of dynamic network event data from disparate devices are rarely audited, easily lost, and inadequately stored, making it difficult to maintain log integrity.
- High IDS/IPS false positive rates and information overload from millions of event logs every day reduce the accuracy with which IT staff can detect true incidents.


Correlation of security events to vulnerabilities isn't easy to understand or implement; it requires significant computer security expertise and is usually expensive and time consuming. Our goal as a research group is to show that before conducting a network forensics investigation, it is critical to assess vulnerabilities and correlate them to intrusion detection alerts using technologies such as SIEM. We will be using Activeworx Security Center as our network forensic tool of choice.

Network Forensics The Problem


According to CSO magazine, 46% of CISOs spend up to 33% of their day reading and analyzing reports generated by their security applications, and in some cases CISOs spend up to seven hours per day analyzing such reports. The first issue surrounding network forensics and SIEM tools is obtaining the event data at all. Many times an intrusion occurs and the perpetrator deletes the events on the compromised system; if those events were not stored or forwarded to another location, they are usually gone forever. Another obstacle is that the appliances and applications that collect network or system events are usually expensive and difficult to implement, in essence becoming cost prohibitive in terms of ROI. Compounding the pressure on organizations to implement proper network forensics and log management, federal regulations now require organizations to keep network event data, in some cases for as long as seven years. In that situation there is no choice but to procure archiving equipment and analysis software to monitor and archive network security events, or face very expensive fines. Organizations can only hope that at some future date they can prove the network security events they gathered have not been altered, assuming they have any events at all. Up to 35% of CIOs stated that network security improvements topped their to-do lists in 2005 and 2006, and 22% of organizations in the United States are not meeting federal regulatory compliance guidelines for incident response, business continuity, disaster recovery, information security, or electronic records retention. Other network forensic problems stem from the deployment of enterprise-wide security hardware appliances and applications from different manufacturers and vendors, implemented at various levels to provide layered security.
This layered defense strategy is effective but provides little visibility into what is actually happening. Numerous disparate devices and event log formats make events difficult to monitor, manage, or correlate into any action, typically requiring a combination of tools and consoles before an incident materializes. Also, until recently there has not been an easy way to correlate IDS alerts with firewall logs, system logs, or vulnerability scans. Because IDS is notorious for high false positive rates, a correlated IDS alert is much more meaningful than a raw one.

Finally, there is general information overload, with millions of appliance, application, and system event logs generated every day. The primary problem with network forensics is the dynamic nature of network event data and the fact that it is rarely audited, inadequately archived, and easily lost, deleted, or copied. 65% of organizations report that they have not established any Return on Investment (ROI) metrics for security risk management on their enterprise networks. 56% of upper management and decision makers rarely or never discuss policies and the need for procedures regarding access to critical information, leaving the task of complying with federal regulations solely to IT Security Management and IT Security Technicians.

The Investigations Triad


All network forensic investigations revolve around what is known as the Investigations Triad. To meet the goals of the Investigations Triad as it pertains to network forensics, we will use a commercial, software-based SIEM and log management tool called Activeworx Security Center (ASC), and we will discuss three main topics:
- Vulnerabilities: Using the SANS/FBI Top 20 Internet Vulnerabilities as our framework, we will use ASC to automate the correlation of IDS events to vulnerability scans, in an effort to minimize false positives.
- Intrusion Response: Through event correlation we will see how to identify whether any of these 20 vulnerabilities is being attacked in real time, and thereby improve incident response times and mitigate risk to our assets.
- Investigations: We discuss the importance of archiving and retrieving forensically sound network logs and proving their integrity at a future date.
Figure 1 The Investigations Triad

Implementing real-time network forensic techniques is an effective method of initially identifying and responding to computer crimes and policy violations. With a Security Information and Event Management tool, an analyst can monitor, automate, and investigate network forensic event data, and respond much more quickly to IDS events because false positives are minimized. Correlating security events, investigating and acting according to policy, and properly archiving network and system events over time are critical elements in preparing an organization to succeed in current and future network forensic investigations. In tandem, vulnerability assessment and risk management are required elements of any investigation, to test and verify the integrity of computer systems, servers, and enterprise networks. SIEM, used to monitor network IDS and provide incident response functions, is desirable because it helps identify anomalies, such as covert channels and intruder attacks using automated tools, and helps correlate these anomalies with system and firewall logs. Computer investigative functions are necessary to manage, protect, and maintain the forensic integrity of network-based systems and devices.

Tools of the Trade


As each day passes in our information society, complexity increases. As the data made available through advanced computing technologies becomes more vulnerable to all forms of attack, we need to ensure that we conduct our business and personal lives through safe and secure technological channels. Consolidating current and future computer technologies in an intelligent way is paramount to safely integrating them in e-business, online banking, and the rest of our personal communications. A necessary measure is to keep a close eye on your assets in case of unauthorized behavior by insiders or outsiders. We have found through our research that Security Information and Event Management (SIEM) tools, such as those provided by CrossTec Corp., Cisco, ArcSight, and a handful of others, attempt to provide a solution that allows security administrators to manage security events quickly and intelligently. Most SIEM tools can correlate, monitor, analyze, and alert technicians about the different information security events and what they indicate. They also help security analysts and forensic specialists visualize, query, and examine what is happening in different areas of the network in real time, or analyze an incident that occurred in the past. In tandem, reports, diagrams, and the ability to replay security events can be used for intrusion response or forensic analysis of an incident.
Figure 2 Activeworx Security Center


Activeworx Security Center (ASC) is a SIEM software tool that can monitor, analyze, and alert on almost any event generated on your network to extract security and forensic information. ASC can also correlate events from different assets with vulnerability scanner results in real time. To ease the pain of compliance, the enterprise version of ASC can collect, MD5-checksum, and rotate audit logs for every network device, system, or application on a network. This helps organizations meet regulatory compliance requirements and be ready for future audits and investigations. ASC makes it easier to be compliant and also gives you the power to analyze network events in the way you think is important. When trying to cover the core components of the Investigations Triad, it is difficult to translate these ideas into technologies that can actually do the job. We will provide an example of how each component can be addressed by ASC, and by SIEM in general.

Vulnerabilities are a crucial and often neglected component of any security program. Without current vulnerability information for systems, applications, and network devices, it is impossible to know which systems carry the highest risk or are most susceptible to attack. It is difficult to run vulnerability scans consistently, primarily because they are time consuming and require a certain level of expertise, and because of the open questions that follow: What are you going to do with the results once you have them? Who knows which vulnerabilities are important and which aren't? Who can tell when one of these vulnerabilities is being exploited? The answers are: ASC correlates them with IDS events, ASC knows what your vulnerabilities are (from your scanner's results), SANS/FBI knows which are important, and your IDS/IPS devices are the ones that know when you're being attacked. The SANS Institute, together with the FBI, maintains a list of the Top 20 Internet Vulnerabilities. Using this as our framework, we can use ASC and its Correlation Engine to automate the correlation of IDS events to vulnerability scans by CVE reference, alerting us to important events in real time. (For more on CVE references, see the SANS Top 20 Vulnerabilities section below.)
Figure 3 ASC Built-in IDS Event to High Risk Vulnerability Correlation Rule

Intrusion Response (IR) is not typically associated with network forensic investigations; in reality, however, it is one of their most important components. Proper IR technique is what network forensics is all about, and it can make or break an investigation depending on how the first response is handled. IR is made more efficient by three main SIEM components: automated event-to-vulnerability correlation as described above, visualization and diagramming of events with drill-down analysis, and event-to-event correlation of activity on the network.
Figure 4 Event Diagram and Visualization of High Priority Security Events Helps IR


In scenarios where certain events must be correlated immediately with other events happening on the network, there needs to be a quick and effective way to pull related information from other devices (for example, the firewall and system log entries for the same source address in the minutes before an IDS alert).
Figure 5 ASC Event to Event Correlation Rule Helps Finds Anomalies

Investigations are often conducted after the incident has occurred. To show that the information you have is forensically sound, the network logs of all assets need to be handled correctly from the moment they are generated. It is no longer sufficient to store logs on end systems and let them overwrite themselves every few days. Regulatory compliance and the need to forensically analyze events are forcing organizations to store network event data over long periods and to find a mechanism that will allow them to prove its integrity at a future date. ASC provides this capability in its new v4 ASCe, an enterprise version of the SIEM tool that includes complete log management. Interestingly, although SIEM and Log Management are tightly related, their purposes are opposed: SIEM lets an analyst discard large numbers of unnecessary events to pick out the few that matter, whereas the goal of a good Log Management solution is to log every single event from every device or system on the network and store it to disk for regulatory compliance and future analysis. According to the manufacturer, ASCe will be released this summer and will support logging of 20,000 to 30,000 Events Per Second (EPS), 20-to-1 compression of all logs daily, MD5 checksumming and rotation of log files, easy search of archived audit data, and full integration with the SIEM tool so that events from the past can be imported and analyzed today. One caveat applies to any checksum-based scheme: a checksum kept on the same system as the log only detects accidental corruption, because an intruder who can alter the log can simply recompute the checksum. To prove integrity to an auditor, the checksums must be stored separately from the logs (or computed with a key the log host does not hold), and MD5 in particular is no longer considered collision resistant.
Figure 6 ASCe Version 4 Complete Log Management with SIEM Integration
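The archiving and later verification described above, as an added example that is not part of the original paper and is not ASCe's implementation. It compresses a rotated log, records its size and SHA-256 digest in a manifest, and protects the record with an HMAC under a key that, by assumption, is held on the log-management server rather than on the host that produced the log. The sample syslog lines, the host names and the key are constructed for the example; the demo then shows that both a doctored archive and a doctored archive with a rewritten manifest entry fail verification.

```python
import gzip
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample syslog lines (not from any real system).
SAMPLE_LOG = (
    b"May  1 10:00:01 fw1 kernel: DENY IN=eth0 SRC=192.0.2.7 DST=10.0.0.5 PROTO=TCP DPT=135\n"
    b"May  1 10:01:00 ids1 snort: DCERPC ISystemActivator bind attempt 192.0.2.7 -> 10.0.0.5\n"
    b"May  1 10:01:03 srv5 sshd[812]: Accepted password for admin from 192.0.2.7 port 40122 ssh2\n"
)


def _record_mac(key, archive_name, size, sha256_hex):
    """MAC over the manifest record; forging it requires the key, which the log host does not have."""
    msg = f"{archive_name}|{size}|{sha256_hex}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def archive_log(log_path, archive_dir, manifest_path, key, stamp):
    """Gzip a rotated log into archive_dir and append an integrity record to the manifest."""
    with open(log_path, "rb") as f:
        raw = f.read()
    archive_name = f"{os.path.basename(log_path)}.{stamp}.gz"
    with gzip.open(os.path.join(archive_dir, archive_name), "wb") as g:
        g.write(raw)
    sha = hashlib.sha256(raw).hexdigest()   # digest of the uncompressed content
    entry = {"archive": archive_name, "bytes": len(raw), "sha256": sha,
             "hmac": _record_mac(key, archive_name, len(raw), sha)}
    with open(manifest_path, "a") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def verify_archive(entry, archive_dir, key):
    """True only if the record's MAC is valid and the archive content still matches the record."""
    expected = _record_mac(key, entry["archive"], entry["bytes"], entry["sha256"])
    if not hmac.compare_digest(expected, entry["hmac"]):
        return False   # the manifest record itself was altered (or the wrong key was supplied)
    with gzip.open(os.path.join(archive_dir, entry["archive"]), "rb") as g:
        raw = g.read()
    return (len(raw) == entry["bytes"]
            and hmac.compare_digest(hashlib.sha256(raw).hexdigest(), entry["sha256"]))


def demo():
    """Archive the sample log, then verify it clean, after tampering, and after a forged record."""
    key = b"example-key-kept-on-the-log-server"   # constructed; a real key is generated, not typed in
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "messages")
        manifest = os.path.join(d, "manifest.jsonl")
        with open(log_path, "wb") as f:
            f.write(SAMPLE_LOG)
        entry = archive_log(log_path, d, manifest, key, "20060501")
        results = {"clean": verify_archive(entry, d, key)}
        # An intruder rewrites the archive to hide the successful login from their address.
        doctored = SAMPLE_LOG.replace(b"Accepted password", b"Failed password")
        with gzip.open(os.path.join(d, entry["archive"]), "wb") as g:
            g.write(doctored)
        results["tampered"] = verify_archive(entry, d, key)
        # The same intruder also rewrites size and hash in the record to match the doctored file,
        # but cannot recompute the MAC without the key held on the log server.
        forged = dict(entry, bytes=len(doctored), sha256=hashlib.sha256(doctored).hexdigest())
        results["forged_record"] = verify_archive(forged, d, key)
        return results


if __name__ == "__main__":
    print(demo())
```

The digest is taken over the uncompressed bytes, so an archive can be recompressed with a different tool or level without invalidating its record; the MAC, not the digest, is what an auditor relies on, since a hash alone is only as trustworthy as the place it is stored.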

SANS Top 20 Vulnerabilities



Six years ago the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI created a Top 10 list of the most exploited vulnerabilities on the Internet. In the years since, thousands of public and private organizations have helped expand this list into the Top 20 Internet Security Attack Vectors. Every year SANS and the FBI update the list with the latest vulnerabilities, and it has become the incident handler's point of reference when defining a starting point for tracking and monitoring vulnerabilities on a given network. The vulnerable services that led to worms like Blaster, Slammer, and Code Red were all on SANS Top 20 lists before the worms hit the Net, and the worms could have been prevented, or at least detected, had those vulnerabilities been monitored for activity on the network. The SANS Top 20 2006 is a consensus list of vulnerabilities that require immediate remediation and can be found at http://www.sans.org/top20/. The idea of this document is to monitor events coming from IDS/IPS sensors to see whether one of these Top 20 vulnerabilities is being attacked; furthermore, an event is matched against a vulnerability only if we know the vulnerability actually exists on our network. Activeworx Security Center will begin to include these rules built into the product in v4 by using CVE references. CVE (Common Vulnerabilities and Exposures) is a list of standardized identifiers for publicly known vulnerabilities, maintained by MITRE; the National Vulnerability Database (NVD) operated by the National Institute of Standards and Technology (NIST) builds on the CVE list and adds severity and remediation details. Both IDS/IPS sensors and most vulnerability scanners already include CVE references in their events, which gives security teams a common key to correlate, index, and reference vulnerabilities and threats on their network as they happen. The National Vulnerability Database, where these CVEs can be looked up, is at http://nvd.nist.gov/
Figure 7 SANS Top-20 Vulnerability Correlation to IDS/IPS Event
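The two correlation rules the paper describes, the IDS-event-to-vulnerability rule keyed on CVE reference (Tools of the Trade and this section) and the event-to-event rule that pulls related firewall activity around an IDS alert (Intrusion Response), as an added example in working code. This is not code from the original paper and not the ASC Correlation Engine; the scan findings and the firewall and IDS events are constructed, already normalized to one schema, and the time window and deny threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed vulnerability-scan results: host -> CVE ids the scanner reported on it.
# The ids are the CVE references associated with the Blaster (CVE-2003-0352),
# Code Red (CVE-2001-0500) and Slammer (CVE-2002-0649) worms the paper mentions.
SCAN_FINDINGS = {
    "10.0.0.5": {"CVE-2003-0352", "CVE-2001-0500"},
    "10.0.0.8": {"CVE-2002-0649"},
}

# Constructed events from a firewall ("fw") and an IDS ("ids"), normalized to
# one schema: (timestamp, device, src_ip, dst_ip, cve, message).
EVENTS = [
    ("2006-05-01 10:00:01", "fw",  "192.0.2.7",    "10.0.0.5", None,            "deny tcp/135"),
    ("2006-05-01 10:00:05", "fw",  "192.0.2.7",    "10.0.0.5", None,            "deny tcp/139"),
    ("2006-05-01 10:00:09", "fw",  "192.0.2.7",    "10.0.0.5", None,            "deny tcp/445"),
    ("2006-05-01 10:01:00", "ids", "192.0.2.7",    "10.0.0.5", "CVE-2003-0352", "DCERPC ISystemActivator bind attempt"),
    # Same signature against a host the scanner did NOT find vulnerable: a false positive to suppress.
    ("2006-05-01 10:02:30", "ids", "198.51.100.4", "10.0.0.8", "CVE-2003-0352", "DCERPC ISystemActivator bind attempt"),
    ("2006-05-01 10:03:15", "ids", "198.51.100.9", "10.0.0.8", "CVE-2002-0649", "MS-SQL resolution service overflow"),
    ("2006-05-01 10:04:00", "fw",  "203.0.113.2",  "10.0.0.5", None,            "permit tcp/80"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate_event_to_vuln(events, findings):
    """Rule 1: escalate an IDS alert only if its CVE was found on the destination host."""
    hits = []
    for ts, dev, src, dst, cve, msg in events:
        if dev == "ids" and cve and cve in findings.get(dst, set()):
            hits.append({"ts": ts, "src": src, "dst": dst, "cve": cve,
                         "priority": "HIGH", "msg": msg})
    return hits


def correlate_event_to_event(events, window=timedelta(minutes=5), min_denies=3):
    """Rule 2: flag an IDS alert preceded by >= min_denies firewall denies from the same source within window."""
    denies = defaultdict(list)   # src_ip -> timestamps of recent denies
    anomalies = []
    for ts_s, dev, src, dst, cve, msg in sorted(events, key=lambda e: _ts(e[0])):
        ts = _ts(ts_s)
        # Drop denies older than the window so per-source state does not grow without bound.
        denies[src] = [t for t in denies[src] if ts - t <= window]
        if dev == "fw" and msg.startswith("deny"):
            denies[src].append(ts)
        elif dev == "ids" and len(denies[src]) >= min_denies:
            anomalies.append({"ts": ts_s, "src": src, "dst": dst,
                              "denies_in_window": len(denies[src]), "msg": msg})
    return anomalies


def run_rules(events=EVENTS, findings=SCAN_FINDINGS):
    """Apply both rules and return what an analyst would actually be shown."""
    return {"vuln_hits": correlate_event_to_vuln(events, findings),
            "anomalies": correlate_event_to_event(events)}


if __name__ == "__main__":
    for name, rows in run_rules().items():
        print(name)
        for r in rows:
            print("  ", r)
```

On the sample data, rule 1 keeps two of the three IDS alerts and drops the DCERPC alert against 10.0.0.8, because the scanner never reported CVE-2003-0352 there; rule 2 fires once, for 192.0.2.7, whose three denied connection attempts in the five minutes before its alert are exactly the related firewall context the Intrusion Response discussion asks for.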


Network Forensics The Solution


An effective information security program needs specific policies and procedures in place to manage information risk, essentially a Plan, Do, Check, Act lifecycle for defined security and forensic policies. Technical controls and tools should then provide the automated implementation, enablement, enforcement, and monitoring of these policies and procedures. To achieve compliance with a number of regulations, organizations must monitor both successful and unsuccessful attempts to access their computer systems. Organizations following these strict policies and regulations constantly seek efficient and cost-effective operational tools to manage information on their network. As the requirements for IT Risk Management become paramount, there will be an increase in the variety of solutions, with different cost structures, that meet federal regulations and ensure the secure monitoring of network information. ASC can assist organizations in collecting appropriate network event data and maintaining it in a form that can easily be used for analysis and reporting during audits, security incidents, or forensic investigations. ASC helps ensure that policies and procedures are in place to safeguard sensitive data, and audits that event data is accessed only by those with a need to know. ASC also assists in analyzing vulnerability scans to ensure that flaws in an organization are detected and correlated to possible intrusions. Finally, ASC establishes a baseline of network and system activity for the organization's computing environment.
Figure 8 Major Components of SIEM and Log Management


SIEM and Log Management solutions in general, like ASC, assist with security information and log management as well as regulatory compliance by:
- Aggregating and normalizing event data from unrelated network devices, security devices, and application servers into usable information.
- Analyzing and correlating information from various devices to identify attacks as soon as possible and respond more quickly to intrusions.
- Conducting network forensic analysis on historical or real-time events through visualization and replay of events.
- Creating customized report formats to adhere to specific compliance regulations.
- Increasing the value and performance of existing security devices by providing a consolidated event management and analysis platform.
- Improving the effectiveness of IT Risk Management personnel by helping them focus on the events that are important.

Conclusion
As enterprise networks, voice and data traffic, and the number of end users continue to grow, so do the need and requirements for stable and all-inclusive SIEM and Log Management. Tools such as these are rising to the forefront of information warfare as one of the best methods of strategically detecting and responding to attacks. Integrating the layers of security devices already in place with future information assurance technologies is not an easy task; to efficiently monitor and understand your attackers, a SIEM tool is a huge help. Many surveys reveal that 60% of security breaches are internal, yet 70% of IT and IT security staff are more concerned about attackers on the outside, and some organizations spend 90% of their security effort on firewalls alone. Project management and cost/benefit analysis need to be applied in order to save time and money when deciding at which layer to implement new information assurance measures, what policies and procedures to create, and what software and hardware to purchase. SIEM and Log Management help focus IT security measures to protect hosts as well as the network perimeter more effectively, perform and automate network forensic analysis, automate the log retention aspects of regulatory compliance, and visualize and report on your network in real time. Network forensics is a real-world method of initially identifying and responding to computer crimes and policy violations, not just investigating historical incidents. Major advances in event analysis and correlation allow Information Assurance technicians to counteract threats faster than ever, and these advances are available for the benefit of all Information Technology (IT) staff, especially the IT Security Managers, Auditors, and CISOs who are held accountable. With a SIEM, an analyst can analyze, replay, and investigate network forensic data. Moreover, the correlation and proper storage of network security events is a crucial part of preparing an organization to succeed in present and future forensic investigations. A substantial number of suspicious security events occur and go undetected within most enterprise networks and computer systems every day.

