
Reducing False-Positives and False-Negatives in Security Event Data Using Context






Presentation Transcript


  1. Reducing False-Positives and False-Negatives in Security Event Data Using Context Derek G. Shaw August 2011

  2. Overview of Security Monitoring Reducing False-Positives and False-Negatives in Security Event Data Using Context—2—August 2011

  3. Purpose of Security Monitoring The purpose of security monitoring is to provide real-time awareness of current threats, risks, and compromises, as accurately as possible.

  4. Components of Security Monitoring
     • Consoles (Analyst Desktop)
     • Database
     • Manager (Rules, Data Aggregation, Data Correlation, Reporting)
     • Sensors
        • Intrusion Detection System
        • Log Servers
        • Network Flows
        • Vulnerability Scanners

  5. The False Problem With Security Monitoring
     • False-positives: normal or expected behavior that is identified as anomalous or malicious
     • False-negatives: conditions that should be identified as anomalous or malicious but are not

  6. Why So Many False-Positives, and Who Knows How Many False-Negatives
     • While some false-positives and false-negatives will always occur, a good portion can be attributed to a lack of knowledge about the environment being monitored
     • Knowledge about the environment is not kept up to date, nor kept historically accurate

  7. So, how do you reduce the rate of both false-positives and false-negatives? Context

  8. What is Context Context is additional data and information that is added to security event data to increase the relevance and meaning of the data in relation to one's environment.

  9. Traditional Security Event Data

  10. Traditional Network Flow Event Data Note: 192.168.0.0/16 - Corporate Network

  11. Traditional IDS Event Data Note: 192.168.0.0/16 - Corporate Network

  12. Traditional Syslog Event Data Note: 192.168.0.0/16 - Corporate Network

  13. Traditional Security Event Data with Context Added

  14. Network Flow Event Data with Context Note: 192.168.0.0/16 - Corporate Network

  15. IDS Event Data with Context Note: 192.168.0.0/16 - Corporate Network

  16. Syslog Event Data with Context Note: 192.168.0.0/16 - Corporate Network

  17. Types of Network Context
     • Access tags (Internal, Private, External, No-Internet)
     • Dark space tags for unused IP space
     • Subnet descriptions

  18. Types of Asset Context
     • Business Role Tags (Financial, HR, Printers)
     • Operating System
     • Software Category Tags (Apache, BIND, MySQL)
     • System Classification Tags (SSH Server, LDAP Server, Web Server, DNS)

  19. Types of User Context
     • Real Name
     • Working group (Mail Room, Control Room, Networking Group)
     • List of accounts
     • List of privileged access accounts

  20. How Context is Implemented

  21. Context Data Sources
     • Memory-resident key/value data stores
     • Contain data about assets, networks, and users
     • Continually updated by data-mining scripts

  22. Context Preprocessor
     • Sits between the sensors and the security monitoring system manager
     • Queries the context data sources in real time, keyed on IP addresses or user names
     • Appends any context data available to the event data record

  23. Important Things to Remember
     • For context to be effective, it must be current at the moment an event is enriched.
     • For events to accurately reflect your environment, context cannot be looked up on demand in the manager. The context for a given event must be recorded once, when the event is received, and not changed afterwards.
     • Looking context up on demand in the manager means a rule sees the environment as it is now, not as it was when the event occurred, which may turn an alert into a false-negative.
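The following Python example is added here to show the pipeline of slides 21 through 23 and the context-based rules of slide 25 in working code; it is not the author's implementation. The in-memory dictionaries stand in for the memory-resident key/value stores, `enrich` plays the context preprocessor, `evaluate` plays the manager's rules, and `demo_point_in_time` reproduces the false-negative that slide 23 warns about. Every subnet, host, tag, user and event is constructed for illustration.

```python
import copy
import ipaddress

# Constructed context data sources: a small in-memory stand-in for the
# memory-resident key/value stores the slides describe. Every subnet, host,
# tag, user and event below is invented for illustration.
NETWORK_CONTEXT = {
    "192.168.0.0/16":   {"subnet": "Corporate network", "access": "Internal"},
    "192.168.1.0/24":   {"subnet": "Finance workstations", "access": "Internal"},
    "192.168.2.0/24":   {"subnet": "Server farm", "access": "Private"},
    "192.168.250.0/24": {"subnet": "Unallocated", "access": "Internal", "dark": True},
}
ASSET_CONTEXT = {
    "192.168.2.10": {"os": "Linux", "software": ["Apache", "MySQL"],
                     "classes": ["Web Server"], "role": "Financial"},
    "192.168.2.53": {"os": "Linux", "software": ["BIND", "OpenSSH"],
                     "classes": ["DNS", "SSH Server"], "role": "Infrastructure"},
    "192.168.1.25": {"os": "Windows", "software": [], "classes": [], "role": "HR"},
}
USER_CONTEXT = {
    "jdoe": {"name": "Jane Doe", "group": "Networking Group",
             "accounts": ["jdoe", "root"], "privileged": ["root"]},
}

# Constructed sample events from the three sensor types on slides 10-12.
EVENTS = [
    {"type": "flow", "src": "192.168.1.25", "dst": "192.168.250.7", "dst_port": 445},
    {"type": "ids", "src": "203.0.113.5", "dst": "192.168.2.53", "dst_port": 80,
     "sig": "WEB-MISC Apache chunked encoding overflow"},
    {"type": "ids", "src": "203.0.113.5", "dst": "192.168.2.10", "dst_port": 80,
     "sig": "WEB-MISC Apache chunked encoding overflow"},
    {"type": "syslog", "src": "203.0.113.5", "dst": "192.168.2.53", "user": "jdoe",
     "msg": "sshd: Accepted password for jdoe"},
]


def lookup_network(ip):
    """Longest-prefix match of an address against the network context;
    anything outside the known subnets is tagged External."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, ctx in NETWORK_CONTEXT.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ctx)
    return copy.deepcopy(best[1]) if best else {"subnet": "not ours", "access": "External"}


def enrich(event):
    """Context preprocessor: sits between sensor and manager, looks context up
    by IP address and user name, and appends a copy to the event record.
    That copy is the point-in-time snapshot the manager stores with the event."""
    rec = copy.deepcopy(event)
    for side in ("src", "dst"):
        ip = event.get(side)
        if ip:
            rec[side + "_net"] = lookup_network(ip)
            rec[side + "_asset"] = copy.deepcopy(ASSET_CONTEXT.get(ip, {}))
    if "user" in event:
        rec["user_ctx"] = copy.deepcopy(USER_CONTEXT.get(event["user"], {}))
    return rec


def evaluate(rec):
    """Manager rules written against context tags rather than IP lists.
    'suppress' marks a likely false-positive; 'alert' marks a condition
    that a context-free rule set would miss."""
    out = []
    dst_net, dst_asset = rec.get("dst_net", {}), rec.get("dst_asset", {})
    src_net, user = rec.get("src_net", {}), rec.get("user_ctx", {})
    if dst_net.get("dark"):
        out.append("alert: traffic into dark space " + dst_net["subnet"])
    if rec.get("dst_port") == 22 and "SSH Server" not in dst_asset.get("classes", []):
        out.append("alert: SSH to a host not classified as an SSH server")
    if "Apache" in rec.get("sig", ""):
        if "Apache" in dst_asset.get("software", []):
            out.append("keep: IDS alert stands, target runs Apache")
        else:
            out.append("suppress: Apache signature against host not running Apache")
    if user.get("privileged") and src_net.get("access") == "External":
        out.append("alert: privileged user %s logged in from external network" % user["name"])
    return out


def demo_point_in_time():
    """Slide 23: a record enriched at ingest keeps its alert after the context
    store changes; looking context up on demand afterwards loses it."""
    event = EVENTS[0]
    stored = enrich(event)                      # snapshot taken when the event arrived
    saved = NETWORK_CONTEXT["192.168.250.0/24"]
    try:
        # The unallocated range is later put into use and its dark tag removed.
        NETWORK_CONTEXT["192.168.250.0/24"] = {"subnet": "New lab", "access": "Internal"}
        return evaluate(stored), evaluate(enrich(event))
    finally:
        NETWORK_CONTEXT["192.168.250.0/24"] = saved


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["type"], evaluate(enrich(ev)))
    print("at ingest vs on demand:", demo_point_in_time())
```

Run as a script it prints one decision list per sample event, then the pair returned by `demo_point_in_time`: the dark-space alert recorded at ingest survives, while the same event re-enriched after the subnet was put into use produces nothing. The rules never mention an IP address; re-tagging a subnet or adding "Apache" to a host's software list changes the outcome without touching a filter, which is the point of slide 25.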

  24. Advantages of Context
     • Adds data and information to the event record that the sensor does not have.
     • Updates to context data sources can be automated and dynamic.

  25. Advantages of Context (cont.)
     • Changes to your environment can be reflected by updating the context data, requiring fewer changes to security monitoring rules and filters.
     • Security monitoring rules and filters can be written against context. This eliminates or reduces the need for filters and rules based on lists of IP addresses, one-off rules, and filter exceptions.

  26. Disadvantages of Context
     • Requires analysts to understand the IT infrastructure
     • Requires constant upkeep to stay relevant
     • Adds an extra process to the security monitoring workflow

  27. Questions? Comments?
