Finding Needles in the Haystack of Security Events

I hate to throw a cliché at you, but when it comes to security event and log management, a picture (or a handful of pictures) is certainly worth a thousand words.  Security devices generate volumes of raw data, usually in a proprietary manner.  Parsing such unstructured data and making sense out of it is a tedious, if not an impossible task.  If that’s not enough to make you cringe, when your organization is under a DDoS attack, your CIO is going to want not only a resolution but the answers to Who, What, Where,  When, Why and How - fast.  Security is time-sensitive; every minute counts and every second that ticks by negatively impacts your bottom line - brand degradation, unhappy customers and ultimately lost revenues.

Nothing I already stated should come as a big surprise. The question is; how can you as a security professional create that big picture out of the thousands or even millions of raw events?  Do you need a state-of-the art Security Operations Center (SOC), a crew of security experts, and perhaps a little prayer to create that big picture?  Or, is it time for a virtual SOC that provides economies of scale by consolidating security expertise and visibility in one centralized location?

Let’s first take a look at how specialized SOCs follow a systematic approach to find the relevant needles in the haystack of security events.  At the foundational level, the attack mitigation techniques followed by a typical SOC involve three main steps:

  1. Inspect
  2. Analyze
  3. Respond

The goal of inspecting Internet traffic and establishing a baseline is to determine the normal activity level for your environment and establish any thresholds that would indicate a threat or security event in order to generate the proper alerts.  Normal activity levels can vary by time of day or by the month of the year or by some other factors specific to your business.

Some examples of baselines are:

  • Normal link utilization is 30% during peak hours, 10% during off hours.  During the months of July, normal link utilization during peak hours goes up to 40%.
  • Normally, we observe 200K packets per second during peak hours, 100K packets per second during off hours.
  • Typically, 60% of the traffic is TCP and 35% UDP

Once the baselines are established, SOCs monitor all activity (network activity, security events) and analyze those that exceed the pre-determined thresholds or indicate suspicious behavior.  Monitoring involves tracking abnormal behavior, outside the range of normal activity levels established during the baseline, and is almost always done via the alerting procedures that notify SOC personnel via an e-mail, SMS, dashboard indicators, or a combination of these.  Based on the above baseline info, the SOC may set up an alert if link utilization exceeds 50% or packets per second level exceed 300K.

Analysis is about getting down to explaining abnormal behavior and determining the root cause.  Hence, the cliché of using pictures and not words is most effective.  For example, you might find that a spike in link utilization/packets per second coincided with unusually large amounts of traffic with the source port of 53.  This could be an indication of an unsolicited DNS response being sent to your servers from an open DNS resolver.  Charts showing link utilization, packets per second, and port activity over time can be used to create the big picture.

Finally, response to the security event requires implementing policy changes to protect against the threats discovered but not previously mitigated.  In this example, you may create a rule with an on-premises DDoS mitigation equipment to block all unsolicited DNS responses and protect your web services from this attack vector in the future.

Now, just imagine trying to do all this with raw syslog events, little baseline info, and without dedicated DDoS mitigation in place.  The good news is that security vendors like Corero are empowering customers and Managed Security Service Providers with capabilities that are currently only available to sophisticated SOCs, - without a significant up-front investment.

I invite you to keep checking back for additional posts on this topic. I hope to share more about specific attack vectors and the investigative techniques used to determine root cause of each, with powerful security analytics.



You May Also Be Interested In: