
Event Correlation Value

Posted by Doug Picotte on Wed, May 12, 2010 @ 10:47 AM

Hello music and security lovers. I recently sat through an information security webinar, in which the speaker said that security event log correlation is the "mothers' milk" of Security Information and Event Management.

Specifically, he was emphasizing how important this is (or SHOULD be) for a Managed Security Service Provider (MSSP). The distinguished speaker went on to say that some MSSPs demonstrate their correlation capabilities through animation or by "cartoon", as he described it. As I sat through the webinar, I wondered what questions our customers would have regarding the incredible buzzword of correlation.

1. As a customer, why should I care about correlating security event logs?

2. What value does correlation provide, and how does it benefit my business?

Consider an analogy. A "low tech" attacker goes to the hardware store and purchases a ski mask, duct tape, a crowbar and a large bolt cutter. Of course, there is nothing all that suspicious about purchasing any one of these items separately; however, when they are purchased together on a cold, dark night, it might raise the eyebrow of the clerk behind the counter.

How does this tie into security event monitoring, management and investigation? Event correlation falls primarily into two categories:

Vulnerability Data Correlation

By understanding specific information about the client's assets, such as server OS types and versions, one can combine that information with vulnerability data from scanning results to profile the attack surface. If and when an attack does occur, the Security Operations Center (SOC) analyst can use this correlated information to determine whether the attack has a chance of success. A perfect example of this would be an attacker launching a UNIX-based attack on a Windows server. This would be considered an "Off Target" attack, and as such, it has little to no chance of being successful. In such a case, the client may choose not to have such an attack escalated to them. On the other hand, if the attacker launches a Windows-based attack on a Windows server that is vulnerable to that specific attack, there is a much greater chance the attack will be successful. This would be considered an "On Target" attack, and the client would surely want to be notified.
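The On Target / Off Target decision above, as an added example that is not code from the original post: an IDS alert is checked against a constructed asset inventory and constructed scan results. Hostnames, IPs, signature names, vulnerability ids and the "Not Confirmed" and "Unknown" verdicts are my assumptions, not the author's.

```python
# Added example, not from the original post: classify an IDS alert as
# "On Target" or "Off Target" by correlating it with a constructed asset
# inventory and vulnerability scan results. Hostnames, IPs, signature names
# and vulnerability ids are placeholders, not real data.
from dataclasses import dataclass, field


@dataclass
class Asset:
    hostname: str
    os_family: str                              # "windows" or "unix"
    vulns: set = field(default_factory=set)     # ids found by the last scan


# Constructed asset inventory keyed by IP (placeholder values).
ASSETS = {
    "10.0.0.5": Asset("web01", "unix", {"VULN-PLACEHOLDER-A"}),
    "10.0.0.9": Asset("fs01", "windows", {"VULN-PLACEHOLDER-B"}),
}

# Constructed signature metadata: OS family the exploit targets and the
# vulnerability id it exercises (placeholder values).
SIGNATURES = {
    "SIG-WIN-EXPLOIT-1": {"os_family": "windows", "vuln": "VULN-PLACEHOLDER-B"},
    "SIG-UNIX-EXPLOIT-1": {"os_family": "unix", "vuln": "VULN-PLACEHOLDER-C"},
}


def classify_alert(dst_ip: str, signature: str) -> dict:
    """Return the correlation verdict and whether the client gets escalated."""
    asset = ASSETS.get(dst_ip)
    sig = SIGNATURES.get(signature)
    if asset is None or sig is None:
        # Unknown host or signature: nothing to down-rank on, so escalate.
        return {"verdict": "Unknown", "escalate": True}
    if sig["os_family"] != asset.os_family:
        # e.g. a UNIX exploit against a Windows host: Off Target, not escalated.
        return {"verdict": "Off Target", "escalate": False}
    if sig["vuln"] in asset.vulns:
        # Right OS and the scan found the host vulnerable: On Target.
        return {"verdict": "On Target", "escalate": True}
    # Right OS family but the scan did not find the host vulnerable; the
    # scan may be stale, so this still goes to the client (assumption).
    return {"verdict": "Not Confirmed", "escalate": True}
```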

User ID Correlation

User ID correlation can be invaluable when investigating security events. The ability to correlate user ID information from sources such as Active Directory servers, VPN concentrators, IDS sensors and application servers can assist the SOC analyst in providing nearly immediate context to the security event. Imagine a situation where multiple login attempts are being performed on a particular server, followed by a successful login. That in itself is not necessarily cause for alarm. Now imagine the same server suddenly starts scanning other hosts on the network at an alarming rate. Correlating the series of failed logins with the scanning gives the SOC analyst the context to identify an event in progress. The client would want to know specific information about this attack to mitigate the situation before additional damage is done.
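The failed-logins, then success, then scanning sequence above, as an added example that is not code from the original post: a small correlation pass over constructed log records that ties the three stages to one host and one user ID. The record format, thresholds and window are my assumptions.

```python
# Added example, not from the original post: correlate a burst of failed
# logins, a successful login and a subsequent scan from the same host into
# one escalated event. Log records are constructed with placeholder values.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records: time source event host user destination
RAW_LOGS = """\
2010-05-12T09:00:01 ad LOGIN_FAIL fs01 jdoe -
2010-05-12T09:00:03 ad LOGIN_FAIL fs01 jdoe -
2010-05-12T09:00:05 ad LOGIN_FAIL fs01 jdoe -
2010-05-12T09:00:08 ad LOGIN_FAIL fs01 jdoe -
2010-05-12T09:00:11 ad LOGIN_OK fs01 jdoe -
2010-05-12T09:01:00 ids CONNECT fs01 - 10.0.0.21
2010-05-12T09:01:01 ids CONNECT fs01 - 10.0.0.22
2010-05-12T09:01:02 ids CONNECT fs01 - 10.0.0.23
2010-05-12T09:01:03 ids CONNECT fs01 - 10.0.0.24
2010-05-12T09:01:04 ids CONNECT fs01 - 10.0.0.25
2010-05-12T09:05:00 ad LOGIN_OK web01 asmith -
"""

def parse(raw):
    recs = []
    for line in raw.splitlines():
        ts, src, ev, host, user, dst = line.split()
        recs.append((datetime.fromisoformat(ts), src, ev, host, user, dst))
    return recs

def correlate(raw, min_fails=3, min_targets=5, window=timedelta(minutes=10)):
    """Escalate hosts showing failed logins -> success -> scan within window."""
    fails = defaultdict(list)    # host -> times of failed logins
    success = {}                 # host -> (time, user) of first success after fails
    targets = defaultdict(set)   # host -> distinct destinations contacted after
    for t, _src, ev, host, user, dst in sorted(parse(raw)):
        if ev == "LOGIN_FAIL":
            fails[host].append(t)
        elif ev == "LOGIN_OK" and host not in success:
            recent = [f for f in fails[host] if t - f <= window]
            if len(recent) >= min_fails:
                success[host] = (t, user)
        elif ev == "CONNECT" and host in success:
            if t - success[host][0] <= window:
                targets[host].add(dst)
    return {
        host: {"user": success[host][1], "failed_logins": len(fails[host]),
               "targets": len(targets[host])}
        for host in success if len(targets[host]) >= min_targets
    }
```

A lone LOGIN_OK (web01 above) or a burst of failures with no scan produces no escalation; only the full sequence does.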

Correlation Value

There are several reasons why event correlation is valuable:

1. Reduced Costs to Mitigate Events

When correlated, event notifications (alerts) provide more specific information to the client, which causes the Total Cost of Event Mitigation (TCEM) to decrease. Detailed alerts can tell you specifically who, what, when, and where an attack is taking place.

2. Reduce False Positive Costs

Fewer false positives increase the client's staff efficiency, since less time is spent chasing down non-impacting security issues. False positives also contribute to what is known as "False Positive Fatigue": if the doorbell keeps ringing and no one is ever there, eventually you will not answer the door when it rings again. Remember the boy who cried "wolf"?

3. Increase Staff Efficiency

Staff are not tracking down false positives, and having correlated information at hand makes event investigation simpler. Do not underestimate the fact that the staff time saved can be spent completing other projects that grow the business.

4. Decrease Event Liability

Understanding an event and its impact quickly reduces the damage and exposure that could result. The longer an attack goes undetected, the greater the potential damage and liability. Depending on the attack type and the business, this could translate into significant hard costs. Simply put, effective correlation speeds up event identification and management.

Until next time, stay secure and rock on!
