Intrusion Detection FAQ: How do I Tie the Identity of the Person Behind the Network Activity I Detect?

Jim McMillan
November 2009

Introduction

As we all know, networks were not invented with security in mind. As corporations realized the need for security, we saw various products created to defend our networks and hosts. Firewalls, intrusion detection/prevention systems and host log monitors soon hit the market, each coming with its own unique logging capabilities. However, there was no logging standard and none of the products were developed to log in a common, or normalized, fashion.

As a result, we have a lot of similar information ending up in various logs in various formats. With so much information, we do not have the capability to manually process these logs efficiently and effectively. How do we find a definite answer to our question of "Who did that"?

With a lot of digging and cross-referencing, we may be able to come up with a partial answer, but in the end we probably still cannot say with certainty. With pressure from compliance and regulatory requirements, what can we do to bring these logs together? How do we get the accurate reporting that provides the certainty we need and require?

This is where we call on Security Information and Event Management (SIEM) products. SIEM products are designed to take logs from many security products, applications and operating systems, put the data from them in a common format (normalization) and tie the various log events together (correlation).

Background

Networks were designed to enable efficient communications and sharing of network resources. Initially networks were isolated and designed for use by internal users. Therefore, with no outside connectivity and a low concern of insider threat, security measures were not a high priority or necessity.

As the Internet was introduced, the need for electronic collaboration and information sharing became a great business asset and enabler. Many existing networks were tied together without much concern for security. When people discovered the value of their network resources and information, they quickly realized the need for security measures to protect their assets.

In many of today's corporate networks, we have the ability to capture, analyze, record and react to network traffic as it goes across the wire (or air in the case of wireless). On the devices we connect to those networks, we have the ability to implement, log and analyze access to the devices by built-in access control features.

Our ability to analyze network traffic provides us information about what communication is occurring between network devices. From this analysis we can determine important things about what is happening on our networks. We can tell where the traffic originated (source), where it is headed (destination) and other pertinent information, such as the time the communication occurred.

On our devices, we typically have some sort of access control measure built into the underlying operating system. These access control measures give us the ability to authenticate and authorize access on an individual basis. They also provide a way to audit access by recording access events to log files. These logs provide important information about access events: who accessed the device, the times associated with the access, what the device is named and the network settings associated with the device.

The information we obtain from network traffic analysis and access control analysis can together give us what we need to tie an identity to the associated network activity. To do so, however, all of the logs must be configured to record the events we require; many devices do not have this level of logging enabled by default. Once they are configured to record the information we need, we can dig through the logs and find matching events that tie the activity across all devices together.

Manually performing this investigation can be very cumbersome and difficult to do in a timely manner. With the quantity of log information these devices can produce, many events per millisecond, this task is impossible to effectively complete in a reasonable amount of time. That is why we see products being developed and refined to help us with this daunting task.

The Bailout

Once we have our systems logging the information we need, we can implement another product to automate the normalization and correlation task for us: a product that collects all of the logged information, analyzes it and reports on findings much faster than we could manually. This brings in three closely related types of technology.

  • Security Information Management (SIM): SIM helps support the needs of regulatory compliance requirements by providing log management. SIM systems collect, analyze and report log data for user and resource activities. Primarily, they focus on host and application logs; network and security device logs are secondary.
  • Security Event Management (SEM): SEM helps more with threat management. SEM systems collect, analyze and report on data from security devices, network devices, hosts and applications in real time. They are well suited to incident response and management needs.
  • Security Information and Event Management (SIEM): SIEM systems combine SIM and SEM into a holistic product that provides the benefits of both. They arose because of the complementary value of, and need for, deploying SIM and SEM products in the same environments.

We can tie identity to activity by implementing a product that can collect logs from many different devices, convert the data into a normalized, understandable format, analyze it against policy rules and report on important findings. SIEM products can provide us the means to tie a person to activity on our networks (and hosts) with certainty.
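As an added illustration of the normalize-then-correlate step described here and in the Background section (example code written for this FAQ, not from the article or from any SIEM product), three constructed log formats are parsed into one common schema, and each firewall event's source IP is then chained to a host name through its DHCP lease and from there to the last user logged in on that host within a time window. The host names, addresses, users, log formats and the year 2009 (syslog timestamps carry no year) are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in three vendor formats (not from the article).
FIREWALL_LOG = [
    "Nov 12 14:03:07 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.1.2.33 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=22",
    "Nov 12 14:05:10 fw1 kernel: IN=eth1 OUT=eth0 SRC=10.1.2.40 DST=203.0.113.9 PROTO=TCP SPT=51300 DPT=22",
]
DHCP_LOG = ["Nov 12 13:50:02 dhcp1 dhcpd: DHCPACK on 10.1.2.33 to 00:11:22:33:44:55 (ws-033) via eth0"]
HOST_LOG = [
    "Nov 12 09:01:00 ws-033 login[411]: user bob logged in on console",
    "Nov 12 13:58:41 ws-033 login[812]: user alice logged in on console",
]

FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
DHCP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to \S+ \((\S+)\)")
LOGIN_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+) login\[\d+\]: user (\S+) logged in")

def _ts(text):
    # syslog timestamps omit the year; 2009 is assumed for the sample data
    return datetime.strptime("2009 " + text, "%Y %b %d %H:%M:%S")

def normalize(fw_lines, dhcp_lines, host_lines):
    """Normalization: parse each vendor format into one common event schema."""
    events = []
    for m in filter(None, map(FW_RE.match, fw_lines)):
        events.append({"type": "net", "ts": _ts(m[1]), "src_ip": m[2], "dst_ip": m[3], "dport": int(m[4])})
    for m in filter(None, map(DHCP_RE.match, dhcp_lines)):
        events.append({"type": "lease", "ts": _ts(m[1]), "ip": m[2], "host": m[3]})
    for m in filter(None, map(LOGIN_RE.match, host_lines)):
        events.append({"type": "login", "ts": _ts(m[1]), "host": m[2], "user": m[3]})
    return events

def attribute(net, events, window=timedelta(hours=8)):
    """Correlation: src IP -> host (latest lease before the event) -> user (latest login in window)."""
    t = net["ts"]
    leases = [e for e in events if e["type"] == "lease" and e["ip"] == net["src_ip"] and e["ts"] <= t]
    if not leases:
        return None  # no address-to-host mapping: identity cannot be established
    host = max(leases, key=lambda e: e["ts"])["host"]
    logins = [e for e in events if e["type"] == "login" and e["host"] == host and t - window <= e["ts"] <= t]
    if not logins:
        return None  # host known, but nobody logged in within the window
    return {"user": max(logins, key=lambda e: e["ts"])["user"], "host": host,
            "src_ip": net["src_ip"], "dst_ip": net["dst_ip"], "dport": net["dport"], "ts": t}

def attribute_all():
    """Run the pipeline over the sample logs; one result (or None) per network event."""
    events = normalize(FIREWALL_LOG, DHCP_LOG, HOST_LOG)
    return [attribute(e, events) for e in events if e["type"] == "net"]
```

The second firewall event stays unattributed because no lease ties 10.1.2.40 to a host, which is exactly the gap the article warns about when a device is not logging what the correlation needs.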

Which SIEM Product is Right for Me?

The SIEM product that is right for you all depends on your overall goals. However, for tying a person to their activities on your network, any good SIEM product will get the job done.

When selecting a SIEM product, be diligent in defining your overall needs and perform in-depth research. A beneficial technique is to research what others have to say about the products. A good resource for this is the WhatWorks series from SANS. You can find many security topics and products covered from a neutral perspective. Listen to people who have gone through the process you are preparing to go through and learn from their experiences.

Another good option is to look to reports by top consulting agencies, such as Gartner. Companies such as Gartner provide research and insight into core components of products and which capabilities are critical to have. Leverage these types of reports to your benefit. Getting the reports straight from Gartner may not be free, but often these reports are available through vendors of the products.

Conclusion

On today's corporate networks, there is a lot of activity. In real time, this activity is impossible to make sense of using manual investigation techniques. We must utilize technology to collect, monitor and analyze the information that is made available to us through various logging capabilities. SIEM technology is a good choice for helping us accomplish our goal of tying a person to the activity we are seeing, and ultimately knowing what individuals are doing with certainty.

Resources

Gittlen, S. (2008, October 09). Security information and event management: finding the proverbial needle. Retrieved from http://www.networkworld.com/supp/2008/100908-trendwatch-siem.html

Security Matters Mag. (n.d.). Security matters: Q&A with Reed Henry, ArcSight. Retrieved from http://www.securitymattersmag.com/security-matters-magazine-article-detail.php?id=444

Northcutt, S. (2009, April). Tying log management and identity management shortens incident response. Retrieved from http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1351973_mem1,00.html?ShortReg=1&mboxConv=searchSecurity_RegActivate_Submit&

Franklin Jr., C. (2008, January 08). Security information management. Retrieved from http://www.infoworld.com/d/security-central/security-information-management-343

Nicolett, M, & Kavanagh, KM. (2009, May 29). Security information management. Retrieved from http://www.loglogic.com/2009_GartnerMQ_Report/?utm_source=google&utm_medium=cpc&utm_content=GARTNERSIEM_SIEMMQ&utm_campaign=G_Gartner2009SIEM_NA_Search

SANS Institute (2009). SANS: Internet security tools that work. Retrieved from SANS WhatWorks
