Intelligent logging server: “SIEM for the poor” (Jan Vykopal, Martin Juřen et al.), presentation slides


SLIDE 1

Introduction Use case: cyber attack detection

Intelligent logging server

“SIEM for the poor”

Jan Vykopal, Martin Juřen, Daniel Kouřil, Tomáš Kubina, Michal Procházka, Martin Drašar

Masaryk University, Brno, Czech Republic

CYTER 2010 Prague, June 23–24, 2010

SLIDE 2

Outline:
  • Introduction
  • Use case: cyber attack detection

SLIDE 4

Intelligent logging server (ILS)

A useful tool for intrusion detection and forensic analysis that:

  • Enables earlier and more accurate detection of cyber attacks.
  • Integrates outputs from separate ICT monitoring systems.
  • Is based on free (and open-source) components.
  • Reduces the total count of relevant messages and the possible false positives.
  • Supports network hierarchy, so it is suitable for large networks.
  • Also detects system misconfiguration.
SLIDE 5

ILS as a central monitoring point I

  • Supervises the network infrastructure: servers, IDS, honeypots, ...
  • Centrally stores the log files that attackers destroy on compromised hosts (allows forensic analysis).
  • Can reveal malicious activities that are invisible at host level (e.g., distributed attacks).
  • Uses additional data sources such as public blacklists.
  • Logs are sent via a secure channel to ensure message integrity and authentication.

SLIDE 6

ILS as a central monitoring point II

SLIDE 7

ILS development as a project I

  • Small project funded by the Development Fund of CESNET and Masaryk University.
  • Our prototype is aimed at the Linux operating system family.
  • Should be easy to deploy in a real-life network infrastructure.
  • Project period: 09/2009–11/2010.
  • Output available under the BSD license: software package and deployment guide, including probe configuration.

SLIDE 8

ILS development as a project II

  • Done:
    • project specification: ”core” protocol: Syslog; correlation: Simple Event Correlator
    • central log storage deployment (Linux server with RAID)
    • honeypot deployment (honeyd, VMware + Sebek + database of attempted passwords)
    • deployment of the public blacklist correlation engine
    • integration of a flow-based IDS
    • attack detection modules
  • In progress:
    • presentation layer
    • deployment of the whole system in the Masaryk University network

SLIDE 9

Use case: Unauthorized access to computer system

  • network reconnaissance by attacker
  • online distributed dictionary attack
  • successful breach
  • destruction of evidence
  • . . .
SLIDE 15

Incident handling without ILS

Somebody or some devices report several separate alerts, each of which is treated as its own cyber attack.

  • (distributed) port scanning captured by firewall/IDS
  • (distributed) dictionary attack (not) detected at host
  • breach is locally logged as well as many other events
  • attacker stealthily destroys local log files

We do not know of any connection between these events.

SLIDE 21

Incident handling with ILS

ILS reports only one alert, i.e., one cyber attack.

  • port scanning is reported to ILS
  • ILS creates context
  • assigns other reported events to this context
  • destroyed logs can be accessed later in ILS data storage

Events are correlated, one incident is reported and all evidence is kept.
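The correlation flow on this slide (a port scan opens a context, later events on the same target are attached to it, and one incident is reported with all evidence retained), together with the public-blacklist enrichment from slide 5, as an added Python example. This is not the ILS project's code and not a Simple Event Correlator rule set; the syslog-style sample lines, the hostnames and addresses, the HOSTS probe inventory, the BLACKLIST set, the 30-minute window and the message formats are all constructed assumptions.

```python
"""Toy context-based event correlator illustrating the ILS incident-handling use case.

Added example (not the project's code): a syslog-style parser, a blacklist lookup
and a correlator that turns the port scan, the distributed dictionary attack, the
breach and the log wipe into ONE incident while keeping every event as evidence.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample input: lines a central collector might receive (hosts, IPs, PIDs made up).
SAMPLE_LOGS = """\
Jun 23 10:01:05 fw1 snort[2201]: PORTSCAN from 203.0.113.7 to 192.0.2.10
Jun 23 10:03:12 srv1 sshd[4312]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 23 10:03:14 srv1 sshd[4313]: Failed password for root from 203.0.113.8 port 51030 ssh2
Jun 23 10:03:15 srv1 sshd[4314]: Failed password for admin from 203.0.113.9 port 51041 ssh2
Jun 23 10:04:00 srv2 sshd[777]: Failed password for bob from 198.51.100.5 port 40000 ssh2
Jun 23 10:05:40 srv1 sshd[4390]: Accepted password for root from 203.0.113.7 port 51100 ssh2
Jun 23 10:06:02 srv1 auditd[511]: unlink /var/log/auth.log uid=0 pid=4402
Jun 23 10:30:00 srv1 cron[600]: (root) CMD (run-parts /etc/cron.hourly)
"""

BLACKLIST = {"203.0.113.8", "203.0.113.9"}            # constructed stand-in for a public blacklist feed
HOSTS = {"srv1": "192.0.2.10", "srv2": "192.0.2.11"}  # constructed probe inventory: hostname -> address
WINDOW = timedelta(minutes=30)                         # assumed: how long a context stays open after a scan
YEAR = 2010                                           # BSD syslog timestamps carry no year; assumed

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Event kinds mapped to the stages of the unauthorized-access use case (slide 9).
STAGE = {"portscan": "reconnaissance", "auth_fail": "dictionary attack",
         "auth_ok": "breach", "log_tamper": "evidence destruction"}


@dataclass
class Event:
    ts: datetime
    host: str            # reporting host
    kind: str            # portscan / auth_fail / auth_ok / log_tamper / other
    src: Optional[str]   # attacker address, if the message names one
    target: str          # address of the attacked system
    raw: str             # original line, kept verbatim as evidence


@dataclass
class Incident:
    target: str
    opened: datetime
    events: list = field(default_factory=list)
    sources: set = field(default_factory=set)

    @property
    def stages(self) -> list:
        """Attack stages seen, in order of first appearance."""
        seen: list = []
        for e in self.events:
            s = STAGE.get(e.kind)
            if s and s not in seen:
                seen.append(s)
        return seen

    @property
    def blacklisted(self) -> set:
        return self.sources & BLACKLIST


def classify(prog: str, msg: str) -> str:
    if "PORTSCAN" in msg:
        return "portscan"
    if prog == "sshd" and msg.startswith("Failed password"):
        return "auth_fail"
    if prog == "sshd" and msg.startswith("Accepted password"):
        return "auth_ok"
    if prog == "auditd" and "/var/log" in msg:
        return "log_tamper"
    return "other"


def parse(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    kind = classify(m["prog"], m["msg"])
    ips = IP_RE.findall(m["msg"])
    src = ips[0] if ips else None
    # A scanner alert names its target; host logs are about the reporting host itself.
    target = ips[1] if kind == "portscan" and len(ips) > 1 else HOSTS.get(m["host"], m["host"])
    return Event(ts, m["host"], kind, src, target, line)


def correlate(text: str):
    """Group events into per-target incidents; return (incidents, uncorrelated events)."""
    incidents: list = []
    uncorrelated: list = []
    open_ctx: dict = {}   # target -> currently open Incident
    for line in text.splitlines():
        ev = parse(line)
        if ev is None or ev.kind == "other":
            continue          # noise is left out of the alert (the log store still keeps it)
        ctx = open_ctx.get(ev.target)
        if ctx is not None and ev.ts - ctx.opened > WINDOW:
            del open_ctx[ev.target]   # context expired; a new scan must reopen it
            ctx = None
        if ctx is None:
            if ev.kind != "portscan":
                uncorrelated.append(ev)   # nothing to tie this event to (yet)
                continue
            ctx = Incident(ev.target, ev.ts)
            open_ctx[ev.target] = ctx
            incidents.append(ctx)
        ctx.events.append(ev)
        if ev.src:
            ctx.sources.add(ev.src)
    return incidents, uncorrelated


if __name__ == "__main__":
    found, rest = correlate(SAMPLE_LOGS)
    for inc in found:
        print(f"INCIDENT target={inc.target} stages={inc.stages} "
              f"sources={sorted(inc.sources)} blacklisted={sorted(inc.blacklisted)}")
        for e in inc.events:
            print("   evidence:", e.raw)
    print(f"{len(rest)} event(s) left uncorrelated")
```

Run stand-alone, the eight sample lines collapse into a single incident against 192.0.2.10 whose stages read reconnaissance, dictionary attack, breach, evidence destruction; the three scanning and guessing sources are listed, two of them flagged by the blacklist, and the deleted auth.log entries survive in the incident's evidence list. The lone failed login on srv2 stays uncorrelated because no scan opened a context for that host, which is the same judgement an analyst would make by hand.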

SLIDE 22

Summary: incident handling with and without ILS

With ILS:
  • Events are correlated
  • Only one dashboard
  • Utilization of public blacklists
  • Retaining all logs for forensic analysis

Without ILS:
  • Several alerts relevant to one attack
  • Several different systems
  • Local logs prone to destruction

SLIDE 23

Questions & Answers

Intelligent logging server

Jan Vykopal et al. vykopal@ics.muni.cz