Thursday, September 21, 2006

The Art of Digital War - [Part 3] Abstract Data Types in the Security Domain

Part 1 / Part 2 / Part 3 / Part 4

Abstract Data Types in the Security Domain


The objective of this section is to identify the key abstract data types required to handle any type of security related data to identify the Digital Intrusions / Extrusions and take necessary remediation process to mitigate those attacks.

Handling of millions of network events (generated by Routers, Firewalls, IDS/IPS etc) per day is one of the key elements of all the Security Management solutions. Other set of information collected for processing and mining the attack pattern involves OS logs, vulnerability information of an asset, network topology, Asset Database, Identity Management systems and Application Logs. So you end up having lot of different data types. One of the biggest challenges is to normalize this information across the vendors. However, before the normalization process the key element is to identify and classify the data types.
So, let me start with two fundamental data types and let us see how these data fits into all the data sources available from different vendors and creates Digital ‘Conversations’. Following are the two abstract data types.

1. Entities
2. Atomic Events

Entity[1]

An Entity is a ‘thing’ in the system with a certain properties. For example An ‘Asset’ (a machine) with a set of services (applications) running (listening on a port), or a ‘User’ with one or more roles and privileges or an ‘Application’ which is farmed out on a server farm. Attributes of an Entity usually remain static (for certain Entities static attributes also changes frequently) while state of an Entity changes frequently.

The first diagram shows the Attributes and States of an Asset (Financial Server) as an Entity. OS, Services and the CVE information is for illustration purposes only. Understanding an Asset and the services it supports is the key to figure out what needs to be protected on Network. Behind every Asset (or Services to be specific) you have very
important data. Services (any application listening on a port) are the doors to the world. Any SOC (Security Operation Center) Analyst must have a clear understanding of the Key Assets and Services on the network.

The second diagram shows the Attributes and States of a User as an Entity. User, applications and CVE ID for illustration purposes only.

In the same line you can create an Application as an Entity with vulnerability profiles and network
characteristics (like how does it communicates in the network and with what protocols and what kind of services it provides, impact of these protocols/services in the event of a failure etc).
The third diagram illustrates an Intruder as an Entity with a certain characteristics like Intruder Classification (Internal / External or an Automated) impact of the attacks, Attack sophistication etc. All the these characteristics with Attack behaviors and recent states of the Intruder (which includes the recent attack history, damage caused, number of incident cases results in creating a normalized Threat Score for the Intruder which is on a scale of 1-10 with 10 as the Highest Threat. Threat modeling for an Intruder is the key to identify its (Intruder’s) threat to an Enterprise.
The fourth diagram shows Virus / Worm as an Entity and its potential attributes which describes its Infection and Attack Behaviors and its ability to cause damages in the enterprise. Classification of Virus and Worms and creating a Virus Entity database helps in recognizing the similar patterns and do predictive analysis on the future Viruses and BOT threats.
So, the idea of an Entity is clear it’s identifying the ‘thing(s)’ internal / external to your enterprise with a certain set of characteristics. As I mentioned in the first part of this series, the key is Identifying your Assets (Know yourself) and identifying the Intruders (Know your Enemy). Depends on the Enterprise Network size the types Entities will wary, however the key Entities identified in this section remains same (may be with more attributes and states). Now let us look at what’s an Atomic Event and how does it ties two entities together.


Atomic Event

An Atomic Event is created when any of the two entities talks to each other. Atomic Events can’t be broken down further. For Example a Firewall Network Status Event (Connection open or Connection closed Event). Collecting millions of these Atomic Events from hundreds of security devices was a huge task in late 1990’s and early 2000. First generation of the Security Data Management Vendors concentrated on this task and did a pretty good job in collecting and centrally managing all the Atomic Events. Correlation technologies correlate these Atomic Events giving more value to the end users in identifying the internal or external threats. 90% of the Atomic Events are noise. However, these technologies need to move from Event Management to Entity Management resulting in creating environment specific context sensitive conversations.


So, the bottom line is you can’t create Atomic Events without entities. Here are the some of the examples of Atomic Events by connecting two Entities.

PIX Firewall Message
2004 21:19:23: %PIX-2-106001: Inbound TCP connection denied from 172.12.10.146/2493 to 172.169.110.21/80 flags SYN on interface outside
2004 21:19:23: %PIX-2-106001: Inbound TCP connection denied from 172.12.10.146/2494 to 172.169.110.22/80 flags SYN on interface outside
2004 21:19:23: %PIX-2-106001: Inbound TCP connection denied from 172.12.10.146/2495 to 172.169.110.23/80 flags SYN on interface outside
Conversation

Grouping of Atomic Events in a specific environment (Zones) and context creates a conversation. Read the
Part 2 of this series to know more about various types of Conversations. Entities, Atomic Events, Context Sensitive Conversations will give more accurate Enterprise Security Posture to CSO / CISO.

References

[1] The Merriam Webster definition for an Entity is
independent, separate, or self-contained existence
the existence of a thing as contrasted with its attributes
something that has separate and distinct existence and objective or conceptual reality

Work in Progress ......