1. Pattern Detectors
We call Detectors any program that listens on the Rimici Secure Cloud network, on a socket or on a log file, searching for patterns and producing security events when they match.
Most traditional detector functionality is based on patterns, and the best example is an IDS (Intrusion Detection System), which detects patterns defined by signatures or rules.
Almost any element in our cloud network, such as a router, a workstation or a firewall, has some capacity for security pattern detection. Those elements usually generate logs of the produced events (matched patterns), and we collect this useful information for the correlation engines.
Pattern Detectors included in RIMICI “ONE Source” Security Operations Center
OSSIM includes some open source pattern detectors which are installed on OSSIM Sensors.
The basic pattern detector included within OSSIM is the Snort NIDS (Network Intrusion Detection System). Snort itself includes various preprocessors for attack detection.
Other detectors included are the Snare and Osiris HIDSs (Host Intrusion Detection Systems).
RIMICI “ONE Source” Security Operations Center also includes a Collection System which allows for data gathering from many other external devices.
This Collector System is fed by Plugins which make it possible to receive data from external systems such as Windows, Linux and other Unix operating systems, firewalls such as Checkpoint, or network devices like Cisco.
It also includes a customizable plugin architecture which makes it very easy to create a specific plugin for any application or device.
2. Anomaly Detectors
The ability to detect anomalies is more recent than pattern matching. In this case we do not have to tell the detection system what is good and what is bad; it can learn by itself and alert us when behaviour statistically deviates enough from what it has learnt as normal behaviour.
Anomaly Detection provides a point of view that is both different from and complementary to pattern detection.
This technique provides a solution —beyond reach until recently— for access control of privileged users, as in internal attacks, for example by disloyal employees, where no policy is violated and no exploit is carried out, yet which represent an anomaly in the use, and manner of use, of a service.
Now let’s look at some examples where anomaly detectors can be useful in the Rimici Secure Cloud:
- A new attack for which there are still no signatures could produce an obvious anomaly yet circumvent pattern detection systems.
- A worm that has been introduced into the organization, malware, a spamming attack, and even the use of P2P programs would generate a number of anomalous connections that are easy to detect.
- We likewise detect:
1. Use of services that is abnormal in origin and destination
2. Use at abnormal times
3. Excess use of traffic or connections
4. Changes in a machine’s operating system, ip, mac, service
3. Anomaly Detectors included in RIMICI “ONE Source” Security Operations Center
RIMICI “ONE Source” Security Operations Center differs from most SIM products in its wide use of anomaly detection. The following open source products, included in the OSSIM compilation, are used for anomaly detection:
- Detects unusual connections by port used and destination.
- Aberrant Behavior plugin learns usage parameters and alerts when they deviate from the predicted behaviour.
- Ability to detect MAC spoofing.
- Ability to detect Operating System changes.
- Ability to detect new Network Services that may appear or change.
1. Network Monitoring
At Rimici Secure Cloud Data Center, we believe that monitoring is essential for a security system; in its absence the security administrator would be blind to past events, would not be able to distinguish between normal and abnormal activity, and would not be able to see the network, like a traffic cop on a pitch black road.
RIMICI “ONE Source” Security Operations Center differs from most cloud security services in that it can correlate information from both detectors and monitors, allowing us to create very rich and useful Correlation Directives.
Usage Profiles and Session Monitoring
RIMICI “ONE Source” Security Operations Center monitors create a Usage Profile of every host in the network with the following information:
- Network usage information about the machine, such as the number of bytes transmitted over time.
- Information about service activity, for example “uses mail, pop and http”.
- Real-time session monitoring, which provides a snapshot of the sessions in which hosts are participating.
RIMICI “ONE Source” Security Operations Center provides these three monitoring capabilities using the passive monitor, which can act as a sniffer and sees the network situation at the highest degree of detail.
Flows give statistical traffic information such as origin, destination, ports, traffic volume and duration.
Many network devices such as Cisco routers have Flow agents embedded in their operating system, which makes it easy to implement fast and wide network analysis.
Flows give less detailed information than sniffers but allow distributed monitoring without having to deploy local Sensors in each domain of the network.
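The usage-profile and anomaly-detection ideas above (per-host bytes over time and services used; alerts on abnormal origin/destination, abnormal times and excess traffic) can be shown together on flow records. The following is an added example written for this page, not OSSIM or RIMICI code; the flow records are constructed inline in the shape a flow collector or the passive monitor would deliver, and the thresholds (five times the learnt daily average) are assumptions, not product defaults.

```python
"""Usage profiles and flow-based anomaly detection.

Added example, not OSSIM or RIMICI code. Flow records are constructed inline
in the shape a flow collector (or the passive monitor) would deliver:
timestamp, source, destination, destination port, bytes. A per-host profile
is learnt from a training window; new flows are then checked for a service
the host never used, activity at an hour it was never active, and a daily
byte count far above its learnt average.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class HostProfile:
    services: set = field(default_factory=set)      # destination ports the host uses
    hours: set = field(default_factory=set)         # hours of day with activity
    bytes_per_day: dict = field(default_factory=lambda: defaultdict(int))


def build_profiles(flows):
    """Learn a usage profile for every source host seen in the training flows."""
    profiles = defaultdict(HostProfile)
    for f in flows:
        p = profiles[f.src]
        p.services.add(f.dport)
        p.hours.add(f.ts.hour)
        p.bytes_per_day[f.ts.date()] += f.nbytes
    return dict(profiles)


def detect_anomalies(profiles, flows, byte_factor=5.0):
    """Return (host, reason) alerts for flows deviating from the learnt profile."""
    alerts = []
    day_bytes = defaultdict(int)   # (host, day) -> bytes seen so far today
    reported = set()               # (host, day) already flagged for excess traffic
    for f in flows:
        p = profiles.get(f.src)
        if p is None:
            alerts.append((f.src, "unknown host"))
            continue
        if f.dport not in p.services:
            alerts.append((f.src, f"new service tcp/{f.dport} to {f.dst}"))
        if f.ts.hour not in p.hours:
            alerts.append((f.src, f"activity at abnormal hour {f.ts.hour:02d}:00"))
        key = (f.src, f.ts.date())
        day_bytes[key] += f.nbytes
        baseline = mean(p.bytes_per_day.values())
        if key not in reported and day_bytes[key] > byte_factor * baseline:
            reported.add(key)
            alerts.append((f.src, f"excess traffic: {day_bytes[key]} bytes vs baseline {baseline:.0f}"))
    return alerts


def run_example():
    """Constructed data: three days of office-hours mail/web use, then a night-time burst."""
    host, mail, web = "10.0.0.5", "10.0.0.10", "93.184.216.34"
    training = []
    for day in range(3):
        base = datetime(2024, 1, 8) + timedelta(days=day)
        training += [
            Flow(base.replace(hour=9), host, mail, 25, 20_000),
            Flow(base.replace(hour=10), host, mail, 110, 30_000),
            Flow(base.replace(hour=14), host, web, 80, 50_000),
        ]
    profiles = build_profiles(training)
    new_flows = [
        Flow(datetime(2024, 1, 11, 3), host, "203.0.113.7", 6881, 800_000),  # unseen port at 03:00
        Flow(datetime(2024, 1, 11, 10), host, mail, 110, 3_000),             # normal use
        Flow(datetime(2024, 1, 11, 11), "10.0.0.9", web, 80, 1_000),         # host never profiled
    ]
    return detect_anomalies(profiles, new_flows)


if __name__ == "__main__":
    for host, reason in run_example():
        print(host, reason)
```

The first new flow trips all three checks (new service, abnormal hour, excess traffic), the second is within profile and stays silent, and the third comes from a host with no profile at all, which a real deployment would feed into the inventory rather than alert on blindly.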
2. Availability Monitoring
Availability information is important to detect Denial of Service attacks.
RIMICI “ONE Source” Security Operations Center includes the Nagios availability monitor, capable of checking, displaying and reporting host and network unavailability.
RIMICI “ONE Source” Security Operations Center includes a plugin that is capable of collecting these events and including them in the correlation, reporting and decision-making processes.
3. Customized Rimici Secure Cloud Monitoring
RIMICI “ONE Source” Security Operations Center has a Customized Monitor that extracts any parameter we want to gather, filters and consolidates it, and sends this information to the Server to be processed by the higher-level processes.
This could be used to launch a cloud scan after a possible host intrusion, or to check the status of a UPS system after an outage event.
Vulnerability Scanners allow the network to be audited from the specific point of view at which they are located.
They search for weaknesses in the target network devices, launching tests or attack simulations to check whether the network, service or application levels are vulnerable from their network point of view.
RIMICI “ONE Source” Security Operations Center includes the enterprise security scanner, the most complete and most widely distributed.
The Scanner is installed on each deployed Sensor or on a central Server depending on the auditing requirements. Scans can be automatically launched by a scheduler.
Individual reports are collected from the Central Server. RIMICI “ONE Source” Security Operations Center maintains a vulnerability list for each host so that Cross Correlation can be performed by the Correlation Engine, and historic vulnerability data for each scanned host/network is also saved.
Automatic Inventory is done at the Sensor level with passive Detectors that observe all the traffic. This inventory mechanism is also implemented on the Server by Network Scanners that can actively find hosts and services from a central point. Both methods automatically feed the Inventory database with the following information:
- OS Type and Version
- Service Type and Version
- Mac and IP Addresses
RIMICI “ONE Source” Security Operations Center implements Automatic Inventory using the following programs:
- An agentless Network Scanner
- An agentless passive OS detector
- An agentless passive Services detector
- An agentless passive ARP detector
- OCS as an agent
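The passive side of the inventory, and the MAC-spoofing, OS-change and new-service anomalies listed earlier, come down to keeping the last known state per IP and emitting an event when it changes. The following is an added example written for this page, not the product's own inventory code; the observation records are constructed inline in the shape a passive ARP, OS or service detector might report, and the field names are assumptions.

```python
"""Passive inventory with change detection.

Added example, not the product's own code. Observations are constructed inline
in the shape a passive ARP, OS or service detector would report. The inventory
keeps the last known MAC, OS and service set per IP and emits an event when a
host appears, a MAC or OS changes, or a service appears or changes version.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HostRecord:
    mac: Optional[str] = None
    os: Optional[str] = None
    services: dict = field(default_factory=dict)   # port -> "name version"


class Inventory:
    def __init__(self):
        self.hosts = {}     # ip -> HostRecord
        self.events = []    # (ip, event type, detail), in order of detection

    def _emit(self, ip, kind, detail):
        self.events.append((ip, kind, detail))

    def observe(self, obs):
        """Update the inventory from one detector observation (a dict with a 'kind')."""
        ip = obs["ip"]
        rec = self.hosts.setdefault(ip, HostRecord())
        if obs["kind"] == "arp":
            if rec.mac is None:
                self._emit(ip, "new host", obs["mac"])
            elif rec.mac != obs["mac"]:
                # Same IP now answering from another MAC: candidate MAC spoofing (or a NIC swap)
                self._emit(ip, "mac changed", f"{rec.mac} -> {obs['mac']}")
            rec.mac = obs["mac"]
        elif obs["kind"] == "os":
            if rec.os is None:
                self._emit(ip, "os detected", obs["os"])
            elif rec.os != obs["os"]:
                self._emit(ip, "os changed", f"{rec.os} -> {obs['os']}")
            rec.os = obs["os"]
        elif obs["kind"] == "service":
            port, sv = obs["port"], f"{obs['name']} {obs['version']}"
            old = rec.services.get(port)
            if old is None:
                self._emit(ip, "new service", f"tcp/{port} {sv}")
            elif old != sv:
                self._emit(ip, "service changed", f"tcp/{port} {old} -> {sv}")
            rec.services[port] = sv
        else:
            raise ValueError(f"unknown observation kind {obs['kind']!r}")


def run_example():
    """Constructed observation stream for one host, including a MAC and an OS change."""
    inv = Inventory()
    stream = [
        {"kind": "arp", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
        {"kind": "os", "ip": "10.0.0.5", "os": "Linux 2.6"},
        {"kind": "service", "ip": "10.0.0.5", "port": 22, "name": "OpenSSH", "version": "5.3"},
        {"kind": "arp", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},   # unchanged: no event
        {"kind": "arp", "ip": "10.0.0.5", "mac": "aa:bb:cc:dd:ee:ff"},   # MAC changed
        {"kind": "os", "ip": "10.0.0.5", "os": "Windows XP"},            # OS changed on same IP
        {"kind": "service", "ip": "10.0.0.5", "port": 22, "name": "OpenSSH", "version": "7.4"},
        {"kind": "service", "ip": "10.0.0.5", "port": 80, "name": "Apache", "version": "2.4"},
    ]
    for obs in stream:
        inv.observe(obs)
    return inv.events


if __name__ == "__main__":
    for ip, kind, detail in run_example():
        print(ip, kind, detail)
```

A repeated, identical observation produces no event, so the stream can be fed continuously from the sensor; only transitions reach the correlation engine, and a MAC or OS change on an IP that did not get a DHCP lease change is exactly the kind of event worth cross-correlating with the vulnerability list for that host.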
The Collection process unifies security events from all critical systems throughout the Rimici secure cloud, in a single format on just one console.
With those unified events we are able to observe the whole security status at a particular moment in time —wherever the events come from: a router, a firewall, an IDS, or a UNIX server— on the same screen, shown in the same unified format.
Data gathering can be done in two ways on the sensor side:
- Sending the data from the host to be analyzed, using a native protocol, to the nearest sensor, which acts as a concentrator.
- Installing agents on the host to be analyzed, all of which send data to the sensor.
1. RIMICI “ONE Source” Security Operations Center Agent and Plugins
RIMICI “ONE Source” Security Operations Center has a process called Agent installed on all RIMICI security Sensors.
The Agent has a number of Plugins which parse all the specific events for a system; typical plugins are Windows, Checkpoint or Cisco.
There is a Customizable Plugin which makes it easy to gather information from any application or device.
2. Collection, Normalization and Priority Policy
Plugins parse the logs and the Agent sends them over the network to the server.
When events arrive at the server, their priority value is normalized.
Normalization is necessary because each detector categorizes priorities or threats differently. For example, the IDS/IPS maximum priority is 3, while Unix has 8 levels. All events are normalized to priority values between 0 and 5.
Normalization tables have default values that administrators can change for each event.
There is also a Policy Panel where priority or threat is contextualized to the network topology, for example assigning higher values to external attacks than to internal ones, and lowering the priority of known false positives.
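The normalization and policy steps just described, as an added example written for this page rather than OSSIM's actual tables: a Snort-style IDS priority 1..3 and the eight syslog severities are mapped onto the 0..5 scale from a per-plugin table, a per-event override stands in for the administrator's table changes, and a topology policy raises events from external sources by one step. Table values, network ranges and sample events are constructed.

```python
"""Priority normalization and topology policy.

Added example, not OSSIM's real normalization tables. Two detector scales are
modelled: a Snort-style IDS priority 1..3 (1 = most severe) and the eight
syslog severities 0..7 (0 = emergency). Both are mapped onto the unified
0..5 scale, then a policy raises events from external sources and pins a
known false positive at 0. Table values and sample events are constructed.
"""
import ipaddress

# Default normalization tables (constructed); an administrator would change these per event.
IDS_TABLE = {1: 5, 2: 3, 3: 1}
SYSLOG_TABLE = {0: 5, 1: 5, 2: 4, 3: 3, 4: 2, 5: 1, 6: 0, 7: 0}

# Per-event override: (plugin, signature id) -> fixed priority. The id below is a placeholder
# for a signature the administrator has classified as a known false positive.
EVENT_OVERRIDES = {("snort", 1000001): 0}

# Assumed internal address space for the topology policy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def normalize(event):
    """Map a detector's native priority onto the 0..5 unified scale."""
    key = (event["plugin"], event["sid"])
    if key in EVENT_OVERRIDES:
        return EVENT_OVERRIDES[key]
    if event["plugin"] == "snort":
        return IDS_TABLE[event["priority"]]
    if event["plugin"] == "syslog":
        return SYSLOG_TABLE[event["severity"]]
    raise ValueError(f"no normalization table for plugin {event['plugin']!r}")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def apply_policy(event, priority):
    """Contextualize: external sources count one step higher, capped at 5; overrides stay as set."""
    if (event["plugin"], event["sid"]) in EVENT_OVERRIDES:
        return priority
    if not is_internal(event["src"]):
        return min(5, priority + 1)
    return priority


def process(events):
    """Return (sid, normalized priority, policy-adjusted priority) for each event."""
    result = []
    for e in events:
        norm = normalize(e)
        result.append((e["sid"], norm, apply_policy(e, norm)))
    return result


SAMPLE_EVENTS = [  # constructed
    {"plugin": "snort", "sid": 2001, "priority": 1, "src": "203.0.113.9"},    # severe, external
    {"plugin": "snort", "sid": 2002, "priority": 2, "src": "203.0.113.9"},    # medium, external
    {"plugin": "snort", "sid": 2002, "priority": 2, "src": "10.0.0.7"},       # medium, internal
    {"plugin": "syslog", "sid": 100, "severity": 4, "src": "10.0.0.3"},       # warning, internal
    {"plugin": "snort", "sid": 1000001, "priority": 1, "src": "203.0.113.9"}, # known false positive
]

if __name__ == "__main__":
    for sid, norm, final in process(SAMPLE_EVENTS):
        print(sid, norm, final)
```

The same Snort signature (sid 2002) ends up at 4 from an external source and 3 from an internal one, which is the topology contextualization the Policy Panel performs; the override short-circuits both steps so that a false positive cannot be promoted back up by the policy.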
3. Implementing a Collection Policy
It is possible to install a Priority Policy and Correlation Directives on each sensor to filter and control the amount and type of events that will be collected.
We can, for example, consolidate a large number of similar events and send a single one.
We can also evaluate Instant Risk at the sensor level and collect only the important events.
The Priority Policy can be downloaded from a parent server so the sensor won’t need database access, and a global Priority Policy can be used on a central server for all
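The consolidation step of a sensor-side collection policy (many similar events collapsed into one before they leave the sensor), as an added example written for this page and not the product's own collection code. Events are grouped by plugin, signature id, source and destination within a time window; the window length, event fields and the sample burst are constructed.

```python
"""Sensor-side consolidation of similar events.

Added example, not the product's own collection policy. Events sharing plugin,
signature id, source and destination within a time window are collapsed into
one event carrying a count and the first/last timestamps, so a burst of
identical alerts reaches the server as a single event. Input is constructed.
"""
from collections import OrderedDict


class Consolidator:
    def __init__(self, window_seconds=60):
        self.window = window_seconds
        self.open = OrderedDict()   # key -> aggregate still collecting events
        self.out = []               # consolidated events ready to send to the server

    @staticmethod
    def _key(e):
        return (e["plugin"], e["sid"], e["src"], e["dst"])

    def add(self, e):
        """Fold one raw event into the open aggregate for its key; emit it when the window expires."""
        k = self._key(e)
        agg = self.open.get(k)
        if agg is not None and e["ts"] - agg["first"] >= self.window:
            self.out.append(self.open.pop(k))
            agg = None
        if agg is None:
            agg = dict(plugin=e["plugin"], sid=e["sid"], src=e["src"], dst=e["dst"],
                       first=e["ts"], last=e["ts"], count=0)
            self.open[k] = agg
        agg["last"] = e["ts"]
        agg["count"] += 1

    def flush(self):
        """Emit whatever is still open (periodic flush or shutdown) and return all output."""
        self.out.extend(self.open.values())
        self.open.clear()
        return self.out


def run_example():
    """Constructed burst: 200 identical alerts, one per second, plus one unrelated event."""
    c = Consolidator(window_seconds=60)
    for t in range(200):
        c.add({"ts": t, "plugin": "snort", "sid": 2003, "src": "10.0.0.5", "dst": "10.0.0.10"})
    c.add({"ts": 199, "plugin": "snort", "sid": 2003, "src": "10.0.0.6", "dst": "10.0.0.10"})
    return c.flush()


if __name__ == "__main__":
    for e in run_example():
        print(e["src"], e["sid"], "count", e["count"], "window", e["first"], "-", e["last"])
```

Two hundred and one raw events leave the sensor as five, and each consolidated event still carries the count and time span, so nothing needed for correlation or Instant Risk at the server is lost; the unrelated event from the second host is not merged because the grouping key includes the source.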