Content Awareness

Content Aware SIEM

Content Aware SIEM™ represents a new generation of Security Information and Event Management (SIEM) capabilities that extend the value and benefits of SIEM by providing visibility into the contents of applications, documents and protocols. Without content awareness, SIEM is only able to act upon the surface details provided by logs.

This limits the effectiveness of key SIEM functionalities—including threat detection, incident response, and compliance reporting—because the data being used for analysis lacks sufficient context to make informed, relevant decisions.

Consider a book. A book is a collection of pages bound by a cover. At first glance, we know very little about what's inside. There is a title, an author, an ISBN, and a price. There is also a table of contents that organizes the text into chapters and provides an idea of what the book is about. There are also reviews, ratings, and possibly recommendations for other titles.

Ultimately, however, the only way to truly understand the book is to read it.

The same is true of security information and event management: while logs are needed, and enriching those logs with context is extremely valuable, nothing can replace the insight provided by true content analysis.


NitroView makes managing security and event data as easy as selecting a book from an online retailer. This is done by providing the same easy access to the information that you need in order to make a decision:

  • Log files, which provide a summary of high-level details
  • The added context around an event, such as whether the target of the event was vulnerable, contained information that is protected by compliance, the authority of the user, etc.
  • The contents, including the actual payload of application traffic and the structure of its underlying protocols.

Analyzing log files provides the least level of detail. Using the analogy of an online retailer, log files might include the book title, ISBN, and price. Typical log file details include:

  • Proxy logs: these logs contain information about internet connectivity through the proxy server; what sites the user went to and sometimes which actions the user performed on each site.
  • Email server logs: these logs contain information about sent and received email, the sender's and the recipients' addresses, errors, message sizes and other parameters of email messages.
  • Netflow: similarly, netflow records contain information about systems connecting to other systems and include characteristics such as: session time, duration, protocol, packet and byte count.
  • NIDS/NIPS alerts: these alerts and logs contain information about attacks detected or prevented by the systems as well as information about suspicious activities.
  • Application logs: such logs contain literally anything that a developer will put in them, with no standards, limitation or restrictions.
  • Firewalls: firewall logs contain information on connections allowed or blocked by the firewall.
  • Router logs: often disabled, router logs are similar to firewall logs and netflow since they contain connectivity information, as well as access 'permit' and 'deny' events related to network access.
  • Operating system logs such as Windows event logs or Unix/Linux syslog: they contain information about the routine system operations, system access as well as various errors and failures.
  • Database logs: native database logs contain queries and database administration commands.
  • Other: IBM ISS Real Secure Network Sensor; Microsoft Exchange Server, Active Directory; NitroSecurity SNMP

However, despite the source of these log files being applications and databases, they seldom represent actual application activity or data access. They still represent the surface detail; the "title and ISBN" information that is available in the log.

One of the ways SIEM adds value to log management is through the enrichment of log records by adding "context information." Context information is the additional information required to make the limited details available within an event or log more meaningful. Context information does not come from the logs themselves, but originates in the surrounding IT environment, in other information systems inside or outside the organization.

Continuing the analogy of an online retailer: if the book title, price, and ISBN make up the "log record", then customer reviews, prices from other sources, and other available editions are all parts of the book's context. The book's contents would be an example of content information, which is discussed later.

Typical sources of context and the detail they provide include:

  • Windows name services, DNS and NIS servers: to map addresses to names
  • Defined asset groups: Internal or external status of an IP address; Logical or physical meta-groups
  • WHOIS servers: WHOIS information for external addresses shows who owns them and where they are located
  • Geo-location: show the physical location of the system
  • Assets: asset and owner information for internal addresses
  • Active Directory and LDAP servers: to map user names to actual user identities
  • Entitlement servers: to obtain a user's entitlements
  • Asset management systems: to gather information about systems, their ownership, and the compliance relevance of each system or group of systems
  • Attack and exploit information: to gather additional details about the log data
  • VA: Vulnerability assessment information
  • IAM: Identity and Access Management systems provide user policy context within SIEM.
  • CMDB: Configuration Management Database systems provide configuration policy context to SIEM.
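The enrichment step described above, as an added example written for this page (it is not NitroView or NitroSecurity code): one firewall record is parsed for its surface fields and then joined against stand-ins for the context sources listed here (defined internal ranges, name services, asset groups, vulnerability assessment, IAM, WHOIS). The log format, every lookup table, and the priority weights are constructed for illustration.

```python
"""Added example, not NitroView/NitroSecurity code: take the surface details
of one firewall log record and enrich it with context from the kinds of
sources the passage lists. Every lookup table here is constructed sample
data standing in for a real context source."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample firewall record (key=value style; not a real vendor format).
SAMPLE_LOG = ("2024-03-01T10:15:02Z fw01 action=deny src=203.0.113.7 "
              "dst=10.0.5.20 dport=1433 proto=tcp user=jsmith")

# Constructed context sources (assumed, not taken from any real system).
INTERNAL_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # defined asset groups
DNS = {"10.0.5.20": "db-cards-01.corp.example"}                      # name services
ASSET_GROUPS = {"10.0.5.0/24": {"group": "cardholder-data", "owner": "payments-team",
                                "compliance": ["PCI-DSS"]}}          # asset management
VULNS = {"10.0.5.20": ["database listener exposed to untrusted network"]}  # VA results
IAM = {"jsmith": {"identity": "John Smith", "role": "contractor"}}   # IAM / directory
WHOIS = {"203.0.113.0/24": {"org": "Example Transit Ltd", "country": "XX"}}


def parse_log(line):
    """Surface details only: split the record into a dict of fields."""
    timestamp, host, rest = line.split(" ", 2)
    record = {"timestamp": timestamp, "host": host}
    record.update(dict(re.findall(r"(\w+)=(\S+)", rest)))
    return record


def lookup_cidr(table, ip):
    """Return the entry whose network contains ip, or None."""
    addr = ip_address(ip)
    for cidr, info in table.items():
        if addr in ip_network(cidr):
            return info
    return None


def is_internal(ip):
    """Internal/external status comes from the defined asset groups, not from the log."""
    return any(ip_address(ip) in ip_network(c) for c in INTERNAL_RANGES)


def enrich(record):
    """Attach context that the log line itself does not carry."""
    src, dst = record["src"], record["dst"]
    context = {
        "src_internal": is_internal(src),
        "dst_internal": is_internal(dst),
        "dst_name": DNS.get(dst),
        "dst_asset": lookup_cidr(ASSET_GROUPS, dst),
        "dst_vulns": VULNS.get(dst, []),
        "src_whois": None if is_internal(src) else lookup_cidr(WHOIS, src),
        "user": IAM.get(record.get("user")),
    }
    return {**record, "context": context}


def priority(enriched):
    """A priority the bare log could not justify: each context source adds
    weight only when it says something about this event (constructed weights)."""
    ctx = enriched["context"]
    score = 1
    if ctx["dst_asset"] and ctx["dst_asset"]["compliance"]:
        score += 2  # target holds compliance-scoped data
    if ctx["dst_vulns"]:
        score += 2  # target is known vulnerable
    if ctx["dst_internal"] and not ctx["src_internal"]:
        score += 1  # inbound from outside the defined internal ranges
    if ctx["user"] and ctx["user"]["role"] == "contractor":
        score += 1  # lower-trust identity
    return score


if __name__ == "__main__":
    enriched = enrich(parse_log(SAMPLE_LOG))
    print(enriched["context"])
    print("priority:", priority(enriched))
```

The point of the example is the gap between `parse_log` and `enrich`: the same denied connection scores 1 when both ends are ordinary internal hosts and 7 when the destination turns out to be a vulnerable, PCI-scoped database reached from outside by a contractor account. None of that is visible in the record itself.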

Content represents the maximum visibility into an event. Content refers to the payload of applications, i.e., what is actually being communicated, transferred, and shared over the network. Where logs give surface details as to what occurred, content is what defines the actual nature of the activity.

Concluding the analogy of an online retailer, content awareness represents the entire contents of a book: the chapter structure, layout, and every word of text. Content awareness includes:

  • Email contents, including attachments. E.g. Credit card numbers within a PDF that has been zipped and attached to a webmail message.
  • Social network communication. E.g. Sensitive data sent via Facebook email or IM, or posted to a wall.
  • Document contents. E.g. An excel spreadsheet containing bank routing numbers.
  • Database queries, including the size and/or subject matter of their responses. E.g. Queries against database tables containing credit card information, and the results of those queries.
  • IM conversations, including contents and file transfers. E.g. Customer account information being sent outside of the company via IM by a customer service representative as he/she verifies account details on the phone.
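The first two bullets (attachments that have been zipped, and document contents) as an added example that is not NitroView code: a content inspection routine that looks past the log-level facts of an email message (sender, size) into its body and into the members of a zipped attachment, reporting credit card numbers only when they pass the Luhn check. The message, the attachment, the size limit on archive members, and the card-number pattern are all assumptions constructed for this example.

```python
"""Added example, not NitroView code: a content-aware check over an email
message, reaching into a zipped attachment for credit card numbers and
validating candidates with the Luhn check. The message and attachment are
constructed sample data."""
import io
import re
import zipfile

# Assumed pattern: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed limit: do not expand oversized archive members


def luhn_ok(digits):
    """Luhn checksum: weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits in the finding shown to the analyst."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text, source):
    """Report Luhn-valid card numbers found in text, masked."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"source": source, "type": "credit_card", "masked": mask(digits)})
    return findings


def scan_message(body, attachments):
    """Inspect the body and each attachment; open zip containers to reach the
    documents inside, which is where log-level visibility stops."""
    findings = scan_text(body, "body")
    for name, blob in attachments.items():
        if zipfile.is_zipfile(io.BytesIO(blob)):
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for info in zf.infolist():
                    member = f"{name}:{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        # Declared size is too large to expand safely; record it instead of reading it.
                        findings.append({"source": member, "type": "oversized_member_skipped",
                                         "masked": None})
                        continue
                    text = zf.read(info).decode("utf-8", "ignore")
                    findings += scan_text(text, member)
        else:
            findings += scan_text(blob.decode("utf-8", "ignore"), name)
    return findings


def build_zip(files):
    """Helper used only to construct the sample attachment in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, text in files.items():
            zf.writestr(member, text)
    return buf.getvalue()


# Constructed sample message: one card number in the body, two in a zipped CSV
# (the second CSV number fails the Luhn check and must not be reported).
SAMPLE_BODY = ("Hi, the export you asked for is attached. The test order used "
               "card 4111 1111 1111 1111, please confirm.")
SAMPLE_ATTACHMENTS = {"export.zip": build_zip({
    "customers.csv": "id,card\n1,5555555555554444\n2,4111111111111112\n"})}

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(finding)
```

The Luhn check is what keeps the rule usable: without it, order numbers and timestamps of the right length would be reported as cards. Masking in the finding matters too, because the SIEM's own event store should not become another place where full card numbers are kept.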