By Joel Snyder
Information Security, November 2004
Original Article on Information Security Web Site
A well-tuned security information management (SIM) product is a network detective that collects evidence from firewalls, IDSes, routers and switches and sounds an alarm when it sees anomalous events. It correlates data that you may not have time to even look at, much less interpret.
For example, a SIM reading firewall logs may find many short SSH sessions from the Internet to various systems in the corporate network. The traffic is encrypted, so your IDS is blind to it. At the same time, data from routers and switches show a spike in login failures.
The SIM's conclusion: Someone is using SSH to mask a brute-force password attack; the SIM issues an alert.
Using the SIM's forensics capabilities, you can check traffic logs for longer SSH sessions indicating that the attacker guessed right and got into a system. As a result of this incident, you tighten firewall policy to block SSH management from the Internet. You can also refine your SIM's ability to spot future attacks by writing a correlation rule that detects SSH sessions to systems that aren't normally remotely managed.
Another example: by correlating firewall, router and IDS data, your SIM can go beyond the flood of alerts indicating a worm probe in progress and identify a successful attack.
Shortly after the IDS reports a worm signature, the firewall logs show that the outbound connect rate for a particular network server is above historic averages, and router data shows it generating uncharacteristically heavy traffic. The SIM correlates the traffic patterns with the IDS alerts and concludes that the server was successfully attacked by a worm.