Professional Documents
Culture Documents
Theoretical
Theoretical
Theoretical
Foundations
Student Guide
ED-SA-FND-310
Rev P10
DO NOT DUPLICATE
DO NOT DUPLICATE
Notice
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used
herein are the property of their respective owners. For a list of RSA trademarks, go to
www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
ED SA FND 310
P10
Concentrators can pass data (log and packet meta) to the ESA host, where it can be passed
through complex rule-sets to generate timely alerts; to the Broker, where data from multiple
Concentrators can be aggregated; or, directly to the SA server, where the Investigation,
Reporting, Malware Analysis, and Incident Management engines reside.
Notice the “breadcrumb trail” circled at the top of the second screen. The breadcrumbs
always remind you of exactly what drillpoint you’ve reached, and exactly what data
you’re examining. To eliminate the effects of the drill, simply click on the breadcrumb to
see your options for navigating to a different view.
Note that right-clicking on a Meta Value offers you the choice of opening the drillpoint in
a new browser tab, which can make it easier to compare views from different levels in
your investigation. Some drillpoints can go deep into the data, creating breadcrumb
trails that are four or five (or more) elements long.
At any point in the drill, the analyst can switch to viewing the Session data itself. Do this
by clicking not on the (blue) Meta Value of interest, but on the (green numeric) Session
Value. Clicking on the Session Value opens the Event View – alternatively, right-click
on it to open it in a new tab. The Event View offers a look deep inside the reconstructed
packet session or log events of interest.
To navigate back to an earlier point in the breadcrumb trail, simply click on the
breadcrumb itself, as shown above. A menu of navigation options will appear.
Removing the breadcrumb trail altogether (“Remove” menu choice) returns you to the
Broker view, where you will see all data aggregated at the Broker.
If you select the “Advanced” radio button in the Query dialog, you can write your own
query using multiple variables and multiple logical operators. The Advanced Query
requires that you use the actual Meta Key name (“action”) rather than its display name
(“Action Event”). It also requires you to enclose meta value names that contain spaces
in single quotes (for example, action = ‘teardown connection’). Advanced Query also
provides a Wizard to prompt you with available key names and logical operators. When
you’ve finished typing your query syntax, click on Apply.
The Advanced Query is also known as a Custom Drill. It allows you to specify a
complex drillpoint, using multiple keys, values, and logical operators, as depicted in the
graphic above.
Note that only Simple Queries can be constructed via this method. To join two or more
logical expressions into a single query (e.g., action = retrieved && ip.dstport = 53),
select Query from the Navigate main menu and then select the Advanced radio button.
Remember that if you right-click on the session value, you can open the Events View in
a separate browser tab.
To create a Custom View, work through the Manage Column Groups menu choice on
the Events>View screen. Click the plus sign + to add a column group; click the next
red plus sign to add the specific meta keys you would like to include.
Click Save and Apply when you are done, to create your custom view.
On this screen the user has chosen to restrict the time range for data to the last 3 hours.
He has also turned on Visualization, by clicking on the Visualization button at the top
right corner of the screen. We’ll return to visualization later in this module.
Selecting Total results in a numeric sort order (ascending or descending) based on the
session count for each value within the meta key. In the example above, the values for
the Meta Key “Source Country” are listed in descending numeric order, beginning with
5,771 sessions originating in the Russian Federation, and ending with countries that
have had just a small number of captured sessions.
The Profiles apply to the Navigate view (meta groups and queries) and the Events
view (column groups and queries) alike.
In the Visualization Options dialog box, choose Visualization – Coordinates, and click
the Plus sign. From here you can add and subtract Meta Keys from the Parallel
Coordinates Visualization dialog.
Select a time range for the Visualization from the Investigation menu. The metadata you
selected will appear in graphical format at the top of the investigation screen. You can
expand the graph area, and highlight specific areas to gather more detail.
It’s important to note that Network and Application rules can be written to filter, truncate,
or keep data. These rules can also be configured to populate meta keys with alert
metavalues when specified conditions are met. We’ll look more closely at the Keep and
Alert parameters of these rules later on in this module.
A note on terminology: these filtering rules are completely different from the broad
category of Reporting and Alerting Rules, which we will also look at later in this course.
Berkeley packet filters were developed for use with the Unix OS and are independent of Security Analytics.
BPF syntax guides can be found at various sites on the Internet: use your search engine to find one that’s
useful to you.
Note: to filter out traffic that meets a specific condition, you must precede that condition with the operator
not. Interpret that “not” as do not keep. Some examples of BPF syntax are as follows:
Berkeley Packet Filters should be tested to ensure that they will yield the expected behavior before
implementing them. For example, you might use tcpreplay to live stream known data to verify that your BPF
is working. Alternatively you can also use either tcpdump or windump. For example:
windump –nni 2 not (port 53 or port 443) or not (ip proto 50)
Example:
To filter (exclude) traffic on port 80 from 192.168.1.1 OR traffic on port 443 from
10.10.10.1, use this syntax:
Remember that IntelliSense (the rule syntax wizard) is your friend. Also, note that the
Validate button checks your syntax for errors before saving
The rules shown above are simple, but when combined (as in examples 4 and 5 above)
they can access specific sessions very quickly. And time can be of the essence when
working with a security breach.
Consider rule #2: looking for sessions using the Telnet protocol. RSA Security Analytics
goes beyond simply matching UDP or TCP port numbers to standard protocols; instead,
Security Analytics looks at the packet payload to determine if the content itself is
recognized as a particular protocol. Tcp.dstport=23 would reflect normal Telnet traffic
on port 23, but Service=23 will tag all sessions that are utilizing the Telnet protocol,
regardless of the port number actually used.
The characteristics of the meta key are defined in the file entry. In the example above,
you can see the xml definitions for the “Risk:” keys, which we’ll return to in a moment.
Note that:
Key definitions typically reside in the Index-Concentrator.xml file. Because this file can
be replaced during a routine software update, custom meta key definitions should be
created in the Index-Concentrator-Custom.xml file. The “custom” version of the file
works seamlessly with the default version as a single file, but has the advantage that it
will never be overwritten.
Examine these files on the Concentrator > Config screen, under the Files tab.
We might create a series of application rules (that populate the Alerts meta key for
instance) in a taxonomic way as well. Recall that the name of the Application Rule
becomes the meta value under the Meta Key that the rule populates. We might name a
series of application rules “possible threat”, “probable threat”, and “confirmed threat”, for
instance. We could create reports, alerts, dashboards, etc. to highlight “confirmed
threats” and escalate them into incident queues.
In the example above, the analyst has created a series of rules to populate the alert.id
meta key with precise information about what events have occurred relating to the
manipulation of accounts.
Example:
To alert the analyst whenever a router configuration is made, create the following rule:
Note that this Application Rule is not filtering out data, but is keeping data that match
the specified logical criteria. Data that match those criteria are populating the meta key
“Alert”, as specified at the “Alert on” dropdown menu. Any events that match the criteria
will populate the “Alert” meta key with the Meta Value “Facebook Logins”.
Adopting a taxonomic approach, we might have multiple Alert meta values, each named
and defined to track a different kind of alert: Alert.authentication, Alert.malwaredomain,
Alert.accessfailures, and so on. You can be as granular and creative as you like with
the creation and population of meta values.
Alert
When not filtering or truncating to reduce the data set, you may choose to create rules
that flag certain conditions by populating designated Alert meta keys with meta values
of your own creation. In the example above, any session that matches the application
rule logic would populate the Alerts meta key with the meta value “facebook logins”.
Examples:
To detect traffic between pairs of hosts (key=ip.src,ip.dst) where the unique count of
TCP destination ports is greater than 5 within 1 minute, create a rule as follows:
To detect more than 10 failed login attempts within 5 minutes, create a rule as follows:
• no-ip.com
• dyndns.org
• changeip.com
• duiadns.net
• dynamicdns.org
• .. many others
When a subscriber registers a subdomain, they are free to pick any name they want
and map it to any IP address they want. For example, one could register
myuniquedomainname.no-ip.org or asnl2349qpwdan.no-ip.org and have them both
resolve to 5.6.7.8, and later change one of the domains to point at a new IP address
9.8.7.6.
Once the report is created, you can run it, schedule it to run once or at regular intervals,
create an output action for the report, and view the report.
Warehouse DB
If you are using a warehouse in your environment, you can report on data contained in
the warehouse.
This slide shows the various scores used to generate a final aggregation score that
determines whether an alert is triggered.
The module evaluates HTTP packet data, filters out whitelisted domains, and then
assigns a score for recent content, rare domains with few source IP connections and a
high ratio of connections with no referrer, rare or null user agents, beaconing activity
and nearly expired or recently expired domains. The scores are aggregated and the
aggregation score determines whether an alert is triggered.
The system can make multiple enrichment connections and pull contextual data to
make the alert more meaningful. For example:
• ${events[0]["RSADataScienceLookup"][0].score} gives the “risk” score of the
destination domain computed by the RSA Data Science module.
• ${events[0]["orgchart"][0].supervisor} gives the name of the supervisor of the
employee that the alert pertains to (pulled from an HR database).
• ${events[0]["LoginRegister"][0].username} gives the name of the user with the last
successful login from the same ip_src (using a stream based Named Window).
EPL has two parts: SQL (conforms to ANSI SQL92) and a Pattern Matching Language
(something that SQL does not have). EPL provides complex event processing capabilities and
can perform, but is not limited to the following functions:
• Filter Events
• Alert Suppression
• Compute percentages or ratios
• Average, count, min and max for a given time window.
• Correlate events arriving in multiple streams
• Correlate events that arrive out of order
• On-Off Windows
• Followed-by and Not Followed-by support
• Regex filter support
EPL be written many different ways to solve a particular use case. For more information on EPL
rules, refer to the RSA Security Analytics ESA EPL Rules elearning.