In this presentation we review the concepts related to event correlation.
Event correlation is one of the most important concepts in log management and analysis.
If you are working on attack detection and incident detection, it is fundamental to those topics.
In this presentation we cover the definition of event correlation, the types of event correlation, and the event correlation approaches.
It is a simple presentation gathered and presented by Reza Adineh as an instructor in 2018.
Hope you enjoy it.
----------------------------------------------
This presentation was prepared and compiled in 2018 by Reza Adineh.
The subject of this presentation is an introduction to the concept of correlation and the types of methods and approaches available for correlation, which are used in most event management solutions.
Review on Event Correlation - A review of event correlation methods in event management
1. A general review on Event Correlation Concepts
Presented by: Reza Adineh
ReZa.AdineH; Think Smarter, Stay Secure .... 12/20/2018
2. Who am I?
Reza Adineh
• Professional Summary:
• Over 10 years of professional experience
• SOC & CSIRT Architect & Consultant
• SIEM Engineer
• Currently working as a senior on SOC & IR
• Author of “Threat Intelligence for Threat Hunting” & “Next Generation SOC”
• Authoring “Threat Intelligence”, “Security Operation Center” & “Threat Hunting”
• Courses instructor for many official courses including Security+, CySA+, CHFI, ECIH, Log management, Forensic Investigation, Incident response, Splunk administration, etc.
3. Event correlation definition:
• Event correlation is a technique for making sense of a large number
of events and pinpointing the few events that are really important in
that mass of information. This is accomplished by looking for and
analyzing relationships between events.
4. Event Correlation
• Correlation is a statistical measure that indicates the extent to which
two or more variables fluctuate together. A positive correlation
indicates the extent to which those variables increase or decrease in
parallel; a negative correlation indicates the extent to which one
variable increases as the other decreases.
5. Event Correlation
• In simple words:
it is a way to find specific, particular conditions among the events.
6. Event Correlation
• Event Correlation is the process of relating a set of events that have
occurred in a predefined interval of time.
• The process includes analysis of the events to see how they could add
up to a bigger event, and in most cases that bigger event is an incident.
• It usually takes place on the log management platform, after the users find
that certain logs have similar properties. In general it is not a
completely new concept; it is used in some form in many different
solutions, such as NIDS.
• In general, event correlation is implemented with the help of a single
event-correlator software component.
7. SIEM Event Correlation
• SIEM event correlation is an essential part of any SIEM solution. It
aggregates and analyzes log data from across your network:
applications, systems, and devices, making it possible to discover
security threats and malicious patterns of behavior that would otherwise go
unnoticed and could lead to compromise or data loss.
9. Types of Event Correlation
• Simple Correlation
• This is when you use one log source for correlation
• Cross Correlation
• In this case you have to use multiple log sources for correlation
• Tip: keep in mind that the most useful type in most cases is cross
correlation, because when you need to detect an incident you need
many different log sources to collect evidence, and then the
result is more reliable and efficient for analysis.
10. Prerequisites of event correlation
• Transmission of Events and data
• Pull or Push
• Normalization
• Reduction
12. Event Correlation Approaches
• Profile (finger print) based correlation approach
• Vulnerability based correlation approach
• Open port based correlation approach
• Bayesian based correlation approach
• Time based correlation approach
13. Correlation: Graph-based approach
• This approach constructs a graph with each node as a system
component and each edge as a dependency between two components.
14. Correlation: Neural-Network Based approach
• This approach uses a neural network to detect anomalies in the
event stream, the root cause of fault events, etc.
15. Correlation: Code-book based approach
• This approach uses a code book to store a set of events and correlate them.
• Monitors capture alarm events; configuration model contains the
configuration of network.
• Event model represents events and their causal relationships.
• Correlator correlates alarm events with the event model and determines the
problem that caused the events.
• Problem events are viewed as messages generated by a system and encoded in
sets of alarms. The correlator decodes the problem message to identify the
problem.
• There are two phases:
• Codebook selection phase
• Correlation phase: the correlator compares alarm events with the codebook and identifies the problem.
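The two phases of the codebook approach, as an added example that is not part of the presentation: the event model, alarm names and problem names are constructed sample data, and codes are compared by Hamming distance (the size of the symmetric difference of two alarm sets).

```python
from itertools import combinations

# Constructed sample event model: problem -> the alarms (symptoms) it raises.
# "no_problem" (the empty code) is in the model so a healthy state decodes too.
EVENT_MODEL = {
    "link_down_core":    {"if_down_core1", "bgp_neighbor_lost", "latency_high", "app_errors_5xx", "dns_timeout"},
    "db_server_crash":   {"svc_down_db", "db_conn_refused", "latency_high", "app_errors_5xx"},
    "brute_force_login": {"auth_fail_burst", "account_lockout", "vpn_auth_fail", "app_errors_5xx"},
    "disk_full_logsrv":  {"disk_usage_95", "syslog_write_fail", "log_ingest_stalled"},
    "no_problem":        set(),
}

def distance(code_a, code_b):
    # Hamming distance between two alarm-set codes = size of their symmetric difference
    return len(code_a ^ code_b)

def min_pairwise_distance(codebook):
    return min(distance(codebook[a], codebook[b]) for a, b in combinations(codebook, 2))

def select_codebook(model, min_dist=3):
    """Phase 1 (codebook selection): greedily drop alarms while every pair of problem
    codes stays at least min_dist apart, so decoding still works when up to
    (min_dist - 1) // 2 alarms are lost or spurious. Fewer alarms = fewer monitors."""
    kept = set().union(*model.values())
    for alarm in sorted(kept):
        trial = {p: s & (kept - {alarm}) for p, s in model.items()}
        if min_pairwise_distance(trial) >= min_dist:
            kept.discard(alarm)
    return {p: s & kept for p, s in model.items()}

def decode(observed, codebook, max_dist=1):
    """Phase 2 (correlation): alarms outside the codebook are ignored; return the problem
    whose code is closest to what was observed, or None when nothing is within
    max_dist (two problems at once, or a symptom set the model does not know)."""
    alphabet = set().union(*codebook.values())
    obs = set(observed) & alphabet
    best = min(codebook, key=lambda p: distance(codebook[p], obs))
    d = distance(codebook[best], obs)
    return (best, d) if d <= max_dist else (None, d)

CODEBOOK = select_codebook(EVENT_MODEL)
```

Decoding with a missing alarm still names the right problem because the selected codes stay three alarms apart; overlapping problems decode to None rather than to a wrong guess.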
16. Correlation: Rule-Based approach
• In this approach, events are correlated according to a set of rules as
follows:
• Condition -> Action
• We have to combine rules with logical operators to get
results.
17. Field-based approach
• A basic approach where specific events are compared with single or
multiple fields in the normalized data.
18. Automated field correlation
• This method checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to
determine the correlation across one or multiple fields.
19. Packet parameter/payload correlation
• This approach is used to correlate particular packets with other
packets.
• This approach can make a list of possible new attacks by comparing
packets with attack signatures.
20. Profile (finger print) based correlation approach
• A series of datasets can be gathered from forensic event data such as
isolated OS fingerprints, isolated port scans, finger information, and banner
snatching (grabbing), to compare and link attack data to other attacker profiles.
• This information is used to identify whether any system is a relay or a
formerly compromised host, or to detect the same hacker from
different locations.
• In this approach the most important thing is a good enough baseline.
21. Vulnerability based correlation approach
• This approach is used to map IDS events that target a specific
vulnerable host, with the help of a vulnerability scanner.
• This approach is also used to deduce an attack on a particular host in
advance, and it prioritizes attack data so that you can respond to
trouble spots quickly.
22. Open port based correlation approach
• This approach determines the rate of successful attacks by comparing
the attack data with the list of open ports available on the hosts that are
being attacked.
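The vulnerability-based and open-port-based approaches of the last two slides combined in one triage step, as an added example that is not from the presentation: the IDS alerts, the scanner inventory, the vulnerability IDs (VULN-0001, VULN-0002 are placeholders) and the addresses are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Alert:                # one normalized IDS event (constructed sample fields)
    src: str                # attacker address
    dst: str                # targeted host
    dport: int              # targeted port
    vuln_id: str            # vulnerability the signature is written for, "" if none

# Constructed asset inventory as a vulnerability scanner would report it (placeholder IDs).
INVENTORY = {
    "10.0.0.5": {"open_ports": {22, 80, 443}, "vulns": {"VULN-0001"}},  # unpatched web host
    "10.0.0.9": {"open_ports": {3389},        "vulns": set()},          # patched jump host
}

# Constructed IDS alerts (documentation-range addresses).
ALERTS = [
    Alert("203.0.113.7", "10.0.0.5",  80,   "VULN-0001"),
    Alert("203.0.113.7", "10.0.0.5",  8080, "VULN-0001"),
    Alert("203.0.113.8", "10.0.0.9",  3389, "VULN-0002"),
    Alert("203.0.113.8", "10.0.0.44", 445,  ""),
]

def prioritize(alert, inventory):
    """Open-port + vulnerability based correlation for one alert -> (priority, reason)."""
    asset = inventory.get(alert.dst)
    if asset is None:
        return ("low", "no scanner data for target; cannot confirm exposure")
    if alert.dport not in asset["open_ports"]:
        return ("low", "target port is closed; the attempt could not succeed")
    if alert.vuln_id in asset["vulns"]:
        return ("critical", "open port and host is vulnerable to " + alert.vuln_id)
    if alert.vuln_id:
        return ("medium", "open port but host is not vulnerable to " + alert.vuln_id)
    return ("medium", "open port; signature is not tied to a known vulnerability")

def success_rate(alerts, inventory):
    """Share of alerts that reached an open port on a known host (the slide's rate of successful attacks)."""
    hits = [a for a in alerts if a.dst in inventory and a.dport in inventory[a.dst]["open_ports"]]
    return len(hits) / len(alerts) if alerts else 0.0

RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def triage(alerts, inventory):
    """Alerts ordered for the analyst: the most likely successful ones first."""
    scored = [(prioritize(a, inventory), a) for a in alerts]
    return sorted(scored, key=lambda s: RANK[s[0][0]])
```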
23. Bayesian based correlation approach
• This approach is an advanced correlation method that assumes and
predicts what an attacker can do next after an attack by studying
statistics and probability.
24. Role or Time based correlation approach
• This is used to monitor system and user behavior and raise an
alert if something anomalous is found.
• It focuses on the roles of systems and/or users.
• In this approach, when a condition occurs the alert is triggered
and the correlator waits for the next condition within a defined time.
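A small correlator covering three of the slides above, as an added example that is not from the presentation: a rule-based Condition -> Action rule whose conditions are combined with logical operators, the time-based behaviour of arming on one condition and waiting a defined time for the next, and cross correlation across two log sources (firewall and authentication server). The events, field names and addresses are constructed.

```python
from collections import defaultdict

# Constructed normalized events from two log sources (firewall + auth server), as one
# time-ordered stream. Cross correlation: the rule below needs both sources to fire.
EVENTS = [
    {"ts": 100, "src": "fw",   "action": "deny",    "ip": "198.51.100.4", "dport": 22},
    {"ts": 105, "src": "fw",   "action": "deny",    "ip": "198.51.100.4", "dport": 23},
    {"ts": 110, "src": "fw",   "action": "deny",    "ip": "198.51.100.4", "dport": 3389},
    {"ts": 150, "src": "auth", "action": "success", "ip": "198.51.100.4", "user": "bob"},
    {"ts": 160, "src": "fw",   "action": "deny",    "ip": "192.0.2.9",    "dport": 22},
    {"ts": 900, "src": "auth", "action": "success", "ip": "192.0.2.9",    "user": "alice"},
]

class SequenceRule:
    """Condition -> Action rule with a time window: once `first` has matched `threshold`
    times for one key inside `window` seconds the rule arms, then waits up to `window`
    seconds for `then`; the action here is returning an alert dict."""
    def __init__(self, name, key, first, then, window, threshold=1):
        self.name, self.key, self.first, self.then = name, key, first, then
        self.window, self.threshold = window, threshold
        self.pending = defaultdict(list)   # key -> timestamps of `first` matches
        self.armed = {}                    # key -> timestamp the rule was armed

    def feed(self, ev):
        k, now = ev.get(self.key), ev["ts"]
        if k is None:
            return None
        # drop state that has aged out of the window (the rule "forgets")
        self.pending[k] = [t for t in self.pending[k] if now - t <= self.window]
        if k in self.armed and now - self.armed[k] > self.window:
            del self.armed[k]
        if self.first(ev):
            self.pending[k].append(now)
            if len(self.pending[k]) >= self.threshold:
                self.armed[k] = now
        if k in self.armed and self.then(ev):
            del self.armed[k]
            self.pending[k].clear()
            return {"rule": self.name, "key": k, "ts": now}
        return None

def scan_then_login_rule():
    # conditions are predicates combined with logical operators, as the slide describes
    return SequenceRule("scan_then_login", key="ip", window=300, threshold=3,
                        first=lambda e: e["src"] == "fw" and e["action"] == "deny",
                        then=lambda e: e["src"] == "auth" and e["action"] == "success")

def run(rule, events):
    """Feed time-sorted events through a rule and collect the alerts it raises."""
    return [a for a in (rule.feed(e) for e in sorted(events, key=lambda e: e["ts"])) if a]
```

The second source (192.0.2.9) never alerts: its single deny is below the threshold and its login arrives long after the window, which is the time-based condition doing its job.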
25. Route Correlation
• This approach is used to extract the attack route information and use
that information to single out other attack data.
• In this correlation we have information about the attack path or flow.
26. Hybrid correlation
• In this type of correlation we need to correlate multiple
sources simultaneously and enrich them to get the results.
• In fact it is a combination of different approaches.