A general review on Event Correlation Concepts
Presented by: Reza Adineh
ReZa.AdineH; Think Smarter, Stay Secure .... 12/20/2018
Who am I?
Reza Adineh
• Professional Summary:
• Over 10 years of professional experience
• SOC & CSIRT Architect & Consultant
• SIEM Engineer
• Currently working as a senior on SOC & IR
• Author of “Threat Intelligence for Threat Hunting” & “Next Generation SOC”
• Authoring “Threat Intelligence”, “Security Operation Center” & “Threat Hunting”
• Instructor for many official courses including Security+, CySA+, CHFI,
ECIH, Log management, Forensic Investigation, Incident response, Splunk
administration, etc.
Event correlation definition:
• Event correlation is a technique for making sense of a large number
of events and pinpointing the few events that are really important in
that mass of information. This is accomplished by looking for and
analyzing relationships between events.
Event Correlation
• Correlation is a statistical measure that indicates the extent to which
two or more variables fluctuate together. A positive correlation
indicates the extent to which those variables increase or decrease in
parallel; a negative correlation indicates the extent to which one
variable increases as the other decreases.
Event Correlation
• In simple words:
it is a way to find specific conditions among the events.
Event Correlation
• Event correlation is the process of relating a set of events that have
occurred in a predefined interval of time.
• The process includes analysing the events to understand how they could add
up to a bigger event, which in most cases could be an incident.
• It usually takes place on the log management platform, after the users notice
that certain logs have similar properties. It is not a completely new concept;
it has been used in some form in many different solutions, such as NIDS.
• In general, event correlation is implemented with the help of a single
event correlator software.
SIEM Event Correlation
• SIEM event correlation is an essential part of any SIEM solution. It
aggregates and analyzes log data from across your network
applications, systems, and devices, making it possible to discover
security threats and malicious patterns of behavior that would otherwise go
unnoticed and could lead to compromise or data loss.
Steps in event correlation
• Event Aggregation
• Event Masking
• Event Filtering
• Root cause analysis
Types of Event Correlation
• Simple Correlation
• This is when you use one log source for correlation.
• Cross Correlation
• In this case you have to use multiple log sources for correlation.
• Tip: keep in mind that in most cases the most useful type is cross
correlation, because when you need to detect an incident you need
many different log sources for collecting evidence, and then the
result is more reliable and efficient for analysis.
Prerequisites of event correlation
• Transmission of Events and data
• Pull or Push
• Normalization
• Reduction
Event Correlation Approaches
• Graph-based correlation approach
• Neural-network based correlation approach
• Code-book based correlation approach
• Rule-based correlation approach
• Field-based correlation approach
• Automated field correlation approach
• Packet parameter/payload correlation approach
• Profile (fingerprint) based correlation approach
• Vulnerability based correlation approach
• Open port based correlation approach
• Bayesian based correlation approach
• Time based correlation approach
Correlation: Graph-based approach
• This approach constructs a graph in which each node is a system
component and each edge is a dependency between two components.
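The dependency graph described here, combined with the aggregation, filtering, masking and root cause analysis steps listed under "Steps in event correlation", as an added example that is not from the slides; the component names, the graph and the alarm events are constructed for illustration.

```python
from collections import Counter

# Constructed dependency graph (not from the slides): each key is a system
# component and the list holds the components it depends on (the edges).
DEPENDS_ON = {
    "web-frontend": ["app-server", "load-balancer"],
    "app-server": ["database", "ldap"],
    "load-balancer": [],
    "database": ["san-storage"],
    "ldap": [],
    "san-storage": [],
}

# Constructed alarm events from a monitor. Repeated "down" alarms for the same
# component are what the aggregation step collapses; "printer-7" is not part
# of the model and is dropped by the filtering step.
SAMPLE_ALARMS = [
    {"component": "web-frontend", "state": "down"},
    {"component": "web-frontend", "state": "down"},
    {"component": "app-server", "state": "down"},
    {"component": "database", "state": "down"},
    {"component": "database", "state": "down"},
    {"component": "database", "state": "down"},
    {"component": "ldap", "state": "up"},
    {"component": "load-balancer", "state": "up"},
    {"component": "san-storage", "state": "down"},
    {"component": "printer-7", "state": "down"},
]


def aggregate(alarms):
    """Event aggregation: collapse duplicate alarms into one record with a count."""
    counts = Counter((a["component"], a["state"]) for a in alarms)
    return [{"component": c, "state": s, "count": n} for (c, s), n in counts.items()]


def filter_modelled(alarms, depends_on):
    """Event filtering: keep only alarms about components the graph knows."""
    return [a for a in alarms if a["component"] in depends_on]


def failed_upstream(node, depends_on, failed, seen=None):
    """All failed components that `node` depends on, directly or transitively."""
    if seen is None:
        seen = set()
    found = set()
    for dep in depends_on.get(node, []):
        if dep in seen:
            continue
        seen.add(dep)
        if dep in failed:
            found.add(dep)
        found |= failed_upstream(dep, depends_on, failed, seen)
    return found


def root_causes(depends_on, failed):
    """Root cause analysis on the dependency graph.

    A failed component with no failed dependency upstream is a root cause.
    A failed component that depends (directly or indirectly) on a failed one
    is explained by it, so its alarm is masked and tagged with the root
    causes that explain it."""
    upstream = {c: failed_upstream(c, depends_on, failed) for c in failed}
    roots = sorted(c for c, up in upstream.items() if not up)
    masked = {c: sorted(u for u in up if u in roots)
              for c, up in upstream.items() if up}
    return roots, masked


def analyze(alarms, depends_on):
    """Run aggregation, filtering, masking and root cause analysis in order."""
    agg = filter_modelled(aggregate(alarms), depends_on)
    failed = {a["component"] for a in agg if a["state"] == "down"}
    roots, masked = root_causes(depends_on, failed)
    return {"aggregated": agg, "root_causes": roots, "masked": masked}


if __name__ == "__main__":
    result = analyze(SAMPLE_ALARMS, DEPENDS_ON)
    print("root causes:", result["root_causes"])
    print("masked:", result["masked"])
```

With the constructed alarms, four components report "down" but only the storage node has no failed dependency, so the other three alarms are masked and a single root cause is reported.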
Correlation: Neural-Network Based approach
• This approach uses a neural network to detect anomalies in the
event stream, the root cause of fault events, etc.
Correlation: Code-book based approach
• This approach uses a code book to store a set of events and correlate them.
• Monitors capture alarm events; the configuration model contains the
configuration of the network.
• The event model represents events and their causal relationships.
• The correlator correlates alarm events with the event model and determines the
problem that caused the events.
• Problem events are viewed as messages generated by a system and encoded in
sets of alarms. The correlator decodes the problem message to identify the
problem.
• There are two phases:
• Codebook selection phase
• The correlator compares alarm events with the codebook and identifies the problem.
Correlation: Rule-Based approach
• In this approach, events are correlated according to a set of rules of
the form:
• Condition -> Action
• Rules are combined with logical operators to get results.
Field-based approach
• A basic approach where specific events are compared with single or
multiple fields in the normalized data.
Automated field correlation
• This method checks and compares all the fields systematically and
intentionally for positive and negative correlation with each other to
determine the correlation across one or multiple fields.
Packet parameter/payload correlation
• This approach is used to correlate particular packets with other
packets.
• This approach can produce a list of possible new attacks by comparing
packets with attack signatures.
Profile (fingerprint) based correlation approach
• A series of datasets can be gathered from forensic event data, such as
isolated OS fingerprints, isolated port scans, finger information and banner
snatching, to compare and link attack data to other attacker profiles.
• This information is used to identify whether any system is a relay or a
formerly compromised host, or to detect the same hacker from
different locations.
• In this approach the most important thing is a good enough baseline.
Vulnerability based correlation approach
• This approach is used to map IDS events that target a specific
vulnerable host with the help of a vulnerability scanner.
• This approach is also used to deduce an attack on a particular host in
advance, and it prioritizes attack data so that you can respond to
trouble spots quickly.
Open port based correlation approach
• This approach determines the rate of successful attacks by comparing
them with the list of open ports available on the hosts that are being
attacked.
Bayesian based correlation approach
• This approach is an advanced correlation method that assumes and
predicts what an attacker can do next after an attack by studying
statistics and probability.
Role or Time based correlation approach
• This is used to monitor the behaviour of systems and users and to raise an
alert if something anomalous is found.
• It focuses on the roles of systems and/or users.
• In this approach, when a condition happens, the alert is triggered
and the rule then waits for the next condition within a defined time.
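The rule-based Condition -> Action form, the time-based "wait for the next condition" behaviour and cross correlation across two log sources, as an added example that is not part of the slides; the log lines, source names, field names and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the slides) from two log sources, a
# Linux sshd log and a VPN gateway log, so the second rule is a cross correlation.
SAMPLE_LOGS = [
    ("sshd", "2018-12-20 10:00:01 Failed password for alice from 203.0.113.7"),
    ("sshd", "2018-12-20 10:00:05 Failed password for alice from 203.0.113.7"),
    ("sshd", "2018-12-20 10:00:09 Failed password for alice from 203.0.113.7"),
    ("sshd", "2018-12-20 10:00:12 Failed password for alice from 203.0.113.7"),
    ("sshd", "2018-12-20 10:00:15 Failed password for alice from 203.0.113.7"),
    ("sshd", "2018-12-20 10:00:40 Failed password for bob from 198.51.100.9"),
    ("sshd", "2018-12-20 10:00:41 Connection closed by 198.51.100.9"),
    ("vpn",  "2018-12-20 10:01:30 LOGIN_OK user=alice src=203.0.113.7"),
    ("vpn",  "2018-12-20 10:30:00 LOGIN_OK user=bob src=198.51.100.9"),
]

SSHD_FAIL = re.compile(r"^(\S+ \S+) Failed password for (\S+) from (\S+)$")
VPN_OK = re.compile(r"^(\S+ \S+) LOGIN_OK user=(\S+) src=(\S+)$")


def normalize(source, line):
    """Normalization step: map each source's own format onto common field
    names (ts, source, type, user, src_ip). Lines no rule needs return None,
    which is the filtering step."""
    if source == "sshd":
        m, ev_type = SSHD_FAIL.match(line), "auth_failure"
    elif source == "vpn":
        m, ev_type = VPN_OK.match(line), "auth_success"
    else:
        return None
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "source": source,
        "type": ev_type,
        "user": m.group(2),
        "src_ip": m.group(3),
    }


class Correlator:
    """Two rules of the form Condition -> Action, evaluated over time windows.

    Rule 1 (simple correlation, one source): at least `threshold` auth_failure
        events for the same (user, src_ip) within `fail_window` seconds
        -> raise "brute_force_attempt" and start waiting for the next condition.
    Rule 2 (cross correlation, time based): rule 1 fired AND an auth_success
        from the other source for the same (user, src_ip) arrives within
        `success_window` seconds -> raise "possible_account_compromise".
    """

    def __init__(self, threshold=5, fail_window=60, success_window=120):
        self.threshold = threshold
        self.fail_window = timedelta(seconds=fail_window)
        self.success_window = timedelta(seconds=success_window)
        self.failures = defaultdict(deque)  # (user, src_ip) -> failure timestamps
        self.pending = {}                   # (user, src_ip) -> time rule 1 fired
        self.alerts = []

    def feed(self, ev):
        key = (ev["user"], ev["src_ip"])
        if ev["type"] == "auth_failure":
            window = self.failures[key]
            window.append(ev["ts"])
            # Sliding window: forget failures older than fail_window.
            while ev["ts"] - window[0] > self.fail_window:
                window.popleft()
            if len(window) >= self.threshold:
                self.alerts.append(self._alert("brute_force_attempt", ev))
                self.pending[key] = ev["ts"]  # now wait for the next condition
                window.clear()
        elif ev["type"] == "auth_success":
            started = self.pending.pop(key, None)
            # The second condition only counts inside the defined time.
            if started is not None and ev["ts"] - started <= self.success_window:
                self.alerts.append(self._alert("possible_account_compromise", ev))

    @staticmethod
    def _alert(rule, ev):
        return {"rule": rule, "user": ev["user"], "src_ip": ev["src_ip"],
                "ts": ev["ts"].isoformat(), "source": ev["source"]}


def correlate(log_lines):
    """Normalize, filter and correlate raw (source, line) pairs; return alerts."""
    c = Correlator()
    for source, line in log_lines:
        ev = normalize(source, line)
        if ev is not None:
            c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the five failures for alice within 14 seconds fire rule 1, and her VPN login 75 seconds later fires rule 2; bob's single failure and his login half an hour later match neither rule.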
Route Correlation
• This approach is used to extract attack route information and use
that information to single out other attack data.
• In this correlation we have information about the attack path or flow.
Hybrid correlation
• In this type of correlation we need to correlate multiple sources
simultaneously and enrich them to get the results.
• In fact it is a combination of different approaches.
Alerting and Incidents
End.

Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
How To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTROHow To Manage Restaurant Staff -BTRESTRO
How To Manage Restaurant Staff -BTRESTRO
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...Simplifying Microservices & Apps - The art of effortless development - Meetup...
Simplifying Microservices & Apps - The art of effortless development - Meetup...
 
Salesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZSalesforce Implementation Services PPT By ABSYZ
Salesforce Implementation Services PPT By ABSYZ
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdfInnovate and Collaborate- Harnessing the Power of Open Source Software.pdf
Innovate and Collaborate- Harnessing the Power of Open Source Software.pdf
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 

Review on Event Correlation - A review of correlation methods in event management

  • 1. A general review on Event Correlation Concepts. Presented by: Reza Adineh. ReZa.AdineH; Think Smarter, Stay Secure .... 12/20/2018
  • 2. Who am I? Reza Adineh
    • Professional summary:
    • Over 10 years of professional experience
    • SOC & CSIRT Architect & Consultant
    • SIEM Engineer
    • Currently working as a senior on SOC & IR
    • Author of "Threat Intelligence for Threat Hunting" & "Next Generation SOC"
    • Authoring the "Threat Intelligence", "Security Operation Center" & "Threat Hunting" courses
    • Instructor for many official courses including Security+, CySA+, CHFI, ECIH, Log management, Forensic Investigation, Incident response, Splunk administration, etc.
  • 3. Event correlation definition:
    • Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.
  • 4. Event Correlation
    • Correlation is a statistical measure that indicates the extent to which two or more variables fluctuate together. A positive correlation indicates the extent to which those variables increase or decrease in parallel; a negative correlation indicates the extent to which one variable increases as the other decreases.
  • 5. Event Correlation
    • In simple words: it is a way to find specific conditions among the events.
  • 6. Event Correlation
    • Event correlation is the process of relating a set of events that have occurred in a predefined interval of time.
    • The process includes analysis of the events to learn how they could add up to a bigger event, and finally, in most cases, an incident.
    • It usually occurs on the log management platform, after the users find out that certain logs have similar properties. In general it is not a completely new concept; it is used in some form in many different solutions, such as NIDS.
    • In general, event correlation is implemented with the help of a single event correlator software.
  • 7. SIEM Event Correlation
    • SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behavior that would otherwise go unnoticed and could lead to compromise or data loss.
  • 8. Steps in event correlation
    • Event aggregation
    • Event masking
    • Event filtering
    • Root cause analysis
  • 9. Types of Event Correlation
    • Simple correlation: this is when you use one log source for correlation.
    • Cross correlation: in this case you have to use multiple log sources for correlation.
    • Tip: keep in mind that in most cases the most useful type is cross correlation, because when you need to detect an incident you need many different log sources for collecting evidence; the result is then more reliable and efficient for analysis.
  • 10. Prerequisites of event correlation
    • Transmission of events and data
    • Pull or push
    • Normalization
    • Reduction
  • 11. Event Correlation Approaches
    • Graph-based correlation approach
    • Neural-network based correlation approach
    • Code-book based correlation approach
    • Rule-based correlation approach
    • Field-based correlation approach
    • Automated field correlation approach
    • Packet parameter/payload correlation approach
  • 12. Event Correlation Approaches
    • Profile (fingerprint) based correlation approach
    • Vulnerability based correlation approach
    • Open port based correlation approach
    • Bayesian based correlation approach
    • Time based correlation approach
  • 13. Correlation: Graph-based approach
    • This approach constructs a graph with each node as a system component and each edge as a dependency between two components.
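As an added example (not part of the slides), the graph-based dependency model combined with the aggregation, masking and root-cause steps from slide 8: identical events are aggregated into counts, events from components whose dependencies are also alarming are masked, and whatever remains unmasked is the root-cause candidate. The dependency graph and event stream below are constructed for illustration.

```python
from collections import Counter

# Constructed dependency graph (assumption, not from the slides):
# DEPENDS_ON[a] lists the components that a depends on (each entry is an edge).
DEPENDS_ON = {
    "webapp": ["db", "auth"],
    "auth": ["db"],
    "db": ["san"],
    "san": [],
}

# Constructed raw event stream: (component, message). Duplicates are deliberate.
RAW_EVENTS = [
    ("san", "disk array offline"),
    ("db", "connection refused"),
    ("db", "connection refused"),
    ("auth", "backend timeout"),
    ("webapp", "HTTP 500"),
    ("webapp", "HTTP 500"),
    ("webapp", "HTTP 500"),
    ("mail", "queue growing"),      # unrelated to the storage failure
]

def aggregate(events):
    """Event aggregation: collapse identical events into one entry with a count."""
    return [(comp, msg, n) for (comp, msg), n in Counter(events).items()]

def transitive_deps(comp, graph):
    """All components that comp depends on, directly or indirectly."""
    seen, stack = set(), list(graph.get(comp, []))
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(graph.get(d, []))
    return seen

def mask_and_root_cause(agg, graph):
    """Event masking + root cause analysis: an event is masked when a component
    it depends on is alarming too; unmasked events are root-cause candidates."""
    alarming = {comp for comp, _, _ in agg}
    roots, masked = [], []
    for comp, msg, n in agg:
        (masked if transitive_deps(comp, graph) & alarming else roots).append((comp, msg, n))
    return roots, masked

def correlate(events, graph=DEPENDS_ON):
    """Run the pipeline: aggregate, then mask, returning (roots, masked)."""
    return mask_and_root_cause(aggregate(events), graph)
```

With the constructed input only the SAN failure and the unrelated mail event survive as root causes; the three webapp errors are reported once, with their count, as masked.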
  • 14. Correlation: Neural-network based approach
    • This approach uses a neural network to detect anomalies in the event stream, the root cause of fault events, etc.
  • 15. Correlation: Code-book based approach
    • This approach uses a code book to store a set of events and correlate them.
    • Monitors capture alarm events; the configuration model contains the configuration of the network.
    • The event model represents events and their causal relationships.
    • The correlator correlates alarm events with the event model and determines the problem that caused the events.
    • Problem events are viewed as messages generated by a system and encoded in sets of alarms. The correlator decodes the problem message to identify the problem.
    • There are two phases:
      • Codebook selection phase
      • The correlator compares alarm events with the codebook and identifies the problem.
  • 16. Correlation: Rule-based approach
    • In this approach, events are correlated according to a set of rules of the form: Condition -> Action
    • We have to combine rules with logical operators to get results.
  • 17. Field-based approach
    • A basic approach where specific events are compared with single or multiple fields in the normalized data.
  • 18. Automated field correlation
    • This method checks and compares all the fields systematically and intentionally for positive and negative correlation with each other, to determine the correlation across one or multiple fields.
  • 19. Packet parameter/payload correlation
    • This approach is used to correlate particular packets with other packets.
    • This approach can make a list of possible new attacks by comparing packets with attack signatures.
  • 20. Profile (fingerprint) based correlation approach
    • A series of datasets can be gathered from forensic event data, such as isolated OS fingerprints, isolated port scans, finger information and banner grabbing, to compare and link attack data to other attacker profiles.
    • This information is used to identify whether any system is a relay or a formerly compromised host, or to detect the same attacker from different locations.
    • In this approach the most important thing is a good enough baseline.
  • 21. Vulnerability based correlation approach
    • This approach is used to map IDS events that target a specific vulnerable host with the help of a vulnerability scanner.
    • This approach is also used to deduce an attack on a particular host in advance, and it prioritizes attack data so that you can respond to trouble spots quickly.
  • 22. Open port based correlation approach
    • This approach determines the rate of successful attacks by comparing them with the list of open ports on the hosts that are being attacked.
  • 23. Bayesian based correlation approach
    • This approach is an advanced correlation method that assumes and predicts what an attacker can do next after an attack by studying statistics and probability.
  • 24. Role or time based correlation approach
    • This is used to monitor the behavior of systems and users and provide an alert if something anomalous is found.
    • It focuses on the roles of systems and/or users.
    • In this approach, when a condition occurs, the rule is triggered and waits for the next condition within a defined time.
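As an added example (not from the slides), a small rule-based, time-windowed, cross-source correlator in the spirit of slides 9, 16 and 24: a first condition arms the rule, and a second condition from the same source address must follow within a defined time, with events drawn from more than one log source. The log format, field names, thresholds and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed log lines from two sources (sshd and radius), not from the slides.
# Format: epoch_seconds source src_ip outcome user
SAMPLE_LOGS = """\
1000 sshd 10.0.0.5 fail alice
1010 sshd 10.0.0.5 fail alice
1020 radius 10.0.0.5 fail alice
1030 sshd 10.0.0.9 fail bob
1045 radius 10.0.0.5 success alice
1300 sshd 10.0.0.9 success bob
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(fail|success)\s+(\S+)$")

def parse(lines):
    """Normalization step: map raw lines from different sources onto one schema."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, source, src_ip, outcome, user = m.groups()
            events.append({"ts": int(ts), "source": source, "src_ip": src_ip,
                           "outcome": outcome, "user": user})
    return events

def correlate(events, fails=3, fail_window=60, success_window=120):
    """Rule: condition 1 (>= fails failures from one src_ip within fail_window s)
    arms the rule; condition 2 (a success from that src_ip within success_window s
    of arming) fires the alert. A late success just resets the rule for that ip."""
    recent_fails = defaultdict(list)   # src_ip -> timestamps of recent failures
    armed = {}                         # src_ip -> time at which the rule was armed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["src_ip"], ev["ts"]
        if ev["outcome"] == "fail":
            window = [t for t in recent_fails[ip] if ts - t <= fail_window] + [ts]
            recent_fails[ip] = window
            if len(window) >= fails and ip not in armed:
                armed[ip] = ts
        elif ip in armed:
            if ts - armed[ip] <= success_window:
                sources = sorted({e["source"] for e in events if e["src_ip"] == ip})
                alerts.append({"src_ip": ip, "user": ev["user"], "ts": ts,
                               "sources": sources})
            del armed[ip]
    return alerts
```

On the constructed input the rule fires once, for 10.0.0.5, and the alert records that evidence came from both the sshd and radius sources; bob's single failure never arms the rule.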
  • 25. Route correlation
    • This approach is used to extract the attack route information and use that information to single out other attack data.
    • In this correlation we have information about the attack path or flow.
  • 26. Hybrid correlation
    • In this type of correlation we need to correlate multiple sources simultaneously and enrich them to get the results.
    • In fact, it is a combination of different approaches.
  • 27. Alerting and Incidents
  • 28. End.