Documente Academic
Documente Profesional
Documente Cultură
MARIUS VLDESCU
GEORGIANA MATEESCU
VALENTIN SGRCIU
Automatic and Computer Science
University Polytechnics
Splaiul Independenei 313, Bucureti 060042
ROMANIA
E-mails: vladescumariusnicolae@yahoo.com, georgiana.mateescu@gmail.com,
vsgarciu@aii.pub.ro
Abstract: This paper aims to present techniques for combating theft or leakage of sensitive
information belonging to companies, using event correlation engines. The solution is based on
monitoring the activity of the employees using a data loss prevention system, and deactivating the
Active Directory account, in case suspicious events are detected. Event correlation engines collect
information from multiple sources, prioritize them based on their criticality and impact, correlate them
based on predefined correlation rules and trigger alarms in case a rule has fired.
Key-Words: information security, event correlation
1. Introduction
For enterprises, information is a critical
asset. Sensitive information must be
protected by any costs and means possible.
Information leakage may imply huge
pecuniary,
reputational
losses
and
interruption in important activities. Most
companies
protect
themselves
from
information security threats by applying
controls meant to reject external attacks,
but enterprises must apply technological
controls to protect themselves from
information security incidents generated by
employees, willingly or unintended, taking in
count that the activity of hundreds or
thousands of employees is hard to monitor
and control.
There is a false impression that incidents
generated by human factor is not so much
relevant, but recent studies made by
Ponemon Institute indicate the fact that
almost 29 percent of total incidents had
human factor at their root cause [1]. The
platforms
Employees negligence may lead to losses
generated by compromising technological
resources available, which interrupt critical
services, or cause unrecoverable data
destruction. This case is very common in
large enterprises, despite the fact that they
invest heavily in training sessions, meant to
teach the personnel how to properly handle
the technological resources. Enterprises
also invest in technological controls like
Data Loss Prevention systems and
cryptographic techniques, meant to secure
the informational systems used by
employees and to secure confidential data
in every stage [2]:
Data at rest
Data in process
Data in motion
Another dangerous vulnerability for internal
security is leaving user accounts active for
the people who have left the company.
Many of the reported cases of domestic
incidents were caused by this vulnerability.
Best user account management systems
are Identity Management systems (IDMs),
which count, monitor and manage user
accounts in companies, for every software
platform that they use. IDMs are integrated
with all the platforms used by the company,
and they deactivate all the accounts, in
case the central account of the employee is
deactivated. For Windows users, the central
account is usually stored in Active Directory,
which authenticates and authorizes all
users and computers in the domain, through
its
domain
controller.
Using
AD,
administrators can design and enforce
security policies for all the users and the
computers of the company which are part of
the domain.
The most common and dangerous case of
internal security incidents is theft of
enterprises sensitive information. This
could mean theft of:
Intellectual property
Customer related information
Technical drawings
correlation systems:
1. Log reduction event correlation
engines this kind of correlation is
a very simple technique, and uses n
logs
that
contain
redundant
information for creating one or m
logs, where m<n.
2. Rule-based
event
correlation
engines this kind of systems use
predefined security rules applied by
specialized administrators. Before
creating a rule, administrators study
the behavior of attackers and try to
combat every step of the attack with
a rule. The most common forms of
attack imply scanning a victim
system, in order to determine the
vulnerability that they can exploit.
Usually, when a vulnerability is
found, several attacks are launched
to exploit it.
3. Statistical
correlation
event
correlation engines this type of
correlation engine system is
monitoring the normal activity of the
network, by taking measurements
on different variables, on which it
applies algorithms to calculate the
degree of statistical relationship
between the variables. After the
setup has been made, if an
anomaly is detected, an alert is
generated.
For internal security, companies use internal
rules and regulations imposed over
personnel. Most of them consist in contracts
for confidential data nondisclosure, which
employees have to sign. Also, they apply
software controls, in order to protect
sensitive information. The most common
measures are:
Active Directory used to apply
information security rules and
policies for groups of users and
computers
Data Loss Prevention used to
identify and categorize sensitive
information of the company and
3. Event correlation
The main disadvantage that information
security systems active directory and Data
loss prevention are that they act individually
and that they are dominated by false
positives and false negatives. False positive
means that systems indicate a security
breach, even though there is none, and
false negative means that security systems
indicate that there is no security breach,
even though it is. A very important ability of
event correlating systems is that they can
reduce the cases of false positives and
false negatives [3]. These capabilities are
ensured by the fact that event correlation
systems gather information about the same
event from multiple sources, and it can rate
the detection error based on the information
correlated from those sources. Event
correlation engines replicate in real-time the
work that information security systems
make post-incident. This is one of the main
advantages of event correlation systems.
Fig. 2 depicts an event correlation
systems model.
2.1
Measures taken before the
correlation
Before correlation rules can analyze the
logs, preparatory steps are needed.
2.1.1
Log aggregation.
2.1.2
Log prioritization
<UserDN>
-disabled
Description
<UserDN>
-disabled
{yes|no}
Domain
Controller:
authentication and authorization
system for all users and all the
computers from Windows domain in
a network. This allows building and
imposing security policies for all
computers and users and can
deploy, install or run programs
All the attributes must be correctly set in the
script. Before building the script, event
correlating systems take the meta-data
about the user, provided through Active
Directory logs.
If the user is disabled, he wont be able to
logon next time he accessed the computer.
But in order to withdraw all the rights
instantly, a second script fires that logs off
the user automatically. The script has the
following syntax:
shutdown /l /f /m \\userx
Table 2. Prameters for remote logoff
Parameter
Description
/l
/f
/m \\computer
Specifies
computer
the
target
6. Conclusions
In order to ensure an efficient alert system
for information security threats, enterprises
use event correlation systems. The only
purpose of those systems is to alert security
administrators. We have extended this
functionality into taking real time action
against the information security threats that
occur. Our model is based on internal
security measures, intended to block
attempts of intellectual property theft. Our
event correlation system works with Active
Directory domain controller and Data Loss
Prevention system and gathers information
related to internal employees that are in
notice period, in order to detect sensitive
data transfer attempts. In case the events
collected from the sources indicate that
there is an incident on going, a rule fires
and deactivates the user account. In order
to regain access to the companys
resources, the employee must reclaim its
rights. We used this scenario because this
is the most common scenario for intellectual
property theft in enterprises.
To secure the event correlation system, we
impose an approval workflow for gaining
access rights and bring modifications to the
References:
[1] Ponemon Institude, 2013 cost of
data breach Study: Global Analisys,
2013,
https://www4.symantec.com/mktginfo/
whitepaper/053013_GL_NA_WP_Pon
emon-2013-Cost-of-a-Data-Breach-Re
port_daiNA_cta72382.pdf
[2] K. Roebuck, Data Loss Prevention
(DLP): High-impact Strategies
What You Need to Know:
Definitions,
Adoptions,
impact,
Benefits, Maturity, Vendors, ISBN
1743045492,
9781743045497,
Emereo Pty Limited, 2011
[3] Anton A.
Chuvakin,
Kevin J.
Schmidt,
Logging and Log
Management: The Authoritative
Guide
to
Understanding
the
Concepts Surrounding Logging and
Log Management Dec 13, 2013,
ISBN-10:1597496359,
ISBN-13:978-1597496353,
First
Edition
[4] Debar, Herv and Wespi, Andreas,
Aggregation and Correlation of
Intrusion-Detection Alerts, London :
Springer-Verlag, 2001. RAID '00
Proceedings of the 4th International
Symposium on Recent Advances in
Intrusion Detection . pp. 85-103.
[5] Brian Desmond, Joe Ritchards,
Robbie
Allen,
Alistair
G.