Sagan log analysis with Websense Threatseeker integration.
A couple of months ago, Quadrant Information Security announce its partnership with Websense. This partnership enables Quadrant's “Sagan” log analysis engine to use the Websense Threatseeker to detect threats that would not be detected using normal signature-based technology.
The idea of using reputation databases with SIEM technology is not new. As a matter of fact, Tyler Cater of McAfee issued a blog post in August 2012 stating that he “had a debate last week with one of our System Engineers about whether our customers needed McAfee Global Threat Intelligence (GTI)”.
McAfee's GTI functions as a reputation database, similar to Websense Threatseeker. While McAfee “debated” about cloud base reputation databases with SIEM, Quadrant was already doing field tests with this technology. However, rather than using McAfee's GTI, Quadrant decided to use Websense's Threatseeker. Quadrant wanted to use the “best breed” of reputation databases, and after intensive research and testing, the clear choice for us was to use Websense Threatseeker.
In this blog posting, I would like to discuss some early results obtained during our “in the field” testing of Sagan with Websense Threatseeker.
Quadrant Information Security has been actively developing Sagan for several years now. At Quadrant, we not only developed Sagan, but we use it to monitor our own assets and those of our clients. When Sagan detects something malicious via real time log analysis, those events are sent to our Security Operations Center. Quadrant is essentially a Managed Security Service Provider (MSSP) and Sagan is one of our core technologies used to determine security events via log analysis.
As the old saying goes, “we eat our own dog food”.
Let’s consider the following log line from a Cisco ASA that happened at one of our clients:
Teardown dynamic TCP translation from inside:10.1.70.103/14286 to Outside:18.104.22.168/443 duration 0:00:30 bytes 4895 TCP FINs
*[Note: the real destination has been replaced by 22.214.171.124]
By itself, this log message contains nothing that would indicate that something malicious might be happening. However, this is Botnet “Command and Control” (C&C) traffic. This is a situation where standard rule based detection fails.
However, with the Sagan Websense processor, we can determine that this session is communications with a known Botnet Command and Control (C&C) and alert the customer in real time.
How does this work?
Each and every log that Sagan receives is pumped through our Sagan Websense processor. When the Sagan Websense processor receives the log message it “normalizes” it. This means that Sagan “extracts” the potentially useful data. In this particular event, Sagan extracts the source and destination IP addresses. Addresses that are not internal LAN addresses or RFC1918 are sent to the Websense Threatseeker cloud and queried.
In this case, the Websense Threatseeker cloud tells Sagan, “The destination IP address is a known Botnet C&C”. Sagan then takes this information and creates an alert. We can pass this alert information on to the staff and they can remediate the issue.
What is more interesting about this log line is that other technologies failed to detect the Botnet C&C traffic.
This is basically what happened; The log line was created by an outside vendor plugging a laptop into our client’s network.
Anti-Virus fails, since the vendor was likely not following the organization’s anti-virus policy. Intrusion Detection/Prevention fails, because the log line indicates that the TCP session was initiated (note the duration and bytes transferred). It is likely that it failed due to the fact that the Botnet C&C was using SSL, which the IDS/IPS was not able to “peer into”. Botnet C&C over encrypted channels is becoming the norm.
Our client removed the laptop from the network and had it scanned. Sure enough, the laptop had been compromised.
All of this was done in real-time and was detected by a seemingly benign log entry from a Cisco ASA.
No other log analysis tool could have done this, and it is all because of our real-time tight integration with the Websense Theatseeker technology.