Security Event Detection – Man vs Machine

Doug Picotte    |    July 01, 2010


Salutations, pop culture and security lovers! I have always been intrigued with science fiction themes where machines serve man. Initially, the relationship seems to work well; both machine and man exist in harmony while getting their work completed. Of course, the interesting turn of events is when the machines gain enough "intelligence" to determine there is no longer a need for the inferior humans. Let the carnage begin! This is especially true in the Star Trek and Terminator series. I also cannot fail to mention the film "2001: A Space Odyssey" and the main computer "HAL". HAL eventually needed to be deactivated after several attempts to kill the humans on the space mission. I love it when they request HAL to "rotate the pod" to see if the machine is listening as the crewmen conspire to deactivate the super computer.

As usual, you may ask yourself, what does this have to do with data security? The point is that no matter how good the threat detection technology (the machine) becomes, there will always need to be a human element that oversees and validates security events prior to alerting the client. The true value we [Solutionary] bring to the client is a combination of People (SOC Analysts and other support personnel), Processes (implementation, alerting, escalation), and Technology (ActiveGuard) that all work together in concert to provide relevant, intelligent security services.

Here are a couple of examples of threat detection to illustrate my point.

Spyware, Adware, Malware Detection

The following security event represents malware being detected on a client network. Malware can be inadvertently installed on client machines in many ways, including the installation of third-party search bars or news and weather bar applications on the desktop. Oftentimes the malware-infected machine will send usage or personal information back to a central collection server to be used later for malicious purposes. The analyst viewing the event queue determines that a single host is communicating outbound (using port 80) to hosts all over the world.

Figure 1: Spyware, Adware, Malware event queue view

Further investigation by the analyst confirms the infection by identifying the string "Relevant Knowledge" listed in the payload decode. This is known to be a common spyware/malware footprint. The analyst would typically notify the client of the event and recommend running the appropriate anti-spyware or anti-malware removal software to resolve the issue.

Figure 2: Spyware, Adware, Malware log line view

Additionally, the analyst views the Snort signature that fired the alert. In this case, the specific spyware detected by the signature is identified as "Hijacker market score runtime detection". The Snort signature's content string is identified as "User Agent OSS Proxy". Notice that the content string found in the Snort signature is also present in the decoded payload. The analyst compares the decoded payload with the Snort signature to manually confirm this is not a false positive event.
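The two checks the analyst performs by hand above, spotting one host on port 80 fanning out to many destinations in the event queue and then comparing the decoded payload against the Snort signature's content string, written out as simple detection logic in Python. This is an added example, not Solutionary's or ActiveGuard's code; the flow records, the decoded HTTP payload, the fan-out threshold of five destinations and the punctuation-tolerant normalisation (so that a raw "User-Agent: OSS Proxy" header matches the content string as the console renders it, "User Agent OSS Proxy") are all constructed assumptions.

```python
"""Added example (not Solutionary's or ActiveGuard's code): the fan-out check
and the payload-versus-signature confirmation from the post, over constructed
sample data."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flow records: (source host, destination host, destination port).
# 10.0.0.17 mimics the infected host beaconing on port 80 to many distinct
# destinations; 10.0.0.23 mimics ordinary browsing.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.0.0.17", "203.0.113.5", 80),
    ("10.0.0.17", "198.51.100.22", 80),
    ("10.0.0.17", "192.0.2.77", 80),
    ("10.0.0.17", "203.0.113.9", 80),
    ("10.0.0.17", "198.51.100.40", 80),
    ("10.0.0.17", "192.0.2.130", 80),
    ("10.0.0.23", "203.0.113.5", 80),
    ("10.0.0.23", "203.0.113.5", 443),
    ("10.0.0.23", "198.51.100.22", 80),
]

# Constructed decoded HTTP payload carrying the vendor string the analyst found
# and the header the Snort signature's content string refers to.
SAMPLE_PAYLOAD = (
    "GET /report.php?id=12345 HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: OSS Proxy\r\n"
    "X-App: Relevant Knowledge\r\n\r\n"
)

# Strings quoted in the post: the signature's content string and the known footprint.
SIGNATURE_CONTENT = "User Agent OSS Proxy"
KNOWN_FOOTPRINT = "Relevant Knowledge"


def outbound_fanout(flows, port: int = 80, threshold: int = 5) -> Dict[str, int]:
    """Return {source: distinct destination count} for every source whose number
    of distinct destinations on `port` meets or exceeds `threshold`. This is the
    'one host talking to hosts all over the world' pattern from the event queue;
    the threshold is an assumption and should be tuned per network."""
    dests = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            dests[src].add(dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


def _normalise(text: str) -> str:
    # Fold case and collapse punctuation and whitespace to single spaces, so the
    # console rendering of a content string and the raw header bytes compare equal.
    # Assumption: the two differ only in case, punctuation and spacing.
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def confirm_alert(decoded_payload: str, signature_content: str, footprint: str) -> Dict[str, bool]:
    """Mirror the analyst's manual check: is the signature's content string really
    in the decoded payload (rules out a false positive), and is the known spyware
    footprint also present (raises confidence in the verdict)?"""
    norm = _normalise(decoded_payload)
    return {
        "signature_content_present": _normalise(signature_content) in norm,
        "known_footprint_present": _normalise(footprint) in norm,
    }


def triage(flows, decoded_payload: str) -> dict:
    """Combine both checks into the verdict an analyst would escalate to the client."""
    suspects = outbound_fanout(flows)
    match = confirm_alert(decoded_payload, SIGNATURE_CONTENT, KNOWN_FOOTPRINT)
    return {
        "suspect_hosts": suspects,
        **match,
        "escalate": bool(suspects) and match["signature_content_present"],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS, SAMPLE_PAYLOAD))
```

The fan-out heuristic alone would also flag a busy proxy or a crawler, which is exactly why the post has the analyst confirm the signature content against the decoded payload before notifying anyone: `triage` only sets `escalate` when both the machine's pattern and the human's content check agree.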
