
Metrics using data from SEPM (part three)

Created: 08 Sep 2009 • Updated: 19 Oct 2009 | 2 comments
By jeffwichman
 
You’ve impressed your C-level management with your metrics on malware infections throughout your organization. It is time to expand on our previous report with additional information pulled directly from the SEPM system. In this article we will look at report metrics for the SEP firewall and IDS.
 
In order to save space and time, please make sure you’ve read the previous articles on SEPM metrics. 
 
Let’s get started.
 
Exporting the necessary logs
With your SEPM console open, click on the Monitors item in the left window pane.
Click on the Logs tab in the main window.
Choose the Log Type: Network Threat Protection
Choose the Log Content: Attacks
**Choose the Time Range: Past Month Dates (manually choose your date/time)
Click the Advanced Settings option
Click Save Filter
Name the Filter: Monthly NTP Attack Metrics
Click OK after the window pops up stating the filter was saved.
Now that the saved filter reads “Monthly NTP Att..”, click View Log
Click the Export link.
A standard Windows Save dialog opens. Normally I will save the file in the format 0809_NTPAttack_Report.txt for historical purposes.
 
Now let’s repeat that for the next set of logs we will pull data from.
 
With your SEPM console open, click on the Monitors item in the left window pane.
Click on the Logs tab in the main window.
Choose the Log Type: Network Threat Protection
Choose the Log Content: Traffic
**Choose the Time Range: Past Month Dates (manually choose your date/time)
Click the Advanced Settings option
Click Save Filter
Name the Filter: Monthly NTP Traffic Metrics
Click OK after the window pops up stating the filter was saved.
Now that the saved filter reads “Monthly NTP Tra..”, click View Log
Click the Export link.
A standard Windows Save dialog opens. Normally I will save the file in the format 0809_NTPTraffic_Report.txt for historical purposes.
 
I have not worked with capturing traffic or packet logs yet, so I will skip diving into that type of log content at this point. From my initial tests, however, there will be enough interesting information captured in the traffic log to generate some metrics; we are just not at that point yet.
 
** The date/time has to be chosen manually until (or unless) Symantec allows a scheduled export of the raw logs from the SEPM, rather than only the simplified reports available in SEPM (the .mht files are nice but lack the detail we need to work with).
 
 
Now that we have our spreadsheets created, let’s open them up and look at the kind of information (and there is a lot of it) that Symantec captured. Here is the list of fields included in the Firewall Attack content. It is a treasure trove of information we can use to enhance our security posture and provide management with some excellent metrics.
 
 
Time Stamp
Event Type
Event Time
Severity
Host Name
Current IP Address
Historical IP Address
Remote Host IP
Remote Host Name
Network Protocol
Traffic Direction
Application Name
Begin Time
End Time
Repetition
Alert
Send SNMP Trap
Local Host Mac
Remote Host Mac
Location Name
Username
Hack Type
OS Type
Event Description
Domain Name
Site Name
Server name
Group Name
Computer Name
 
Let’s think carefully about what we want management to know. They are likely not interested in the technical details, so let’s keep our metrics at a higher level that we can use to tell management a story.
 
One of the first items I pull up is the traffic direction and the count of alerts. Let’s grab Traffic Direction and drop it into the Column Fields area of a pivot table.
 
The primary fields we will work with from the Field List are:
 
Traffic Direction - Drop Column Fields Here
Alerts - Drop Data Items Here
Severity - Drop Row Fields Here
Blank/Nothing - Drop Page Fields Here
 
We should see something similar to the image below. Why is this important? You can explain to management the relation of inbound versus outbound attacks detected. In my opinion we should always focus on outbound attacks, because something may have already gained a foothold on one of our clients or, worse, someone might be a malicious insider.
 
[Image: Firewall_Attack_Traffic_Direction.JPG]
 
If you want your analysts to start digging, this makes it easy to start. Double-click on the Outbound/Critical cell and a new spreadsheet opens with the details of those 95 alerts. In the majority of ours we have detected and blocked googletalk.exe from making a connection to the outside world (but we still examine it every week).
 
The second set of statistics I like to gather from the IDS (Attacks) logs works with the Event Description. So let’s clear our previous pivot table and drop the following items into the respective locations.
 
Nothing/Blank - Drop Column Fields Here
Hack Type - Drop Data Items Here
Event Description - Drop Row Fields Here
Severity - Drop Page Fields Here
 
You will need to narrow the column width in order to work with the information (at least I do). Now we have a view of all of the previous month’s IDS alerts with a count to go along with each. Let’s open the drop-down for Event Description and uncheck anything that does NOT start with [SID: #####]. This again would be a great place for your analysts or support staff to begin looking into possibly compromised systems. However, we can use this information for management as well. We can see that many of our alerts begin with something in common, so we can perform counts on everything that starts with HTTP, contains "tracking cookie", RPC, SQL, or whatever pattern you want to use. Just remember to keep the patterns consistent from month to month so your data stays comparable.
 
[Image: Firewall_Attack_Event_Description.JPG]
 
 
Another one of my favorites (not for management but for me) is the Remote Host IP/Direction. 
 
Traffic Direction - Drop Column Fields Here
Severity - Drop Data Items Here
Remote Host IP - Drop Row Fields Here
Nothing/Blank - Drop Page Fields Here
 
Once you have these fields filled in you can see a picture of the number of alerts detected per attacking IP address. We can take the list of attackers (especially the ones with a large number of events) and put them into a Host List in our SEPM policy. Add a firewall rule to block that list of hosts and bingo, you’ve added another layer of protection. However, be careful! You may accidentally block something that was a false positive. Research each remote IP address to figure out what is behind it, if possible, before blocking it.
 
[Image: Firewall1.JPG]
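The three pivot tables above (Traffic Direction by Severity, the [SID: #####]-only Event Description counts grouped by pattern, and the per-Remote-Host-IP ranking from this section) can also be produced outside Excel. The Python below is an added example, not code from the article or from Symantec. It assumes the SEPM export is tab-delimited text with a header row carrying the field names listed earlier; the rows embedded in it are constructed sample data, not real SEPM output, and the pattern list is an illustrative one that should be fixed once and reused every month.

```python
"""Pivot a SEPM Network Threat Protection (Attacks) export the way the
article's three Excel pivot tables do.

Assumption (not confirmed by the article): the export is tab-delimited text
with a header row of the field names listed in the article.
"""
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export: a subset of the exported columns is enough for
# the pivots. IPs are documentation ranges; descriptions are made up.
SAMPLE_EXPORT = "\n".join([
    "Time Stamp\tSeverity\tHost Name\tRemote Host IP\tTraffic Direction\tApplication Name\tEvent Description",
    "2009-08-03 09:12:01\tCritical\tWS01\t203.0.113.5\tOutbound\tgoogletalk.exe\t[SID: 20001] HTTP Suspicious Executable Download",
    "2009-08-03 09:14:37\tCritical\tWS02\t203.0.113.5\tOutbound\tgoogletalk.exe\t[SID: 20001] HTTP Suspicious Executable Download",
    "2009-08-05 22:01:10\tMajor\tWS03\t198.51.100.7\tInbound\tSystem\t[SID: 21000] RPC Server Service Request Overflow",
    "2009-08-05 22:01:12\tMajor\tWS03\t198.51.100.7\tInbound\tSystem\t[SID: 21000] RPC Server Service Request Overflow",
    "2009-08-06 03:40:00\tMinor\tWS04\t198.51.100.7\tInbound\tSystem\tPort scan detected",
    "2009-08-11 14:22:45\tCritical\tWS05\t192.0.2.44\tInbound\tsqlservr.exe\t[SID: 22000] SQL Server Resolution Service Overflow",
    "2009-08-12 10:05:09\tMinor\tWS01\t198.51.100.9\tOutbound\tiexplore.exe\t[SID: 23000] Tracking Cookie",
    "2009-08-20 01:17:33\tMajor\tWS06\t203.0.113.77\tInbound\tSystem\t[SID: 21000] RPC Server Service Request Overflow",
])


def load_export(text):
    """Parse the tab-delimited export into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def pivot_count(rows, row_field, col_field=None, page_filter=None):
    """Count rows per (row value, column value), like a PivotTable with a
    count in the Data Items area. page_filter is a {field: value} dict that
    plays the role of the Page Fields area and is applied first."""
    table = defaultdict(Counter)
    for r in rows:
        if page_filter and any(r.get(k) != v for k, v in page_filter.items()):
            continue
        col = r[col_field] if col_field else "Total"
        table[r[row_field]][col] += 1
    return {k: dict(v) for k, v in table.items()}


# Only IDS signature hits start with "[SID: nnnnn]"; everything else is dropped,
# matching the article's "uncheck anything that does NOT start with [SID: #####]".
SID_PREFIX = re.compile(r"^\[SID: \d+\]")

# Illustrative category patterns (hypothetical); first match wins, so keep the
# list and its order unchanged from month to month for comparable figures.
CATEGORIES = [
    ("HTTP", re.compile(r"HTTP", re.I)),
    ("Tracking cookie", re.compile(r"tracking cookie", re.I)),
    ("RPC", re.compile(r"RPC", re.I)),
    ("SQL", re.compile(r"SQL", re.I)),
]


def categorize_event_descriptions(rows, categories=CATEGORIES):
    """Count [SID: nnnnn] events per pattern category; unmatched go to Other."""
    counts = Counter()
    for r in rows:
        desc = r["Event Description"]
        if not SID_PREFIX.match(desc):
            continue
        for name, pattern in categories:
            if pattern.search(desc):
                counts[name] += 1
                break
        else:
            counts["Other"] += 1
    return dict(counts)


def top_remote_hosts(rows, direction="Inbound", n=5):
    """Rank remote IPs by event count for one traffic direction. These are
    candidates for a SEPM Host List, but each must be researched first
    (false positives get blocked just as effectively as attackers)."""
    hits = Counter(r["Remote Host IP"] for r in rows if r["Traffic Direction"] == direction)
    return hits.most_common(n)


ROWS = load_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    # Pivot 1: Severity rows x Traffic Direction columns, count of alerts.
    for severity, by_direction in pivot_count(ROWS, "Severity", "Traffic Direction").items():
        print(severity, by_direction)
    # Pivot 2: Event Description counts, Critical only via the page filter.
    print(pivot_count(ROWS, "Event Description", page_filter={"Severity": "Critical"}))
    print(categorize_event_descriptions(ROWS))
    # Pivot 3: attacking remote hosts by direction.
    print(top_remote_hosts(ROWS, "Inbound"))
```

To run it against a real export, replace `SAMPLE_EXPORT` with the contents of a file such as 0809_NTPAttack_Report.txt; the header names in the file, not the column positions, are what the functions key on, so extra columns in the export are harmless.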
 
One additional piece of information (whose value is questionable, IMO) is taking your list of Remote IP addresses from the previous pivot table and determining the countries associated with them. I simply grab 400 IPs at a time, head over to http://software77.net/geo-ip/multi-lookup/, enter the IPs, hit the Lookup button and save the output into a new text file. You can easily import this text file into Excel and get a count of the top attacking countries your organization encounters. The reason I feel this data is questionable is that bots are remotely controlled, so it is difficult to truly gauge who is attacking.
 
[Image: CountryLookup.JPG]
 
You get the idea here. Build some data that makes sense to you (and your management team) so they can get a realistic picture of the threats facing your organization. Once I get some decent data on traffic/packet logs that management might like, I will be sure to post another follow-up.

Comments (2)

Vikram Kumar-SAV to SEP:

These articles are really helpful...

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Bekir:

Awesome jeff...

Is there going to be follow-ups to the series :) ?

Thanks!

Best regards,
Bekir Burak Durmaz
