Many companies use different tools to protect their assets, and vulnerability management scans are very popular today. However, some companies handle so many applications or assets that it becomes difficult to bring order to all the data they collect. How can we keep track of a system that organizes so much information? In this context, event correlation is not only important: it is necessary.
What is Event Correlation?
In simple terms: event correlation allows us to discover and apply logical associations between events. These events can come from any kind of log, even isolated or disparate ones.
Event correlation allows us not only to organize these records, but also to make better decisions based on the data collected, because we gain a clearer and broader view of the events occurring around our assets. Not only that: we can better identify the threats detected and respond to them. Event correlation also allows us to check the effectiveness of our security controls.
Through data collection, we can understand where the failures are, how our protocols react and what it takes to correct that particular error. In addition, it can measure compliance with PCI, HIPAA, SOX and other standards that matter to the company.
As a troubleshooting tool, event correlation is also important for auditing users. The logs contain the essential data collected from the network and the information of each device. We can know what users are doing, what data they are accessing, which are the weak points in our system in relation to network activity, which system indicates a security threat or an ongoing attack, etc.
Complexity and management of Event Correlation
84% of organizations that had a security breach had prior evidence of it in their log files. If those logs were being monitored, why weren’t the breaches avoided? Simple: log files do not shout “Attack in progress”. You have to know how to read them, and that is where the importance of these practices begins.
First, the logs fed into event correlation vary between systems; there may even be changes from one version to another of the same system. Second, there is the matter of language: some logs are written in plain, understandable language, while others are encoded or extremely verbose. Besides, each system evaluates activity through its own filter. For example, a network IDS sees packets and sequences, while an application log sees sessions, users and requests. Although they record similar activities, the way they articulate those activities is different.
Another detail to note is that these records capture static, fixed points in time, so on their own they do not give us the complete context of the sequence of related events. Logical analysis through event correlation rules is therefore important to get the full context. Event correlation provides the answer to these challenges; it is thanks to it that security analysts can decide how to respond to failures. Yet what turns raw log data into alarms is the use of event correlation rules. They tell us what to think about unprocessed log events, connecting the dots between apparently unrelated data. The logic in the event correlation rules translates plain log fragments into alarms, and from there we can put the appropriate actions in place.
Let’s talk about Event Correlation using some examples
An example of event correlation can occur with intruder detection. Let’s say there is an employee account that has not been accessed for years. Suddenly, many login attempts appear in the logs. That account could start executing suspicious commands in a matter of time. Using event correlation, the security team can state that an attack is in progress.
Now, let’s say that after many login attempts, one was successful. In the correlation, the system marks this event as “curious.” Then we notice that 15 minutes earlier, someone scanned a system port. Now we notice that the IP address of the port scan and that of the login attempts are the same. Here event correlation informs us by raising the importance of that event to high concern.
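The scenario above, and the earlier point that correlation rules rather than raw logs are what produce alarms, as an added Python example that is not code from the original post: it applies those rules to constructed sample events and returns alarms with a severity. The thresholds, time windows and the dormant-account list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original post): a long-dormant
# account gets a burst of failed logins and then a success, and the same
# source IP ran a port scan roughly 15 minutes earlier.
SAMPLE_EVENTS = (
    [{"ts": "2024-05-01T09:45:00", "type": "portscan", "src": "203.0.113.7"}]
    + [{"ts": f"2024-05-01T10:00:{s:02d}", "type": "login_failed",
        "src": "203.0.113.7", "user": "jdoe"} for s in range(0, 50, 10)]
    + [{"ts": "2024-05-01T10:01:00", "type": "login_ok",
        "src": "203.0.113.7", "user": "jdoe"}]
)
DORMANT_ACCOUNTS = {"jdoe"}  # assumption: supplied by an identity/HR source


def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              scan_lookback=timedelta(minutes=30)):
    """Apply the rules from the text and return a list of alarm dicts.

    A success after many recent failures is marked "curious"; it is raised
    to "high" if the account was dormant or the same source IP port-scanned
    us within scan_lookback.
    """
    failures = {}  # (user, src) -> timestamps of failed logins
    scans = {}     # src -> timestamps of port scans
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort in time order
        t = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "portscan":
            scans.setdefault(ev["src"], []).append(t)
        elif ev["type"] == "login_failed":
            failures.setdefault((ev["user"], ev["src"]), []).append(t)
        elif ev["type"] == "login_ok":
            key = (ev["user"], ev["src"])
            recent = [f for f in failures.get(key, []) if t - f <= fail_window]
            if len(recent) < fail_threshold:
                continue  # an ordinary login: no alarm, no noise
            reasons = [f"{len(recent)} failed logins just before success"]
            severity = "curious"
            if ev["user"] in DORMANT_ACCOUNTS:
                reasons.append("account dormant")
                severity = "high"
            if any(t - s <= scan_lookback for s in scans.get(ev["src"], [])):
                reasons.append("same IP port-scanned us shortly before")
                severity = "high"
            alarms.append({"severity": severity, "user": ev["user"],
                           "src": ev["src"], "reasons": reasons})
    return alarms
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity alarm for jdoe from 203.0.113.7 with all three reasons attached; a lone successful login with no preceding failures produces nothing.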
If we tried to find these events through manual correlation alone, we would have to rely more on luck than on skill. As human beings, we would have to add the context of the event to the data collected ourselves. Besides, we would have to work out how the pieces fit together to detect these correlations.