
Selected Readings in Computer Science Current Literature (976)

軟考 (Software Qualification Exam)  Editor in charge: iamyoos  2005-08-31


Event Correlation

Definition: Event correlation is the process of monitoring what is happening on networks and other systems in order to identify patterns of events that might signify attacks, intrusions, misuse or failure.

In today’s interconnected world, network management is critically important. Those who maintain the network need to quickly pinpoint and fix any problem, whether it’s a malfunctioning mail daemon or a damaged fiber-optic link.

Luckily, almost every part of a modern network provides data about what it’s doing:

● Operating systems log systems and security events.

● Servers keep records of what they do.

● Applications log errors, warnings and failures.

● Firewalls and virtual private network gateways record traffic deemed suspicious.

● Network routers and switches watch what goes on between network segments.

● Messaging systems forward alerts, such as Simple Network Management Protocol (SNMP) traps, to a central management console.

Besides monitoring their own behavior, all these devices and management programs receive and relay messages from other network systems, leading to duplicate alerts. A single failure or problem can generate a blizzard of event messages.

The more complex the network and the more applications that are distributed, the more event messages, alarms and alerts the appliances will generate. In the end, far more data is generated than anyone can easily scan.

According to Chris Jordan, a security manager at Computer Sciences Corp., OC-12 connections can generate about 850 megabytes of event data in an hour. (OC-12 is a fiber-optic connection with bandwidth of 622Mbit/sec.) That translates into more than 600GB of data per month, or 7TB a year, just for logs and alerts related to a single network link.

Event correlation simplifies and speeds the monitoring of network events by consolidating alerts and error logs into a short, easy-to-understand package. A network administrator can deal with, say, 25 events based on cross-referencing intrusion alerts against firewall entries and host/asset databases much more efficiently than when he must scan 10,000 mostly normal log entries.

The benefits can be very real: more efficient use of staff time and skills, as well as the prevention of revenue loss resulting from downtime.

According to Marcus Ranum, an independent computer and communications security consultant in Woodbine, Md., correlation is something everyone wants, but nobody even knows what it is. It's like liberty or free beer: everyone thinks it's a great idea and we should all have it, but there's no road map for getting from here to there. Still, a variety of technologies and operations are associated with event correlation:

Compression takes multiple occurrences of the same event, examines them for duplicate information, removes redundancies and reports them as a single event. So 1,000 "route failed" alerts become a single alert that says "route failed 1,000 times."

Counting reports a specified number of similar events as one. This differs from compression in that it doesn't just tally repeats of the same event, and that there's a threshold that must be reached before a report is triggered.

Suppression associates priorities with alarms and lets the system suppress an alarm for a lower-priority event if a higher-priority event has occurred.

Generalization associates alarms with some higher-level events, which are what's reported. This can be useful for correlating events involving multiple ports on the same switch or router in the event that it fails. You don't need to see each specific failure if you can determine that the entire unit has problems.

Time-based correlation can be helpful in establishing causality, for instance in tracing a connectivity problem to a failed piece of hardware. Often more information can be gleaned by correlating events that have specific time-based relationships. Some problems can be determined only through such temporal correlation. Examples of time-based relationships include the following:

● Event A is followed by Event B.

● This is the first Event A since the recent Event B.

● Event A follows Event B within two minutes.

● Event A wasn’t observed within Interval I.
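The following is an added example, not part of the original article, showing the correlation operations just described (compression, counting with a threshold, priority-based suppression and time-based "A follows B within N seconds") run over a small constructed event stream; the event names, sources and priority scale are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample event stream (illustrative data, not from the article):
# (timestamp, source device, event name, priority); a higher number is more severe.
RAW_EVENTS = [
    ("2005-08-31 10:00:00", "rtr1", "route failed", 2),
    ("2005-08-31 10:00:01", "rtr1", "route failed", 2),
    ("2005-08-31 10:00:02", "rtr1", "route failed", 2),
    ("2005-08-31 10:00:05", "rtr1", "chassis power loss", 5),
    ("2005-08-31 10:00:30", "fw1", "login failure", 1),
    ("2005-08-31 10:00:40", "fw1", "login failure", 1),
    ("2005-08-31 10:00:50", "fw1", "login failure", 1),
    ("2005-08-31 10:01:10", "fw1", "login failure", 1),
    ("2005-08-31 10:01:20", "fw1", "login success", 1),
]

def parse(raw):
    """Turn the raw tuples into (datetime, source, event, priority) records."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), src, ev, pri) for t, src, ev, pri in raw]

def compress(events):
    """Compression: collapse repeats of the same event into one entry with a count."""
    tally = Counter((src, ev) for _, src, ev, _ in events)
    return {f"{src}: {ev}": n for (src, ev), n in tally.items()}

def count_threshold(events, name, threshold):
    """Counting: report similar events as one, but only once `threshold` is reached."""
    n = sum(1 for _, _, ev, _ in events if ev == name)
    return f"{name} x{n} (threshold {threshold})" if n >= threshold else None

def suppress(events):
    """Suppression: per source, drop alarms of lower priority than the highest one seen."""
    top = {}
    for _, src, _, pri in events:
        top[src] = max(top.get(src, 0), pri)
    return [(src, ev) for _, src, ev, pri in events if pri == top[src]]

def follows_within(events, first, second, window_s):
    """Time-based: '`second` follows `first` within `window_s` seconds' on the same source."""
    firsts = [(src, t) for t, src, ev, _ in events if ev == first]
    return [(src, ev, t.strftime("%H:%M:%S")) for t, src, ev, _ in events
            if ev == second and any(s == src and 0 <= (t - ft).total_seconds() <= window_s
                                    for s, ft in firsts)]

if __name__ == "__main__":
    ev = parse(RAW_EVENTS)
    print(compress(ev), count_threshold(ev, "login failure", 3), suppress(ev),
          follows_within(ev, "route failed", "chassis power loss", 10), sep="\n")
```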

Event correlation, in its basic form, is becoming almost a commodity product. If you want to reduce the number of events and alarms and have some level of topological awareness to eliminate duplicates, that’s pretty standard and working today.

Event Correlation

Definition: Event correlation is a process that monitors what is happening on networks and in other systems in order to identify patterns of events that may indicate attacks, intrusions or failures.

In today's interconnected world, network management is critically important. Those who maintain the network need to quickly pinpoint and resolve any problem, whether it is a malfunctioning mail daemon or a damaged fiber-optic line.

Fortunately, almost every part of a modern network provides data about what it is doing:

● Operating systems log system and security events.

● Servers keep records of what they do.

● Applications log errors, warnings and failures.

● Firewalls and virtual private network gateways record traffic deemed suspicious.

● Network routers and switches monitor what flows between network segments.

● Messaging systems forward alerts, such as SNMP (Simple Network Management Protocol) traps, to a central management console.

Besides monitoring their own behavior, all these devices and management programs also receive and relay messages from other network systems, leading to duplicated alerts. A single fault or problem can produce a flood of event messages.

The more complex the network and the more widely distributed the applications, the more event messages, warnings and alerts are generated. As a result, far more data is produced than anyone can easily read through.

Chris Jordan, a security manager at Computer Sciences Corp., says an OC-12 connection can generate about 850 megabytes of event data in an hour (OC-12 is a fiber-optic connection with a bandwidth of 622 Mbit/sec). For the logs and alerts related to a single network link alone, that means more than 600GB of data a month, or 7TB a year.

Event correlation simplifies and speeds up the monitoring of network events by consolidating alerts and error logs into short, easy-to-understand packages. A network administrator can, for example, handle 25 events based on cross-referencing intrusion alerts against firewall entries and host/asset databases far more efficiently than when he has to scan 10,000 logged events.

The benefits are very real: more efficient use of staff time and skills, and prevention of revenue losses caused by downtime.

Marcus Ranum, an independent computer and communications security consultant in Woodbine, Md., says correlation is something everyone wants, but nobody knows what it looks like. It is much like liberty or free beer: everyone thinks it is a great idea and we should all have it, but there is no road map for how to get there. Still, a number of technologies and operations can be used for event correlation:

Compression takes multiple occurrences of the same event, examines them for duplicated information, removes the redundancy and reports them as a single event. Thus 1,000 "route failed" alerts become a single alert saying "route failed 1,000 times".

Counting reports a specified number of similar events as one (event). It differs from compression in that it does not merely tally the same event, and it has a threshold for triggering a report.

Suppression associates priorities with alarms; if a higher-priority alarm occurs, it lets the system suppress lower-priority events.

Generalization associates alarms with some higher-level events, which are what is reported. This is useful when correlating events involving multiple ports on the same switch or router in case that switch or router fails. If you can determine that the whole device has a problem, you do not need to look at each specific failure.

Time-based correlation helps establish causality, for example tracing a connectivity failure to a failed hardware component. Often, more information can be gathered by correlating events that have specific time-based relationships. Some problems can only be determined through temporal correlation. The following are examples of time-based relationships:

● Event B closely follows Event A.

● The first Event A since the most recent Event B.

● Event A follows Event B within two minutes.

● Event A was not observed within Interval I.

Event correlation, in its basic form, has almost become a commodity product. If you want to reduce the number of events and alarms and have some level of topological awareness for eliminating duplicates, then (event correlation) is a well-established standard that works today.
