This post concludes our series on the potential of Intelligent Security Perimeters for network protection. Qualitative analysis of traffic that goes beyond simple SIEM reporting raises the situational awareness of IT administrators by acting as a predictor of security posture rather than a record of past events.
We'll now examine some of the possible factors for such a qualitative model, and will revisit these ideas in later posts on evolving Firewall Log Analyzers. The network activities that are prominent candidates for a qualitative predictive model are already present in the event logs an ordinary SIEM collects.
For example, an event log for either application control or intrusion detection/prevention will contain common elements such as source and destination port numbers, source and destination IPs, the application or attack type and, depending on the UTM firewall vendor, category information describing the traffic.
All of this information can be analyzed and correlated to develop predictive capabilities that warn and advise IT managers on security posture. For example, session information may reveal an internal host that is listening on a port reachable from outside and is otherwise inactive. A bind-shell style backdoor waiting for an inbound command-and-control connection looks exactly like this, so the host deserves a closer look before such a connection arrives. Note that most malware today beacons outbound instead, so the complementary check, an otherwise quiet host making regular outbound connections, matters at least as much.
Another case is a run of consecutive failed connection attempts. A fixed, repeated sequence of attempts to closed ports is port knocking, which some backdoors use to open a hidden service only after the right sequence arrives; a rising number of failures spread across many different ports is a scan. Either pattern, especially when it precedes a successful connection to an unusual port, is an indicator that an attacker or malware is probing for a specific exploitable application or service.
Event categories and geographic sources are also indicators of the quality of traffic. Most UTM devices rate traffic by a subjective category, for example whether a website is Porn, Business, News, or something else. Knowing the normal pattern of traffic categories, and in particular where traffic originates, helps identify when a malware pattern is being observed. Geolocation is a weak signal on its own, since attackers route through VPNs, cloud providers and compromised hosts in the victim's own country, so it should raise a score rather than trigger an alert by itself.
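The three indicators above (a silent host accepting inbound connections, failed-attempt patterns that distinguish a port-knock sequence from a scan, and category or geography anomalies) can be run over ordinary firewall events. The following is an added example written for this post, not code from any UTM vendor or SIEM product. It assumes a generic `key=value` log line format, an internal range of 10.0.0.0/8, an allowed-country set of US and DE, and vendor category names such as `Proxy-Avoidance`; all of these are assumptions, and the log lines are constructed for illustration.

```python
"""Qualitative checks over constructed UTM-style firewall events (added example)."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
ALLOWED_COUNTRIES = {"US", "DE"}                         # assumed business footprint
SUSPECT_CATEGORIES = {"Malicious", "Proxy-Avoidance"}    # assumed vendor category names

# Constructed sample log, generic key=value style. It contains:
#  - 198.51.100.7 knocking 7000,8000,9000 twice on 10.0.0.8, then an accepted
#    connection to 4444 on a host that never talks outbound (silent listener)
#  - 192.0.2.33 failing against five different ports on 10.0.0.5 (scan)
#  - 10.0.0.5 reaching a Proxy-Avoidance site in a non-allowed country
SAMPLE_LOG = """\
ts=1 srcip=10.0.0.5 dstip=203.0.113.9 srcport=51000 dstport=443 action=accept cat=Business srccountry=US dstcountry=US
ts=2 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40000 dstport=7000 action=deny cat=- srccountry=RU dstcountry=US
ts=3 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40001 dstport=8000 action=deny cat=- srccountry=RU dstcountry=US
ts=4 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40002 dstport=9000 action=deny cat=- srccountry=RU dstcountry=US
ts=5 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40003 dstport=7000 action=deny cat=- srccountry=RU dstcountry=US
ts=6 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40004 dstport=8000 action=deny cat=- srccountry=RU dstcountry=US
ts=7 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40005 dstport=9000 action=deny cat=- srccountry=RU dstcountry=US
ts=8 srcip=198.51.100.7 dstip=10.0.0.8 srcport=40006 dstport=4444 action=accept cat=- srccountry=RU dstcountry=US
ts=9 srcip=192.0.2.33 dstip=10.0.0.5 srcport=33001 dstport=21 action=deny cat=- srccountry=CN dstcountry=US
ts=10 srcip=192.0.2.33 dstip=10.0.0.5 srcport=33002 dstport=22 action=deny cat=- srccountry=CN dstcountry=US
ts=11 srcip=192.0.2.33 dstip=10.0.0.5 srcport=33003 dstport=23 action=deny cat=- srccountry=CN dstcountry=US
ts=12 srcip=192.0.2.33 dstip=10.0.0.5 srcport=33004 dstport=25 action=deny cat=- srccountry=CN dstcountry=US
ts=13 srcip=192.0.2.33 dstip=10.0.0.5 srcport=33005 dstport=80 action=deny cat=- srccountry=CN dstcountry=US
ts=14 srcip=10.0.0.5 dstip=203.0.113.50 srcport=51001 dstport=443 action=accept cat=Proxy-Avoidance srccountry=US dstcountry=NL
"""


def parse_log(text):
    """Turn key=value lines into dicts; ts and dstport become ints."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = int(fields["ts"])
        fields["dstport"] = int(fields["dstport"])
        events.append(fields)
    return events


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_scanners(events, min_ports=5):
    """External sources denied on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny" and not is_internal(e["srcip"]):
            ports[e["srcip"]].add(e["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_knock_sequences(events, min_len=3):
    """Per (src, dst) pair, a sequence of distinct denied ports repeated back to back."""
    denied = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "deny":
            denied[(e["srcip"], e["dstip"])].append(e["dstport"])
    found = {}
    for pair, ports in denied.items():
        n = len(ports)
        for length in range(min_len, n // 2 + 1):
            for i in range(n - 2 * length + 1):
                seq = ports[i:i + length]
                # distinct ports: a single port hammered repeatedly is brute force, not a knock
                if seq == ports[i + length:i + 2 * length] and len(set(seq)) == length:
                    found[pair] = seq
                    break
            if pair in found:
                break
    return found


def find_silent_listeners(events):
    """Internal hosts accepting inbound external connections without any outbound session."""
    outbound = set()
    inbound = defaultdict(set)
    for e in events:
        src_in, dst_in = is_internal(e["srcip"]), is_internal(e["dstip"])
        if src_in and not dst_in:
            outbound.add(e["srcip"])
        elif dst_in and not src_in and e["action"] == "accept":
            inbound[e["dstip"]].add((e["srcip"], e["dstport"]))
    return {host: sorted(peers) for host, peers in inbound.items() if host not in outbound}


def find_suspect_sessions(events):
    """Accepted outbound sessions to a suspect category or a country outside the allowed set."""
    hits = []
    for e in events:
        if e["action"] != "accept" or not is_internal(e["srcip"]):
            continue
        reasons = []
        if e["cat"] in SUSPECT_CATEGORIES:
            reasons.append("category:" + e["cat"])
        if e["dstcountry"] not in ALLOWED_COUNTRIES:
            reasons.append("country:" + e["dstcountry"])
        if reasons:
            hits.append((e["srcip"], e["dstip"], reasons))
    return hits


def assess(text):
    events = parse_log(text)
    return {
        "scanners": find_scanners(events),
        "knocks": find_knock_sequences(events),
        "silent_listeners": find_silent_listeners(events),
        "suspect_sessions": find_suspect_sessions(events),
    }


if __name__ == "__main__":
    for name, hits in assess(SAMPLE_LOG).items():
        print(name, hits)
```

The knock detector deliberately requires the ports in the sequence to be distinct and the sequence to repeat, so it separates a genuine knock from both a scan (many ports, no repetition) and a brute-force attempt (one port, many repetitions); in the sample, the knocker touches only three ports and so never trips the scanner threshold, while the scanner never repeats a sequence. In production the same checks would run over a sliding time window rather than the whole file.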
All of these are checks that require attention in real time. A forensic examination after the fact can explain an incident but cannot prevent it, so the ability to perform qualitative analysis as traffic flows is a significant factor in Intelligent Security Perimeter design.