Friday, September 28, 2007

Firewalls, SIM, and Visualization

Saudi asks for help on the loganalysis mailing list:

"Looking for help in identifying meaningful/actionable reports that we can get from Firewall log analysis."

Normally, I would've replied to the list, but attaching a bunch of JPEG files that will be sent to hundreds of people is poor etiquette. So instead, I'll spam the list with a link to this blog post. :-)

Reports are great and all, and you've gotten some excellent suggestions so far. But I'm a believer in mjr's artificial ignorance model for log analysis, so I put a high value on finding things I didn't know I was looking for. And when you want to do that with millions of events, visualization is the way to go. So here are some ArcSight data monitors I have that are specific to firewall data.

This is a pair of moving average graphs. The green one plots 'accept' messages and the red one plots 'drop' or 'reject' messages. Big spikes or dips in these graphs are interesting. What you can't see in these is that there's a second line along the bottom: that line is the failover firewall. When it fails over, both graphs draw a pretty 'X' with intersecting lines.

This is another moving average graph. I love these things! This one isolates the workstation VLANs (so this is user-land only) and pairs source address with destination port (srcaddr/dstport). Big spikes and long plateaus are usually interesting. The plateaus have traditionally been malware trying to scan or send spam. We've gotten better at catching this stuff on the front end, though, so I rely on this less today than I did 2 years ago. Also, if multiple lines are doing the same thing, that's interesting too, since it can mean multiple infections.
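To make the two moving-average monitors above concrete, here is an added example (my code, not the post's and not anything from ArcSight) that does in Python what the graphs do on screen: it counts accepts and drops per minute and flags a minute that is far above or below the trailing moving average, and it builds per-(srcaddr, dstport) series for workstation sources and flags long flat plateaus. The log line format, the workstation VLAN range (10.20.0.0/16), and the traffic itself are all constructed for the example; a real deployment would swap in the vendor's parser and the site's own address ranges.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed line format for this example, not any vendor's real syntax:
#   <ISO timestamp> <firewall> <accept|drop|reject> src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>accept|drop|reject) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
# Assumed workstation VLAN range; the post does not give its real addressing.
WORKSTATION_VLANS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict (timestamp truncated to the minute), or None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"]).replace(second=0, microsecond=0)
    ev["dport"] = int(ev["dport"])
    return ev


def series(events, key):
    """Per-minute counts for each group that key(ev) returns; every group shares one zero-filled axis."""
    counts = defaultdict(Counter)
    for ev in events:
        k = key(ev)
        if k is not None:
            counts[k][ev["ts"]] += 1
    axis = sorted({b for c in counts.values() for b in c})
    return {k: [(b, c[b]) for b in axis] for k, c in counts.items()}


def moving_average_alerts(points, window=5, spike=3.0, dip=0.33):
    """Flag minutes whose count is far above (spike) or below (dip) the trailing moving average."""
    alerts = []
    for i in range(window, len(points)):
        avg = sum(c for _, c in points[i - window:i]) / window
        when, count = points[i]
        if avg and count > spike * avg:
            alerts.append((when, "spike", count, avg))
        elif avg and count < dip * avg:
            alerts.append((when, "dip", count, avg))
    return alerts


def plateau_alerts(points, min_len=5, floor=5, tolerance=0.25):
    """Flag runs of >= min_len minutes where the count stays within +/-tolerance of the run's first value."""
    alerts, i = [], 0
    while i < len(points):
        base = points[i][1]
        if base < floor:
            i += 1
            continue
        j = i + 1
        while j < len(points) and abs(points[j][1] - base) <= tolerance * base:
            j += 1
        if j - i >= min_len:
            alerts.append((points[i][0], points[j - 1][0], base))
        i = j
    return alerts


def analyze(lines):
    """Return (spike/dip alerts per action, plateau alerts per (src, dport) for workstation sources)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    by_action = series(events, lambda ev: "accept" if ev["action"] == "accept" else "drop")
    action_alerts = {k: moving_average_alerts(pts) for k, pts in by_action.items()}

    def workstation_pair(ev):
        ip = ipaddress.ip_address(ev["src"])
        return (ev["src"], ev["dport"]) if any(ip in net for net in WORKSTATION_VLANS) else None

    plateaus = {k: plateau_alerts(pts) for k, pts in series(events, workstation_pair).items()}
    return action_alerts, {k: v for k, v in plateaus.items() if v}


def build_sample_log():
    """Constructed traffic: steady baseline, one drop burst at minute 20, one workstation hitting port 25 for 8 minutes."""
    t0, lines = datetime(2007, 9, 28, 2, 0), []
    for minute in range(30):
        stamp = (t0 + timedelta(minutes=minute)).isoformat()
        for n in range(20):
            lines.append(f"{stamp} fw1 accept src=10.20.1.{n + 1} dst=192.0.2.10 dport=80")
        for n in range(40 if minute == 20 else 4):
            lines.append(f"{stamp} fw1 drop src=203.0.113.{n + 1} dst=10.0.0.5 dport=445")
        if 10 <= minute < 18:
            for n in range(12):
                lines.append(f"{stamp} fw1 accept src=10.20.1.99 dst=198.51.100.{n + 1} dport=25")
    return lines


if __name__ == "__main__":
    action_alerts, plateaus = analyze(build_sample_log())
    for action, alerts in action_alerts.items():
        for when, kind, count, avg in alerts:
            print(f"{when:%H:%M} {action} {kind}: {count} vs moving avg {avg:.1f}")
    for (src, dport), runs in plateaus.items():
        for start, end, level in runs:
            print(f"{src} -> port {dport}: plateau of ~{level}/min from {start:%H:%M} to {end:%H:%M}")
```

Run as-is, it reports the drop burst at 02:20 (40 drops against a moving average of 4) and the 10.20.1.99 plateau on port 25 from 02:10 to 02:17, while the steady port-80 baseline stays quiet. The spike, dip and plateau thresholds are the knobs you would tune against your own baseline; the plateau floor keeps one-connection-per-minute noise from ever registering.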

This data monitor shows, to scale, firewall events by hour, by severity. Any place you have visible orange or red or green is probably interesting. An abnormally high or low event count per hour is also interesting. The one above shows the overnight hours, so the yellow, orange, and red appear more prevalent because there are fewer events in those buckets.

This data monitor is a pie graph that shows last-hour firewall events by target country code. This probably doesn't work for all organizations, but my company is based and does business exclusively in the US. That means that any large amount of traffic destined for RU or CN is probably the start of a bad day for me.

This data monitor is just a chart that displays the Top 10 sources of blocked traffic. I've whited out the actual IPs, but you can see the zone details. (The top 3 DMZ servers are due to a recent change in the firewall that the servers haven't caught up to.)
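The last three monitors (events by hour and severity, last-hour traffic by destination country, Top 10 sources of blocked traffic) are all aggregations over the same event stream, so here is one added example that computes all three and adds the "is this hour abnormal?" and "is too much going to a foreign country?" checks the text describes. It is my code, not the post's and not ArcSight's, and it works on already-normalized events (dicts with timestamp, severity, action, source, zone, destination country) that are constructed inline; the zone names, addresses, the US home-country assumption and the 10% threshold are all assumptions for the example. The hourly check goes a bit beyond the post by using a median/MAD baseline so a single burst hour can't hide itself by inflating the average.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "US"  # assumption following the post: the company does business only in the US


def hour_severity_matrix(events):
    """Pivot events into {hour: Counter(severity)}: the numbers behind an hour-by-severity chart."""
    matrix = defaultdict(Counter)
    for ev in events:
        matrix[ev["ts"].replace(minute=0, second=0, microsecond=0)][ev["severity"]] += 1
    return dict(matrix)


def abnormal_hours(matrix, k=3.0):
    """Hours whose total count is more than k robust standard deviations from the median of all hours.
    The median absolute deviation (scaled by 1.4826) stands in for the standard deviation so one
    burst hour cannot widen the band enough to hide itself."""
    totals = {h: sum(c.values()) for h, c in matrix.items()}
    med = statistics.median(totals.values())
    mad = statistics.median(abs(t - med) for t in totals.values()) or 1.0
    return sorted(h for h, t in totals.items() if abs(t - med) > k * 1.4826 * mad)


def country_share(events, now=None, home=HOME_COUNTRY, threshold=0.10):
    """Last-hour share of events per destination country, plus foreign countries at or above threshold."""
    now = now or max(ev["ts"] for ev in events) + timedelta(minutes=1)
    since = now - timedelta(hours=1)
    recent = Counter(ev["dst_country"] for ev in events if since <= ev["ts"] < now)
    total = sum(recent.values()) or 1
    shares = {c: n / total for c, n in recent.items()}
    return shares, sorted(c for c, s in shares.items() if c != home and s >= threshold)


def top_blocked_sources(events, n=10):
    """Top-n (source, zone) pairs among dropped/rejected events."""
    counts = Counter((ev["src"], ev["zone"]) for ev in events if ev["action"] != "accept")
    return counts.most_common(n)


def build_sample_events():
    """Constructed day of events: ~100/hour baseline, a 5x burst with high severities at 03:00,
    and 15 CN-bound connections in the final hour. Addresses and zone names are made up."""
    t0 = datetime(2007, 9, 27, 0, 0)
    blocked_sources = ([("192.0.2.10", "DMZ")] * 3 + [("192.0.2.11", "DMZ")] * 2
                       + [("10.20.1.5", "Workstations"), ("203.0.113.9", "Internet")])
    events = []
    for h in range(24):
        n = 500 if h == 3 else 100 + h % 7
        for i in range(n):
            blocked = i % 5 == 0
            src, zone = (blocked_sources[(i // 5) % len(blocked_sources)] if blocked
                         else ("10.20.1.50", "Workstations"))
            events.append({
                "ts": t0 + timedelta(hours=h, minutes=i * 60 // n),
                "severity": "high" if h == 3 and i % 10 == 0 else "low",
                "action": "drop" if blocked else "accept",
                "src": src, "zone": zone,
                "dst_country": "CN" if h == 23 and i < 15 else HOME_COUNTRY,
            })
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    matrix = hour_severity_matrix(evs)
    for hour in abnormal_hours(matrix):
        print(f"abnormal hour {hour:%Y-%m-%d %H:00}: {dict(matrix[hour])}")
    shares, flagged = country_share(evs)
    print("last-hour destination share:", {c: f"{s:.0%}" for c, s in shares.items()}, "flagged:", flagged)
    for (src, zone), count in top_blocked_sources(evs):
        print(f"{count:5d} blocked from {src} ({zone})")
```

On the constructed data it singles out 03:00 as the abnormal hour (500 events, 50 of them high severity), flags CN at about 15% of the last hour's destinations, and lists the two DMZ servers at the top of the blocked-source table, which is the same picture the three screenshots give. The same functions run unchanged over a real normalized feed once the field names are mapped.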

One of the cool things about SIM visualization gadgetry like ArcSight's data monitors is that these displays are in near-realtime. So it's like a report that's always running, and that's really easy to operationalize: "Here, stare at this for a few minutes every so often. If it looks weird, click on it and find out why."
