4.1 Understanding Correlation
Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. Starting with Sentinel 6.0, the Correlation engine is built with a pluggable framework, which allows the addition of new Correlation engines in the future.
Correlation rules define a pattern of events that should trigger, or fire, a rule. Using either the Correlation Rule Wizard or the simple RuleLG language, you can create rules that range from simple to extremely complex, for example:
-
High severity event from a finance server
-
High severity event from any server brought online in the past 10 days
-
Five failed logins in 2 minutes
-
Five failed logins in 2 minutes to the same server from the same username
-
Intrusion detection event targeting a server, followed by an attempted login to root originating from that same server within 60 seconds
Two or more of these rules can be combined into one composite rule. The rule definition determines the conditions under which the composite rule fires:
-
All subrules must fire
-
A specified number of subrules must fire
-
The subrules must fire in a particular sequence
After the rule is defined, it should be deployed to an active Correlation engine, and one or more actions can be associated with it. After the rule is deployed, the Correlation engine processes events from the real-time event stream to determine whether they should trigger any of the active rules.
NOTE:Events that are sent directly to the database or dropped by a global filter are not processed by the Correlation engine.
When a rule fires, a correlated event is sent to the Sentinel Control Center, where it can be viewed in the Active Views window.
Figure 4-1 Active Views Window
The correlated event can also trigger actions, such as sending an e-mail with the correlated event’s details or creating an incident associated with an iTRAC workflow.
4.1.1 Technical Implementation
All correlation is done in-memory on the machine (or machines) that host the Correlation engine. This model allows fast, distributed processing that does not contend with database operations such as inserting events into the database.
For environments with large numbers of Correlation rules or extremely high event rates, it might be advantageous to install more than one Correlation engine and redeploy some rules to the new Correlation engine. The ability to deploy multiple Correlation engines provides the ability to scale as the Sentinel system incorporates additional data sources or as event rates increase.
Sentinel correlation is nearly real-time and depends on the time stamp for the individual events. To synchronize time, you can use an NTP (Network Time Protocol) server to synchronize the time on all devices on your network, or you can rely on the time on the Collector Manager servers and synchronize only those few machines.
Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell Correlation rules rely on an event taxonomy that ensures that a “failed login” and an “unsuccessful logon” from two devices are classified the same.
In the tab, you can:
-
Create/modify Correlation rules and rule folders
-
Deploy Correlation rules on the Correlation engine
-
Create and associate an action to a rule
-
Configure dynamic lists
NOTE:Access to the correlation functions can be enabled by the administrator on a user-by-user basis.