Information Technology Reference
In-Depth Information
F
IG
. 5. Multi-layered log architecture.
have to be
trusted
, i.e., hardened, and have cryptosystems that can handle authenti-
cation, hashing and reliable transmission as briefly discussed in Section
2.1
.
3 . 6
C o r r e l a t i o n a n d F i l t e r i n g : N e e d s a n d P o s s i b l e S o l u t i o n s
In performing log correlation and filtering, the Security Architect and the Manager
have to deal with the problems described above. Here, the perspective on the problem
shifts to the architecture.
3.6.1
Correlation and Filtering: Some Definitions
Correlation—“A causal, complementary, parallel, or reciprocal relationship,
especially a structural, functional, or qualitative correspondence between two
comparable entities.” Source:
http://dictionary.com
In this article we use
Correlation
to mean the activity carried out by one or more
engines
to reconstruct a given complex event, that may be symptomatic of a past or
current violation.
By
filtering
we mean an activity that may be carried out by the same engines to
extract certain kinds of data and arrange them, for example, by protocol type, time,
IP, MAC Address and so on.
A fairly complex architecture may be set up as follows.
As may be observed from
Fig. 6
, and assuming the necessary precautions indi-
cated in the above sections have been followed, if data is collected at the individual
acquisition points (i.e.,
before
the logs get to the normalization engines) by methods
such as SCP, the very use of this method might slow down subsequent operations
since these activities require a greater dynamism than the “simple” acquisition and
generation of logs. Hence in this phase you have to use a Tunneling and Authentica-
tion
(
T
p
)
system based on a secure communication protocol that might be a level 3
ISO/OSI.
