Data Security Analytics by Abhijit Khuperkar
Post on 22-Jan-2018
Author: Abhijit Khuperkar, Data Specialist & Big Data Evangelist
Data Security Analytics:
Analysis of the Firewall Log
Presentation Outline
Problem Statement
Key Observations
Dashboards
Problem Statement
► Dataset: The dataset contains one month of firewall log data, from 1-Sep’14
to 1-Oct’14. It holds approx. 87,000 events grouped into event categories and
log responses (the action the firewall took).
► Goal: Carry out a high-level analysis of the firewall log data. Explore
data and perform aggregate data analysis.
► Criteria: Identify vulnerable categories, Drill down into problem, Visually
represent the analysis
The Challenge
Methodology
► Data: Standardized the log messages so that the important ones could be
drilled into
► Analysis: Carried out a descriptive, aggregate analysis of the number of
security events and log responses, then drilled down into high-priority
intrusion prevention events and other vulnerable security events
► Visualization: Prepared Tableau dashboards representing data
aggregates visually
Key Observations
► Event logs: One-fifth of all logs are intrusion prevention events. Of these, 1% are medium-to-high priority alerts and security warnings. The firewall dropped the connection for many events otherwise classed as authorized access
► Event trend: Intrusion prevention events were higher than usual during 15-23 Sep’14. As a result, a large number of security alerts and warnings were triggered during this period. Some outliers in authorized network access were observed during 5-14 Sep’14
► Intrusion events: High priority alerts and SYN (synchronization) floods are the potential threats. The dashboard shows three source IPs of high priority alerts and their destination IPs. For the SYN flood events the source IPs were not available in the log, so they could not be traced (SYN-flood sources are commonly spoofed, so even a logged source address is a weak indicator).
► VPN access: The warnings and notices for VPN access events resulted from payload-type security alerts, encryption algorithm mismatches and IKE proposal mismatches. The firewall responded by dropping a few packets and connections
► Source & destination IPs: Four source IPs account for 44% of the log events. Likewise, two destination IPs received the bulk of the requests, accounting for 15% of all logs recorded by the firewall
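The methodology and observations above (category shares, high-priority intrusion prevention alerts, SYN floods with no usable source, VPN warning reasons, top source and destination IPs, and a day-by-day trend check) expressed as a small script. This is an added example, not the presentation's own analysis, which was done in Tableau on a dataset that is not reproduced here; the key=value syslog-style log format, the field and category names, the sample lines and the IP addresses are all constructed assumptions.

```python
"""Aggregate firewall-log analysis of the kind the presentation describes.
Added example: the log format and sample records below are constructed and
are not the presentation's dataset."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample records in an assumed "<mon> <day> <time> <host> k=v ..." style.
# "src=-" models a record where the firewall did not log a source address.
SAMPLE_LOG = """\
Sep 15 10:01:02 fw1 category=intrusion_prevention priority=high msg="SYN flood detected" src=- dst=10.0.0.5 action=drop
Sep 15 10:01:03 fw1 category=intrusion_prevention priority=medium msg="Port scan" src=203.0.113.7 dst=10.0.0.5 action=drop
Sep 15 10:02:00 fw1 category=authorized_access priority=info msg="Connection allowed" src=198.51.100.4 dst=10.0.0.5 action=allow
Sep 15 10:02:05 fw1 category=authorized_access priority=info msg="Connection dropped" src=198.51.100.4 dst=10.0.0.9 action=drop
Sep 16 08:00:00 fw1 category=vpn_access priority=warning msg="IKE proposal mismatch" src=192.0.2.10 dst=10.0.0.1 action=drop
Sep 16 08:00:10 fw1 category=vpn_access priority=notice msg="Encryption algorithm mismatch" src=192.0.2.10 dst=10.0.0.1 action=drop
Sep 16 09:30:00 fw1 category=intrusion_prevention priority=high msg="Exploit attempt" src=203.0.113.7 dst=10.0.0.9 action=drop
Sep 17 11:00:00 fw1 category=authorized_access priority=info msg="Connection allowed" src=198.51.100.4 dst=10.0.0.5 action=allow
Sep 17 11:05:00 fw1 category=authorized_access priority=info msg="Connection allowed" src=203.0.113.8 dst=10.0.0.5 action=allow
Sep 17 12:00:00 fw1 category=intrusion_prevention priority=low msg="Malformed packet" src=203.0.113.9 dst=10.0.0.9 action=drop
"""

LINE_RE = re.compile(r"^(\w{3} \d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces


def parse_log(text):
    """Standardize each line into a dict; unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        day, clock, host, rest = m.groups()
        ev = {"day": day, "time": clock, "host": host}
        for key, val in KV_RE.findall(rest):
            val = val.strip('"')
            ev[key] = None if val == "-" else val  # "-" means the field was not logged
        events.append(ev)
    return events


def category_share(events):
    """Fraction of all events per category (e.g. the 'one-fifth are IPS events' figure)."""
    counts = Counter(ev.get("category") for ev in events)
    return {cat: n / len(events) for cat, n in counts.items()}


def high_priority_alerts(events, levels=("high", "medium")):
    """Intrusion prevention events at the priority levels worth drilling into."""
    return [ev for ev in events
            if ev.get("category") == "intrusion_prevention" and ev.get("priority") in levels]


def syn_floods_without_source(events):
    """SYN-flood records whose source address is missing and therefore untraceable."""
    return sum(1 for ev in events
               if "syn flood" in (ev.get("msg") or "").lower() and ev.get("src") is None)


def top_talkers(events, field, n=2):
    """Top-n values of an IP field as (ip, count, share of all events); unlogged IPs skipped."""
    counts = Counter(ev[field] for ev in events if ev.get(field))
    return [(ip, c, c / len(events)) for ip, c in counts.most_common(n)]


def cumulative_share(talkers):
    return sum(share for _, _, share in talkers)


def dropped_by_category(events, category):
    """How often the firewall dropped traffic within a given event category."""
    return sum(1 for ev in events
               if ev.get("category") == category and ev.get("action") == "drop")


def daily_counts(events, category):
    per_day = defaultdict(int)
    for ev in events:
        if ev.get("category") == category:
            per_day[ev["day"]] += 1
    return dict(per_day)


def unusual_days(per_day, k=1.0):
    """Days more than k standard deviations above the mean daily count.
    Days with zero events are absent from per_day; zero-fill the full reporting
    window before applying this to real data, or quiet days inflate the mean."""
    if len(per_day) < 2:
        return []
    mean = statistics.fmean(per_day.values())
    sd = statistics.pstdev(per_day.values())
    return [d for d, n in per_day.items() if n > mean + k * sd]


def vpn_warning_reasons(events):
    """Reasons behind VPN warnings/notices (IKE proposal or encryption mismatches)."""
    return Counter(ev.get("msg") for ev in events
                   if ev.get("category") == "vpn_access"
                   and ev.get("priority") in ("warning", "notice"))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("category share:", category_share(evs))
    print("high-priority IPS alerts:", len(high_priority_alerts(evs)))
    print("SYN floods without source:", syn_floods_without_source(evs))
    print("top sources:", top_talkers(evs, "src"), "top destinations:", top_talkers(evs, "dst"))
    print("unusual IPS days:", unusual_days(daily_counts(evs, "intrusion_prevention")))
    print("VPN warning reasons:", vpn_warning_reasons(evs))
```

The same functions run unchanged over a real export once `LINE_RE` and `KV_RE` are adjusted to the vendor's record layout; the share and top-talker figures are computed against all events, matching how the 44% and 15% figures in the observations are expressed.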
Dashboards
Security Events At A Glance
[Dashboard image; callout: events that need drill-down]
Trend in Security Events
[Dashboard image; callouts: higher-than-usual alerts, higher-than-usual intrusions]
Intrusion Prevention Events
[Dashboard image; callouts: destination IPs; alerts with medium-high priority and a potential SYN flood; untraceable sources where IPs were unavailable. Source IPs are masked in the original]
VPN Access Events
[Dashboard image; callouts: potential security threats; key reasons: encryption algorithm mismatch, IKE proposal mismatch]
Source vs Destination Systems
[Dashboard image; callouts: 44% of the security logs attributed to four source IPs; two destination IPs are accessed most. IPs are masked in the original]
Thank you!
For queries and feedback contact:
Abhijit Khuperkar, Data Specialist & Big Data Evangelist
akhuperkar@yahoo.com