Detecting Access Policy Violations with Stealthwatch
Access policy violations by internal users are a major security concern for enterprises because these violations commonly result in fraud, unauthorized disclosure, theft of intellectual and personal information, and other abuses. Monitoring end-to-end user traffic within the organization and alerting on such violations is a key component to enforcing compliance of security policies.
Stealthwatch enables organizations to obtain a complete visibility into end-to-end user activity and identify behaviors that could signify an insider threat. This solution explains how to detect unauthorized user access in Stealthwatch by leveraging Custom Security events and Host Locking. The following sections show different scenarios in which Stealthwatch can help in detecting unauthorized user access through Host Locking and Custom Events.
Scenario 1 – Auditing Firewall and ACL Configurations with Host Locking
A Host Lock Violation alarm is raised if the client sends traffic and the server responds to this traffic and this traffic is being monitored (i.e. there is 2-way communication occurring between client and server using a service/application that is not allowed according to security policies).
To configure Host Locking, open the Management Console JavaUI then right-click a domain or host group, and select Configuration -> Host Locking Configuration from the pop-menu as shown next:
- Name - The name of the Host Locking rule. This name is displayed in the Details column on the Alarm Table for the Host Lock Violation alarm to help you identify the rule that triggered the alarm. If the rule has been deleted, the unique rule ID is displayed instead.
- Client Host Group - Host group that is sending traffic to be monitored.
- Server Host Group - Host group that is receiving traffic to be monitored.
- Allow/Disallow - Indicates whether traffic is allowed or disallowed between the selected client host group and server host group in the direction indicated. For example, if the security policy prohibits specific services or applications between two groups, then use the Allow option to alert on the violation when that particular traffic is seen)
- Exceptions - Lists the services and applications that are exceptions to the traffic that has been allowed or disallowed. For example, if the Allow/Disallow column shows Disallow All, and this column shows Services: http, any services that appear between the host group pair in the indicated direction will cause a Host Lock Violation alarm, except for HTTP.
For example, a company’s security policy dictates that only HTTP/HTTPS traffic is allowed between the wireless users and the web servers. A Host Locking rule is configured with a Disallow rule and an exception for HTTP/HTTPS traffic that will alarm when there is non-HTTP/HHTPS traffic between the Wireless Host Group and the Web Server Host Group as shown:
The Host Lock rule is displayed as follows in the Host Lock configuration:
When there is non-HTTP/non-HTPS traffic between wireless users and the web servers group a Host Lock Violation alarm will be raised in the Alarm Table:
The same alarm can be visualized in the Management Console WebUI:
Scenario 2 – Monitoring User Access with Custom Security Events
Stealthwatch allows customers to further expand their network monitoring capabilities by creating Custom Security Events based on additional metadata from NetFlow records. Custom Security Event contribute to the Policy Violation alarm category.
Policy Violation alarms can generate alarms on three severity levels: yellow, orange, and black.
Severity level yellow or orange - The following security events will assign a severity level of only yellow or orange to the Policy Violation alarm. They will never assign the highest severity level (black) no matter how many of these security events are triggered.
- High Volume Email
- Mail Rejects
- Mail Relay
- New Host Active
- Spam Source
Severity level black - The following security events will always cause the Policy Violation alarm to have the highest severity level (black):
- All custom security events
- Host Lock Violation
- Watch Host Active
Custom Security Events are a feature introduced in Stealthwatch version 6.5 that allows security events to be generated on a more complete set of flow conditions including usernames, devices, directionality, and connection details such as amount of data transferred or time. The following figure illustrates the flow properties that can be leveraged to configure a Custom Security Event, where:
- IP address acting as the client or server
- Port being used on either the client side or server side
- Application being used
- Total bytes and/or total packets
- Duration of flow and/or time of flow
In order to enable Custom Security Events, the Policy Violation alarm needs to be enabled and configured on a Default or role policy as shown next:
For example, a company’s security policy dictates that users in the developer’s network (in this case user1) cannot download more than 10 KB of data after normal business hours from internal SQL servers.
The following image illustrates such Custom Security Event:
Users downloading more than 10 KB of data over SQL after business hours triggers the Custom Security Event:
The following alarm will be displayed in the Java console showing the username, time and source/destination:
The same alarm can be visualized in the Management Console Web GUI:
This is only one type of advanced threat that can be detected by Stealthwatch. Others include command-and-control activity, distributed denial-of-service (DDoS) attacks, insider threats, malware propagation, and more.