
Tenable Blog


Detecting Change -- Part II

Tenable has previously blogged about how change can be detected through log analysis. Network change can also be detected in many other ways, including active scanning and passive network monitoring. This entry discusses why detecting change matters for security and compliance, the different types of change that can occur on a network, and how each can be detected with Tenable solutions.

Types of Network Change

You might think of a network as always being in motion: different users are logged on, traffic loads vary and, over time, new services are supported. Having discrete methods to detect specific types of change is therefore extremely useful. Consider the following list of potential changes that can occur on a network:

  • adding a new server
  • adding a new client or server application
  • creating a new user account
  • changes in a system's configuration
  • changes in a system's network activity

Obviously there are many more types of change than these, but the list above will catch the majority of changes that do occur. Each of these items can have dramatic ramifications for an organization's IT compliance or security posture.

Security and Compliance

Regardless of whether your organization follows ITIL, COBIT or some other form of IT management, any change that has not been authorized is against policy. If your organization allows undocumented changes as needed, over time your network will become unmanageable, since each system will end up with its own unique configuration.

This also affects security by dramatically increasing the cost of system administration. If systems are not maintained in a known state, routine tasks such as patch management become very tedious.

Also notice that the list of "changes" above does not include detecting a new vulnerability. Very often, "new" vulnerabilities are discovered when they are disclosed and Tenable's research team writes a Nessus or Passive Vulnerability Scanner plugin for them. The exact same system from the day before is now deemed vulnerable. However, nothing really changed on the system; we simply have a more accurate test to enumerate a security issue.

Detecting a New Server

Tenable offers many ways to detect when a new system has been added.

Actively, successive Nessus scans can be used to identify new hosts. When the scans are managed by the Security Center, asset owners can be alerted after each active scan if any new systems have appeared. If the same system has been scanned several times, the Security Center will also track when each issue on it was first seen, when it was last seen and how many times it has been observed.

For passive alerting on new hosts, the Passive Vulnerability Scanner (PVS) will alert in real time if it sees a new host. When managed by the Security Center, all "new hosts" can be automatically placed into a dynamic asset list and scanned with Nessus once per day.

Detecting a New Client or Server Application

For active network scans, if the new application has listening daemons, Nessus will likely identify the system, or at least the presence of new open ports. All "server" applications have some sort of listening port which can be fingerprinted. The Security Center can alert individual asset owners when any new data, including new services and open ports, is discovered. Many "client" applications such as iTunes or eMule also have open ports which can be identified by a network scan.

Client and server applications also generate network traffic, which can be observed by the PVS. At a minimum, if a system has never browsed on a certain port before, the PVS will alert on this change. Typically, the PVS will identify the new application as it performs a handshake with its server or reaches out to the Internet for a potential self-update.

If the Log Correlation Engine (LCE) is in use, Tenable has produced many normalization rules that detect when new client or server software has been installed or upgraded.
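The "first seen, last seen, times seen" bookkeeping and the new-host / new-port alerting described in the two sections above can be modelled in a few dozen lines. The following is an added example written for this page, not Tenable code or output: the scan snapshots are constructed, and the host/port dictionary format is an assumption standing in for real scan results.

```python
"""Track new hosts and new open ports across successive scan snapshots.

Added example, not Tenable code: it imitates the first seen / last seen /
times seen bookkeeping described above, over constructed scan results.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Key for one observed item: (host, port). port == "" means the host itself.
Item = Tuple[str, str]


@dataclass
class ChangeTracker:
    first_seen: Dict[Item, str] = field(default_factory=dict)
    last_seen: Dict[Item, str] = field(default_factory=dict)
    times_seen: Dict[Item, int] = field(default_factory=dict)

    def ingest(self, scan_time: str, snapshot: Dict[str, Set[str]]) -> List[str]:
        """Record one snapshot {host: {"tcp/22", ...}}; return alerts for items never seen before."""
        alerts: List[str] = []
        items: Set[Item] = set()
        for host, ports in snapshot.items():
            items.add((host, ""))
            items.update((host, p) for p in ports)
        for item in sorted(items):
            if item not in self.first_seen:
                self.first_seen[item] = scan_time
                self.times_seen[item] = 0
                host, port = item
                kind = "NEW HOST" if port == "" else "NEW PORT"
                alerts.append(f"{scan_time} {kind} {host} {port}".rstrip())
            self.last_seen[item] = scan_time
            self.times_seen[item] += 1
        return alerts

    def history(self, host: str, port: str = "") -> Tuple[str, str, int]:
        """(first seen, last seen, times seen) for a host or a host/port pair."""
        key = (host, port)
        return self.first_seen[key], self.last_seen[key], self.times_seen[key]


# Constructed scan snapshots (not real scan output). Day two adds a listening
# port on an existing host; day three adds a brand-new host.
SCANS = [
    ("2024-01-01", {"10.0.0.1": {"tcp/22", "tcp/80"}, "10.0.0.2": {"tcp/445"}}),
    ("2024-01-02", {"10.0.0.1": {"tcp/22", "tcp/80", "tcp/8080"}, "10.0.0.2": {"tcp/445"}}),
    ("2024-01-03", {"10.0.0.1": {"tcp/22", "tcp/80", "tcp/8080"},
                    "10.0.0.2": {"tcp/445"}, "10.0.0.3": {"tcp/3389"}}),
]


def run(scans=SCANS) -> Tuple[ChangeTracker, List[str]]:
    """Feed every snapshot through a tracker; return it and all alerts after the baseline scan."""
    tracker = ChangeTracker()
    alerts: List[str] = []
    for i, (when, snapshot) in enumerate(scans):
        new = tracker.ingest(when, snapshot)
        if i > 0:  # the first scan is the baseline, so everything in it is "new" by definition
            alerts.extend(new)
    return tracker, alerts


if __name__ == "__main__":
    tracker, alerts = run()
    for a in alerts:
        print(a)
    print("tcp/22 on 10.0.0.1 (first, last, count):", tracker.history("10.0.0.1", "tcp/22"))
```

Treating the first scan as a baseline is the important design choice: without it every host and port is "new" on day one and the alert stream is useless. The same tracker serves the passive case by feeding it observed connections instead of scan results.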

Detecting New Users

If a new user is added to an operating system, the Log Correlation Engine is able to parse and gather these logs. Similarly, LCE rules exist to look for changes in user privileges. A variety of LCE correlation scripts, named TASLs, are available. One in particular tracks Active Directory authentication requests along with DHCP queries and can alert when an individual user's MAC address has changed. Other TASLs can automatically learn any account used on most operating systems (UNIX and Windows) as well as in applications such as VNC.

With active scanning, Nessus is also able to list users on Windows operating systems, detect accounts that have not been used and gather a variety of other types of information.
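As an added illustration of the log-based user detection described above (this is example code written for this page, not an LCE normalization rule or TASL), the script below parses the messages that the shadow-utils tools `useradd`, `usermod` and `userdel` write to syslog and turns them into account-change events. The sample log lines are constructed, and the set of "privileged" group names is an assumed policy.

```python
"""Detect account creation, deletion and privilege changes in UNIX auth logs.

Added example, not an LCE rule or TASL: it parses the messages that
shadow-utils (useradd, usermod, userdel, groupadd) write to syslog and
flags the changes a reviewer would want to see. PRIVILEGED_GROUPS is an
assumption for this example; tune it to the environment.
"""
import re
from typing import Dict, List

PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "root"}  # assumed policy

# Syslog prefix (matched loosely) followed by the shadow-utils program name.
SYSLOG = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>useradd|usermod|userdel|groupadd)\[\d+\]: (?P<msg>.*)$"
)
NEW_USER = re.compile(r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+)")
ADD_GROUP = re.compile(r"add '(?P<name>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")
DEL_USER = re.compile(r"delete user '(?P<name>[^']+)'")
NEW_GROUP = re.compile(r"new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)")


def parse_line(line: str) -> Dict[str, str]:
    """Return a change event for one log line, or {} if the line is not an account change."""
    m = SYSLOG.match(line)
    if not m:
        return {}
    msg = m.group("msg")
    base = {"ts": m.group("ts"), "host": m.group("host")}
    if (u := NEW_USER.search(msg)):
        # A second UID 0 account is a classic persistence pattern: rate it high.
        sev = "high" if u.group("uid") == "0" else "medium"
        return {**base, "event": "user_created", "user": u.group("name"),
                "uid": u.group("uid"), "severity": sev}
    if (g := ADD_GROUP.search(msg)):
        sev = "high" if g.group("group") in PRIVILEGED_GROUPS else "low"
        return {**base, "event": "group_added", "user": g.group("name"),
                "group": g.group("group"), "severity": sev}
    if (d := DEL_USER.search(msg)):
        return {**base, "event": "user_deleted", "user": d.group("name"), "severity": "medium"}
    if (n := NEW_GROUP.search(msg)):
        return {**base, "event": "group_created", "group": n.group("name"), "severity": "low"}
    return {}


def detect_user_changes(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through parse_line and keep only the account-change events."""
    return [ev for ev in (parse_line(line) for line in lines) if ev]


# Constructed sample log (not captured from a real system).
SAMPLE_LOG = [
    "Mar 10 14:02:11 web01 useradd[2519]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash",
    "Mar 10 14:02:30 web01 usermod[2530]: add 'bob' to group 'sudo'",
    "Mar 10 14:02:30 web01 usermod[2530]: add 'bob' to shadow group 'sudo'",
    "Mar 10 14:05:02 web01 sshd[2601]: Accepted publickey for bob from 10.0.0.9 port 51022 ssh2",
    "Mar 10 15:11:47 web01 useradd[2711]: new user: name=sync, UID=0, GID=0, home=/, shell=/bin/sh",
    "Mar 10 16:00:00 web01 userdel[2802]: delete user 'tmpadmin'",
]

if __name__ == "__main__":
    for ev in detect_user_changes(SAMPLE_LOG):
        print(ev["ts"], ev["host"], ev["severity"].upper(), ev["event"],
              ev.get("user", ev.get("group")))
```

Note that `usermod` logs the group and the shadow group addition separately, so one privilege change yields two events; a correlation layer would normally collapse them by PID and timestamp.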

Detecting Changes in a System Configuration

Nessus Compliance Checks can be used to audit UNIX and Windows systems against a known-good policy. These checks examine user privileges, object permissions, file permissions and many other parameters, including the content of UNIX and Windows configuration files. If any change violates the IT configuration policy, the next audit will highlight the issue.

The Log Correlation Engine also has the detect_change.tasl script. This script is constantly updated with new types of logs that indicate changes in users, changes in system configuration and software being added or removed.
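The two complementary views in this section, auditing a file against a known-good policy and noticing that the file changed at all, are shown together in the added example below. It is written for this page and is not a Nessus compliance check or the detect_change.tasl script; the sshd_config-style snapshots and the policy values are constructed assumptions.

```python
"""Audit a configuration file against a known-good policy and report drift.

Added example, not a Nessus compliance check or the detect_change.tasl
script: it parses sshd_config-style "Key value" lines, compares them with
an assumed policy, and diffs two snapshots of the file so a change is
visible even when the new value is still compliant.
"""
from typing import Dict, List, Set, Tuple

# Assumed policy for this example: required key -> allowed values (lower-case).
POLICY: Dict[str, Set[str]] = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"3", "4"},
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines; comments and blanks are skipped, keys are case-insensitive."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip().lower()
    return settings


def audit(settings: Dict[str, str], policy: Dict[str, Set[str]] = POLICY) -> List[str]:
    """One finding per policy item that is missing or set to a disallowed value."""
    findings: List[str] = []
    for key, allowed in policy.items():
        if key not in settings:
            findings.append(f"{key}: not set (expected one of {sorted(allowed)})")
        elif settings[key] not in allowed:
            findings.append(f"{key}: is '{settings[key]}', expected one of {sorted(allowed)}")
    return findings


def drift(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(key, old value, new value) for every setting added, removed or changed."""
    changes: List[Tuple[str, str, str]] = []
    for key in sorted(old.keys() | new.keys()):
        if old.get(key) != new.get(key):
            changes.append((key, old.get(key, "<absent>"), new.get(key, "<absent>")))
    return changes


# Constructed snapshots of the same file on two days (not real system output).
BASELINE = """
# sshd_config - approved baseline
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""
CURRENT = """
# sshd_config - after an undocumented change
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
AllowTcpForwarding yes
"""


def run() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Audit the current snapshot and diff it against the baseline."""
    old, new = parse_config(BASELINE), parse_config(CURRENT)
    return audit(new), drift(old, new)


if __name__ == "__main__":
    findings, changes = run()
    for f in findings:
        print("VIOLATION", f)
    for key, before, after in changes:
        print("CHANGED", key, before, "->", after)
```

In the sample, MaxAuthTries dropping from 4 to 3 and the new AllowTcpForwarding line pass the policy audit but still show up as drift; that is exactly the undocumented-change case the article argues a policy check alone will miss.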

Detecting a Change in Activity

The Passive Vulnerability Scanner continuously builds a model of all systems on the network. For known systems, if it sees a new port being used for network browsing or a new port being used to serve an application, it will alert on this new activity in real time.

The Log Correlation Engine also has a statistical anomaly engine that models all network and log events. This model includes the frequency of events as well as internal, external and inbound connection activity. If there is a statistical change in any event type (such as web browsing) or in connectivity (for example, more connections between a server and a domain controller), it will log the anomaly.
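The frequency-modelling idea above can be reduced to a per-event baseline and a deviation score. The following added example (written for this page; it is not the LCE anomaly engine and does not reproduce its algorithm) keeps a window of past hourly counts per event type, scores the current hour with a z-score, and reports both volume anomalies and event types that have never been seen. All counts are constructed.

```python
"""Flag statistically unusual event volumes against a per-event baseline.

Added example, not the LCE anomaly engine: for each event type it keeps a
window of past hourly counts, computes mean and standard deviation, and
reports the current hour when its z-score exceeds a threshold. An event
type with no history is reported as new rather than scored.
"""
import statistics
from typing import Dict, List, Tuple

MIN_SIGMA = 1.0  # floor so a perfectly flat history still yields a finite z-score


def z_score(history: List[float], current: float) -> float:
    """Standard-score of the current count against the history window."""
    mean = statistics.fmean(history)
    sigma = statistics.stdev(history) if len(history) > 1 else 0.0
    return (current - mean) / max(sigma, MIN_SIGMA)


def find_anomalies(history: Dict[str, List[float]], current: Dict[str, float],
                   threshold: float = 3.0) -> List[Tuple[str, str, float]]:
    """(event, reason, z) for each current count that is new or beyond the threshold."""
    out: List[Tuple[str, str, float]] = []
    for event, count in sorted(current.items()):
        past = history.get(event, [])
        if not past:
            # No baseline at all: the event type itself is the change.
            out.append((event, "new event type", float("inf")))
            continue
        z = z_score(past, count)
        if abs(z) >= threshold:
            out.append((event, "volume anomaly", round(z, 2)))
    return out


# Constructed hourly counts (not real LCE data): eight hours of history
# for three event types, then the current hour.
HISTORY = {
    "web_browsing": [100, 110, 95, 105, 100, 90, 105, 95],
    "server_to_dc_connections": [50, 50, 50, 50, 50, 50, 50, 50],
    "dns_queries": [400, 420, 390, 410, 405, 395, 415, 385],
}
CURRENT = {
    "web_browsing": 102,             # within normal variation
    "server_to_dc_connections": 60,  # flat history, so +10 is a real change
    "dns_queries": 2000,             # spike
    "rdp_logins": 3,                 # never seen before
}

if __name__ == "__main__":
    for event, reason, z in find_anomalies(HISTORY, CURRENT):
        print(f"{event}: {reason} (z={z})")
```

The sigma floor matters for the domain-controller case: a history with zero variance would otherwise divide by zero or flag any change as infinitely anomalous. A production engine would also need seasonality (hour of day, weekday) in the baseline, which this example omits.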

For More Information

For more information on detecting change in order to find compliance and IT management exceptions as well as security incidents, please consider the following resources:

  • Request a copy of Tenable's "Real Time Compliance Monitoring" paper.
  • Read the "Security and IT Controls" blog entry.
  • Download a copy of the "Network Implications of Visible Ops" paper, which discusses using Tenable products to monitor networks in an ITIL framework.
  • Browse the list of User and Compliance Monitoring TASL Scripts for the LCE.

For more information on Tenable's products, please visit our web site, browse our "demos" page or consider pricing for the Direct Feed, Security Center, Passive Vulnerability Scanner or Log Correlation Engine.
