Security analytics are only as good as the data being analyzed. Yet nearly all security analytics systems today suffer from a lack of even basic protections on data collection. By merely monitoring network traffic, an adversary can eavesdrop on SAS outputs to discover sensitive SAS instrumentation and security-alerting behaviors. Moreover, by using advance malware, an adversary can undetectably suppress or tamper with SAS messages to conceal attack evidence and disrupt intrusion detection.
We introduce PillarBox, a tool for securely relaying SAS data in a security analytics system. PillarBox enforces integrity: It secures SAS data against tampering, even when such data is buffered on a compromised host within an adversarially controlled network. Additionally, PillarBox (optionally) offers stealth: It can conceal SAS data, alert-generation activity, and potentially even alerting rules on a compromised host, thus hiding select SAS alerting actions from an adversary.
We present an implementation of PillarBox and show experimentally that it can secure messages against attacker suppression, tampering or discovery even in the most challenging environments where SASs generate real-time security alerts related to a host compromise directly targeting to diminish their alerting power. We also show, based on data from a large enterprise and on-host performance measurements, that PillarBox has minimal overhead and is practical for real-world security analytics systems.
Category / Keywords: cryptographic protocols / application, implementation, forward-security, logging, data security Original Publication (with major differences): RAID 2014 Date: received 27 Sep 2013, last revised 23 Oct 2014 Contact author: kevin bowers at rsa com Available format(s): PDF | BibTeX Citation Note: This is an updated full version which contains new ideas and concepts that have been developed and tested. Version: 20141023:180543 (All versions of this report) Short URL: ia.cr/2013/625 Discussion forum: Show discussion | Start new discussion