Tuning the Network Behavior Analysis

11.12.16 Bezpečnost

Today, we are busting a myth about configurating and tuning of the NBA / UEBA solution to be time consuming project. Come and learn how you can tune Flowmon ADS in an hour.

IT professionals usually believe deploying NBA (Network Behavior Analysis) or UEBA (User and Entity Behavior Analysis) is a long term project with time consuming configuration and false positives tuning. I will show you today this is not always the case. Recently, we deployed Flowmon ADS in a large government entity. I will summarize tips and tricks for the configuration and tuning of the system which took me pretty much the same time as writing this blog post – one hour.
The customer has roughly 3000 devices in the network. Traffic is monitored in three different types of infrastructure – on the enterprise perimeter, inside the internal network and on the private backbone where the subordinate organizations are connected. Traffic from these three different networks is analyzed in three corresponding flow collection and processing instances in Flowmon ADS. The initial deployment was based on a built-in configuration wizard that created filters and adjusted the configuration of anomaly detection methods based on the provided inputs. After the initial configuration the customer experienced thousands of events per day that included not only false positives but also low priority events like known malicious IPs hitting the firewall on the enterprise perimeter or duplicate events detected in the internal network and on the perimeter. So, now it is time to tune it up.

Flowmon ADS dashboard with colorized traffic according to configured priorities and detected threats. Difference before and after tuning. 
Figure 1: Difference between detected events (traffic colored different than green) before tuning and after. Tuning was carried out in the evening between 20:00 and 21:00.

Step 1 – Apply relevant methods on relevant data

There is no need to detect duplicate events. Additionally, there are methods relevant for the internal network but not enterprise perimeter after NAT is applied and traffic of individual hosts is aggregated behind a single IP address. These methods include detecting various undesired applications such as P2P networks, TOR anonymizers and user activities like data sharing. At the same time it is meaningless to report on hundreds of known attacks that touch the enterprise perimeter. Tune up procedure – process by corresponding detection methods only data from internal network and backbone. Exclude enterprise perimeter from such detections.

Applying relevant detection methods on relevat network data. 
Figure 2: Apply the detection method only on relevant data.

Step 2 – Define false positives

Usually when you deploy Network Behavior Analysis and start to analyze the data, the first anomalies are related to your traditional SNMP-based monitoring system like Nagios or Zabbix that scan over the whole network and check for the availability of network components and services. As such behavior is also connected to malicious activities or malware infected devices, Flowmon ADS detects corresponding events. You can get rid of them using the feature "Mark as false positive" so you simply create rules based on existing events to avoid detecting the same events again.
 

Mark as false positive.
Figure 3: Mark as false positive based on event detection. Corresponding parameters are pre-defined. You should include the comment regarding the purpose of this particular false positive rule.

Step 3 – Adjust priorities

Not all the events have the same importance. Prioritizing the events enables to focus on the most important attacks and network anomalies. You would agree that a port scan in the internal network is more important than the same event detected on the enterprise perimeter where the source of the scan is somewhere in the internet. On the other hand you still want to detect both events to make sure you recognize all the anomalies and have evidence. It can turn out in the future that this particular event is relevant. The concept of event prioritization in ADS is called "Perspectives" where you can adjust based on the flow source, IP addresses or event detail priority that will be assigned to a particular event by that particular perspective.
 

Adjusting event priorities
Figure 4: Port scans adjusted to have HIGH priority if the source of the event is in the internal network. Otherwise such event will be classified by lower priority.

Step 4 – Analyze the rest

After applying the three previous steps Flowmon ADS will show anomalies that are worth a more detailed investigation. So, let’s take a look at what has been left for the analyst to investigate. We don’t have to analyze events one by one as we can take advantage of the aggregated dashboard view called "Threats" where relevant events are grouped and linked together and presented to the security analyst. So, at the end of the day we have got from more than thousand to less than 20 threats or incidents we have to go through. Further prioritization shows we should focus first on three incidents classified as critical. There is a misconfigured device causing serious network anomalies with a high impact on the whole network. Another device in the network is probably compromised by malware and there is potential data leakage detected. So, these are the events an analyst should start with. In addition, we can see users using applications you don’t want to see in your enterprise network, anomalies in DNS traffic and attacks to gain unauthorized access to your systems as well as some others. But these can wait after critical incidents are solved.
 

After tuning Flowmon ADS we can see list of less than 20 security threats.
Figure 5: Threats detected after system configuration and tune-up.

Summary

So, I’ve spent around one hour creating this blog post. Going through steps one to three as described above took me around the same time. Impossible? The key is in a top down and systematic approach when deploying and configuring Network Behavior Analysis. At the same time you have to keep in mind that the goal is not to generate as many events as you can but detect only events relevant from security and operational point of view. Are instant messengers allowed to be used in your network? So turn of the corresponding detection method. Obviously you don’t need to detect such events. Do you want still to detect attacks on the perimeter? So keep the methods analyzing this data but clear your view and prioritize the event from the internal network using perspectives.
I hope you have found this experience sharing blog useful and it will help you to tune-up your NBA/UEBA system quickly to achieve a high accuracy of detection and reduce false positive that may appear. Any ideas and tips I’ve missed are welcome.

What are your experiences with tuning Flowmon ADS or other NBA / UEBA solution? Feel free to leave comment below.
If you are interested in Flowmon ADS, try free trial now.