CiscoWorks Security Information Management Solution

Rationalizing Security Events with Three Dimensions of Correlation

  • Viewing Options

  • PDF (150.4 KB)
  • Feedback

CiscoWorks Security Information Management Solution (SIMS)


Enterprise security teams are plagued by a common problem: They must rely on a relatively small number of people to keep up with a virtually unlimited number of events and vulnerabilities that are increasing every day. Event correlation is arguably the foundation of Security Information Management (SIM) because it is the critical piece of technology that automatically prioritizes events based on risk, eliminates time wasted on false positives, and allows security teams to continuously reduce risk exposure.
Each method of correlation statistical, rules-based, and vulnerability correlation on its own has pros and cons, but when applied together and adjusted for asset value forms a powerful combination for reducing risk by providing a true picture of risk based on business impact.
The CiscoWorks Security Information Management Solution (SIMS) from Cisco Systems ® integrates all three types of correlation, and is the only SIM technology to deliver vulnerability correlation without requiring users to write rules. This feature is critical, because vulnerability correlation is the most useful type of correlation for identifying specific threats previously unknown to the organization and weeding out false positives. By combining all three types of correlation with asset valuation, CiscoWorks SIMS provides security analysts with a true risk profile for each event, while reducing the organization's total risk exposure over time.


The high volume of events created by a large number of devices, increased threat levels, and the struggle to keep pace with the expansive list of vulnerabilities that grows daily epitomize the problem of managing information security in today's enterprise. With business factors such as industry and regulatory compliance initiatives mandating that organizations limit risk without compromising business agility, companies are turning to SIM solutions to reduce risk by quickly sifting through thousands of events and pinpointing more likely sources of attack and perhaps more importantly ferreting out false positives.
The formula used to determine risk is simple. As the volume of threats increases against high-value assets that are susceptible to attack, the organization's overall risk exposure increases. Correlation refers to the set of technologies that allows SIM products to move beyond simple normalization and aggregation of disparate security events by applying automated logic to interpret multiple events from multiple sources and device types to create a single correlated event. When this event consolidation occurs, the correlation technology performs further analysis to present security analysts with a prioritized view of events. This allows security analysts to separate the critical from the non-critical threats, understand risk, and address threats with the most catastrophic potential first.
Applying multiple dimensions of correlation is critical to helping security organizations weed out false positives, rapidly identify threats, get a true picture of risk, and continuously improve performance to reduce the organization's overall risk over time. In order to achieve these objectives, security teams must implement a SIM solution that allows them to correlate events against known vulnerabilities, implement stateful rules that identify successive related suspect events, and use statistical models to score threats based on vulnerability and asset importance. Asset valuation is critical because it helps security analysts gauge the business impact-and ultimately the potential loss from an attack on a particular machine.


Statistical correlation, as the name implies, applies statistical algorithms to determine incident severity and then assigns a threat score based on asset value. Statistical correlation looks at network behavior and identifies threats based on the presence and likely severity of anomalous event patterns. It also allows organizations to measure effectiveness, because in theory, the number of anomalous events should decrease over time as the enterprise becomes more secure.
Rules-based correlation uses predefined rules that apply conditional logic to identify likely attack scenarios by observing a specific series of events within a specified amount of time. Rules can be delivered "out of the box" by a SIM vendor, or implemented on a custom basis after careful analysis of network traffic.
Vulnerability correlation takes event data from network intrusion detection systems (IDSs) and correlates it against a database of known vulnerabilities, and host vulnerability profiles returned by vulnerability management scanners, returning a score for each asset. Vulnerability correlation helps eliminate false positives by reducing "scanner noise," and helps security personnel determine which attacks are real, and which assets are actually vulnerable to the attack.
Statistical correlation has the advantage of being an operational technology that does not require the definition of rules or significant "baselining" (determining a statistically normal state) prior to implementation. This means that security organizations can get near-term help in prioritizing events based on asset value. Statistical correlation does not require specific knowledge of threat patterns or attack scenarios to work.
Rules-based correlation is extremely effective at identifying specific threats based on prior knowledge of attack patterns. Most SIM products implement a finite set of rules that cover common scenarios, and these can be extended with custom rules. The most important aspect in determining whether rules-based correlation will be effective is the SIM vendor's support for maintaining rule state. A rule must be a long-running event, and the rules engine must hold events "in state" for a reasonable period of time until other qualifying events either trigger an alert or the rule times out for the initial event. Without this, security organizations will experience numerous false positives, or more importantly, fail to identify "low and slow attacks"-which are characterized by a small number of daily events over a long period of time.
Of all the methods of correlation, vulnerability correlation is the most effective at spotting specific attack scenarios, including those scenarios that might be new to an organization. It is also extremely good at eliminating false positives and maximizing the efficiency of the security organization by focusing on real events that correspond to true vulnerabilities. Additionally, vulnerability correlation loses value if it requires rule creation to correlate attacks that exploit particular vulnerabilities with susceptible assets, because writing these rules would be extremely labor-intensive. Because most SIM products require rules creation to enable vulnerability correlation, it is important to be judicious and select a SIM product that supports vulnerability correlation out of the box.


Although all three types of correlation are valuable, when applied together they can greatly improve the detection of real attacks. When security staff can get a unified risk profile of events based on a statistical threat score, rules-based alerts triggered, associated vulnerabilities, and asset value, their job is much easier.
CiscoWorks SIMS is the only SIM application that combines all three correlation technologies in concert to help security team work smarter. In addition to providing a unified risk profile for each event by applying all three types of correlation and factoring in asset value, CiscoWorks SIMS delivers best-of-breed functions for each type of correlation to help ensure that the combined result is the most accurate available to security teams today.


Unlike other SIM products, CiscoWorks SIMS supports vulnerability correlation without writing rules. This means that security teams can reap the benefits of vulnerability correlation right away, and do not have to lose time writing and maintaining rules to get the most valuable method of identifying attacks in place.
CiscoWorks SIMS correlates IDS data with multiple sources of vulnerability data-including data from vulnerability management scanners and a database of known vulnerabilities-and assigns a confidence level to those events that are not readily determined to be false positives or false alarms. That data is then correlated against asset threat data and a risk score is assigned to each asset, allowing security operators to see the business impact of specific events. Security operators can then assess in real time whether action should be taken based on the likelihood that an event could take advantage of vulnerability in a particular asset, susceptibility of the asset to that vulnerability, and the value of asset.
CiscoWorks SIMS provides the following vulnerability correlation capabilities and benefits:

• "No-rules" correlation helps ensure rapid deployment of vulnerability correlation.

• CiscoWorks SIMS correlates data from any CVE-compliant IDS with vulnerability scanner data from leading vulnerability management products including Nessus, ISS Internet Scanner, Harris STAT, eEyE Retina, Foundstone, Qualys, and nCircle.

• Automated vulnerability and exposure scoring based on current vulnerability profiles reduces risk while allowing time to be spent investigating and mitigating actual threats.

• IDS validation eliminates false positives associated with IDS data.

• Vulnerability data correlated against the asset value and threat shows the impact of specific events and helps enable real-time responsiveness to true threats.

• Advanced vulnerability reporting allows the security organization to demonstrate progress in eliminating vulnerabilities that relate to important business objectives such as policy compliance. This also aids the development and revision of mitigation and policy compliance strategies.

• An integrated knowledge base incorporates the latest vendor vulnerability information to provide security personnel with the knowledge to respond to threats, while saving time searching the Internet for the appropriate information.


CiscoWorks allows security personnel to deploy and modify preexisting event correlation rules or develop custom rules that allow for multiple states for improved threat identification. CiscoWorks SIMS combines this support for long-running rules with an intuitive rules development GUI to make it easy for users to define, modify, and deploy robust rules.
CiscoWorks SIMS provides the following features and benefits for rules-based correlation:

• A highly intuitive graphical rules builder interface (Figure 1) allows users to easily create, modify, and view correlation rules without scripting. An intuitive graphical state designer helps users simply drag and drop predefined rule objects to create new scenarios that are easy to track, test, and maintain.

• Comprehensive, preconfigured correlation rules are provided out of the box to address a variety of security scenarios, all of which can be easily customized to suit particular environments and requirements. This helps security organizations realize near-term return on investment (ROI) and eliminates the need to write custom rules for common scenarios. Customers receive new, predefined rules as part of their support contract.

• Stateful rules can be created by defining security scenarios that include one or more events, one or more actions, and finally, a specified timeout period. Detection and response logic can incorporate timing, Boolean conditions, and sequencing specifications. Rules can be simple, two-state scenarios that detect incidents such as reconnaissance activity followed by a Web attack, or complex, multi-state scenarios such as a failed login sequence. This support for multiple states greatly reduces false positives by allowing security analysts to better identify real threats.

Figure 0.

Figure 1. Rules Correlation State View

CiscoWorks SIMS provides a multi-state rules correlation engine that allows a rule to run long enough to allow multiple conditions to be met before an alert is issued, or an alert to be issued as soon as a particular condition is met.

• A unique, multithreaded rule structure uses a tree-structure design to consolidate multiple scenarios, limiting the number of rules needed for an organization.

• Automated response mechanisms can be implemented to help enable rapid containment and resolution of potential security breaches by associating actions with detected events.

• Event collection consolidates multiple events or event sequences into a much smaller number of composite events, limiting the number of alerts generated and the number of false positives.

• Rules can operate on event data generated by any network or security device from any vendor.


CiscoWorks SIMS supports statistical correlation out of the box to provide a purely mathematical perspective on network activity, offering an excellent complement to rules-based and vulnerability correlation. It applies statistical correlation by normalizing alarm IDs into incident types and then focuses on potential threats by scoring incident types to determine threat level. Threat scoring is a time-weighted measure of alarm severity combined with asset value. The greater the alarm severity or asset value, the greater the threat score.
CiscoWorks SIMS generates weighted threat scores for both intruders and assets, adjusting for both time sensitivity and asset value. These correlated threat scores are accurate measures in determining whether one or more assets are under attack. Higher scores translate to a higher threat potential against the device or asset in question.
CiscoWorks SIMS provides the following statistical correlation capabilities and benefits:

• A ready-to-use statistical security model provides effective incident detection out of the box. Implementation is fast and easy, and requires no baseline.

• Sophisticated scoring and categorization mechanisms can be custom tailored to user-defined threshold levels to help security personnel focus on high-priority activities with the greatest impact.

• Reports help security operation manager measure risk scores over a period of time to determine the organization's performance.

• Statistical correlation is performed independent of vendor or specific message formats generated by security devices such as firewalls, IDSs, and antivirus systems. Algorithms easily incorporate event data from any network or security device.