VaultBox: Enhancing the Security and Effectiveness of Security Analytics

Abstract

Security tools like Firewalls, IDS, IPS, SIEM, EDR, and NDR effectively detect and block threats. However, these tools depend on the system, application, and event logs. Logs are the key ingredient for various purposes, including troubleshooting performance issues, satisfying compliance mandates, and monitoring and improving security. In addition, logs from multiple machines are collected and fed to the Security Information and Event Management (SIEM) system for further security analysis. Therefore, a SIEM system’s efficiency and effectiveness depend heavily on the quality and quantity of logs provided. Unfortunately, logs are often targeted brutally and tampered with after a successful intrusion to cover the attack’s traces. Thus it becomes critical to protect the confidentiality, integrity, availability, and authenticity of logs at rest or transit. This paper proposes a novel scheme to prevent logs from tampering, detect any tampering, and recuperate logs if lost or corrupt. Our scheme is forward-secure, replicated, randomized, and rate-less, aiming to help securely store and transmit logs to SIEM.

Appendices

A Security Definitions

A logging protocol is an algorithm running on a logging device \(D_i\) that receives messages from \(sender \ S\) and writes entries to its logging device \(L_i\). The log on logging device \(L_i\) is a finite but increasingly long sequence of entries. An essential part of each secure logging protocol is a verifier protocol. A verifier protocol is an algorithm run by the \(verifier \ V\) that accesses some log \(L_i,\) extracts the log entries stored on \(L_i,\) and each log entry computes whether to accept or reject the entry. The decision of the Verifier is the basis for defining security properties below. For all properties, we assume that there is a “ground truth”, i.e., a sequence \(<e_1, e_2, ...>\) of events that happened. Our scheme \(\textsf {VaultBox}\) aims to achieve the following security properties.

Definition 1 (Correctness)

A logging protocol satisfies correctness for log \(L_k\) if and only if a corresponding event actually happened for each entry in the log of \(L_k\) that the Verifier accepts. Correctness dictates that under normal operation, any sequence of messages of size at most T added to channelC by \(sender \ S\) can be correctly read by \(verifier \ V\) in an order-preserving way; in particular, the T most recent messages of C and their exact order can be determined by V. More formally, let \(<e_1,e_2,...>\) denote the event sequence that actually happened and \(<l_1,l_2,...>\) be the sequence of log entries in \(L_k\) accepted by the verifier. Then the following condition should hold:

$$\begin{aligned} \forall {i} : l_i \Rightarrow \exists {e_j} : e_j \sim l_i \end{aligned}$$

Definition 2 (Immutability)

A logging protocol satisfies immutability for log \(L_k\) if \(\mathcal {A}\) cannot undetectably forge the messages that are contained in channel C at the time of compromise. Although \(\mathcal {A}\) takes full control of \(sender \ S, \mathcal {A}\) may only make two uses of the channel:

• \(\mathcal {A}\) may either write in C legitimate messages in L,  or

• \(\mathcal {A}\) may destroy the delivery of chosen messages in C, but in a detectable way, since a failure message, \(\bot \) is substituted.

Definition 3 (Stealth)

A logging protocol satisfies stealth for log \(L_k\) if \(\mathcal {A}\) can learn nothing about the contents of C that is not explicitly added to it by \(\mathcal {A}\).

• At the pre-compromise state, \(\mathcal {A}\) cannot learn anything about the contents of the channel: at all times, C itself perfectly hides its contents. Not only can messages in the channel be written such that the \(\mathcal {A}\) never learns them, but \(\mathcal {A}\) does not even learn of their existence.

• At the point of compromise, \(\mathcal {A}\) cannot learn the messages present in the channel or even learn if such messages exist in the channel. \(\mathcal {A}\) can only learn the current slot in C, but since this index is initially randomized, it conveys no information about the usage of C thus far.

• At the post-compromise state, \(\mathcal {A}\) completely controls all the messages added to the channel and the positions of the messages that V will fail to produce.

B Security Analysis

We briefly provide the intuition behind the above valuable properties.

Correctness. Messages are included in the buffer at a random position in order of their arrival. Under normal operation of the system, it is always possible for the receiver to replay the random coins to generate the corresponding secret keys for Authenticated Decryption and reconstruct the exact sequence of the most recent messages written in the buffer.

Immutability. Since any message added in the buffer is encrypted and verifiable through Authenticated Encryption scheme, individual messages cannot be undetectably tampered with. Additionally, since the seed to replay the random coins is generated forward-securely, messages in an individual buffer cannot be undetectably received out of order, across different buffers, or within the buffer.

Stealth. Since both individual messages and buffers are encrypted through the inner layer and outer layer Authenticated Encryption and since the buffer is of fixed size T, observing buffers before the compromise or actual buffer contents after the compromise reveals no information about the actual messages previously added in the channel or about whether messages have been ever added.