Why SureLog?

The Easiest Solution for Next-Generation SIEM SureLog International Edition //2016 www.anetusa.net

Transcript of Why SureLog?

Page 1: Why SureLog?

The Easiest Solution for Next-Generation SIEM

SureLog International Edition

2016, www.anetusa.net

Page 2: Why SureLog?

SureLog Next-Generation SIEM

Agenda

• Introduction to SureLog

• What is SureLog

• Benefits of SureLog

Page 3: Why SureLog?

More Than Just a SIEM

Integrated Log Management and SIEM Solution

Page 4: Why SureLog?

Advanced Correlation Engine

Observed Rule: This is the most frequently used component. It performs a criteria match based on the elements of an event that are contained within it. One or more filters can be placed within a Match Component, and each Match Component within a rule may match separate events in order to satisfy the rule.

Threshold Rule: Count-based rules. This rule looks for the total count of a predefined event within a time window. The threshold should be adjusted to the use case.

Trend Monitor Rule: By trending any event, SureLog can find deviations over time that may be indications of important security or performance events.

Page 5: Why SureLog?

Advanced Correlation Engine

Page 6: Why SureLog?

Advanced Correlation Engine

Statistical Rule: As the label describes, this component uses the traditional model for standard deviation and applies this deviation to the filters contained within the component. In addition to traditional deviation, we have added Percent from Average and Fixed Value from Average as additional comparison operators.

• Population Standard Deviation

• Sample Standard Deviation

• Variance (Sample Standard)

• Variance (Population Standard)

This provides more flexibility than regular standard deviation. For a quick primer on standard deviation, see this Wikipedia article: http://en.wikipedia.org/wiki/Standard_deviation.
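An added example, not SureLog's own code, of how such a statistical rule can be evaluated: the four spread measures listed above are computed over a constructed history of per-interval event counts (hypothetical values), and the current interval is then compared with the three operators the slide names (standard deviations above average, percent from average, fixed value from average).

```python
import statistics
from typing import Sequence

# Constructed history of per-interval counts for one filter (hypothetical data):
# eight quiet 15-minute intervals, against which a new interval is compared.
BASELINE = [42, 38, 45, 40, 44, 39, 41, 43]

def spread(values: Sequence[float], kind: str) -> float:
    """The four spread measures offered by the Statistical Rule."""
    measures = {
        "population_stdev": statistics.pstdev,
        "sample_stdev": statistics.stdev,
        "variance_sample": statistics.variance,
        "variance_population": statistics.pvariance,
    }
    if kind not in measures:
        raise ValueError(f"unknown spread measure: {kind}")
    return measures[kind](values)

def statistical_rule(history, current, operator, threshold, kind="population_stdev"):
    """Evaluate one interval against its history.

    operator 'stdev'   -> fire when current lies more than `threshold` spreads above the mean
    operator 'percent' -> fire when current exceeds the mean by more than `threshold` percent
    operator 'fixed'   -> fire when current exceeds the mean by more than `threshold` units
    Returns (fired, score); score is the measured excess in the operator's own unit.
    """
    mean = statistics.fmean(history)
    excess = current - mean
    if operator == "stdev":
        s = spread(history, kind)
        score = excess / s if s else (float("inf") if excess > 0 else 0.0)
    elif operator == "percent":
        score = excess / mean * 100 if mean else (float("inf") if excess > 0 else 0.0)
    elif operator == "fixed":
        score = excess
    else:
        raise ValueError(f"unknown operator: {operator}")
    return score > threshold, round(score, 2)

if __name__ == "__main__":
    # A spike of 120 fires under every operator; a normal 44 fires under none.
    for op, thr in (("stdev", 3), ("percent", 50), ("fixed", 30)):
        print(op, statistical_rule(BASELINE, 120, op, thr), statistical_rule(BASELINE, 44, op, thr))
```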

Page 7: Why SureLog?

Advanced Correlation Engine

Value Changed Rule: Match when a field has two different values within some time window.

Never Seen Before Rule: Match when a never-before-seen term appears in a field.

Page 8: Why SureLog?

Advanced Correlation Engine

The new correlation engine also has many new features, such as Suppression (start time), Expire Time, Timer (periodic running), etc.

The new correlation engine has many new operators, such as Starts with in List, Regex search in List, matches, etc.

Page 9: Why SureLog?

Advanced Correlation Engine

Page 10: Why SureLog?

Advanced Correlation Engine

Wizard-driven rule samples:

1. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to distinct inside destination IPs, and then a traffic session starts from ANY of the inside (destination) IPs to the (outside) IP, send ALL IPs (source, destination) by mail.

2. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to distinct inside destination IPs, and then a traffic session starts from ALL of the inside (destination) IPs to the (outside) IP, send the outside IP by mail.

3. Monitor the processes run by a user on a weekly basis and compare the trend with the current week's running process list.

4. Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication by the same user at the same host within 2 hours.

5. If the traffic on port X exceeds the standard deviation of historic traffic patterns, trigger an alert (e.g., new worm, bot communicating with C&C).

6. If the attack type is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical asset (production server vs. workstation), trigger an alert.

7. Detect the scenario where a server stopped but did not start again within an interval of 5 minutes.
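Rule sample 4 is an absence-of-follow-up correlation, the same shape as sample 7. An added example, not SureLog's own code, implements it over constructed, already-normalized authentication events (hypothetical users and hosts): failures per (user, host) stay "open" until a success for the same pair arrives inside the 2-hour window, and whatever is still open is reported.

```python
from datetime import datetime, timedelta

# Constructed, normalized authentication events (hypothetical, not real logs):
# (timestamp, user, host, outcome), deliberately out of order to show sorting.
EVENTS = [
    (datetime(2016, 3, 1, 9, 0),   "alice", "srv-db01",  "failure"),
    (datetime(2016, 3, 1, 9, 1),   "alice", "srv-db01",  "failure"),
    (datetime(2016, 3, 1, 9, 5),   "alice", "srv-db01",  "success"),  # timely success: normal
    (datetime(2016, 3, 1, 13, 0),  "bob",   "srv-web02", "failure"),
    (datetime(2016, 3, 1, 16, 30), "bob",   "srv-web02", "success"),  # 3.5 h later: too late
    (datetime(2016, 3, 1, 13, 2),  "bob",   "srv-web02", "failure"),
    (datetime(2016, 3, 1, 14, 0),  "carol", "srv-db01",  "failure"),  # never succeeds
]

WINDOW = timedelta(hours=2)   # the 2-hour follow-up window from rule sample 4

def failures_without_success(events, window=WINDOW):
    """Flag (user, host) pairs whose authentication failures are not followed by a
    successful authentication by the same user at the same host within `window`.

    Returns a sorted list of (user, host, first_failure_time). In a streaming engine
    the same logic fires when the window's timer expires with no success seen; here
    it runs over a finished batch, so anything still open at the end is reported.
    """
    open_failures = {}   # (user, host) -> time of the first failure in the open sequence
    for ts, user, host, outcome in sorted(events, key=lambda e: e[0]):
        key = (user, host)
        if outcome == "failure":
            open_failures.setdefault(key, ts)
        elif outcome == "success" and key in open_failures:
            if ts - open_failures[key] <= window:
                del open_failures[key]   # resolved in time: not suspicious
            # a success after the window does not clear it: the rule has already fired
    return sorted((user, host, ts) for (user, host), ts in open_failures.items())

if __name__ == "__main__":
    for user, host, first in failures_without_success(EVENTS):
        print(f"{user}@{host}: failures since {first:%H:%M} with no success within 2 h")
```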

Page 11: Why SureLog?

Historical Correlation

Use historical correlation to run past events through the custom rules engine to identify threats or security incidents that have already occurred.

By default, a SureLog SIEM deployment analyzes information collected from log sources in near real time. With historical correlation, you can correlate by either the start time or the device time. Start time is the time the event was received by SureLog; device time is the time the event occurred on the device.

Page 12: Why SureLog?

SureLog

Page 13: Why SureLog?

Risk Calculation

Content-Based Risk Calculation

Content-based risk calculation: if the log type is critical (e.g., failed login), the target is a critical asset (production server vs. workstation) and perhaps the time is suspicious (during lunch), then the risk of this event is significant. An alarm is triggered without developing an additional correlation rule.

Rule-Based Risk Calculation

Alarms can be created from one or more correlation rules. If the attack type is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical asset (production server vs. workstation), trigger an alert.

Page 14: Why SureLog?

Rich Taxonomy

Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.

Page 15: Why SureLog?

Rich Taxonomy

Some of the existing 1500+ taxonomy groups in SureLog:

• Reconnaissance->Scan->Host

• TCPTrafficAudit->TCP SYN Flag

• ICMPTrafficAudit

• NamingTrafficAudit

• Malicious->Web->SQL

• Flow->Fragmentation

• httpproxy->TrafficAudit accept

• HTTPDynamicContentAccess

• WebTrafficAudit.Web Content

• HealthStatus.Informational.Traffic.Start

• Malicious.BufferOverflow

• Malicious.Trojan

• PolicyViolation

• Malicious.Web.Attack

Page 16: Why SureLog?

Rich Taxonomy

Enrich log data with context data in real time.

Page 17: Why SureLog?

Multilayer Data Management

• Column-oriented DBMS: https://en.wikipedia.org/wiki/Column-oriented_DBMS

• ElasticSearch

Page 18: Why SureLog?

Multilayer Data Management

• BIG DATA architecture

• SureLog uses a custom, extremely fast data execution engine for its large-scale, real-time data and warehouse reporting. Capacity and performance are measured in trillions of logs within SureLog, allowing reporting across thousands of devices simultaneously.

Page 19: Why SureLog?

Change Management

SureLog supports change reporting on log data: it answers what changed in the log data over a defined period within the selected time range. Example: What are the traffic counts for all IPs (top N IPs) for the last month, broken down by day?

Page 20: Why SureLog?

Advanced User Management

The SureLog SIEM allows granular and deeply tiered user control. Permissions can be defined with a high level of specificity and nested into multiple hierarchies. User profiles can be replicated, giving administrators an efficient template method for creating user accounts. By contrast, the open source SIEM provides only basic controls of user permissions and a single, simple user hierarchy, and profile templates cannot be used to create new user accounts.

• Reports

• Correlation Rules

• Administrative activities are role based

Page 21: Why SureLog?

Google-Like Search & Kibana Integration

Page 22: Why SureLog?

Drill Down Support

You can organize data in a variety of ways to show the relationship of the general to the detailed.

You can put all the data in the report but set it to be hidden until a user clicks to reveal the details; you can display the data in a data region, such as a table or chart, nested inside the report; you can display the data in a sub-report that is completely contained within a main report; or you can put the detail data in drill-down reports, separate reports that are displayed when a user clicks a link.

Page 23: Why SureLog?

Time Analysis

Page 24: Why SureLog?

Dashboards & Monitoring

Unlimited user-defined report creation is supported. Dashboard refresh settings are configurable. One of the new dashboard features: you can configure dashboards to be displayed periodically, which gives a slide-show effect.

Page 25: Why SureLog?

Intelligent Response

The ANET SureLog SIEM product can handle correlation alerts and actions in a smart way through its intelligent response system:

Mail sending

Executing scripts

• Visual Basic

• Batch file

• Perl script

• Python script

Executing Java code

Running an application

Dynamic list update. Example: adding or removing an IP in the banned IP list, or adding or removing a user in the list of users with more than three failed login attempts to the same machine within the last week, etc.

Page 26: Why SureLog?

Intelligent Response

Suspend Users: If an account compromise is suspected, halt the user's account access.

Suspend Network Access: If data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used by the corporate firewalls.

Kill Processes: If a team detects unknown or blacklisted processes on critical devices, Intelligent Response can kill the specific running program.

Page 27: Why SureLog?

Manageable Threat Intelligence

Threat Intelligence is integrated with different global sources, takes blacklists from them and works as a warning system using this data.

The SureLog Threat Intelligence module constantly updates its rich feed sources and enables rapid discovery of events involving communication with suspicious or malicious IP addresses.

Page 28: Why SureLog?

Manageable Threat Intelligence

SureLog aggregates information from numerous sources and applies automated confidence algorithms to produce intelligence and reputation data: a large library of openly available information lists is consolidated, classified and automatically analyzed to derive intelligence and reputation information with a confidence value.

Sources include:

• Botnet Domains

• Botnet URLs

• Malware Domains

• Malware URLs

• Email Phishing

• Phishing Domains

• Phishing URLs

Page 29: Why SureLog?

Incident Management

The SureLog Incident Management module helps the organization identify, analyze and correct hazards to prevent future re-occurrence. Incidents are assigned to specialist security admins. A resolution or work-around should be established as quickly as possible in order to correct the security breach.

Page 30: Why SureLog?

VA Reports

SureLog consolidates and normalizes the output of multiple vulnerability scanners.

SureLog provides analyzed and prioritized vulnerabilities by applying threat intelligence and full data-enrichment capabilities.

SureLog supports log data from vulnerability scanners such as Nessus, Qualys, OpenVAS and NMAP.

Page 31: Why SureLog?

Rich Normalizer Library

SureLog supports 500+ log types, such as:

• Apache HTTP Server

• Cisco IOS

• Cisco IronPort

• Cisco PIX Firewall

• Fortinet FortiGate Security Gateway

• Juniper Networks Firewall and VPN

• Linux iptables Firewall

• Linux OS

• Microsoft ISA

• Microsoft SQL Server

• Microsoft Windows OS

• Microsoft Windows DHCP & DNS

• Microsoft Windows IIS

• Nessus

• NMAP

• OpenVAS

• Oracle RDBMS OS Audit Record

• Qualys

• Sophos

• SonicWall UTM/Firewall/VPN

• Sourcefire Defense Center

• Symantec Endpoint Protection

• TippingPoint Intrusion Prevention System

• Websense

Page 32: Why SureLog?

SureLog

Page 33: Why SureLog?

Custom & Extended Parser API

SureLog's simple, XML-based parser API gives developers the power of the parser engine.

Developers:

• Can change the output of the normalization engine with the Extended Parser API

• Can develop new parsers for unparsed log types with the Custom Parser API

Page 34: Why SureLog?

Intuitive Browser-Based UI

SureLog's simple and user-friendly interfaces help you find your way even through complex definitions such as advanced correlation rules or extended event queries. We made every effort to fulfill the requirements and yet be simple and fast. A single browser-based UI makes it easy to configure, control and manage all aspects of the system centrally, including from mobile devices. SureLog is designed to give you the best user experience of a SIEM solution.

Page 35: Why SureLog?

Tags

SureLog adds a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that may define the various characteristics of an event (intrusion, financial, departmental and topological).

System users can create their own set of custom tags. Tags can be added to events individually as needed or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported, and tag statistics displays are included as well.

Page 36: Why SureLog?

Statistics Reports

Traffic and security statistics reports.

Page 37: Why SureLog?

Distributed Architecture

Supports master-slave mode installation. Hundreds of thousands of EPS capacity and centralized correlation can be achieved.