The Easiest Solution for Next-Generation SIEM SureLog International Edition //2016 www.anetusa.net
SureLog Next-Generation SIEM, ANET
Agenda
• Introduction to SureLog
• What is SureLog
• Benefits of SureLog
More Than Just a SIEM
Integrated Log Management and SIEM Solution
Advanced Correlation Engine
Observed Rule: This is the most frequently used component. It performs a criteria match on the elements of an event. One or more filters can be placed within a Match Component, and each Match Component within a rule may match a separate event in order to satisfy the rule.
Threshold Rule: Count-based rules. This rule looks for the total count of a predefined event within a time window. The threshold should be adjusted to the use case.
Trend Monitor Rule: By trending any event, SureLog can find deviations over time that may indicate important security or performance events.
Statistical Rule: As the label suggests, this component uses the traditional Standard Deviation model and applies that deviation to the filters contained within the component. In addition to traditional deviation, Percent from Average and Fixed Value from Average are available as further comparison operators.
• Population Standard Deviation
• Sample Standard Deviation
• Variance (Sample Standard)
• Variance (Population Standard)
This provides more flexibility than regular standard deviation. For a quick primer on Standard Deviation, see this Wiki link: http://en.wikipedia.org/wiki/Standard_deviation.
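The following is an added example (not SureLog code) showing how the four deviation methods and the two extra comparison operators listed above behave on one filter's history. The hourly counts, the factor of 2, the 30% and the fixed delta of 5 are constructed values; the functions wrap Python's statistics module rather than any SureLog API.

```python
"""Statistical rule operators over a per-filter history of hourly counts.

Added example, not SureLog code: the four deviation methods the slide lists
plus Percent from Average and Fixed Value from Average. All thresholds are
constructed for illustration.
"""
from statistics import mean, pstdev, pvariance, stdev, variance

# Constructed baseline: failed logins per hour for one filter over 8 hours.
HISTORY = [12, 15, 11, 14, 13, 16, 12, 15]

METHODS = {
    "population_stddev": pstdev,
    "sample_stddev": stdev,
    "sample_variance": variance,
    "population_variance": pvariance,
}


def baseline(history, method):
    """Return (average, spread) for the chosen deviation method."""
    if method not in METHODS:
        raise ValueError(f"unknown deviation method: {method}")
    return mean(history), METHODS[method](history)


def deviation_rule(history, current, method="population_stddev", factor=2.0):
    """Fire when the current count is more than `factor` spreads from the average."""
    avg, spread = baseline(history, method)
    return abs(current - avg) > factor * spread


def percent_from_average(history, current, percent):
    """Fire when the current count differs from the average by more than `percent` %."""
    avg = mean(history)
    if avg == 0:
        return current != 0  # any activity on a silent baseline is a deviation
    return abs(current - avg) / avg * 100 > percent


def fixed_from_average(history, current, delta):
    """Fire when the current count differs from the average by more than `delta`."""
    return abs(current - mean(history)) > delta


def evaluate(history, current):
    """Run every operator once and report which ones fired (assumed thresholds)."""
    fired = {m: deviation_rule(history, current, m) for m in METHODS}
    fired["percent_from_average_30"] = percent_from_average(history, current, 30)
    fired["fixed_from_average_5"] = fixed_from_average(history, current, 5)
    return fired


if __name__ == "__main__":
    for current in (16, 20):
        print(current, evaluate(HISTORY, current))
```

With the constructed history (average 13.5, population standard deviation about 1.66) a count of 16 fires none of the operators while a count of 20 fires all of them, which is the practical reason for having several operators: the factor, percentage or fixed delta is what you tune per use case.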
Value Changed Rule: Match when a field takes two different values within a given time window.
Never Seen Before Rule: Match when a never-before-seen term appears in a field.
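As an added example (not SureLog code), the Threshold, Value Changed and Never Seen Before rules above are implemented as small stateful objects fed one event at a time. The event stream, the field names, the 3-in-300-seconds threshold and the baseline of known source IPs are all constructed.

```python
"""Stateful correlation rules: Threshold, Value Changed, Never Seen Before.

Added example, not SureLog code. Events are constructed dicts with a
timestamp in seconds; windows and counts are assumed values.
"""
from collections import defaultdict, deque

# Constructed event stream (ts = seconds since an arbitrary epoch).
EVENTS = [
    {"ts": 0,    "type": "auth_fail", "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": 30,   "type": "auth_fail", "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": 60,   "type": "auth_fail", "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": 90,   "type": "auth_ok",   "user": "alice", "src_ip": "10.0.0.5"},
    {"ts": 120,  "type": "auth_ok",   "user": "alice", "src_ip": "203.0.113.7"},
    {"ts": 150,  "type": "auth_ok",   "user": "bob",   "src_ip": "10.0.0.9"},
    {"ts": 4000, "type": "auth_fail", "user": "bob",   "src_ip": "10.0.0.9"},
]


class ThresholdRule:
    """Fire once when `count` matching events share a `key` value within `window` seconds."""

    def __init__(self, match, key, count, window):
        self.match, self.key, self.count, self.window = match, key, count, window
        self.timestamps = defaultdict(deque)  # key value -> recent matching timestamps

    def feed(self, ev):
        if not self.match(ev):
            return None
        q = self.timestamps[ev[self.key]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()                           # one alert per burst, then re-arm
            return {"rule": "threshold", "key": ev[self.key], "count": self.count}
        return None


class ValueChangedRule:
    """Fire when `field` takes two different values for the same `key` within `window` seconds."""

    def __init__(self, match, key, field, window):
        self.match, self.key, self.field, self.window = match, key, field, window
        self.last = {}  # key value -> (ts, last field value)

    def feed(self, ev):
        if not self.match(ev):
            return None
        k, v = ev[self.key], ev[self.field]
        prev = self.last.get(k)
        self.last[k] = (ev["ts"], v)
        if prev and prev[1] != v and ev["ts"] - prev[0] <= self.window:
            return {"rule": "value_changed", "key": k, "old": prev[1], "new": v}
        return None


class NeverSeenBeforeRule:
    """Fire the first time a value of `field` appears that is not in the learned set."""

    def __init__(self, match, field, baseline):
        self.match, self.field = match, field
        self.known = set(baseline)  # learned from history before the rule goes live

    def feed(self, ev):
        if not self.match(ev) or ev[self.field] in self.known:
            return None
        self.known.add(ev[self.field])
        return {"rule": "never_seen_before", "value": ev[self.field]}


def default_rules():
    """Constructed rule set: 3 failures per user in 5 min; login source change; new source IP."""
    return [
        ThresholdRule(lambda e: e["type"] == "auth_fail", key="user", count=3, window=300),
        ValueChangedRule(lambda e: e["type"] == "auth_ok", key="user", field="src_ip", window=600),
        NeverSeenBeforeRule(lambda e: True, field="src_ip", baseline=["10.0.0.5", "10.0.0.9"]),
    ]


def run(events, rules):
    """Feed events in order; collect every alert with the triggering timestamp."""
    alerts = []
    for ev in events:
        for rule in rules:
            alert = rule.feed(ev)
            if alert:
                alerts.append({**alert, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in run(EVENTS, default_rules()):
        print(a)
```

On the constructed stream this produces three alerts: the threshold fires for alice at ts 60, and the successful login from 203.0.113.7 at ts 120 trips both the Value Changed rule (source IP changed within the window) and the Never Seen Before rule (that IP was not in the learned baseline).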
The new correlation engine also has many new features, such as Suppression (start time), Expire Time, Timer (periodic running), etc.
The new correlation engine has many new operators, such as Starts With in List, Regex Search in List, Matches, etc.
Wizard Driven Rule Samples:
1. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to distinct inside destination IPs, and a traffic session then starts from ANY of the inside (destination) IPs to the outside IP, send ALL IPs (source and destination) by mail.
2. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to distinct inside destination IPs, and a traffic session then starts from ALL of the inside (destination) IPs to the outside IP, send the outside IP by mail.
3. Monitor the processes run weekly by a user and compare the trend with the current week's running process list.
4. Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication by the same user at the same host within 2 hours.
5. If the traffic on port X exceeds the standard deviation of historic traffic patterns, trigger an alert (e.g., new worm, bot communicating with C&C).
6. If the attack type is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical asset (production server vs. workstation), trigger an alert.
7. Detect the scenario where a server stopped but did not start again within an interval of 5 minutes.
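Samples 1 and 2 differ only in whether ANY or ALL of the scanned inside hosts must call back out. The following added example (not SureLog code or its wizard output) implements both variants over a constructed firewall event list; the packet threshold is lowered from 100 to 5 so the sample data stays short, and the 15-minute window is kept.

```python
"""Wizard rule samples 1 and 2: a burst of blocked packets from one outside IP
to distinct inside IPs, followed by a session from ANY (rule 1) or ALL (rule 2)
of those inside IPs back out to that outside IP.

Added example, not SureLog code. Threshold lowered from the slide's 100 to 5
so the constructed sample fits in a few lines.
"""
from collections import defaultdict

# Constructed UTM/firewall events. ts in seconds; "block" = inbound drop,
# "allow" = session start.
EVENTS = [
    {"ts": 0,   "action": "block", "src": "198.51.100.10", "dst": "10.0.0.1"},
    {"ts": 60,  "action": "block", "src": "198.51.100.10", "dst": "10.0.0.2"},
    {"ts": 120, "action": "block", "src": "198.51.100.10", "dst": "10.0.0.3"},
    {"ts": 180, "action": "block", "src": "198.51.100.10", "dst": "10.0.0.4"},
    {"ts": 240, "action": "block", "src": "198.51.100.10", "dst": "10.0.0.5"},
    {"ts": 300, "action": "allow", "src": "10.0.0.3", "dst": "198.51.100.10"},
    {"ts": 310, "action": "allow", "src": "10.0.0.1", "dst": "198.51.100.10"},
    {"ts": 320, "action": "allow", "src": "10.0.0.2", "dst": "198.51.100.10"},
    {"ts": 330, "action": "allow", "src": "10.0.0.4", "dst": "198.51.100.10"},
    {"ts": 340, "action": "allow", "src": "10.0.0.5", "dst": "198.51.100.10"},
    {"ts": 350, "action": "allow", "src": "10.0.0.7", "dst": "198.51.100.10"},  # never targeted
]


class BlockThenCallbackRule:
    """Two match components: a windowed block count, then a session from a blocked host."""

    def __init__(self, mode, threshold=100, window=15 * 60):
        assert mode in ("ANY", "ALL")
        self.mode, self.threshold, self.window = mode, threshold, window
        self.blocks = defaultdict(list)      # outside ip -> [(ts, inside dst)] within window
        self.targets = {}                    # outside ip -> inside IPs it was blocked to
        self.called_back = defaultdict(set)  # outside ip -> inside IPs that opened sessions
        self.fired = set()                   # outside IPs already alerted on

    def feed(self, ev):
        if ev["action"] == "block":
            recent = [(t, d) for t, d in self.blocks[ev["src"]] if ev["ts"] - t <= self.window]
            recent.append((ev["ts"], ev["dst"]))
            self.blocks[ev["src"]] = recent
            if len(recent) >= self.threshold:
                self.targets[ev["src"]] = {d for _, d in recent}
            return None
        outside, inside = ev["dst"], ev["src"]
        if ev["action"] != "allow" or outside in self.fired:
            return None
        if inside not in self.targets.get(outside, ()):
            return None                       # session from a host that was never scanned
        self.called_back[outside].add(inside)
        if self.mode == "ANY":
            self.fired.add(outside)
            return {"rule": 1, "outside": outside, "inside": sorted(self.targets[outside])}
        if self.called_back[outside] == self.targets[outside]:
            self.fired.add(outside)
            return {"rule": 2, "outside": outside}
        return None


def run(events, mode, threshold=5):
    """Replay the events through one rule instance and return the alerts with timestamps."""
    rule = BlockThenCallbackRule(mode, threshold=threshold)
    alerts = []
    for ev in events:
        alert = rule.feed(ev)
        if alert:
            alerts.append({**alert, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    print("ANY:", run(EVENTS, "ANY"))
    print("ALL:", run(EVENTS, "ALL"))
```

Rule 1 fires at the first callback (ts 300) and reports every IP involved; rule 2 waits until all five scanned hosts have connected out (ts 340) and, if one of them never does, it stays silent, which is the trade-off between the two wizard samples.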
Historical Correlation
Use historical correlation to run past events through the custom rules engine to identify threats or security incidents that already occurred.
By default, a SureLog SIEM deployment analyzes information collected from log sources in near real time. With historical correlation, you can correlate by either the start time or the device time. Start time is the time at which the event was received by SureLog; device time is the time at which the event occurred on the device.
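The choice between start time and device time matters whenever a log source forwards late. The following added example (not SureLog code) replays one constructed "3 failures in 5 minutes" rule first over start time, as near-real-time processing would see it, and then over device time, as a historical run would; timestamps, user and rule parameters are constructed.

```python
"""Historical correlation: the same threshold rule replayed by start time
(when SureLog received the event) versus device time (when it happened).

Added example, not SureLog code. The scenario is a log source whose
forwarding was delayed, so events that happened minutes apart arrived
hours later; all timestamps and the rule parameters are constructed.
"""
from datetime import datetime, timedelta

# Constructed events: device_time = clock on the device, start_time = time received.
EVENTS = [
    {"device_time": "2016-03-01T10:00:00", "start_time": "2016-03-01T10:00:05", "user": "alice", "type": "auth_fail"},
    {"device_time": "2016-03-01T10:02:00", "start_time": "2016-03-01T13:00:00", "user": "alice", "type": "auth_fail"},
    {"device_time": "2016-03-01T10:04:00", "start_time": "2016-03-01T13:00:01", "user": "alice", "type": "auth_fail"},
    {"device_time": "2016-03-01T11:30:00", "start_time": "2016-03-01T13:00:02", "user": "alice", "type": "auth_ok"},
]


def correlate(events, time_field, user, threshold=3, window=timedelta(minutes=5)):
    """Count auth failures for `user` in a sliding window over `time_field`; return alert times."""
    times = sorted(
        datetime.fromisoformat(e[time_field])
        for e in events
        if e["type"] == "auth_fail" and e["user"] == user
    )
    alerts, recent = [], []
    for t in times:
        recent = [r for r in recent if t - r <= window] + [t]
        if len(recent) >= threshold:
            alerts.append(t.isoformat())
            recent = []  # re-arm after firing
    return alerts


def realtime_view(events):
    """What near-real-time correlation keyed on start time would have seen."""
    return correlate(events, "start_time", "alice")


def historical_view(events):
    """What a historical replay ordered by device time finds."""
    return correlate(events, "device_time", "alice")


if __name__ == "__main__":
    print("start time :", realtime_view(EVENTS))
    print("device time:", historical_view(EVENTS))
```

Keyed on start time the three failures are split across a three-hour gap and never reach the threshold; keyed on device time they fall within four minutes and the rule fires at 10:04, which is the incident the historical run is meant to recover.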
Risk Calculation
Content Based Risk Calculation
Content Based Risk Calculation: If the log type is critical (e.g., failed login), the target is a critical asset (production server vs. workstation), and perhaps the time is suspicious (during lunch), then the risk of this event is significant. An alarm is triggered without developing an additional correlation rule.
Rule Based Risk Calculation
Alarms can be created from one or more correlation rules. If the attack type is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical asset (production server vs. workstation), then trigger an alert.
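To make the two approaches concrete, the following is an added example (not SureLog code): a content-based score built from the three factors named above (log type, asset criticality, suspicious hour) and a rule-based alarm on attack type plus asset. The asset inventory, weights, lunch window and alarm threshold are constructed.

```python
"""Content-based and rule-based risk calculation.

Added example, not SureLog code. The weights, the lunch-hour window, the
asset inventory and the alarm threshold are constructed; the inputs mirror
the slide (log type, target asset criticality, suspicious time, attack type).
"""
from datetime import datetime

# Constructed asset inventory and weights.
ASSET_CLASS = {"10.0.0.10": "production_server", "10.0.0.50": "workstation"}
ASSET_WEIGHT = {"production_server": 3, "workstation": 1}
LOG_TYPE_WEIGHT = {"failed_login": 3, "config_change": 4, "successful_login": 1}
LUNCH_HOURS = range(12, 14)                 # 12:00-13:59 counts as suspicious
DESTRUCTIVE_ATTACKS = {"buffer_overflow"}   # a SYN scan is noisy but not destructive
ALARM_THRESHOLD = 12


def content_risk(event):
    """Multiply log-type, asset and time factors into one risk score for a single event."""
    log_weight = LOG_TYPE_WEIGHT.get(event["type"], 1)
    asset_weight = ASSET_WEIGHT[ASSET_CLASS.get(event["target"], "workstation")]
    hour = datetime.fromisoformat(event["time"]).hour
    time_weight = 2 if hour in LUNCH_HOURS else 1
    return log_weight * asset_weight * time_weight


def content_alarm(event):
    """Alarm straight from the event's own risk, with no correlation rule written."""
    return content_risk(event) >= ALARM_THRESHOLD


def rule_alarm(attack_type, target):
    """Rule-based: destructive attack type AND critical asset."""
    return attack_type in DESTRUCTIVE_ATTACKS and ASSET_CLASS.get(target) == "production_server"


if __name__ == "__main__":
    lunch = {"type": "failed_login", "target": "10.0.0.10", "time": "2016-03-01T12:30:00"}
    morning = {"type": "failed_login", "target": "10.0.0.10", "time": "2016-03-01T09:00:00"}
    print(content_risk(lunch), content_alarm(lunch))
    print(content_risk(morning), content_alarm(morning))
    print(rule_alarm("buffer_overflow", "10.0.0.10"), rule_alarm("syn_scan", "10.0.0.10"))
```

The same failed login scores 18 against a production server at lunchtime and 9 at 09:00, so only the first crosses the constructed threshold; the multiplicative form is what lets a single suspicious factor raise an otherwise routine event without a dedicated rule.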
Rich Taxonomy
Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
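The following added example (not SureLog code, and not its parsers) shows the mechanism: two constructed firewall log lines in different formats are normalized into one schema with a taxonomy field, and a single rule written against that field matches both. The iptables line follows the standard kernel log layout; the "fwB" CSV format and the taxonomy assignment function are invented for the example, with only the group names quoted from the slide.

```python
"""Normalizing two constructed vendor log lines into one taxonomy group so a
single rule covers both.

Added example, not SureLog code. The "fwB" CSV format is invented; the
iptables line follows the standard kernel log layout; taxonomy group names
are taken from the slide, the classification logic is an assumption.
"""
import re

# Constructed raw lines: one Linux iptables drop (with a "DROP" log prefix)
# and two CSV lines from a hypothetical "fwB" firewall.
RAW = [
    "Mar  1 10:00:00 fw1 kernel: DROP IN=eth0 OUT= SRC=198.51.100.10 DST=10.0.0.1 PROTO=TCP SPT=44321 DPT=22 SYN",
    "2016-03-01 10:00:03,fwB,deny,198.51.100.10,10.0.0.2,tcp,44322,22,S",
    "2016-03-01 10:00:05,fwB,accept,10.0.0.7,10.0.0.2,tcp,50000,443,S",
]

IPTABLES = re.compile(
    r"kernel: (?P<action>\w+) IN=\S* OUT=\S* SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_iptables(line):
    """Parser for the iptables kernel log format; returns normalized fields or None."""
    m = IPTABLES.search(line)
    if not m:
        return None
    return {
        "vendor": "iptables",
        "action": "deny" if m["action"] == "DROP" else "accept",
        "src": m["src"], "dst": m["dst"], "proto": m["proto"].lower(),
        "dport": int(m["dpt"]), "syn": " SYN" in m["rest"],
    }


def parse_vendor_b(line):
    """Parser for the invented fwB CSV format; returns normalized fields or None."""
    parts = line.split(",")
    if len(parts) != 9 or parts[1] != "fwB":
        return None
    _, _, action, src, dst, proto, _, dport, flags = parts
    return {
        "vendor": "fwB",
        "action": "deny" if action == "deny" else "accept",
        "src": src, "dst": dst, "proto": proto.lower(),
        "dport": int(dport), "syn": "S" in flags,
    }


def classify(ev):
    """Assumed taxonomy assignment from normalized fields (group names from the slide)."""
    if ev["proto"] == "tcp" and ev["syn"]:
        return "TCPTrafficAudit->TCP SYN Flag"
    return "TrafficAudit"


def normalize(line):
    """Try each parser in turn and attach the taxonomy group."""
    ev = parse_iptables(line) or parse_vendor_b(line)
    if ev is None:
        return None
    ev["taxonomy"] = classify(ev)
    return ev


# One vendor-agnostic rule: denied TCP SYN to port 22, expressed on taxonomy + normalized fields.
RULE = {"taxonomy": "TCPTrafficAudit->TCP SYN Flag", "action": "deny", "dport": 22}


def matching_sources(lines, rule=RULE):
    """Return (vendor, src, dst) for every line that the rule matches after normalization."""
    hits = []
    for line in lines:
        ev = normalize(line)
        if ev and all(ev.get(k) == v for k, v in rule.items()):
            hits.append((ev["vendor"], ev["src"], ev["dst"]))
    return hits


if __name__ == "__main__":
    print(matching_sources(RAW))
```

The rule is written once and hits the iptables drop and the fwB deny alike, while the fwB accept on port 443 falls through; adding a third log format means adding a parser, not another copy of the rule.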
• Some of the existing 1500+ taxonomy groups in SureLog:
• Reconnaissance->Scan->Host
• TCPTrafficAudit->TCP SYN Flag
• ICMPTrafficAudit
• NamingTrafficAudit
• Malicious->Web->SQL
• Flow->Fragmentation
• httpproxy->TrafficAudit accept
• HTTPDynamicContentAccess
• WebTrafficAudit.Web Content
• HealthStatus.Informational.Traffic.Start
• Malicious.BufferOverflow
• Malicious.Trojan
• PolicyViolation
• Malicious.Web.Attack
Enrich log data with context data in real time.
Multilayer Data Management
• Column-oriented DBMS: https://en.wikipedia.org/wiki/Column-oriented_DBMS
• ElasticSearch
• BIG DATA Architecture
• SureLog uses a custom, extremely fast data execution engine for its large-scale, real-time data and warehouse reporting. Capacity and performance within SureLog are measured in trillions of logs, allowing reporting across thousands of devices simultaneously.
Change Management
SureLog supports change reporting on log data, answering what changed in the log data over a defined period within a selected time range. Example: what are the traffic counts for all IPs (Top N IPs) for the last month, broken down by day?
Advanced User Management
The SureLog SIEM allows granular and deeply tiered user control. Permissions can be defined with a high level of specificity and nested into multiple hierarchies. User profiles can be replicated, giving administrators an efficient template method for creating user accounts. The Open Source SIEM provides only basic user permission controls and a single simple user hierarchy, and profile templates cannot be used to create new user accounts.
• Reports
• Correlation Rules
• Administrative Activities are role based
Google-Like Search & Kibana Integration
Drill Down Support
You can organize data in a variety of ways to show the relationship between the general and the detailed.
You can put all the data in the report but keep it hidden until a user clicks to reveal details.
You can display the data in a data region, such as a table or chart, nested inside the report. You can display the data in a sub-report that is completely contained within a main report. Or you can put the detail data in drill-down reports: separate reports that are displayed when a user clicks a link.
Time Analysis
Dashboards & Monitoring
Unlimited user-defined report creation is supported. Dashboard refresh settings are configurable. One of the new dashboard features: you can configure dashboards to be displayed periodically in rotation, which gives a slide-show effect.
Intelligent Response
The ANET SureLog SIEM product can handle correlation alerts and actions in a smart way through its intelligent response system:
• Mail sending
• Executing scripts
• Visual Basic
• Batch file
• Perl script
• Python script
• Executing Java code
• Running an application
• Dynamic list update. Example: adding an IP to, or removing it from, the banned IP list; adding a user to, or removing one from, the list of users with more than three failed login attempts to the same machine within the last week; etc.
Suspend Users: If an account compromise is suspected, halt the user's account access.
Suspend Network Access: If data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used by corporate firewalls.
Kill Processes: If a team detects unknown or blacklisted processes on critical devices, Intelligent Response can kill the specific running program.
Manageable Threat Intelligence
Threat Intelligence integrates with different global sources, takes blacklists from them, and works as a warning system using this data.
SureLog Threat Intelligence module constantly updates its rich feed sources and enables rapid discovery of events involving communications with suspicious or malicious IP addresses.
SureLog aggregates information from numerous sources and applies automated confidence algorithms to produce intelligence and reputation data: a large library of openly available information lists is consolidated, classified and automatically analyzed to derive intelligence and reputation information with confidence.
• Sources include:
• Botnet Domains
• Botnet URLs
• Malware Domains
• Malware URLs
• Email Phishing
• Phishing Domains
• Phishing URLs
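The slide does not publish SureLog's confidence algorithm, so the following added example (not SureLog code) uses an assumed one: an indicator's confidence is the fraction of feeds that list it, and an event is flagged only above a minimum confidence. The three feeds, their indicators and the category names that follow the source list above are constructed.

```python
"""Threat-intelligence reputation built from several feeds, with a confidence
value derived from how many independent sources agree.

Added example, not SureLog code. The "fraction of feeds that list the
indicator" confidence rule is an assumption; feeds and indicators are
constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed feeds, keyed by source, then by category.
FEEDS = {
    "feed_a": {"botnet_domains": ["c2.example.net"],
               "malware_urls": ["http://dl.example.org/payload.exe"]},
    "feed_b": {"botnet_domains": ["c2.example.net", "bot.example.com"],
               "phishing_domains": ["login-example.test"]},
    "feed_c": {"malware_domains": ["dl.example.org"]},
}


def indicator_keys(indicator):
    """A URL indicator is indexed under the full URL and its host; a domain under itself."""
    if "://" in indicator:
        return {indicator, urlsplit(indicator).hostname}
    return {indicator}


def build_reputation(feeds):
    """Consolidate feeds into indicator -> {sources, categories, confidence}."""
    rep = defaultdict(lambda: {"sources": set(), "categories": set()})
    for source, categories in feeds.items():
        for category, indicators in categories.items():
            for ind in indicators:
                for key in indicator_keys(ind):
                    rep[key]["sources"].add(source)
                    rep[key]["categories"].add(category)
    for entry in rep.values():
        # Assumed confidence: share of feeds that independently list the indicator.
        entry["confidence"] = round(len(entry["sources"]) / len(feeds), 2)
    return dict(rep)


def check_event(rep, event, min_confidence=0.5):
    """Return a warning for an event whose domain/URL is listed with enough confidence."""
    for field in ("url", "domain"):
        value = event.get(field)
        if not value:
            continue
        for key in indicator_keys(value):
            entry = rep.get(key)
            if entry and entry["confidence"] >= min_confidence:
                return {"indicator": key, "confidence": entry["confidence"],
                        "categories": sorted(entry["categories"]),
                        "sources": sorted(entry["sources"])}
    return None


if __name__ == "__main__":
    rep = build_reputation(FEEDS)
    for ev in ({"domain": "c2.example.net"}, {"domain": "login-example.test"},
               {"url": "http://dl.example.org/other.bin"}):
        print(ev, "->", check_event(rep, ev))
```

A domain two of the three feeds agree on (c2.example.net) produces a warning, a single-feed phishing domain stays below the constructed 0.5 cut-off, and a download from a host that one feed lists as a malware domain and another lists via a URL is caught through the host key, which is why URL indicators are indexed under their host as well.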
Incident Management
The SureLog Incident Management module helps organizations identify, analyze, and correct hazards in order to prevent recurrence. Incidents are assigned to specialist security admins. A resolution or workaround should be established as quickly as possible in order to correct the security breach.
VA Reports
SureLog consolidates and normalizes output from multiple vulnerability scanners.
SureLog provides analyzed and prioritized vulnerabilities by applying threat intelligence and full data-enrichment capabilities.
SureLog supports log data from vulnerability scanners such as Nessus, Qualys, OpenVAS, and Nmap.
Rich Normalizer Library
SureLog supports 500+ log types, such as:
• Apache HTTP Server
• Cisco IOS
• Cisco IronPort
• Cisco PIX Firewall
• Fortinet FortiGate Security Gateway
• Juniper Networks Firewall and VPN
• Linux iptables Firewall
• Linux OS
• Microsoft ISA
• Microsoft SQL Server
• Microsoft Windows OS
• Microsoft Windows DHCP & DNS
• Microsoft Windows IIS
• Nessus
• Nmap
• OpenVAS
• Oracle RDBMS OS Audit Record
• Qualys
• Sophos
• SonicWall UTM/Firewall/VPN
• Sourcefire Defense Center
• Symantec Endpoint Protection
• TippingPoint Intrusion Prevention System
• Websense
Custom & Extended Parser API
SureLog's simple, XML-based parser API gives developers the power of the parser engine.
Developers:
• can change the output of the normalization engine with the Extended Parser API
• can develop new parsers for unparsed log types with the Custom Parser API
Intuitive Browser-Based UI
SureLog's simple and user-friendly interfaces help you find your way even through complex definitions such as advanced correlation rules or extended event queries. We made every effort to fulfill the requirements while staying simple and fast. A single browser-based UI makes it easy to configure, control and manage all aspects of the system centrally, including from mobile devices. SureLog is designed to give you the best user experience a SIEM solution can offer.
Tags
SureLog adds a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that may describe the various characteristics of an event (intrusion, financial, departmental and topological).
System users can create their own set of custom tags. Tags can be added to events individually as needed, or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported, and tag statistics displays are included as well.
Statistics Reports
Traffic and security statistics reports
Distributed Architecture
Supports master-slave mode installation. Hundreds of thousands of EPS in capacity, together with centralized correlation, can be achieved.