ANET SureLog SIEM
www.anetusa.net
SureLog International Edition // 2016
The Easiest Solution for Next-Generation SIEM
SureLog Next-Generation SIEM
1. SURELOG: INTEGRATED SIEM AND LOG MANAGEMENT (P-3)
2. ALL-IN-ONE IT SECURITY MONITORING (P-4)
SIEM (P-4)
Correlation Engine (P-5)
Advantages of SureLog Correlation Engine (P-5)
Simple Correlation Rules (P-6)
Advanced Correlation Rules (P-7)
Taxonomy (P-8)
LOG MANAGEMENT (P-9)
Comprehensive Log Data Collection and Log Management (P-9)
Cross-platform Log Collection (P-10)
Windows Event Logs: Agent-less or Agent-based (P-10)
Syslog (P-10)
Flat File Logs (P-10)
Tagging (P-11)
Scalable Log Centralization (P-11)
Log Archiving and Retrieval (P-11)
Activity Auditing (P-11)
3. SURELOG ADVANTAGES (P-11)
What problems does it solve? (P-12)
What features does it offer? (P-12)
Chapter 1
SURELOG: INTEGRATED NEXT-GENERATION SIEM AND LOG MANAGEMENT
1. SureLog: Integrated Next-Generation SIEM and Log Management
• Security Information and Event Management
• Advanced Correlation Engine
• Security Operations Center
• Log Management
• Log Forensics
• Threat Intelligence
• Security Reporting
• Real-Time Alerts
• Event Correlation & Analysis
• Compliance Management
• Rich Taxonomy
• Protecting Against Insider Attacks
ANET SureLog delivers next-generation SIEM, log management and intelligent security search in a simple, easy-to-install and cost-effective solution that provides immediate value for security and compliance to organizations of any size.
SureLog has a highly flexible architecture and support for high-volume data throughput rates. As well as the flexible architecture, SureLog possesses a superior correlation engine. The system lets you define complex combinations of events that you need to be alerted on by easily creating and customizing correlation rules with a graphical, drag-and-drop rule creator.
SureLog supports 155 brands and 350 devices and categorizes logs into 1513 groups.
The sophisticated threat intelligence management allows SureLog to dynamically collect blacklists and update its database.
• Multi-functional security management platform
• Integrated security and log management platform
• Real-time security management across thousands of devices, including applications as diverse as satellite, cryptography and security devices.
• Granular control over any type of event definition, with the ability to collect, normalize and integrate data from any device, application or service.
Chapter 2
ALL-IN-ONE IT SECURITY MONITORING
2. All-in-One IT Security Management
A superior SIEM and log management platform that seamlessly combines SIEM and log management with host and network forensics in a unified security intelligence platform.
SIEM
SureLog is web-based, agent-less SIEM, log analysis and reporting software. The application monitors, collects, analyzes and archives logs and monitoring parameters from enterprise-wide network perimeter security devices, routers, switches, SNMP devices, VMs, DHCP servers, and Linux or Windows systems, then generates reports. Supported sources include firewalls, proxy servers, intrusion detection systems (IDS) / intrusion prevention systems (IPS), virtual private networks (VPN), mail servers such as MS Exchange, Zimbra and Postfix, distributed Windows hosts, distributed Unix hosts, routers, switches and other syslog devices, and applications such as IIS web server, IIS FTP server, MS SQL Server, Oracle database server, and Windows and Linux DHCP servers. The SureLog application generates graphs and reports that help in analyzing system problems with minimal impact on network performance. Two prominent features of the application are correlation and security reports.
Correlation Engine
The Correlation Engine leverages predefined rules to identify attack patterns and malicious behavior. When trying to penetrate a system, attackers often take advantage of the fact that security controls are rarely working together and are rarely monitored. The Correlation Engine helps to automate that analysis so that attacks can be quickly identified and breaches can be quickly contained.
Advantages of SureLog Correlation Engine
Below are some advantages of SureLog:
• SureLog is fast: it supports 50,000 EPS with thousands of rules
• SureLog can trace multiple logs of different types within a defined time frame. A sample rule to support this advantage is: detect an unusual condition where a source has authentication failures at a host but is not followed by successful authentication at the same host within 2 hours
• SureLog can correlate different logs (example: a Windows user creation event and a Telnet event) according to related fields. A sample rule to support this advantage is: look for a new account being created followed by immediate authentication activity from that same account. It would detect a backdoor account creation followed by the account being used to telnet back into the system
• SureLog can trace whether a log is created with desired parameters or not. A sample rule to support this advantage is: detect an unusual condition where a source has authentication failures at a host that is not followed by a successful authentication at the same host within 2 hours.
• SureLog can audit privileged user activity such as new account creation for greater operational transparency
• SureLog can correlate privileged user behavior with specific network activity. A sample rule to support this advantage is: look for a new account being created followed by immediate authentication activity from that same account. It would detect a backdoor account creation followed by the account being used to telnet back into the system
• SureLog's correlation rule editor is simple to use
• SureLog supports multiple filtering options
• SureLog supports a compression-based correlation feature: SureLog can monitor multiple occurrences of the same event, remove redundancies, and report them as a single event
• SureLog supports threshold-based correlation: SureLog has a threshold to trigger a report when a specified number of similar events occur
• SureLog supports filter-based correlation: SureLog inspects each event to determine if it matches a pattern defined by a regular expression. If a match is found, an action may be triggered as specified in the rule.
• SureLog supports sequence-based correlation: SureLog helps establish causality of events. Events can be correlated based on specific sequential relationships, for example synchronizing multiple events such as "Event A" being followed by "Event B" to trigger an action.
• Its time-based correlation is useful for correlating events that have specific time-based relationships. Some problems can be determined only through temporal correlation. For example, time-based correlation can be used to implement cleanup rules given a specific interval
• SureLog supports rule suspending: preventing a rule from firing for a defined time period
Simple Correlation Rules
User Authentication
• Alert on 5 or more failed logins in 1 minute on a single user ID
Attacks on the Network
• Alert on 15 or more firewall Drop/Reject/Deny events from a single IP address in one minute
• Alert on 3 or more IPS alerts from a single IP address in five minutes.
Virus Detection/Removal
• Alert when a single host sees an identifiable piece of malware
• Alert when a single host fails to clean malware within 1 hour of detection.
• Alert when a single host connects to 50 or more unique targets in 1 minute
• Alert when 5 or more hosts on the same subnet trigger the same malware signature (AV or IPS) within a 1 hour interval.
Web Server
• Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server from an external source
Black-listed Applications
• Alert when an unauthorized application (e.g. TeamViewer, LogMeIn, Nmap, Nessus, etc.) is run on any host
Monitored Log Sources
• Alert when a monitored log source has not sent an event in 1 hour
User Activity Reports
• All active user accounts (any successful login grouped by account name in the past XX days)
• Active user list by authentication type: a) VPN users b) Active Directory users c) infrastructure device access (firewalls, routers, switches, IPS)
• User creation, deletion and modification (a list of all user accounts created, deleted or modified)
• Access by any default account (Guest, Root, Administrator, or other default account usage)
• Password resets by admin accounts in the past 7 days.
Access Reports
• Access to any protected/monitored device by an untrusted network: a) VPN access to server zone b) access by a foreign network to server zone
Malware
• A list of host addresses for any identified malware name
• A count of any given malware (grouped by anti-virus signature) over the past XX days
Email Activity
• Top 10 e-mail subjects
• Top 10 addresses to send email
• Top 10 addresses to receive email
• Top 10 addresses to send email with largest total size (MB)
• Top 10 addresses to receive email with largest total size (MB)
Web Content
• Top 10 destinations by domain name
• Top 10 blocked destinations by domain name
• Top 10 blocked sources by IP address
• Top 10 blocked categories
• Total sent and received bytes grouped by IP address
User Account Activity
• Top 10 failed logins
Advanced Correlation Rules
• Attack followed by account change
• Scan followed by an attack
• Detect an unusual condition where a source has authentication failures at a host but that is not followed by a successful authentication at the same host within 2 hours
• Look for a new account being created followed by immediate authentication activity from that same account; this would detect a backdoor account creation followed by the account being used to telnet back into the system
• Monitor the same source having excessive logon failures at distinct hosts
• Check whether the source of an attack was previously the destination of an attack (within 15 minutes)
• Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP
• Look for a new account being created, followed shortly by access/authentication failure activity from the same account
• Monitor system access outside of business hours
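As an added illustration (not SureLog code and not part of the brochure), the following Python prototypes three of the rule types described in the correlation engine advantages and the simple and advanced rule lists above, run over constructed sample events: a threshold rule (5 or more failed logins in 1 minute on a single user ID), a sequence rule (a new account created and then immediately authenticating), and a negative time-based rule (authentication failures at a host not followed by a success from the same source within 2 hours). The event schema, category names and sample records are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized to one schema (the brochure's
# "taxonomy" idea): (timestamp, category, account, source_ip, host). Made-up data.
EVENTS = [
    ("2016-03-01 09:00:05", "auth.failure", "alice", "10.0.0.5", "srv1"),
    ("2016-03-01 09:00:12", "auth.failure", "alice", "10.0.0.5", "srv1"),
    ("2016-03-01 09:00:20", "auth.failure", "alice", "10.0.0.5", "srv1"),
    ("2016-03-01 09:00:31", "auth.failure", "alice", "10.0.0.5", "srv1"),
    ("2016-03-01 09:00:44", "auth.failure", "alice", "10.0.0.5", "srv1"),
    ("2016-03-01 09:03:00", "auth.failure", "bob", "10.0.0.9", "srv2"),
    ("2016-03-01 09:03:30", "auth.success", "bob", "10.0.0.9", "srv2"),
    ("2016-03-01 10:15:00", "account.create", "svc_new", "10.0.0.7", "dc1"),
    ("2016-03-01 10:15:40", "auth.success", "svc_new", "10.0.0.7", "dc1"),
]
TS, CAT, ACCOUNT, SRC, HOST = range(5)  # tuple field positions
when = lambda ev: datetime.strptime(ev[TS], "%Y-%m-%d %H:%M:%S")

def threshold_rule(events, category, key, count, window):
    # Threshold-based: alert once per key when `count` events of `category` share that key inside a sliding window
    recent, alerts = defaultdict(list), []
    for ev in sorted(events):  # ISO timestamps sort chronologically
        if ev[CAT] != category:
            continue
        k, t = key(ev), when(ev)
        recent[k] = [x for x in recent[k] if t - x <= window] + [t]
        if len(recent[k]) >= count and k not in alerts:
            alerts.append(k)
    return alerts

def sequence_rule(events, first, second, key, window):
    # Sequence-based: alert when `first` is followed by `second` for the same key within `window`
    pending, alerts = {}, []
    for ev in sorted(events):
        k, t = key(ev), when(ev)
        if ev[CAT] == first:
            pending[k] = t
        elif ev[CAT] == second and k in pending and t - pending[k] <= window:
            alerts.append((k, ev[TS]))
            del pending[k]
    return alerts

def absence_rule(events, trigger, expected, key, window, now):
    # Negative time-based: alert when `trigger` is NOT followed by `expected` for the same key
    # within `window`; evaluated at `now`, so a key only fires after its whole window has elapsed
    first_seen, cleared = {}, set()
    for ev in sorted(events):
        k, t = key(ev), when(ev)
        if ev[CAT] == trigger:
            first_seen.setdefault(k, t)
        elif ev[CAT] == expected and k in first_seen and t - first_seen[k] <= window:
            cleared.add(k)
    return sorted(k for k, t in first_seen.items()
                  if k not in cleared and now - t > window)

def run_rules(events=EVENTS, now=datetime(2016, 3, 1, 12, 0)):
    # Apply the three brochure-style rules to the sample data and return alerts by rule name
    acct, pair = (lambda e: e[ACCOUNT]), (lambda e: (e[SRC], e[HOST]))
    return {
        "failed_logins": threshold_rule(events, "auth.failure", acct, 5, timedelta(minutes=1)),
        "new_account_logon": sequence_rule(events, "account.create", "auth.success", acct, timedelta(minutes=5)),
        "no_success_after_failure": absence_rule(events, "auth.failure", "auth.success", pair, timedelta(hours=2), now),
    }
```

Calling run_rules() flags alice for the burst of failures, svc_new for logging on right after creation, and the (10.0.0.5, srv1) pair for failures never followed by a success; bob's failure is cleared by his later success.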
Taxonomy
This is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
SureLog supports 155 brands and 350 devices and categorizes (taxonomy) logs into 1513 groups, such as:
• Compromised -> Remote Control App -> Response
• Health Status -> Informational -> High Availability -> Link Status -> Down
• IP Traffic Audit -> IP Too many fragments
• IP Spoof Access -> ICMP CODE Redirect for the Host
• File Transfer Traffic Audit -> Authentication Failed
• Naming Traffic Audit
• Session -> Start
• ICMP Destination Network is Administratively Prohibited
LOG MANAGEMENT
SureLog's log management feature collects log data from across an enterprise regardless of its source, presents the logs in a uniform and consistent manner, and manages the state, location and efficient access to those logs; this is an essential element of any comprehensive log management and log analysis solution. The SureLog solution was designed to address core log management needs including:
• The ability to collect any type of log data regardless of source
• The ability to collect log data with or without installing an agent on the log source device, system or application.
• The ability to "normalize" any type of log data for more effective reporting and analysis
• The ability to "scale down" for small deployments and "scale up" for extremely large environments
• An open architecture allowing direct and secure access to log data via third-party analysis and reporting tools
• A role-based security model providing user accountability and access control
• Automated archiving for secure long-term retention
• Wizard-based retrieval of any archived logs in seconds
Comprehensive Log Data Collection and Log Management
Cross-platform Log Collection
Today's IT operations require many technologies: routers, firewalls, switches, file servers, and applications, to name a few. SureLog has been designed to collect from them all through intelligent use of agent-less and agent-based techniques.
Windows Event Logs: Agent-less or Agent-based
SureLog can collect all types of Windows Event Logs with or without the use of an agent. Many Windows-based applications write their logs to the Application Event Log or a custom Event Log. Examples of supported log sources that can be collected by SureLog in real time include:
• Windows System Event Log
• Windows Security Event Log
• Windows Application Event Log
• Microsoft Exchange Server application logs
• Microsoft SQL Server application logs
• Windows-based ERP and CRM system application logs
Syslog
Many log sources, including most network devices (e.g. routers, switches, firewalls), transmit logs via syslog. SureLog includes an integrated syslog server for receiving and processing these messages. Simply point any syslog-generating device to SureLog and it will automatically begin collecting and processing those logs.
Flat File Logs
SureLog can collect logs written to any ASCII-based text file. Whether it is a commercial system or a homegrown application, SureLog can collect and manage them.
Examples of supported log sources using this method include:
• Web server logs (e.g. Apache, IIS)
• Linux system logs
• Windows Forefront TMG / UAG and ISA Server logs
• DNS and DHCP server logs
• Host-based intrusion detection/prevention systems
• Homegrown application logs
• MS Exchange message tracking logs
Since so much sensitive information resides in databases, it is important to monitor and track access and activity surrounding important databases. The actual and reputational cost of a theft of customer records can be very large. SureLog can help. SureLog collects, analyzes, alerts, and reports on logs from Oracle and Microsoft SQL Server. It also captures data from custom audit logs and applications that run on the database. This capability enables customers to use SureLog for real-time database monitoring to guard against insider and outsider threats.
Tagging
SureLog brings a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that may define the various characteristics of an event (intrusion, financial, departmental and topological). System users can create their own set of custom tags. Tags can be added to events individually as needed or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported, and tag statistics displays are included as well.
Scalable Log Centralization
SureLog is architected to scale easily and incrementally as your needs grow. Whether you need to collect 10 million or more than 1 billion logs per day, SureLog can handle it. With SureLog you simply deploy the capacity you need when you need it, preserving your initial investment along the way. Deployments can start with a single, turnkey appliance and grow easily by adding incremental log manager appliances as needs expand. With SureLog's "building blocks" distributed architecture, you can access and analyze logs throughout your deployment with ease.
Log Archiving and Retrieval
Many businesses have compliance requirements to preserve historic log data and be able to provide it in its original form for legal or investigative purposes. Collecting, maintaining and recovering historic log data can be expensive and difficult. Imagine trying to recover logs from a specific server two years ago. Were the logs archived or saved anywhere? If so, where have the logs been stored? What format are they in? Can the correct archived log files be identified among the tens of thousands (or millions) of other archive files in a reasonable period of time? With SureLog, the answers to these questions are easy.
Activity Auditing
For compliance verification, users' and administrators' actions within SureLog are logged. SureLog user activity reports provide powerful proof that SureLog is actively used to analyze log data for compliance purposes, and not for illegitimate aims.
Chapter 3
SURELOG ADVANTAGES
• Decision speed: integrated analysis technology processes highly complex decision logic in real time, similar to how humans reason.
• Continuous learning: we continuously learn the behavior of your environment by cross-correlating log information, device availability and performance statistics.
• Real-time alerting and historical forensics: many ready-to-use rules detect anomalous behavior and events. Comprehensive search and reporting capabilities simplify compliance reporting.
Customers who have used SURELOG have experienced:
• Improved productivity.
• Higher business operations uptime.
• Lower IT costs.
• Improved business performance.
• Ability to meet Service Level Agreements.
• By correlating customer service level commitments you will have better visibility into required response times.
• Monitor applications.
• Monitor ecosystem business services, not just devices.
What problems does it solve?
SureLog helps network security administrators and IT managers monitor security events efficiently with real-time alerting. The SureLog software also generates reports to comply with various regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX), and Payment Card Industry Data Security Standards (PCI), and archives logs for the purpose of network auditing and forensic analysis.
What features does it offer?
Multiple device/vendor support, flexible log archiving, capability to view traffic trends and usage patterns, multi-level drill-down into top hosts, protocols, websites and more, VPN/Squid proxy reports, multi-varied reporting capabilities, centralized event log management, compliance reporting, automatic alerting, historical trending, security analysis, host grouping, pre-built event reports, customizable report profiles, report scheduling, multiple report formats. Compliant with Turkish Law 5651, which guarantees that logs are digitally signed and cannot be changed.
About ANET Software
ANET is a privately held software company incorporated in VA, USA with branches in Turkey and New Zealand. Our mission is to build a software company that embraces an "open development philosophy" and provides innovative solutions to customer problems in collaboration with customers.
We are a SIEM pioneer with over 250 clients throughout Europe experiencing the ANET difference.
The Most Important Priority is Your Satisfaction
Contact Us
Headquarters:
Anet, Inc; PMB# 62 11350 Random Hills Rd Suite 800 Fairfax, VA 22030
+1 (703) 346-1222
Offices:
74 / 2 Asquith Ave Mt Albert Auckland, New Zealand
+64021 975 369
Istanbul Technology Development Zone Sanayi Mah. Teknopark Blvd. No: 1 Pendik 34906, Istanbul, Turkey
+902163540581
E-5 Karayolu Ankara Asfaltaltı, Soğanlık Sapağı Kartal / Istanbul 34912, Istanbul, Turkey
+902163540580
www.anetusa.net