SureLog International Edition www.anet.net.nz ANET Security Information & Event Management Systems

ANET SureLog International Edition Main Advantages


Page 1: ANET SureLog International Edition Main Advantages

SureLog International Edition

www.anet.net.nz

ANET Security Information & Event Management Systems

Page 2: ANET SureLog International Edition Main Advantages

ANET SureLog

Page 3: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

• Integrated Log Management and SIEM Solution.

• It has fully authorization-controlled menus, reports, and dashboards. Authorization can be based on log source, traffic direction (inbound or outbound), the group the user belongs to in the domain, etc.

• Multiple user-based dashboards can be created, so that each user sees their own dashboard with its own set of widgets.

Page 4: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

• It comes with many new features that do not exist in many global competitors' products.

• TAG support

• Custom user group creation and user-group-based authorization

• Traffic and security statistics reports

• Taxonomy module

• Threat Intelligence

Page 5: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

• A more sophisticated correlation engine than the other competing products:

• Advanced rules

• Visual rule editor

• Creating rules from dynamic lists

• Updating the global lists dynamically

• Rule suspending

• Time-based rules

• Automatic actions on a triggered correlated event

• Big Data

• Distributed architecture

• FastTrack feature

Page 6: ANET SureLog International Edition Main Advantages

The products

Taxonomy

Feb 15 22:01:35 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:54886 to 2.3.4.5:406, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2015-02-15 22:09:03)

Log Search: Src, Dst, URL, User, EventID, Process, Domain, etc.

Example field values shown in the slide diagram: 1.2.3.4, www.facebook.com, Ertugrul, 54886, 2.3.4.5, 406, anetlocal

Log Taxonomy

• Reconnaissance->Scan->Host

• TCPTrafficAudit->TCP SYN Flag

• ICMPTrafficAudit

• NamingTrafficAudit

• Malicious->Web->SQL

• Flow->Fragmentation

True correlation

SIEM

Detect the IP address that performs scanning from outside.
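As an added example (not code from the slides or from ANET), the following Python shows the normalization and taxonomy step the diagram sketches: the NetScreen port-scan alert above is parsed into common fields, mapped to the Reconnaissance->Scan->Host class, and a correlation rule then picks out scan sources outside the internal address ranges. The regex, the normalized field names and the internal ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample: the NetScreen port-scan alert shown on the slide.
RAW_LOG = ("Feb 15 22:01:35 [xx] ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: "
           "Port scan! From 1.2.3.4:54886 to 2.3.4.5:406, proto TCP (zone Untrust, int untrust). "
           "Occurred 1 times. (2015-02-15 22:09:03)")

# Parser for this one NetScreen alert format; the group names are the assumed normalized field names.
NETSCREEN_RE = re.compile(
    r"device_id=(?P<device>\S+) \[Root\](?P<event_id>system-alert-\d+): (?P<msg>[^!]+)! "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>\w+), int (?P<iface>\w+)\)\. Occurred (?P<count>\d+) times"
)

# Vendor message text -> common taxonomy class (class name taken from the slide).
TAXONOMY = {
    "Port scan": "Reconnaissance->Scan->Host",
}

# Assumed internal ranges; any other source counts as "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(line: str) -> dict:
    """Parse one raw NetScreen alert into normalized fields plus a taxonomy class."""
    m = NETSCREEN_RE.search(line)
    if not m:
        return {"taxonomy": "Unclassified", "raw": line}
    event = m.groupdict()
    for key in ("sport", "dport", "count"):
        event[key] = int(event[key])
    event["taxonomy"] = TAXONOMY.get(event["msg"].strip(), "Unclassified")
    return event


def is_external(ip: str) -> bool:
    """True when the address is neither loopback nor inside an internal range."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_loopback and not any(addr in net for net in INTERNAL_NETS)


def external_scanners(events: list) -> set:
    """Correlation rule from the slide: sources of scan-class events that come from outside."""
    return {e["src"] for e in events
            if e.get("taxonomy", "").startswith("Reconnaissance->Scan") and is_external(e["src"])}
```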

Page 7: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• SureLog is fast: supports 50,000 EPS with thousands of rules.

• Rule Chains.

• Advanced correlation rules

• SureLog supports rule suspending: preventing a rule from firing again for a defined time period (for example, suspend Rule A for 1 hour after it fires).

• Compression-based correlation. Monitors multiple occurrences of the same event, removes redundancies and reports them as a single event.

 

Page 8: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Has a visual user interface for writing correlation rules.

• Has a TAG feature, which doesn't exist even in many global products (fields are added automatically or manually by the user).

• Threshold-based correlation. Has a threshold to trigger a report when a specified number of similar events occur.

• Filter-based correlation. Inspects each event to determine if it matches a pattern defined by a regular expression. If a match is found, an action may be triggered as specified in the rule.

Page 9: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Sequence-based correlation. Helps to establish causality of events. Events can be correlated based on specific sequential relationships. For example, synchronizing multiple events such as event A being followed by event B to trigger an action.

• Time-based correlation

• Supports non-negative case rules, which don't exist even in many global products.

Page 10: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Supports context-based correlation, which doesn't exist even in many global products.

• Supports hierarchical correlation which doesn’t exist even in many global products.

• Supports dynamic correlation list management which doesn’t exist even in many global products.

Page 11: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

Page 12: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• It has wide support for operators. Sample:

• For example, the «in list» operator doesn't exist even in many global products. Moreover, the «not in list» operator exists only in some of the products of the leading players in the Gartner SIEM report.

Page 13: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

The correlation rules examples:

• Attack Followed by Account Change

• Scan Followed by an Attack

• Detects an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours
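An added example (not SureLog code) of how the third rule above can be implemented as a negative sequence rule over a normalized authentication-event stream: a failure opens a pending entry per (source, host), a success within the window closes it, and anything still open once the window has elapsed, or closed only by a late success, is reported. The field names and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)
T0 = datetime(2015, 2, 15, 22, 0)
DEMO_NOW = T0 + timedelta(hours=4)   # end of the evaluation period for the demo


def auth_failures_without_success(events, now, window=WINDOW):
    """Negative sequence rule: (src, host) pairs whose authentication failures were not followed
    by a successful authentication from the same src at the same host within `window`.
    Each event is a dict with 'ts' (datetime), 'src', 'host' and 'outcome' ('failure'/'success')."""
    pending = {}      # (src, host) -> time of the first failure not yet answered by a success
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["src"], e["host"])
        if e["outcome"] == "failure":
            pending.setdefault(key, e["ts"])
        elif e["outcome"] == "success" and key in pending:
            first = pending.pop(key)
            if e["ts"] - first > window:            # success arrived too late: still a finding
                findings.append((e["src"], e["host"], first))
    for (src, host), first in pending.items():
        if now - first >= window:                   # window elapsed with no success at all
            findings.append((src, host, first))
    return sorted(findings)


def sample_events():
    """Constructed normalized authentication events (deliberately not in time order)."""
    def m(minutes):
        return T0 + timedelta(minutes=minutes)
    return [
        {"ts": m(0), "src": "10.0.0.5", "host": "fileserver", "outcome": "failure"},
        {"ts": m(1), "src": "10.0.0.5", "host": "fileserver", "outcome": "failure"},
        {"ts": m(3), "src": "10.0.0.5", "host": "fileserver", "outcome": "success"},  # typo, then logged in
        {"ts": m(10), "src": "203.0.113.7", "host": "vpn-gw", "outcome": "failure"},  # never succeeds
        {"ts": m(20), "src": "10.0.0.9", "host": "dc01", "outcome": "failure"},
        {"ts": m(180), "src": "10.0.0.9", "host": "dc01", "outcome": "success"},      # 2h40m later: too late
        {"ts": m(150), "src": "10.0.0.11", "host": "dc01", "outcome": "failure"},     # window still open at DEMO_NOW
    ]


def run_demo():
    return auth_failures_without_success(sample_events(), now=DEMO_NOW)
```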

Page 14: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

The correlation rules examples:

• Look for a new account being created followed by immediate authentication activity from that same account; this would detect a backdoor account being created and then used to telnet back into the system.

• Monitor the same source having excessive logon failures at distinct hosts.

• Check whether the source of an attack was previously the destination of an attack (within 15 minutes)

Page 15: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

The correlation rules examples:

• Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP

• Look for a new account being created, followed shortly by access/authentication failure activity from the same account

• Monitor system access outside of business hours

Page 16: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

The correlation rules examples:

• Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an email is sent for each one, you expose yourself to a self-inflicted DDoS.)

• Warn if traffic occurs to or from a source in the IP reputation list.

• Warn if the servers are accessed out of hours.
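An added example, not taken from the product, of the first rule above combined with the threshold-based, compression-based and rule-suspending correlation described on the earlier slides: the rule fires once when more than 100 drops from one source arrive inside the window, is then suspended for that source for an hour, and counts the events it swallows while suspended so they can later be reported as a single summary. The event field names and the sample stream are constructed.

```python
from collections import defaultdict, deque


class ThresholdSuppressRule:
    """Fire once when more than `threshold` events for one key arrive within `window` seconds,
    then suspend the rule for that key for `suspend` seconds and count what it swallows."""

    def __init__(self, threshold, window, suspend, key=lambda e: e["src"]):
        self.threshold, self.window, self.suspend, self.key = threshold, window, suspend, key
        self.buckets = defaultdict(deque)    # key -> timestamps still inside the window
        self.suspended_until = {}            # key -> time until which the rule stays muted
        self.suppressed = defaultdict(int)   # key -> events compressed while muted

    def feed(self, event):
        """Return an alert dict when the rule fires for this event, else None."""
        k, now = self.key(event), event["ts"]
        if now < self.suspended_until.get(k, 0):
            self.suppressed[k] += 1          # compression: counted, not alerted again
            return None
        bucket = self.buckets[k]
        bucket.append(now)
        while bucket and now - bucket[0] > self.window:
            bucket.popleft()                 # slide the time window
        if len(bucket) > self.threshold:
            count = len(bucket)
            bucket.clear()
            self.suspended_until[k] = now + self.suspend   # rule suspending for this source
            return {"rule": "blocked-packets-flood", "src": k, "count": count, "ts": now}
        return None


def run_demo():
    """Constructed stream: 250 drops from one source inside a few minutes, 5 from another."""
    rule = ThresholdSuppressRule(threshold=100, window=3600, suspend=3600)
    events = [{"ts": 1000 + i, "src": "203.0.113.7", "action": "drop"} for i in range(250)]
    events += [{"ts": 1000 + i, "src": "198.51.100.9", "action": "drop"} for i in range(5)]
    events.sort(key=lambda e: e["ts"])
    alerts = [a for a in (rule.feed(e) for e in events if e["action"] == "drop") if a]
    return alerts, dict(rule.suppressed)
```

The one alert carries the 101 events that crossed the threshold; the remaining 149 drops from that source are counted in `suppressed` instead of producing 149 more emails.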

Page 17: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• The rule editor:

Page 18: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Taxonomy:

Some of the existing 1537 taxonomy groups in SureLog:

Reconnaissance->Scan->Host
TCPTrafficAudit->TCP SYN Flag
ICMPTrafficAudit
NamingTrafficAudit
Malicious->Web->SQL
Flow->Fragmentation
httpproxy->TrafficAudit accept
HTTPDynamicContentAccess
WebTrafficAudit.Web Content
HealthStatus.Informational.Traffic.Start
Malicious.BufferOverflow
Malicious.Trojan
PolicyViolation
Malicious.Web.Attack

Page 19: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Taxonomy is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.

Page 20: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

SureLog Correlation:

• Threat Intelligence: Threat Intelligence is integrated with different global sources, takes blacklists from them, and works as a warning system using these data.

• Processed, sorted information

• Evaluated and interpreted by trained intelligence analysts globally

Page 21: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

The attributes or parameters of the event can be passed to the mail-sending, script-execution, or dynamic list management module. For example:

• Event source

• Event destination IP

• Username

• ComputerName

• ProcessName

• Software Name

• http://www.slideshare.net/anetertugrul/anet-surelog-siem-intelligentresponse-54274144

Page 22: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

Dynamic list definition and updating is a feature of SureLog that is not provided by any other product in the world. This feature allows incredible flexibility and a wide range of uses for the Detection module. For example: warn if a user in the Administrator group has a failed logon attempt. Here, the Administrator group is kept up to date dynamically by the other rules; for example, if a user is added to the Admin group, update the Administrator user list.
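An added illustration, not SureLog's implementation, of the dynamic-list mechanism described above: one rule keeps an "Administrators" list current from group-membership change events, and a second rule alerts on a failed logon by any current member. The event kinds (group_member_added, group_member_removed, logon_failure) and the sample events are constructed; in a real deployment they would be mapped from the operating system's group-change and logon-failure audit events.

```python
class DynamicList:
    """A named set that correlation rules may update at runtime (dynamic list management)."""

    def __init__(self, name, initial=()):
        self.name, self.members = name, set(initial)

    def add(self, item):
        self.members.add(item)

    def remove(self, item):
        self.members.discard(item)

    def __contains__(self, item):
        return item in self.members


def process(events, admins):
    """Two rules sharing one dynamic list:
    - maintenance rule: membership changes of the 'Administrators' group update the list;
    - detection rule: a failed logon by a current list member raises an alert."""
    alerts = []
    for e in events:  # events are assumed to arrive in time order
        if e["kind"] == "group_member_added" and e["group"] == "Administrators":
            admins.add(e["user"])
        elif e["kind"] == "group_member_removed" and e["group"] == "Administrators":
            admins.remove(e["user"])
        elif e["kind"] == "logon_failure" and e["user"] in admins:
            alerts.append({"ts": e["ts"], "user": e["user"], "host": e["host"], "list": admins.name})
    return alerts


# Constructed sample stream (abstract event kinds, not vendor event IDs).
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "logon_failure", "user": "bob", "host": "ws01"},                  # not yet admin: no alert
    {"ts": 2, "kind": "group_member_added", "group": "Administrators", "user": "bob"},
    {"ts": 3, "kind": "logon_failure", "user": "bob", "host": "dc01"},                  # now a member: alert
    {"ts": 4, "kind": "logon_failure", "user": "alice", "host": "dc01"},                # seeded member: alert
    {"ts": 5, "kind": "group_member_removed", "group": "Administrators", "user": "alice"},
    {"ts": 6, "kind": "logon_failure", "user": "alice", "host": "dc01"},                # removed: no alert
    {"ts": 7, "kind": "group_member_added", "group": "Backup Operators", "user": "carol"},
    {"ts": 8, "kind": "logon_failure", "user": "carol", "host": "fs01"},                # other group: no alert
]


def run_demo():
    admins = DynamicList("Administrators", initial={"alice"})
    alerts = process(SAMPLE_EVENTS, admins)
    return alerts, sorted(admins.members)
```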

Page 23: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

A sample scenario for a potential zombie PC:

• If an internal PC makes a DNS query to a potentially malicious domain name (traces from IDS/IPS),

• and, if the same PC tries to access the internet through TCP ports greater than 1024 in the next 24 hours,

• and/or, if the same PC makes internet requests out of hours within the next week (traces from proxy/firewall),

• then open a problem ticket with the helpdesk to re-set up the PC.

Page 24: ANET SureLog International Edition Main Advantages

Correlation – Existing Rules Library

• It is the only software having 500+ existing rules:

• Cisco

• Firewalls

• IDS/IPS

• Connections

• General Applications

• FTP

• DNS

• WEB Server

• Security

• Network Monitor

• Telnet

• URL

• Operating Systems

Page 25: ANET SureLog International Edition Main Advantages

Correlation – Existing Rules Library

• Windows

• User Management

• Group Management

• Machine Management

• Authentication

• Windows Firewall

• Authorization

• Audit Policy

• Software Management

• Access Violation

• File Management

• Risk Management

• Password Management

• Service Management

• Performance Monitoring

• File Replication

• Windows File Protection

• Printer

• System Uptime

• NTDS Defragmentation

• Network

• Hardware Errors

Page 26: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

Authorization:

Capability to create custom users and groups, and user- and group-based authorization for:

• Menus

• Reports

• Dashboards

All of these can be authorized on a user and group basis.

Page 27: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

Page 28: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

• TAG support

SureLog brings a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that define the various characteristics of an event (intrusion, financial, departmental and topological). System users can create their own set of custom tags. Tags can be added to events individually as needed, or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported, and tag statistics displays are included as well.

Page 29: ANET SureLog International Edition Main Advantages

ANET SureLog Main Advantages

• Traffic and security statistics reports

Page 30: ANET SureLog International Edition Main Advantages

Distributed Architecture

Supports master-slave mode installation. Hundreds of thousands of EPS capacity and centralized correlation can be achieved.

Page 31: ANET SureLog International Edition Main Advantages

Hadoop Integration for Big Data

Ready for integration with Apache Hadoop

Page 32: ANET SureLog International Edition Main Advantages

FastTrack Feature

A log solution should not only parse and analyze the logs to fit them into the frameworks, but also correlate the events and reflect them in the reports. ANET SureLog produces result-oriented reports by following the logs that make up a scenario, using the FastTrack feature.

For example:

• Reports of files deleted on a file server: Windows Event IDs 4656, 4658, 4660 and 4663 processed together.

• In the case of someone else's account being hacked, reports of the files deleted, the logons, and the machine performing the deletion: Windows Event IDs 528, 529, 538, 540, 4624, 4625, 4656, 4658, 4660 and 4663 processed together.

Page 33: ANET SureLog International Edition Main Advantages

FastTrack Feature

The FastTrack feature creates new report data from multiple fields of multiple log records, for the purpose of report creation rather than correlation-engine association.

Software without a FastTrack feature tries to create reports from a single log record. For example, for operations on files and folders it uses only Event ID 5145 to create reports such as file tracking and file deletion. But this ignores two things:

1-This Event ID is valid only for shared directories and files.

2-File events are not resolved with a single event; the scenario and the time sequence are required.
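As an added example (not ANET's FastTrack code), the Python below reconstructs a deleted-file report from the four Event IDs the previous slide lists, which is exactly why a single event is not enough. The join key is the Handle ID: 4656 (handle requested) carries the file name and process, 4663 carries the access exercised, 4660 (object deleted) carries only the handle, and 4658 (handle closed) ends the scenario. Field names follow the Windows Security log, but the event dicts are constructed samples.

```python
def deleted_files_report(events):
    """Join Windows object-access events on HandleId to report which file each account deleted.
    4660 (object deleted) names only the handle, so the file name has to come from the 4656
    (handle requested) that opened it; 4663 adds the access exercised; 4658 closes the handle."""
    open_handles = {}   # HandleId -> details from the 4656 that opened the handle
    report = []
    for e in sorted(events, key=lambda e: e["ts"]):
        eid, hid = e["EventID"], e.get("HandleId")
        if eid == 4656:
            open_handles[hid] = {"user": e["SubjectUserName"], "object": e["ObjectName"],
                                 "process": e["ProcessName"], "accesses": set()}
        elif eid == 4663 and hid in open_handles:
            open_handles[hid]["accesses"].add(e["Accesses"])
        elif eid == 4660:
            info = open_handles.get(hid)    # None when the opening 4656 was not collected
            report.append({"user": info["user"] if info else e.get("SubjectUserName"),
                           "file": info["object"] if info else None,
                           "process": info["process"] if info else e.get("ProcessName"),
                           "deleted": e["ts"],
                           "delete_access_seen": bool(info and "DELETE" in info["accesses"])})
        elif eid == 4658:
            open_handles.pop(hid, None)     # handle closed: this scenario is complete
    return report


# Constructed sample events (field names follow the Windows Security log).
SAMPLE_EVENTS = [
    {"ts": 1, "EventID": 4656, "HandleId": "0x1a4", "SubjectUserName": "ertugrul",
     "ObjectName": r"C:\Share\budget.xlsx", "ProcessName": r"C:\Windows\explorer.exe"},
    {"ts": 2, "EventID": 4663, "HandleId": "0x1a4", "Accesses": "DELETE"},
    {"ts": 3, "EventID": 4660, "HandleId": "0x1a4"},
    {"ts": 4, "EventID": 4658, "HandleId": "0x1a4"},
    {"ts": 5, "EventID": 4656, "HandleId": "0x2b0", "SubjectUserName": "alice",
     "ObjectName": r"C:\Share\notes.txt", "ProcessName": r"C:\Windows\notepad.exe"},
    {"ts": 6, "EventID": 4663, "HandleId": "0x2b0", "Accesses": "ReadData"},
    {"ts": 7, "EventID": 4658, "HandleId": "0x2b0"},                               # read and closed, nothing deleted
    {"ts": 8, "EventID": 4660, "HandleId": "0x9ff", "SubjectUserName": "bob"},     # 4656 missing: file unknown
]
```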

Page 34: ANET SureLog International Edition Main Advantages

ANET SureLog SIEM IntelligentResponse Feature

• Mail sending

• Executing script
  o Visual Basic
  o Batch file
  o Perl script
  o Python script

• Executing Java code

• Running application

• Dynamic list update. For example: adding or removing an IP to/from the banned IP list; adding or removing a user to/from the list of those who have made more than three failed login attempts to the same machine within the last week, etc.

Page 35: ANET SureLog International Edition Main Advantages

ANET SureLog SIEM IntelligentResponse Feature

The parameters related to events can be assigned to the email-sending, script or program execution, or dynamic list management module, as shown in the following screen. For example:

• The source of the event

• The destination IP of the event

• Username

• Computer Name

• Process Name

• Software Name