4. SureLog
Next-Generation SIEM
ANET
Advanced Correlation Engine
Observed Rule: This is the most frequently used component; it performs a
criteria match based on the elements of an event that are contained within
it. One or more filters can be within a Match Component. Each Match
Component within a rule may match separate events in order to satisfy
the rule.
Threshold Rule: A count-based rule. It looks for the total count of a
predefined event within a time window. The threshold should be adjusted
based on the use case.
Trend Monitor Rule: By trending any event, SureLog can find deviations
from time to time that may be indications of important security or
performance events.
Statistical Rule: As the label describes, this component uses the
traditional model for standard deviation and applies this deviation to
the filters contained within the component. In addition to traditional
deviation, we have added Percent from Average and Fixed Value from
Average as additional comparison operators. Supported deviation measures:
• Population Standard Deviation
• Sample Standard Deviation
• Variance (Sample Standard)
• Variance (Population Standard)
This provides more flexibility than regular standard deviation. For a quick
primer on standard deviation, see this Wikipedia page:
http://en.wikipedia.org/wiki/Standard_deviation
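As an added example (not SureLog's own code), here is how those comparison operators can be applied to a baseline of event counts; it also covers rule sample 5 later in the deck, traffic on a port exceeding the standard deviation of its history. The operator names, the rule shape and the sample history are assumptions.

```python
"""Added example (not SureLog code): the Statistical Rule comparison
operators described above, run against a constructed history of event
counts.  Operator names, the rule shape and the sample data are assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev, pvariance, stdev, variance

# Constructed baseline: connections per hour on one port over 12 hours.
HISTORY = [120, 131, 118, 125, 140, 122, 119, 128, 133, 121, 127, 124]

# The four dispersion measures the slide lists, keyed by operator name.
SPREAD = {
    "population_stddev": pstdev,
    "sample_stddev": stdev,
    "sample_variance": variance,
    "population_variance": pvariance,
}

@dataclass(frozen=True)
class StatisticalRule:
    operator: str      # a SPREAD key, "percent_from_average" or "fixed_from_average"
    threshold: float   # multiples of the spread, a percentage, or a fixed count

def upper_bound(rule, history):
    """Largest value still considered normal under this rule for this history."""
    avg = mean(history)
    if rule.operator == "percent_from_average":
        return avg * (1 + rule.threshold / 100)
    if rule.operator == "fixed_from_average":
        return avg + rule.threshold
    # Deviation operators: average plus `threshold` units of the chosen spread.
    return avg + rule.threshold * SPREAD[rule.operator](history)

def triggers(rule, history, current):
    """True when the current count exceeds what the rule allows."""
    return current > upper_bound(rule, history)

def scan(rule, history, observations):
    """Check a stream of new counts; each observation joins the baseline after
    it is checked, so the bound adapts as the trend moves. Returns the
    (index, value) pairs that fired the rule."""
    baseline, alerts = list(history), []
    for i, value in enumerate(observations):
        if triggers(rule, baseline, value):
            alerts.append((i, value))
        baseline.append(value)
    return alerts
```

The same observation (150 on a baseline averaging about 126) fires under three standard deviations or 15 percent from average but not under one population variance, which is why the deck offers several operators.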
Value Changed Rule: Matches when a field has two different values within
a time window.
Never Seen Before Rule: Matches when a never-before-seen term appears in
a field.
The new correlation engine also has many new features, such as
Suppression (start time), Expire Time, Timer (periodic running), etc.
The new correlation engine has many new operators, such as Starts With
in List, Regex Search in List, Matches, etc.
Wizard Driven Rule Samples:
1. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to
distinct inside destination IPs, and then a traffic session starts from ANY of the inside (destination) IPs to the
outside IP, send ALL IPs (source, destination) by mail.
2. If 100 packets are blocked within 15 minutes by the UTM/firewall from the same outside source IP to
distinct inside destination IPs, and then a traffic session starts from ALL of the inside (destination) IPs to the
outside IP, send the outside IP by mail.
3. Monitor the processes run weekly by a user and compare the trend with the current week's running process list.
4. Detect the unusual condition where a source has authentication failures at a host that are not followed
by a successful authentication by the same user at the same host within 2 hours.
5. If the traffic on port X exceeds the standard deviation of historic traffic patterns, then trigger an alert (e.g.,
new worm, bot communicating with C&C).
6. If the attack type is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical asset (production server
vs. workstation), then trigger an alert.
7. Detect the scenario where a server stopped but did not start again within an interval of 5 minutes.
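An added example, not SureLog's own code: rule samples 1 and 2 above (blocked packets from one outside IP to distinct inside IPs, followed by a session back to it) as a stand-alone correlation over constructed firewall events. The event layout, the backwards-measured window and all IPs are assumptions.

```python
"""Added example (not SureLog code): rule samples 1 and 2 above as a stand-alone
correlation over constructed firewall events. Fields, window convention and IPs are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str   # "block" (UTM/firewall dropped a packet) or "session" (traffic session started)
    src: str
    dst: str

def correlate(events, min_blocks=100, window=timedelta(minutes=15), require_all=False):
    """Alert when an outside IP had >= min_blocks packets blocked towards two or more
    distinct inside IPs within `window`, and ANY (rule 1) or ALL (rule 2) of those inside
    IPs then opened a session back to it. Assumption: window is measured back from the session."""
    blocks = defaultdict(list)     # outside ip -> [(time, inside ip blocked)]
    callbacks = defaultdict(set)   # outside ip -> inside ips that called back
    alerts, done = [], set()
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "block":
            blocks[ev.src].append((ev.time, ev.dst))
            continue
        outside = ev.dst
        if ev.kind != "session" or outside not in blocks or outside in done:
            continue
        recent = [(t, d) for t, d in blocks[outside] if ev.time - t <= window]
        targets = {d for _, d in recent}
        if len(recent) < min_blocks or len(targets) < 2 or ev.src not in targets:
            continue
        callbacks[outside].add(ev.src)
        if not require_all:                  # rule 1: mail all IPs involved
            alerts.append((outside, tuple(sorted(targets))))
            done.add(outside)
        elif callbacks[outside] >= targets:  # rule 2: mail the outside IP only
            alerts.append((outside, ()))
            done.add(outside)
    return alerts

def build_sample(callback_hosts):
    """Constructed data: one scanner blocked 100 times in about 8 minutes against four
    inside hosts, a harmless noisy outside IP, then sessions from callback_hosts."""
    t0 = datetime(2024, 1, 1, 9, 0)
    scanner, noisy = "203.0.113.7", "198.51.100.9"
    events = [Event(t0 + timedelta(seconds=5 * i), "block", scanner, f"10.0.0.{i % 4 + 1}") for i in range(100)]
    events += [Event(t0 + timedelta(minutes=i), "block", noisy, "10.0.0.1") for i in range(5)]
    events.append(Event(t0 + timedelta(minutes=6), "session", "10.0.0.1", noisy))
    events += [Event(t0 + timedelta(minutes=10 + i), "session", h, scanner) for i, h in enumerate(callback_hosts)]
    return events
```

With one callback host rule 1 reports the outside IP with all four inside IPs, while rule 2 stays silent until every blocked inside host has called back.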
Historical Correlation
Use historical correlation to run past events through the custom
rules engine to identify threats or security incidents that have already
occurred.
By default, a SureLog SIEM deployment analyzes information collected
from log sources in near real time. With historical correlation, you can
correlate by either the start time or the device time. Start time is the
time at which the event was received by SureLog; device time is the time
at which the event occurred on the device.
Risk Calculation
Content Based Risk Calculation
Content Based Risk Calculation: If the log type is critical (e.g., failed login),
the target is a critical asset (production server vs. workstation), and perhaps
the time is suspicious (during lunch), then the risk of this event is significant.
The alarm is triggered without developing an additional correlation rule.
Rule Based Risk Calculation
Alarms can be created from one or more correlation rules. If the attack type
is destructive (e.g., buffer overflow vs. SYN scan) and the target is a critical
asset (production server vs. workstation), then trigger an alert.
Rich Taxonomy
Taxonomy is a mapping of information from heterogeneous sources to a
common classification. A taxonomy aids in pattern recognition and also
improves the scope and stability of correlation rules. When events from
heterogeneous sources are normalized, they can be analyzed by a smaller
number of correlation rules, which reduces deployment and support
labor. In addition, normalized events are easier to work with when
developing reports and dashboards.
Some of the existing 1500+ taxonomy groups in SureLog:
• Reconnaissance->Scan->Host
• TCPTrafficAudit->TCP SYN Flag
• ICMPTrafficAudit
• NamingTrafficAudit
• Malicious->Web->SQL
• Flow->Fragmentation
• httpproxy->TrafficAudit accept
• HTTPDynamicContentAccess
• WebTrafficAudit.Web Content
• HealthStatus.Informational.Traffic.Start
• Malicious.BufferOverflow
• Malicious.Trojan
• PolicyViolation
• Malicious.Web.Attack
Multilayer Data Management
• BIG DATA Architecture
• SureLog uses a custom, extremely fast data execution engine for its
large-scale, real-time data and warehouse reporting. Capacity and
performance are measured in trillions of logs within SureLog, allowing
reporting across thousands of devices simultaneously.
Change Management
SureLog supports change reporting on log data, answering what changed in
the log data over a defined period within a selected time range.
Example: What are the traffic counts for all IPs (Top N IPs) for the last
month, broken down by day?
Advanced User Management
The SureLog SIEM allows for granular and deeply tiered user control.
Permissions can be set with a high level of specificity and nested into
multiple hierarchies. User profiles can be replicated to give administrators
an efficient template method for creating user accounts.
The Open Source SIEM provides basic control of user permissions and a
single, simple user hierarchy; profile templates cannot be used to create
new user accounts.
The following are role based:
• Reports
• Correlation Rules
• Administrative Activities
Drill Down Support
You can organize data in a variety of ways to show the relationship of
the general to the detailed:
You can put all the data in the report but set it to be hidden until a
user clicks to reveal details; you can display the data in a data region,
such as a table or chart, nested inside the report; you can display the
data in a subreport that is completely contained within a main report; or
you can put the detail data in drill-down reports, separate reports that
are displayed when a user clicks a link.
Dashboards & Monitoring
Unlimited user-defined report creation is supported. Dashboard refresh
settings are configurable. One of the new dashboard features: you can
configure dashboards to be displayed periodically, which gives a
slide-show effect.
Intelligent Response
The ANET SureLog SIEM product can handle correlation alerts and actions in
a smart way through its intelligent response system:
• Mail sending
• Executing scripts
  • Visual Basic
  • Batch file
  • Perl script
  • Python script
• Executing Java code
• Running an application
• Dynamic list update. Example: adding or removing an IP in the banned IP
list, or adding or removing a user in the list of those who made more than
three failed login attempts to the same machine within the last week, etc.
Suspend Users: If an account compromise is suspected, halt the user's
account access.
Suspend Network Access: If data exfiltration is occurring, the incident
response team can kill the connection by updating the access control
list used by the corporate firewalls.
Kill Processes: If a team detects unknown or blacklisted processes on
critical devices, Intelligent Response can kill the specific running
program.
Manageable Threat Intelligence
Threat Intelligence is integrated with different global sources; it takes
blacklists from them and works as a warning system using this data.
The SureLog Threat Intelligence module constantly updates its rich feed
sources and enables rapid discovery of events involving communications
with suspicious or malicious IP addresses.
SureLog aggregates information from numerous sources and applies
automated confidence algorithms to produce intelligence and reputation
data: a large library of openly available information lists is
consolidated, classified and automatically analyzed to derive intelligence
and reputation information with a confidence level.
Sources include:
• Botnet Domains
• Botnet URLs
• Malware Domains
• Malware URLs
• Email Phishing
• Phishing Domains
• Phishing URLs
Incident Management
The SureLog Incident Management module helps organizations identify,
analyze, and correct hazards to prevent future recurrence. Incidents are
assigned to specialist security admins. A resolution or workaround should
be established as quickly as possible in order to correct the security breach.
VA Reports
SureLog consolidates and normalizes output from multiple vulnerability
scanners.
SureLog provides analyzed and prioritized vulnerabilities by applying threat
intelligence and full data-enrichment capabilities.
SureLog supports log data from vulnerability scanners such as Nessus, Qualys,
OpenVas, and NMAP.
Rich Normalizer Library
SureLog supports 500+ log types, such as:
Apache HTTP Server
Cisco IOS
Cisco IronPort
Cisco PIX Firewall
Fortinet FortiGate Security Gateway
Juniper Networks Firewall and VPN
Linux iptables Firewall
Linux OS
Microsoft ISA
Microsoft SQL Server
Microsoft Windows OS
Microsoft Windows DHCP&DNS
Microsoft Windows IIS
Nessus
NMAP
OpenVas
Oracle RDBMS OS Audit Record
Qualys
Sophos
SonicWall UTM/Firewall/VPN
Sourcefire Defense Center
Symantec Endpoint Protection
TippingPoint Intrusion Prevention System
Websense
Custom & Extended Parser API
SureLog's simple, XML-based parser API gives developers the power of the
parser engine.
Developers
• can change the output of the normalization engine with the Extended Parser API
• can develop new parsers for unparsed log types with the Custom Parser API
Intuitive Browser Based UI
SureLog's simple and user-friendly interfaces help you find your way
even in complex definitions such as advanced correlation rules or extended
event queries. We made every effort to fulfill the requirements and yet
be simple and fast. A browser-based single UI makes it easy to configure,
control and manage all aspects of the system centrally, including from
mobile devices. SureLog is designed for you to have the best user
experience from a SIEM solution.
TAGS
SureLog adds a very powerful event tagging system, which allows individual
users as well as teams to tag events with an unlimited number of keywords that
may define the various characteristics of an event (intrusion, financial,
departmental and topological).
System users can create their own set of custom tags. Tags can be added to events
individually as needed or through the automated action system as events are
imported and normalized. Searching and reporting by tags is supported, and tag
statistics displays are included as well.