Data Fusion and Log Correlation Tools & Case Studies
1. Fusion and Correlation
Tools & Case-studies
Iran Telecommunication Research Center (ITRC)
Communication Technology Department
Web ranking project
By: Mahdi Sayyad
November, 2017
2. Outline
Who we are
Our Work Process
Applied Research on Fusion
Applied Research on Correlation
Data Fusion Tools
Log/event Correlation Tools
Conclusions
3. Our Team
Mahdi Sayyad
MS in Computer Engineering, CEH, CCNA, ISMS Lead Auditor, Cybersecurity Researcher, Co-Founder of ICSGROUP.
7+ years' experience in InfoSec and cybersecurity analysis
Mohammad H. Bazrafkan
MS in Information Security, CEH, OSCP, Co-Founder of ARTINERTEBAT.
6+ years' experience in InfoSec and cybersecurity analysis
4. Our Research Process
Requirements analysis
• Problem definition
• Required skills
• Scope determination
• Team selection and acquisition
Information gathering and resource selection
• Papers (journals and conferences)
• Books (handbooks and proceedings)
• Theses
• Technical reports
• Workshop presentations
• Main keywords: data fusion / log correlation / web log analytics
Review and study
• Fundamentals and scope definition
• Models and architectures
• Tools and techniques
Feasibility analysis and proposed solutions
• Leveraging tools and techniques for the use case
• Selection and development of the proposed solution
Reporting
• Phase 1
• Phase 2
• Phase 3
23. Oracle Fusion Development: Intro & features
A fundamental approach based on assembled solutions rather than written ones. Solutions are built by assembling services together, transcending disparate technology boundaries in the process. Fusion applications and services are built on Fusion Development, which is very similar to Extreme Programming and iterative development and is heavily influenced by SOA. The focus is on applications that can be quickly built and easily managed.
Features:
o Fusion Development enables rapid application development through composition instead of coding
o The barriers for an enterprise to make changes are lowered
o Rapid application development and changes can incent rapid decision-making
24. Oracle Fusion Development: Architecture and components
Oracle Fusion is composed of two parts:
• Fusion Middleware (FMW): comprises Oracle Application Server and other stack components that Oracle has acquired in the past few years.
o Fusion Middleware products cover areas such as Oracle Business Intelligence (BI), Oracle Identity Manager, Content Manager and Service-Oriented Architecture (SOA)
• Fusion Applications (OFA): the next-generation suite of applications that replaces E-Business Suite. It will assimilate the best features from:
o E-Business Suite
o JD Edwards
o PeopleSoft
o Siebel
Fusion Applications is built on top of the Oracle Fusion Middleware technology stack, using Oracle Fusion Architecture as the blueprint.
27. LogFusion: Intro & features
LogFusion is a powerful real-time log monitoring application designed for system administrators and developers. Use custom highlighting rules, filtering and more. You can even sync your LogFusion settings between computers.
Main Features:
o Supports many log types and lets you create log categories
o Row highlighting, advanced text filtering
o Watched folders
o Custom columns
o Sync highlight rules
o Auto-scroll (like 'tail')
o Scrollbar highlight markings
29. Altamira Corp Lumify: Intro & features
Altamira LUMIFY is an open source big data fusion, analysis and visualization platform that supports the development of actionable intelligence. It includes the following concepts:
• Ontology: structure for organizing information (i.e., your data model)
• Entities: any "thing" you want to represent (e.g., person, place, event)
• Relationships: a link between two entities (e.g., leader-of, works-for, sibling-of)
• Properties: data about an entity (e.g., first name, last name, date of birth)
• Graph: collection of entities and the relationships between them
Main Features:
o Speed and scale
o Open data. Your data. Any data.
o Bring your own analytics
o Browser based
o Collaborate in real time
o Better decisions from your data by visually linking data points
What it can do:
o Search
o Link analysis
o Knowledge building
o Graph visualization
o Multimedia analysis
o Geospatial analysis
31. Altamira Corp Lumify: Price & Licensing
It's free and open source…
32. Lucidworks Fusion: Intro & features
Lucidworks Fusion is the platform for intelligent search and search analytics. Fusion leverages Apache Solr, the open source search engine, and Apache Spark, the open source cluster computing framework, to give you fast, scalable, proven and reliable processing for customized search and analytics over all of your data.
Features:
o Simplified development
o Robust deployment platform
o Enterprise features OOTB
o AI-driven relevance
o Data that is accessed your way
o Data analytics
o Analytics dashboards
38. SolarWinds Log & Event Manager (LEM): Intro & features
Powerful log analysis, true real-time event correlation and advanced IT search.
Main Features:
o Real-time log analysis: in-memory processing
o Event correlation: giving "context" to disparate events from different manufacturers
o Active response: proactively defend your network
o Compliance: PCI, SOX, GLBA, HIPAA, NERC CIP and more
o Correlation rules: over 700 out-of-box network and security monitoring rules, a flexible and powerful rule builder, behavior detection
o Node-based licensing model
o Virtual appliance (.OVA) ready to deploy on VMware ESX and Microsoft Hyper-V
39. SolarWinds Log & Event Manager (LEM): Architecture and Components
• LEM Manager:
o Syslog server
o Database
o Web server
o Correlation engine
• LEM Agent (Windows & Linux)
• LEM Reports Console
41. LogRhythm: Intro & features
The LogRhythm Security Intelligence Platform is a highly configurable, cross-platform log management and security information and event management (SIEM) platform (the company was founded in 2003).
Markets and use cases: as well as large enterprises, it plays well in government agencies, MSSPs and mid-sized businesses.
Metrics: LogRhythm's decentralized architecture is said to make it highly scalable.
Security qualifications: FISMA, GPG13, PCI DSS, HIPAA, NERC CIP, SOX and ISO 27001.
Intelligence: machine analytics to surface advanced threats. Its risk-based priority algorithm applies risk and threat factors to automatically qualify alarms based on the highest risk.
Delivery: can be deployed as an appliance, as software or as a virtual instance.
42. LogRhythm: Intro & features
Agents: LogRhythm can collect all types of Windows event logs with or without the use of an agent. Its agent technology facilitates the aggregation of log data, security events and other machine data. Data Collectors can operate locally or remotely.
Pricing: subscription pricing is tied to volume consumption. Licensing is also based on a daily (rather than hourly) average of messages per second (MPS).
LogRhythm held a consistent processing, analysis and indexing rate of 300,000 messages per second (MPS).
43. LogRhythm: Architecture and Components
• Main components:
o Platform Manager
o Data Collector
o System Monitor Agent
o Network Monitor
o Data Processor
o AI Engine
o Data Indexer
• Scalability and performance at several tiers:
o Collection
o Processing
o Machine analytics
o Persistence
o Search analytics
44. LogRhythm: Price & Licensing
Starting at US $35,000 / UK £27,000, plus 20 percent for annual maintenance.
45. Splunk: Intro & features
It's a powerful software engine that can be used to search, investigate, troubleshoot, monitor, visualize, alert and report on everything that's happening in your entire IT infrastructure, from one location and in real time.
Features:
o Splunk searches the logs of all machines, servers and network devices in your enterprise and presents the available information as results, just like Google
o You don't need to log in to multiple servers and dig through all the logs for a particular event; Splunk does it for you in a smarter way.
o You can even monitor your Twitter feeds, Gmail mailbox etc. using Splunk.
o Splunk does not require any database such as Oracle or MS SQL to store its data. It stores its data in indexes, so there is no additional cost for a DB.
o It's a data mining tool for big data, built to handle large data volumes without affecting performance
o It can work as a monitoring tool, SIEM, reporting tool, analysis tool, root cause analysis tool... and much more
47. Splunk: Price & Licensing
It all depends on the volume that you're indexing daily, i.e. how much log data you are sending to Splunk to process and store.
48. ManageEngine EventLog Analyzer: Intro & features
A web-based tool that provides end-to-end log management, with agent and agentless methods of log collection, custom log parsing, complete log analysis with reports and alerts, a powerful log search engine, and flexible log archiving options.
Features:
o Multiple log format support: correlation is carried out across multiple log formats (real-time event correlation), enabling you to correlate logs from Windows and Unix systems, network devices, and more.
o Enhanced field-level correlation: correlation can be done based on multiple log field values to provide fine-grained attack detection.
o Predefined rules: the module is packaged with 25 predefined complex attack patterns.
o Custom rule builder: the custom correlation rule builder has been upgraded to include over 250 predefined network actions and advanced filters.
  - Check for unique, constant, or shared field values among the actions that make up a rule.
  - Use multiple comparison conditions for fields, namely 'equals', 'not equal to', 'starts with', or 'ends with'.
  - Create rules for individual log types using specific network actions, or rules common to all log types with generic network actions.
o Incident management integration: all correlation alerts can be viewed and managed with the in-built incident management console.
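The field-level correlation described above (and the cross-vendor event correlation LEM advertises on slide 38) can be sketched in code. This is an added example, not code from the slides or from ManageEngine or SolarWinds: a toy rule engine with the four comparison conditions, a shared field that must stay constant across the actions of a rule, and constructed sshd and Windows logon events normalised to one schema so a single generic rule applies to both log types.

```python
import re
from collections import defaultdict

OPS = {"equals": lambda v, x: v == x, "not equal to": lambda v, x: v != x,  # the four
       "starts with": lambda v, x: v.startswith(x), "ends with": lambda v, x: v.endswith(x)}

def parse_sshd(line):  # Linux auth log line -> normalised event (None if not a logon line)
    m = re.search(r"(Failed|Accepted) password for (\S+) from (\S+)", line)
    return {"type": "sshd", "outcome": m[1].lower(), "user": m[2], "src": m[3]} if m else None

def parse_win(line):  # Windows logon event in key=value form -> the same normalised schema
    kv = dict(p.split("=", 1) for p in line.split())
    return {"type": "windows", "outcome": "failed" if kv["EventID"] == "4625" else "accepted",
            "user": kv["User"], "src": kv["Src"]}

def matches(event, conditions):  # every (field, op, value) condition must hold
    return all(f in event and OPS[op](event[f], x) for f, op, x in conditions)

def correlate(events, rule):
    """Group events by the rule's shared fields, then walk each group in order, advancing
    through the rule's actions; events that match no current action are simply skipped."""
    groups = defaultdict(list)
    for ev in filter(None, events):
        key = tuple(ev.get(f) for f in rule["shared"])
        if None not in key:
            groups[key].append(ev)
    alerts = []
    for key, evs in groups.items():
        step, hits, matched = 0, 0, []
        for ev in evs:
            conds, needed = rule["actions"][step]
            if matches(ev, conds):
                matched.append(ev)
                hits += 1
                if hits >= needed:  # this action is satisfied; move to the next one
                    step, hits = step + 1, 0
                    if step == len(rule["actions"]):
                        alerts.append({**dict(zip(rule["shared"], key)), "events": matched})
                        step, matched = 0, []
    return alerts

# Constructed sample stream: two sshd failures, one Windows failure, then an sshd success, all from 10.0.0.5
EVENTS = [parse_sshd("Nov 12 10:01:02 srv1 sshd[41]: Failed password for admin from 10.0.0.5 port 5001"),
          parse_sshd("Nov 12 10:01:05 srv1 sshd[41]: Failed password for admin from 10.0.0.5 port 5002"),
          parse_win("EventID=4625 User=svc_backup Src=10.0.0.5"),
          parse_sshd("Nov 12 10:02:00 srv1 sshd[41]: Failed password for bob from 10.0.0.9 port 6001"),
          parse_sshd("Nov 12 10:02:30 srv1 sshd[41]: Accepted password for admin from 10.0.0.5 port 5004")]

BRUTE_FORCE_THEN_SUCCESS = {"shared": ["src"], "actions": [  # generic rule: 3+ failures then a success, same source
    ([("outcome", "equals", "failed")], 3), ([("outcome", "equals", "accepted")], 1)]}
```

Running `correlate(EVENTS, BRUTE_FORCE_THEN_SUCCESS)` yields one alert for 10.0.0.5 whose events span both log types; the lone failure from 10.0.0.9 never reaches the threshold.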
51. ManageEngine EventLog Analyzer: Price & Licensing
Feature                                                                      | Free Edition | Premium Edition | Distributed Edition
Price                                                                        |              | Starts at $495  | Starts at $1,995
Centralized collection and archival                                          | ✓            | ✓               | ✓
Universal log parsing and indexing                                           | ✗            | ✓               | ✓
File integrity monitoring                                                    | ✗            | ✓               | ✓
Real-time event correlation and alerts                                       | ✗            | ✓               | ✓
Compliance reporting                                                         | ✓            | ✓               | ✓
Log forensics                                                                | ✓            | ✓               | ✓
Scalable architecture                                                        | ✗            | ✗               | ✓
Multi-geographical location monitoring with distributed central collector    | ✗            | ✗               | ✓
Site-specific reports                                                        | ✗            | ✗               | ✓
Rebranding and client-specific views                                         | ✗            | ✗               | ✓
52. LOGalyze: Intro & features
A free, open-source, Java-based log management tool that collects, parses, indexes and stores log data from any device, OS or application.
Features:
o Process log data at a high rate
o Parse any log row with built-in or custom-made log templates
o Ability to analyze custom business application logs
o Browse or search logs with a web-based administration GUI, like Google
o Create multi-dimensional statistics in real time based on individual log fields
o Securely transport log data to other LOGalyze engines or syslog devices
o Compatible with rsyslog, syslog-ng, Lasso and Snare
o Connect remotely via the SOAP API service
o The AHR ticketing system provides a powerful tool for closing your open incidents more quickly.
53. LOGalyze: Architecture and Components
It contains two main components:
• LOGalyze Engine is a standalone log analyzer engine. It runs as a service, collects or receives log data, analyzes it and provides automated reports, synthetic events and alerts.
• LOGalyze Admin is a RIA web interface for managing the Engine, searching log data and displaying reports and alerts.
The Engine offers a SOAP Web Services interface, so any SOAP client can connect to it.
55. ELK Stack: Intro & features
ELK stands for Elasticsearch, Logstash and Kibana. The trio, joined together, gives users the ability to run log analysis on top of open-sourced software that everyone can run for free.
Features:
o Real-time data and real-time analytics
o Scalable, high-availability, multi-tenant
o Full text search
o Document orientation
o Simple to use and DevOps friendly (Elasticsearch REST API)
o Price! Free and open source
56. ELK Stack: Architecture and Components
Main Components:
o Elasticsearch: store
o Logstash: filtering/parsing
o Kibana: visualize
58. Graylog: Intro & features
Graylog (formerly known as Graylog2) is an open source syslog management platform that helps you collect, index and analyze syslog in a centralized location.
Features:
o Collect and parse: parse and enrich logs, wire data and event data from any data source (3rd-party collectors such as Beats, Fluentd and NXLog)
o Analyze and search: search through terabytes of log data to discover and analyze important information. Use the powerful search syntax to find exactly what you are looking for. Save search queries to share them.
o Drill down and visualize: create dashboards to visualize metrics and observe trends in one central location. Use field statistics, quick values and charts from the search results page to dive in for deeper analysis of your data.
o Alert and trigger: trigger actions or get notified when something needs attention, such as failed login attempts, exceptions or performance degradation
o Enterprise ready: extend the functionality of Graylog
o REST API: both configuration settings and log data are available through the Graylog REST API
Graylog has been successful in providing log management software because it was built for log management from the beginning.
59. Graylog: Architecture and Components
Main components:
o Elasticsearch
o MongoDB: stores meta information and configuration data
o Graylog: focused on CPU power
  - Graylog-server
  - Graylog-web-interface
61. Graylog: big environments
A big environment has several Graylog nodes behind a load balancer distributing the processing load. The load balancer can ping the Graylog nodes via HTTP on the Graylog REST API to check if they are alive and take dead nodes out of the cluster.
62. Graylog: Price and licensing
Enterprise Platinum
• Graylog Enterprise for users with data > 200 GB/day
• Contact us for custom pricing
• Graylog Enterprise features for > 200 GB/day: Audit Log, Archiving, Platinum Support
Enterprise Gold
• Graylog Enterprise for users with data up to 200 GB/day
• $9,000 per node/year
• Graylog Enterprise features for up to 200 GB/day: Audit Log, Archiving, Gold Support
Graylog Silver
• Reduce risk with 10 support requests per year on Graylog Open Source.
• $6,000 per node/year
• Open Source features plus: Personalized Engineer Support, Silver Support
Open Source
• Graylog is open source and will always be free to use
• Free Forever
• Open Source features include: LDAP role-based access control, configurable data retention policy, alerting, encrypted communication, API access, custom alerting, online community support
64. Conclusion
Highlighted approaches
• An ontology-based data integration approach for web analytics in e-commerce, 2015
• Web Warehouse – A New Web Information Fusion Tool for Web Mining, 2006
• LEC: Log Event Correlation Architecture Based on Continuous Query, 2009
Fusion tools
• Lumify (stream)
• Lucidworks Fusion (batch)
Log correlation tool
• Splunk