SureLog
Next-Generation SIEM
1. SureLog: Integrated Next Generation SIEM and Log Management
ANET
• Security Information and Event Management
• Advanced Correlation Engine
• Security Operations Center
• Log Management
• Log Forensics
• Threat Intelligence
• Security Reporting
• Real-Time Alerts
• Event Correlation & Analysis
• Compliance Management
• Rich Taxonomy
• Protecting Against Insider Attacks
ANET SureLog delivers next-generation SIEM, log management and intelligent security search in a simple, easy-to-install and cost-effective solution that provides immediate value for security and compliance to organizations of any size.
SureLog has a highly flexible architecture and support for high-volume data throughput rates. Alongside the flexible architecture, SureLog possesses a superior correlation engine. The system lets you define the complex combinations of events that you need to be alerted on by easily creating and customizing correlation rules with a graphical, drag-and-drop rule creator.
SureLog supports 155 brands and 350 devices and categorizes logs into 1513 groups.
Sophisticated threat intelligence management allows SureLog to dynamically collect blacklists and update its database.
• Multi-Functional Security Management Platform
• Integrated Security and Log Management Platform
• Real-time security management across thousands of devices, including applications as diverse as satellite, cryptography and security devices
• Granular control over any type of event definition, with the ability to collect, normalize and integrate data from any device, application or service
2. All-In-One IT Security Management
A superior SIEM and log management platform that seamlessly combines SIEM and Log Management with Host and Network Forensics in a unified Security Intelligence Platform.
SIEM
SureLog is a web-based, agent-less SIEM, log analysis and reporting software. The application monitors, collects, analyzes and archives logs and monitoring parameters from enterprise-wide network perimeter security devices, routers, switches, SNMP devices, VMs, DHCP servers and Linux or Windows systems, and then generates reports. Supported sources include firewalls, proxy servers, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS) and Virtual Private Networks (VPN); mail servers such as MS Exchange, Zimbra and Postfix; distributed Windows and Unix hosts; routers, switches and other syslog devices; and applications such as IIS web server, IIS FTP server, MS SQL Server, Oracle database server, and Windows and Linux DHCP servers. The SureLog application generates graphs and reports that help in analyzing system problems with minimal impact on network performance. Two prominent features of the application are correlation and security reports.
Correlation Engine
The Correlation Engine leverages predefined rules to identify attack patterns and malicious behavior. When trying to penetrate a system, attackers often take advantage of the fact that security controls are rarely working together and are rarely monitored. The Correlation Engine helps to automate that analysis so that attacks can be quickly identified and breaches quickly contained.
Advantages of SureLog Correlation Engine
Below are some advantages of SureLog:
• SureLog is fast: it supports 50,000 EPS with thousands of rules
• SureLog can trace multiple logs of different types within a defined time frame. A sample rule to support this advantage is: detect an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours
• SureLog can correlate different logs (example: a Windows user creation event and a Telnet event) according to related fields. A sample rule to support this advantage is: look for a new account being created followed by immediate authentication activity from that same account. It would detect backdoor account creation followed by the account being used to telnet back into the system
• SureLog can check whether or not a log with the desired parameters is created. A sample rule to support this advantage is: detect an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
• SureLog can audit privileged user activity such as new account creation for greater operational transparency
• SureLog can correlate privileged user behavior with specific network activity. A sample rule to support this advantage is: look for a new account being created followed by immediate authentication activity from that same account. It would detect backdoor account creation followed by the account being used to telnet back into the system
• SureLog’s correlation rule editor is simple to use
• SureLog supports multiple filtering options
• SureLog supports a compression-based correlation feature: SureLog can monitor multiple occurrences of the same event, remove redundancies, and report them as a single event
• SureLog supports threshold-based correlation: SureLog has a threshold to trigger a report when a specified number of similar events occur
• SureLog supports filter-based correlation: SureLog inspects each event to determine if it matches a pattern defined by a regular expression. If a match is found, an action may be triggered as specified in the rule.
• SureLog supports sequence-based correlation: SureLog helps establish causality of events. Events can be correlated based on specific sequential relationships, for example “Event A” being followed by “Event B” to trigger an action.
• Its time-based correlation is useful for correlating events that have specific time-based relationships. Some problems can be determined only through temporal correlation; for example, time-based correlation can be used to implement cleanup rules given a specific interval
• SureLog supports rule suspending: preventing a rule from firing for a defined time period
Simple Correlation Rules
User Authentication
• Alert on 5 or more failed logins in 1 minute on a single user ID
Attacks on the Network
• Alert on 15 or more Firewall Drop/Reject/Deny events from a single IP address in one minute
• Alert on 3 or more IPS alerts from a single IP address in five minutes.
Virus Detection/Removal
• Alert when a single host sees an identifiable piece of malware
• Alert when a single host fails to clean malware within 1 hour of detection.
• Alert when a single host connects to 50 or more unique targets in 1 minute
• Alert when 5 or more hosts on the same subnet trigger the same malware signature (AV or IPS) within a 1 hour interval.
Web Server
• Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server from an external source
Black-listed Applications
• Alert when an unauthorized application (e.g. TeamViewer, LogMeIn, Nmap, Nessus, etc.) is run on any host
Monitored Log Sources
• Alert when a monitored log source has not sent an event in 1 hour
User Activity Reports
• All Active User Accounts (any successful login grouped by account name in the past XX days)
• Active User List by Authentication Type
a) VPN Users
b) Active Directory Users
c) Infrastructure Device Access (Firewalls, Routers, Switches, IPS)
• User Creation, Deletion and Modification (a list of all user accounts created, deleted or modified)
• Access by any Default Account (Guest, Root, Administrator, or other default account usage)
• Password resets by admin accounts in the past 7 days.
Access Reports
• Access to any protected/monitored device by an untrusted network
a) VPN Access to Server Zone
b) Access by a Foreign Network to Server Zone
Malware
• A list of host addresses for any identified malware name
• A count of any given malware (grouped by Anti-Virus Signature) over the past XX days
Email Activity
• Top 10 E-mail subjects
• Top 10 addresses sending email
• Top 10 addresses receiving email
• Top 10 addresses sending email with the largest total size (MB)
• Top 10 addresses receiving email with the largest total size (MB)
Web Content
• Top 10 Destinations by Domain Name
• Top 10 Blocked Destinations by Domain Name
• Top 10 Blocked Sources by IP Address
• Top 10 Blocked Categories
• Total sent and received bytes grouped by IP address
User Account Activity
• Top 10 Failed Logins
Advanced Correlation Rules
• Attack followed by account change
• Scan followed by an attack
• Detect an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours
• Look for a new account being created followed by immediate authentication activity from that same account; this would detect backdoor account creation followed by the account being used to telnet back into the system
• Monitor the same source having excessive logon failures at distinct hosts
• Check whether the source of an attack was previously the destination of an attack (within 15 minutes)
• Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP
• Look for a new account being created, followed shortly by access/authentication failure activity from the same account
• Monitor system access outside of business hours
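The correlation types listed above (threshold, sequence, time-based/absence, compression and rule suspension) and the sample rules (5 failed logins in 1 minute; account creation followed by immediate authentication; failures not followed by a success within 2 hours) are demonstrated below in a small in-memory correlator. This is an added example, not SureLog code, and it runs over a constructed event stream; the event field names, the 5-minute "immediate" window and the 10-minute suspension period are assumptions for the example, while the 5-per-minute and 2-hour values come from the rules on this page.

```python
from collections import defaultdict, deque

# The 5-failures/1-minute and 2-hour values come from the page's rules;
# SEQ_WINDOW and SUSPEND are assumed values chosen for this example.
FAIL_THRESHOLD = 5          # "5 or more failed logins in 1 minute on a single user ID"
FAIL_WINDOW = 60            # seconds
SEQ_WINDOW = 300            # "immediate" authentication after account creation (assumed: 5 min)
ABSENCE_WINDOW = 2 * 3600   # "not followed by a successful authentication ... within 2 hours"
SUSPEND = 600               # rule suspension: no repeat alert for the same rule/key (assumed: 10 min)


class Correlator:
    """Stateful correlation over a time-ordered stream of normalized events."""

    def __init__(self):
        self.fail_times = defaultdict(deque)   # user -> timestamps of recent failures
        self.created = {}                      # account -> creation time
        self.pending_fail = {}                 # (src, host) -> time of first unanswered failure
        self.last_fired = {}                   # (rule, key) -> time of last alert
        self.alerts = []                       # (ts, rule, key, message)

    def _fire(self, ts, rule, key, msg):
        # Rule suspension: the same rule/key does not fire again inside SUSPEND seconds.
        last = self.last_fired.get((rule, key))
        if last is not None and ts - last < SUSPEND:
            return
        self.last_fired[(rule, key)] = ts
        self.alerts.append((ts, rule, key, msg))

    def feed(self, ev):
        ts, cat = ev["ts"], ev["cat"]
        if cat == "auth_failure":
            # Threshold-based correlation: sliding one-minute window of failures per user.
            q = self.fail_times[ev["user"]]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                self._fire(ts, "threshold", ev["user"],
                           f"{len(q)} failed logins within {FAIL_WINDOW}s")
            # Open an absence window; a success from the same src at the same host closes it.
            self.pending_fail.setdefault((ev["src"], ev["host"]), ts)
        elif cat == "auth_success":
            self.pending_fail.pop((ev["src"], ev["host"]), None)
            # Sequence-based correlation: account creation followed by authentication.
            created = self.created.get(ev["user"])
            if created is not None and ts - created <= SEQ_WINDOW:
                self._fire(ts, "sequence", ev["user"],
                           "new account authenticated shortly after creation")
        elif cat == "account_created":
            self.created[ev["user"]] = ts
        self._expire_absence(ts)

    def _expire_absence(self, now):
        # Absence ("not followed by") correlation. A production engine would use a
        # timer; here the clock only advances when an event arrives.
        for key, first in list(self.pending_fail.items()):
            if now - first >= ABSENCE_WINDOW:
                del self.pending_fail[key]
                self._fire(now, "absence", f"{key[0]}->{key[1]}",
                           "auth failures not followed by a success within 2h")


def compress(events):
    """Compression-based correlation: identical (cat, src, dst) events become one event with a count."""
    counts = {}
    for ev in events:
        k = (ev["cat"], ev.get("src"), ev.get("dst"))
        counts[k] = counts.get(k, 0) + 1
    return [{"cat": c, "src": s, "dst": d, "count": n} for (c, s, d), n in counts.items()]


def run(events):
    """Feed events in time order and return the alerts raised."""
    c = Correlator()
    for ev in sorted(events, key=lambda e: e["ts"]):
        c.feed(ev)
    return c.alerts


# Constructed sample stream (ts in seconds; fields already normalized).
SAMPLE = [{"ts": 1000 + 5 * i, "cat": "auth_failure", "user": "alice",
           "src": "10.0.0.5", "host": "srv1"} for i in range(6)]
SAMPLE += [
    {"ts": 2000, "cat": "account_created", "user": "svc_tmp", "src": "10.0.0.9", "host": "dc1"},
    {"ts": 2030, "cat": "auth_success", "user": "svc_tmp", "src": "10.0.0.9", "host": "dc1"},
    {"ts": 8300, "cat": "auth_success", "user": "bob", "src": "10.0.0.7", "host": "srv1"},
]
FW_DROPS = [{"cat": "fw_drop", "src": "203.0.113.9", "dst": "10.0.0.1"}] * 3 + \
           [{"cat": "fw_drop", "src": "203.0.113.9", "dst": "10.0.0.2"}]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
    print(compress(FW_DROPS))
```

On the sample stream the threshold rule fires once on the fifth failure (the sixth is suppressed by rule suspension), the sequence rule fires when the freshly created account logs in 30 seconds later, and the absence rule fires for the source that never authenticated successfully at srv1 once the clock passes the two-hour mark.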
Taxonomy
This is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.
SureLog supports 155 brands and 350 devices and categorizes (taxonomy) logs into 1513 groups, such as:
• Compromised->RemoteControlApp->Response
• HealthStatus->Informational->HighAvailability->LinkStatus->Down
• IPTrafficAudit->IP Too many fragments
• IPSpoofAccess->ICMP CODE Redirect for the Host
• FileTransferTrafficAudit->Authentication Failed
• NamingTrafficAudit
• Session->Start
• ICMP Destination Network is Administratively Prohibited
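To make the taxonomy point concrete, here is an added example (not SureLog's parsers or its 1513-group taxonomy) that normalizes two heterogeneous sources, OpenSSH syslog lines and a flattened key=value rendering of Windows Security events, onto one common classification, so that a single rule written against the taxonomy counts authentication failures from both. The source formats, the `Event` schema and the category names are constructed for this example; the Windows event IDs 4624, 4625 and 4720 are the standard logon-success, logon-failure and user-created IDs.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    taxonomy: str   # common classification shared by all sources
    vendor: str
    host: str = ""
    user: str = ""
    src: str = ""


# Hypothetical parsers for two source formats (constructed here, not SureLog's own).
# 1) OpenSSH authentication lines as received over syslog (timestamp prefix optional).
SSHD_RE = re.compile(
    r"^(?:\w{3} +\d+ [\d:]+ )?(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
# 2) A flattened key=value rendering of Windows Security events (constructed format).
WIN_RE = re.compile(
    r"^EventID=(?P<id>\d+) Computer=(?P<host>\S+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")

# Windows Security event IDs mapped onto the common taxonomy.
WIN_TAXONOMY = {
    "4624": "Authentication->Success",
    "4625": "Authentication->Failure",
    "4720": "AccountManagement->UserCreated",
}


def normalize(line):
    """Map one raw line from either source onto the common Event schema."""
    m = SSHD_RE.match(line)
    if m:
        tax = "Authentication->Success" if m["result"] == "Accepted" else "Authentication->Failure"
        return Event(tax, "openssh", m["host"], m["user"], m["src"])
    m = WIN_RE.match(line)
    if m and m["id"] in WIN_TAXONOMY:
        return Event(WIN_TAXONOMY[m["id"]], "windows-security", m["host"], m["user"], m["src"])
    # Anything unparsed is kept, but classified so that it can be reported on.
    return Event("Unclassified", "unknown")


def failures_by_source(lines):
    """One rule written against the taxonomy: failures per source IP, across both vendors."""
    counts = Counter()
    for ev in map(normalize, lines):
        if ev.taxonomy == "Authentication->Failure":
            counts[ev.src] += 1
    return dict(counts)


# Constructed sample lines from the two sources plus one unparsable line.
SAMPLE_LINES = [
    "Jan 10 09:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Jan 10 09:12:04 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2",
    "Jan 10 09:13:07 web1 sshd[2214]: Accepted password for deploy from 198.51.100.4 port 50022 ssh2",
    "EventID=4625 Computer=DC1 TargetUserName=admin IpAddress=203.0.113.9",
    "EventID=4624 Computer=DC1 TargetUserName=jsmith IpAddress=10.0.0.21",
    "EventID=4720 Computer=DC1 TargetUserName=svc_tmp IpAddress=10.0.0.21",
    "<unparsed vendor line>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
    print(failures_by_source(SAMPLE_LINES))
```

The rule in `failures_by_source` never mentions sshd or event ID 4625; it only sees `Authentication->Failure`, which is what lets a small rule set cover many sources and keeps the rule stable when a new source format is added.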
LOG MANAGEMENT
SureLog’s unique log management feature, being able to collect log data from across an enterprise regardless of its source, present the logs in a uniform and consistent manner, and manage the state, location and efficient access to those logs, is an essential element of any comprehensive Log Management and Log Analysis solution. The SureLog solution was designed to address core log management needs including:
• The ability to collect any type of log data regardless of source
• The ability to collect log data with or without installing an agent on the log source device, system or application.
• The ability to “normalize” any type of log data for more effective reporting and analysis
• The ability to “scale-down” for small deployments and “scale-up” for extremely large environments
• An open architecture allowing direct and secure access to log data via third-party analysis and reporting tools
• A role based security model providing user accountability and access control
• Automated archiving for secure long term retention
• Wizard-based retrieval of any archived logs in seconds
Comprehensive Log Data Collection and Log Management
Cross-platform Log Collection
Today’s IT operations require many technologies: routers, firewalls, switches, file servers and applications, to name a few. SureLog has been designed to collect from them all through intelligent use of agent-less and agent-based techniques.
Windows Event Logs: Agent-less or Agent-based
SureLog can collect all types of Windows Event Logs with or without the use of an agent. Many Windows-based applications write their logs to the Application Event Log or a custom Event Log.
Examples of supported log sources that can be collected by SureLog in real time include:
• Windows System Event Log
• Windows Security Event Log
• Windows Application Event Log
• Microsoft Exchange Server application logs
• Microsoft SQL Server application logs
• Windows based ERP and CRM systems application logs
Syslog
Many log sources, including most network devices (e.g. routers, switches, firewalls), transmit logs via Syslog. SureLog includes an integrated Syslog server for receiving and processing these messages. Simply point any syslog-generating device to SureLog and it will automatically begin collecting and processing those logs.
Flat File Logs
SureLog can collect logs written to any ASCII-based text file. Whether it is a commercial system or a homegrown application, SureLog can collect and manage them.
Examples of supported log sources using this method include:
• Web server logs (e.g. Apache, IIS)
• Linux system logs
• Windows Forefront TMG / UAG and ISA Server logs
• DNS and DHCP server logs
• Host based intrusion detection/prevention systems
• Homegrown application logs
• MS Exchange message tracking logs
Since so much sensitive information resides in databases, it is important to monitor and track access and activity surrounding important databases. The actual and reputational cost of a theft of customer records can be very large. SureLog can help. SureLog collects, analyzes, alerts and reports on logs from Oracle and Microsoft SQL Server. It also captures data from custom audit logs and applications that run on the database. This capability enables customers to use SureLog for real-time database monitoring to guard against insider and outsider threats.
Tagging
SureLog adds a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that define the various characteristics of an event (intrusion, financial, departmental and topological). System users can create their own set of custom tags. Tags can be added to events individually as needed or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported, and tag statistics displays are included as well.
Scalable Log Centralization
SureLog is architected to scale easily and incrementally as your needs grow. Whether you need to collect 10 million or more than 1 billion logs per day, SureLog can handle it. With SureLog you simply deploy the capacity you need when you need it, preserving your initial investment along the way. Deployments can start with a single, turnkey appliance and grow easily by adding incremental log manager appliances as needs expand. With SureLog’s “building blocks” distributed architecture, you can access and analyze logs throughout your deployment with ease.
Log Archiving and Retrieval
Many businesses have compliance requirements to preserve historic log data and be able to provide it in its original form for legal or investigative purposes. Collecting, maintaining and recovering historic log data can be expensive and difficult. Imagine trying to recover logs from a specific server two years ago. Were the logs archived or saved anywhere? If so, where have the logs been stored? What format are they in? Can the correct archived log files be identified among the tens of thousands (or millions) of other archive files in a reasonable period of time? With SureLog, the answers to these questions are easy.
Activity Auditing
For compliance verification, users’ and administrators’ actions within SureLog are logged. SureLog user activity reports provide powerful proof that SureLog is actively used to analyze log data for compliance purposes and not for illegal aims.
3. SureLog Advantages
• Decision speed: integrated analysis technology processes highly complex decision logic in real time, similar to how humans reason.
• Continuous learning: we continuously learn the behavior of your environment by cross-correlating log information, device availability and performance statistics.
• Real-time alerting and historical forensics: many ready-to-use rules detect anomalous behavior and events. Comprehensive search and reporting capabilities simplify compliance reporting.
Customers who have used SURELOG have experienced:
• Improved productivity.
• Higher business operations uptime.
• Lower IT costs.
• Improved business performance.
• Ability to meet Service Level Agreements.
• By correlating customer service level commitments you will have better visibility of required response times.
• Monitoring of applications.
• Monitoring of ecosystem business services, not just devices.
What problems does it solve?
SureLog helps network security administrators and IT managers monitor security events efficiently, with real-time alerting. The SureLog software also generates reports to comply with various regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX) and Payment Card Industry Data Security Standards (PCI), and archives logs for the purpose of network auditing and forensic analysis.
What features does it offer?
Multiple device/vendor support, flexible log archiving, the capability to view traffic trends and usage patterns, multi-level drill down into top hosts, protocols, web sites and more, VPN/Squid Proxy reports, multi-varied reporting capabilities, centralized event log management, compliance reporting, automatic alerting, historical trending, security analysis, host grouping, pre-built event reports, customizable report profiles, report scheduling and multiple report formats. Compliant with Turkish Law 5651, which requires that logs are digitally signed and cannot be changed.
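The archiving and Law 5651 statements above (logs retained in original form, digitally signed, and provably unchanged) rest on a tamper-evident archive. The added example below, which is not SureLog's implementation, shows the mechanism in miniature: each archived batch of raw lines is hashed together with the previous batch's digest (a hash chain, so deletions and reordering are detected) and the digest is authenticated with an HMAC. HMAC stands in for the digital signature here; a real deployment would use an asymmetric signature whose private key is held outside the SIEM (HSM or KMS), so that whoever can read the archive cannot also re-sign it. The key, batch contents and record layout are constructed for this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                                 # digest the first record chains to
ARCHIVE_KEY = b"example-key-not-for-production"    # constructed; keep the real key in an HSM/KMS


def _payload(prev, lines):
    # Canonical encoding so archiver and verifier hash exactly the same bytes.
    return json.dumps({"prev": prev, "lines": lines}, sort_keys=True,
                      separators=(",", ":")).encode()


def archive_batch(lines, prev_digest, key=ARCHIVE_KEY):
    """Seal one batch of raw log lines: chain it to the previous digest and MAC the digest."""
    digest = hashlib.sha256(_payload(prev_digest, lines)).hexdigest()
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"prev": prev_digest, "lines": list(lines), "digest": digest, "sig": sig}


def build_archive(batches, key=ARCHIVE_KEY):
    """Seal consecutive batches into a chain of records."""
    records, prev = [], GENESIS
    for lines in batches:
        rec = archive_batch(lines, prev, key)
        records.append(rec)
        prev = rec["digest"]
    return records


def verify_archive(records, key=ARCHIVE_KEY):
    """Return (True, n) if all n records are intact and in order, else (False, index_of_first_bad)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected_digest = hashlib.sha256(_payload(rec["prev"], rec["lines"])).hexdigest()
        expected_sig = hmac.new(key, rec["digest"].encode(), hashlib.sha256).hexdigest()
        if (rec["prev"] != prev                                        # gap or reordering
                or rec["digest"] != expected_digest                    # lines edited
                or not hmac.compare_digest(rec["sig"], expected_sig)): # digest recomputed without the key
            return False, i
        prev = rec["digest"]
    return True, len(records)


# Constructed sample batches (e.g. one per hour of raw, unnormalized lines).
BATCHES = [
    ["10:00:01 fw1 drop 203.0.113.9 -> 10.0.0.1", "10:00:05 srv1 sshd failed admin"],
    ["11:00:02 dc1 4720 created svc_tmp", "11:00:40 dc1 4624 logon svc_tmp"],
    ["12:00:00 srv1 sshd accepted deploy"],
]


def tamper_demo():
    """Edit one line in the middle batch and show that verification pinpoints that record."""
    records = build_archive(BATCHES)
    records[1]["lines"][0] = "11:00:02 dc1 nothing happened"
    return verify_archive(records)


if __name__ == "__main__":
    print(verify_archive(build_archive(BATCHES)))   # intact chain
    print(tamper_demo())                            # first bad record index
```

Verification reports the index of the first record that fails, which is what an auditor needs: everything before it is still usable as evidence, and the break point bounds the period whose archive can no longer be trusted.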
14. About ANET Software
ANET is a privately held software company incorporated in VA, USA, with branches in Turkey and New Zealand. Our mission is to build a software company that embraces an “open development philosophy” and provides innovative solutions to customer problems in collaboration with customers.
We are a SIEM pioneer with over 250 clients throughout Europe experiencing the ANET difference.
15. The Most Important Priority is Your Satisfaction
Contact Us
Headquarters:
Anet, Inc; PMB# 62 11350 Random Hills Rd
Suite 800 Fairfax, VA 22030
+1 (703) 346-1222
Offices:
74 / 2 Asquith Ave Mt Albert Auckland, New
Zealand
+64021 975 369
Istanbul Technology Development Zone
Sanayi Mah. Teknopark Blvd. No: 1 Pendik
34906, Istanbul, Turkey
+902163540581
E-5 Karayolu Ankara Asfaltaltı, Soğanlık
Sapağı Kartal / Istanbul 34912, Istanbul,
Turkey
+902163540580
info@anetusa.net
www.anetusa.net