
SureLog SIEM


www.anetusa.net

SureLog

International Edition//2016

The Easiest Solution for Next-Generation SIEM


1. SURELOG: INTEGRATED SIEM AND LOG MANAGEMENT  P-3

2. All-in-One IT Security Monitoring  P-4

   SIEM  P-4
   Correlation Engine  P-5
   Advantages of SureLog Correlation Engine  P-5
   Simple Correlation Rules  P-6
   Advanced Correlation Rules  P-7
   Taxonomy  P-8
   LOG MANAGEMENT  P-9
   Comprehensive Log Data Collection and Log Management  P-9
   Cross-platform Log Collection  P-10
   Windows Event Logs: Agent-less or Agent-based  P-10
   Syslog  P-10
   Flat File Logs  P-10
   Tagging  P-11
   Scalable Log Centralization  P-11
   Log Archiving and Retrieval  P-11
   Activity Auditing  P-11

3. SURELOG ADVANTAGES  P-11

   What problems does it solve?  P-12
   What features does it offer?  P-12


Chapter 1

SURELOG: INTEGRATED NEXT-GENERATION SIEM AND LOG MANAGEMENT


1. SureLog: Integrated Next-Generation SIEM and Log Management

Capabilities shown on the overview page:

• Security Information and Event Management
• Advanced Correlation Engine
• Security Operations Center
• Log Management
• Log Forensics
• Threat Intelligence
• Security Reporting
• Real-Time Alerts
• Event Correlation & Analysis
• Compliance Management
• Rich Taxonomy
• Protecting Against Insider Attacks

ANET SureLog delivers next-generation SIEM, log management and intelligent security search in a simple, easy-to-install and cost-effective solution that provides immediate value for security and compliance to organizations of any size.

SureLog has a highly flexible architecture and supports high-volume data throughput rates. In addition to the flexible architecture, SureLog has a superior correlation engine. The system lets you define the complex combinations of events that you need to be alerted on by creating and customizing correlation rules with a graphical, drag-and-drop rule creator.

SureLog supports 155 brands and 350 devices and categorizes logs into 1513 groups.

Sophisticated threat-intelligence management lets SureLog collect blacklists dynamically and keep its database up to date.

• Multi-functional security management platform
• Integrated security and log management platform
• Real-time security management across thousands of devices, including applications as diverse as satellite, cryptography and security devices
• Granular control over any type of event definition, with the ability to collect, normalize and integrate data from any device, application or service


Chapter 2

ALL-IN-ONE IT SECURITY MONITORING


2. All-In-One IT Security Management


A superior SIEM and log management platform that seamlessly combines SIEM and log management with host and network forensics in a unified security intelligence platform.

SIEM

SureLog is web-based SIEM, log analysis and reporting software. It collects most sources without an agent (Windows hosts can be collected with or without one; see Cross-platform Log Collection). The application monitors, collects, analyzes and archives logs and monitoring parameters from enterprise-wide network perimeter security devices, routers, switches, SNMP devices, VMs, DHCP servers and Linux or Windows systems, then generates reports. Supported sources include firewalls, proxy servers, intrusion detection systems (IDS) and intrusion prevention systems (IPS), virtual private networks (VPN), mail servers such as MS Exchange, Zimbra and Postfix, distributed Windows and Unix hosts, routers, switches and other syslog devices, and applications such as IIS web server, IIS FTP server, MS SQL Server, Oracle database server and Windows and Linux DHCP servers. SureLog generates graphs and reports that help in analyzing system problems with minimal impact on network performance. Two prominent features of the application are correlation and security reports.

Correlation Engine

The Correlation Engine uses predefined rules to identify attack patterns and malicious behavior. When trying to penetrate a system, attackers often take advantage of the fact that security controls rarely work together and are rarely monitored. The Correlation Engine automates that analysis so that attacks can be identified quickly and breaches contained quickly.

Advantages of SureLog Correlation Engine

Below are some advantages of SureLog:

• SureLog is fast: it supports 50,000 EPS with thousands of rules.
• SureLog can trace multiple logs of different types within a defined time frame. A sample rule: detect an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.
• SureLog can correlate different logs (for example a Windows user-creation event and a Telnet event) on related fields. A sample rule: look for a new account being created followed by immediate authentication activity from that same account. It would detect a backdoor account being created and then used to telnet back into the system.
• SureLog can detect whether a log with the desired parameters is created or not, i.e. the absence of an expected event. The "authentication failures not followed by a success within 2 hours" rule above is an example.
• SureLog can audit privileged user activity such as new account creation for greater operational transparency.
• SureLog can correlate privileged user behavior with specific network activity. The "new account followed by immediate authentication" rule above is an example.
• SureLog's correlation rule editor is simple to use.
• SureLog supports multiple filtering options.
• SureLog supports compression-based correlation: SureLog can monitor multiple occurrences of the same event, remove the redundancies and report them as a single event.


• SureLog supports threshold-based correlation: a threshold triggers a report when a specified number of similar events occur.
• SureLog supports filter-based correlation: SureLog inspects each event to determine whether it matches a pattern defined by a regular expression. If a match is found, an action may be triggered as specified in the rule.
• SureLog supports sequence-based correlation, which helps establish causality between events. Events can be correlated on specific sequential relationships; for example, "Event A" being followed by "Event B" triggers an action.
• Its time-based correlation is useful for correlating events that have specific temporal relationships. Some problems can be determined only through temporal correlation; for example, time-based correlation can be used to implement clean-up rules for a given interval.
• SureLog supports rule suspending: preventing a rule from firing for a defined time period.

Simple Correlation Rules

User Authentication

• Alert on 5 or more failed logins in 1 minute on a single user ID

Attacks on the Network

• Alert on 15 or more firewall Drop/Reject/Deny events from a single IP address in one minute
• Alert on 3 or more IPS alerts from a single IP address in five minutes

Virus Detection/Removal

• Alert when a single host sees an identifiable piece of malware
• Alert when a single host fails to clean malware within 1 hour of detection
• Alert when a single host connects to 50 or more unique targets in 1 minute
• Alert when 5 or more hosts on the same subnet trigger the same malware signature (AV or IPS) within a 1 hour interval

Web Server

• Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat) are posted to a web server from an external source

Black-listed Applications

• Alert when an unauthorized application (e.g. TeamViewer, LogMeIn, Nmap, Nessus, etc.) is run on any host

Monitored Log Sources

• Alert when a monitored log source has not sent an event in 1 hour

User Activity Reports

• All active user accounts (any successful login, grouped by account name, in the past XX days)
• Active user list by authentication type: a) VPN users; b) Active Directory users; c) infrastructure device access (firewalls, routers, switches, IPS)
• User creation, deletion and modification (a list of all user accounts created, deleted or modified)
• Access by any default account (Guest, root, Administrator or other default account usage)
• Password resets by admin accounts in the past 7 days

Access Reports

• Access to any protected/monitored device from an untrusted network: a) VPN access to the server zone; b) access by a foreign network to the server zone

Malware

• A list of host addresses for any identified malware name
• A count of any given malware (grouped by anti-virus signature) over the past XX days

Email Activity

• Top 10 e-mail subjects
• Top 10 addresses sending e-mail
• Top 10 addresses receiving e-mail
• Top 10 addresses sending e-mail with the largest total size (MB)
• Top 10 addresses receiving e-mail with the largest total size (MB)

Web Content

• Top 10 destinations by domain name
• Top 10 blocked destinations by domain name
• Top 10 blocked sources by IP address
• Top 10 blocked categories
• Total sent and received bytes grouped by IP address

User Account Activity

• Top 10 failed logins

Advanced Correlation Rules

• Attack followed by account change
• Scan followed by an attack
• Detect an unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours
• Look for a new account being created followed by immediate authentication activity from that same account; this detects a backdoor account being created and then used to telnet back into the system
• Monitor the same source having excessive logon failures at distinct hosts
• Check whether the source of an attack was previously the destination of an attack (within 15 minutes)
• Check whether there are 5 events from host firewalls with severity 4 or greater in 10 minutes between the same source and destination IP
• Look for a new account being created, followed shortly by access/authentication failure activity from the same account
• Monitor system access outside of business hours
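The rule types listed under the correlation engine (threshold, sequence, absence of an expected event, compression) and the simple and advanced rules above all reduce to a few primitives. The Python below is an added example, not SureLog code, of a minimal in-memory engine implementing those primitives and running four of the rules from these lists (5 failed logins in 1 minute on one user ID; 50 unique targets from one host in 1 minute; a new account followed by immediate authentication from that account; authentication failures from a source at a host not followed by a success within 2 hours) over a constructed, already-normalized event stream. Event field names, category labels, rule names, the 10-minute compression window and the sample timeline are assumptions of the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Alert:
    rule: str
    key: tuple
    events: int = 1        # events that satisfied the rule
    occurrences: int = 1   # bumped by compression when the same alert repeats inside the window

class ThresholdRule:
    """N events of `category` sharing one `key` value inside `window` s; `distinct` counts unique values instead."""
    def __init__(self, name, category, key, count, window, distinct=None):
        self.name, self.category, self.key, self.count = name, category, key, count
        self.window, self.distinct, self.buckets = window, distinct, defaultdict(deque)

    def feed(self, ev):
        if ev["category"] != self.category or self.key not in ev:
            return None
        q = self.buckets[ev[self.key]]                    # (ts, distinct value) pairs per key value
        q.append((ev["ts"], ev.get(self.distinct) if self.distinct else None))
        while q and q[0][0] <= ev["ts"] - self.window:    # expire events that fell out of the window
            q.popleft()
        n = len({v for _, v in q}) if self.distinct else len(q)
        if n < self.count:
            return None
        q.clear()                                         # one burst -> one alert
        return Alert(self.name, (ev[self.key],), n)

    def advance(self, now):                               # nothing time-driven in a pure threshold
        return []

class FollowRule:
    """Pairs `first` with a later `second` on the `join` fields inside `window` s. present=True fires when
    the pair completes (sequence); present=False fires from advance() once the window expires unpaired (absence)."""
    def __init__(self, name, first, second, join, window, present=True):
        self.name, self.first, self.second, self.join = name, first, second, join
        self.window, self.present, self.pending = window, present, {}     # join tuple -> ts of `first`

    def feed(self, ev):
        j = tuple(ev.get(f) for f in self.join)
        if None in j:
            return None
        if ev["category"] == self.first:
            self.pending.setdefault(j, ev["ts"])          # keep the earliest `first`
        elif ev["category"] == self.second and j in self.pending:
            if ev["ts"] - self.pending.pop(j) <= self.window and self.present:
                return Alert(self.name, j, 2)
        return None

    def advance(self, now):
        due = [j for j, t in self.pending.items() if now - t >= self.window]
        for j in due:
            del self.pending[j]                           # expired: a sequence gives up, an absence fires
        return [] if self.present else [Alert(self.name, j) for j in due]

class Engine:
    def __init__(self, rules, compress_window=600):
        self.rules, self.compress_window, self.alerts, self._last = rules, compress_window, [], {}

    def _emit(self, alert, ts):
        k = (alert.rule, alert.key)
        if k in self._last and ts - self._last[k][0] <= self.compress_window:
            self._last[k][1].occurrences += 1             # compression: same alert again, no new row
        else:
            self.alerts.append(alert)
            self._last[k] = (ts, alert)

    def feed(self, ev):                                   # events must arrive in time order
        for r in self.rules:
            if (a := r.feed(ev)):
                self._emit(a, ev["ts"])
        self.advance(ev["ts"])

    def advance(self, now):                               # the clock ticking is itself an input
        for r in self.rules:
            for a in r.advance(now):
                self._emit(a, now)

def demo_events():
    """Constructed, already-normalized events (ts = seconds); not real logs."""
    def auth(ts, ok, user, ip, host):
        return {"ts": ts, "category": "Authentication -> " + ("Success" if ok else "Failure"),
                "user": user, "src_ip": ip, "host": host}
    ev = [auth(i * 10, False, "bob", "203.0.113.5", "web01") for i in range(10)]   # 10 failures in 90 s
    ev += [{"ts": 100, "category": "Account -> Created", "user": "svc_backup", "host": "dc01"},
           auth(130, True, "svc_backup", "10.0.0.5", "dc01"),                        # new account used at once
           auth(200, False, "alice", "10.0.0.5", "dc01"), auth(260, True, "alice", "10.0.0.5", "dc01")]
    ev += [{"ts": 300 + i, "category": "Session -> Start", "src_ip": "10.0.0.7", "dst_ip": f"10.1.0.{i + 1}"}
           for i in range(50)]                                                      # fan-out to 50 targets
    return ev

def run_demo():
    eng = Engine([
        ThresholdRule("brute-force", "Authentication -> Failure", key="user", count=5, window=60),
        ThresholdRule("fan-out", "Session -> Start", key="src_ip", count=50, window=60, distinct="dst_ip"),
        FollowRule("new-account-used", "Account -> Created", "Authentication -> Success", join=("user",), window=300),
        FollowRule("auth-fail-no-success", "Authentication -> Failure", "Authentication -> Success",
                   join=("src_ip", "host"), window=7200, present=False)])
    for ev in demo_events():        # already in time order
        eng.feed(ev)
    eng.advance(7500)               # two hours pass with no success from 203.0.113.5 at web01
    return eng.alerts
```

The absence rule is the one that needs a clock: nothing in the event stream can say that a success never came, so advance(now) has to be driven by time as well as by events (a log source that has been silent for an hour is the same shape of rule). Without compression the ten failures for bob would produce two alert rows; with it they produce one row with occurrences = 2.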

Taxonomy

This is a mapping of information from heterogeneous sources to a common classification. A taxonomy aids in pattern recognition and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards.


SureLog supports 155 brands and 350 devices and categorizes (taxonomy) logs into 1513 groups, for example:

• Compromised -> Remote Control App -> Response
• Health Status -> Informational -> High Availability -> Link Status -> Down
• IP Traffic Audit -> IP Too many fragments
• IP Spoof Access -> ICMP CODE Redirect for the Host
• File Transfer Traffic Audit -> Authentication Failed
• Naming Traffic Audit
• Session -> Start
• ICMP Destination Network is Administratively Prohibited
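What the taxonomy step does in practice, as an added example in Python (not SureLog's own parsers or category labels): records from three collectors of different shapes, RFC 3164 syslog lines (sshd and a Cisco ASA deny), a Windows Security event already broken into fields, and a web-server access-log line, are normalized into one event schema with a category path, so a single rule written against "Authentication -> Failure" sees sshd and Windows logon failures alike. The regexes, field names, category labels and sample records are constructed for this example; Windows records are assumed to arrive already structured, as from an agent or WMI; 203.0.113.0/24 is a documentation address range.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    source: str                  # collector that produced the record
    category: str                # taxonomy path; labels are this example's own
    host: Optional[str] = None
    user: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    raw: str = ""

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d "
                       r"(?P<host>\S+) (?P<tag>[\w%./-]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
SSHD_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSHD_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
ASA_DENY_RE = re.compile(r"Deny \w+ src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/\d+")
# Combined access-log line: ip - - [date] "METHOD /path HTTP/1.1" status bytes
ACCESS_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
EXEC_EXT = {"cgi", "asp", "aspx", "jar", "php", "exe", "com", "cmd", "sh", "bat"}
# Windows Security log event IDs (the standard Microsoft ones) -> category
WINDOWS_TAXONOMY = {4625: "Authentication -> Failure", 4624: "Authentication -> Success",
                    4720: "Account -> Created", 4726: "Account -> Deleted"}

def decode_pri(pri: int):
    """Syslog PRI = facility * 8 + severity; returns (facility, severity)."""
    return divmod(pri, 8)

def parse_syslog(line: str) -> Optional[Event]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg = m["host"], m["msg"]
    if (f := SSHD_FAIL_RE.search(msg)):
        return Event("syslog", "Authentication -> Failure", host, f["user"], f["ip"], raw=line)
    if (s := SSHD_OK_RE.search(msg)):
        return Event("syslog", "Authentication -> Success", host, s["user"], s["ip"], raw=line)
    if (d := ASA_DENY_RE.search(msg)):
        return Event("syslog", "Firewall -> Deny", host, None, d["src"], d["dst"], raw=line)
    facility, severity = decode_pri(int(m["pri"]))       # known transport, unknown message: keep PRI info
    return Event("syslog", f"Syslog -> Facility {facility} -> Severity {severity}", host, raw=line)

def parse_windows(rec: dict) -> Event:
    """Windows records are assumed to arrive already structured (agent or WMI collection)."""
    cat = WINDOWS_TAXONOMY.get(rec.get("EventID"), "Windows -> Uncategorized")
    return Event("windows", cat, rec.get("Computer"), rec.get("TargetUserName"), rec.get("IpAddress"), raw=str(rec))

def parse_access_log(line: str, host: str) -> Optional[Event]:
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    ext = path.rsplit(".", 1)[-1].lower() if "." in path.rsplit("/", 1)[-1] else ""
    # An access log carries the request path, not the uploaded file name, so "executable posted to
    # the web server" can only be approximated as PUT/POST whose target path has an executable extension.
    cat = "Web -> Executable Upload" if m["method"] in ("POST", "PUT") and ext in EXEC_EXT else "Web -> Request"
    return Event("flatfile", cat, host, src_ip=m["ip"], raw=line)

# Constructed sample records (not real logs).
SAMPLES = [
    ("syslog", "<38>Jun 10 12:00:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2"),
    ("syslog", "<38>Jun 10 12:00:09 web01 sshd[2215]: Accepted publickey for deploy from 10.0.0.12 port 40122 ssh2"),
    ("syslog", '<164>Jun 10 12:00:11 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22 by access-group "outside_in"'),
    ("windows", {"EventID": 4720, "Computer": "DC01", "TargetUserName": "svc_backup", "SubjectUserName": "admin"}),
    ("windows", {"EventID": 4625, "Computer": "DC01", "TargetUserName": "bob", "IpAddress": "203.0.113.5"}),
    ("access", '203.0.113.5 - - [10/Jun/2016:12:00:20 +0000] "POST /uploads/shell.php HTTP/1.1" 200 512'),
    ("access", '10.0.0.12 - - [10/Jun/2016:12:00:21 +0000] "GET /index.html HTTP/1.1" 200 1043'),
]

def normalize(samples=SAMPLES):
    """Run every record through the parser for its collector. Unparseable lines are kept as
    'Unparsed' rather than dropped, so a format change on a device stays visible."""
    out = []
    for kind, rec in samples:
        ev = (parse_syslog(rec) if kind == "syslog" else parse_windows(rec) if kind == "windows"
              else parse_access_log(rec, host="web01"))
        out.append(ev or Event(kind, "Unparsed", raw=str(rec)))
    return out

def category_counts(events):
    counts = {}
    for ev in events:
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts

if __name__ == "__main__":
    for ev in normalize():
        print(f"{ev.source:8} {ev.category:30} user={ev.user} src={ev.src_ip} dst={ev.dst_ip}")
```

Two points a practitioner would check in a real deployment: the count of Unparsed events per source is itself a detection signal (a firmware update that changes a log format silently blinds every rule written against that source), and rules that depend on a field the source cannot supply, such as the uploaded file name above, should be documented as approximations rather than as the control they stand in for.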

LOG MANAGEMENT

SureLog's log management feature: being able to collect log data from across an enterprise regardless of source, present the logs in a uniform and consistent manner, and manage the state, location and efficient access to those logs is an essential element of any comprehensive log management and log analysis solution. The SureLog solution was designed to address core log management needs, including:

• The ability to collect any type of log data regardless of source
• The ability to collect log data with or without installing an agent on the log source device, system or application
• The ability to "normalize" any type of log data for more effective reporting and analysis
• The ability to "scale down" for small deployments and "scale up" for extremely large environments
• An open architecture allowing direct and secure access to log data via third-party analysis and reporting tools
• A role-based security model providing user accountability and access control
• Automated archiving for secure long-term retention
• Wizard-based retrieval of any archived logs in seconds

Comprehensive Log Data Collection and Log Management


Cross-platform Log Collection

Today's IT operations require many technologies: routers, firewalls, switches, file servers and applications, to name a few. SureLog has been designed to collect from them all through intelligent use of agent-less and agent-based techniques.

Windows Event Logs: Agent-less or Agent-based

SureLog can collect all types of Windows Event Logs with or without the use of an agent. Many Windows-based applications write their logs to the Application Event Log or to a custom Event Log. Examples of supported log sources that SureLog can collect in real time include:

• Windows System Event Log
• Windows Security Event Log
• Windows Application Event Log
• Microsoft Exchange Server application logs
• Microsoft SQL Server application logs
• Windows-based ERP and CRM system application logs

Syslog

Many log sources, including most network devices (e.g. routers, switches, firewalls), transmit logs via syslog. SureLog includes an integrated syslog server for receiving and processing these messages. Simply point any syslog-generating device at SureLog and it will automatically begin collecting and processing those logs.

Flat File Logs

SureLog can collect logs written to any ASCII-based text file. Whether it is a commercial system or a homegrown application, SureLog can collect and manage them.

Examples of supported log sources using this method include:

• Web server logs (e.g. Apache, IIS)
• Linux system logs
• Windows Forefront TMG / UAG and ISA Server logs
• DNS and DHCP server logs
• Host-based intrusion detection/prevention systems
• Homegrown application logs
• MS Exchange message tracking logs

Since so much sensitive information resides in databases, it is important to monitor and track access and activity surrounding important databases. The actual and reputational cost of a theft of customer records can be very large. SureLog can help: it collects, analyzes, alerts and reports on logs from Oracle and Microsoft SQL Server. It also captures data from custom audit logs and applications that run on the database. This capability enables customers to use SureLog for real-time database monitoring to guard against insider and outsider threats.

Tagging

SureLog adds a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that define the various characteristics of an event (intrusion, financial, departmental and topological). System users can create their own set of custom tags. Tags can be added to events individually as needed or through the automated action system as events are imported and normalized. Searching and reporting by tags is supported and tag statistics displays are included as well.


Scalable Log Centralization

SureLog is architected to scale easily and incrementally as your needs grow. Whether you need to collect 10 million or more than 1 billion logs per day, SureLog can handle it. With SureLog you simply deploy the capacity you need when you need it, preserving your initial investment along the way. Deployments can start with a single, turnkey appliance and grow easily by adding incremental log manager appliances as needs expand. With SureLog's "building blocks" distributed architecture, you can access and analyze logs throughout your deployment with ease.

Log Archiving and Retrieval

Many businesses have compliance requirements to preserve historic log data and be able to provide it in its original form for legal or investigative purposes. Collecting, maintaining and recovering historic log data can be expensive and difficult. Imagine trying to recover logs from a specific server from two years ago. Were the logs archived or saved anywhere? If so, where have the logs been stored? What format are they in? Can the correct archived log files be identified among the tens of thousands (or millions) of other archive files in a reasonable period of time? With SureLog, the answers to these questions are easy.
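What lets an archive answer those questions with evidence rather than trust, as an added example in Python (not SureLog's archiving code): one compressed chunk per source and day, a manifest that hash-chains each chunk to the previous one, a sealed chain head, and a retrieval that looks the chunk up in the manifest and checks its hash before handing it over. This is also the property the features list refers to when it says archived logs are digitally signed and cannot be changed. The chunk layout, the in-memory store standing in for the archive volume, the HMAC seal (a key assumed to be held off the SIEM host; an asymmetric signature or an RFC 3161 timestamp would let an outside auditor verify without the secret) and the sample log lines are assumptions of the example.

```python
import gzip
import hashlib
import hmac
from datetime import date

def chunk_name(source: str, day: date) -> str:
    return f"{day.isoformat()}/{source}.log.gz"       # one compressed chunk per source per day

class LogArchive:
    """Append-only archive: every chunk is hashed, every manifest entry chains that hash to the previous
    entry, and the chain head is sealed with an HMAC whose key is assumed to live off the SIEM host.
    Editing, deleting or reordering any chunk therefore breaks a later link or the seal."""
    def __init__(self, seal_key: bytes):
        self.seal_key = seal_key
        self.chunks = {}        # name -> gzip bytes; stands in for the archive filesystem
        self.manifest = []      # [{"name", "sha256", "prev", "chain"}]; doubles as the retrieval index
        self.seal = None

    @staticmethod
    def _link(prev: str, digest: str) -> str:
        return hashlib.sha256(f"{prev}{digest}".encode()).hexdigest()

    def add_chunk(self, source: str, day: date, lines) -> str:
        data = gzip.compress("\n".join(lines).encode() + b"\n", mtime=0)   # mtime=0: deterministic bytes
        digest = hashlib.sha256(data).hexdigest()
        prev = self.manifest[-1]["chain"] if self.manifest else "0" * 64
        name = chunk_name(source, day)
        self.chunks[name] = data
        self.manifest.append({"name": name, "sha256": digest, "prev": prev, "chain": self._link(prev, digest)})
        self.seal = hmac.new(self.seal_key, self.manifest[-1]["chain"].encode(), "sha256").hexdigest()
        return name

    def verify(self):
        """Walk the whole chain; returns (ok, reason) naming the first broken link."""
        prev = "0" * 64
        for e in self.manifest:
            data = self.chunks.get(e["name"])
            if data is None:
                return False, f"missing chunk {e['name']}"
            if hashlib.sha256(data).hexdigest() != e["sha256"]:
                return False, f"modified chunk {e['name']}"
            if e["prev"] != prev or e["chain"] != self._link(prev, e["sha256"]):
                return False, f"broken chain at {e['name']}"
            prev = e["chain"]
        expected = hmac.new(self.seal_key, prev.encode(), "sha256").hexdigest()
        if self.seal is None or not hmac.compare_digest(self.seal, expected):
            return False, "seal does not match chain head"      # manifest rewritten without the key
        return True, "ok"

    def retrieve(self, source: str, day: date):
        """Index lookup rather than a scan over every archive file; the chunk's hash is checked
        before its contents reach an investigator."""
        name = chunk_name(source, day)
        entry = next((e for e in self.manifest if e["name"] == name), None)
        if entry is None:
            raise KeyError(name)
        if hashlib.sha256(self.chunks[name]).hexdigest() != entry["sha256"]:
            raise ValueError(f"refusing to return modified chunk {name}")
        return gzip.decompress(self.chunks[name]).decode().splitlines()

SEAL_KEY = b"example-seal-key-held-by-the-audit-team"     # placeholder key, constructed for this example
EDITED = gzip.compress(b"Mar  1 00:00:01 web01 sshd[100]: Accepted publickey for deploy from 10.0.0.12\n", mtime=0)

def build_demo_archive() -> LogArchive:
    """Three chunks of constructed sample lines (not real logs)."""
    arc = LogArchive(SEAL_KEY)
    arc.add_chunk("web01", date(2016, 3, 1), ["Mar  1 00:00:01 web01 sshd[100]: Accepted publickey for deploy from 10.0.0.12",
                                              "Mar  1 03:12:44 web01 sshd[233]: Failed password for root from 203.0.113.5"])
    arc.add_chunk("fw01", date(2016, 3, 1), ["%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.8/22"])
    arc.add_chunk("web01", date(2016, 3, 2), ["Mar  2 00:00:01 web01 sshd[120]: Accepted publickey for deploy from 10.0.0.12"])
    return arc

def tamper_demo() -> dict:
    """What verify() and retrieve() report after three kinds of tampering with the archive."""
    arc = build_demo_archive()
    results = {"clean": arc.verify(), "retrieved": arc.retrieve("fw01", date(2016, 3, 1))}
    arc = build_demo_archive()                              # 1. rewrite a chunk to erase the root failure
    arc.chunks["2016-03-01/web01.log.gz"] = EDITED
    results["edited"] = arc.verify()
    try:
        arc.retrieve("web01", date(2016, 3, 1))
        results["retrieve_refused"] = False
    except ValueError:
        results["retrieve_refused"] = True
    arc = build_demo_archive()                              # 2. delete one day's chunk and its manifest entry
    del arc.chunks[arc.manifest.pop(1)["name"]]
    results["deleted"] = arc.verify()
    arc = build_demo_archive()                              # 3. edit a chunk and rebuild the manifest hashes
    arc.chunks["2016-03-01/web01.log.gz"] = EDITED          #    without the seal key: only the seal catches it
    prev = "0" * 64
    for e in arc.manifest:
        e["sha256"] = hashlib.sha256(arc.chunks[e["name"]]).hexdigest()
        e["prev"], e["chain"] = prev, LogArchive._link(prev, e["sha256"])
        prev = e["chain"]
    results["rehashed"] = arc.verify()
    return results
```

The third case is the one that decides whether the archive is evidence: an administrator who can write to the archive volume can also rewrite the manifest, so the hashes alone only prove consistency, not history. Only the seal, computed with a key that the archive host does not hold, ties the chain head to the moment it was sealed, which is why the key (or the signing certificate, or the timestamping authority) belongs with the audit function rather than on the SIEM.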

Activity Auditing

For compliance verification, users' and administrators' actions within SureLog are logged. SureLog user activity reports provide proof that SureLog is actively used to analyze log data for compliance purposes and not for illegal aims.


Chapter 3

SURELOG ADVANTAGES


3. SureLog Advantages


• Decision speed: integrated analysis technology processes highly complex decision logic in real time, similar to how humans reason.
• Continuous learning: we continuously learn the behavior of your environment by cross-correlating log information, device availability and performance statistics.
• Real-time alerting and historical forensics: many ready-to-use rules detect anomalous behavior and events. Comprehensive search and reporting capabilities simplify compliance reporting.

Customers who have used SureLog have experienced:

• Improved productivity
• Higher business operations uptime
• Lower IT costs
• Improved business performance
• Ability to meet Service Level Agreements
• By correlating customer service-level commitments you will have better visibility of required response times
• Monitoring of applications
• Monitoring of ecosystem business services, not just devices

What problems does it solve?

SureLog helps network security administrators and IT managers monitor security events efficiently with real-time alerting. SureLog also generates reports to comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act (SOX) and Payment Card Industry Data Security Standard (PCI DSS), and archives logs for network auditing and forensic analysis.

What features does it offer?

Multiple device/vendor support, flexible log archiving, the capability to view traffic trends and usage patterns, multi-level drill-down into top hosts, protocols, websites and more, VPN/Squid proxy reports, varied reporting capabilities, centralized event log management, compliance reporting, automatic alerting, historical trending, security analysis, host grouping, pre-built event reports, customizable report profiles, report scheduling and multiple report formats. Compliant with Turkish Law 5651: archived logs are digitally signed so that they cannot be changed without detection.


About ANET Software

ANET is a privately held software company incorporated in VA, USA, with branches in Turkey and New Zealand. Our mission is to build a software company that embraces an "open development philosophy" and provides innovative solutions to customer problems in collaboration with customers.

We are a SIEM pioneer with over 250 clients throughout Europe experiencing the ANET difference.


The Most Important Priority is Your Satisfaction

Contact Us

Headquarters:

Anet, Inc; PMB# 62 11350 Random Hills Rd Suite 800 Fairfax, VA 22030

+1 (703) 346-1222

Offices:

74 / 2 Asquith Ave Mt Albert Auckland, New Zealand

+64021 975 369

Istanbul Technology Development Zone Sanayi Mah. Teknopark Blvd. No: 1 Pendik 34906, Istanbul, Turkey

+902163540581

E-5 Karayolu Ankara Asfaltaltı, Soğanlık Sapağı Kartal / Istanbul 34912, Istanbul, Turkey

+902163540580

[email protected]

www.anetusa.net