ANET SureLog SIEM IntelligentResponse


ANET SureLog SIEM IntelligentResponse Feature

Correlation systems consist of two parts:

1. Detection
2. Response

The response part is divided into two sub-parts: alarming and taking action.

The ANET SureLog SIEM product, developed by ANET Software, has many advantages on the detection side compared to its rivals [1,2,3,4].

The following cases, and similar ones, can be detected with the detection module:

Warn if an internal PC makes a DNS query for a potentially malicious domain name and, within 24 hours, the same PC tries to reach the Internet over TCP ports greater than 1024, and/or the same PC makes Internet requests outside business hours within a week.

Warn about UDP traffic to destination port 67 (DHCP), from inside to outside or from outside to inside, whose destination IP is not in the list of registered DHCP servers.

Warn if the same user logs into a Linux server, afterwards logs into a Windows server, and any service on either of these two servers is stopped.

Detect the unusual condition where a source has authentication failures at a host that are not followed by a successful authentication at the same host within 2 hours.

Warn once if more than 100 packets from the same source IP are blocked by the UTM/firewall device within one minute, and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an e-mail is sent for every one of those warnings, you inflict a denial of service on yourself.)

Warn about the source IP that causes unusual UDP traffic.

Warn if network traffic occurs from or to a source in the IP reputation list.


Warn if network traffic occurs from or to a source in the "malicious links" list published by the National Cyber Response to Events (NCRE) Center.
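The cases above are instances of three standard correlation patterns, each needing a different kind of state: a positive sequence inside a time window (suspicious DNS query, then a high-port TCP connection from the same host within 24 hours), a threshold with alert suppression (more than 100 blocked packets from one source in a minute, one alert, then silence for an hour), and an absence rule (authentication failures at a host with no success at that host within 2 hours, which can only fire when a deadline passes). The Python below is an added example written for this page; it is not SureLog code and not its Java rule API. The event dictionaries, the suspicious-domain list, the host names and addresses and every timestamp are constructed here. The DNS rule implements only the high-port branch of the case, not the out-of-hours branch.

```python
"""Stateful correlation over a constructed event stream (added example, not
SureLog code). Event dicts, the suspicious-domain list and all timestamps
are made up for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_DOMAINS = {"evil.example"}  # assumed threat-intel list
MINUTE, HOUR = timedelta(minutes=1), timedelta(hours=1)


class Correlator:
    def __init__(self):
        self.dns_hit = {}                 # host -> time of last suspicious DNS query
        self.blocks = defaultdict(deque)  # src_ip -> block timestamps in the last minute
        self.quiet_until = {}             # src_ip -> end of alert suppression
        self.first_fail = {}              # (src, host) -> time of first unanswered failure
        self.alerts = []

    def feed(self, ev):
        t, kind = ev["time"], ev["type"]
        if kind == "dns" and ev["query"] in SUSPICIOUS_DOMAINS:
            self.dns_hit[ev["host"]] = t
        elif kind == "conn" and ev["proto"] == "tcp" and ev["dport"] > 1024:
            # positive sequence: suspicious DNS, then high-port TCP within 24 h
            hit = self.dns_hit.get(ev["host"])
            if hit is not None and t - hit <= 24 * HOUR:
                self.alerts.append(("dns_then_highport", ev["host"]))
                del self.dns_hit[ev["host"]]  # one alert per DNS hit
        elif kind == "fw_block":
            # threshold with suppression: > 100 blocks per minute, alert once per hour
            ip, q = ev["src"], self.blocks[ev["src"]]
            q.append(t)
            while t - q[0] > MINUTE:      # drop blocks older than the sliding minute
                q.popleft()
            if len(q) > 100 and t >= self.quiet_until.get(ip, datetime.min):
                self.alerts.append(("flood_blocked", ip))
                self.quiet_until[ip] = t + HOUR
        elif kind == "auth":
            # absence rule: remember the first failure; a later success cancels it
            key = (ev["src"], ev["host"])
            if ev["result"] == "fail":
                self.first_fail.setdefault(key, t)
            else:
                self.first_fail.pop(key, None)
        self.expire(t)

    def expire(self, now):
        """Raise absence alerts whose 2-hour deadline has passed. Driven here by the
        clock of incoming events; a production engine would also run a timer."""
        for key, first in list(self.first_fail.items()):
            if now - first > 2 * HOUR:
                self.alerts.append(("fail_without_success", key))
                del self.first_fail[key]


def constructed_events():
    """Constructed sample stream: one DNS-then-highport chain, one answered and one
    unanswered failure pair, and three block bursts of 150 packets in 30 seconds."""
    t0 = datetime(2024, 1, 1, 9, 0)
    ev = [
        {"time": t0, "type": "dns", "host": "pc-17", "query": "evil.example"},
        {"time": t0 + 3 * HOUR, "type": "conn", "host": "pc-17", "proto": "tcp", "dport": 4444},
        {"time": t0 + 10 * MINUTE, "type": "auth", "src": "10.0.0.5", "host": "srv-db", "result": "fail"},
        {"time": t0 + 12 * MINUTE, "type": "auth", "src": "10.0.0.5", "host": "srv-db", "result": "fail"},
        {"time": t0 + 10 * MINUTE, "type": "auth", "src": "10.0.0.6", "host": "srv-web", "result": "fail"},
        {"time": t0 + 20 * MINUTE, "type": "auth", "src": "10.0.0.6", "host": "srv-web", "result": "ok"},
    ]
    # bursts at t0 (alert), 30 min later (suppressed) and 2 h later (alert again)
    for start in (t0, t0 + 30 * MINUTE, t0 + 2 * HOUR):
        ev += [{"time": start + i * timedelta(milliseconds=200), "type": "fw_block",
                "src": "203.0.113.9"} for i in range(150)]
    return sorted(ev, key=lambda e: e["time"])


def run_demo():
    c = Correlator()
    for ev in constructed_events():
        c.feed(ev)
    return c.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The stream yields four alerts: two flood alerts for 203.0.113.9 (the middle burst is swallowed by the one-hour suppression, which is the point of the "warn once" wording), one DNS-then-high-port alert for pc-17, and one absence alert for 10.0.0.5 against srv-db; srv-web produces nothing because the success cancelled the pending failure.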

After the detection module has done its job, the alarm and the actions are as important as the detection itself. The ANET SureLog SIEM product handles these alerts and actions in a smart way through its Intelligent Response system. The power of this module, called Intelligent Response, in fact comes from the power of the correlation engine. Although SureLog's correlation engine is built on fully visual wizards with drag and drop, the rules created in the visual wizards are converted to Java [5] code in the background and run as a program thread. In this way, users who know Java can create correlation rules by writing Java code with the expert-mode feature, which SureLog alone offers, so that any kind of logic can be run without limit, either from the visual wizards or from Java code.

The system is also able to produce SureLog correlation rule files from the generated Java code.

Sample Java code is shown in Appendix 1.

When the detection module detects an event, the response module can:

- Send e-mail
- Execute a script:
  o Visual Basic
  o Batch file
  o Perl script
  o Python script
- Execute Java code
- Run an application
- Update a dynamic list, for example adding or removing an IP address in a forbidden IP address list:
  o dynamically updating this list with sources that have made more than 3 failed logon attempts in the last week, or
  o adding a benign IP or URL that triggered an alarm to a whitelist so that false positives are not generated in the future

It performs one or more of the actions listed above. This is another advantage of the ANET SureLog correlation module. One or more of these responses can be defined using the following screen.

As seen in the following screen, attributes or parameters can be passed to the mail-sending, script-execution or dynamic-list-management module. For example:

- Event source
- Event destination IP
- Username
- ComputerName
- ProcessName
- Software name
- …….


One or more parameters (source IP, username, etc.) can be added to the response defined in the Add Alert screen of the Intelligent Response module shown above. In this way the attacked machine can be shut down with the necessary scripts, a previously defined list can be updated or a new list defined (these lists are then used automatically by the other rules, including newly added ones), or any other requested process can be carried out.

Defining and updating dynamic lists is a SureLog feature that no other product provides. It gives the detection module great flexibility and a wide range of uses. For example: warn if a user in the Administrator group makes a failed logon attempt. Here the Administrator group is kept up to date dynamically by other rules; for instance, when a user is added to the Admin group, the Administrator user list is updated.
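The response side described above, as an added example written for this page (not SureLog code; the event fields, list names and log lines are all constructed): response actions write to dynamic lists and other rules read them back on the next event. Failed logons feed a forbidden-IP list that a traffic rule consults, directory group-change events keep an admin list current for the admin-failure rule, and an analyst's whitelist decision suppresses a confirmed false positive. The one-week window for failed logons is a sliding window, so a failure older than seven days is not counted.

```python
"""Dynamic lists as response actions and as rule inputs (added example, not
SureLog code). Event fields, list names and the sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WEEK = timedelta(days=7)
ADMIN_GROUPS = {"administrators", "admin"}  # assumed group names


class ResponseEngine:
    def __init__(self):
        # dynamic lists: written by responses, read by other rules on later events
        self.forbidden_ips = set()
        self.admins = {"administrator"}   # assumed initial membership
        self.whitelist = set()
        self.failed = defaultdict(deque)  # src_ip -> logon-failure times in the last week
        self.alerts = []

    def alert(self, rule, subject):
        if subject in self.whitelist:      # response: whitelisted subjects stay silent
            return
        self.alerts.append((rule, subject))

    def feed(self, ev):
        t, kind = ev["time"], ev["type"]
        if kind == "logon" and ev["result"] == "fail":
            q = self.failed[ev["src"]]
            q.append(t)
            while t - q[0] > WEEK:         # keep only the last 7 days
                q.popleft()
            if len(q) > 3:
                self.forbidden_ips.add(ev["src"])     # response: update dynamic list
            if ev["user"].lower() in self.admins:     # rule reading the admin list
                self.alert("admin_logon_failure", ev["user"])
        elif kind == "group_change" and ev["group"].lower() in ADMIN_GROUPS:
            # response: keep the admin list in step with directory changes
            user = ev["user"].lower()
            if ev["action"] == "add":
                self.admins.add(user)
            else:
                self.admins.discard(user)
        elif kind == "conn" and ev["src"] in self.forbidden_ips:
            self.alert("traffic_from_forbidden_ip", ev["src"])   # rule reading the list

    def mark_benign(self, subject):
        """Analyst response to a false positive: whitelist the subject."""
        self.whitelist.add(subject)


def run_demo():
    """Constructed sample events; returns (alerts, forbidden IPs, admin list)."""
    t0 = datetime(2024, 1, 1, 9, 0)
    m = timedelta(minutes=1)
    eng = ResponseEngine()
    events = [
        # an 8-day-old failure falls outside the sliding week and must not count
        {"time": t0 - 8 * timedelta(days=1), "type": "logon", "result": "fail", "user": "bob", "src": "198.51.100.7"},
        {"time": t0, "type": "group_change", "action": "add", "group": "Administrators", "user": "jdoe"},
        {"time": t0 + 1 * m, "type": "logon", "result": "fail", "user": "jdoe", "src": "10.0.0.9"},
        {"time": t0 + 2 * m, "type": "logon", "result": "fail", "user": "bob", "src": "198.51.100.7"},
        {"time": t0 + 3 * m, "type": "logon", "result": "fail", "user": "bob", "src": "198.51.100.7"},
        {"time": t0 + 4 * m, "type": "logon", "result": "fail", "user": "bob", "src": "198.51.100.7"},
        {"time": t0 + 5 * m, "type": "conn", "src": "198.51.100.7"},   # only 3 recent failures: not listed yet
        {"time": t0 + 6 * m, "type": "logon", "result": "fail", "user": "bob", "src": "198.51.100.7"},
        {"time": t0 + 7 * m, "type": "conn", "src": "198.51.100.7"},   # 4th failure: now forbidden, alert
        {"time": t0 + 8 * m, "type": "group_change", "action": "remove", "group": "Administrators", "user": "jdoe"},
        {"time": t0 + 9 * m, "type": "logon", "result": "fail", "user": "jdoe", "src": "10.0.0.9"},  # no longer admin
    ]
    for ev in events:
        eng.feed(ev)
    eng.mark_benign("198.51.100.7")          # analyst confirms the source is benign
    eng.feed({"time": t0 + 10 * m, "type": "conn", "src": "198.51.100.7"})  # suppressed
    return eng.alerts, eng.forbidden_ips, eng.admins


if __name__ == "__main__":
    alerts, forbidden, admins = run_demo()
    print(alerts, forbidden, admins)
```

Two alerts result: the failed logon by jdoe while jdoe was in the admin list, and the connection from 198.51.100.7 after its fourth failure inside the week. The later connection from the same address is silent once the analyst has whitelisted it, and the final jdoe failure is silent because the group-removal event had already updated the list.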

References:

1. http://www.slideshare.net/anetertugrul/surelog-international-edition
2. http://www.slideshare.net/anetertugrul/gerek-siem-nedir-olmazsa-olmazlar-ve-gerek-siem-rn-ile-gvenlik-analiz-senaryolar
3. http://www.slideshare.net/anetertugrul/log-korelasyon-siem-kural-ornekleri-ve-korelasyon-motoru-performans-verileri
4. http://www.slideshare.net/anetertugrul/log-yonetimi-ve-siemkontrol-listesi
5. https://www.java.com/tr/