Transcript Net Report Presentation

Net Report Presentation
Version 5
2009
© Net Report 2009. All rights reserved.
Agenda
• Company Overview
• Product Overview
• Key Features
•
•
•
•
Log Centralisation & Archival
Dashboard Generation & Reporting
Event Correlation & Alerting
Forensic Analysis & Data Manipulation
• Summary
July 17, 2015
© Net Report 2009. All rights reserved.
2
Company Overview
July 17, 2015
© Net Report 2009. All rights reserved.
About Net Report
• Created in 2002 following the buy-out of the
Business Intelligence product DataSet which
was created in 1985.
• 2007 Sales Turnover 1.5 M USD.
• Private and Employee Shareholders.
• Over 200 Large Account Clients.
• Over 15 MSSP Centres.
• Present in over 20 countries.
July 17, 2015
© Net Report 2009. All rights reserved.
4
Net Report: SIEM Solution
• End-to-end Log Lifecycle Management
Comprehensive cover for all your Business needs:
• Log centralization and archival.
• Dashboard generation and reporting.
• Event correlation and alerting.
• Forensic analysis and data manipulation.
• Veritable Business Intelligence Solution
• Transform your raw security event data into real Business
Intelligence Knowledge.
• Regulatory Compliance
• Ensure compliance with International Directives, such as
Sarbanes-Oxley, Basel II and the LSF.
July 17, 2015
© Net Report 2009. All rights reserved.
5
Key Questions
• What’s going on in your network?
• Are your employees using your IT-infrastructure
for business or personal purposes?
• Is your IT-infrastructure tailored to your needs?
• Does your security policy match the reality of
the network?
• Do you comply with International Regulations
such as Sarbanes-Oxley, Basel II and LSF?
July 17, 2015
© Net Report 2009. All rights reserved.
7
Key Functional Needs
• On-demand reporting on critical information
on disparate devices: Firewall/BPN, IDS/IPS,
Proxy, Mail Server, Anti-Virus Gateway and
Web Server.
• Reduce the cost of managing heterogeneous
network euipment via a single console and an
automated process.
• Ensure appropriate resource andnetwork use
by employees.
• Optimize system and network resource use.
• Easily investigate events.
• Create your own reports.
July 17, 2015
© Net Report 2009. All rights reserved.
8
Product Overview
July 17, 2015
© Net Report 2009. All rights reserved.
Four Products
A packaged solution for log analysis, reporting and customisable
dashboards.
A real-time security event management platform, including a raw
Data Storage and Archival Module, a Correlation and Alerting
Console and Net Report Log Analyser.
Analyse huge volumes of data from any angle on multiple data
sources, create ad hoc queries and customisable reports with your
company’s look & feel.
Easy to deploy and administer Net Report Appliance Models 1 & 2
offer configuration flexibility in a 2U chassis for organizations that
require space-conscious internal storage capacity.
July 17, 2015
© Net Report 2009. All rights reserved.
10
Architecture
Enhance Data
LDAP, ADS, SQL, RDNS
Appliance
Correlate
OLAP
Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
11
Data Architecture
Log (Raw format)
Data stored for 7-15 days
Every event is available
Write enriched
contextual flat file,
copy of database information
(CSV)
Generate flat file to
prepare legal archival
(XML-Syslog trace)
Daily Aggregation
Data stored for 62-93 days
Counts each event per day
Monthly Aggregation
Data stored for 6 months
to 7 years
Counts each event per month
CSV
Temporary Storage Zone
(2 days)
July 17, 2015
© Net Report 2009. All rights reserved.
Long-term Archival Zone
(6 months to several years)
12
Products Supported
July 17, 2015
© Net Report 2009. All rights reserved.
13
Key Features
July 17, 2015
© Net Report 2009. All rights reserved.
Complete Solution
Business Intelligence
& Compliance
July 17, 2015
© Net Report 2009. All rights reserved.
15
Centralisation & Archival
July 17, 2015
© Net Report 2009. All rights reserved.
16
Log Centralisation & Archival
• Centralizes all your Data
• All data is centralized in a database for dashboard generation and
forensic investigation.
• Log Formats Archived
• Net Report archives all your log files in the following formats: Syslog,
Flat File and proprietary API formats.
• Legal Value
• Log data is archived in its native format to ensure its credibility when
used as evidence before a court.
• Integrity Checks, Encryption & Compression
• Log data can be compressed (zipped) and encrypted on a daily
basis (files named by device type and/or date).
July 17, 2015
© Net Report 2009. All rights reserved.
17
Archival Architecture
July 17, 2015
© Net Report 2009. All rights reserved.
18
Dashboards & Reporting
July 17, 2015
© Net Report 2009. All rights reserved.
19
Dashboards
• Consolidated Dashboards
• Net Report interprets and presents your log data statistics
in easy-to-read,
Dashboards.
systematically
categorized,
graphical
• Dashboard publication
• Dashboards are generated and scheduled according to
the Parameters you entered in the Net Report Web Portal.
• Drill-Down
• Scheduled aggregation and purge features enable Net
Report to reduce the size of your database volume by 25.
Intuitive drill-down to the information you need.
• Chronologically Interlinked Files
• Dynamic Previous and Next arrows enable you to navigate
between reports from different days, months and years.
July 17, 2015
© Net Report 2009. All rights reserved.
20
Our Dashboards
*
*
Default
Categories
* *
* Available in 2008
July 17, 2015
© Net Report 2009. All rights reserved.
21
UTM Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
22
Firewall Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
23
IDS / IPS Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
24
Content Filtering Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
25
Web Traffic Statistics Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
26
Mail Server Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
27
Proxy Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
28
Microsoft WMI Dashboards
July 17, 2015
© Net Report 2009. All rights reserved.
29
Alerting & Correlation
July 17, 2015
© Net Report 2009. All rights reserved.
30
Alerting & Correlation
• Easier Decision Making
• We correlate events from a wide range of network devices to
provide faster decision making and greater enterprise security.
Objective
• Automate Alerting
Only raise alerts and events
• By defining the appropriate
(keys),
you hopedpatterns
you’d never
see!thresholds, rules and
actions.
• Reduce Aministration Costs
• Thanks to automated security event management, you improve
your team’s availability and efficiency.
• Real-Time Analysis
• Net Report mines and analyses huge volumes of data and
correlates alerts coming from different devices.
July 17, 2015
© Net Report 2009. All rights reserved.
31
Alerting Administration
• Alert Summary
• Displays alerts that are either to be acknowledged or in progress. Alerts can
easily be managed by clicking the In Progress or To be Acknowledged icons
in the Status column.
• Information
• Displays Information type alerts.
• Resolved
• Displays the alerts that have been treated and resolved.
• Search
• Displays all the alerts, clicking any of the icons or hyperlinks enables you to
filter and group alerts. For example, filter events through an IP Address.
July 17, 2015
© Net Report 2009. All rights reserved.
32
Correlation Scenario Examples (1)
• For IPS/IDS Devices
• A vulnerability assessment based on the CVE code sent by the IDS or IPS on the
alert and the reality of the vulnerability on the target (integration of information
coming from vulnerability scanners in the vulnerability base IP;CVE;RESULT,
alerting on the real vulnerabilities.
• IPS blocked IP addresses are memorized for correlation with firewalls (placed
after the former) accepting traffic from the attacker, alerting that the attacker has
penetrated the internal network.
• Other IPS alarms are sent as “information” by the console for aggregation/classic
correlation.
• For Firewall/Router type devices with an Access List
• Firewall security policy control via the control of authorized ports in a
database/dictionary, including the following information: DEVICE;PORT;STATUS
alerts if the security policy is violated.
• Repeated blocked actions from identical IP addresses are controlled,
“Information” alerts are sent when thresholds are breached over a certain period
of time (for example, 10 times in 10 minutes).
July 17, 2015
© Net Report 2009. All rights reserved.
33
Correlation Scenario Examples (2)
• For Anti Virus / Anti Spam / Anti(x) Devices
• An Alert is sent as soon as an outbound virus is identified
• An Information alert is sent for outbound spam on the 10th spam from the
same user in the last 10 minutes.
• An Alert is sent for an inbound virus gauged on a threshold based on the
average number* of monthly viruses (*=please contact me for more
information concerning all the possible calculations) received during five
minutes.
• An Information alert is sent for an inbound virus gauged on a threshold based
on the average number* of daily viruses received during five minutes.
• For E-mail, E-mail Server Devices:
• An Alert is sent for outbound e-mail messages sending more than 500 e-mail
messages over five minutes (except for mailing lists which are excluded from
this alert category).
• For Authentication Systems:
• An Information alert is sent for repeated authentication failures (several alert
levels, brute force controls).
July 17, 2015
© Net Report 2009. All rights reserved.
34
Correlation Scenario Examples (3)
• For QOS / Load Balancing Systems
• An Alert is sent for repeated and lasting node failures (it is important to pay
attention to possible duplicates with network monitoring systems such as
nagios, HPOV…).
• For Proxy Systems
• Suspicious or excessive web use (for example 30 sites in 30 minutes).
• Proxy bypassing, direction internet connection (via a Firewall).
• For Windows, Domain Controller, File Servers:
• Permissions/Groups modification which violates the normal security policy (for
example, users changing their own privileges).
• A user tries to modify their privileges in order to join a new user group and
succeeds in doing so.
• Brute force attack, with one success (10 attempts and 1 success).
• A non-authorized user (according to the security policy) succeeds in deleting
files in specific directories on a server
July 17, 2015
© Net Report 2009. All rights reserved.
35
Forensic Analysis & Data Manipulation
July 17, 2015
© Net Report 2009. All rights reserved.
36
Forensic Analysis
• Multi-Device/Multi-Source
• Traceability Report
Date
Origin
Action
Source IP
Destination IP
Source Area
Destination Area
Rule / Attack
/ Results
• Net Report Tool Kit
• Flexible and powerful database query
tool
• Cubes – Dynamic Cross Tables
• OLAP Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
37
Proxy Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
38
Proxy Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
39
OLAP IPS Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
40
WMI Cubes
July 17, 2015
© Net Report 2009. All rights reserved.
41
Net Report Tool Kit (1)
July 17, 2015
© Net Report 2009. All rights reserved.
42
Net Report Tool Kit (2)
• Flexible Database Query Tool
• Net Report Tool Kit enables you to:
• Create new reports.
• Modify existing reports.
• Create Inter-Device reports.
•Customize reports to tailor them to your Enterprise’s look & feel.
• Create new cubes.
July 17, 2015
© Net Report 2009. All rights reserved.
43
Net Report Appliance Models 1 & 2
• Objective
• Reduce the complexity of managing security log data for
both large and smal enterprises.
• Advantages
• Easy to deploy and administer Net Report Appliance Models
1 & 2 offer configuration flexibility in a 2U chassis for
organizations that require space-conscious internal storage
capacity.
• Flexibility
• Net Report Appliance Models 1 & 2 incorporate the latest
version of Net Report Monitoring Center and add quick
installation options for increased deployment and
configuration flexibility.
• Powerful
• Net Report Appliances allow companies to analyse
thousands of events per second to several dozens of millions
of events per day.
July 17, 2015
© Net Report 2009. All rights reserved.
44
• Net Report Appliance Model 1
•
•
•
•
•
•
•
Rack 2U, 1 Quad Core Processor 2.33 Ghtz
4 GB RAM
3 Disks 15 K rpm with 146 GB in RAID 5 (292 GB usable )
Redundant Power Supply
Windows 2003 Server + SQL Server 2005 OEM Licenses
On-site Maintenance for 1-3 years
Net Report Appliance Monitoring License.
• Net Report Appliance Model 2
•
•
•
•
•
•
•
Rack 2U, 2 Quad Core Processors 2,33 Ghtz
4 GB RAM
3 Disks 15 K rpm with 300 GB in RAID 5 (600 GB)
Redundant Power Supply
Windows 2003 Server + SQL Server 2005 OEM Licenses
On-site Maintenance for 1-3 years
Net Report Appliance Monitoring License.
July 17, 2015
© Net Report 2009. All rights reserved.
45
Summary
© Net Report 2009. All rights reserved.
A Unique Solution
Net Report is a unique solution which offers you:
• A complete and integrated solution.
• Regulatory Compliance for security log management controls.
• Powerful top flight reporting.
• Easy investigation via OLAP Cubes.
• Real-time correlation and incident management.
Reasonable purchase prices
and small operational cost
July 17, 2015
© Net Report 2009. All rights reserved.
47