2. CryptoSIM
Executive’s Brief
IT threats against organizations are increasing day by day. They may take the
form of worms, viruses, Trojans, phishing and similar attacks launched by
internal or external attackers, and they can cause fatal events for a company,
such as the theft of its secrets. Firewalls and intrusion prevention systems
cannot prevent every sophisticated worm or rootkit from being planted on an
in-house computer: an employee's PC can easily be infected with malware from an
infected web site or social network application.
Nowadays Trojans, worms and viruses are programmed for specific firms, and
access credentials can be gathered through phishing and social engineering
attacks. Such threats have left systems vulnerable to attacks that ordinary IDS
systems cannot prevent. Malicious code developed specifically for a company
cannot be detected by signature-based anti-virus systems. Attack structures are
constantly updated and growing more complex. Furthermore, attacks on business
applications are harder to identify for the firewalls and detection systems
that make up the perimeter protection. Recent security violations, especially
those involving cellular phones, have shown that every mobile device, server,
client, notebook or other smart device is prone to security vulnerabilities.
As threats become more sophisticated and mobile devices are exposed to attacks,
signature-based detection systems fail to detect them. As information security
increasingly turns into a chaotic field, the logs of all systems, servers,
mobile devices and business applications should be gathered, analyzed,
correlated, classified, and examined for anomalies. Billions of such records
cannot be inspected by human staff; automated systems are required to perform
the analysis and find the correlations, using correlation directives that
serve as the artificial intelligence. Systems known as SIEM can perform such
analysis and correlation. CryptoSIM is an integrated Security Information and
Event Management system that provides unique correlation and analysis through
its correlation directives. CryptoSIM proactively captures log data, makes it
possible to analyze and diagnose threats and anomalies, and notifies the
operator of potential threats.
Beyond security analysis and alerts, IT teams can use CryptoSIM to meet
security management needs as well as legal compliance mandates; they can test
their current compliance level using the compliance template reports available
in CryptoSIM. CryptoSIM provides thorough analysis of event data and plenty of
reporting templates over audit records, ensuring first-hand analysis for both
existing security units and supervisors.
Normalization
Normalization assigns a universal data structure to the collected data: the
equivalent fields of different log formats are mapped onto the same schema and
each log is then parsed into it. This makes comparison and correlation between
events possible within a unified schema, and it is deployed in a plug-in
structure.
Categorization
Categorization is a method used to classify the logs. Events are translated
into a taxonomy based on their category and sub-category.
Unification
Unification is the simplification of recurring events into a single event.
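Normalization, categorization and unification together, as an added example that is not CryptoLOG's own code: two constructed log formats (a firewall key=value line and an sshd syslog line) are each parsed by one regex "plug-in" onto a single schema, given a category and sub-category, and recurring events are collapsed into one event carrying a count. The schema field names, the taxonomy labels and the sample lines are this example's assumptions.

```python
import re
from collections import OrderedDict
from typing import List, Optional

# Constructed sample lines in two vendor formats (not real product output).
RAW_LOGS = [
    "2024-03-01T10:00:01 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22",
    "Mar  1 10:00:02 srv01 sshd[2211]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "2024-03-01T10:00:03 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22",
    "Mar  1 10:00:04 srv01 sshd[2211]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "2024-03-01T10:00:05 fw01 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=443",
]

# Unified schema (assumed): every normalized event carries exactly these fields, whichever plug-in parsed it.
SCHEMA = ("ts", "source", "src_ip", "dst_ip", "dst_port", "user", "action", "category", "subcategory")

# One regex "plug-in" per log format.
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def normalize(line: str) -> Optional[dict]:
    """Map a raw line onto the unified schema and assign its taxonomy category/sub-category."""
    m = FW_RE.match(line)
    if m:
        ev = {"ts": m["ts"], "source": m["host"], "src_ip": m["src"], "dst_ip": m["dst"],
              "dst_port": int(m["dport"]), "user": None, "action": m["action"].lower()}
        ev["category"], ev["subcategory"] = "network", ("blocked" if m["action"] == "DENY" else "allowed")
    else:
        m = SSH_RE.match(line)
        if not m:
            return None            # no plug-in matched: the line goes to an unparsed bucket
        ev = {"ts": m["ts"], "source": m["host"], "src_ip": m["src"], "dst_ip": m["host"],
              "dst_port": 22, "user": m["user"], "action": "fail"}
        ev["category"], ev["subcategory"] = "authentication", "failed_login"
    assert tuple(ev) == SCHEMA    # guard: every plug-in must emit the full schema, in order
    return ev

def unify(events: List[dict]) -> List[dict]:
    """Collapse recurring events (same fields except time) into one event carrying a count."""
    key_fields = tuple(f for f in SCHEMA if f != "ts")
    merged = OrderedDict()
    for ev in events:
        key = tuple(ev[f] for f in key_fields)
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_ts"] = ev["ts"]
        else:
            merged[key] = dict(ev, count=1, first_ts=ev["ts"], last_ts=ev["ts"])
    return list(merged.values())

def process(lines: List[str]) -> List[dict]:
    """Normalize every line a plug-in understands, then unify the result."""
    return unify([ev for ev in map(normalize, lines) if ev is not None])

if __name__ == "__main__":
    for ev in process(RAW_LOGS):
        print(ev["category"], ev["subcategory"], ev["src_ip"], "x", ev["count"])
```

The five raw lines become three unified events: two repeated firewall denies from 10.0.0.5, two repeated failed root logins from the same address, and one allowed connection. The schema guard in `normalize` is the point of normalization: a correlation rule written against `src_ip` works for both sources only because every plug-in is forced to emit the same fields.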
Event Correlation
Correlation is the process of representing the relations between incident
records from multiple sources, where correlation rules define the relation
patterns among disparate events. In other words, it gives an all-encompassing
view of how various events relate, for the inspection of security behaviour.
The CryptoSIM correlation engine supports the following real-time correlation
types:
Simple correlation examines the logs of a single source. Five failed
connection attempts to a server within one minute fall under this category.
Logical correlation is implemented by the correlation directives using logical
tree structures. This kind of structure is also known as an AND/OR tree and is
generally used in artificial intelligence systems. When a condition node
matches, the correlation engine proceeds to its sub-nodes, and as the engine
advances through matching conditions the reliability of the correlation
changes accordingly: the more evidence is obtained that an attack is going on,
the higher the probability of the alarm. For example, if an attack detected by
the detection system has passed through the firewall, and a request is then
received from the concerned server without two-directional traffic, the system
reports this as 'the attacked server is influenced'. Here the logs of more than
one system were received and examined and all node conditions were met, so the
reliability probability is high.
Contextual correlation takes asset value and asset type into account. If the
asset value is high, the risk value will be high and the necessary alarms will
be produced; if the asset value is low (for example on test systems), the risk
value will be low and the response will differ. The asset type is considered
as well: for instance, when the attack detection system perceives an attack
that concerns Windows servers but the attacked system is Linux, the priority
value decreases.
Cross correlation brings in additional data: the logs of security
vulnerabilities and the logs of attack detection systems are correlated, and
the priority value is determined accordingly.
Retrospective correlation: while CryptoSIM correlates in server memory in real
time, it can also apply correlation rules to old logs to investigate whether
the same patterns occurred in the past.
Hierarchical correlation: CryptoSIM can send correlated records to a superior
correlation engine for further inspection. Records kept by the first
correlation engine can be re-correlated in the next engine according to
distinct rules, which makes N-level relation extraction possible.
Risk Evaluation
CryptoSIM calculates security risk values from an event's asset value, priority
value and reliability value.
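To make the correlation types and the risk inputs concrete, here is an added example that is not CryptoSIM's engine or its directive language: a simple sliding-window burst check (five failures in one minute), an AND/OR directive tree whose reliability grows as more node conditions match, a contextual priority adjustment when the IDS signature's operating system does not match the asset, and a risk value combining asset value, priority and reliability. The event schema, the asset inventory, the reliability weights and the risk formula are assumptions; the page names the three risk inputs but not how they are combined.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Normalized event (field names are this example's assumption, not CryptoSIM's schema).
@dataclass
class Event:
    ts: datetime
    source: str                      # "ids", "fw", "server"
    kind: str                        # "alert", "allow", "request", "reply", "auth_fail"
    src_ip: str
    dst_ip: str
    target_os: Optional[str] = None  # IDS alerts: OS the signature applies to

# Constructed asset inventory: value 1..5 and operating system, keyed by IP.
ASSETS: Dict[str, dict] = {
    "192.168.1.10": {"value": 5, "os": "linux"},    # production server
    "192.168.1.99": {"value": 1, "os": "windows"},  # test box
}

def burst(events: List[Event], kind: str, n: int, window: timedelta) -> bool:
    """Simple correlation: n events of `kind` from one src_ip inside a sliding window."""
    recent: Dict[str, List[datetime]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != kind:
            continue
        stamps = recent.setdefault(e.src_ip, [])
        stamps.append(e.ts)
        while e.ts - stamps[0] > window:      # drop timestamps that fell out of the window
            stamps.pop(0)
        if len(stamps) >= n:
            return True
    return False

@dataclass
class Node:
    """One condition of an AND/OR directive tree; reliability is the evidence it adds."""
    name: str
    cond: Callable[[List[Event]], bool]
    reliability: int
    op: str = "AND"                           # how the children combine
    children: List["Node"] = field(default_factory=list)

def evaluate(node: Node, events: List[Event]) -> int:
    """Reliability accumulated along matched nodes; 0 when the node itself does not match."""
    if not node.cond(events):
        return 0
    score = node.reliability
    matched = [s for s in (evaluate(c, events) for c in node.children) if s > 0]
    if node.op == "AND" and len(matched) == len(node.children):
        score += sum(matched)                 # every sub-condition met: full evidence
    elif node.op == "OR" and matched:
        score += max(matched)                 # best-supported alternative branch
    return score                              # AND with unmet children: partial evidence only

def has(events: List[Event], **match) -> bool:
    """True if some event has every given field equal to the given value."""
    return any(all(getattr(e, k) == v for k, v in match.items()) for e in events)

def attacked_server_directive(attacker: str, server: str) -> Node:
    """The page's example: IDS alert passed the firewall, then one-way traffic from the server."""
    return Node("ids alert on server", lambda ev: has(ev, source="ids", kind="alert", src_ip=attacker, dst_ip=server), 2, children=[
        Node("firewall let it through", lambda ev: has(ev, source="fw", kind="allow", src_ip=attacker, dst_ip=server), 3),
        Node("request from server, no reply", lambda ev: has(ev, source="server", kind="request", src_ip=server, dst_ip=attacker)
             and not has(ev, kind="reply", src_ip=attacker, dst_ip=server), 5),
    ])

def priority(events: List[Event], server: str, base: int = 3) -> int:
    """Contextual correlation: drop priority when the IDS signature's OS does not match the asset."""
    asset_os = ASSETS.get(server, {}).get("os")
    for e in events:
        if e.source == "ids" and e.dst_ip == server and e.target_os and asset_os and e.target_os != asset_os:
            return max(1, base - 2)
    return base

def risk(asset_value: int, prio: int, reliability: int) -> float:
    """Assumed formula (the page names the three inputs, not the arithmetic): scaled product."""
    return round(asset_value * prio * reliability / 25, 1)

def assess(attacker: str, server: str, events: List[Event]) -> dict:
    """Run the directive, the contextual adjustment and the risk calculation for one pair."""
    rel = evaluate(attacked_server_directive(attacker, server), events)
    prio = priority(events, server)
    value = ASSETS.get(server, {"value": 1})["value"]
    return {"reliability": rel, "priority": prio, "asset_value": value, "risk": risk(value, prio, rel)}

# Constructed scenario: logs from three systems, all directive conditions met on the production server.
T0 = datetime(2024, 3, 1, 10, 0, 0)
SAMPLE = [
    Event(T0, "ids", "alert", "10.0.0.5", "192.168.1.10", target_os="linux"),
    Event(T0 + timedelta(seconds=1), "fw", "allow", "10.0.0.5", "192.168.1.10"),
    Event(T0 + timedelta(seconds=30), "server", "request", "192.168.1.10", "10.0.0.5"),
]

if __name__ == "__main__":
    print(assess("10.0.0.5", "192.168.1.10", SAMPLE))      # full evidence on a high-value asset
    print(assess("10.0.0.5", "192.168.1.10", SAMPLE[:1]))  # IDS alert alone: low reliability
```

With all three systems' logs present the directive reaches reliability 10 and, on the value-5 production server, a risk of 6.0; the IDS alert alone yields reliability 2 and risk 1.2, and the same full evidence against the Windows test box drops to priority 1 and risk 0.4, which is the contextual behaviour the text describes.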
3. Incident Management
CryptoSIM also provides an incident management system that makes it possible
to take controlling actions against security incidents.
CryptoLOG
Dashboard
The CryptoLOG Dashboard screen shows all logs collected and processed by the
system according to their categories. Processor, memory and disk performance
can be monitored together with the real-time EPS (events per second). The
distribution of log sources is shown on a monthly, weekly and daily basis as
total record counts in charts and graphs on the dashboard screen, so the
overall activity of the network is depicted on one interface, which simplifies
monitoring and the detection of unusual activity. The CryptoLOG dashboard has
drill-down controls that give supervisors immediate access to the detailed
information behind the statistics of graphs and events. Automatic rotation
between statistical charts and alarm screens can be set up by defining the
desired number of Special Indicators. This screen can be displayed on a
projector or LCD panel to show hundreds of charts at the requested intervals.
Log Collection and Advanced Plug-in Structure
CryptoLOG can collect logs through several methods. The most common are OPSEC,
Syslog, agent, socket, SNMP, ODBC, OLE DB, native DB, WMI, remote registry,
share, samba, ftp, sftp and ssh. CryptoLOG offers unique log processing
capacity with its advanced plug-in structure. The plug-in infrastructure uses
regex or CryptoLOG pattern-processing functions, and both methods allow
additional plug-ins to be written either with wizards or as direct plug-in
steps. Plug-in code can also be written and added on top of these methods:
CryptoLOG includes C# and VB code execution engines by default, so the desired
code can be embedded in a plug-in.
CryptoLOG ships with over 300 ready-made plug-ins; the user decides which
plug-in to use via the flexible, powerful plug-in interface. Alarm fields and
messages can be defined on the plug-ins: when a log is processed, it produces
the alarm specified by the system user, independent of the template or field
that matched. Up-to-date plug-ins can be fetched automatically with a client
from the web repository.
Statistical Reports
In addition to statistical data, several kinds of reports on the statistics of
collected logs are available on the system. These reports can be produced by
query, either in real time or scheduled for times specified by the user.
These reports are not static and can be customized for their application.
Reports can be produced over the desired fields of the logs and exported to
PDF, EXCEL, WORD and CSV formats. Furthermore, statistical information about
fields can be obtained through plug-ins. As logs are collected, CryptoLOG
keeps counters for their fields, and reports over these counters can be
obtained immediately on the user's request, whereas without real-time
calculation producing such reports would normally take hours. This rapid
access to reports, which takes just a few seconds even on large systems with
billions of records, is one of the unique advantages of CryptoLOG.
Immediate Statistical Reports
The Immediate Statistics module can be run over a desired time interval and
makes analysis possible over any desired field, independent of the statistical
counters defined on the plug-in.
Traditional Reports
The reports menu of CryptoLOG offers over 300 ready-made report templates.
Reports are produced according to the desired parameters by selecting the
proper template. Scheduled reports can be taken from the system for
time-dependent applications, and these reports can be sent to a specific
person via e-mail on request. Report templates are easily prepared using the
report preparation wizards and, if desired, a regular expression (RegEx) can be
specified for each log field in the advanced reporting section.
Compliance reports can be produced from the GLBA, SOX, HIPAA, FISMA and PCI
templates. All kinds of templates can be issued, and firms can create their own
compliance templates in accordance with their own policies.
4. Forensic Analysis
CryptoLOG provides advanced querying for forensic inspection. More than one
query can be run at a time. Queries are made over the processed and parsed log
lines; the original logs are shown in the query results on request, and the
results can be exported to PDF, EXCEL, WORD and CSV format.
High Availability
CryptoLOG operates on an active-passive basis with its clustering
infrastructure and thereby provides high availability. It can also operate on
an active-active basis, which allows load sharing between systems.
Non-Repudiation and 5651:
As part of its built-in non-repudiation infrastructure, CryptoLOG hashes the
logs it processes, timestamps them and signs them with a digital signature.
This is done every second. On request, when log files are closed or at the end
of the day, they are stamped using the timestamp service of UEKAE. CryptoLOG
allows the hash and signature algorithms to be selected through its parametric
infrastructure. RSA (1024 bit) or DSA are used by default as signature
algorithms, and the hashing algorithm can be chosen from MD5, SHA1, SHA256 and
SHA512. Each log line can be signed on request.
CryptoLOG also supports external data transfer for legal regulations. By
selecting External Data Transfer for Legal Query in the Forensic Analysis
section, the original log files, the digital signature files with hash and
timestamp information, and the certificates can be transferred to external
storage.
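An added example, not CryptoLOG's implementation, of the per-interval hashing, timestamping and signing described above and of the verification a legal query later needs: each line is hashed, the hashes are chained into one batch digest that is timestamped and signed, and verification re-derives everything from the lines themselves so it can report which line changed. It assumes SHA-256 (MD5 and SHA-1 are no longer collision resistant and RSA-1024 is below current key-size recommendations, so a practitioner would choose the stronger options the product offers) and uses an HMAC with a constructed key in place of an RSA/DSA signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime
from typing import Dict, List

# Stand-in for the signing key: the product signs with RSA or DSA; this example uses HMAC-SHA256
# so it runs with the standard library only (assumption, not the product's scheme).
SIGNING_KEY = b"constructed-demo-key-not-for-production"

HASH_ALGOS = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}

def line_hashes(lines: List[str], algo: str) -> List[str]:
    """One hash per log line, with the selectable algorithm."""
    return [HASH_ALGOS[algo](line.encode("utf-8")).hexdigest() for line in lines]

def batch_digest(hashes: List[str], algo: str) -> str:
    """Chain the per-line hashes into one digest so that order and membership are both fixed."""
    h = HASH_ALGOS[algo]()
    for x in hashes:
        h.update(x.encode("ascii"))
    return h.hexdigest()

def seal_batch(lines: List[str], sealed_at: datetime, algo: str = "sha256") -> Dict[str, object]:
    """Hash the lines of one interval, timestamp the digest and sign the (digest, timestamp, count)."""
    hashes = line_hashes(lines, algo)
    payload = json.dumps({"algo": algo, "count": len(lines), "digest": batch_digest(hashes, algo),
                          "timestamp": sealed_at.replace(microsecond=0).isoformat()}, sort_keys=True)
    signature = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "line_hashes": hashes, "signature": signature}

def verify_batch(lines: List[str], seal: Dict[str, object]) -> Dict[str, object]:
    """Re-derive everything from the lines themselves and report exactly what no longer matches."""
    expected_sig = hmac.new(SIGNING_KEY, seal["payload"].encode(), hashlib.sha256).hexdigest()
    signature_ok = hmac.compare_digest(expected_sig, seal["signature"])
    meta = json.loads(seal["payload"])
    recomputed = line_hashes(lines, meta["algo"])
    stored = seal["line_hashes"]
    tampered = [i for i, h in enumerate(recomputed) if i >= len(stored) or h != stored[i]]
    return {
        "signature_ok": signature_ok,                                      # seal itself untouched
        "digest_ok": batch_digest(recomputed, meta["algo"]) == meta["digest"],  # content untouched
        "count_ok": len(lines) == meta["count"],                          # nothing dropped or appended
        "tampered_lines": tampered,                                        # which lines differ
        "sealed_at": meta["timestamp"],
    }

# Constructed log lines for one one-second interval.
LINES = [
    "2024-03-01T10:00:01 fw01 DENY src=10.0.0.5 dst=192.168.1.10 dport=22",
    "2024-03-01T10:00:01 srv01 sshd: Failed password for root from 10.0.0.5",
    "2024-03-01T10:00:01 fw01 ALLOW src=10.0.0.7 dst=192.168.1.20 dport=443",
]

if __name__ == "__main__":
    seal = seal_batch(LINES, datetime(2024, 3, 1, 10, 0, 2))
    print(verify_batch(LINES, seal))                   # everything checks out
    altered = LINES[:1] + ["2024-03-01T10:00:01 srv01 sshd: Accepted password for root from 10.0.0.5"] + LINES[2:]
    print(verify_batch(altered, seal))                 # digest_ok False, tampered_lines [1]
```

Only the batch digest, timestamp and count are signed; the per-line hashes travel unsigned beside the seal and serve to localize a change. That is why verification recomputes the digest from the lines rather than trusting the stored hashes: an edit to both a line and its stored hash still fails the signed digest, and a truncated file fails the count even though every remaining line matches.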
Archive and Back-up
CryptoLOG can back up the system configuration and plug-ins to the requested
storage pool, and can also transfer processed logs to different environments
reliably. Queries can be made over archived logs on request, so no additional
operation is needed when archived records must be queried. CryptoLOG logs can
be compressed at a ratio of 1:30, and analyses and reports can be run directly
over the compressed data without any additional operation.
User Management and Authorization
CryptoLOG offers an advanced authorization infrastructure at the menu and
function level. User management is role based: the roles created can be
assigned the desired features and privileges by the system administrators.
Authorization in this section goes down to the plug-in level.
Agent Management:
CryptoLOG agents can be administered from a central system. Agents can be
installed on remote servers and clients, and their configuration can be
managed over the dashboard from the center. Groups can be formed in this
section, and a policy/configuration can be sent collectively to all agents in
a group. Operating and non-operating agents can also be checked on screens
showing the operational status of the agents.
CryptoSPOT
CryptoSPOT is a hotspot product developed for the practical use of wired or
wireless internet service provided with or without a fee in multi-user
environments. In addition to users defined locally on it, it can authorize
users by connecting to third-party databases such as SMS services, Active
Directory and hotel software, which gives it flexible use in different
environments. Internet access through the hotspot system can be recorded and
sent to a third-party log storage system.
User Definitions:
For each user the name, user name, password, timeout, period of use,
download/upload bandwidth limit and simultaneous-use permission can be
entered.
A MAC address definition screen exists for devices that should be allowed on
the internet without passing through the captive portal. Users who obtain a
password via SMS can be recorded by default and can register directly on the
login screen. Active Directory/LDAP sources can be defined; all users in these
sources can be permitted, or internet access can be restricted to selected
groups and/or given different speeds. Policy screens exist for these settings.
Configurations:
The entire network configuration (IP, gateway, DNS and route) can be made over
the interface. More than one hotspot network can be defined, and the DHCP IP
distribution range and similar settings can be configured separately for each
network. Syslog configuration is available for sending logs to logging
systems. Welcome screen configuration is also available over the interface;
the login methods used on these screens (SMS, local, Active Directory) are
available separately or within the same profile. A different profile can be
defined for each hotspot network, or a common login profile can be shared.
Users are enabled simply by entering the relevant access information for the
pre-defined SMS services; SMS services not yet defined can be added easily
thanks to the modular structure.