
Library:How to Find the Right SIEM Solution. A Step-by-Step Guide and SIEM Features Comparison



SIEM (Security Information and Event Management) solutions are becoming a necessary part of an organization's security infrastructure, playing an important role in threat detection, incident response, forensic analysis, and improving overall security posture. Today's SIEM should be a powerhouse of real-time data capture, event correlation, analysis, and reporting. A truly effective SIEM should be strong in log management, reporting, and functionality, and in the depth to which it analyzes data and presents it to the analyst. Just as importantly, a SIEM should deliver scalability and a storage mechanism specialized for the large volumes of security event data it must retain, correlate, and manage.

The next-generation SIEM is moving away from log filtering and compliance reporting toward comprehensive situational awareness and deep data analysis. Tactical FLEX, Inc. is at the forefront of recognizing these changes and has designed Aanval v7 to deliver a highly interactive and scalable market-leading SIEM solution, complete with advanced data analysis and an unmatched level of Internet and local-network security situational awareness. In addition, Aanval v7's False Positive Protection event validation engine automatically tags and filters events to help keep false positives from overpowering true risks, allowing analysts and engineers to focus and get back to protecting their network. Aanval v7 also includes a powerful new GeoLocation mapping framework for plotting attack data geographically: visualize attack data based on source, destination, risk level, and quantity of events, all plotted on a fully interactive map of the world. A major focus of Aanval is performance and scalability; Aanval v7 is built with an accelerated real-time event processing system that handles as many as 1,500 events per second and scales with hardware to process as many as 5,000 events per second. The improved background processing systems of Aanval v7 are simpler, more powerful, and more capable than ever before. In addition, Aanval v7 is written entirely in standard HTML and Javascript and, more importantly, is free of Adobe Flash. The completely re-written codebase enables Aanval v7 to work in every browser and across every mobile platform, providing a competitive edge over other SIEM platforms.

Is a SIEM Right for Your Business?

To determine if a SIEM tool is right for you and your organization, here’s a step-by-step guide collected from various leading security experts including SC Magazine, CIO Magazine, Tech Republic, and Network World News to help prospective buyers evaluate vendor offerings and make the right SIEM technology decisions.

A Guide to SIEM Shopping

  1. Determine your security objectives and business goals.
  2. Review important SIEM features and capabilities listed.
  3. Note which features are not vital to your department and organization.
  4. Create a list of product questions: include license fees, upgrade license costs with new releases, storage fees, support fees, user fees, third-party licenses, and other additional fees.
  5. Create a list of questions pertaining to installation, hardware, operating system, codebase, and BI reporting.
  6. Assess software vendor viability.
  7. Evaluate answers, cost factors, and overall cost to deploy.
  8. Ask for a demonstration of the product.
  9. Conduct a proof-of-concept.

A Guide to Assessing Software Vendor Viability

The River Guide, Inc., a consulting firm helping small- and medium-sized organizations make the right software technology decisions, provides an important guide on how to assess software vendor viability. When assessing strategic and technological viability, River Guide, Inc. suggests considering:

  1. Ongoing investment. Simply keeping the doors open isn't good enough. You need a vendor that will continually invest in product enhancements and product releases.
  2. Product portfolio position. Is the vendor really focused on the product you are buying? Some vendors have numerous products for multiple industries and have a wide variety of product offerings. In some cases, the vendor may "starve" the development of one product to "feed" another. So while the resources of a large vendor may work to your advantage, be sure to assess just how important the software product is to the vendor's overall strategy.
  3. Role during consolidation. To avoid our second scenario in which your new vendor is acquired and the product "sunsetted," assess what comes of the vendor in a consolidating market. A large and growing vendor is more likely to be an acquirer; a small and undifferentiated vendor is more likely to be acquired. One exception is the small, yet highly differentiated vendor; they may well be acquired, but the product will likely receive more investment and attention from the new parent company.

The SIEM Features Comparison Guide

Below is a sampling of SIEM features, their industry descriptions, and further details of how they function in Aanval v7.

Feature: Situational Awareness
Description: An advanced feature providing the ability to identify the areas of the network most at risk, as well as the security threats to them.
Functionality in Aanval SAS: New in Aanval v7 is our unique Situational Awareness engine, which provides an in-depth event and architecture analysis of the host network.
Situational Awareness within Aanval allows analysts to quickly identify which specific devices, services, and approximate areas of the network are most at risk and which are more likely to be a problem in the future.
Analysts can configure networks, devices, IP addresses, services, and ports within Aanval; these definitions let the Situational Awareness engine quickly summarize network event information and provide analysts with the resources they need to identify actual risks and make critical decisions.
See Also: Situational Awareness.

Feature: False Positive Protection
Description: Ability to efficiently validate security events and identify potential false positives. The goal is to keep false positives from overpowering true risks.
Functionality in Aanval SAS: Aanval includes a powerful event validation engine that performs real-time analysis of events against customizable network, device, and service definitions.
Aanval v7's event validation engine automatically tags and filters events to help keep false positives from overpowering true risks, allowing analysts and engineers to focus and get back to protecting the network.
False positives are the number one reason intrusion analysis systems fail to provide accurate and timely results. Even small numbers of false positives cost organizations significant time, resources, and budget to manage.
See Also: Event Validation.

Feature: Event Correlation
Description: The technique of linking multiple security events together to detect suspicious behavior and network vulnerabilities: the association of different but related security events to provide broader context than a single event can.
Functionality in Aanval SAS: Aanval is a fully integrated event management and attack data correlation engine. Aanval compares and correlates attacks in real time and provides easy-on-the-eyes charts and visual representations of related attack data across Snort, Suricata, and syslog sourced data.
Using every detail of a normalized event, Aanval compares events against one another as well as against groups of events to identify complex attack patterns or to determine whether a single attack is related to larger attacks happening within the same timeframe.
Correlation is performed both in real time and on demand, allowing analysts to select an event and see which events may be related.
Ranking is simple to understand: Aanval provides a % value for each correlated event, letting the analyst know how confident Aanval is in its decision.
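
As an added example (not Aanval's code, and not a description of how its engine is implemented), the following Python script shows the two ideas the False Positive Protection and Event Correlation entries describe: validating an alert against what the destination host actually runs, and scoring how closely events inside a time window are related to one another. The alert lines, asset definitions, signature metadata, local-rule SIDs and scoring weights are all constructed for illustration; the Snort fast-alert line format and the RFC 5737 test addresses are real.

```python
"""Asset-aware alert validation and time-window correlation over Snort
'fast' alert lines.  Added example: alert lines, asset definitions,
signature metadata and scoring weights are constructed here and are
not Aanval's own logic."""
import re
from datetime import datetime

# Snort fast format:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
YEAR = 2024  # fast alerts carry no year; assumed for the constructed sample

def parse_fast_alert(line):
    """Normalize one fast-alert line into a dict, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{YEAR}/{ev['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    for k in ("gid", "sid", "rev", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev

# Constructed asset definitions: OS and listening TCP ports per monitored host.
ASSETS = {
    "192.0.2.10": {"os": "linux", "services": {22, 80, 443}},
    "192.0.2.20": {"os": "windows", "services": {445, 3389}},
}
# Constructed per-signature requirements (rule metadata would normally supply this).
SIG_REQUIRES = {1000002: {"os": "windows"}}  # SMB RCE signature only matters on Windows

def validate(ev):
    """Tag an event by checking it against what the destination actually runs."""
    asset = ASSETS.get(ev["dst"])
    if asset is None:
        return ["unknown-host"]  # never auto-dismiss: an unknown host may be rogue
    tags = []
    if ev["dport"] not in asset["services"]:
        tags.append("closed-port")
    want_os = SIG_REQUIRES.get(ev["sid"], {}).get("os")
    if want_os and want_os != asset["os"]:
        tags.append("os-mismatch")
    tags.append("likely-false-positive" if tags else "validated")
    return tags

WINDOW_S = 120                               # correlation window in seconds
WEIGHTS = {"src": 50, "dst": 30, "sid": 20}  # shared-attribute weights, sum to 100

def relatedness(a, b):
    """0..100 confidence that b relates to a: shared attributes, decayed by time gap."""
    gap = int(abs((a["time"] - b["time"]).total_seconds()))
    if gap > WINDOW_S:
        return 0
    score = sum(w for k, w in WEIGHTS.items() if a[k] == b[k])
    return score * (2 * WINDOW_S - gap) // (2 * WINDOW_S)  # full weight at gap 0, half at the edge

def correlate(events, i):
    """Events related to events[i], as (index, confidence%) sorted by confidence."""
    hits = [(j, relatedness(events[i], e)) for j, e in enumerate(events) if j != i]
    return sorted([h for h in hits if h[1] > 0], key=lambda h: -h[1])

# Constructed sample alerts (local-rule SIDs >= 1000000, RFC 5737 addresses).
SAMPLE_ALERTS = [
    "01/15-10:00:00.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51000 -> 192.0.2.10:22",
    "01/15-10:00:30.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 1] {TCP} 203.0.113.5:51001 -> 192.0.2.10:22",
    "01/15-10:00:45.000000  [**] [1:1000002:2] LOCAL SMB remote code execution attempt [**] [Priority: 1] {TCP} 203.0.113.5:51002 -> 192.0.2.10:445",
    "01/15-10:01:00.000000  [**] [1:1000003:1] LOCAL web vulnerability scanner [**] [Priority: 3] {TCP} 198.51.100.7:40000 -> 192.0.2.20:80",
    "01/15-11:30:00.000000  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 1] {TCP} 203.0.113.5:52000 -> 192.0.2.10:22",
]
EVENTS = [e for e in map(parse_fast_alert, SAMPLE_ALERTS) if e]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, ev["src"], "->", ev["dst"], ev["dport"], ev["msg"], validate(ev))
    print("related to event 0:", correlate(EVENTS, 0))
```

The SMB alert against the Linux web server is tagged as a likely false positive on two independent grounds (closed port, wrong OS), while the SSH alerts against a host that really runs SSH stay validated; the two SSH events 30 and 45 seconds after the first correlate at 87% and 65%, and the one 90 minutes later falls outside the window. An unknown destination is deliberately not dismissed, because a host missing from the asset list is itself a finding.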

Feature: Network Scanning
Description: The ability to scan host, outside, and offending networks and IPs.
Functionality in Aanval SAS: Powered by Nmap version 6, three new features are available for Aanval SAS: Network Host Scanning searches the host network for new and unknown connected devices; Rogue Host Detection automatically alerts users to new and rogue hosts connected to the network; and Offensive Reconnaissance manually or automatically scans offending IPs for their OS fingerprint, up/down state, and available services, and conveniently stores the results for display and improved situational awareness. The feature can also be used to scan local IPs and hosts.
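
Rogue Host Detection as described above amounts to diffing what a scan sees against what the inventory says should be there. The following Python script is an added example (not Aanval's implementation): it parses nmap's greppable (-oG) output, which is real nmap syntax, into hosts and open TCP ports, and reports hosts absent from the inventory, known hosts exposing unexpected ports, and known hosts the scan did not see. The inventory and the scan text are constructed; the scan_live helper is the only part that touches a real nmap binary (a SYN scan needs root). Two practitioner caveats: a host missing from a sweep is not proof that it is gone, since hosts and firewalls can drop probes, and scanning "offending" addresses that belong to someone else may breach acceptable-use policies or law, so confirm authorization before enabling offensive reconnaissance against external IPs.

```python
"""Rogue-host and unexpected-service detection by diffing nmap greppable
output (-oG) against a host inventory.  Added example; the inventory and
the scan text are constructed, and nothing here is Aanval's own code."""
import re
import subprocess

# Constructed inventory: known hosts and the TCP ports they are supposed to expose.
INVENTORY = {
    "192.0.2.1": {"name": "gw", "ports": {22}},
    "192.0.2.10": {"name": "web", "ports": {22, 80, 443}},
    "192.0.2.20": {"name": "files", "ports": {445}},
}

# Constructed output of `nmap -sS -oG - 192.0.2.0/28` (greppable format).
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan 15 10:00:00 2024 as: nmap -sS -oG - 192.0.2.0/28
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.0.2.37 ()\tStatus: Up
Host: 192.0.2.37 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
# Nmap done at Mon Jan 15 10:00:20 2024 -- 16 IP addresses (3 hosts up) scanned in 20.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>[\d.]+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")
# port/state/protocol/owner/service/... as nmap writes it in -oG Ports: fields
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<svc>[^/]*)/")

def parse_greppable(text):
    """Return {ip: {"up": bool, "open": {port: service}}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '# Nmap ...' comment lines and anything else
        h = hosts.setdefault(m["ip"], {"up": False, "open": {}})
        rest = m["rest"]
        if rest.startswith("Status:"):
            h["up"] = "Up" in rest
        elif rest.startswith("Ports:"):
            for p in PORT_RE.finditer(rest):
                if p["state"] == "open" and p["proto"] == "tcp":
                    h["open"][int(p["port"])] = p["svc"]
    return hosts

def audit(scan, inventory):
    """Findings as (kind, ip, ports): rogue hosts, unexpected open ports, known hosts not seen."""
    findings = []
    for ip, h in scan.items():
        if not h["up"]:
            continue
        if ip not in inventory:
            findings.append(("rogue-host", ip, sorted(h["open"])))
            continue
        extra = set(h["open"]) - inventory[ip]["ports"]
        if extra:
            findings.append(("unexpected-port", ip, sorted(extra)))
    for ip in inventory:
        if ip not in scan or not scan[ip]["up"]:
            # absence from a scan is not proof of absence: the host may drop probes
            findings.append(("not-seen", ip, []))
    return sorted(findings)

def scan_live(target):
    """Run nmap for real (needs root for -sS) and parse its greppable output."""
    out = subprocess.run(["nmap", "-sS", "-oG", "-", target],
                         capture_output=True, text=True, check=True).stdout
    return parse_greppable(out)

if __name__ == "__main__":
    for kind, ip, ports in audit(parse_greppable(SCAN_OUTPUT), INVENTORY):
        print(f"{kind:16} {ip:14} {ports}")
```

Run against a real network, replace SCAN_OUTPUT with scan_live("192.0.2.0/28") and keep INVENTORY in version control so that every "rogue-host" or "unexpected-port" finding is a diff someone has to explain; the telnet listener on 192.0.2.37 and the extra 8080 on the web server are exactly the kind of change worth an alert.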

Feature: GeoLocation
Description: Capability to view real-time IP GeoLocation data.
Functionality in Aanval SAS: Aanval v7 includes a powerful new mapping framework for geolocation plotting. Aanval provides live and interactive IP geolocation displays to aid analysts in quickly identifying the global location of offending traffic. IP addresses of intrusion events are plotted on a fully interactive global map in both real-time and static forms.
Visualize attack data based on source, destination, risk level, and quantity of events, all plotted on a fully interactive map of the world. These advanced displays also help define patterns of attack that might otherwise go unnoticed.
View various geolocation-based displays including our real-time Live GeoLocation display as well as the newly updated Frequent Offenders and Frequent Attackers displays.
Know where your network threats originate: zoom, drag, and hover your mouse for details in both static and real-time geolocation displays. Note that IP geolocation reflects where an address is registered or routed, not necessarily where the attacker sits behind a proxy, VPN, or compromised host.
See Also: Live GeoLocation.

Feature: Advanced Displays
Description: Ability to display various angles on attack data and correlated events.
Functionality in Aanval SAS: Dozens of displays designed to provide analysts with near-limitless viewing angles on attack data and correlated events. Events sorted and graphed by risk, signature statistics, and interactive timelines are only a few of the powerful new features in this release of Aanval.
Additionally, Aanval includes powerful GeoLocation IP details to allow analysts to quickly identify attack proximity for complete situational awareness.
See Also: Live GeoLocation and Situational Awareness.

Feature: Tagging
Description: New system that allows default or custom tags to be added to events.
Functionality in Aanval SAS: Aanval v7 adds a very powerful event tagging system, which allows individual users as well as teams to tag events with an unlimited number of keywords that define the various characteristics of an intrusion event.
Default tags are provided and each user can create their own set of custom tags. Tags can be added to events individually as needed or through the automated action system as events are imported and normalized.
Searching and reporting by tags is supported and tag statistics displays are included as well.
See Also: Tagging.

Feature: Timeline Browser
Description: Ability to display and view timeline information of current and historical events for advanced analysis.
Functionality in Aanval SAS: An analyst's thinking is very much tied to a timeline of events when mitigating an ongoing attack or investigating historical event results.
Aanval includes advanced new timeline-based charts and graphs in addition to our standard sets. This graphing ability allows an analyst to see data from new angles and identify patterns that may previously have gone unnoticed.
Charts and graphs are Javascript-based, enabling them to work on all desktop and mobile platforms.

Feature: Greater Storage Technology and Long-Term Retention
Description: Capacity to store massive amounts of both real-time and historical events long-term, and to archive events on a long-term basis for event correlation, event searches, reporting, and auditing requirements.
Functionality in Aanval SAS: Significant research and intense development of Aanval v7 brings the ability to store a nearly unlimited number of events within the console. As long as disk space is available, event storage continues without affecting performance.
Deployed installations with more than 100 million, 500 million, and even 1+ billion events are not uncommon.
Data can be stored locally or remotely and remains easily accessible for searching, reports, and statistics.
The storage mechanism accommodates future growth, eliminating external storage expansion costs.

Feature: Live and Real-Time Monitoring
Description: Ability to view and respond to events in real time.
Functionality in Aanval SAS: Aanval v7 includes significant updates and enhancements to our popular and well-known Live Event Monitor, which displays real-time events per second, per hour, and per day.
Provides multiple advanced real-time event and statistic displays to help users grasp current security situational awareness.
The Live Event Monitor displays real-time security events and gives a credible picture of the organization's entire network security at any given moment.
See Also: Situational Awareness.

Feature: Codebase
Description: The whole collection of source code used to build a particular application or component.
Functionality in Aanval SAS: Aanval v7 is written entirely in standard HTML and Javascript and, more importantly, is free of Adobe Flash.
The completely re-written codebase enables Aanval v7 to work in every browser and across every mobile platform, providing a competitive edge over other SIEM platforms.

Feature: Advanced Search Technology
Description: Technology to search both real-time events and historical data.
Functionality in Aanval SAS: Search results and correlation displays are extremely powerful while remaining quick, simple, and efficient.
Find targeted events using specific metadata criteria, or perform full clear-text searches of all event fields, including payload data, for Snort, Suricata, and syslog.
Additionally, Aanval supports a wide range of custom search keywords to locate events based upon time periods, risk level, relation to one another, and more.
See Also: Advanced Search Help.

Feature: Charts and Graphs
Description: Visual summary of event data.
Functionality in Aanval SAS: Aanval provides a good balance between raw event data and graphical representation.
Charts and graphs in static, interactive, and real-time animated views are available in searches, summaries, reports, and dedicated displays.
Our charting and graphing capabilities are based on industry-standard Javascript technology, ensuring they display equally well on all desktop and mobile devices.

Feature: Log Management Compatibility
Description: Ability to capture events from different log sources.
Functionality in Aanval SAS: Fully capable of processing and managing massive amounts of syslog event data from any network device that supports it.
Aside from Snort and Suricata, routers, firewalls, switches, servers, and more can be integrated into the Aanval Console for complete data management.

Feature: Background Processing System
Description: The ability of a system to perform tasks in the background, independently of the user interface.
Functionality in Aanval SAS: The improved background processing systems of Aanval v7 are simpler, more powerful, and more capable than ever before.
Designed with an accelerated real-time event processing system that handles as many as 1,500 events per second and scales with hardware to process as many as 5,000 events per second.
The improved BPU system allows for custom configuration of BPU job functions and queuing. The system also displays BPU status indicators and a status page.
See Also: Background Processing Units.

Feature: Ease of Use
Description: Simplicity of the SIEM tool to deploy, use, and manage efficiently.
Functionality in Aanval SAS: Simple to deploy and easy to use.
Supports multi-machine architecture deployments.

Feature: Scalability and Implementation
Description: Ability to handle every network environment.
Functionality in Aanval SAS: Designed to handle every network environment, from small-business single-sensor deployments to large-scale multiple-sensor enterprise and government environments.

Feature: Forensic Analysis
Description: Analysis of detected security events in order to determine what happened, when it happened, how it happened, and who was involved.
Functionality in Aanval SAS: Efficiently streamlines the process of viewing, correlating, and collecting data on suspicious events for forensic investigation.
Reference and access older data quickly, since forensics is usually a race against time and the attackers.

Feature: User Log Activity
Description: Ability to monitor, manage, and provide detailed logs of user activities.
Functionality in Aanval SAS: Provides managers the ability to evaluate and monitor console activity and the productivity of users.
View account activity logs and usage history.

Feature: Reporting Tools
Description: Instrument to put security data in an understandable format; the ability to generate reports from captured and stored log data to support informed security decisions.
Functionality in Aanval SAS: Aanval's reporting system utilizes the same advanced core search engine as the primary console. Reporting on selected searches has never been easier or more efficient. Reports may be displayed, scheduled, managed, and emailed, all from within a simple-to-use yet powerful interface.
Reports are available in a variety of formats: HTML, XML, TEXT, and native console formats.

Feature: Vendor Viability
Description: Assess the vendor's technology and strategic viability.
Functionality in Aanval SAS: Publicly released in March of 2004.
Currently the longest-running Snort interface under continuous development on the market today.
Continually investing in product enhancements with both minor and major releases and license upgrades.

Feature: Installation and Operating System
Description: Setup of a program or software, and the platforms it runs on.
Functionality in Aanval SAS: Designed to work with every version of Snort and Suricata, and can process syslog data from any device capable of external logging.
Supported on all current flavors of Linux, Unix, and Mac OS X; requires up-to-date installations of MySQL, Apache, and PHP to operate as intended.

Feature: Snort Signature Management
Description: Management tool for Snort sensor rule configurations and policies.
Functionality in Aanval SAS: Supports Snort signatures from any current source, including signatures created by Sourcefire and Emerging Threats.
Users can create and manage Snort signature policies that can be deployed manually or automatically across single- or multiple-sensor architectures.
Provides the option to download signature packs from snort.org as well as any of the widely available custom signature packs on the Internet.
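
A signature policy in the sense used above is a per-sensor list of which SIDs are on and which are off. The following Python function is an added example (not Aanval's rule manager, and not tied to any particular rule downloader): it applies such a policy to a Snort rules file by commenting out disabled rules rather than deleting them, so the change is reversible and auditable, and it reports policy entries that reference SIDs no longer present in the ruleset, which is how a policy silently drifts after a signature pack update. The rules file and the policy are constructed; one rule per line is assumed.

```python
"""Apply a per-sensor signature policy (enable/disable by SID) to a Snort
rules file.  Added example, not Aanval's rule management; the rules and
the policy are constructed.  Disabled rules are kept as commented lines
so the policy is reversible and the diff is reviewable."""
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# A rule that has been commented out: optional whitespace, '#', then an action keyword.
DISABLED_RE = re.compile(r"^\s*#\s*(?=(?:alert|drop|pass|log|reject|sdrop)\s)")

# Constructed local.rules: one rule per line (Snort's backslash continuations are not handled).
RULES_FILE = """\
# constructed local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flow:to_server; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL SMB remote code execution attempt"; sid:1000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL web vulnerability scanner"; content:"Nikto"; nocase; sid:1000003; rev:1;)
"""

# Constructed per-sensor policy.  The DMZ sensor sees no Windows hosts, so the SMB
# rule stays off; SID 1000099 no longer exists in the ruleset, to show the stale check.
POLICY = {"dmz-sensor": {"enable": {1000001}, "disable": {1000002, 1000003, 1000099}}}

def apply_policy(rules_text, policy):
    """Return (rewritten rules text, set of policy SIDs not found in the ruleset)."""
    out, seen = [], set()
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if not m:
            out.append(line)          # blank lines and plain comments pass through
            continue
        sid = int(m.group(1))
        seen.add(sid)
        body = DISABLED_RE.sub("", line, count=1)   # the rule with any leading '# ' removed
        if sid in policy["disable"]:
            out.append("# " + body)
        elif sid in policy["enable"]:
            out.append(body)
        else:
            out.append(line)          # not mentioned by the policy: leave as shipped
    stale = (policy["enable"] | policy["disable"]) - seen
    return "\n".join(out) + "\n", stale

if __name__ == "__main__":
    text, stale = apply_policy(RULES_FILE, POLICY["dmz-sensor"])
    print(text)
    if stale:
        print("policy references SIDs missing from the ruleset:", sorted(stale))
```

Treat a non-empty stale set as a deployment error rather than a warning: a SID that quietly disappears from a vendor pack (or is renumbered) leaves a disable entry doing nothing, and a rule you believed was off may be on.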

Feature: Automated Actions
Description: Ability to automate specific actions and tasks to deliver operational efficiency.
Functionality in Aanval SAS: Aanval includes a sophisticated criteria-based event action system, which reacts to incoming events in real time.
The actions module is capable of sending emails, generating audio alerts, performing maintenance, and even executing customized shell scripts to do just about anything.
Many clients build and deploy advanced action scripts to update firewall rules, generate custom statistics, and even trigger remote operations.
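
An action that updates firewall rules in response to a single alert is the one most worth thinking through before it goes live: an alert's source address is attacker-influenced data, a spoofed packet can be made to look as if it came from your resolver or gateway, and an unguarded block action then turns the IDS into a self-inflicted denial of service. The following Python class is an added example (not Aanval's action system): it matches normalized events against criteria rules, requires a threshold of events per source inside a time window before acting, refuses to block addresses on a never-block list, and invokes the (hypothetical) block script with an argument list rather than a shell string. Rules, events, addresses and the script path are constructed.

```python
"""Criteria-based automated actions over normalized IDS events, with the
guards a firewall-block action needs.  Added example: the rules, events,
never-block list and the block script path are constructed and are not
Aanval's own action system."""
import ipaddress
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Addresses that must never be blocked automatically, whatever the alert says:
# internal ranges, resolvers, upstream gateways.  A spoofed packet can make any
# source look hostile, so an unguarded block action is a self-DoS primitive.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.53/32")]

# Constructed action rules: `sid` and `max_priority` (Snort priority 1 is most severe)
# must match, and `threshold` events from one source inside `window` seconds are required.
RULES = [
    {"name": "ssh-bruteforce-block", "sid": 1000001, "max_priority": 1,
     "threshold": 3, "window": 300, "actions": ["email", "block"]},
    {"name": "scanner-notify", "sid": 1000003, "max_priority": 3,
     "threshold": 1, "window": 0, "actions": ["email"]},
]

class ActionEngine:
    def __init__(self, dry_run=True):
        self.dry_run = dry_run
        self.history = defaultdict(deque)  # (rule name, src) -> recent event times
        self.log = []                      # what was (or in dry-run would be) done

    def matches(self, rule, ev):
        return ev["sid"] == rule["sid"] and ev["priority"] <= rule["max_priority"]

    def over_threshold(self, rule, ev):
        q = self.history[(rule["name"], ev["src"])]
        q.append(ev["time"])
        cutoff = ev["time"] - timedelta(seconds=rule["window"])
        while q and q[0] < cutoff:
            q.popleft()
        return len(q) >= rule["threshold"]

    def handle(self, ev):
        """Apply every rule to one event; returns the (rule, action) pairs that fired."""
        fired = []
        for rule in RULES:
            if self.matches(rule, ev) and self.over_threshold(rule, ev):
                for action in rule["actions"]:
                    if getattr(self, "act_" + action)(rule, ev):
                        fired.append((rule["name"], action))
                self.history[(rule["name"], ev["src"])].clear()  # one firing per burst
        return fired

    def act_email(self, rule, ev):
        self.log.append(("email", rule["name"], ev["src"]))
        return True  # a real implementation hands this to smtplib

    def act_block(self, rule, ev):
        src = ipaddress.ip_address(ev["src"])
        if any(src in net for net in NEVER_BLOCK):
            self.log.append(("refused-block", rule["name"], ev["src"]))
            return False
        self.log.append(("block", rule["name"], ev["src"]))
        if not self.dry_run:
            # Argument list, never a shell string built from event fields:
            # ev["src"] came off the wire.  /usr/local/sbin/block-ip is hypothetical.
            subprocess.run(["/usr/local/sbin/block-ip", ev["src"]], check=True)
        return True

def t(seconds):
    return datetime(2024, 1, 15, 10, 0, 0) + timedelta(seconds=seconds)

# Constructed normalized events: a real brute forcer, an internal source that looks
# the same (spoofed or misconfigured), and one scanner hit.
SAMPLE_EVENTS = [
    {"time": t(0),   "src": "203.0.113.5",  "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(40),  "src": "203.0.113.5",  "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(90),  "src": "203.0.113.5",  "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(100), "src": "10.1.2.3",     "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(101), "src": "10.1.2.3",     "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(102), "src": "10.1.2.3",     "dst": "192.0.2.10", "sid": 1000001, "priority": 1},
    {"time": t(200), "src": "198.51.100.7", "dst": "192.0.2.20", "sid": 1000003, "priority": 3},
]

def run(events, dry_run=True):
    """Feed events through a fresh engine; returns (per-event firings, action log)."""
    eng = ActionEngine(dry_run)
    return [eng.handle(ev) for ev in events], eng.log

if __name__ == "__main__":
    fired, log = run(SAMPLE_EVENTS)
    for entry in log:
        print(entry)
```

The external brute forcer is emailed about and blocked only on its third event inside the window; the internal source trips the same rule but the block is refused and only the notification goes out, which is the outcome you want when the "attacker" turns out to be a misconfigured internal scanner or a spoofed address.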

Feature: Event Details
Description: Ability to provide consistent and in-depth security event information.
Functionality in Aanval SAS: Aanval provides a consistent layout for all event details regardless of source (Snort, Suricata, or syslog data). Aanval displays the appropriate network-layer details, protocols, the fully encoded and decoded payload, and the signature that triggered the event.
External network address lookups can be done with a single click; tagging events and adding notes are among the other features of the event details display.

Feature: Apps
Description: Web and mobile app tools that accompany the SIEM platform.
Functionality in Aanval SAS: First and only intrusion console to provide native iOS access to live Snort, Suricata, and syslog event data.
Designed to work with both free and commercial versions of Aanval.
Access event details, frequent events, frequent offenders, and sensor statistics directly from iPhone, iPod Touch, and iPad.

Screen shots and details of Aanval v7 are available at http://www.aanval.com and product licenses, upgrades, training, and support service packages may be purchased from Tactical FLEX, Inc. at http://www.aanval.com/purchase. Aanval may be downloaded for testing and evaluation.

About Tactical FLEX, Inc.

For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business, and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry's most comprehensive end-to-end Snort and syslog intrusion detection, correlation, and threat management solution, built with a unique Situational Awareness engine, distinct false-positive protection technology, and a fully-integrated event management and attack data correlation engine. Learn more about Aanval SAS™ by visiting http://www.aanval.com

We invite you to visit our Industry Focus page at http://www.aanval.com/industry to find out how our products and services can help secure your valuable assets and information. The Industry Focus section was created to give information security professionals a broader perspective on the security needs and challenges facing their industries. Every organization, regardless of industry, faces similar and ever-increasing network and inter-network security threats. Our products and services are designed not only for the important facets of the industries covered there, but for every organization with a network or Internet connection.

Aanval® is also available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download. Let Aanval SAS™ turn your security event data into actionable and comprehensive insights.