Crypto sim_cryptolog_cryptospot_v3

Published in: Technology

  1. CryptTech Inc.: CryptoSIM, CryptoLOG, CryptoSPOT. Information Security Intelligence
  2. CryptoSIM Executive’s Brief

IT threats against organizations are increasing day by day. They take the form of worms, viruses, Trojans, phishing and similar attacks launched by internal or external attackers, and they can cause fatal events for a company, such as the theft of its secrets. Firewalls and intrusion prevention systems cannot stop every sophisticated worm or rootkit from being planted on an in-house computer: an employee’s PC can easily be infected with malware from an infected web site or social network application. Trojans, worms and viruses are now programmed for specific firms, and access credentials can be gathered through phishing and social engineering attacks. Such threats make systems vulnerable to attacks that conventional IDS systems cannot prevent. Malicious code developed specifically for a company is not detected by signature-based anti-virus systems. Attack structures are continually updated and grow more complex, and attacks on business applications are harder to identify for the firewalls and detection systems that make up the perimeter protection. Recent security violations, especially those involving cellular phones, have shown that every mobile device, server, client, notebook and other smart device is prone to security vulnerabilities. As threats become more sophisticated and mobile devices are exposed to attacks, signature-based detection systems cannot detect them.

As information security increasingly turns into a chaotic structure, the logs of all systems, servers, mobile devices and business applications should be gathered, analyzed, correlated and parsed, and their anomalies examined. These billions of records cannot be examined and inspected by human staff. Automated systems are therefore required to do the analysis and find the correlations, using correlation directives as the artificial intelligence.

Systems called SIEM can perform such analysis and correlation. CryptoSIM is an integrated Security Information and Event Management system that offers unique correlation and analysis through its correlation directives. CryptoSIM proactively captures log data, provides the means to analyze and diagnose threats and anomalies, and notifies users of potential threats. IT teams can use CryptoSIM to meet security management needs and legal compliance mandates in addition to security analysis and alerting, and they can test their current compliance level with the compliance report templates available in CryptoSIM. CryptoSIM provides a thorough analysis of event data and plenty of report templates over audit records, giving first-hand analysis to both existing security units and supervisors.

Normalization
Normalization assigns a universal data structure format to the collected data, mapping equivalent fields, and then parses each log into it. This makes comparison and correlation between events possible within a unified schema, and it can be deployed in a plug-in structure.

Categorization
Categorization is the method used to classify the logs. Events are translated into a taxonomy based on their category and sub-category.

Unification
Unification is the simplification of recurring events into a single event.

Event Correlation
Correlation is the process of representing the relations between records of incidents from multiple sources, where correlation rules define the relation patterns among disparate events. In other words, it gives an all-encompassing view of how various events relate, for inspection of security behaviour. The CryptoSIM correlation engine supports the following real-time correlation types:

  • Simple Correlation is the examination of logs from one source through correlation. Five erroneous connection attempts to a server within one minute is classified under this category.
  • Logical Correlation is implemented by the Correlation Directives using logical tree structures. This type of structure is also known as an AND/OR tree and is generally used in artificial intelligence systems. When a condition node matches, the correlation engine proceeds to its sub-nodes. As the engine advances through matching conditions, the reliability of the correlation changes accordingly: as more evidence is obtained that an attack is going on, the probability of the alarm increases as well. For example, if an attack perceived by the detection system has passed through the firewall, and a request is then received from the server concerned without two-directional traffic, the system reports this as ‘the attacked server is influenced’. Here the logs of more than one system were received and examined, and all node conditions were met, so the reliability probability is high.
  • Contextual Correlation underlines asset value and type. If the asset value is high, the risk value will be high and the necessary alarms will be produced. If the asset value is low (for example in test systems), the risk value will be low and the response will differ. The asset type is considered as well: for instance, when the attack detection system perceives an attack that concerns Windows servers but the attacked system is Linux, the priority value decreases.
  • Cross Correlation additionally evaluates vulnerability data. The security vulnerability logs and the logs from attack detection systems are correlated, and the priority value is determined accordingly.
  • Retrospective Correlation: while CryptoSIM correlates in server memory in real time, it can also apply correlation rules to old logs to investigate whether the pattern occurred in the past.
  • Hierarchical Correlation: CryptoSIM can send correlated records to a superior correlation engine for further inspection. The records kept by the first correlation engine can be re-correlated in the next engine according to distinct rules. As a result, N-level relation extraction becomes possible.

Risk Evaluation
CryptoSIM calculates security risk values from an event’s Asset value, Priority value and Reliability value.
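The simple, contextual and risk-evaluation steps above, as an added Python illustration that is not CryptoSIM code: the event schema, the asset inventory, the priority penalty for an OS mismatch and the risk formula (asset x priority x reliability / 25, the OSSIM convention, which the brochure does not state) are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized into one schema: five auth
# failures against 10.0.0.5 inside 40 s, then an IDS alert for a Windows
# exploit aimed at a Linux host.
EVENTS = [{"ts": "2024-01-01T10:00:%02d" % s, "src": "203.0.113.7",
           "dst": "10.0.0.5", "cat": "auth", "sub": "failure"}
          for s in range(0, 50, 10)]
EVENTS.append({"ts": "2024-01-01T10:05:00", "src": "203.0.113.7",
               "dst": "10.0.0.9", "cat": "ids", "sub": "win_smb_exploit"})

# Constructed asset inventory (value 1-5 and OS): the context needed below.
ASSETS = {"10.0.0.5": {"value": 5, "os": "windows"},
          "10.0.0.9": {"value": 1, "os": "linux"}}

def simple_correlation(events, threshold=5, window=timedelta(minutes=1)):
    """Simple correlation: report each dst that received at least
    `threshold` auth failures inside one `window`."""
    by_dst = defaultdict(list)
    for e in events:
        if e["cat"] == "auth" and e["sub"] == "failure":
            by_dst[e["dst"]].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for dst, times in by_dst.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(dst)
                break
    return hits

def contextual_priority(base_priority, target_ip, attack_os=None):
    """Contextual correlation: lower the priority when the exploit's target OS
    does not match the asset's OS (a Windows attack against a Linux server)."""
    asset = ASSETS.get(target_ip, {"value": 1, "os": "unknown"})
    if attack_os and asset["os"] != attack_os:
        return max(base_priority - 3, 0)   # assumed penalty of 3
    return base_priority

def risk(asset_value, priority, reliability):
    """Assumed formula (OSSIM convention, not stated by the brochure):
    asset 0-5 * priority 0-5 * reliability 0-10, divided by 25 -> 0-10."""
    return asset_value * priority * reliability / 25

def score(event, base_priority, reliability, attack_os=None):
    """Risk of one event after the contextual adjustment."""
    pri = contextual_priority(base_priority, event["dst"], attack_os)
    return risk(ASSETS[event["dst"]]["value"], pri, reliability)
```

The same alert scores 10.0 against the high-value Windows server and 0.8 against the low-value Linux test host, which is the asset-value and asset-type effect the brochure describes.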
  3. Incident Management
CryptoSIM also provides an incident management system that makes it possible to apply controlling actions against security incidents.

CryptoLOG Dashboard
The CryptoLOG Dashboard screen detects and presents all logs collected and processed by the system according to their categories. Processor, memory and disk performance can be monitored against the real-time EPS (events per second). The distribution of log sources is shown on a monthly, weekly and daily basis, with total record counts in charts and graphs on the dashboard screen; it thus depicts the total activity of the network on a single interface, which simplifies monitoring for unusual activity. The CryptoLOG dashboard is equipped with scrolling views and lets supervisors drill down immediately into the more detailed statistics behind the graphs and events. Automatic rotation between statistical charts and alarm screens can be set up by defining the desired number of Special Indicators. The screen can be projected or shown on an LCD panel to display hundreds of charts at the requested intervals.

Log Collection and Advanced Plug-in Structure
CryptoLOG can collect logs through several methods. The most used are OPSEC, Syslog, agent, socket, SNMP, ODBC, OLE DB, native DB, WMI, remote registry, share, samba, ftp, sftp and ssh. CryptoLOG offers a unique log processing capacity with its advanced plug-in structure. The plug-in substructure uses regex or CryptoLOG pattern-processing functions; both methods allow extra plug-ins to be written with wizards or as direct plug-in steps. Plug-in code can also be written and added beyond these methods: CryptoLOG includes C# and VB code engines by default, and the desired code can be added within the plug-in. CryptoLOG ships with over 300 prepared plug-ins, and the user chooses which plug-in to use on the flexible plug-in interface.

Alarm fields and messages can be defined on the plug-ins. When a log is processed, it produces the alarm specified by the system user, independent of the template or field that matched it. Up-to-date plug-ins can be pulled automatically with a client from the web repository.

Statistical Reports
In addition to statistical data, several kinds of reports on the statistics of collected logs are available on the system. They can be generated by query, either in real time or scheduled at times specified by the user. The reports are not static and can be customized for their application. Reports can be produced over any desired fields of the logs and exported to PDF, EXCEL, WORD and CSV. Furthermore, statistical information about fields can be obtained through the plug-ins: as logs are collected, CryptoLOG keeps counters per field, and reports on these counters are available immediately on the user’s request, whereas generating such reports would take hours if the system did not keep real-time counts. This rapid access to reports, taking just a few seconds even on major systems with billions of records, is one of the unique advantages of CryptoLOG.

Immediate Statistical Reports
The Immediate Statistics module can be run over a desired time interval and makes analysis possible over any desired field, independent of the statistical counters defined on the plug-in.

Traditional Reports
The reports menu in CryptoLOG provides over 300 prepared report templates. Reports are produced according to the desired parameters by selecting the proper template. Scheduled reports can be taken from the system for time-dependent uses, and can be sent to a specific person by e-mail on request. Report templates are easily prepared with the report preparation wizards, and if desired, a regular expression (RegEx) can be specified for each log field in the advanced reporting section.

Compliance reports can be produced from the GLBA, SOX, HIPAA, FISMA and PCI templates. All kinds of templates can be issued, and firms can build their own compliance templates in accordance with their own policies.
  4. Forensic Analysis
CryptoLOG provides advanced querying for forensic inspection. More than one query can be run at a time. Queries can be made over processed and parsed log lines. The original logs are shown in queries on request, and the results of such queries can be exported to PDF, EXCEL, WORD and CSV format.

High Availability
CryptoLOG operates in active-passive mode with its grouping substructure and so provides high availability. It can also operate active-active, which allows load sharing across systems.

Non-Repudiation and 5651
CryptoLOG takes hashes of the logs it processes, in accordance with its built-in non-repudiation substructure, stamps them with time stamps and signs them with a digital signature. This is done every second. On request, when log files are closed or at the end of the day, they are stamped using the timestamp service of UEKAE. CryptoLOG allows the hash and signature algorithms to be selected through its parametric substructure: RSA (1024 bit) or DSA are used by default as signature algorithms, and the hashing algorithm can be chosen from MD5, SHA1, SHA256 and SHA512. Each log line can be signed individually on request. CryptoLOG also provides for external data transfer to meet legal regulations: by selecting External data transfer for Legal Query in the Forensic Analysis section, the original log files, the digital signature files with hash and timestamp information, and the certificates can be transferred to external storage.

Archive and Back-up
CryptoLOG can back up the system configuration and plug-ins to the requested storage pool, and can also transfer the processed logs reliably to other environments. Queries can be run over archived logs on request, so no additional step is needed when archive records must be queried. CryptoLOG logs can be compressed at a ratio of 1:30, and analyses and reports can be run directly over the compressed data without any additional step.

User Management and Authorization
CryptoLOG offers an advanced authorization substructure at the menu and function level. User management is role-based, and the roles created can be assigned the desired features and permissions by the system administrators. Authorizations in this section go as low as the plug-in level.

Agent Management
CryptoLOG agents can be administered from a centralized system. They can be installed on remote servers and clients, and the agents’ configuration can be set centrally from the dashboard. Groups can be formed, and policy/configuration can be sent to all agents in a group at once. Operating and non-operating agents can also be checked on the screens showing the agents’ operational status.

CryptoSPOT
CryptoSPOT is a hotspot product. It is developed for practical use of cable or wireless internet service provided with or without a fee in multi-user environments. In addition to users defined on it, it can perform user authorization by connecting to third-party databases such as SMS services, Active Directory and hotel software, which makes it flexible in different environments. Internet accesses over the hotspot system can be recorded and sent to a third-party log storage system.

User Definitions
For each user, the name, user name, password, timeout, period of use, download/upload bandwidth limit and simultaneous-use permit values can be entered. A MAC address definition screen exists for devices that should be allowed onto the internet without passing through the captive portal. Users who are asked to obtain a password via SMS can be recorded by default, and can register directly on the login screen. Active Directory/LDAP sources can be defined; all users in these sources can be permitted, or internet access can be limited to specific groups and/or given different speeds. Policy screens exist for these settings.

Configurations
The entire network configuration (IP, gateway, DNS and route) can be made on the interface. More than one hotspot network can be defined, and the DHCP IP distribution range and similar settings can be configured separately for each network. Syslog configuration is available for sending logs to logging systems. Welcome screen configurations are also available on the interface. The login methods that can be used on these screens (SMS, local, Active Directory) are available separately or within the same profile; a different profile can be defined for each hotspot network, or a common login profile can be shared. Users are set up only by entering the relevant access information for the pre-defined SMS services, and undefined SMS services can easily be added thanks to the modular structure.
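The per-second hash-and-timestamp step from the Non-Repudiation section above, as an added Python illustration that is not CryptoLOG code: the record layout, the chaining of each second’s digest to the previous one, and the sample log lines are assumptions made for this example. The RSA/DSA signature and the external UEKAE timestamp that the brochure applies on top of these digests are left out, since the Python standard library has no signing primitive; a practitioner adding that step should note that 2048-bit RSA keys or larger are the current minimum recommendation, not the 1024-bit default listed.

```python
import hashlib
from itertools import groupby

# Constructed sample logs as (timestamp to the second, raw line), sorted by time.
LOGS = [
    ("2024-01-01T10:00:00", "sshd[1]: Failed password for root from 203.0.113.7"),
    ("2024-01-01T10:00:00", "sshd[1]: Failed password for root from 203.0.113.7"),
    ("2024-01-01T10:00:01", "sshd[1]: Accepted password for alice from 10.0.0.3"),
    ("2024-01-01T10:00:03", "kernel: firewall DROP src=203.0.113.7 dst=10.0.0.5"),
]

def seal_logs(logs, algo="sha256"):
    """Group lines by second and emit one chained digest record per second.
    Each digest covers the second, every line of that second and the previous
    record's digest, so altering or dropping any second breaks all later ones.
    The algorithm is parametric, mirroring the brochure's selectable hashes."""
    assert algo in ("md5", "sha1", "sha256", "sha512")
    prev = "0" * hashlib.new(algo).digest_size * 2   # genesis value for the chain
    records = []
    for second, group in groupby(logs, key=lambda entry: entry[0]):
        h = hashlib.new(algo)
        h.update(second.encode())
        for _, line in group:
            h.update(b"\n" + line.encode())
        h.update(b"\n" + prev.encode())
        prev = h.hexdigest()
        records.append({"second": second, "digest": prev, "algo": algo})
    return records

def verify_logs(logs, records):
    """Recompute the chain over the archived lines and return the first second
    whose stored digest no longer matches, or None when the archive is intact.
    A signed, timestamped copy of the final digest is what would make this
    check non-repudiable towards a third party."""
    fresh = seal_logs(logs, records[0]["algo"])
    for i, stored in enumerate(records):
        if i >= len(fresh) or stored["digest"] != fresh[i]["digest"]:
            return stored["second"]   # tampered or missing second
    return None if len(fresh) == len(records) else fresh[len(records)]["second"]
```

Because each record folds in the previous digest, a verifier only needs the signed final digest to detect an edit, a deleted second or lines appended after sealing.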