Ravin 1396-7-15 21:01:26 +03:30

Security incidents are inevitable in computer networks. Using security products such as firewalls, NIDS and HIDS does not guarantee comprehensive prevention of attacks in enterprise networks. Detection of, and rapid reaction to, security attacks require important events to be collected, analyzed and monitored continuously so that the organization has security situational awareness. Based on best practice, the suitable solution for maintaining awareness of the security situation of a computer network and for detecting and responding to cyber-attacks is the deployment of a Security Operation Center. As a comprehensive and integrated solution, a SOC raises the level of cyberspace defense against attackers. PayamPardaz Corporation has two decades of successful experience in the design and development of network security products such as network intrusion detection systems, UTM and VPN. PayamPardaz has offered the RAVIN product, a powerful SIEM for deploying a security operation center, since 2012. A SIEM (Security Information and Event Management) is the technological heart of a SOC, alongside its processes and security analysts.

PayamPardaz Engineering Company - Security Operations Center

Network Intrusion Detection System
  • Throughput: up to 10 GbE
  • Concurrent sessions: up to 5 million concurrent sessions without packet loss
  • Behavioral anomaly detection: detects new and unknown attacks using learning-based anomaly detection methods
  • Comprehensive set of attack signatures: more than 18,000 predefined attack signatures that can be updated continuously. The set covers different attack types such as scanning, gaining access, data manipulation, propagation, malware activity and denial of service.
  • GUI: web-based graphical user interface
Network Traffic Analysis Sensor
  • Auto-detection of application-layer protocols: application-layer detection of more than 170 protocols regardless of the port being used. Known protocols can be detected on non-standard ports (e.g. HTTP on ports other than 80) and vice versa (e.g. Skype traffic on port 80), since the assumption port = application no longer holds.
  • Network traffic monitoring: defines charts of packet rate, flow rate and volume usage over various time periods for different application-layer protocols and adds them to dashboards.
  • NetFlow support: receives and processes NetFlow reports.
  • Traffic flow analysis: analyzes traffic flow information and extracts new attack evidence. It learns the behavior of services and users and detects abnormal behavior.
  • Throughput: up to 10 GbE
  • Compliance checking: detects malicious behavior of attackers and automated malware by checking network traffic flows against security policies. Administrators can define arbitrary rules for each security policy.
  • Zero-day attack detection: the weakness of signature-based sensors is that no predefined signatures exist for zero-day attacks and malware. Most of these attacks affect network traffic flows; analyzing those effects as evidence of malicious activity helps detect zero-day attacks.
Log Collector
  • Customizable for various sensors: supports adding the organization's new applications so that their logs can be received.
  • Throughput: processes up to 20 thousand events per second on one appliance and scales to higher rates.
  • Number of supported sensors: unlimited
  • Event filters: arbitrary filters can be defined to eliminate unusable logs or to keep certain logs from entering the system according to the organization's security policies.
  • Compression rate: logs are compressed at a 10:1 rate to reduce the bandwidth needed to transmit them over the network from the log collector to the log manager.
  • Secure transmission: data security is provided through confidentiality and integrity of the connections between modules.
  • Reliable transmission: a cache temporarily retains received logs to prevent data loss during network disconnection.
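The collector's event filters, batch compression and reliable (store-and-forward) transmission are shown together in the following added Python example. It is illustration code written for this page, not RAVIN's implementation: the syslog lines, the drop pattern and the FakeLink class are constructed, and the send callback stands in for the encrypted LC-to-LM channel.

```python
import gzip
import re
from collections import deque

# Constructed syslog-style lines, standing in for what a collector receives.
SAMPLE_LOGS = [
    "<34>Oct 7 21:01:26 fw1 kernel: DENY TCP 192.0.2.10:51234 -> 10.0.0.5:8080",
    "<30>Oct 7 21:01:27 web1 sshd[1012]: Accepted publickey for deploy from 10.0.0.9",
    "<31>Oct 7 21:01:27 web1 systemd[1]: Started Session 42 of user deploy.",
    "<34>Oct 7 21:01:28 fw1 kernel: DENY TCP 192.0.2.10:51235 -> 10.0.0.5:8081",
    "<30>Oct 7 21:01:29 web1 sshd[1013]: Failed password for root from 198.51.100.7",
]

# Constructed filter policy: session start/stop chatter is dropped at the
# collector so it never consumes bandwidth or archive space.
DROP_PATTERNS = [re.compile(r"systemd\[\d+\]: (Started|Stopped) Session")]


def should_forward(line: str) -> bool:
    """Event filter: False for lines matching a drop pattern."""
    return not any(p.search(line) for p in DROP_PATTERNS)


def compress_batch(lines):
    """Newline-join a batch and gzip it. Returns (payload, raw_size) so the
    achieved ratio can be reported against the 10:1 target."""
    raw = "\n".join(lines).encode("utf-8")
    return gzip.compress(raw), len(raw)


def decompress_batch(payload: bytes):
    return gzip.decompress(payload).decode("utf-8").split("\n")


class FakeLink:
    """Constructed stand-in for the LC -> LM channel; it only models the link
    going down and up. A real channel would be wrapped in TLS to give the
    confidentiality and integrity the feature list requires."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, payload: bytes) -> bool:
        if not self.up:
            return False
        self.received.extend(decompress_batch(payload))
        return True


class Forwarder:
    """Store-and-forward collector: filtered events go into a bounded local
    cache and leave it only after the link has accepted the batch."""

    def __init__(self, send, cache_size=10000):
        self.send = send            # callable(bytes) -> bool
        self.cache = deque()
        self.cache_size = cache_size
        self.dropped = 0            # events lost because the cache overflowed

    def submit(self, line: str) -> str:
        if not should_forward(line):
            return "filtered"
        if len(self.cache) >= self.cache_size:
            self.cache.popleft()    # oldest event is sacrificed when full
            self.dropped += 1
        self.cache.append(line)
        return "cached"

    def flush(self) -> bool:
        """Ship the whole cache as one compressed batch; on failure the cache
        is kept intact, in order, for the next attempt."""
        if not self.cache:
            return True
        payload, _raw_size = compress_batch(list(self.cache))
        if not self.send(payload):
            return False
        self.cache.clear()
        return True


if __name__ == "__main__":
    link = FakeLink()
    fwd = Forwarder(link.send)
    link.up = False                          # simulate an outage
    for line in SAMPLE_LOGS:
        print(fwd.submit(line), line[:40])
    print("flush during outage:", fwd.flush(), "cached:", len(fwd.cache))
    link.up = True
    print("flush after reconnect:", fwd.flush(), "delivered:", len(link.received))
```

The cache is bounded on purpose: an unbounded spool turns a long outage into a disk-exhaustion problem on the collector, so the design choice is to count and report evictions rather than fail silently.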
Log Management and Archive
  • Events per second: receives and stores up to 50,000 EPS
  • Long retention period: depending on the storage volume, logs can be retained for three, six or 12 months.
  • Data encryption: encrypts stored data in the archive to prevent unauthorized access.
  • Compression: compresses raw and normalized logs at a rate of at least 10:1.
  • Message exchange format: IDMEF and IODEF formats are used to exchange event and incident messages between SOC components.
  • Real-time data retrieval: SOC analysts can search and retrieve archived data in real time based on various parameters.
  • External storage: supports long-term archive storage on external storage such as SAN and NAS.
Correlation & Response Engine
  • Real-time analysis: once the symptoms of an attack are complete, the incident is reported so that the progress of the attack can be stopped.
  • Multi-stage correlation: some attacks build up the conditions for their goal over long periods of time. To detect them proactively, the different stages of the attack are related to each other, and as a result the attacker's final goal is understood.
  • Cross-device correlation: to complete the symptoms of reported incidents and reduce false-positive alarms, logs of network services and devices are analyzed and correlated with the alerts of security software and devices.
  • Verification based on asset vulnerabilities: detects and eliminates false-positive alerts when the corresponding vulnerability does not exist on the attack target.
  • Efficient correlation engine: the correlation engine does not miss attacks while reducing a very high percentage of reported events.
  • Predefined and customizable correlation rules: a selected set of generalized correlation rules ships with the system. These predefined rules can be customized to the organization's situation, and SOC analysts can inject special-purpose correlation rules into the correlation engine.
  • Behavioral anomaly analysis: detects abnormal events by statistical analysis of logs against the profiles of assets.
  • Number of supported rules: unlimited
  • Events per second throughput: up to 5000 EPS per appliance; higher throughput can be achieved by replicating multiple appliances.
  • Visual attack graph: at the end of event analysis, an attack graph is displayed for a better visual understanding of the incident.
  • Integrated knowledge base: uses a central knowledge management engine to handle the processes of creating and updating knowledge and to guarantee its integrity. The knowledge base contains information about the organization's security policies and priorities, the vulnerabilities of assets, etc.
  • Incident handling process: in addition to an integrated ticketing system for task tracking, the necessary automatic instruments are implemented based on a standard incident handling process. This feature is not present in common SIEM products.
  • Interaction with organization teams: supports interaction with CERT, NOS and forensics teams.
  • Incident handling guidelines: for every detected incident, a guideline is proposed that describes how to respond to the incident and gives operational instructions such as denying malicious traffic or removing malware. SOC analysts can modify response guidelines or add new special cases to them. This feature is not present in common SIEM products.
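The following added Python sketch (written for this page, not RAVIN's code) shows how the correlation behaviours listed above fit together in the smallest possible engine: a threshold rule that marks a scan stage, verification of exploit alerts against an asset knowledge base, multi-stage correlation of a scan followed by an exploit, and cross-device confirmation from a web server log. The events, the asset table, the signature name exploit_webapp_rce and the vulnerability id VULN-WEB-001 are all constructed placeholders; scan_threshold and window are the kind of values the tuning step of a deployment adjusts from the system's initial feedback.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalized event from a sensor or device (constructed format)."""
    ts: int        # seconds since epoch, constructed values
    source: str    # reporting device: firewall, nids, webserver
    kind: str      # fw_deny | nids_alert | web_error
    src_ip: str
    dst_ip: str
    detail: str    # destination port, signature name or HTTP status


# Constructed asset knowledge base. Vulnerability ids are placeholders,
# not real CVE numbers.
ASSETS = {
    "10.0.0.5": {"role": "web", "vulns": {"VULN-WEB-001"}},
    "10.0.0.6": {"role": "db", "vulns": set()},
}

# Which asset vulnerability each (hypothetical) exploit signature needs.
SIGNATURE_REQUIRES = {"exploit_webapp_rce": "VULN-WEB-001"}


def verify_against_assets(alert: Event) -> bool:
    """Asset-based verification: keep an exploit alert only if the target
    actually carries the vulnerability the signature exploits."""
    required = SIGNATURE_REQUIRES.get(alert.detail)
    if required is None:
        return True  # not an exploit signature, nothing to verify
    asset = ASSETS.get(alert.dst_ip)
    return asset is not None and required in asset["vulns"]


def correlate(events, scan_threshold=10, window=3600, confirm_window=60):
    """Toy correlation pass over a batch of events.

    - threshold rule: >= scan_threshold distinct denied ports from one source
      marks a scan stage for that source
    - asset verification: unverified exploit alerts are suppressed
    - multi-stage: a scan followed by an exploit within `window` seconds
    - cross-device: a web-server error for the same pair within
      `confirm_window` seconds after the alert adds a confirming stage
    """
    events = sorted(events, key=lambda e: e.ts)
    denied_ports = defaultdict(set)   # src_ip -> distinct dst ports denied
    scan_seen_at = {}                 # src_ip -> ts when threshold was crossed
    incidents, suppressed = [], []

    for e in events:
        if e.kind == "fw_deny":
            denied_ports[e.src_ip].add(e.detail)
            if len(denied_ports[e.src_ip]) >= scan_threshold:
                scan_seen_at.setdefault(e.src_ip, e.ts)
        elif e.kind == "nids_alert":
            if not verify_against_assets(e):
                suppressed.append(e)
                continue
            stages = []
            scan_ts = scan_seen_at.get(e.src_ip)
            if scan_ts is not None and e.ts - scan_ts <= window:
                stages.append("scan")
            stages.append("exploit")
            confirmed = any(
                w.kind == "web_error"
                and w.src_ip == e.src_ip and w.dst_ip == e.dst_ip
                and 0 <= w.ts - e.ts <= confirm_window
                for w in events
            )
            if confirmed:
                stages.append("service_error")
            incidents.append({
                "attacker": e.src_ip,
                "target": e.dst_ip,
                "signature": e.detail,
                "stages": stages,
                "multistage": "scan" in stages,
            })
    return {"incidents": incidents, "suppressed": suppressed}


# Constructed sample batch: a scan-then-exploit against the vulnerable web
# host, plus an unrelated exploit alert against the unaffected database host.
SAMPLE_EVENTS = [
    Event(1000 + i, "firewall", "fw_deny", "192.0.2.10", "10.0.0.5", str(8000 + i))
    for i in range(12)
] + [
    Event(1100, "nids", "nids_alert", "192.0.2.10", "10.0.0.5", "exploit_webapp_rce"),
    Event(1102, "webserver", "web_error", "192.0.2.10", "10.0.0.5", "500"),
    Event(1200, "nids", "nids_alert", "198.51.100.7", "10.0.0.6", "exploit_webapp_rce"),
]

if __name__ == "__main__":
    result = correlate(SAMPLE_EVENTS)
    for inc in result["incidents"]:
        print("INCIDENT", inc)
    for alert in result["suppressed"]:
        print("SUPPRESSED (target not vulnerable)", alert)
```

Raising scan_threshold above the number of distinct ports seen demotes the same alert from a multi-stage incident to a single-stage exploit report, which is exactly the trade-off the tuning step adjusts: a threshold set too high hides the reconnaissance stage, one set too low reports every misconfigured client as a scanner.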
GUI
  • Security dashboards: every user can define customized dashboards composed of arbitrary charts of various security events and reports.
  • GUI: a web-based graphical user interface is provided to manage, configure, search and follow up the process of identifying, analyzing and handling incidents.
  • Sensor monitor: the GUI shows the activity status of the registered sensors.
  • Various reports: the system has many predefined reports, and each user can define arbitrary reports. Defined reports are generated at scheduled times in PDF, HTML and Excel formats.
  • User management: each user in the SOC teams can be granted access to various product components such as configuration, monitoring and incident handling.
  • Email notification: once a task is assigned to a user, the user is notified via email.
  • Asset discovery and vulnerability assessment: the system contains asset discovery and vulnerability assessment tools for discovering assets and their vulnerabilities automatically and adding the asset information to the knowledge base. It can also connect to an external asset discovery and vulnerability assessment tool if the organization has one.
Device Management
  • Automatic commander: sends commands to active network devices to stop attacks by blocking malicious traffic, disabling users, killing processes, etc.
  • Custom script: administrators can define arbitrary actions by writing a manual script and using it to respond to attacks.
  • Supported devices: different devices and protocols are supported for sending commands:
      • Network device operating systems
      • Unified threat management systems
      • Network-layer and application firewalls
      • SFTP
      • Printers
      • Alarm notification systems
      • Operating systems (Windows, Linux, ...)
      • SSH, Telnet
Support Services
  • 24*7 support: support around the clock (24*7) in accordance with the SLA.
  • Ticketing system: a ticketing system for following up customer requests.
  • User manual: a user guide for the system outputs, such as detailed information on attacks and security incidents, is given to the people working in the SOC so that they can analyze events effectively.
  • Training: training is provided for SOC personnel so that the trained staff can work with the system autonomously.
  • Support of knowledge: updates to the attack detection knowledge are fully supported. Special-purpose correlation rules suited to the organization's requirements and policies are also supported in accordance with the SLA.

To cover the needs of different customers and let them use different network structures, the product has been designed as a three-component model: the log collector (LC), the log management (LM) and the correlation & response engine (CRE). In addition, two network monitoring sensors, the network intrusion detection system (NIDS) and the network traffic analysis (NTA) sensor, can be used for stronger incident detection. The following figure shows how the components of the product are combined.


The features of each component model are described in the tables above. LCS is a software version of the log collector, installed on the operating system of a desktop or server to collect logs and transmit them to the log management system. At various points in the network, a log collector (LC) appliance is used for one or more pieces of network equipment located close together; the task of this agent is to transfer the logs of the equipment under its control to the LM. Logs received by the CRE are analyzed and the results are stored in the system archive, where the SOC staff can monitor them as detected incidents.


In addition to the models mentioned above, SOC in a Box is an appliance that contains all of these components. It can be used in small and medium-sized networks that are local rather than distributed. The following table shows the features and models of the SOC in a Box system.


The following list describes the steps to deploy the Security Operations Center in a medium-sized network.

1) Requirements Engineering

  • Identify the network and select the sensors
  • Plan the setup
  • Determine the staff

2) Setup and Customization

  • Set up the infrastructure
  • Configure sensors to send their logs
  • Add the necessary security sensors to the network
  • Add the plugins required to cover all of the selected sensors
  • Define any new reports that are required
  • Customize knowledge base entries according to the operational environment and the organization's security policies

3) Configure and Tune the System

  • Verify the initial outputs of the system against known facts about the network
  • Determine the threshold values of correlation rules according to the system's initial feedback
  • Determine the verification filters for reducing false-positive incidents

4) Training and Delivery

  • Train the SOC staff
  • Deliver the system and its management to the SOC staff

Network Security Devices
Firewall/UTM/WAF/VPN:
  • Tarigh UTM
  • Tarigh FV
  • Tarigh WAF
  • ModSecurity
  • Keyhan VPN Server
  • IPTables
  • Cisco-PIX
  • Cisco-ASA
  • Cisco-FWSM
  • Juniper-Netscreen
  • IPFW
  • Cisco-VPN
  • Fortigate
  • Juniper-VPN
  • TippingPoint
  • FortiGuard
  • Sonicwall
  • ISA-Server
  • Checkpoint
  • Astaro
  • Netasq Alarm
  • Netasq Connection
  • Netasq Filter
  • Symantec Gateway Security
  • Cisco ACS Csv
  • Cisco ACS Syslog
  • Radius
  • Safeguard

Network Devices
Router/Switch:
  • Cisco Switch
  • Cisco Router
  • Huawei Switch
  • Huawei Router
  • Cisco CSS
  • Nortel Switch
  • Foundry
  • Juniper Router

Security Monitoring Sensors
HIDS/NIDS/Honeypot:
  • RealSecure wgm
  • OSSec
  • Osirix
  • Juniper IDP
  • Snort
  • Suricata
  • StoneGate
  • SourceFire
  • Bro IDS
  • Cisco IPS (SDEE)
  • Cisco CSA v45
  • Cisco CSA v60
  • Cisco CSA v52
  • Tipping Point
  • Samhain
  • Tripwire
  • Symantec Network Security
  • McAfee Intercept
  • McAfee Intrushield
  • Enterasys Dragon
  • Amun
  • HoneyD

Operating Systems
  • Windows: 2003 Workstation & Server, XP, Vista, Win7, Win8, Win2008 Workstation & Server
  • Linux: pam_unix, sudo, dhcp, usbdev
  • BSD: FreeBSD, NetBSD, OpenBSD

Servers
Application servers/Web proxies:
  • PureFTP
  • ProFTPD
  • WuFTP
  • SSHD
  • NFS
  • Apache
  • IIS
  • Bind
  • VSFTP
  • Squid
  • Squid Guard
  • WebShield
  • WebSense
  • OpenNMS
  • DHCP
  • OpenLDAP

Mail Server
  • Postfix
  • Exchange
  • Courier
  • Dovecot
  • Axigen
  • Sendmail

Antimalware
Antivirus/AntiSpam:
  • Kaspersky
  • Bitdefender
  • Avast
  • Clamav
  • Sophos
  • Podvish
  • Symantec Endpoint Protection
  • Norton Antivirus
  • SpamAssassin
  • McAfee Antivirus
  • McAfee Antispam

Database
  • MySQL
  • Oracle
  • PostgreSQL
  • Sybase

Scanners
Asset Discovery/Vulnerability Scanner:
  • NMap
  • Nessus
  • NTop
  • Oval
  • McAfee FoundStone