Introduction to Ravin
Ravin
Today, in any organization, millions of events and alerts are generated daily by software, hardware, network and security devices. The sheer volume of this data, and the variety of formats and languages used in these events, makes it hard and costly for humans to identify, assess and analyze them; the result is faults and mistakes, and in some situations the task is simply impossible.
The Ravin Incident and Event Management Service makes it possible to monitor all events and alerts in the organization's network continuously. All alerts and events are collected and, besides being retained for maintenance and long-term recovery, can be monitored and analyzed continuously and immediately in order to detect the root cause of security events and respond systematically.
One of the most important uses of Ravin SIEM is in the organization's security operation center (SOC). The SOC shows the state of network security and current flows through continuous (365*24) monitoring.
Options and features
- Use in the organization's security operation center (SOC)
- Reduce the cost of collecting, identifying and analyzing alerts and events in different parts of the organization's network
- Detect cyber-attacks, malware and suspicious behavior
- Immediate security incident detection and network behavioral analysis
- Reduce incident response time
- Generate statistical reports from security events, categories and priorities
- Dashboards for real-time monitoring of events and security incidents
- Analyze and monitor events and security incidents at any time
Ravin SIEM components
Ravin SIEM
Ravin is offered in different models for different hardware according to event rate (EPS) and alert storage volume.
Ravin NTLM
This component is commonly deployed out of line in the organization's network. Different flows are exported and analyzed, and security alerts are sent to managers. The analysis result can also be sent to Ravin SIEM; in other words, this service acts as a sensor for Ravin SIEM.
Ravin NGIDS
This component is commonly deployed out of line in the organization's network. Traffic content is assessed and analyzed with the purpose of detecting security and destructive events, and the result is sent to Ravin SIEM. This service is categorized as a network-layer sensor for Ravin SIEM.
Ravin EDR
This component is installed as a software agent on network hosts. Agents export risky security behaviors from hosts and send them to the central Ravin service, where they are analyzed and correlated with other network events. This service is categorized as a host-layer sensor for Ravin.
Properties and Features
Network Intrusion Detection System

| Feature | Description |
|---|---|
| Throughput | Up to 10 GbE |
| Concurrent sessions | Up to 5 million concurrent sessions without packet loss |
| Behavioral anomaly detection | Detects new and unknown attacks using learning-based anomaly detection methods |
| Comprehensive set of attack signatures | More than 18,000 predefined attack signatures that can be updated continuously. The set covers different types of attacks such as scanning, gaining access, data manipulation, propagation, malware activity and denial of service. |
| GUI | Web-based graphical user interface |
Network traffic analysis sensor

| Feature | Description |
|---|---|
| Auto-detection of application-layer protocols | Application-layer detection of more than 170 protocols, regardless of the port used. Known protocols can be detected on non-standard ports (e.g. HTTP on ports other than 80) and, conversely, other traffic can be detected on well-known ports (e.g. Skype traffic on port 80), since the assumption that port = application no longer holds. |
| Network traffic monitoring | Defines charts of packet rate, flow rate and volume usage over various time periods for different application-layer protocols and adds them to dashboards. |
| NetFlow support | Receives and processes NetFlow reports |
| Traffic flow analysis | Analyzes traffic flow information and extracts new attack evidence. It learns the behavior of services and users and detects abnormal behavior. |
| Throughput | Up to 10 GbE |
| Compliance checking | Detects malicious behavior of attackers and automated malware by checking network traffic flows against security policies. Administrators can define arbitrary rules for each security policy. |
| Zero-day attack detection | The weakness of signature-based sensors is that no predefined signature exists for zero-day attacks and malware. Most such attacks nevertheless leave effects on network traffic flows; analyzing these effects as evidence of malicious activity helps detect zero-day attacks. |
Log collector

| Feature | Description |
|---|---|
| Customizable for supporting various sensors | Supports adding the organization's own applications so that their logs can be received. |
| Throughput | Processes up to 20 thousand events per second on one appliance, scalable to higher rates. |
| Number of supported sensors | Unlimited |
| Event filters | Arbitrary filters can be defined to eliminate unusable logs or to block certain logs according to the organization's security policies. |
| Compression rate | To reduce the bandwidth needed to transmit logs over the network from the log collector to the log manager, logs are compressed at a 10:1 ratio. |
| Secure transmission | Data security is provided by confidentiality and integrity protection of the connections between modules. |
| Reliable transmission | A cache temporarily retains received logs to prevent data loss during network disconnection. |
Log management and archive

| Feature | Description |
|---|---|
| Events per second | Receives and stores up to 50,000 EPS |
| Long retention period | Depending on storage volume, logs can be retained for three, six or 12 months. |
| Data encryption | Encrypts stored data in the archive to prevent unauthorized access. |
| Compression | Compresses raw and normalized logs at a ratio of at least 10:1. |
| Message exchange format | IDMEF and IODEF formats are used to exchange event and incident messages between security operation center components. |
| Real-time data retrieval | SOC analysts can search and retrieve archived data in real time based on various parameters. |
| External storage | Supports long-term archive storage on external storage such as SAN and NAS. |
Correlation & Response Engine

| Feature | Description |
|---|---|
| Real-time analysis | As soon as the symptoms of an attack are complete, the incident is reported so that the attack's progress can be stopped. |
| Multistage correlation | Some attacks build up the conditions for their final goal over long periods of time. To detect them proactively, the different stages of the attack are linked together, revealing the attacker's final goal. |
| Cross-device correlation | To complete the symptoms of reported incidents and reduce false positive alarms, logs of network services and devices are analyzed and correlated with the alerts of security software and devices. |
| Verification based on asset vulnerabilities | Detects and eliminates false positive alerts when the corresponding vulnerability does not exist on the attack target. |
| Efficient correlation engine | The correlation engine does not miss attacks while reducing the reported events by a very high percentage. |
| Predefined and customizable correlation rules | Generalized correlation rules are selected and shipped with the system. These predefined rules can be customized for the organization's situation, and SOC analysts can inject special-purpose correlation rules into the correlation engine. |
| Behavioral anomaly analysis | Detects abnormal events by statistical analysis of the logs produced, using asset profiles. |
| Number of supported rules | Unlimited |
| Event per second throughput | Up to 5,000 EPS per appliance; higher throughput can be achieved by replicating multiple appliances. |
| Visual attack graph | At the end of event analysis, an attack graph is displayed for better visual understanding of the incident. |
| Integrated knowledge base | A central knowledge management engine handles the processes of creating and updating knowledge and guarantees its integrity. The knowledge base contains information about the organization's security policies and priorities, asset vulnerabilities, etc. |
| Incident handling process | In addition to an integrated ticketing system for task tracking, the necessary automated instruments are implemented based on a standard incident handling process. This feature is not present in common SIEM products. |
| Interaction with organization teams | Supports interaction with CERT, NOS and forensics teams |
| Incident handling guidelines | For every detected incident a guideline is proposed describing how to respond, with operational instructions such as blocking malicious traffic or removing malware. SOC analysts can modify response guidelines or add new special cases. This feature is not present in common SIEM products. |
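The following added example (not Ravin's code) shows how the three correlation mechanisms in the table fit together: alerts are first verified against the asset vulnerability inventory, each verified alert advances a per-attacker/target multistage chain, and a chain is corroborated by the target's own service logs (cross-device correlation) before an incident is reported. The asset inventory, stage names, alert records and service logs are all constructed sample data, and the vulnerability ids are placeholders.

```python
from collections import defaultdict
# Constructed asset inventory: host -> vulnerability ids from the scanner (placeholder ids).
ASSETS = {"10.0.0.5": {"VULN-1001"}, "10.0.0.6": set()}
# Attack stages a constructed multistage rule expects, in order.
STAGES = ("scan", "exploit", "c2")
# Constructed sensor alerts (NIDS/EDR) and service logs from the target hosts.
ALERTS = [
    {"ts": 100, "src": "10.0.0.1", "dst": "10.0.0.5", "stage": "scan", "vuln": None},
    {"ts": 130, "src": "10.0.0.1", "dst": "10.0.0.5", "stage": "exploit", "vuln": "VULN-1001"},
    {"ts": 200, "src": "10.0.0.1", "dst": "10.0.0.5", "stage": "c2", "vuln": None},
    {"ts": 105, "src": "10.0.0.2", "dst": "10.0.0.6", "stage": "scan", "vuln": None},
    {"ts": 140, "src": "10.0.0.2", "dst": "10.0.0.6", "stage": "exploit", "vuln": "VULN-1001"},
    {"ts": 210, "src": "10.0.0.2", "dst": "10.0.0.6", "stage": "c2", "vuln": None},
]
LOGS = [{"ts": 131, "host": "10.0.0.5", "stage": "exploit"}]

def verify(alert, assets=ASSETS):
    """Verification based on asset vulnerabilities: an alert that depends on a
    specific vulnerability is a false positive when the target is known not to
    have it. Unknown targets are kept, since a missing inventory proves nothing."""
    vuln, target = alert["vuln"], alert["dst"]
    if vuln is None or target not in assets:
        return True
    return vuln in assets[target]

def corroborated(alert, logs, window=60):
    """Cross-device correlation: the target's own service log shows a matching
    event close in time to the sensor alert."""
    return any(log["host"] == alert["dst"] and log["stage"] == alert["stage"]
               and abs(log["ts"] - alert["ts"]) <= window for log in logs)

def correlate(alerts, logs):
    """Multistage correlation: advance a per-(src, dst) state machine through
    STAGES and report an incident once the whole chain has been seen in order.
    Returns (incidents, number of alerts dropped as false positives)."""
    progress, seen_in_logs = defaultdict(int), defaultdict(bool)
    incidents, dropped = [], 0
    for a in sorted(alerts, key=lambda a: a["ts"]):
        if not verify(a):
            dropped += 1
            continue
        key = (a["src"], a["dst"])
        if a["stage"] != STAGES[progress[key]]:
            continue  # out-of-order or repeated stage: no progress in the chain
        progress[key] += 1
        seen_in_logs[key] |= corroborated(a, logs)
        if progress[key] == len(STAGES):
            incidents.append({"src": key[0], "dst": key[1],
                              "confidence": "high" if seen_in_logs[key] else "medium"})
            progress[key], seen_in_logs[key] = 0, False  # chain reported; start over
    return incidents, dropped

def run():
    return correlate(ALERTS, LOGS)
```

With the constructed data, the chain against 10.0.0.5 is reported with high confidence because the host's own log confirms the exploit stage, while the chain against 10.0.0.6 never completes because its exploit alert is dropped: the target has no such vulnerability.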
GUI

| Feature | Description |
|---|---|
| Security dashboards | Every user can define customized dashboards built from arbitrary charts of various security events and reports. |
| GUI | A web-based graphical user interface is provided to manage, configure, search and follow up the process of identifying, analyzing and handling incidents. |
| Sensor monitor | The GUI shows the activity status of the registered sensors. |
| Various reports | The system has many predefined reports, and each user can define arbitrary reports. Defined reports are generated at scheduled times in PDF, HTML and Excel formats. |
| User management | The access of each SOC team user to the various product components, such as configuration, monitoring and incident handling, can be managed. |
| Email notification | Once a task is assigned to a user, the user is notified via email. |
| Asset discovery and vulnerability assessment | The system includes asset discovery and vulnerability assessment tools that discover assets and their vulnerabilities automatically and add the asset information to the knowledge base. It can also connect to an external asset discovery and vulnerability assessment tool if the organization has one. |
Device Management

| Feature | Description |
|---|---|
| Automatic commander | Sends commands to active network devices to stop attacks by blocking malicious traffic, disabling users, killing processes, etc. |
| Custom script | Administrators can define arbitrary actions by writing a script and using it to respond to attacks. |
| Supported devices | Supports different devices and protocols for sending commands. |
Support Services

| Feature | Description |
|---|---|
| 24*7 support | 24*7 support according to the SLA |
| Ticketing system | Ticketing system for following up customer requests. |
| User manual | A user guide to the system's outputs, such as detailed information on attacks and security incidents, is given to Security Operations Center staff to enable effective event analysis. |
| Training | Security operations center personnel are trained so that they can operate the system autonomously. |
| Support of knowledge | Updates to the attack detection knowledge are fully supported. Special-purpose correlation rules suited to the organization's requirements and policies are also supported, according to the SLA. |
Models
Ravin SIEM Models
Log Collector Models
Log Management Models
Correlation Response Engine Models
Deployment scheduling
The following list describes the steps to deploy the Security Operations Center in a medium-sized network.
1) Requirements Engineering
- Identify the network and select the sensors
- Plan the setup
- Determine the staff
2) Setup and Customization
- Set up the infrastructure
- Configure sensors to send their logs
- Add necessary security sensors to the network
- Add the plugins required to cover all selected sensors
- Define new required reports
- Customize knowledge base entries for the operational environment and the organization's security policies
3) Configure and Tune the System
- Verify the system's initial outputs against network facts
- Determine the threshold values of correlation rules according to the system's initial feedback
- Determine the verification filters for reducing false positive incidents
4) Training and Delivery
- Train the security operation center staff
- Deliver the system and its management to SOC staff
Supported applications and devices
Network Security Devices (Firewall/UTM/WAF/VPN): Tarigh UTM, Tarigh FV, Tarigh WAF, ModSecurity, Keyhan VPN Server, IPTables, Cisco PIX, Cisco ASA, Cisco FWSM, Juniper NetScreen, IPFW, Cisco VPN, Fortigate, Juniper VPN, TippingPoint, FortiGuard, SonicWall, ISA Server, Checkpoint, Astaro, Netasq Alarm, Netasq Connection, Netasq Filter, Symantec Gateway Security, Cisco ACS CSV, Cisco ACS Syslog, Radius, Safeguard
Network Devices (Router/Switch): Cisco Switch, Cisco Router, Huawei Switch, Huawei Router, Cisco CSS, Nortel Switch, Foundry, Juniper Router
Security Monitoring Sensors (HIDS/NIDS/Honeypot): RealSecure wgm, OSSEC, Osirix, Juniper IDP, Snort, Suricata, StoneGate, SourceFire, Bro IDS, Cisco IPS (SDEE), Cisco CSA v45, Cisco CSA v60, Cisco CSA v52, TippingPoint, Samhain, Tripwire, Symantec Network Security, McAfee Intercept, McAfee IntruShield, Enterasys Dragon, Amun, HoneyD
Operating Systems:
- Windows: 2003 Workstation & Server, XP, Vista, Win7, Win8, Win2008 Workstation & Server
- Linux: pam_unix, sudo, dhcp, usbdev
- BSD: FreeBSD, NetBSD, OpenBSD
Servers (Application servers/Web proxies): PureFTP, ProFTPD, WuFTP, SSHD, NFS, Apache, IIS, Bind, VSFTP, Squid, SquidGuard, WebShield, WebSense, OpenNMS, DHCP, OpenLDAP
Mail Servers: Postfix, Exchange, Courier, Dovecot, Axigen, Sendmail
Antimalware (Antivirus/Antispam): Kaspersky, Bitdefender, Avast, ClamAV, Sophos, Podvish, Symantec Endpoint Protection, Norton Antivirus, SpamAssassin, McAfee Antivirus, McAfee Antispam
Databases: MySQL, Oracle, PostgreSQL, Sybase
Scanners (Asset Discovery/Vulnerability Scanner): Nmap, Nessus, NTop, OVAL, McAfee Foundstone