Introduction to Ravin

Ravin

Today, in any organization, millions of events and alerts are generated daily by software, hardware, network and security devices. The sheer volume of this data, its variety, and the different formats and languages used in these events make it hard and costly for humans to identify, assess and analyze them; the result is faults and mistakes, and in some situations the task is simply impossible.

The Ravin Incident and Event Management Service makes it possible to monitor all events and alerts in the organization's network continuously. All alerts and events are collected and, besides being retained for long-term recovery, can be monitored and analyzed continuously and immediately in order to detect the root cause of security events and respond systematically.

One of the most important uses of Ravin SIEM is in the organization's security operations center (SOC). Through continuous (365*24) monitoring, the SOC presents the current state of network security and traffic flows.


Options and features

  • Use in the organization's security operations center (SOC)
  • Reduced cost of collecting, identifying and analyzing alerts and events from different parts of the organization's network
  • Detection of cyber-attacks, malware and suspicious behavior
  • Immediate security incident detection and network behavior analysis
  • Reduced incident response time
  • Statistical reports on security events, their categories and priorities
  • Dashboards for real-time monitoring of events and security incidents
  • Analysis and monitoring of events and security incidents at any time


Ravin SIEM components

Ravin SIEM

Ravin is offered in different models on different hardware, according to event rate (EPS) and alert storage volume.


Ravin NTLM

This component is commonly deployed out of line in the organization's network. Network flows are exported and analyzed, and security alerts are sent to administrators. The analysis results can also be sent to Ravin SIEM; in other words, this service acts as a sensor for Ravin SIEM.


Ravin NGIDS

This component is commonly deployed out of line in the organization's network. Traffic contents are inspected and analyzed in order to detect security and destructive events, and the results are sent to Ravin SIEM. This service is categorized as a network-layer sensor of Ravin SIEM.


Ravin EDR

This component is installed as a software agent on network hosts. The agents export risky security behaviors from the hosts and send them to the central Ravin service, where they are analyzed and correlated with other network events. This service is categorized as a host-layer sensor of Ravin.


Properties and Features

Network Intrusion Detection System

  • Throughput: Up to 10 GbE
  • Concurrent sessions: Up to 5 million concurrent sessions without packet loss
  • Behavioral anomaly detection: Detects new and unknown attacks using learning-based anomaly detection methods
  • Comprehensive set of attack signatures: More than 18,000 predefined attack signatures that can be updated continuously. The set covers different types of attacks such as scanning, gaining access, data manipulation, propagation, malware activity and denial of service.
  • GUI: Web-based graphical user interface
Network traffic analysis sensor

  • Auto-detection of application-layer protocols: Application-layer detection of more than 170 protocols, regardless of the port being used. It is therefore possible both to detect known protocols on non-standard ports (e.g. HTTP on ports other than 80) and the opposite (e.g. Skype traffic on port 80), since nowadays the assumption that port = application no longer holds.
  • Network traffic monitoring: Defines charts of packet rate, flow rate and volume usage over various time periods for different application-layer protocols and adds them to dashboards
  • NetFlow support: Receives and processes NetFlow reports
  • Traffic flow analysis: Analyzes traffic flow information and extracts new evidence of attacks. It learns the behavior of services and users and detects abnormal behavior.
  • Throughput: Up to 10 GbE
  • Compliance checking: Detects malicious behavior of attackers and automated malware by checking network traffic flows against security policies. Administrators can define arbitrary rules for each security policy.
  • Zero-day attack detection: The weakness of signature-based sensors is that no predefined signatures exist for zero-day attacks and malware. Most such attacks nevertheless leave effects on network traffic flows; analyzing these effects as evidence of malicious activity helps detect zero-day attacks.
Log collector

  • Customizable for supporting various sensors: Supports adding the organization's own applications so that their logs can be received
  • Throughput: Processes up to 20 thousand events per second on one appliance, and scales to higher rates
  • Number of supported sensors: Unlimited
  • Event filters: Arbitrary filters can be defined to eliminate unusable logs or to block the entry of certain logs according to the organization's security policies
  • Compression rate: To reduce the bandwidth needed to transmit logs over the network from the log collector to the log manager, logs are compressed at a 10:1 rate
  • Secure transmission: Data security is ensured by providing confidentiality and integrity of the connections between modules
  • Reliable transmission: A cache retains received logs temporarily to prevent data loss during network disconnections
Log management and Archive

  • Events per second: Receives and stores up to 50,000 EPS
  • Long retention period: Depending on the available storage volume, logs can be retained for three, six or 12 months
  • Data encryption: Data stored in the archive is encrypted to prevent unauthorized access
  • Compression: Raw and normalized logs are compressed at a rate of at least 10:1
  • Message exchange format: IDMEF and IODEF formats are used to exchange event and incident messages between security operations center components
  • Real-time data retrieval: Facilities are provided for SOC analysts to search and retrieve archived data in real time based on various parameters
  • External storage: Supports storing data for long-term archiving on external storage such as SAN and NAS
Correlation & Response Engine

  • Real-time analysis: Once the symptoms of an attack are complete, the incident is reported so that the progress of the attack can be stopped
  • Multistage correlation: Some attacks build up the conditions for achieving their goal over long periods of time. To detect such attacks proactively, the different stages of the attack are related to one another, and as a result the attacker's final goal is understood.
  • Cross-device correlation: To complete the symptoms of reported incidents and reduce false-positive alarms, logs of network services and devices are analyzed and correlated with alerts from security software and devices
  • Verification based on asset vulnerabilities: Detects and eliminates false-positive alerts when the corresponding vulnerability does not exist on the attack target
  • Efficient correlation engine: The correlation engine does not miss attacks while reducing the number of reported events by a very high percentage
  • Predefined and customizable correlation rules: A set of generalized correlation rules is selected and shipped with the system. These predefined rules can be customized for the organization's situation; in addition, SOC analysts can inject special-purpose correlation rules into the correlation engine.
  • Behavioral anomaly analysis: Detects abnormal events by statistical analysis of the logs produced from asset profiles
  • Number of supported rules: Unlimited
  • Events per second throughput: Up to 5000 EPS per appliance; higher throughput can be achieved by replicating multiple appliances
  • Visual attack graph: At the end of event analysis, an attack graph is displayed for a better visual understanding of the incident
  • Integrated knowledge base: Uses a central knowledge management engine to handle the processes of creating and updating knowledge and to guarantee its integrity. The knowledge base contains information about the organization's security policies and priorities, asset vulnerabilities, etc.
  • Incident handling process: In addition to an integrated ticketing system for task tracking, the necessary automated instruments are implemented based on a standard incident handling process. This feature is not offered in common SIEM products.
  • Interaction with organization teams: Supports interaction with CERT, NOS and forensics teams
  • Incident handling guidelines: For every detected incident, a guideline is proposed. It describes how to respond to the incident and gives operational instructions, such as blocking malicious traffic or removing malware; SOC analysts can modify the response guidelines or add new special cases to them. This feature is not offered in common SIEM products.
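To make the two correlation features above concrete, here is a toy correlation engine written for this page (it is not Ravin code): it drops alerts whose attack depends on a vulnerability the target asset does not have (verification based on asset vulnerabilities) and only raises an incident when the stages of a constructed kill chain appear in order against one target within a time window (multistage correlation). The asset table, vulnerability IDs, IP addresses and alerts are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed asset knowledge base: target IP -> vulnerabilities known to be present.
# The IDs are placeholders for this example, not real vulnerability identifiers.
ASSET_VULNS = {
    "10.0.0.5": {"VULN-WEB-001"},   # unpatched web host
    "10.0.0.6": set(),              # fully patched host
}

# Constructed multistage pattern: stages must appear in this order against one target.
KILL_CHAIN = ("scan", "exploit", "exfiltration")

@dataclass(frozen=True)
class Alert:
    ts: int                          # seconds since epoch (constructed)
    src: str
    dst: str
    stage: str                       # kill-chain stage the sensor signature maps to
    requires: Optional[str] = None   # vulnerability the attack needs in order to succeed

def verify_against_assets(alert: Alert, asset_vulns: dict) -> bool:
    """Keep an alert unless it depends on a vulnerability the target does not have."""
    if alert.requires is None:
        return True
    return alert.requires in asset_vulns.get(alert.dst, set())

def correlate(alerts, asset_vulns, window: int = 3600):
    """Return (src, dst, [stage timestamps]) for every chain whose stages appeared
    in KILL_CHAIN order within `window` seconds, using only verified alerts."""
    verified = sorted((a for a in alerts if verify_against_assets(a, asset_vulns)),
                      key=lambda a: a.ts)
    progress = {}      # (src, dst) -> timestamps of the stages reached so far
    incidents = []
    for a in verified:
        seen = progress.setdefault((a.src, a.dst), [])
        if seen and a.ts - seen[0] > window:   # stale chain: start over
            seen.clear()
        if a.stage == KILL_CHAIN[len(seen)]:   # next expected stage only
            seen.append(a.ts)
            if len(seen) == len(KILL_CHAIN):
                incidents.append((a.src, a.dst, list(seen)))
                seen.clear()
    return incidents

# Constructed sample alerts: the same source hits a vulnerable and a patched host.
SAMPLE_ALERTS = [
    Alert(100, "203.0.113.9", "10.0.0.5", "scan"),
    Alert(100, "203.0.113.9", "10.0.0.6", "scan"),
    Alert(400, "203.0.113.9", "10.0.0.5", "exploit", requires="VULN-WEB-001"),
    Alert(400, "203.0.113.9", "10.0.0.6", "exploit", requires="VULN-WEB-001"),  # false positive
    Alert(900, "203.0.113.9", "10.0.0.5", "exfiltration"),
    Alert(900, "203.0.113.9", "10.0.0.6", "exfiltration"),  # chain incomplete, no incident
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS, ASSET_VULNS):
        print("incident:", incident)
```

Only the chain against 10.0.0.5 becomes an incident; the exploit alert against the patched host is discarded, so its later exfiltration alert never completes a chain.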
GUI

  • Security dashboards: Every user can define customized dashboards composed of arbitrary charts of various security events and reports
  • GUI: A web-based graphical user interface is provided to manage, configure, search and follow up the process of identifying, analyzing and handling incidents
  • Sensor monitor: The GUI shows the activity status of the registered sensors
  • Various reports: The system has many predefined reports, and each user can define arbitrary reports. Defined reports are generated at scheduled times in PDF, HTML and Excel formats.
  • User management: The access of each SOC team member to the various product components, such as configuration, monitoring and incident handling, can be managed
  • Email notification: Once a task is assigned to a user, the user is notified via email
  • Asset discovery and vulnerability assessment: The system includes asset discovery and vulnerability assessment tools for automatically discovering assets and their vulnerabilities and adding the asset information to the knowledge base. It can also connect to an external asset discovery and vulnerability assessment tool if the organization has one.
Device Management

  • Automatic commander: Sends commands to active network devices to stop attacks by blocking malicious traffic, disabling users, killing processes, etc.
  • Custom script: Administrators can define arbitrary actions by writing a manual script and using it to respond to attacks
  • Supported devices: Supports different devices and protocols for sending commands:
      • Network device operating systems
      • Unified threat management systems
      • Network-layer and application firewalls
      • SFTP
      • Printers
      • Alarm notification systems
      • Operating systems (Windows, Linux, ...)
      • SSH, Telnet
Support Services

  • Support 24*7: Support (24*7) according to the SLA
  • Ticketing system: Ticketing system for following up customer requests
  • User manual: A user guide to the system outputs, such as detailed information on attacks and security incidents, is given to the Security Operations Center personnel, enabling them to analyze events effectively
  • Training: Training is provided for security operations center personnel, so that the trained staff can operate the system autonomously
  • Support of knowledge: Updates to the attack-detection knowledge are fully supported. In addition, special-purpose correlation rules suited to the organization's requirements and policies are supported according to the SLA.

Models

Ravin SIEM Models

Log Collector Models

Log Management Models

Correlation Response Engine Models

Deployment scheduling

The following list describes the steps to deploy the Security Operations Center in a medium-sized network.

1) Requirements Engineering

  • Identify the network and select the sensors
  • Plan the setup
  • Determine the staff

2) Setup and Customization

  • Set up the infrastructure
  • Configure the sensors to send their logs
  • Add the necessary security sensors to the network
  • Add the plugins required to cover all of the selected sensors
  • Define the new reports required
  • Customize the knowledge base entries according to the operational environment and the organization's security policies

3) Configure and Tune the system

  • Verify the initial outputs of the system against the known facts of the network
  • Determine the threshold values of the correlation rules according to the initial feedback from the system
  • Determine the verification filters for reducing false-positive incidents

4) Training and Delivery

  • Train the security operations center staff
  • Deliver the system and its management to the SOC staff

Supported applications and devices

Network Security Devices (Firewall/UTM/WAF/VPN)

  • Tarigh UTM
  • Tarigh FV
  • Tarigh WAF
  • ModSecurity
  • Keyhan VPN Server
  • IPTables
  • Cisco-PIX
  • Cisco-ASA
  • Cisco-FWSM
  • Juniper-Netscreen
  • IPFW
  • Cisco-VPN
  • Fortigate
  • Juniper-VPN
  • TippingPoint
  • FortiGuard
  • Sonicwall
  • ISA-Server
  • Checkpoint
  • Astaro
  • Netasq Alarm
  • Netasq Connection
  • Netasq Filter
  • Symantec Gateway Security
  • Cisco ACS Csv
  • Cisco ACS Syslog
  • Radius
  • Safeguard

Network Devices (Router/Switch)

  • Cisco Switch
  • Cisco Router
  • Huawei Switch
  • Huawei Router
  • Cisco CSS
  • Nortel Switch
  • Foundry
  • Juniper Router

Security Monitoring Sensors (HIDS/NIDS/Honeypot)

  • RealSecure wgm
  • OSSEC
  • Osirix
  • Juniper IDP
  • Snort
  • Suricata
  • Stonegate
  • SourceFire
  • Bro IDS
  • Cisco IPS (SDEE)
  • Cisco CSA v45
  • Cisco CSA v60
  • Cisco CSA v52
  • Tipping Point
  • Samhain
  • Tripwire
  • Symantec Network Security
  • McAfee Intercept
  • McAfee Intrushield
  • Enterasys Dragon
  • Amun
  • HoneyD

Operating Systems

  • Windows: 2003 Workstation & Server, XP, Vista, Win7, Win8, Win2008 Workstation & Server
  • Linux: pam_unix, sudo, dhcp, usbdev
  • BSD: FreeBSD, NetBSD, OpenBSD

Servers (Application servers/Web proxies)

  • PureFTP
  • ProFTPD
  • WuFTP
  • SSHD
  • NFS
  • Apache
  • IIS
  • Bind
  • VSFTP
  • Squid
  • Squid Guard
  • WebShield
  • WebSense
  • OpenNMS
  • DHCP
  • OpenLDAP

Mail Servers

  • Postfix
  • Exchange
  • Courier
  • Dovecot
  • Axigen
  • Sendmail

Antimalware (Antivirus/AntiSpam)

  • Kaspersky
  • Bitdefender
  • Avast
  • ClamAV
  • Sophos
  • Podvish
  • Symantec Endpoint Protection
  • Norton Antivirus
  • SpamAssassin
  • McAfee Antivirus
  • McAfee Antispam

Databases

  • MySQL
  • Oracle
  • PostgreSQL
  • Sybase

Scanners (Asset Discovery/Vulnerability Scanner)

  • Nmap
  • Nessus
  • NTop
  • Oval
  • McAfee FoundStone