Ravin<\/strong><\/p>\nToday, in any organization millions of events and alerts are generated by software, hardware, network and security devices daily. \u00a0Big amount of data, variety, different format and languages used in these events, makes it hard and costive to be identified, assessed and analyzed by human and may cause faults and mistakes or even be impossible in some situations.<\/p>\n
Ravin Incident and Event Management Service, makes it possible to monitor all events and alerts in organization\u2019s network continuously. All the alerts and events are collected and beside maintenance and long-term recovery, it has the ability to be monitored and analyzed continuously and immediately in order to detect the main cause of security events and response systematically.<\/p>\n
One of the most important option in Ravin SIEM is its usage in organization\u2019s security operation center (SOC). SOC shows up the state of network security and current flows with continuous monitoring (365*24).<\/p>\n
<\/p>\n
Options and features<\/strong><\/p>\n\n- Using in organization\u2019s security operation center (SOC)<\/li>\n
- Reduce the cost of collecting, identifying and analyzing alerts and events in different part of the organization network<\/li>\n
- Detect cyber-attacks and malwares and suspicious behaviors<\/li>\n
- Immediate security incident detection and network behavioral analyzes<\/li>\n
- Reduce the incident response time.<\/li>\n
- Generate statistical reports from security events, categories and priorities<\/li>\n
- Represents dashboard from immediate events and security incidents monitoring<\/li>\n
- Analyze and monitoring events and security incidents at any time<\/li>\n<\/ul>\n
<\/p>\n
Ravin SIEM components<\/strong><\/p>\n\n\n\n![\"\"](\"http:\/\/payampardaz.com\/en\/wp-content\/uploads\/sites\/2\/2020\/07\/sim.png\") <\/td>\n | Ravin SIEM<\/strong><\/p>\n <\/p>\n Ravin is presented in different models for different hardwires according to event rate (EPS) and alert saving volume<\/p>\n \u00a0<\/strong><\/td>\n<\/tr>\n\n ![\"\"](\"http:\/\/payampardaz.com\/en\/wp-content\/uploads\/sites\/2\/2020\/07\/ntlm.png\") <\/strong><\/p>\n\u00a0<\/strong><\/td>\n| Ravin<\/strong> NTLM<\/strong><\/p>\n <\/p>\n This type is commonly deployed out of line in organization network. Different flows are exported and analyzed and security alerts are sent to managers. The analyze result can also be sent to Ravin SIEM.on the other hand this service is a sensor for Ravin SIEM<\/p>\n \u00a0<\/strong><\/td>\n<\/tr>\n\n![\"\"](\"http:\/\/payampardaz.com\/en\/wp-content\/uploads\/sites\/2\/2020\/07\/ngids-150x150-1.png\") <\/td>\n | Ravin<\/strong> NGIDS<\/strong><\/p>\n <\/p>\n This type is commonly deployed out of line in organization network. traffic contents are assessed and analyzed with the purpose of detecting security and destructive events and the result is sent to Ravin SIEM. This service is categorized as Ravin SIEM network layer sensor<\/p>\n \u00a0<\/strong><\/td>\n<\/tr>\n\n ![\"\"](\"http:\/\/payampardaz.com\/en\/wp-content\/uploads\/sites\/2\/2020\/07\/edr.png\") <\/strong><\/td>\nRavin EDR<\/strong><\/p>\n \u00a0<\/strong><\/p>\nThis type is installed as a software agent in network hosts. Agents export risky security behaviors from hosts and sends to central Ravin service to be analyzed and correlated with other network events. This service is categorized as Ravin host layer sensor<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u00a0<\/strong><\/p>\nProperties and Features<\/h2>\n\n \n\n\nNetwork Intrusion Detection System<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\n| Features<\/td>\n<\/tr>\n | \n| Up to 10Gbe<\/td>\n | Throughput <\/span><\/td>\n<\/tr>\n\n| Up to 5 million concurrent sessions without packet loss<\/td>\n | Concurrent sessions<\/span><\/td>\n<\/tr>\n\n| Detects new and unknown attacks using anomaly detection methods based on learning<\/span><\/td>\n | Behavioral anomaly detection<\/span><\/td>\n<\/tr>\n\n| It has more than 18000 predefined attack signatures that can be updated continuously. This set contains different types of attacks such as scan, gain access, data manipulation, propagation, activity of malwares and denial of services.<\/span><\/td>\n | comprehensive set of attack signatures<\/span><\/td>\n<\/tr>\n\n| Web based graphical user interface<\/td>\n | GUI<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nNetwork traffic analysis sensor<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\n| Features<\/td>\n<\/tr>\n | \n| application-layer detecting of more than 170 protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http on ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.<\/span><\/td>\n | Auto detect application-layer protocols <\/span><\/td>\n<\/tr>\n\n| defines charts of packet rate, flow rate and volume usage in various time periods for different application layer protocols and add them to dashboards.<\/span><\/td>\n | Network traffic monitoring<\/span><\/td>\n<\/tr>\n\n| Receives and processes netflow reports<\/span><\/td>\n | Support netflow<\/span><\/td>\n<\/tr>\n\n| analyzes the traffic flow information and extracts new attack evidences. It learn behavior of services and users and detect abnormal manners.<\/span><\/td>\n | Traffic flow analysis<\/span><\/td>\n<\/tr>\n\n| Up to 10Gbe<\/td>\n | Throughput<\/span><\/td>\n<\/tr>\n\n| Detect malicious behaviors of attackers and automative malwares by comply network traffic flow with security policies. Administrators cloud define arbitrary rules per each security policy.<\/span><\/td>\n | Compliance Checking<\/span><\/td>\n<\/tr>\n\n| Signature based sensors problem is the lack of predefined signatures existance for detecting Zero-day attacks and malwares. Most of this attacks could cause effect on the network traffic flows.Analyzing these effects as the evidences of malicious activities, helps detecting zero-day attacks.<\/span><\/td>\n | Detect Zero-day attacks<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nLog collector<\/strong><\/td>\n<\/tr>\n\n| Description<\/td>\n | Features<\/td>\n<\/tr>\n | \n| Supports adding new organization\u2019s applications to receive their logs.<\/span><\/td>\n | Customizable for supporting various sensors.<\/span><\/td>\n<\/tr>\n\n| To be able to process Up to 20 thousands event per second on one appliance and scalable for higher rates.<\/span><\/td>\n | Throuput<\/span><\/td>\n<\/tr>\n\n| Unlimited sensor numbers<\/span><\/td>\n | Number of supported Sensors<\/span><\/td>\n<\/tr>\n\n| it is possible to define arbitrary filters for eliminating unusable logs or preventing entrance of some logs according to organization security policies.<\/span><\/td>\n | Event filters<\/span><\/td>\n<\/tr>\n\n| For reducing required bandwidth for transmitting logs through network from log collector to log manager, the log is compressed by 10:1 rate.<\/span><\/td>\n | Compression rate<\/span><\/td>\n<\/tr>\n\n| The security of the data is fulfiled by providing confidentiality and integrity of connections between modules.<\/span><\/td>\n | Secure transmit<\/span><\/td>\n<\/tr>\n\n| useing a cache for retaining received logs temporarily to prevent data loss in network disconnection.<\/td>\n | Reliable transmit <\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nLog management and Archive<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\nFeature<\/strong><\/td>\n<\/tr>\n\n| Receive and store up to 50,000 EPS<\/span><\/td>\n | Event Per Second <\/span><\/td>\n<\/tr>\n\n| Depends on storage resource volume, retention of logs is possible for three, six and 12 months.<\/span><\/td>\n | Long Retention period<\/span><\/td>\n<\/tr>\n\n| Encrypts stored data in archive to prevent unauthorized access to data.<\/span><\/td>\n | Data encryption<\/span><\/td>\n<\/tr>\n\n| Compress raw and normalized logs by at least 10:1 rate.<\/span><\/td>\n | Compression<\/span><\/td>\n<\/tr>\n\n| IDMEF and IODEF formats are used to exchange message of events and incidents between security operation center components.<\/span><\/td>\n | Message Exchange Format<\/span><\/td>\n<\/tr>\n\n| For analysts of security operations center, facilities has been provided for searching and real-time retrieval of archived data based on various parameters.<\/span><\/td>\n | Realtime Data Retrieval<\/span><\/td>\n<\/tr>\n\n| Supports the storing of data for long term archive on a external storage such as SAN and NAS.<\/span><\/td>\n | External Storage<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nCorrelation & Response Engine<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\n| Feature<\/td>\n<\/tr>\n<\/thead>\n | \n\n| Upon completion of the attacks symptoms, the incident will be reported to stop the progress of the attack.<\/span><\/td>\n | Realtime Analysis<\/td>\n<\/tr>\n | \n| Some attacks create the necessary conditions for achieving desired goal over long periods of time. For proactiving detection of their stages, different stages of the attack is related and as a result, the final goal of the attacker will be understood. <\/span><\/td>\n | Multisage correlation<\/td>\n<\/tr>\n | \n| In order to complete symptoms of the reported incidents and reduce false positive alarms, logs of network services and devices is analyzed and correlated with alerts of security softwares and devices.<\/span><\/td>\n | Cross-Device Correlation<\/td>\n<\/tr>\n | \n| Detect and eliminate false positive alerts if corresponding vulnerabilities is not exist in attack targets.<\/span><\/td>\n | verification based on assets vulnerabilities<\/td>\n<\/tr>\n | \n| the correlation engine does not miss attacks while reduces very high percent of reported events.<\/span><\/td>\n | Efficient correlation engine<\/span><\/td>\n<\/tr>\n\n| Generalized correlation rules is selected and existed in the system. These predefined rules can be customized for organization situations. In addition, analysts of security operation center can inject special purpose correlation rules to the correlation engine.<\/span><\/td>\n | Predefined and customizable correlation rules<\/span><\/td>\n<\/tr>\n\n| Detect abnormal events by statistical analysis of log producted by profiles of assets.<\/span><\/td>\n | behavioral abnormal analysis<\/span><\/td>\n<\/tr>\n\n| Unlimited<\/td>\n | The number of supported rules<\/span><\/td>\n<\/tr>\n\n| Up to 5000 EPS for an appliance and more throughputs can also be achieved by replicating multiple of them.<\/span><\/td>\n | Event per second throughput<\/span><\/td>\n<\/tr>\n\n| At the end of event analysis, attack graph will be displayed for better visually understanding of incident.<\/span><\/td>\n | Visual attack graph<\/span><\/td>\n<\/tr>\n\n| uses central knowledge management engine to handle processes of creating and updating of knowledge and guarantees integrity of knowledge. knowledge base contains information about security policies and priorities of organization, vulnerabilities of assets and etc.<\/span><\/td>\n | Integrated knowledge base<\/span><\/td>\n<\/tr>\n\n| In addition to integrated ticketing system for task tracking, neccessary automatic instruments are implemented based on a standard incident handling process. This feature is not presented in common SIEM products.<\/span><\/td>\n | Incident handling process<\/span><\/td>\n<\/tr>\n\n| supports interaction with CERT, NOS and forensics teams <\/span><\/td>\n | interaction with organization teams<\/span><\/td>\n<\/tr>\n\n| For every detected incident, a useful guideline is proposed. This guideline describes how to response to incidents and also presents operational instructions for denying a malicious traffic or removing a malware and etc and the SOC analysts could modify response guidelines or add new special cases to them. This feature is not presented in common SIEM products.<\/span><\/td>\n | incident handling guidelines<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nCorrelation & Response Engine<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\n| Feature<\/td>\n<\/tr>\n<\/thead>\n | \n\n| Upon completion of the attacks symptoms, the incident will be reported to stop the progress of the attack.<\/span><\/td>\n | Realtime Analysis<\/td>\n<\/tr>\n | \n| Some attacks create the necessary conditions for achieving desired goal over long periods of time. For proactiving detection of their stages, different stages of the attack is related and as a result, the final goal of the attacker will be understood. <\/span><\/td>\n | Multisage correlation<\/td>\n<\/tr>\n | \n| In order to complete symptoms of the reported incidents and reduce false positive alarms, logs of network services and devices is analyzed and correlated with alerts of security softwares and devices.<\/span><\/td>\n | Cross-Device Correlation<\/td>\n<\/tr>\n | \n| Detect and eliminate false positive alerts if corresponding vulnerabilities is not exist in attack targets.<\/span><\/td>\n | verification based on assets vulnerabilities<\/td>\n<\/tr>\n | \n| the correlation engine does not miss attacks while reduces very high percent of reported events.<\/span><\/td>\n | Efficient correlation engine<\/span><\/td>\n<\/tr>\n\n| Generalized correlation rules is selected and existed in the system. These predefined rules can be customized for organization situations. In addition, analysts of security operation center can inject special purpose correlation rules to the correlation engine.<\/span><\/td>\n | Predefined and customizable correlation rules<\/span><\/td>\n<\/tr>\n\n| Detect abnormal events by statistical analysis of log producted by profiles of assets.<\/span><\/td>\n | behavioral abnormal analysis<\/span><\/td>\n<\/tr>\n\n| Unlimited<\/td>\n | The number of supported rules<\/span><\/td>\n<\/tr>\n\n| Up to 5000 EPS for an appliance and more throughputs can also be achieved by replicating multiple of them.<\/span><\/td>\n | Event per second throughput<\/span><\/td>\n<\/tr>\n\n| At the end of event analysis, attack graph will be displayed for better visually understanding of incident.<\/span><\/td>\n | Visual attack graph<\/span><\/td>\n<\/tr>\n\n| uses central knowledge management engine to handle processes of creating and updating of knowledge and guarantees integrity of knowledge. knowledge base contains information about security policies and priorities of organization, vulnerabilities of assets and etc.<\/span><\/td>\n | Integrated knowledge base<\/span><\/td>\n<\/tr>\n\n| In addition to integrated ticketing system for task tracking, neccessary automatic instruments are implemented based on a standard incident handling process. This feature is not presented in common SIEM products.<\/span><\/td>\n | Incident handling process<\/span><\/td>\n<\/tr>\n\n| supports interaction with CERT, NOS and forensics teams <\/span><\/td>\n | interaction with organization teams<\/span><\/td>\n<\/tr>\n\n| For every detected incident, a useful guideline is proposed. This guideline describes how to response to incidents and also presents operational instructions for denying a malicious traffic or removing a malware and etc and the SOC analysts could modify response guidelines or add new special cases to them. This feature is not presented in common SIEM products.<\/span><\/td>\n | incident handling guidelines<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n \n\n\nGUI<\/strong><\/td>\n<\/tr>\n\nDescription<\/strong><\/td>\n| Feature<\/td>\n<\/tr>\n<\/thead>\n | \n\n| Every users can define customized dashboards designed by arbitrary charts of various security events and reports.<\/td>\n | Security dashboards<\/span><\/td>\n<\/tr>\n\n| Web-based graphical user interface features is provided to manage, configure, search and follow-up process for identifing, analying and handling the incidents.<\/span><\/td>\n | GUI<\/td>\n<\/tr>\n | \n| GUI shows activity status of the registered sensors.<\/td>\n | Sensor monitor<\/td>\n<\/tr>\n | \n| The system has many predefined useful reports. Each user can define arbitrary reports. The defined reports are generated at scheduled times in pdf, html and exel formats.<\/span><\/td>\n | Various reports<\/td>\n<\/tr>\n | \n| Each user in SOC teams is possible to manage accessibility of various product components such as configuring, monitoring and incident handling.<\/span><\/td>\n | User management<\/span><\/td>\n<\/tr>\n\n| Once a task is assigned to a user, he will be notified via email.<\/span><\/td>\n | Email Notification<\/span><\/td>\n<\/tr>\n\n | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
![\"\"](\"http:\/\/payampardaz.com\/wp-content\/uploads\/2018\/11\/info-Ravin.0.0.png\")
<\/h3>\n