SIEM
Security Information Event Management

Constantly increasing risks and losses

  • The average cost per compromised data is 127€. On average, 22,242 pieces of data are compromised during an incident (Ponemon Institute – Cost of data breach 2013).
  • Malicious and criminal attacks are the leading cause of data breaches in France, accounting for 42% of cases (with an average cost per compromised data of €142).
  • Human negligence, whether by employees or subcontractors, accounts for 31% of data breaches (€116 per compromised data).

Objectives

  • Have the practices of its teams monitored by a third party and obtain an objective opinion
  • Respond to audits, financial and regulatory controls (ISO, RGS, HDS, DMP, HIPAA…) concerning security. Prove to them that everything is done to respect the obligation of means.
  • Secure extended infrastructures without intrusion and impact

General Principle

The ability to understand and analyze observable events on an information system is essential to ensure its safety. Too often during our audits, centralized log management is an absent component of security measures. The analysis and study of solutions on the SIEM market show that the licensing system, in addition to being relatively expensive, lacks agility in managing event peaks. The integration phase with the customer’s IS is also a component not to be neglected in the implementation of such solutions.

In parallel with its activities of integration of SIEMs of major market players, ITrust has set up an alternative SIEM solution based on the following principles:

  • Perenniality – open-source solution
  • Adaptability – flexible and modular architecture
  • Simplicity – no binding license
  • Evidence – ensuring the integrity and probative value of newspapers
  • Installation of services limited to the strict minimum
  • Disabling remote access. Only a local and physical connection for maintenance is allowed.
  • Audited accesses
  • NTP time synchronization for reliable time sources

This solution allows us to offer a lower cost SIEM solution to our customers.

Architecture of the solution

SIEM

Newspaper collector

The role of this brick is to collect and archive the logs arriving from the datacenter equipment. This brick is based on a linux server hardened by ITrust to meet security constraints (mainly log integrity).

The archives are compressed and signed by strong cryptographic mechanisms ensuring the integrity of the information over time. To ensure log availability, a remote replication mechanism based on the RSync solution is automated to synchronize data every ten minutes.

Acquisition and filtering

Once the raw logs are archived and protected, a copy is sent to the acquisition and filtering brick. This function is provided by a solution that receives the event stream to process and filter them.

Logs are historically in a format that is not easily readable by a human and arrive in large numbers. It is necessary to add meaning to incoming logs to extract information. Filters are able to go far: they can handle multiline, group two events, duplicate, anonymize, geolocalize…
The data extraction mechanism based on regular expressions is very readable and can be quickly adapted to our customers’ specific application logs.

Graphique SIEM

Indexing and search engine

The indexing and search brick is provided by a very fast indexing system.
The real added value of ES lies in its ability to extract meaning from the chaos of large masses of data. Events arriving in the form of JSON-structured documents are indexed to make them quickly usable; all the fields of a line of logs are indexed and can be queried.
The technology implemented allows multiple queries to be performed on all the indices of an index in real time, a performance impossible with conventional SQL databases. By default, all data fields are indexed by the solution. All fields have a dedicated reverse index and, unlike most databases, the system can use all these reverse indices in a single query and provide instant results.

Graphique SIEM

Visualization and investigations

The graphical web frontend allows the analysis and creation of dashboards based on indexed data. This graphical engine allows to :
  • Doing Research
  • Find a single event or millions
  • Visualize trends, peaks and troughs
  • Create custom dashboards. Dashboards can integrate multiple rankings, graphs, trends… to meet the needs of different users: operators, safety managers, decision-makers…

Interests

The tool suite is mature and has a large reactive community to evolve the tools. Many filters are available to manipulate the input information to make sense of the data and extract relevant information.
There is no license system: the solution is not limited by a number of events per second nor by a daily volume. Flexibility is total since the architecture can work in cluster to support load increases, event volume evolution over time or even high availability.

Get a quote