SIEM
Security Information and Event Management
Constantly increasing risks and losses
- The average cost per compromised record is €127. On average, 22,242 records are compromised per incident (Ponemon Institute – Cost of Data Breach 2013).
- Malicious and criminal attacks are the leading cause of data breaches in France, accounting for 42% of cases (with an average cost of €142 per compromised record).
- Human negligence, whether by employees or subcontractors, accounts for 31% of data breaches (€116 per compromised record).
Objectives
- Have the practices of your teams monitored by a third party and obtain an objective opinion
- Respond to security audits and to financial and regulatory controls (ISO, RGS, HDS, DMP, HIPAA…), and prove to them that everything is done to respect the obligation of means.
- Secure extended infrastructures without intrusion and impact
General Principle
The ability to understand and analyze the events observable on an information system is essential to ensuring its security. Too often during our audits, centralized log management is absent from the security measures in place. Our analysis of the solutions on the SIEM market shows that their licensing model, in addition to being relatively expensive, lacks agility in handling event peaks. The integration phase with the customer's IS is another component not to be neglected when implementing such solutions.
In parallel with its work integrating the SIEMs of the major market players, ITrust has set up an alternative SIEM solution based on the following principles:
- Perenniality – open-source solution
- Adaptability – flexible and modular architecture
- Simplicity – no binding license
- Evidence – ensuring the integrity and probative value of logs
- Installation of services limited to the strict minimum
- Remote access disabled; only a local, physical connection is allowed for maintenance
- Audited accesses
- NTP time synchronization for reliable time sources
This solution allows us to offer our customers a lower-cost SIEM.
Architecture of the solution

Log collector
The role of this brick is to collect and archive the logs arriving from the datacenter equipment. It is based on a Linux server hardened by ITrust to meet the security constraints (mainly log integrity).
The archives are compressed and signed with strong cryptographic mechanisms, ensuring the integrity of the information over time. To ensure log availability, a remote replication mechanism based on rsync is automated to synchronize the data every ten minutes.
Acquisition and filtering
Once the raw logs are archived and protected, a copy is sent to the acquisition and filtering brick. This function is provided by a solution that receives the event stream, processes it and filters it.
Logs have historically been in a format that is not easily readable by a human, and they arrive in large numbers. Meaning must be added to incoming logs in order to extract information from them. Filters can go a long way: they can handle multiline events, group two events, duplicate, anonymize, geolocate…
The data extraction mechanism, based on regular expressions, is very readable and can be quickly adapted to our customers' specific application logs.
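As an added illustration (not code from ITrust's solution or from this page), here is the kind of regex-based extraction the filtering brick performs, written in Python: named groups turn a raw sshd line into a JSON document, the source address is anonymized with a salted hash so events from one client remain correlatable without storing the address, and lines the filter does not understand are tagged and passed on rather than silently dropped. The sample lines and the salt value are constructed.

```python
import hashlib
import json
import re

# Constructed sample lines in sshd's syslog format (not real customer logs).
SAMPLE_LOGS = [
    "Mar  3 10:15:02 bastion sshd[2241]: Failed password for root from 203.0.113.7 port 51422 ssh2",
    "Mar  3 10:15:09 bastion sshd[2241]: Accepted publickey for deploy from 198.51.100.12 port 40100 ssh2",
    "Mar  3 10:15:10 bastion kernel: [12345.678] eth0: link up",
]

# Each named group becomes a key of the JSON document that is indexed later.
SSHD_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
)


def anonymize_ip(ip: str, salt: str) -> str:
    """Replace the address by a truncated salted hash: the same client still
    yields the same token, but the raw address is never written to the index."""
    return hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()[:16]


def parse_line(line: str, salt: str = "assumed-per-customer-salt") -> dict:
    """Turn one raw line into a JSON-ready document.  Unparseable lines are
    kept and tagged so a dashboard can show how much of the stream is unknown."""
    m = SSHD_RE.match(line)
    if m is None:
        return {"message": line, "tags": ["parse_failure"]}
    doc = m.groupdict()
    doc["pid"] = int(doc["pid"])
    doc["src_port"] = int(doc["src_port"])
    doc["src_ip_hash"] = anonymize_ip(doc.pop("src_ip"), salt)
    doc["event_type"] = "ssh_auth"
    return doc


def filter_stream(lines):
    """Serialize every parsed document as one JSON line for the indexing brick."""
    return [json.dumps(parse_line(line), sort_keys=True) for line in lines]


if __name__ == "__main__":
    for doc in filter_stream(SAMPLE_LOGS):
        print(doc)
```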

Indexing and search engine
The indexing and search brick is provided by a very fast indexing system.
The real added value of ES lies in its ability to extract meaning from the chaos of large masses of data. Events arriving as JSON-structured documents are indexed to make them quickly usable; every field of a log line is indexed and can be queried.
The technology implemented allows queries to be run against every field of an index in real time, a performance impossible with conventional SQL databases. By default, every data field is indexed by the solution. Each field has a dedicated inverted index and, unlike most databases, the system can use all of these inverted indices in a single query and return instant results.

Visualization and investigations
- Search
- Find a single event or millions
- Visualize trends, peaks and troughs
- Create custom dashboards. Dashboards can combine multiple rankings, graphs, trends… to meet the needs of different users: operators, security managers, decision-makers…
Interests
The tool suite is mature and has a large, responsive community that keeps the tools evolving. Many filters are available to manipulate the input data, make sense of it and extract the relevant information.
There is no license system: the solution is limited neither by a number of events per second nor by a daily volume. Flexibility is total, since the architecture can run as a cluster to support load increases, growth in event volume over time, or even high availability.