Friday, July 09, 2010

Review: Accelops - Part One

What options have you got if you are looking to replace or upgrade your MARS appliance or another SIEM/logging solution?

A lot has changed in the SIEM space since Cisco released the Cisco Monitoring, Analysis and Response System (MARS) around early 2005.

MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and NetFlow, and to run those events against security-based rules to create incidents, producing real-time alerts as well as historical queries and reports.

Times move on, and most vendors now speak of SIEM 2.0 or second generation: more intelligent log gathering, more useful details, identity information, geo-location databases, more comprehensive Windows event collection, etc.

Now, you may already know that the original MARS creators (the Protego folks) have created a new product called AccelOps, and they believe it is a better migration path and alternative to CS-MARS than any other second-generation SIEM.

So what’s so good about AccelOps?

Well, a lot; so much that I have already decided to do this review in two parts, as there is a lot to tell after personally installing and testing the product in my lab.

Given smarter threats within more complex infrastructures, overlapping compliance mandates and the drive for resource efficiency, security operational requirements have evolved.

AccelOps has created a strong product, comparable to any SIEM 2.0 offering, and then said: OK, security events are only one part of the picture.

Let's add not only security devices but also servers, VMs, applications, the processes running on those servers, DHCP and DNS information, web server logs, application response times, wireless AP logs and flow data, and then analyse the whole lot using a highly scalable, cluster-capable VM infrastructure.

Now throw in device configs and OS patch information and switch port mappings, and grab L2 and L3 topology data across multi-vendor devices.

(So basically I can pull up IP-to-port mappings just as easily from an HP ProCurve switch as I can from a Cisco Catalyst switch.)

And while we are doing that, let's collect CPU, disk space and a whole host of performance and resource stats. Then you get the picture – literally the whole picture.

AccelOps discovers and monitors the entire infrastructure agentlessly, by receiving or polling over various protocols (SNMP, syslog, Telnet, HTTP, WMI, RPC, JDBC, JMX, VI-SDK). It also auto-detects the device type: if you send it, say, ASA logs via syslog, it will identify and appropriately process the log. Captured data is parsed and correlated in real time and can be analysed historically.

The security team gets the usual SIEM and logging features and will love its NBAD (network behaviour anomaly detection) functionality, and the ability to view flows, since it baselines network activity and alerts on anomalous behaviour. Network teams, meanwhile, will love monitoring traffic, system and application activity, tracking issues and resource consumption, and assessing assets and config changes.

All the device/system config data and recent stats get populated into a CMDB (configuration management database), so I always have device details to hand. I can view my current Palo Alto device config, or diff it against last week's working config, look up a particular user's AD group membership, the serial number of my ASA in London, which servers have IIS installed, etc., all from one place.

AccelOps has developed a hybrid data management system that stores unstructured event data (e.g. logs, flows and events) in a flat-file based database and structured data (e.g. configs) in an embedded relational database (PostgreSQL).

This enables query parallelization across clusters and solves the slow reporting problems (and storage bloat) encountered with many SIEMs as they grow. No database tuning is required, and all the historical data remains online (no need to restore archives).

This really provides the means to support root-cause analysis, conduct investigations, or produce compliance and other reports that much more efficiently. You can distinguish security issues from non-security issues that much faster, and at the same time support IT collaboration to resolve problems with a tool everyone can use.

One of the great things in AccelOps is Identity and Access Monitoring. This feature collates all primary and secondary logins, whether local on the network, remote via VPN, or wireless via an access point. Combined with DHCP and AD information, any IP address can be automatically associated with a specific user on a specific server or laptop.

This comes in really useful when you have an incident and want to establish who changed or did what, and from where, at that particular time. Or you can go back in time to assess access policy, use of terminated accounts, suspicious service account activity, or user/group actions.
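To show what that IP-to-user association involves under the hood, here is an added example of my own (not AccelOps code): it replays constructed DHCP lease events and AD logon/logoff events to answer "who, on which host, held this IP at this time", and handles the lease release and re-assignment case so an address is never blamed on its previous owner. The log formats, hostnames and account names are all made up for the illustration.

```python
# Added example (not AccelOps code): replay DHCP lease and AD logon events to
# answer "which user, on which host, held IP X at time T". All data constructed.
from datetime import datetime
DHCP_LOG = """\
2010-07-09T08:00:00 ASSIGN 10.1.1.50 lt-alice
2010-07-09T12:00:00 RELEASE 10.1.1.50 lt-alice
2010-07-09T12:30:00 ASSIGN 10.1.1.50 lt-carol
"""
AD_LOG = """\
2010-07-09T08:01:00 LOGON alice lt-alice
2010-07-09T11:55:00 LOGOFF alice lt-alice
2010-07-09T12:31:00 LOGON carol lt-carol
2010-07-09T13:00:00 LOGON svc-backup lt-carol
"""

def parse_events(text):
    """'time action x y' lines -> list of (datetime, action, x, y), oldest first."""
    return sorted((datetime.fromisoformat(t), a, x, y)
                  for t, a, x, y in (ln.split() for ln in text.splitlines()))

def host_for_ip(dhcp_events, ip, at):
    """Host holding 'ip' at 'at'; a RELEASE clears the entry (no stale owner)."""
    leases = {}
    for ts, action, lease_ip, host in dhcp_events:
        if ts > at:
            break
        if action == "ASSIGN":
            leases[lease_ip] = host
        elif action == "RELEASE":
            leases.pop(lease_ip, None)
    return leases.get(ip)

def users_on_host(ad_events, host, at):
    """All accounts logged on to 'host' at 'at' (user + service account possible)."""
    sessions = {}
    for ts, action, user, ws in ad_events:
        if ts > at:
            break
        if action == "LOGON":
            sessions.setdefault(ws, set()).add(user)
        elif action == "LOGOFF":
            sessions.get(ws, set()).discard(user)
    return tuple(sorted(sessions.get(host, ())))

def who_had_ip(ip, at_iso, dhcp_log=DHCP_LOG, ad_log=AD_LOG):
    """(hostname, users) for 'ip' at 'at_iso'; (None, ()) if it was unleased."""
    at = datetime.fromisoformat(at_iso)
    host = host_for_ip(parse_events(dhcp_log), ip, at)
    users = users_on_host(parse_events(ad_log), host, at) if host else ()
    return host, users
```

Note that a host can hold a lease with nobody logged on (between a logoff and the lease release), which is why the host and the user set are reported separately.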

Wherever source or destination IP addresses are presented in AccelOps, you can gain further information. For an internal IP address: the hostname, OS information, version, owner, and whether it is a known server or client machine on the network. For an external IP address, you can do third-party lookups to DNSstuff, SANS, Cisco SenderBase, or a honeypot database.

If I had one complaint, it would be that it lacks an on-box geo-location database for country mappings at this present time (I was told – next release).

You would be forgiven for thinking that processing all this and other performance data would slow down its SIEM-like event parsing and analytics. For many solutions it would, believe me.

AccelOps marries a virtualization cluster architecture (the system runs on VMware as a turnkey virtual software appliance) to its high-speed event parsing engine (an XML-based framework), which assures performance. Adding AccelOps VM instances to a cluster offers near-linear scaling for event correlation, search and reporting (vendor claim).

An XML-based parsing engine and compiler is used to support new devices and applications without a software upgrade – and they already support quite a decent list of mainstream devices.

I actually found this out for myself when AccelOps created a TippingPoint parser for me, and I simply copied the provided XML file to the box – it took just a couple of days.

In my opinion the Google-like real-time search, advanced search and historical reporting are superb. You can move fields around, select and filter from over 350 parsable fields, incorporate Boolean and operator logic, and group results in your display.

The beauty is that any of your results can produce on-demand or scheduled reports with charts, tables, etc., and these can be instantly added as dashboard elements (in fact, any of the dashboard fixings can be customized). The rule GUI is very similar and powerful, supporting nested rules and attributes to describe alertable scenarios. For example, certain rules (like the startup config differing from the running config) can trigger compliance alerts. Alert notification supports SNMP, SMTP, email, XML and their console (more on rule analytics in Part Two).

Reporting-wise, AccelOps comes installed with over 800 reports and corresponding rules, covering security, performance, availability and compliance, with specifics for PCI, COBIT, HIPAA/HITECH, SOX and ITIL, which are great for keeping management happy :-)

I found the AccelOps user interface to be very dynamic (it was developed in Adobe Flex), and it runs within any browser (no more Internet Explorer only!), offering anywhere, anytime use.

A word of warning, though: you may want a large monitor to get the full benefit of the variety of information presented.

That’s it for Part One. I will cover rules, dashboards and monitoring of “Business Services”, and compare AccelOps to MARS, in Part Two.

I still see organizations making large investments in SIEM alone and not having the time or resources to realize that investment.

In my opinion, AccelOps is worth putting on your SIEM/logger shortlist. They have intelligently taken bits out of SIEM, performance management, change management and business service management (BSM) and put it all together to create a tool that enables the security and IT teams to work more efficiently.

AccelOps can be deployed on-premises as a virtual appliance or delivered as Software-as-a-Service.


Anonymous said...

Great review. Waiting for part 2! Regards

Anonymous said...

Where is part deux?

Anonymous said...

Great post, I had a demo from these guys, and it looks great

Anonymous said...

How much is that device?