Friday, July 30, 2010

Review: AccelOps - Part 2

In the first part of the AccelOps review, I gave a quick overview of its many features.

In Part 2, I'd like to dig a bit deeper and cover information that serves both security and network teams: specifically dashboards, searches, rules, logical business groups (services), the virtual appliance, and a quick and simple MARS comparison.

Dashboards
One of the areas where AccelOps excels is dashboards, and there are plenty of them. You will find ready-made dashboards for incidents, applications, security and VMware, to name a few, and the set you see is tied to your login. This means you can have, for example, security in one view and performance in another, and easily adjust each view by display type, number of columns, time period and number of results. Some dashboards include topology maps with incident overlays. Elements within dashboards show additional detail on highlight, or let you drill down to the underlying data.
Specialized dashboards exist for availability, performance, security and business services, and you can build your own. A specialized dashboard is a collection of widgets that report on a specific function. Any built-in or custom report or saved search can be used as the template for a dashboard widget. Widgets offer five display types: Aggregation View (Pie), Aggregation View (Bar), Tabular View, Trend View and Combo View.

Here you can see examples of the top-firewall reports and the login-failed reports.
Remember that MARS concentrates on security logs and NetFlow, whereas AccelOps also understands many applications.

Searches

AccelOps has really improved the search function. Searches can be carried out in real time and historically. You can conduct a Google-like search and add SQL-like expressions, e.g. Logon/Logoff AND administrator. The results come with a real-time intensity graph, common in most SIEMs these days, and every result has drop-down menu selectors, which vastly improves the speed at which you can drill down into the information you need. There is also a structured search that offers considerably more functionality, including a Group By expression for putting together useful reports. Searches can be saved as reports (see Part One regarding reporting).
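
To make the search model concrete, here is an added example of my own (not AccelOps code): a minimal evaluator for Google-style queries with AND, OR, NOT and parentheses, where a bare term matches any field and field=value matches one field, followed by the Group By step that turns the hits into a report. The events are constructed and already parsed; the field names (eventType, user, srcIp, msg) are assumptions for the example, not the AccelOps schema.

```python
import re
from collections import Counter

# Constructed, already-parsed sample events. Field names are assumed for this
# example; they are not AccelOps' schema.
EVENTS = [
    {"eventType": "Win-Logon-Success", "user": "administrator", "srcIp": "10.1.1.5", "msg": "Logon success"},
    {"eventType": "Win-Logon-Failure", "user": "administrator", "srcIp": "10.1.1.9", "msg": "Logon failure"},
    {"eventType": "Win-Logoff",        "user": "administrator", "srcIp": "10.1.1.5", "msg": "Logoff"},
    {"eventType": "Win-Logon-Failure", "user": "jsmith",        "srcIp": "10.1.1.9", "msg": "Logon failure"},
    {"eventType": "ASA-Deny",          "user": "",              "srcIp": "192.0.2.7", "msg": "Deny tcp src outside:192.0.2.7/4455"},
]

# Tokens: parentheses, the keywords AND/OR/NOT, and anything else as a search term.
TOKEN_RE = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bNOT\b|[^\s()]+")


def parse(query):
    """Recursive-descent parser. expr := term (OR term)*; term := factor (AND? factor)*;
    factor := NOT factor | '(' expr ')' | TERM. Adjacent terms imply AND, as in a web search."""
    tokens = TOKEN_RE.findall(query)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of query")
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():
        node = term()
        while peek() == "OR":
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND":
                take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok == "NOT":
            return ("not", factor())
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        return ("match", tok)

    tree = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return tree


def matches(node, event):
    """Evaluate a parsed query against one event; bare terms are case-insensitive substring matches."""
    kind = node[0]
    if kind == "match":
        term = node[1]
        if "=" in term:                       # field=value restricts the match to one field
            field, value = term.split("=", 1)
            return str(event.get(field, "")).lower() == value.lower()
        return any(term.lower() in str(v).lower() for v in event.values())
    if kind == "not":
        return not matches(node[1], event)
    if kind == "and":
        return matches(node[1], event) and matches(node[2], event)
    return matches(node[1], event) or matches(node[2], event)   # "or"


def search(events, query):
    tree = parse(query)
    return [ev for ev in events if matches(tree, ev)]


def group_by(events, field):
    """The Group By step: a count per value of one field, the basis of a top-N report."""
    return Counter(ev.get(field, "") for ev in events)


if __name__ == "__main__":
    hits = search(EVENTS, "(logon OR logoff) AND administrator")
    print(len(hits), "events for administrator")
    print(group_by(search(EVENTS, "logon failure"), "srcIp"))
```

A term such as Logon/Logoff is just one bare term to this tokenizer (the slash is not special), so the real product's event-type groups are approximated here by searching the words logon and logoff; the point is the Boolean tree and the Group By over its hits.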

Rules/Tuning

SIEMs must have a solid rules engine. AccelOps supports event-based rules, statistical threshold-based rules, time-of-day-based rules, and so on. Better still, you can easily create rule exceptions so that a rule won't fire during your maintenance hours, or if the server already has the Microsoft patch that fixes the particular vulnerability the rule looks for.
Rules can be built from over 300 source attributes, and a competent mixture of useful performance, availability, change, security and compliance rules comes built in (and can be copied and edited).
AccelOps supports everything from simple threshold analytics to complex nested logic that can describe a variety of scenarios. Rules can be applied to devices, conditions and even services (described below). The rule language supports multiple sub-patterns (AND, OR, FOLLOWED_BY, ...) and a broad set of operators (equals, greater than, contains, between, ...).
As an example, take the DNS Botnet rule (clearer in the screenshots, but the key point is that rules can reference other rules). The DNS Botnet rule references three other rules, and all three must match before an incident is created:

If this pattern occurs, referencing the three other rules, generate an incident.
One of the referenced rules, for example, looks for excessive DNS queries in flow data or log data,
where the source is not a defined DNS application or a known DNS server, and the source is an internal IP.

I think you get the idea: there is a lot more flexibility, and applications, flow data, conditions and so on can all be referenced.
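
As an added example (my own code, not the AccelOps rule language), here is that DNS Botnet logic written out as three sub-rules combined by a parent rule, run over constructed NetFlow-style records, with a maintenance-window exception of the kind described above. The threshold, window size, list of known DNS servers and internal ranges are assumptions to be tuned to your own baseline; "defined DNS application" is approximated by the known-server list.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: tune to your own environment and baseline.
KNOWN_DNS_SERVERS = {"10.0.0.53"}                      # a "known DNS server" per the CMDB
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_QUERY_THRESHOLD = 100                              # queries per window counted as "excessive"
WINDOW = timedelta(minutes=5)
MAINTENANCE_WINDOWS = [(datetime(2010, 7, 30, 2, 0), datetime(2010, 7, 30, 4, 0))]

# Constructed NetFlow-style records: (timestamp, srcIp, dstIp, dstPort, packets).
FLOWS = [
    (datetime(2010, 7, 30, 9, 0, 10), "10.1.5.20",   "10.0.0.53",    53,  60),
    (datetime(2010, 7, 30, 9, 3, 40), "10.1.5.20",   "10.0.0.53",    53,  70),   # 130 in the 09:00 window
    (datetime(2010, 7, 30, 9, 1,  5), "10.1.5.21",   "10.0.0.53",    53,  40),   # below threshold
    (datetime(2010, 7, 30, 9, 2,  0), "10.0.0.53",   "198.51.100.1", 53, 500),   # the DNS server itself, recursing
    (datetime(2010, 7, 30, 9, 2, 30), "203.0.113.9", "10.0.0.53",    53, 300),   # external source
    (datetime(2010, 7, 30, 3, 10, 0), "10.1.5.22",   "10.0.0.53",    53, 200),   # inside the maintenance window
    (datetime(2010, 7, 30, 9, 0, 20), "10.1.5.20",   "10.1.2.3",    445, 900),   # not DNS, ignored
]


def window_start(ts):
    """Align a timestamp to the start of its 5-minute window."""
    minutes = ts.minute - ts.minute % int(WINDOW.total_seconds() // 60)
    return ts.replace(minute=minutes, second=0, microsecond=0)


# Sub-rule 1: excessive DNS queries per source and window, from flow (or, equally, log) data.
def excessive_dns_queries(records, threshold=DNS_QUERY_THRESHOLD):
    counts = defaultdict(int)
    for ts, src, _dst, dport, n in records:
        if dport == 53:
            counts[(window_start(ts), src)] += n
    return {key: n for key, n in counts.items() if n > threshold}


# Sub-rule 2: the source is not a known DNS server (which legitimately makes many queries).
def not_known_dns_server(src):
    return src not in KNOWN_DNS_SERVERS


# Sub-rule 3: the source is an internal address.
def is_internal(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


# Rule exception: suppress incidents during declared maintenance windows.
def in_maintenance(ts):
    return any(start <= ts < end for start, end in MAINTENANCE_WINDOWS)


def dns_botnet_incidents(records):
    """Parent rule: all three sub-rules must match for the same source and window to raise an incident."""
    incidents = []
    for (wstart, src), n in sorted(excessive_dns_queries(records).items()):
        if not_known_dns_server(src) and is_internal(src):
            if in_maintenance(wstart):
                continue
            incidents.append({"rule": "DNS Botnet", "window": wstart, "srcIp": src, "dnsQueries": n})
    return incidents


if __name__ == "__main__":
    for incident in dns_botnet_incidents(FLOWS):
        print(incident)
```

Only 10.1.5.20 produces an incident: the DNS server's own recursion, the external source and the below-threshold host fail one sub-rule each, and the host inside the maintenance window is suppressed by the exception rather than by the rule logic.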

Services

AccelOps has the notion of a business service: a smart container of network devices, servers and applications serving a common business purpose. Within the CMDB, users create a business service via a wizard that starts with selecting an application or device category, let's say an e-commerce database application. AccelOps then shows the specific database applications and the specific servers. Selecting the application server also automatically brings up the layer-3 devices such as switches. Once the specific web server and layer-3 devices are added to the defined service, any rules associated with those monitored devices are inherited by the service.

This is an intelligent approach to understanding device relationships, tracking services and pinpointing any issues affecting services. Every incident is tagged with the affected business service, which can be used to prioritize responses. So you can very quickly identify, if Switch X goes down, which applications and services will be impacted. Beyond severity, AccelOps shows business impact.
Services can be monitored not only by parsing logs and other sources such as NetFlow for stopped and started services or changed configuration, but also by synthetic transaction monitoring tests. Users can define and monitor simple or nested transactions for the likes of HTTP, LDAP, DNS, FTP, SMTP, etc. The results of these tests can tell you whether a particular service is hung (or slow): the server thinks it is working, but it is not responding. Rules can also reference synthetic transaction results.

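
Two pieces of this are easy to show in code. Below is an added example of my own (not AccelOps' CMDB or probe code): a hypothetical service-to-component dependency map used to answer "if Switch X goes down, which services are impacted" and to tag an incident with its business impact, plus a synthetic HTTP transaction that tells a hung service (TCP accepts, nothing ever answers) apart from one that is down. Device names and dependencies are invented for the example, and the probe runs against a throwaway local listener.

```python
import socket
import threading
import time
from collections import defaultdict

# Hypothetical CMDB data: business services and their components, and what each
# component depends on. Names and relationships are invented for this example.
SERVICES = {
    "ecommerce": ["web01", "db01"],
    "intranet":  ["web02"],
    "mail":      ["mx01"],
}
DEPENDS_ON = {
    "web01": ["sw-dmz-1"],
    "db01":  ["sw-core-1"],
    "web02": ["sw-core-1"],
    "mx01":  ["sw-dmz-1"],
    "sw-dmz-1": ["sw-core-1"],
    "sw-core-1": [],
}


def affected_components(failed):
    """Everything that transitively depends on `failed`, including `failed` itself."""
    reverse = defaultdict(set)
    for comp, deps in DEPENDS_ON.items():
        for dep in deps:
            reverse[dep].add(comp)
    seen, stack = set(), [failed]
    while stack:
        comp = stack.pop()
        if comp not in seen:
            seen.add(comp)
            stack.extend(reverse[comp])
    return seen


def impacted_services(failed):
    """Business services with at least one component in the blast radius of `failed`."""
    hit = affected_components(failed)
    return sorted(name for name, comps in SERVICES.items() if hit.intersection(comps))


def tag_incident(incident):
    """Attach business impact to a device-level incident (an incident 'tagged with the affected service')."""
    return dict(incident, services=impacted_services(incident["host"]))


def synthetic_http_check(host, port, timeout=1.0):
    """Synthetic transaction: 'up' (200 OK), 'hung' (TCP accepts, no answer), 'down' (refused) or 'degraded'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(1024)
    except socket.timeout:
        return "hung"        # the process is alive and listening but never responds
    except OSError:
        return "down"
    return "up" if reply.startswith(b"HTTP/1.") and b" 200 " in reply else "degraded"


def start_local_listener(respond):
    """Throwaway local server for the demo: answers 200 OK, or accepts and stays silent when respond=False."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        if respond:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
        else:
            time.sleep(3)   # hold the connection open without answering
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("sw-core-1 down ->", impacted_services("sw-core-1"))
    print(tag_incident({"host": "db01", "rule": "Database process stopped"}))
    print("healthy:", synthetic_http_check("127.0.0.1", start_local_listener(respond=True)))
    print("hung:   ", synthetic_http_check("127.0.0.1", start_local_listener(respond=False)))
```

The "hung" verdict is the one a process monitor or a port scan cannot give you: the port is open and the daemon is running, so from the server's point of view everything is fine, and only a transaction with a deadline exposes the problem.
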
Appliance/Software vs. Virtual Appliance

One complaint I see with standard SIEMs is that they can be too slow at running queries, especially when you are firing in many events. With a hardware appliance, once you have bought the hardware you are pretty much stuck with it, which becomes a problem once you reach the processor's limit, when a new feature only ships for a later model, or when storage capacity is exhausted. The AccelOps solution is a virtual appliance that runs on your own hardware under VMware. VMware brings advantages for availability and performance and makes AccelOps very scalable: if capacity is maxed out or queries get sluggish, have VMware reserve more capacity, or license and fire up another VM image of the AccelOps virtual appliance, and as part of a cluster it automatically load-balances the processing. AccelOps has separated computation from storage, so under VMware you just point it at the NAS/SAN storage, configure it to your RAID liking, and add more as required. All the data stays online, with no need to restore partial archives. Maintaining the system, including updates or adding new device parsers, takes little effort.

Brief Comparison Table

MARS – Device support is mostly Cisco plus a few select third-party devices (no support beyond current devices, as per Cisco's notification); NetFlow v5, v9; SNMP v1, v2, v3.
AccelOps – Cisco devices and a growing vendor list (parsers can be updated without a new release); NetFlow v5, v9; SNMP v1, v2, v3.

MARS – Integration with CSM and Cisco IPS sensors (pulls raw packet traces directly from the IPS).
AccelOps – Does not support CSM, but supports Cisco and all other major IDS/IPS vendors. Also has IDS/IPS false-positive tagging to reduce noise from invalid incident alerts.

MARS – Basic level of device attributes (hard-coded) and modest reporting flexibility (no dashboards).
AccelOps – Extensive device attributes, easy to update, with extensive search, reporting and dashboard capabilities.

MARS – Topology graphs are static.
AccelOps – Topology graphs are dynamic (e.g. incident and statistics overlays), can be saved, and items can be moved around. Very customizable dashboards.

MARS – No CMDB or business service concept.
AccelOps – Automated CMDB with configuration versioning and business-service component grouping.

MARS – Case management.
AccelOps – Case management with incident filtering, auto-suppression rules, exception management and full ticketing.

MARS – Designed for a single enterprise.
AccelOps – Designed for enterprise and multi-tenancy; very suitable for MSSPs.

MARS – Disk space restricted by the appliance; weeks to months of data, then archiving is required.
AccelOps – Hybrid data management avoids that problem; everything stays online, long-term.

MARS – Very large-scale deployments with Global/Local Controller.
AccelOps – Yes, with virtual-appliance dynamic clustering, remote collector virtual appliances and multi-tenancy. Has EPS elasticity to absorb peak event/log spikes without dropping data.


To summarize: AccelOps is well suited to supporting the security and network teams of mid-to-large enterprises and service providers alike.

AccelOps is a SIEM and more than a SIEM. The product works right out of the box. It is also customizable and, as a virtual appliance, pretty simple to expand. At the same time, it has the capabilities to consolidate multiple tools in the enterprise. Definitely one to put on your shortlist if you are looking for a new SIEM / log management solution, or to replace your current one.

I hope you enjoyed my overview of AccelOps (tested on version 1.6.4 and, more recently, version 2.1). Next, I'm going to look at some more of the Cisco SIEM Deployment Guides, starting with the Cisco Security Application for Splunk.


Tuesday, July 27, 2010

New Cisco SIEM Deployment Guide

Cisco has released the Security Information and Event Management (SIEM) Deployment Guide as part of its Smart Business Architecture, Borderless Networks for Enterprise Organizations.

Personally, this looks like a first step Cisco is making to work with other SIEM vendors to handle non-Cisco and Cisco devices.

"This guide is for security operations personnel in enterprise organizations who want to understand the benefits of deploying Cisco infrastructure with security information and event management (SIEM) products, and learn how Cisco infrastructure helps deliver those benefits."


"Customers have a major investment in Cisco technology, and they rely on Cisco to provide secure, robust, scalable, and interoperable solutions. Cisco is partnering with best-in-class companies through the Cisco® Developer Network to deliver a security information and event management system that enhances the diverse security and reporting needs of our mutual customers. This integration enables customers to take advantage of Cisco’s infrastructure intelligence using the operational tools that are best suited to their environment."


"If CS-MARS is already deployed for monitoring and correlating events from Cisco devices, organisations can archive data from CS-MARS and import it into third-party SIEM solutions for consolidating events into a single dashboard. In a heterogeneous environment, it is recommended using third-party SIEM solutions."

Well worth a quick read, especially if you are new to SIEM.

Wednesday, July 21, 2010

SIEMLink with MARS

Although not exactly new news, you may not know that one of the complaints from the security community regarding MARS (and, to be honest, most SIEMs) is the lack of real session data, or raw packets, for incident response.

Now, one of the hottest products around in this arena is NetWitness.

"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness NextGen product suite. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data."

NetWitness has a product called SIEMLink that can be used with your NetWitness setup to interface with MARS.

Simply install the SIEMLink product and browse the MARS interface. Anywhere you see IP address information, e.g. in an incident, you can highlight the IP and send it to the NetWitness product to reconstruct the traffic.


I actually did a demonstration of this a few months ago in London, as part of an ASA Botnet demo; you can see the process here.

I should also mention that you can do this with more than just MARS. I have personally done this with Palo Alto, QRadar and Lancope.


NetWitness also provides a free edition to the community; I would seriously recommend checking it out if this is of interest to you.

You can see some YouTube videos of NetWitness in action here; well worth 5 minutes of your time.

Further news on the upcoming NetWitness v9.5 has just been released, if you are interested.

One of the most compelling areas they have been working on is content extraction: the extraction and analysis of malware, and the collection of certain types of content such as executables, PDF files, etc.

And for enterprise customers, NetWitness Visualize is a great new feature of Informer 2.0.

A YouTube video of the new version is here, and a demonstration site for the new Visualize features can be accessed here.

Friday, July 09, 2010

Review: AccelOps - Part One

What options have you got, if you are looking to replace or upgrade your MARS appliance or other SIEM/logging solution?

A lot has changed in the SIEM space since Cisco released the Cisco Security Monitoring, Analysis and Response System (CS-MARS) in early 2005.

MARS was one of the first products to collect, normalize and correlate event logs from all the major security vendors, systems and NetFlow, run those events against security-based rules to create incidents, and provide real-time alerts, historical queries and reporting.

Times move on, and most vendors now speak of SIEM 2.0 or second-generation SIEM, with more intelligent log gathering, more useful detail, identity information, geo-location databases, more comprehensive Windows event collection, etc.

Now, you may already know that the original MARS creators (the Protego folks) have created a new product called AccelOps, and they believe it is a better migration path and alternative to CS-MARS than any other second-generation SIEM.

So what’s so good about AccelOps?

Well, a lot. So much, in fact, that I have already decided to do this review in two parts, as there is a lot to tell after personally installing and testing the product in my lab.

Given smarter threats within more complex infrastructures, compliance mandate overlaps and the drive for resource efficiencies – security operational requirements have evolved.

AccelOps has built a product comparable to a strong SIEM 2.0 and then said: OK, security events are only one part of the picture.

Let's add not only security devices but servers, VMs, applications, processes running on those servers, DHCP and DNS information, web server logs, application response times, wireless AP logs and flow data, and then analyse the whole lot using a highly scalable, cluster-capable VM infrastructure.

Now throw in device configs and OS patch information, switch port mappings, and L2 and L3 topology data across multi-vendor devices.

(So basically I can pull up IP-to-port mappings just as easily from an HP ProCurve switch as I can from a Cisco Catalyst switch.)


And while we are doing that, let's collect CPU, disk space and a whole host of performance and resource stats. Then you get the picture, literally the whole picture.


AccelOps discovers and monitors the entire infrastructure agentlessly, receiving or polling via various protocols (SNMP, syslog, Telnet, HTTP, WMI, RPC, JDBC, JMX, VI-SDK). It also auto-detects the device type: if you send it, say, ASA logs via syslog, it will identify them and process them appropriately. Captured data is parsed and correlated in real time and can be analysed historically.

The security team gets the usual SIEM and logging features and will love the NBAD functionality (and the ability to view flows), since it baselines network activity and alerts on anomalous behavior. Network teams will love monitoring traffic, system and application activity, tracking issues and resource consumption, and assessing assets and configuration changes.


All the device/system configuration data and recent stats are populated into a CMDB (configuration management database), so I always have device details to hand. I can view my current Palo Alto device config, or diff it against last week's working config, check a particular user's AD group membership, the serial number of my ASA in London, which servers have IIS installed, etc., all from one place.

AccelOps has developed a hybrid data management system that stores unstructured event data (e.g. logs, flows and events) in a flat-file-based store and structured data (e.g. configs) in an embedded relational database (PostgreSQL).

This enables query parallelization across the cluster and solves the slow-reporting problem (and storage bloat) encountered with many SIEMs as they grow. There is no database tuning required, and all the historical data remains online (no need to restore archives).

This provides the means to support root-cause analysis, conduct investigations, and produce compliance and other reports much more efficiently. You can separate security issues from non-security issues faster, and at the same time support IT collaboration in resolving problems, with a tool everyone can use.

One of the great things in AccelOps is the Identity and Access Monitoring. This feature collates all primary and secondary logins, whether local on the network, remote via VPN, or wireless via an access point. Combined with DHCP and AD information, any IP address can be automatically associated with a specific user on a specific server or laptop.


This comes in really useful when you have an incident and want to establish who changed or did what, from where, at that particular time. Or go back in time to assess access policy, use of terminated accounts, suspicious service account activity, or user/group actions.
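
Here is how that IP-to-user association works in practice, as an added example of my own rather than AccelOps code. DHCP lease lines give IP to MAC/hostname over time, host login lines give hostname to user, and VPN assignment lines bind a pool address directly to a user; the query is "who was at this IP at this time". All log lines are constructed and their formats are assumed. Lease expiry is deliberately not modelled: the most recent lease before the time asked about is taken as current, which is the usual simplification and the usual source of wrong answers when a pool recycles addresses quickly.

```python
import re
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed log lines; the formats are assumed for this example (they are not
# real DHCP, AD or VPN output, and not what AccelOps ingests verbatim).
DHCP_LOG = r"""
2010-07-30 08:55:02 DHCPACK on 10.1.2.33 to 00:1a:2b:3c:4d:5e (laptop-alice) via eth0
2010-07-30 13:40:10 DHCPACK on 10.1.2.33 to 00:aa:bb:cc:dd:ee (laptop-bob) via eth0
2010-07-30 09:10:44 DHCPACK on 10.1.2.40 to 00:11:22:33:44:55 (ws-carol) via eth0
"""
LOGIN_LOG = r"""
2010-07-30 08:56:30 AUTH host=laptop-alice user=CORP\alice result=success
2010-07-30 13:41:05 AUTH host=laptop-bob user=CORP\bob result=success
2010-07-30 14:02:17 VPN assigned=10.1.9.7 user=CORP\dave result=success
2010-07-30 09:11:00 AUTH host=ws-carol user=CORP\carol result=success
"""

LEASE_RE = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to (\S+) \((\S+)\)")
AUTH_RE = re.compile(r"^(\S+ \S+) AUTH host=(\S+) user=(\S+) result=success")
VPN_RE = re.compile(r"^(\S+ \S+) VPN assigned=(\S+) user=(\S+) result=success")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def build_index(dhcp_log, login_log):
    """Index IP -> leases (ts, mac, host), host -> logins (ts, user) and VPN IP -> (ts, user), each sorted by time."""
    leases, logins, vpn = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in dhcp_log.splitlines():
        m = LEASE_RE.match(line)
        if m:
            leases[m[2]].append((_ts(m[1]), m[3], m[4]))
    for line in login_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            logins[m[2]].append((_ts(m[1]), m[3]))
            continue
        m = VPN_RE.match(line)
        if m:
            vpn[m[2]].append((_ts(m[1]), m[3]))
    for table in (leases, logins, vpn):
        for entries in table.values():
            entries.sort()
    return leases, logins, vpn


def _latest_before(entries, when):
    """Most recent entry with timestamp <= when, or None (binary search on the sorted list)."""
    i = bisect_right([e[0] for e in entries], when)
    return entries[i - 1] if i else None


def who_was_at(index, ip, when):
    """Answer 'who was using this IP at this time?'. The most recent lease before `when`
    is assumed still current (lease expiry is not modelled)."""
    if isinstance(when, str):
        when = _ts(when)
    leases, logins, vpn = index
    assignment = _latest_before(vpn.get(ip, []), when)
    if assignment:                      # remote user: the VPN pool assignment binds IP to user directly
        return {"ip": ip, "user": assignment[1], "host": None, "via": "vpn"}
    lease = _latest_before(leases.get(ip, []), when)
    if lease is None:
        return None
    _, mac, host = lease
    login = _latest_before(logins.get(host, []), when)
    return {"ip": ip, "user": login[1] if login else None, "host": host, "mac": mac, "via": "dhcp+ad"}


if __name__ == "__main__":
    index = build_index(DHCP_LOG, LOGIN_LOG)
    print(who_was_at(index, "10.1.2.33", "2010-07-30 10:00:00"))
    print(who_was_at(index, "10.1.2.33", "2010-07-30 14:00:00"))
    print(who_was_at(index, "10.1.9.7", "2010-07-30 15:00:00"))
```

The same address, 10.1.2.33, resolves to alice in the morning and to bob in the afternoon; asked about a moment after the lease but before the first login, the answer is the host with no user yet, which is the honest result rather than a guess.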

Wherever source or destination IP addresses are presented in AccelOps, you can get further information. For an internal IP address: the hostname, OS information and version, owner, and whether it is a known server or client machine on the network. For an external IP address, you can do third-party lookups against DNSstuff, SANS, Cisco SenderBase or a honeypot database.

If I had one complaint, it would be that it lacks an on-box geo-location database for country mappings at present (I was told: next release).

You would be forgiven for thinking that processing all this and the other performance data would slow its SIEM-like event parsing and analytics. For many solutions it would, believe me.

AccelOps marries a virtualization cluster architecture (the system runs on VMware as a turnkey virtual appliance) to its high-speed event parsing engine (an XML-based framework), which assures performance. Adding AccelOps VM instances to a cluster offers near-linear scaling for event correlation, search and reporting (vendor claim).


An XML-based parsing engine and compiler are used to support new devices and applications without a software upgrade, and they already support quite a decent list of mainstream devices.

I actually found this out for myself when AccelOps created a TippingPoint parser for me; I simply copied the provided XML file to the box, and the whole thing took just a couple of days.
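
To illustrate what a data-driven parser looks like, here is an added example of my own, not AccelOps code: parser definitions live in XML, each with a detect pattern (the device auto-detection described earlier) and named-group regexes that produce normalized fields, so supporting a new device means adding a parser element rather than shipping new software. The XML schema, the TippingPoint and ASA line formats and the sample lines are all inventions for this example and do not reflect the actual AccelOps parser format.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical parser definitions. The <parser>/<detect>/<pattern> schema is this
# example's own; AccelOps' real XML format is not shown on the page. Each pattern
# is a regex whose named groups become the normalized event fields.
PARSER_DEFS = r"""
<parsers>
  <parser name="cisco-asa" deviceType="Cisco ASA">
    <detect>%ASA-\d-\d{6}</detect>
    <pattern eventType="ASA-Deny"><![CDATA[
      %ASA-\d-(?P<msgId>106023): Deny (?P<proto>\w+) src \w+:(?P<srcIp>[\d.]+)/(?P<srcPort>\d+) dst \w+:(?P<dstIp>[\d.]+)/(?P<dstPort>\d+)
    ]]></pattern>
  </parser>
  <parser name="tippingpoint-sms" deviceType="TippingPoint IPS">
    <detect>TippingPoint</detect>
    <pattern eventType="TippingPoint-IPS-Alert"><![CDATA[
      TippingPoint: sev=(?P<severity>\d) sig="(?P<signature>[^"]+)" src=(?P<srcIp>[\d.]+) dst=(?P<dstIp>[\d.]+)
    ]]></pattern>
  </parser>
</parsers>
"""

# Constructed syslog lines for the demo (formats invented to match the patterns above).
SAMPLE_LINES = [
    'Jul 30 09:01:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/4455 dst inside:10.1.2.3/445 by access-group "outside_in"',
    'Jul 30 09:01:05 sms1 TippingPoint: sev=3 sig="HTTP: SQL Injection" src=203.0.113.5 dst=10.1.2.10',
    'Jul 30 09:01:07 app1 nothing any loaded parser recognises',
    'Jul 30 09:01:09 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.7/443 to inside:10.1.2.3/51234',
]


class DeviceParser:
    def __init__(self, element):
        self.name = element.get("name")
        self.device_type = element.get("deviceType")
        self.detect = re.compile(element.findtext("detect").strip())
        self.patterns = [(p.get("eventType"), re.compile(p.text.strip()))
                         for p in element.findall("pattern")]

    def parse(self, line):
        """Normalize one line with this device's patterns, or None if no pattern fits."""
        for event_type, regex in self.patterns:
            m = regex.search(line)
            if m:
                return {"eventType": event_type, "deviceType": self.device_type, **m.groupdict()}
        return None


def load_parsers(xml_text):
    """Compile every <parser> in the XML; adding a device means adding an element, not code."""
    return [DeviceParser(el) for el in ET.fromstring(xml_text).findall("parser")]


def parse_line(parsers, line):
    """Auto-detect the device type from the line itself, then normalize it with that parser.
    A detected device whose message has no pattern yet is kept, flagged as unparsed, rather than dropped."""
    for parser in parsers:
        if parser.detect.search(line):
            return parser.parse(line) or {"eventType": parser.name + "-Unparsed",
                                          "deviceType": parser.device_type, "raw": line}
    return {"eventType": "Unknown", "raw": line}


PARSERS = load_parsers(PARSER_DEFS)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(PARSERS, line))
```

The fourth sample line shows the case that matters operationally: the ASA is recognised but message 302013 has no pattern, so the event is retained as "cisco-asa-Unparsed" with its raw text, and adding the pattern later is again an XML change.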

In my opinion the Google-like real-time search, advanced search and historical reporting are superb. You can move fields around, select and filter from over 350 parsable fields, incorporate Boolean and operator logic, and group results in your display.



The beauty is that any of your results can produce on-demand or scheduled reports with charts, tables, etc., and these can be instantly added as dashboard elements (in fact, any of the dashboard fixtures can be customized). The rule GUI is very similar and just as powerful, supporting nested rules and attributes to describe alertable scenarios. For example, certain rules (such as the startup config differing from the running config) can trigger compliance alerts. Alert notification supports SNMP, SMTP/email, XML and the AccelOps console (more on rule analytics in Part 2).

Reporting-wise, AccelOps comes with over 800 reports and corresponding rules installed, covering security, performance, availability and compliance, with specifics for PCI, COBIT, HIPAA/HITECH, SOX and ITIL, which are great for keeping management happy :-)


I found the AccelOps user interface to be very dynamic (it was developed in Adobe Flex), and it runs within any browser (no more Internet Explorer only!), offering anywhere, anytime use.

A word of warning, though: you may want a large monitor to get the full benefit of the variety of information presented.

That's it for Part One. I will cover rules, dashboards and monitoring of "Business Services", and compare AccelOps to MARS, in Part Two.

I still see organizations making large investments in SIEM alone, and not having the time or resources to realize that investment.

In my opinion, AccelOps is worth putting on your SIEM/logger shortlist. They have intelligently taken bits out of SIEM, performance management, change management and business service management (BSM) and put it all together to create a tool that enables the security and IT teams to work more efficiently.

AccelOps can be deployed on-premise as a virtual appliance or delivered as a Software-as-a-Service.

Thursday, July 08, 2010

MARS Blog Update

You may have noticed that Gartner left Cisco MARS out of the SIEM Magic Quadrant for 2010.

And although it was hard to find, Cisco did come out and say that MARS will in future concentrate on Cisco-only devices and critical host OSes. (And then recently released 6.07 with support for Windows 2008.)

Cisco has also recently announced that Cisco Security Agent has gone End of Sale, but there have been NO similar notices for MARS. It is very much still alive.

But if you are NOT a pure Cisco network, you may be looking at the market to replace MARS with another product that can handle your third-party applications and devices.

In my next few articles, I am going to review a couple of alternatives, if you are looking to change and make the most of your network.

But I am (as always) on the lookout for "Guest Articles" on making the most of your MARS deployment. So come on, get involved!

Or, as I think the direction the blog may take: Monitoring and Analysis of your Routers and Switches (or Monitoring of Applications, Resources and Security).