When we look at the offerings of the SIEM market leaders, each of them builds its environment from two elements: log analysis and network traffic analysis.
If you want to build this element in your infrastructure, add behavioral analysis of network traffic to the Energy Logserver environment.
Flowmon ADS is a perfect choice for that. Its analytical rules track network traffic on the basis of flow protocols or traffic copies and automatically generate security incidents. There are many ADS rules; the embedded rules cover several areas:
- Network errors and misconfiguration detection – ADS will fire an alarm whenever non-RFC traffic is recognized, misconfigured IPv6 hosts are working in the network, strange broadcast packets are detected … and many more
- “Zero day” exploit detection – ADS uses network behavior to learn what is typical and what is not in terms of IP addresses, ports, utilization, country reputation, applications, flows, etc. Once we have learned what is normal, we can raise an alarm when we see a risky change
- Unwanted traffic detection – ADS learns about the network, and every new application or protocol becomes a security question. If someone starts a mail exchanger in your network, ADS will automatically raise an alarm saying where the traffic came from and what its IP, MAC and VLAN are.
Data from Flowmon ADS do not so much illustrate the number of packets sent from A to B; rather, they draw our attention to the transmission that is suspicious in a security context. Each incident has a threat rank, which places it on the reports with the right priority.
The value of this approach hardly needs arguing.
Let's get a new dimension
Let's combine this dynamic security system with 100% of the logs from our operating systems and applications, and Flowmon's incidents will gain a new dimension: network security will be combined with the operation of the application.
Can it be done?
Flowmon readily sends information about security events to the SIEM system as CEF messages over syslog.
What we will see in the system: the potential of this integration.
All fields from the Flowmon analysis are available to us as variables, which lets us search for any other traces of the infected IP address in our infrastructure. Everything is presented on a synchronized timeline, which also helps in observing trends and deviations.
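As an added example (not Flowmon's or Energy Logserver's own code), here is a parser for such a syslog-delivered CEF line that exposes every header and extension field as a variable and renames the pivot fields to Elastic Common Schema names so they line up with OS and application logs. The sample message, the vendor/product strings and the extension keys are constructed for illustration, not taken from a real ADS event.

```python
import re

# Constructed sample: one syslog line carrying a CEF message. It is not a real
# Flowmon ADS message; the vendor/product/extension names are assumptions.
SAMPLE = (
    "<134>Jan 12 10:15:03 flowmon-ads CEF:0|Flowmon|ADS|11.1|SCANS|"
    "Port scan detected|7|src=10.0.0.25 dst=10.0.0.5 spt=51234 dpt=445 "
    "proto=TCP cnt=312 msg=Vertical TCP scan\\= 312 ports start=1705054500000"
)
HEADER = ["version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity"]
# CEF extension keys -> Elastic Common Schema names, so the ADS event lines up
# with the OS and application logs already indexed under those field names.
ECS_MAP = {"src": "source.ip", "dst": "destination.ip", "spt": "source.port",
           "dpt": "destination.port", "proto": "network.transport"}
# One header field: a run of escaped pairs ('\|', '\\') or plain chars, then '|'.
HEADER_RE = re.compile(r"((?:\\.|[^\\|])*)\|")
ESCAPES = {"n": "\n", "r": "\r"}  # '\|', '\=', '\\' stand for the char itself


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m[1], m[1]), value)


def parse_cef(line):
    """Parse a syslog line with an embedded CEF message into one flat dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body, fields, pos = line[start + len("CEF:"):], [], 0
    for _ in range(7):                      # 7 header fields, each ends with '|'
        m = HEADER_RE.match(body, pos)
        if not m:
            raise ValueError("malformed CEF header")
        fields.append(_unescape(m[1]))
        pos = m.end()
    event = dict(zip(HEADER, fields))
    event["severity"] = int(event["severity"])
    # Extension: a new pair starts at a space followed by key=; an escaped '\='
    # never matches, so values containing spaces (like msg) stay whole.
    for pair in filter(None, re.split(r" (?=[\w.]+=)", body[pos:].strip())):
        key, _, value = pair.partition("=")
        event[key] = _unescape(value)
    return event


def to_ecs(event):
    """Rename the pivot fields to ECS; every other key is kept under cef.*"""
    return {ECS_MAP.get(k, f"cef.{k}"): (int(v) if k in ("spt", "dpt") else v)
            for k, v in event.items()}
```

Once the event is flat, `source.ip` from the ADS alarm can be matched directly against the same field in host and application logs on the shared timeline.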
Is this information sufficient for our SOC?
Let's see how they react to the presented visualization.
We can easily narrow down the views by selecting fields with the mouse, which gives the integration additional advantages. In Energy Logserver we have the ability to run correlated alarms, so let's combine ADS events with the behavior of the application and have the resulting alarm passed on to the maintenance departments.
Afterwards, we can also run reports, which present the same synchronized data to us as PDF files.
So where are we now?
Elastic gives us large-scale central log management, and Flowmon ADS adds a dynamic security feed to the static log view. We can immediately initiate actions toward the SOC and Umbrella systems.