N REPORTER 20130816 Integrated Management of Security incident and Network System Solutions.

1 N REPORTER 20130816: Integrated Management of Security Incidents and Network Systems

2 Are you really protected after buying network security equipment? IPS/IDP/UTM/NGFW/WAF provide protection, but how do you verify that the protection is effective? Potential internal threats are not fundamentally eliminated. The blind spot of network security equipment: legitimate actions performed by the wrong person. Who is misbehaving inside a dynamically allocated (DHCP) IP environment?

3 What do corporations need when facing security threats? Trojans, worms, viruses and spyware; malicious and phishing websites; various HTML injection attacks; threats from 3G mobile Internet.

4 An analyzable reporting system is necessary for your network security.

5 What is a log? Why manage logs? Every device in the network environment produces logs. Logs record when events happened and which users were involved. Network security equipment (IPS, firewalls) records the activity of a given IP together with the permit / block decision. Routers record the traffic utilization of a given IP. Servers record the work executed by a given user from a given IP. The purpose of log management is to reconstruct the original state of affairs when an incident occurs.

6 Blind spots of log management. Many kinds of equipment. Each kind of complex log has to be managed by a specialist. How do you find the real problem in a huge volume of logs? How do you store and query them efficiently? How do you comply with laws and regulations?

7 Impact of the new Personal Information Protection Act on corporations. The new version of the Personal Information Protection Act applies to all corporations and individuals. The maximum compensation can be up to 200 million dollars for a single incident. When accused, the corporation has to prove that it acted without intent or negligence.

8 Centralized management of all logs. Log normalization: a standardized format and query interface. Long-term retention with fast examination of historical records. Real-time alerts for 24-hour uninterrupted protection. Assurance of log integrity. Raw logs are hard to read; normalized logs provide useful information. Log management is no longer just for audit, it is for reducing the company's losses.

9 Raw logs are hard to read; normalized logs provide useful information.

10 If you are looking for: a syslog storage / audit / query appliance; a flow (NetFlow / sFlow) analysis system; an incident correlation and risk management platform; immediate trend analysis of anomalies; regular generation and delivery of Chinese-language reports. N-Reporter integrates all of the above functions into one machine.

11 Syslog recording: storage / audit / query appliance. Syslog data storage and query functions. Simple installation with the performance of a dedicated appliance. Integrated analysis of all network equipment. The best audit assistance tool for the Personal Information Protection Act.

12 All-in-one appliance hardware specification. 19-inch standard chassis; Intel Xeon E31230 CPU; 16 GB RAM; 1 GB DOM for OS and application; 2 TB HDD for syslog; 2 / 4 / 6 TB HDD for flow. Installation completes in 5 minutes. No need for users to buy extra hardware, an operating system or a database. RMA for damage within the warranty period. Built-in web UI and CLI for easy management and troubleshooting. Automatically checks with the manufacturer online for the latest firmware image. Can be configured to use an external NFS disk.

13 Best analytic tool for audit. Receives all kinds of logs. Security syslog: IPS/IDS, UTM, WAF. Flow: NetFlow (v5/v9) / sFlow / J-Flow. Traffic syslog: firewall. Server / application: web server (Apache), database (Oracle, MSSQL), server (Linux, mail). With the logs of all equipment integrated, administrators no longer need to cross-query separate systems. Hardware tuned for fast searching and statistics: a top-1000 sorting report over ten million syslog records completes within 48 seconds; a query over a hundred million flow records completes within 250 seconds. Stores 600 million syslog records, which meets the retention requirement of more than 3 years in most environments, and more than 5 billion compressed records. [Diagram: Internet, home router, firewall, non-home PC / server, network security switch, IPS, N-Reporter]


15 Assurance of data integrity. All stored data is hashed, signed and encrypted to ensure its integrity: SHA-256 signatures and what the slide calls "DES-256" encryption (no such DES variant exists; DES keys are 56 bits, so this presumably means AES-256). Note that a bare SHA-256 hash only detects accidental corruption; proving that nobody rewrote a record and re-hashed it requires a keyed MAC or a digital signature whose key the log store does not hold. Built-in data compression substantially increases storage capacity. NIST CAVP validation under FIPS 140-2 for the data storage (CAVP validates algorithm implementations; it is not a FIPS 140-2 module validation, which the CMVP performs). Data completeness: automatic daily database backup; support for an external NFS disk; export of the original raw data. Built-in charts of storage usage and estimated retention period; charts of database status; percentage of data contributed by each device.
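The slide says records are hashed and signed but does not describe the scheme. As an added example (not N-Reporter's code), here is the minimum that actually detects tampering: each record's SHA-256 digest chains to the previous digest, and an HMAC under a key kept off the log store (assumed name SIGNING_KEY) seals each digest. The records are constructed.

```python
import copy
import hashlib
import hmac
import json

# Hypothetical sealing key. Keep it off the log store (HSM, separate host);
# otherwise whoever tampers with the store can simply re-seal the chain.
SIGNING_KEY = b"example-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()

# Constructed sample records; not real N-Reporter output.
SAMPLE_RECORDS = [
    {"ts": "2013-08-16T10:00:01", "dev": "fw-1", "msg": "permit tcp 10.0.0.5:51234 -> 203.0.113.7:443"},
    {"ts": "2013-08-16T10:00:02", "dev": "fw-1", "msg": "block tcp 10.0.0.9:40000 -> 203.0.113.7:23"},
    {"ts": "2013-08-16T10:00:03", "dev": "fw-1", "msg": "block tcp 10.0.0.9:40001 -> 203.0.113.7:23"},
]


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_digest, record, key):
    digest = hashlib.sha256(prev_digest.encode() + canonical(record)).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return digest, tag


def build_chain(records, key=SIGNING_KEY):
    """Each entry's SHA-256 digest covers the previous digest, and an HMAC over the
    digest proves the entry was sealed by the key holder. Editing, deleting or
    reordering any record invalidates that entry and every entry after it."""
    chain, prev = [], GENESIS
    for rec in records:
        digest, tag = seal(prev, rec, key)
        chain.append({"record": copy.deepcopy(rec), "prev": prev, "digest": digest, "tag": tag})
        prev = digest
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        digest, tag = seal(prev, entry["record"], key)
        if entry["prev"] != prev or entry["digest"] != digest or not hmac.compare_digest(entry["tag"], tag):
            return False, i
        prev = digest
    return True, None


def tamper_demo():
    """An insider turns a 'block' into a 'permit' and recomputes the plain hash,
    but cannot forge the HMAC without the key."""
    chain = build_chain(SAMPLE_RECORDS)
    before, _ = verify_chain(chain)
    entry = chain[1]
    entry["record"]["msg"] = entry["record"]["msg"].replace("block", "permit")
    entry["digest"] = hashlib.sha256(entry["prev"].encode() + canonical(entry["record"])).hexdigest()
    after, bad_index = verify_chain(chain)
    return before, after, bad_index


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, 1)
```

Without the key, an insider who edits a record can recompute the SHA-256 digests but not the tags, so verification stops at the first edited entry; deleting an entry breaks the prev link of the entry after it. Encryption (AES-256 in practice) is a separate concern: it protects the confidentiality of the stored records, not their integrity.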


17 Supports multiple logical query conditions. Keywords can be combined with + (OR) and ! (NOT) to search incidents; IP filter definitions also support + (OR) and ! (NOT). Multiple query conditions can be combined across all kinds of arguments (source equipment / incident type and level / action / port / country / flow filter). Drill down directly from Top N reports, time-based reports and trend analysis.
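The slide names the + (OR) and ! (NOT) operators but not how they combine. The following is an added example, not the product's query engine: it assumes that space-separated terms are ANDed, that + separates OR alternatives inside a term, and that ! negates one alternative, and applies the same grammar to keyword searches and to IP / CIDR filters. The events are constructed.

```python
import ipaddress

# Constructed sample events; not real N-Reporter data.
SAMPLE_EVENTS = [
    {"src": "10.0.0.9",    "dev": "fw-1",  "msg": "block tcp 10.0.0.9 -> 203.0.113.7:23 telnet"},
    {"src": "10.0.5.4",    "dev": "ips-1", "msg": "SQL injection attempt GET /login.php?id=1' OR 1=1"},
    {"src": "192.168.1.5", "dev": "waf-1", "msg": "permit GET /index.html"},
    {"src": "172.16.3.2",  "dev": "ips-1", "msg": "port scan detected from 172.16.3.2"},
]


def _keyword_alt(alt, text):
    # a leading '!' negates a single alternative
    if alt.startswith("!"):
        return alt[1:].lower() not in text
    return alt.lower() in text


def match_keywords(query, text):
    """Space-separated terms are ANDed; inside a term '+' separates OR alternatives
    and '!' negates an alternative (assumed semantics)."""
    text = text.lower()
    return all(
        any(_keyword_alt(alt, text) for alt in term.split("+") if alt)
        for term in query.split()
    )


def _ip_alt(alt, ip):
    negate = alt.startswith("!")
    net = ipaddress.ip_network(alt.lstrip("!"), strict=False)  # a bare IP becomes a /32
    return (ip not in net) if negate else (ip in net)


def match_ip(filter_expr, ip_str):
    """Same + / ! grammar applied to IP addresses and CIDR prefixes."""
    ip = ipaddress.ip_address(ip_str)
    return all(
        any(_ip_alt(alt, ip) for alt in term.split("+") if alt)
        for term in filter_expr.split()
    )


def search(events, keywords="", ip_filter=""):
    """Return the source IPs of events matching both the keyword query and the IP filter."""
    hits = []
    for ev in events:
        if keywords and not match_keywords(keywords, ev["dev"] + " " + ev["msg"]):
            continue
        if ip_filter and not match_ip(ip_filter, ev["src"]):
            continue
        hits.append(ev["src"])
    return hits
```

A query such as `ips-1 !scan` with the IP filter `10.0.0.0/8 !10.0.5.0/24` reads as "from device ips-1, not mentioning scan, from the 10/8 range except the 10.0.5.0/24 subnet"; the matching is plain substring matching, so a term like `inject` also matches "injection".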

18 Flow / traffic analysis functions. Flow analysis and Top N ranking can compare usage between groups. Flow charts drawn from flow or traffic data support long-term monitoring and give a warning when a threshold is exceeded.

19 Quickly pinpoint abnormal IPs from the flow chart.

20 Huge packet volumes paralyze security equipment. Use flow data to find the key point when security equipment breaks down: 60M/s of traffic is not large, but 170k packets per second can paralyze security equipment, since inspection cost scales with packets rather than bytes. After confirming the problem, go further to pinpoint the key IP and resolve it.

21 Does a large volume of traffic necessarily mean a problem? Ranking of usage by IP. Ranking of usage by protocol.

22 Flow report functions. Network bandwidth usage: a list of bandwidth usage across the network environment; flow charts of in / out / total traffic for a given IP or session; traffic line charts for a given application (such as web or mail); flow charts of nuisance activity (such as BitTorrent or PPStream) or of attacks (SQL injection or malicious programs); flow charts of critical / major security problems arising in the network environment. Top N flow ranking: bandwidth usage ranking by IP or application; flow usage ranking of given sessions (for example comparing server farms or departments); security event ranking by IP or session.

23 Incident correlation and risk management platform. Incident correlation analysis: fully integrates flow data and security events, performing complete correlation from L3/L4 up to L7.

24 N-Reporter gives you full information on network usage. [Diagram: syslog, NetFlow and traffic data from routers, firewalls, servers and security equipment feeding N-Reporter]


26 Syslog messages provide L7 content; flow messages provide L3/L4 traffic usage. [Diagram: syslog, NetFlow and traffic data from routers, firewalls, servers and security equipment]

27 Querying the correlated L3/L4 flow from L7 content.

28 Top N ranking report of security events, listing how much bandwidth each incident in the Top N list consumed. An incident that occurs many times does not necessarily transfer a large volume of packets and bytes. Report columns: content of the incident; bandwidth used by the incident.


30 Long-term monitoring: time-based reports. Provides 24-hour uninterrupted monitoring. Set up any long-term monitoring you want, and the report sends warnings on abnormalities. For example, send a yellow notification when a server's traffic exceeds 20M/s, or a red warning when Telnet login failures exceed 500 per minute. Top N ranking report of security events. Indicator lights are shown according to the configured thresholds.

31 Abnormal behaviour trend analysis. Real-time anomaly trend analysis: automatically builds a threshold baseline by learning from history; immediate warning when syslog incidents or flow traffic rise abnormally; blocks the source IPs behind the increase in batches.

32 Trend analysis: proactive warnings of sudden increases in incidents and IPs. Automatically identifies the incidents / source IPs / destination IPs behind an abnormal increase by comparing live data with a baseline calculated from historical records. A list of the items you care about most. Detects a sudden increase within 1 to 3 minutes. Lets users keep the anomalies in their environment under control. More than just a reporter: an analyzer that performs real-time analysis of network anomalies, which the slide describes as artificial intelligence.

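Slides 30 to 32 describe two different alerting mechanisms: fixed thresholds behind the yellow / red lights (20M/s of server traffic, 500 Telnet login failures per minute) and a baseline learned from history. The block below is an added example, not the product's algorithm: it takes the baseline to be the historical mean plus three standard deviations (an assumption; the slide only says the baseline is learned), counts this minute's failures from constructed syslog lines, and shows that the learned baseline fires on 91 failures per minute while the static red threshold of 500 stays quiet. The traffic threshold is taken as bytes per second, also an assumption.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Static thresholds from the slide as (yellow, red); None means no light at that colour.
# Units are assumptions: bytes per second for traffic, events per minute for logins.
STATIC_THRESHOLDS = {
    "server_traffic_bytes_per_s": (20_000_000, None),
    "telnet_login_fail_per_min": (None, 500),
}

# Constructed history: "login failed" counts per minute for the previous hour.
HISTORY = [3, 5, 2, 4, 6, 3, 5, 4, 2, 3, 4, 5] * 5

# Constructed syslog lines for the current minute (not real device output).
CURRENT_MINUTE = (
    [f"<86>Aug 16 10:31:{s:02d} gw telnetd[412]: login failed for admin from 203.0.113.50" for s in range(60)]
    + [f"<86>Aug 16 10:31:{s:02d} gw telnetd[412]: login failed for root from 198.51.100.9" for s in range(0, 60, 2)]
    + ["<86>Aug 16 10:31:07 gw telnetd[412]: login failed for bob from 10.0.0.8"]
)

FAIL_RE = re.compile(r"login failed for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def static_level(metric, value):
    """Fixed-threshold check behind the yellow / red indicator lights."""
    yellow, red = STATIC_THRESHOLDS[metric]
    if red is not None and value > red:
        return "red"
    if yellow is not None and value > yellow:
        return "yellow"
    return "green"


def baseline(history, k=3.0):
    """Learned baseline: mean plus k standard deviations of the historical per-minute counts."""
    return mean(history) + k * pstdev(history)


def parse_failed_login(line):
    m = FAIL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def trend_alert(lines, history, k=3.0, top_n=3):
    """Compare this minute's failure count with the learned baseline and, on a spike,
    report the source IPs driving it (the candidates slide 36 hands to the firewall
    or switch for blocking)."""
    hits = [p for p in map(parse_failed_login, lines) if p]
    count, base = len(hits), baseline(history, k)
    if count <= base:
        return None
    top_sources = Counter(src for _, src in hits).most_common(top_n)
    return {"count": count, "baseline": round(base, 2), "top_sources": top_sources}
```

The constructed history averages under four failures a minute with a baseline of roughly 7.5, so 91 failures is a clear spike even though it is far below the fixed red threshold; this is why the slide pairs static thresholds with a learned baseline. A per-hour-of-day baseline (comparing 10:31 against previous days' 10:31) is the usual refinement for metrics with a daily rhythm.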

34 Flow anomaly analysis. Automatically filters 14 kinds of anomalies out of flow traffic, such as IP/port scans, DDoS and so on. Account and password guessing is a sign of intrusion; an IP/port scan is the first step of a successful intrusion. Instantly pinpoints the anomalies of a given IP, or which hosts are under attack.

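As an added example of how scans and floods are pulled out of flow records (not the product's 14 detectors, which the slide does not describe), the block below classifies one export window of constructed NetFlow-style records. The thresholds are assumptions chosen for the sample data. It also illustrates the point of slide 20: the flood is millions of packets, the scans are a few dozen, so packet or byte totals alone would never surface the scans.

```python
from collections import defaultdict, namedtuple

# One NetFlow-style record: export timestamp, addresses, destination port, protocol, counters.
Flow = namedtuple("Flow", "ts src dst dport proto packets bytes")

# Detection thresholds are assumptions for the constructed data, not vendor values.
PORT_SCAN_MIN_PORTS = 20      # distinct destination ports on one host from one source
IP_SCAN_MIN_HOSTS = 20        # distinct destination hosts on one port from one source
FLOOD_MIN_PPS = 100_000       # packets per second towards one destination
FLOOD_MAX_BYTES_PER_PKT = 64  # tiny packets, e.g. a SYN flood


def constructed_flows():
    """Constructed 60-second export window: a port scan, an IP scan, a SYN flood and one normal session."""
    flows = [Flow(100 + i, "10.0.0.9", "10.0.1.20", 1000 + i, 6, 1, 60) for i in range(40)]
    flows += [Flow(200 + i, "10.0.0.9", f"10.0.2.{i + 1}", 23, 6, 1, 60) for i in range(30)]
    flows += [Flow(300, f"203.0.113.{i + 1}", "10.0.1.80", 80, 6, 60_000, 2_400_000) for i in range(200)]
    flows.append(Flow(300, "10.0.0.5", "198.51.100.7", 443, 6, 120, 90_000))
    return flows


def classify(flows, window_seconds=60):
    """Return a list of (kind, ...) alerts for one export window of flow records."""
    ports_per_pair = defaultdict(set)             # (src, dst)   -> destination ports touched
    hosts_per_port = defaultdict(set)             # (src, dport) -> destination hosts touched
    per_dst = defaultdict(lambda: [0, 0, set()])  # dst -> [packets, bytes, sources]
    for f in flows:
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_port[(f.src, f.dport)].add(f.dst)
        agg = per_dst[f.dst]
        agg[0] += f.packets
        agg[1] += f.bytes
        agg[2].add(f.src)

    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= IP_SCAN_MIN_HOSTS:
            alerts.append(("ip_scan", src, dport, len(hosts)))
    for dst, (packets, nbytes, sources) in per_dst.items():
        pps = packets / window_seconds
        if pps >= FLOOD_MIN_PPS and nbytes / packets <= FLOOD_MAX_BYTES_PER_PKT:
            alerts.append(("flood", dst, len(sources), int(pps)))
    return alerts
```

The flood rule keys on packets per second and bytes per packet rather than on bandwidth, matching the observation on slide 20 that 170k packets per second can paralyze equipment while the byte rate looks harmless. Sampled flow (sFlow, sampled NetFlow) needs the packet counts scaled by the sampling rate before these thresholds apply.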

36 Blocking when an anomaly occurs. [Diagram: router, firewall, switch, IPS and L7 syslog devices send logs to N-Reporter, which raises alerts and issues BLOCK commands.] Step 1: incidents and flow statistics found by the syslog / flow systems are sent to N-Reporter. Step 2: N-Reporter builds a reasonable baseline from the syslog / flow data. Step 3: instant warning when anomalies increase. Step 4: after receiving the warning, the user orders the attack to be blocked; attacks from the outside network are blocked by the IPS / firewall, and unusual actions from the inside network are blocked by the internal switch.

37 Chinese-language reports generated and delivered regularly. Chinese report functions: various parameter settings produce reports for your requirements; offline reports are generated and delivered automatically; IP-to-name mapping makes it easier to identify the real identity behind an IP.

38 Automatically producing all-Chinese reports. Reports delivered periodically and automatically; configurable working times and dates; daily / weekly / bi-weekly / monthly / quarterly / half-yearly / annual reports; storage and retrieval of historical reports; various output formats supported: PDF / CSV / XML.


40 User-friendly interface. IP-to-name mapping makes the real identity behind an IP easier to understand in reports. Quick to learn and easy to use. Click directly for detailed information. Values shown on mouse hover. User names displayed.


42 Value-added report analysis. Analysis of data by a specific user. Regulatory audit reports. Abnormal audit analysis.

43 Dynamic DHCP IP environment: Windows AD integration. [Diagram: router, firewall, L7 syslog devices, Windows AD server and network equipment feeding N-Reporter.] Incidents and flow statistics discovered by the syslog / flow systems are continuously sent to N-Reporter. The Windows domain AD server delivers the login audit records of domain users to N-Reporter. N-Reporter builds the IP-to-user-name mapping and converts IPs to user names, solving the problem that incidents cannot be traced by IP alone in a DHCP environment. It then provides a variety of per-user reports: query historical events or flows by user (diagnosing correctly even under dynamic IP assignment) and find the real problem-making user by sorting.
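The mapping on this slide only works if it is time-aware: under DHCP the same address belongs to different users at different times, so each security event has to be resolved against the most recent logon from that address at or before the event. The block below is an added example, not N-Reporter's implementation; the logon records stand in for forwarded Windows Event ID 4624 (successful logon) entries and are constructed, as are the security events.

```python
import bisect
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Windows logon audit records as the AD server would forward them
# (Event ID 4624, successful logon): timestamp, account, source IP. Not real data.
LOGON_EVENTS = [
    ("2013-08-16 08:01:10", "alice", "10.0.0.55"),
    ("2013-08-16 08:05:42", "bob",   "10.0.0.56"),
    ("2013-08-16 12:30:00", "carol", "10.0.0.55"),  # DHCP handed alice's old address to carol
]

# Constructed security events from IPS / firewall syslog: timestamp, source IP, message.
SECURITY_EVENTS = [
    ("2013-08-16 07:00:00", "10.0.0.56", "FW: block tcp -> 203.0.113.7:23"),
    ("2013-08-16 09:15:00", "10.0.0.55", "IPS: SQL injection attempt"),
    ("2013-08-16 13:02:11", "10.0.0.55", "IPS: port scan"),
    ("2013-08-16 13:05:00", "10.0.0.55", "FW: block tcp -> 203.0.113.7:23"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


class IpUserMap:
    """Time-aware IP -> user mapping built from logon events, so the same address
    resolves to different users before and after a DHCP reassignment."""

    def __init__(self, logon_events):
        self._times = defaultdict(list)
        self._users = defaultdict(list)
        for ts, user, ip in sorted(logon_events):
            self._times[ip].append(parse_ts(ts))
            self._users[ip].append(user)

    def user_at(self, ip, ts):
        """Most recent logon from ip at or before ts, or None if the address had no known user yet."""
        times = self._times.get(ip, [])
        i = bisect.bisect_right(times, parse_ts(ts)) - 1
        return self._users[ip][i] if i >= 0 else None


def attribute(logon_events, security_events):
    """Return (timestamp, ip, user, message) for each security event."""
    ip_map = IpUserMap(logon_events)
    return [(ts, ip, ip_map.user_at(ip, ts), msg) for ts, ip, msg in security_events]


def top_users(attributed):
    """Ranking by user rather than by IP: the 'real problem-making user' report."""
    return Counter(user for _, _, user, _ in attributed).most_common()
```

"Last logon wins" is the simplest rule and the one this example uses; it will misattribute an event that occurs after a user's lease expired but before the next logon from that address. Pairing the logon records with logoff events (Event ID 4634) or with the DHCP server's lease log closes that window, and events with no resolvable user (the None row above) should be reported as such rather than silently dropped.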

44 Security reports. Ranks the daily security events while computing their traffic usage and the number of trend alerts they triggered. Calculates security events, flows, trend alerts and flow anomalies by user name or IP.

45 Security reports. Graphic charts give a clear view of the server audit situation and meet the compliance reporting requirements of the Personal Information Protection Act. Server / application audit: records the number of successful logins and logouts, failed logins and logins with incorrect accounts. Database audit: Oracle, MSSQL Server, MySQL, PostgreSQL. Windows file sharing: records the number of file reads, updates, deletions and incorrect accesses.

46 Host audit reports. Quickly locate the source of problems and anomalies, sorted by user IP and user account: password guessing within a given period; which account's password was guessed; which IP is causing trouble by failing to log in many times; which host received a large number of failed logins.

47 Analysis of abnormal audits. Analyzes host audit logs and automatically finds the abnormal items users should pay attention to: account and password guessing; a successful login from a suspicious IP; a change of login IP.
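Slides 46 and 47 list the questions a host audit report should answer. The block below is an added example, not the product's analysis: it parses constructed sshd lines in standard syslog format and flags the three patterns on slide 47 (password guessing, a successful login from an IP that had been guessing, and a user whose login IP changed), plus the per-IP and per-host failure rankings of slide 46. The guessing threshold of five failures is an assumption.

```python
import re
from collections import Counter

# Constructed sshd lines in standard syslog format; not real server output.
SAMPLE_AUTH_LOG = [
    *[f"Aug 16 10:00:{s:02d} srv1 sshd[20{s:02d}]: Failed password for admin from 203.0.113.50 port 400{s:02d} ssh2"
      for s in range(1, 7)],
    "Aug 16 10:00:20 srv1 sshd[2008]: Accepted password for admin from 203.0.113.50 port 40008 ssh2",
    "Aug 16 10:05:00 srv1 sshd[2010]: Accepted publickey for alice from 10.0.0.12 port 50000 ssh2",
    "Aug 16 10:06:00 srv1 sshd[2011]: Failed password for invalid user test from 198.51.100.9 port 1 ssh2",
    "Aug 16 11:00:00 srv1 sshd[2020]: Accepted publickey for alice from 10.0.0.99 port 50001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, guess_threshold=5):
    """Flag the three patterns from slide 47: password guessing, a successful login
    from an IP that had been guessing, and a user whose login IP changed."""
    findings = []
    fails_per_pair = Counter()   # (user, ip) -> failed attempts
    fails_per_ip = Counter()
    last_ip = {}                 # user -> IP of their previous successful login
    for ev in filter(None, map(parse, lines)):
        user, ip = ev["user"], ev["ip"]
        if ev["result"] == "Failed":
            fails_per_pair[(user, ip)] += 1
            fails_per_ip[ip] += 1
            if fails_per_pair[(user, ip)] == guess_threshold:   # report once, when the threshold is crossed
                findings.append(("password_guessing", user, ip))
            continue
        if fails_per_ip[ip]:
            findings.append(("success_after_failures", user, ip, fails_per_ip[ip]))
        if user in last_ip and last_ip[user] != ip:
            findings.append(("login_ip_changed", user, last_ip[user], ip))
        last_ip[user] = ip
    return findings


def failures_by_ip(lines):
    """Which IP is failing to log in most often (slide 46)."""
    c = Counter(ev["ip"] for ev in filter(None, map(parse, lines)) if ev["result"] == "Failed")
    return c.most_common()


def failures_by_host(lines):
    """Which host receives the most failed logins (slide 46)."""
    c = Counter(ev["host"] for ev in filter(None, map(parse, lines)) if ev["result"] == "Failed")
    return c.most_common()
```

The "success after failures" finding is the one that matters most operationally: five failures followed by an accepted password from the same address is a guessed credential, not a typo, and is the item to escalate first. Note that sshd writes "invalid user" for unknown accounts, which the regex absorbs so that guesses against non-existent accounts are still counted against the source IP.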

48 Cloud solution. N-Reporter cloud solution: hierarchical management, high-availability architecture, big-data collection.

49 N-Reporter cloud solution. Hierarchical decentralized management: each department in the corporation sees only its own information, as if it had an N-Reporter of its own, while operators and administrators can view the corporation globally. Flexible architecture: applies to both centralized and distributed deployments; N-Center and N-Receiver nodes are deployed in each regional branch as required, and headquarters can view the information of all branches. High availability (HA): N-Center / N-Receiver support failover for uninterrupted service. Big-data environment: supports up to 300 thousand EPS (events per second). Flexible expansion: N-Cloud scales out for future data collection and growth in users.

50 N-Reporter cloud solution. [Diagram: Internet, routers, network devices and security products in the central, north and south offices send syslog, flow and traffic data to N-Cloud at the county network center.] Tip: block malicious traffic at the IPS placed in front of the firewall or Internet gateway.

51 We offer you more than just log management.

52 Integrates all kinds of logs to support corporate forensic collection. Centralized log management to meet audit requirements. Fast retrieval of complete historical records. Guaranteed data integrity. The best tool for corporations to comply with the Personal Information Protection Act.

53 Analysis with plentiful reports. Top N reports list the most frequent security incidents in your network. Time-based reports provide a continuous 24-hour network security monitoring plan. Trend reports automatically analyze the trends that matter most. Daily / weekly / monthly / quarterly / annual reports for policy making. Full protection with instant monitoring.

54 Cross-analysis of security and flow data. See live network conditions with the Flow Module. Analyze host anomalies with the Server Module. Quickly remove network faults with the Action Module.

55 Successful Cases

