Ten Cool Things Logsign SIEM Does

1- Simplicity

Easy deployment, an intuitive and easy-to-use interface, and rule-based alerts, buckets, dashboards and reports are the factors behind the simplicity mindset of Logsign, which follows the principle that “simplicity is the ultimate sophistication”. The user interface that SOC teams use for threat and anomaly analysis has been designed to be understood easily and simply.

In addition, alert rules, which are the basis of incident response, have been designed so that they can be configured easily.

2- Log Correlation: The Heart of SIEM

Logsign provides correlation via buckets and alerts. By creating a wide variety of lists (Statistical, State Tracker, Static, LDAP), specific conditions for different scenario types can be expressed. Many lists and alarms can be combined to respond to the most complex scenarios. Furthermore, thanks to its multiprocessing design, Logsign’s Alert Service processes and correlates many scenarios and their related events in parallel, and triggers an alert when the corresponding rules are met.

(Screenshot: Dashboard)

3- Massive Scalability

Logsign can be installed on a single cloud or physical server, or on multiple servers, depending on the size of the network it supports. Logsign operates as an active-active cluster, and its services are distributed across different servers to meet performance and optimization requirements. The cluster structure enables both horizontal and vertical scalability.

4- High Availability

Thanks to Logsign’s cluster structure, replicas of the received data can be placed on multiple servers. If one or more servers fail (up to a number that depends on how many servers are working simultaneously as active-active), the remaining servers keep the system operating efficiently without any data loss.

5- Advanced Data Analytics and Dashboards

Powered by Elasticsearch, Logsign can return the desired data for any kind of data analysis (real-time or historical) in milliseconds, using a variety of search algorithms. Anomaly and threat analysis can be performed by drill-down or roll-up. SOC teams can also perform these analyses with complex search queries. Moreover, System and Network teams can perform real-time monitoring using detailed dashboards.

(Screenshot: Report screen)

6- Search and Forensic Investigation

Data searched for on Logsign Search is returned in milliseconds. The Search function supports phrase, wildcard, proximity, range, boolean and fuzzy searches. In addition, you can give one term of a query pair more weight than the other with a boosting term. You can also group specific data according to different rules and then perform the search.

These functions bring drill-down and roll-up analysis to Logsign Search. After a security event has been detected, both historical raw data and parsed data can be searched by query, and reports can be generated. So that data held on Logsign can be produced simply as evidence in a judicial case, the data is signed separately on historical, daily and monthly bases, and its hash is stored in encrypted form.
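The following is an added example, not Logsign’s code, of the kind of tamper-evident signing the paragraph above describes: each day’s raw log lines are signed, and the ordered daily signatures are signed again for the month. It uses an HMAC with a key held outside the log store as a stand-in for the signing and encrypted-hash storage the text mentions; the page does not state Logsign’s exact mechanism, and the log lines and key here are constructed.

```python
# Added example, not Logsign's code: tamper-evident signing of stored log data
# on a daily and a monthly basis. An HMAC with a key held outside the log store
# stands in for the signing / encrypted-hash storage the text mentions.
import hashlib
import hmac

SIGNING_KEY = b"demo-key-kept-outside-the-log-store"  # constructed, not a real secret

# Constructed sample raw log lines for one day (TEST-NET address, fictional host)
DAY_LOGS = [
    "2024-01-01T02:00:00 sshd[1201]: Failed password for alice from 192.0.2.10 port 51234 ssh2",
    "2024-01-01T02:00:10 sshd[1201]: Failed password for alice from 192.0.2.10 port 51235 ssh2",
    "2024-01-01T02:01:00 sshd[1201]: Accepted password for alice from 192.0.2.10 port 51240 ssh2",
]


def digest_lines(lines):
    """SHA-256 over the raw lines in order, one newline after each line."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def sign_day(lines, key=SIGNING_KEY):
    """Daily signature: HMAC over the day's content digest."""
    return hmac.new(key, digest_lines(lines).encode("ascii"), hashlib.sha256).hexdigest()


def verify_day(lines, stored_signature, key=SIGNING_KEY):
    """True if the stored lines still match the signature taken at archive time."""
    return hmac.compare_digest(sign_day(lines, key), stored_signature)


def sign_period(day_signatures, key=SIGNING_KEY):
    """Monthly (or any period) signature over the ordered daily signatures, so that
    removing, reordering or re-signing a whole day is also detected."""
    material = "\n".join(day_signatures).encode("ascii")
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def verify_period(day_signatures, stored_signature, key=SIGNING_KEY):
    """True if the set and order of daily signatures match the period signature."""
    return hmac.compare_digest(sign_period(day_signatures, key), stored_signature)


if __name__ == "__main__":
    sig = sign_day(DAY_LOGS)
    print("intact day verifies:", verify_day(DAY_LOGS, sig))
    tampered = DAY_LOGS[:]
    tampered[0] = tampered[0].replace("Failed", "Accepted")
    print("edited day verifies:", verify_day(tampered, sig))
```

Verification has to be done against signatures stored somewhere the log store itself cannot rewrite; if the key or the signatures live beside the logs, an attacker who can edit the logs can re-sign them too.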

7- Threat Detection

Logsign collects threat feeds from different, continuously updated sources. Collected feeds are converted into list format and categorised. The feeds, of various types and categories, are prioritised for correlation. On the upper layer, this enriched and correlated feed data is used together with data received from other sources to perform threat and anomaly analysis. Another important module for threat detection is the alert service. By combining rule-based alerts with threat feeds, threat detection with a low false positive rate can be achieved. For threats detected by Logsign, communication is established with the related security devices to take action automatically. Furthermore, for events on which action is taken and for alarm-triggering events, sending SMS or email notifications can support incident response.
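The following is an added example, not Logsign’s code, illustrating both the list-based correlation of section 2 and the threat-feed alerting described above: a static list holds indicators loaded from a feed, a state-tracker list keeps a sliding-window count of failed logins per source, and two rules raise alerts from a parsed event stream. The event fields, rule names, threshold and all sample values are assumptions for the demo.

```python
# Added example, not Logsign's code: a minimal rule-based correlation engine
# using a static list (threat-feed indicators) and a state-tracker list
# (sliding-window counter per source address). Field names are assumed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample threat feed (TEST-NET documentation addresses, not real indicators)
THREAT_FEED = {"203.0.113.7", "198.51.100.99"}

# Constructed sample events, already parsed into fields
EVENTS = [
    {"ts": "2024-01-01T02:00:00", "src": "192.0.2.10", "event": "login_failed", "user": "alice"},
    {"ts": "2024-01-01T02:00:00", "src": "192.0.2.11", "event": "login_failed", "user": "bob"},
    {"ts": "2024-01-01T02:00:05", "src": "203.0.113.7", "event": "connection", "user": "-"},
    {"ts": "2024-01-01T02:00:10", "src": "192.0.2.10", "event": "login_failed", "user": "alice"},
    {"ts": "2024-01-01T02:00:20", "src": "192.0.2.10", "event": "login_failed", "user": "alice"},
    {"ts": "2024-01-01T02:00:30", "src": "192.0.2.10", "event": "login_failed", "user": "alice"},
    {"ts": "2024-01-01T02:00:30", "src": "192.0.2.11", "event": "login_failed", "user": "bob"},
    {"ts": "2024-01-01T02:00:40", "src": "192.0.2.10", "event": "login_failed", "user": "alice"},
    {"ts": "2024-01-01T02:01:00", "src": "192.0.2.10", "event": "login_success", "user": "alice"},
    {"ts": "2024-01-01T02:02:00", "src": "192.0.2.11", "event": "login_failed", "user": "bob"},
]


class StateTracker:
    """State-tracker list: counts events per key inside a sliding time window."""

    def __init__(self, window_seconds):
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def add(self, key, ts):
        """Record one hit for key at ts and return the hit count inside the window."""
        q = self.hits[key]
        q.append(ts)
        cutoff = ts - self.window
        while q and q[0] < cutoff:  # expire hits older than the window
            q.popleft()
        return len(q)

    def reset(self, key):
        self.hits.pop(key, None)


def run_correlation(events, threat_feed=THREAT_FEED, threshold=5, window_seconds=60):
    """Apply two rules to the events in timestamp order and return the alerts raised."""
    alerts = []
    tracker = StateTracker(window_seconds)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Rule 1: static-list match; any event from a feed indicator raises an alert
        if ev["src"] in threat_feed:
            alerts.append({"rule": "threat_feed_match", "src": ev["src"], "ts": ev["ts"]})
        # Rule 2: state-tracker rule; `threshold` failed logins from one source in the window
        if ev["event"] == "login_failed":
            count = tracker.add(ev["src"], ts)
            if count >= threshold:
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "ts": ev["ts"], "count": count})
                tracker.reset(ev["src"])  # fire once per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in run_correlation(EVENTS):
        print(alert)
```

With the constructed events, the feed rule fires once for the connection from 203.0.113.7 and the brute-force rule fires once for 192.0.2.10 at its fifth failure within the window; 192.0.2.11 never reaches the threshold because its earlier failures expire before the later one arrives. The reset after each alert is what keeps one burst from producing an alert per event, which is the kind of choice that drives the false positive rate the text mentions.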

8- Incident Response

As soon as a security event occurs, if data related to the event is available on Logsign, the time needed to intervene is reduced to a minimum. As events often take place at night, SOC teams are notified as soon as possible so that they can eliminate the security vulnerability and terminate the related traffic.

9- Delegation

SIEM products are platforms commonly used across large networks that incorporate a wide variety of departments, including security and system teams. That is why delegation is needed among external users as well as network and security teams. Logsign provides profile-based delegation. By creating interface restrictions and dashboard, report, alert and list profiles, rights can be delegated to people and groups. Different features can be provided to users with different job descriptions. An extra feature Logsign adds to delegation is source-based delegation: added sources are assigned to different profiles, so that each profile has access only to its assigned sources. This increases the security level by ensuring that the data of advanced security products is accessible only to security teams.

10- Compliance Requirements

Logsign supports many compliance standards, such as PCI, HIPAA, ISO, FISMA, SOX, NERC and GLBA.
