Discover Prelude SIEM

MONITOR THE SECURITY

OF YOUR INFORMATION SYSTEM

Introduction

Based on open-source core, Prelude SIEM offers excellence in terms of performance and functionality. From this robust base, the Prelude team has designed interfaces and functionalities for the most demanding security teams.

Among its many features, Prelude allows you to:

  • constantly monitor your security level and possible intrusion attempts.
  • quickly and effectively analyze the cause of an alert in order to act accordingly
  • research, investigate, compare, correlate in order to identify more discreet threats
  • keep all traces of your systems for proof purposes by ensuring their integrity
  • design and publish multiple technical or functional report formats

Prelude SIEM : Depth detection

In order to extract the essential information needed by operators to manage the company's security, the events sent to Prelude go through different steps summarized below. This systematic treatment on the available data allows in-depth detection capable of detecting "standards" events but also deviations from normal behaviors through the use of new behavioral analysis techniques or machine learning.

The different steps of an intrusion detection are as follows:

Centralization

Prelude centralizes all traces of your information system (syslog, netflow, files, etc.) and stires this data in a secure database before analysis.

Detection

Within the traces, Prelude searches for signs of intrusion attempts by combining several detection techniques: classical detection based on the company's security policy, external detection based on security community information (CTI) and new techniques for analyzing data based on machine learning to identify deviant behavior. Prelude DID engine thus implements the principles of Deep Intrusion Detection.

Normalization

Prelude standardizes all significant or suspicious events with the standard IDMEF format (RFC 4765). Thanks to this format, events are enriched in order to facilitate automation and correlation processes. It also provides maximum information to the operator (contextualization of alerts) in order to allow him to react quickly and efficiently.

Correlation

Prelude offers several correlation engines according to the needs of each correlation scenario. The user can build his correlation scenario from the GUI using  "drag & drop" technics. It is also possible to automate rule creation using the "EasyCorrel" meta-language and finally, for the most advanced needs, the operator has the possibility to develop his rules and processing algorithms directly from Python scripts, thus benefiting from all the richness of this language.

Aggregation

At the interface level, the operator can aggregate, sort and filter information to better understand its causes and relationships. The correlated information can be represented in different graphical forms depending on the needs. The aggregation calculation as well as the aggregated attributes are calculated dynamically, thus giving the operator complete freedom.

Notification

Prelude SIEM offers a threat management board presenting an operational classification of the threats. Various tools to facilitate the processing of these threats (investigation tools, access to inventory and vulnerability information, details of IDMEF fields, direct access to behavioural analysis results, etc.) are also available. In addition, for smaller teams, Prelude SIEM offers numerous filtering functions that allow operators to be alerted  directly on their email or mobile phone according to severity of the threats. Prelude also offers all the technical and management reports programming features.

 

Prelude SIEM interfaces

Prelude SIEM graphical interfaces have been created in collaboration with operators and ergonomists. The look & feel has been designed to facilitate the work of operators by streamlining threat handling as much as possible. Several concepts are inherited from proven operating platforms based on ITIL processes, for example. In addition, many configuration and customization options are available to adapt to the largest number of users and operating modes.

Prelude SIEM can be fully operated from a browser in a Windows or Linux environment. Prelude SIEM uses the latest web technologies to offer maximum user comfort but avoid any technologies that could create security problems (flash, java, etc).

The interfaces are multilingual, naturally including French and English.

The interface is presented with its "Risk Overview" in the upper left corner. The Risk Overviwe summarizes the level of risk on the information system. Underneath this Risk Overview is the control menu that allows you to configure the data that will be displayed in the operating area. In operational mode one will work on the day, a few days and up to a week, in forensic mode one can work on much longer periods (months, quarters, year). Filters (pre-saved or created on the fly) can also be applied to the displayed data. It is also possible to navigate between entities such as agencies or sites for a large company or customers for an MSSP operator. Finally, on the top left of the screen  are the menus corresponding to the different modules of the application: ALERT, ARCHIVE, ANALYZE and ADMIN.

Prelude SIEM module

ALERT module

The Alert module is the heart of Prelude SIEM's in depth detection. This module is in charge of receiving traces, analyzing them, standardizing them into IDMEF, correlating them, aggregating them and notifying operators. Alert tracking is done within an "Alert Table" that inherits the features and facilities of Prelude deployments on many SOCs.

The operator's task is facilitated by:

  • A clear presentation of the information with a sortable and configurable column breakdown of the IDMEF fields.
  • A level of threat and risk of each alert materialized by a color and a number
  • A search area allowing quick filters on datas and attributs
  • Many configurable context menus allowing the operator to retrieve various information on the alert, the equipment concerned, the IDMEF detail, etc... without leaving the global monitoring screen.
  • The "one click" action allows you to launch commands from the interface to investigate the causes of the alerts (e. g. traceroute, finger, etc. or your own scripts).
  • The other features of the application are also available with a single click in the same or another tab: access to the log at the origin of the alert, the equipment inventory sheet, the equipment vulnerabilities, the behavioral analysis of the equipment or the user, access to the procedure sheets according to the classification of the alert, access to the knowledge base, etc.

Prelude SIEM is designed to simplify and accelerate the work of operators. On the real-time part of the detection and when an intrusion attempt scenario is detected it is sometimes very important that the operator can make decisions quickly. In-depth analysis, the construction of long search requests, graphical analysis will come in a second phase after having conducted the first operations of system security.

ARCHIVE Module

The Archive module is Prelude SIEM log management module. It allows you to split, store and index any type of data.

Logs are available as well as netflows and vulnerabilities, CTI information, etc. Thanks to this large BigData module, analysts have access to many sources of indices. Searches are facilitated by a standard syntax whose construction is facilitated by many contextual menus. The architecture of this module is based on the famous ElasticSearh database, so the distribution, scalability and performance capabilities are almost unlimited.

ANALYZE module

The Analyze module offers many features to work graphically on the data.

Several customizable (and exportable) dashboards are available for design. It is possible to mix classic and more complex representations on all the data stored in Prelude (alerts, logs, netflow, etc.). Prelude SIEM also offers compliance dashboards around PCI DSS and ISO 27002. Several statistical screens are available for the investigation with "drill down" features that allow to go back to the "source" data of the graphs. Prelude SIEM also offers original advanced mathematics graphics that allow you to detect weak signals within large amounts of data (e. g. Chord, Sankey, Parallel Coordinates, etc.) Finally, the Analysis module allows you to design and program technical or business reports for the various company departments as well as ompliance reports (PCI DSS, ISO 27000, etc.)

ADMIN module

The Admin module combines two modes of administration. An "GUI" mode for the most common cases, combined with a "file" mode in which it is possible to configure the entire Prelude SIEM. This second advanced mode allows for a lot of automation as well as complete control of your configurations and possibly the information you send us as part of the support. It is important that you stay put... no blind dumping of a closed database!

The end user is completely autonomous to create/modify/customize new correlation rules as well as take into account new equipment or applications. MSSP operators can create configuration profiles to be duplicated for different customers. A very granular rights management allows to differentiate rights, profiles, functions and data perimeters accessible by each operator.

"Why choose Prelude SIEM?"