Prelude SIEM at Paris Open Source Summit

CS will be present on December 5 and 6, 2018 at the Paris Open Source Summit on stand B4.

On this occasion CS will present:

- Prelude SIEM, its cybersecurity monitoring solution

- Vigilo NMS, its performance monitoring solution

CS will also present its new convergence solution for performance and security: Unity 360.

This exhibition will also be the occasion to launch phase 2 of the SECEF (Security Exchange Format) project. The project will be presented by Gilles Lehmann at his conference in:

Salle Cygal

Thursday, December 6

from 11.30 am


Power of the IDMEF format

The power of a SIEM rests largely on the richness and relevance of the format on which it is based. In this domain, Prelude uses the most powerful and most standard format available today.

Prelude implements the IDMEF format for handling alerts. IDMEF (Intrusion Detection Message Exchange Format) is a format defined by IETF RFCs 4765 and 4766. It was the subject of an IETF working group for several years. The IDWG (Intrusion Detection Working Group) consisted of members such as IBM, MIT, Cisco, Nokia, MITRE and the Prelude team.

The primary objective of defining the IDMEF format was to improve the automated processing capabilities of probes and SIEMs, in order to increase these tools' detection capabilities (particularly through correlation) and to simplify the work of operators.

In 2015, as part of the SECEF project (www.secef.net), a project supported by the DGA to promote and improve the IDMEF and IODEF alert formats, the SSIR team of CentraleSupelec conducted a comparative study of the main alert formats available on the market.

The summary of the study is presented in the table below:


Format                                              IDMEF   CEF     LEEF    CIM     CEE     CADF
Fields number                                       166     117     50      58      56      48
Normalized fields number                            259     84      49      48      49      76
Translatable fields number                          259     65      20      29      39      72
Untranslatable but relevant fields number           0       15      11      11      5       3
Untranslatable and slightly relevant fields number  0       4       18      8       5       1
Relevant fields number                              248     80      31      40      44      75
Coverage of the IDMEF format                        100 %   25 %    8 %     11 %    15 %    28 %
Relative richness compared to IDMEF                 100 %   32 %    13 %    16 %    18 %    30 %

Format           IDMEF             CEF             LEEF            CIM     CEE     CADF
Origin           IETF (RFC 4765)   HP (ArcSight)   IBM (QRadar)    DMTF    MITRE   Open Group
Expressiveness +++ ++ + +? ++
Structuration +++ + ++

This study highlights two features of IDMEF compared to its proprietary competitors:

  1. Greater expressiveness than its competitors. Combined with the power of the Prelude correlator and filter modules, this richer content allows alerts to be handled more effectively and thereby improves detection capabilities. Processing is transferred from the analyst to the tool, so that it can be used 24/7 by non-expert first-level teams.
  2. Better structuring than its competitors. With this structure, the alert and threat information displayed in the Prelude interfaces reflects the network reality more closely. The path between the different probes and the manager, for example, is very easily represented and enables simpler, better and more compartmentalized processing for medium to large information systems.
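To make the expressiveness and structuring points above concrete, here is an added example (not Prelude code) that parses an RFC 4765 IDMEF alert with the Python standard library and extracts the nested Analyzer chain (the probe-to-manager path), source and target addresses, classification and severity. The namespace URI, element names and attributes follow RFC 4765; the sample message, its analyzer ids, addresses and classification text are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF namespace URI from RFC 4765

# Constructed sample alert (not a real Prelude message). RFC 4765 lets a manager that
# relays an alert wrap the probe's <Analyzer> inside its own, preserving the path.
SAMPLE_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="constructed-0001">
    <idmef:Analyzer analyzerid="manager-01" name="prelude-manager">
      <idmef:Analyzer analyzerid="waf-01" name="mod-security"/>
    </idmef:Analyzer>
    <idmef:CreateTime>2018-12-06T11:30:00+01:00</idmef:CreateTime>
    <idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>192.0.2.50</idmef:address></idmef:Address></idmef:Node></idmef:Source>
    <idmef:Target><idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>198.51.100.10</idmef:address></idmef:Address></idmef:Node>
      <idmef:Service><idmef:port>443</idmef:port></idmef:Service></idmef:Target>
    <idmef:Classification text="SQL injection attempt"/>
    <idmef:Assessment><idmef:Impact severity="high" completion="failed"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>"""


def analyzer_chain(alert):
    """Follow nested <Analyzer> elements: first item is the last relay, last is the probe."""
    chain, node = [], alert.find("idmef:Analyzer", NS)
    while node is not None:
        chain.append(node.get("analyzerid"))
        node = node.find("idmef:Analyzer", NS)
    return chain


def addresses(alert, role):
    """All <address> values under every <Source> or <Target> element of the alert."""
    path = f"idmef:{role}/idmef:Node/idmef:Address/idmef:address"
    return [a.text for a in alert.findall(path, NS)]


def summarize(xml_text):
    """Reduce an IDMEF message to the fields a level-1 operator looks at first."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    impact = alert.find("idmef:Assessment/idmef:Impact", NS)  # optional in RFC 4765
    return {
        "classification": alert.find("idmef:Classification", NS).get("text"),
        "analyzer_chain": analyzer_chain(alert),
        "sources": addresses(alert, "Source"),
        "targets": addresses(alert, "Target"),
        "target_ports": [p.text for p in alert.findall("idmef:Target/idmef:Service/idmef:port", NS)],
        "severity": impact.get("severity") if impact is not None else None,
    }
```

For alerts received from sources you do not control, parse with a hardened XML parser such as defusedxml instead of the stock ElementTree.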


As part of the SECEF project, developments and enrichments of the IDMEF format have been proposed that will strengthen its advantage over its competitors.

What’s new in Prelude NG

Prelude NG is the first version of the R&D project supported by the Ministry of Defence and ANSSI (the French national cybersecurity agency). The work of the PIA project focuses on improving the graphical user interface, operability and new features, as well as Prelude's performance.

GUI and Ergonomics

Complete new GUI: the Prelude NG GUI now uses the latest rich-client application technologies (Bootstrap, Ajax, HTML5, etc.), making the interfaces modern, dynamic and responsive.

Widgets: Prelude NG relies on "widget" technology for display windows, avoiding navigation tabs. This improves operators' concentration.

Tooltips: the operator now has contextual information available as tooltips in the operating interfaces. It is no longer necessary to change window to access this information, which makes handling alerts easier.

New graphical visualization library: the old Flash-based FusionCharts graphs have been replaced by a recent, dynamic HTML5 library (better compatibility with newer browsers and better security). The display is more ergonomic and more fluid. In addition, several new features are available on the graphs: dynamic change of representation, dynamic aggregation of portions of a graph, saving a graph in image format, etc.

Customizable dashboard: with a few clicks, you can build a dashboard from the many views available. All Prelude views can be used, so statistics can be combined with forensic graphs, a timeline and the alert tray.

Operations and Deployment


Simplified alert board: a sleek alert tray is available for level 1 operators. The 'advanced' board remains available for analysts and experienced operators.

Control menu: the control menu has been completely redesigned and rewritten to facilitate the work of operators. The menu is readily available and has new shortcuts for operations. The use of the latest components (calendar, time slider, etc.) reduces data entry work for operators.

New selection and correlation rule configuration interfaces: ergonomic mechanisms have been added to create correlation rules by drag and drop. Correlation and selection criteria are designed in WYSIWYG mode. With fully rearranged configuration interfaces for correlation and selection rules, it is no longer necessary to edit program files to manage the different rules.

Rule deployment: all these operations are done through the deployment interfaces. It is no longer necessary to edit configuration files or use the command line to enable correlation and selection rules.

Development of a new Archive module: the Archive module (big-data storage and indexing of logs) has been completely redesigned to improve usability and efficiency. The search interface presents a graphical view of the results, and searches can be built in a few clicks. An "expert" input box is available for advanced users. In addition, the Archive module GUI is compatible with external log management software.

Multi-archive plugins: to meet the needs of customers who already have a log manager, Prelude NG can integrate with the leading solutions on the market. Specific plugins are available for Splunk, ELK, Graylog and ELSA.

PCI DSS and ISO 27002 compliance management: new compliance graphs for PCI DSS and ISO 27002 are now available. They can be produced in office document format or viewed directly in the web interface.

Forensics: Prelude NG offers several advanced graphs to help operators identify abnormal behaviour that may indicate APTs. These charts offer new perspectives and original representations suited to forensic analysis.

Appliance administration: the administration and configuration of the appliance is now done through onboard interfaces. Interfaces are available for configuring networks and systems, and for maintenance and fault analysis.

Knowledge base: Prelude NG embeds a knowledge base and procedure notes that assist operators in resolving incidents.

Appliance monitoring: a new monitoring module monitors the state of the Prelude NG appliance (disk space, CPU, network interfaces, etc.). Exceeding certain thresholds raises an alert.

New probes: a native IDMEF connector has been implemented in new detection probes: web application firewall (WAF): mod-security; anti-virus: ClamAV; spam: SpamAssassin; proxy: Squid; CrawlProtect (PHP WAF).

Apps: all the operating interface code is organized as Apps. This architecture makes configuring interfaces easy, and also allows third parties to develop new plugins for specific needs.

IODEF interface: Prelude NG offers a first IODEF interface. It allows an IODEF-format incident to be created from a Prelude incident and sent by email. IODEF (Incident Object Description Exchange Format) is the standard format for security incident resolution that meets businesses' incident reporting requirements.

Enriched default configurations:

- Selection: 100 devices

- Correlation: 80 rules

- Views: 20 new views

Performances

Search and alert display speed in the GUI: x10
Improved alert search and selection performance, based on optimization of the selection queries, speeds up searches by a factor of 10.

Insertion speed: x2
Improved raw alert processing and correlation performance increases insertion speed by a factor of 2, which raises the theoretical number of alerts an appliance can handle to 16 million a day.