MONITOR THE SAFETY
OF YOUR INFORMATION SYSTEM

Introduction

Originaly based on Prelude OSS project, Prelude SIEM provides open-source excellence in quality and performance. From this strong base, the Prelude team has designed ergonomic interface and added many features for the most demanding security teams.

Among its many features, Prelude SIEM allows you to:

  • Constantly monitor your security and possible intrusion attempts
  • Quickly and efficiently analyze the cause of an alert in order to act accordingly.
  • Seek, investigate, compare, correlate informations to identify more subtle threats.
  • Keep all traces of your systems in terms of evidence ensuring their integrity.
  • Design and publish multiple formats of technical or functional reports.

 

Prelude SIEM: In-depth detection

To extract the essential information necessary for operators to control the security of the company, the events sent to Prelude go through different stages summarized below. It is this systematic processing of data available that allows the in-depth detection to identify “standard” events but also deviations from normal behavior. To do this, Prelude SIEM combines “classic” detection methods with the latest techniques of behavioral analysis or machine learning, to which are added enrichment techniques (CTI).

The different stages of intrusion detection are:

centraliser icon

Centralization

Prelude centralizes all traces of your information system (syslog, NetFlow, files, etc.) and stores them in a secure database prior to analysis.

icon détecter

Detection

Within these traces, Prelude searches for indication of intrusion attempts by combining multiple detection techniques: classical detection based on the company's monitoring strategy, external detection based on information from the community (CTI) and finally new machine learning-based data analysis techniques to identify deviant behavior. Thus, Prelude implements the principles of In-Depth Intrusion Detection.

Normalization

Prelude SIEM standardizes all the notables or suspicious events to IDMEF standard format (RFC 4765). With this format, events are enriched to facilitate automation and correlation processes but also to provide as much information to the operator (contextualization alerts) to allow it to respond quickly and effectively.

Correlation

Prelude SIEM offers several correlation engines, depending on the needs of each correlation scenario. The user can build its correlation scenario from the HMI in "drag & drop". It is also possible to automate the creation of rules using the meta-language "EasyCorrel" and finally for the most advanced requirements, the operator has the opportunity to develop its rules and processing algorithms directly from Python scripts taking advantage of the richness of the language. Prelude SIEM is the only SIEM to provide multiple correlation techniques to define any type of attack scenario.

agrégation icon

Aggregation

On the interfaces, the operator can aggregate, sort, filter the information to better understand the causes and relationships. The correlated information can be represented in different graphic forms as needed. The calculation of the aggregation and aggregate attributes are made dynamically providing freedom to the operator.

notification icon

Notification

Prelude offers a threat management dashboard displaying an operational classification of alerts. Without leaving this screen, the operator has access to many tools to facilitate the processing of these threats (investigative tools, access to inventory information and vulnerabilities, detailed IDMEF fields, access to the results of behavioral analysis etc.). In addition, Prelude SIEM provides numerous features to alert operators directly on their email or on their mobile phone depending on the severity of alerts, thus avoiding "spam." Prelude SIEM also offers creation / programming of technical or functional reports to the directions of the company (CEO, CIO, etc.)

iPrelude SIEM INTERFACES

Prelude SIEM interfaces were created in collaboration with operators and ergonomists. The look and feel have been designed to facilitate the work of operators by streamlining the handling of alerts as much as possible. Several concepts are inherited from operating platforms, based on ITIL processes for example. In addition, many configuration and customization alternatives are available to adapt to larger numbers of users and operating mode.

Prelude SIEM is usable from a browser on Windows, Linux or Mac. Prelude SIEM uses the latest web technologies to provide maximum ease of use without security problems (no flash, no java, etc).

The interfaces are multilingual, including of course French and English.

The general interface is presented with the “Risk Overview” at the top right that shows synthetically the level of risk on the information system. Under this Risk Overview is the control menu to configure the data that will be displayed in the operating area. In operational mode, it will allow work on the current day or the previous few days up to one week. In forensic mode, you can work on much longer periods (month, quarter, year). Filters (pre-recorded or created on the fly) can also be applied to the displayed data. It is also possible to navigate between entities such as agencies, sites for a large company or clients for MSSPs operator. Finally, we find in the different modules of the application menu: ALERT, ARCHIVE, ANALYZE and ADMIN.

The Prelude SIEM modules

The ALERT Module

The Alert module is the heart of the in-depth detection of Prelude SIEM. This module is responsible for receiving traces, their analysis, standardization in IDMEF, correlation, aggregation and their notification to operators. Monitoring alerts is done in an “alerts tray” that inherits feedback from the Prelude SIEM deployments in many SOCs.

The task of the operator is facilitated by:

  • A clear presentation of information with a division into columns, sortable and configurable IDMEF fields
  • A calculation of the level of threat and risks of each alert materialized by a color and a number
  • A search box allowing quick filters on information
  • Many customizable context menus, allowing the operator to retrieve various information about the alert, the equipment concerned, IDMEF details, etc … without leaving the overall monitoring screen
  • The “one click” action allows to run commands from the interface to investigate the causes of the alert (eg, traceroute, finger, etc. or your own scripts)
  • Other features of the application are available with a single click in the same or in another tab: access to the log behind the alert, the equipment inventory sheet, equipment vulnerabilities, behavioral analysis of the equipment or the user, access to the records of procedures according to the classification of the alert, access the knowledge base, etc

Prelude SIEM is designed to simplify and accelerate the work of operators. In the real time part of detection and when an intrusion attempt scenario is detected, it is sometimes important that the operator can make decisions quickly. The in-depth analysis, construction of long search query, and graphical analysis will come in a second time after the execution of the first system emergency control operations.

The ARCHIVE Module

The Archive module Prelude SIEM’s “Log Management” module. It centralizes, cuts, stores and indexes any data type.

Logs are available as well as Netflows, vulnerabilities and CTI information (Cyber Threat Intelligence). Thanks to this Big Data module, analysts have many sources of clues. Searches are performed with a standard syntax, the construction is facilitated by many contextual menus. The architecture of this module is based on the famous ElasticSearch NoSQL database. Thus the distribution capabilities, support and performance rise are virtually unlimited

The ANALYSIS module

The Analysis module provides many features for working graphically on the data. Several customizable (and exportable) dashboards are available to the design. It is possible to mix conventional and more complex representations of all data stored in Prelude SIEM (alerts, logs, NetFlow, etc.). Prelude SIEM also provides compliance dashboards around PCI DSS and ISO 27002. Several statistical screens are available for the investigation with drill-down features that can be traced back to the given “source” of an anomaly. Prelude SIEM also offers advanced graphics that detect weak signals in large amounts of data (eg Chord, Sankey, parallel coordinates, etc.). Finally, the Analysis module allows the conception and programming of technical reports for the different directions of the company.

 

The ADMIN module

The Prelude Admin module combines two modes of administration. A “GUI” mode for the most common cases, coupled with a “file” mode in which it is possible to configure the entire Prelude. This second mode allows many advanced automation and complete control of your configurations and possibly sending the information you may transfer to us as part of the support. Even if your data will not leave Europe, it is important that you remain in control of it … no blind dump of a closed database!

The end user is completely autonomous to create, modify and customize new correlation rules and consider new devices or new applications. MSSP operators can create configuration profiles to duplicate at each client. A very granular rights management differentiates rights, profiles, functions and areas of data accessible by each user.

 

 

consider

Visit our other pages

Why choose Prelude SIEM?