Specifies the execution and configuration for the activity service
Advanced Correlation Rule
Allows you to create a correlation rule that incorporates all of the features of the simple correlation rule, as well as send an event when a set of events has meta-tag values that are different, such as a sensor being inside or outside the firewall. For example, an Advanced Correlation rule can look for events from the same source IP address to the same destination IP address with the same event name that occur both inside and outside a firewall (meaning the attack may have made it through the firewall).
An integrated system with SecurityNexus database of vulnerabilities to provide a cross-reference between real-time events and known vulnerabilities.
An agent is the receptor that collects and normalizes raw events from security devices and programs and outputs normalized events that can be correlated, reported and used for incident response.
There are three levels of Agents, they are:
§Supported Agents (T1)
§Documented Agents (T2)
§Sample Agents (T3)
Agents are made of:
A GUI that allows you to create rules based agents to collect, filter and normalize data from many different sources and securely communicate relevant information to the e-Security Sentinel Server that can be used to monitor traffic.
Processes the template logic for each port. An agent engine runs a corresponding port.
The wizard back-end that manages agents and system status messages.
Aggregation and Event Normalization
Aggregation is the process of taking individual low-relevant data items and combining them, resulting in a data item that could possibly be high importance. The individual parts of event, such as the event name, event date, Source IP, Destination IP, UUID, Sensor Type and so on, by themselves may not have much meaning. However, put them together and an event is created that could be an event of interest that could possibly be an attack on the network resulting in a possible exploit of an asset. Saving an entire event causes the storage of duplicate information. For example, in a non-aggregated system for ten events that are identical, except for event date will store each event resulting in identical data items (event name, Sensor Type, etc...) being saved ten times. Aggregation will store the identical data items just one time and then keep a running account for an hour.
Event data is transformed, summarized and stored into summary tables. Summary reports can then run against the pre-computed summaries, which makes queries less contention on the real-time event tables. The event aggregation engine captures binary event data, transforms it into a normalized event structure and summarizes it based on a set of pre-defined set of summary definitions. The event aggregation engine processes events in a near real-time fashion with minimum overhead to the real-time e-Security system.
In Sentinel Control Center, allows for historical reporting. Historical and vulnerability reports are published on a Crystal® web server, these run directly against the database and they appear on the Analysis and Advisor tabs on the Navigator bar in the Sentinel Control Center.
Purpose behind Asset Management to is to link an event or events to assets and vulnerability information to perform a method to protect the organizationâs assets efficiently. There are two types of assets, physical and soft. Physical Assets is hardware and Soft Assets is services and applications.
Basic Correlation Rule
Allows you to select any of the meta-tags to create a correlation rule that enables you to count the number of times certain conditions are met within a specific timeframe. For example, a Basic Correlation rule can look for the same source IP address reported five times in five minutes, even if the events are reported from different products, such as an intrusion detection system (IDS) and a firewall.
See Mapping Service.
The event identifier of the correlated event generated by the rule that has triggered.
The process of analyzing security events to identify potential relationships between two or more events. Correlation allows quick association of priority attacks based on common elements of event data. Trends or patterns among lower level events that are designed to operate below security thresholds can be more effectively identified using correlation.
e-Security provides you with five types of correlation rules. They are:
§Free Form RuleLg
The Correlation Engine performs analysis of incoming events to find patterns of interest and drill-down on correlation events to determine the details that triggered a rule.
Correlation Engine Process (correlation_engine)
The Correlation Engine (correlation_engine) process receives events from the Wizard Agent Manager and publishes correlated events based on user-defined correlation rules.
Data Access Service Process (DAS)
The Data Access Service (DAS) process is Sentinel Server's persistence service and provides a message bus (iSCALE) interface to the database. It provides data driven access to the backend database. It receives XML request from the different Sentinel processes, converts them to a query against the database, processes the result from the database and converts it that back to an XML reply. It supports requests to retrieve events for Quick Query and Event Drill Down, to retrieve vulnerability information and advisor information and to manipulate configuration information. DAS also handles logging of all events being received from the Wizard Agent Manager and requests to retrieve and store configuration information.
Specifies configuration parameters for the Data Access Service (DAS), a component of e-Security Database.
Specifies configuration parameters for the Data Access Service (DAS), a component of e-Security Database.
Specifies the configuration for the Active Views function within the Sentinel Control Console
See Data Synchronizer Process.
Data Synchronizer Process (Data Controller)
The Data Synchronizer (data_synchronizer) process manages the modification of configuration data by multiple users. When a user requests to modify data through the Sentinel Control Center, the data record is locked by the data_synchronizer. The details of who locked the data are published to the other active Sentinel Control Centers, and no other users may modify that data. If a Sentinel Control Center is closed before it unlocks any data that it has locked, the locks will timeout.
An event is an action or occurrence detected by a security device (external event) or process (internal). Events can be security-related, performance-related or information related. For example, an external event could be an attack detected by an Intrusion Detection System (IDS), a successful login detected by an operating system or a customer-defined situation such as a user accessing a file. Information related events are internal events. Internal events indicate a change in state of a process. For example the stopping of a port.
Event configuration (Part of Mapping Service) allows you to:
§Enable Regulatory Compliance monitoring
§Enable Policy compliance
§Enable response prioritization
§Enable security data to be analyzed related business operations
Event configuration is the assigning of names to existing labels. For example, renaming Ct2 to City. Changes propagate to filters and correlation rules.
event ID number
A number assigned to an event.
Event Router performs the event mapping transformation and filtering.
Event Real Time
Ability to monitor events as they are happening and perform queries on these events. You can monitor them in a table form or though a 3-D graphical representation.
See Mapping Service.
See Event Performance Process.
e-Security filters allows processing of data based on a specific criteria for both events coming into the system and users of the system. There are multiple levels of filtering:
§agent - done through the script using the agent builder
§global filter - Applied equally to all events generated by all Wizards in the system. Only events that go past the Global Filters are sent to all Sentinel processes.
§security filter - Applied to active Users. These filters restrict the events that an active user can observe. These filters are assigned by the Administrator.
§display filter - Applied to interface views. These filters let the user define their event windows for real time analysis. These filters are applied by each user.
There are two types of filters:
§public - Public filters are system-owned. Public filters can be used as security filters or display filters. Security filters are based on user permissions. Display filters determine which events are depicted in the real time event tables, charts and graphs.
§private - Private filters are user-owned. Private filters are display filters and are shareable if you have the View Private Filters permission.
See Event Performance Process.
A grouping a set of events together as a whole representing something of interest (group of similar events or set of different events that indicate a pattern of interest such an attack).
See System Events.
The Message Bus provides a Java Message Service (JMS) framework for inter-process communication. Processes communicate through a broker, which is responsible for routing and buffering messages. Multiple brokers can communicate with each other in order to traverse firewalls and for load balancing.
The following processes communicate with each other through the Message Bus.
§Event Performance (Filter Engine)
§Event Counts Over Time (Statistics Engine)
§Data Synchronizer (Data Controller)
§RuleLg Checker (Correlation Rule Checker)
§Data Access Service (DAS)
iTRAC involves the automation of procedures, the ability to respond to incidents. e-Security provides a workflow management system that provides procedural automation of the SANS Incident Handling process. The main parts iTRAC are:
§Worklist Handler â application used to move from one activity to another.
§Activity Builder â application used to create your own custom iTRAC
§Process Monitor â Monitors the activities (steps) taken to complete a process.
For Agents, Lookup files are optional tables (.lkp files) against which received values are compared to determine what actions, if any, to take in response to security events. Lookup files contain match clauses, which are used to compare individual strings. Based on the match clauses in a specific lookup file and the data received from sensors, the LOOKUP Command will determine whether the search string is found or is not found.
Optionally, parsing commands may be associated with the match string. The parsing commands are executed if a match is found.
For Agents, Mapping files are optional files (.csv) that allow for fast lookup of key entries. The csv file is a relative path from an agentâs script directory. The editing of these files is currently not within Agent Builder, but the files can be edited using Excel.
e-Security's Mapping Service enables immediate, actionable notification of attacks on vulnerable systems. It provides a real-time link between events and vulnerability scan results, so that users are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This enhances the efficiency and effectiveness of incident response, resulting in increased availability of critical systems and highly cost-effective security.
Message Oriented Middleware
Meta-data is information about data, pre-defined variable names for meta data. For example, the source IP of an attack is stored in the SourceIP meta-tag. Product names are stored in the ProductName meta-tag. Data used to populate meta-tags is either extracted from event data or is set as part of the agent processing.
Meta-tags store meta data.
For Agents, Parameter files (.par files) are tables used to define parameter names on the associated run script files. They are used when referenced in the parsing code. Parameters are the equivalent of variables. Parameters are stored as strings. Any numeric value needs to be converted into a string for manipulation. When new values for parameters are entered, they take effect after you build your script. They are merged with the template file when creating a script.
Run script file names are displayed in the first row of the table and the parameter names or labels are displayed in the first column of the table. The second row of the table is used to define the icons that appear in the Agentâs tree. The remaining row defines the variables or parameter values to be used for parameter as it relates to the particular script.
Values within a parameter file are:
§Meta-tags, information and comments â there are over 200 available meta-tags, 100 are user configurable and the rest are reserved.
§Rule â set file names appear in the header row of the table, while parameters themselves appear in the first column in the table
§Bitmap â second row of the table, defines the bitmap used for that file. The bitmap will appear in the Agents list.
In Wizard, a high-level scripting interface that allows manipulation of data. Parsing is the process of breaking an event down into its components.
In Wizard, ports enable an Agent to locate the security event data on the network by providing the IP address and other information about the source (security device [router, IDS, switch, etcâ¦]). Each row in the Port Configuration table runs one agent script to one event source.
Query Manager Process (query_manager)
The query manager (query_manager) receives quick query and drill down requests from Sentinel Control Center and forwards them to the database through DAS. The requests from Sentinel Control Center define the events needed via a criteria or a filter. If a filter is used, the Query Manager retrieves the filter definition and converts the filter to an xml criterion. Query Manager then sends the request to the database. Not all filters can be completely converted to xml. If the filter is fully converted, the Query Manager instructs DAS to send the reply directly to the Sentinel Control Center. If the filter contains regular expressions that cannot be converted to xml the query manager converts what it can and generates a conservative xml criterion that returns a superset of the required events. In that case, Query Manager instructs DAS to return the result to the Query Manager. When the reply comes back to the Query Manager it filters it in memory and sends those events that pass the filter to the Sentinel Control Center.
See Query Manager.
Part of Agent Manager, default size is 50,000 events. The receive buffer is an editable parameter. Minimum size is 5,000.
Rx Buffer Pointer
The Receive Buffer pointer points to data bytes in the Receive Buffer. Prior to each evaluated decide string, the Receive Buffer pointer is reset to its held value (normally zero).
RuleLg Checker Process (rulelg_checker)
The RuleLg Checker (rulelg_checker) process validates filter and correlation rule expressions. The Sentinel Control Center uses these results to determine if a filter or a correlation rule can be saved.
In Wizard, a compiled file (*.asd) that is made up of the agent template file, parameter file, lookup file and mapping file.
Sentinel Control Center is the central management console to view summary displays, historical reports, filter real-time events and create incidents. Sentinel Control Center provides real-time display of events, system overview of changes in activity triggered by settings set in agents, administration of filters, reporting, correlated rules and global filters and security event management through incidents.
Sentinel Server receives normalized event information collected by Agents from Wizard Agent Manager. The Sentinel Server correlates these events to find patterns and identify threats and reports on real-time data and historical information that can be viewed on the Sentinel Control Center.
Sequences (startup and backout)
Startup and backout sequences are assigned to a port, which executes the series of scripts that it contains when it is started or stopped. A script must be included in a startup or backout sequence in order to be used by a port. Ports enable an agent to locate Wizard hosts on the network by providing the IP address or file name about the host. They also provide Sentinel with information on the location of sensors and the agent that is used to manage data for those sensors. The following options are configurable for ports:
§Input/output file names
See Event Counts Over Time Process.
Internal or System Events is a means to report on the status and status change of the system. There are two types of events generated by the system, they are:
Internal events are informational and describe a single state or change of state in the system. They report when a user logs in or fails to authenticate, when a process is started or a correlated rule is activated. Performance events are generated on a periodic basis and describe average resources used by different parts of the system.
For Agents, you can create, add states to, edit and delete templates. Templates determine how records will be processed. Most of the decisions about templates revolve around what types of records you are working with and their format. There is an equivalent template file with a .tem extension.
Template files are based on states. A state is a decision point within the logical flow or path of a template. Each point (state) contains information indicating the next processing to perform. States include parameters when the template is merged with a parameter file, specific values replace the parameters. When the parameters are replaced by specific values, one or more script files are created.
As a state is inserted into a template, it is assigned a number that remains with it no matter where it is moved in the template.
A graphical representation of real-time event data against vulnerable systems and is available on an event for current and event time vulnerability.
Watchdog is a Sentinel Process that manages all other Sentinel Processes. If a process other than Watchdog stops, Watchdog will restart that process.
Watchlist Correlation Rule
Allows you to specify a text string that the Correlation Engine will watch for in every meta-tag for every incoming event. For example, a Watchlist rule can look for a specific source IP address of a hacker and notify you anytime that IP address is seen in any event message.
The Agent Builder and Agent Manager.
Any machine that has the Agent Manager software installed.
Specifies the configuration for the workflow (iTRAC) service.