MaxPatrol SIEM. Information Security Event Management System Overview



Introduction


Friends, good afternoon.

I want to devote this article to MaxPatrol SIEM, a product of Positive Technologies, a company that has been developing innovative cybersecurity solutions for more than 17 years.

In it, I will try to briefly describe the main tasks and activities that any security officer encounters in their work, and show how to solve them using the MaxPatrol SIEM product as an example.

I will also try to describe its platform and licensing scheme.

In addition, I invite everyone to the webinar that will take place on 8.04.2020 and will be dedicated to the Platform 187 product (5 products in 1 server: MaxPatrol SIEM, MaxPatrol 8, PT Network Attack Discovery, PT MultiScanner, PT Departmental Center). Details of the webinar and registration are available at tssolution.ru/events/positive_187_08_04.

If you are interested, read on.

So, at the beginning of the review, as always, we cannot do without a bit of theory, and I will start with the famous aphorism of Nathan Mayer Rothschild, which he uttered in June of the distant year 1815, when Napoleon was defeated at the Battle of Waterloo, and which is more relevant today than ever: "Who owns the information, owns the world."

In our modern, digital world, information has become the most valuable asset not only of commercial enterprises but also of states. The simplest example of how critical information is today is citizens' money, which in the modern world is kept not in mattresses and chests but in digital form in bank accounts, and is essentially a set of records in some database.

The constant growth of telecommunications, where in theory anyone with Internet access can reach information stored on systems connected (or even not connected) to the global network, fuels a continuous "arms race" in the field of information security:

  • almost daily, vulnerabilities of varying criticality are discovered in various software, for which vendors try to quickly release patches and fixes and which they eliminate in new releases;
  • technical experts who have taken the "dark side" in applying their knowledge try to discover new attack vectors against enterprise infrastructures, developing tools that make the job easier for them: in effect, they write their own software (called malicious) or extend existing tools;
  • technical experts who have taken the "bright side" develop various products for protecting information and enterprise infrastructure at vendor companies and implement them in organizations with the help of partners;
  • both sides have in common that they are in continuous training, searching for knowledge, and developing and improving their tools.

Overall, this is the classic "sword and shield" confrontation, which in information security is often called "red team vs blue team".

IS events


Now let's move on to more down-to-earth matters and consider an attacker's typical attack path, their sword, with which they threaten enterprise infrastructure.

Often, an attack on any information system consists of 3 main stages:



In contrast, IS engineers build the following protective measures, their shield, with which they protect enterprise infrastructure:



Friends, I want to draw your attention right away to the fact that many people confuse 2 concepts:

  • information security is, in fact, a conditional state of information: it is either secure or not;
  • ensuring information security is a continuous process aimed at keeping information in that secure state.

Let's take a look at each step in providing protective measures separately:

  • investigation in the framework of an IS incident: identification of the attacking and attacked assets or the IS violators, the degree of impact and the level of violations, etc.
  • based on the results of the investigation, certain decisions are made:
    • adjust (change) security settings on assets or information protection tools
    • adjust (change) the enterprise security policy and conduct staff training

And as I said earlier, all of this must be continuous, that is, carried out constantly, in 24x7x365 mode.

This gives rise to 3 important criteria for any SIEM system:

  • the number of event sources (information systems and vendor equipment) that the SIEM system supports out of the box;
  • the number of correlation rules (I call them SIEM signatures) that can detect the onset of a critical event in the event stream and raise an alarm;
  • development tools for both of the above: the ability to connect your own sources and develop your own correlation rules (for your company and its IS policy).
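As an added example (not the product's own code or rule language), here is a toy version of what the three criteria mean in practice: two of the source types the product supports, sshd syslog and Windows logon events, are normalized into one schema, and a correlation rule over that schema raises an alert for a brute-force pattern. The syslog format is simplified (epoch timestamp prefix) and all sample data is constructed.

```python
import json
import re
from collections import defaultdict

SYSLOG_RE = re.compile(  # sshd lines with an epoch timestamp prefix (simplified format)
    r"^(?P<ts>\d+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")

def normalize_syslog(line):
    """sshd syslog line -> common event schema (None if the line is unrelated)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]), "host": m["host"], "user": m["user"], "src": m["src"],
            "outcome": "success" if m["result"] == "Accepted" else "failure"}

def normalize_windows(doc):
    """Windows logon event as JSON (4624 success / 4625 failure) -> the same schema."""
    ev = json.loads(doc)
    if ev["EventID"] not in (4624, 4625):
        return None
    return {"ts": ev["ts"], "host": ev["Computer"], "user": ev["TargetUserName"],
            "src": ev["IpAddress"], "outcome": "success" if ev["EventID"] == 4624 else "failure"}

def brute_force_rule(events, threshold=3, window=60):
    """>= threshold failures from one (src, host) within `window` s, then a success -> alert."""
    failures, alerts = defaultdict(list), []  # (src, host) -> recent failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["host"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[key] = recent + [ev["ts"]]
        elif len(recent) >= threshold:
            alerts.append({"src": ev["src"], "host": ev["host"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"]})
            failures[key] = []  # the burst has fired; start counting afresh
    return alerts

SAMPLE_SYSLOG = ["1000 srv1 sshd[1]: Failed password for root from 10.0.0.5",  # constructed
                 "1010 srv1 sshd[1]: Failed password for invalid user admin from 10.0.0.5",
                 "1020 srv1 sshd[1]: Failed password for root from 10.0.0.5",
                 "1030 srv1 sshd[1]: Accepted password for root from 10.0.0.5"]
SAMPLE_WINDOWS = [  # constructed: one failure then a success stays below the threshold
    '{"ts": 2000, "EventID": 4625, "Computer": "dc1", "TargetUserName": "bob", "IpAddress": "10.0.0.7"}',
    '{"ts": 2100, "EventID": 4624, "Computer": "dc1", "TargetUserName": "bob", "IpAddress": "10.0.0.7"}']

def run_sample():
    events = [e for e in map(normalize_syslog, SAMPLE_SYSLOG) if e]
    events += [e for e in map(normalize_windows, SAMPLE_WINDOWS) if e]
    return brute_force_rule(events)
```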

Platform description


Now let's move on to the MaxPatrol SIEM product from Positive Technologies. I must say right away that the company's developers set themselves the goal of building a system that supports all 3 types of activity in one product:

  • Preventive measures:
    • asset management: the product has built-in network node scanners and modules for inventory and audit of various systems;
    • a knowledge base, PT Knowledge Base (PT KB), with vulnerability data (including CVE) and data from Kaspersky and Group-IB;
  • Detection measures:
    • event collection. MaxPatrol SIEM supports the following source types:
      • Syslog
      • Windows Event Log
      • Windows File log (Microsoft Windows)
      • Windows WMI log (Windows Event Log over WMI)
      • NetFlow
      • ODBC Log
      • SSH File Log
      • CheckPoint LEA (Check Point OPSEC)
      • SNMP Traps
    • JSON and XML formats are also supported.

The platform consists of the following components:

  • MP Core: the core of the system; it uses RabbitMQ and provides the web UI.
  • MP SIEM Server: the SIEM server.
  • MP Storage: event storage, based on Elasticsearch.
  • PT KB: the PT Knowledge Base.
  • PT UCS (PT Update and Configuration Service): the update and configuration service, used to update PT KB.


Licensing

MaxPatrol SIEM has 2 types of licenses:

  • The base license. Its name has the form PT-MPSIEM-BASE-HNNNNN, where NNNNN is the size of the license (1000 assets, for example, corresponds to H1000). For example:

    • PT-MPSIEM-BASE-H1000: 1000
    • PT-MPSIEM-BASE-H2000: 2000
    • PT-MPSIEM-BASE-H5000: 5000
    • PT-MPSIEM-BASE-H10000: 10000
    • etc.
  • Component licenses for MaxPatrol SIEM. These are named PT-MPSIEM-XXX, where XXX identifies the component. For example:

    • PT-MPSIEM-SRV: the SIEM server (MP Core + MaxPatrol SIEM + MP Storage + PTKB + PT UCS).
    • PT-MPSIEM-AGT: an Agent.
    • PT-MPSIEM-NS: a Network Attack Discovery sensor for 1 Gb/s.
    • etc.


Some notes on licensing:

  1. The base license is sized by the number of assets; for example, an infrastructure of 1000 assets requires PT-MPSIEM-BASE-H1000.
  2. The minimum set of licenses is PT-MPSIEM-BASE-H1000, PT-MPSIEM-SRV and PT-MPSIEM-AGT.

Licenses with the "-EXT" suffix, for example PT-MPSIEM-AGT-EXT for the MaxPatrol SIEM Agent, are extension licenses.

MaxPatrol SIEM AIO (All-In-One)

Main points about the All-in-one edition:

  • MaxPatrol SIEM AIO (All-In-One) is a single-server edition of the product.
  • It is limited to 1000 assets.
  • The AIO edition is licensed together with PT-MPSIEM-SRV and 1 PT-MPSIEM-AGT.

MaxPatrol SIEM AIO licenses come in the following sizes:

  • 250
  • 500
  • 1000

A license can be upgraded from a smaller size to a larger one:

  • 250 –> 500
  • 250 –> 1000
  • 500 –> 1000




Technical support requests are registered on the support portal support.ptsecurity.com.

There is also a Telegram chat for MaxPatrol SIEM: t.me/MPSIEMChat.

The support service works from 9:00 to 19:00 UTC+3.
