
Seceon aiSIEM Technical Document

The information contained in this document is strictly confidential and is intended for the addressee only. The unauthorized use, disclosure, copying, alteration or distribution of this document is strictly prohibited and may be unlawful.

Copyright

© 2019 Seceon Inc. All Rights Reserved.

Legal Notice and Disclaimer

Seceon retains ownership of all intellectual property in its software and accompanying documents. The information and material presented in this document are provided as an information source only.

While effort has been made to ensure the accuracy and completeness of the information, no guarantee is given nor responsibility taken by Seceon for errors or omissions in the data.

Seceon is not liable for any loss or damage that may be suffered or incurred in any way as a result of acting on information in this document.

Download of our software indicates acknowledgement of these terms.

Contents

1. Understanding of Requirement ........ 4
   Background ........ 4
   Proposed aiSIEM Solution ........ 4
2. Solution Description ........ 6
   Overall Solution Diagram ........ 6
   Analytics and Policy Engine (APE) ........ 7
   Collection and Control Engine (CCE) ........ 7
   Decision Flow Architecture ........ 8
   High Level Diagram ........ 8
   Deployment ........ 9
   Key Capabilities ........ 11
   Benefits ........ 11

1. Understanding of Requirement

Background

SIEM has been a critical technology part of an organization’s security posture for a long time and does a good job of centralized analysis and reporting by ingesting logs and additional contextual data from different sources. Yet most organizations fail to derive the best value out of SIEM because of its implementation complexity and operational challenges. According to Gartner, no single technology, such as CLM, UEBA, NTA, SOAR or EDR, can replace the entire set of SIEM capabilities. With the adoption of hybrid cloud networks, the growing complexity of threat vectors, and a lack of cybersecurity expert talent, businesses today need an improved set of capabilities to complement their SIEM.

Furthermore, the volume of security incidents is rapidly growing and has become unmanageable for SOC teams, creating a need for end-to-end automation of detection and response. To circumvent the challenges of traditional SIEM, Gartner defines the modern SIEM as working with more than just log data and applying more than simple correlation rules for data analysis. Some of the key capabilities include: large-scale and more robust data collection from cloud and other modern IT data sources; collection and analysis of logs and data from networks and endpoints; incorporation of threat intelligence feeds for correlation and enrichment; enhanced data analytics beyond rules; fast and scalable search over volumes of raw data; and, most importantly, automated response.

Proposed aiSIEM Solution

The Seceon® aiSIEM solution, built upon its Open Threat Management (OTM) Platform, enables organizations to detect both known signature-based and evolving not-yet-seen cyber threats quickly, and to stop them as they happen, preventing the infliction of extensive corporate damage. The platform is agentless and moves away from pre-defined or static rules-based threat detection (no need to write rules). Instead it uses elastic compute power, dynamic threat models, behavioural analytics, advanced machine learning, and AI with actionable intelligence, together with proprietary feature engineering and anomaly detection algorithms, to take clear actionable steps to contain and eliminate threats in real-time.

The Seceon aiSIEM solution empowers Enterprise and MSSP SOC teams to orchestrate and analyse operational security data, manage threats and vulnerabilities, and respond to security incidents and threats in real-time. The solution provides formalized and automated incident response workflows for customized remediation with various security tools like APT, Security Analytics/Forensics, EDR, Sandboxes, WAF, IDS/IPS, Mail Security, Web Security, ADC.

In order to comply with the requirements posted by the Customer, the Bidder has proposed to use different components in the aiSIEM solution. Below is the list of components offered:

Collection and Control Engine: CCE collects input from a variety of sources. It extracts features, enriches the collected logs and flows at runtime, normalizes, classifies, compresses and then forwards the results to the APE. It also contains and eliminates threats in real time, using Auto Remediation as directed by the APE.

Analytics and Policy Engine: APE processes high-volume and high-velocity data in real-time using a contemporary big/fast data streaming engine. It employs state-of-the-art machine learning and AI along with dynamic threat models to detect and remediate threats instantly.

2. Solution Description

Seceon aiSIEM includes two key architectural components:

• Collection and Control Engine (CCE)

• Analytics and Policy Engine (APE)

aiSIEM will ingest appropriate artefacts such as Logs, Flows, Windows Events and Global Threat Intelligence from a variety of sources as described below and will feed them to OTM’s ML and AI based SIEM solution for intelligent decision making. The final decision is then executed as described in the Decision Flow Architecture.

Overall Solution Diagram

NOTE: The format and semantics of interfaces for each of the systems need to be provided to Seceon to ensure compatibility for processing and analysis.

Figure 1: How aiSIEM works?

Figure 2: aiSIEM Architecture

The integration with the above-mentioned components will be done after the installation sign-off.

Analytics and Policy Engine (APE)

The Analytics and Policy Engine (APE) processes high-volume and high-velocity data in real-time (without adding latency) using a contemporary big/fast data streaming engine. It employs state-of-the-art machine learning and AI along with dynamic threat models to detect and remediate threats instantly.

The components of APE include:

• Big/Fast Data Streaming Engine

• Dynamic Threat Model Engine

• Machine Learning Engine

• AI Engine with Actionable Intelligence

• Strong Correlation Engine (can manage billions of events per day)

o Pre-defined or new rules as part of the Dynamic Threat Model

o Geo Enrichment

o Historical Context Enrichment

o Vulnerability Assessment Enrichment

o Host Name Enrichment

o Threat Intelligence Enrichment

o Username Enrichment

Collection and Control Engine (CCE)

The Collection and Control Engine (CCE) collects input from a variety of sources. This includes log collection from all network assets as well as from assets in all Data Centres. It extracts features, enriches the collected logs and flows at runtime, normalizes, classifies, deduplicates, compresses and then forwards the results to the APE. It also contains and eliminates threats in real time, using Auto Remediation as directed by the APE. With the above processing, the log storage space requirement is reduced by up to 70%.

The input to CCE includes:

• Raw Network and Metadata Stream such as Netflows and Sflows

• Syslog from network devices, such as firewalls

• OS Logs, like Windows, Linux, etc.

• Raw Application Logs from several applications like MS-SQL, MS Exchange, Windows Active Directory, RADIUS, SMTP, FTP, Office365, DNS/DHCP, File Server, Vulnerability Assessment etc. in the network.

• Only Security Related (Meaningful) logs are sent to the APE for Correlation

• All Raw logs can be compressed and stored for long term compliance

• Threat Intelligence and Enrichment Data – the Open Threat Management Platform consumes feeds from its predefined set of threat intelligence sources for enrichment, such as blacklisted URLs and domain names. Users can send feeds from their own sources, as well.
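As an added example, not Seceon's code and not a description of how the CCE is actually built, the following Python script walks constructed log lines through the stages named above: normalization into one common schema with UTC timestamps, deduplication, enrichment from a threat-intelligence list and a hostname table, and forwarding of only the security-relevant records. The two log layouts, the feed entries, the host table and the event-class names are all assumptions made for the illustration.

```python
"""Added illustration, not Seceon's code: a miniature Collection and Control
Engine stage that normalizes two constructed log formats into one event
schema (UTC timestamps, common field names), deduplicates repeats, enriches
records from a threat-intelligence list and a hostname table, and forwards
only the security-relevant records to a stand-in for the APE.
The log lines, the feed and the host table are all constructed samples."""
import json
import re
from datetime import datetime, timezone

# Constructed raw input: firewall syslog lines (with a +05:30 offset) and
# Windows logon events (UTC), each in its own vendor layout.
RAW_EVENTS = [
    "2019-11-05T10:15:30+05:30 fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=445",
    "2019-11-05T10:15:30+05:30 fw01 action=deny src=203.0.113.9 dst=10.0.0.5 dport=445",  # repeat
    "2019-11-05T10:15:31+05:30 fw01 action=allow src=10.0.0.7 dst=10.0.0.5 dport=80",
    "2019-11-05 04:46:00 UTC winsrv EventID=4625 TargetUserName=alice IpAddress=198.51.100.4",
    "2019-11-05 04:46:02 UTC winsrv EventID=4624 TargetUserName=bob IpAddress=10.0.0.7",
]
# Constructed enrichment data standing in for a threat-intelligence feed and an asset inventory.
THREAT_INTEL_IPS = {"203.0.113.9": "bad-reputation IP (constructed feed entry)"}
HOSTNAMES = {"10.0.0.5": "fileserver01", "10.0.0.7": "ws-bob"}
# Event classes in the common taxonomy that are worth the APE's attention on their own.
SECURITY_CLASSES = {"firewall.deny", "auth.failure"}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
WIN_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC (?P<host>\S+) "
                    r"EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$")


def normalize(line):
    """Map one raw line onto the common schema; timestamps are converted to UTC."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        return {"event_class": "firewall." + m["action"], "ts": ts.isoformat(),
                "src_ip": m["src"], "dst_ip": m["dst"], "dst_port": int(m["dport"]),
                "user": None, "sensor": m["host"]}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # Windows event 4625 is a failed logon, 4624 a successful one.
        cls = "auth.failure" if m["eid"] == "4625" else "auth.success"
        return {"event_class": cls, "ts": ts.isoformat(), "src_ip": m["src"],
                "dst_ip": None, "dst_port": None, "user": m["user"], "sensor": m["host"]}
    return None  # unknown layout: archived raw, never forwarded


def enrich(rec):
    """Attach threat-intelligence and hostname context to a normalized record."""
    rec["threat_intel"] = THREAT_INTEL_IPS.get(rec["src_ip"])
    rec["src_host"] = HOSTNAMES.get(rec["src_ip"])
    rec["dst_host"] = HOSTNAMES.get(rec["dst_ip"]) if rec["dst_ip"] else None
    return rec


def process(lines):
    """Normalize -> deduplicate -> enrich -> classify. Returns (records for the APE, stats)."""
    seen, forwarded = set(), []
    stats = {"received": 0, "unparsed": 0, "duplicates": 0, "forwarded": 0}
    for line in lines:
        stats["received"] += 1
        rec = normalize(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        key = json.dumps(rec, sort_keys=True)  # identical normalized content == duplicate
        if key in seen:
            stats["duplicates"] += 1
            continue
        seen.add(key)
        enrich(rec)
        # Security-relevant by class, or any event whose source has a threat-intel hit.
        if rec["event_class"] in SECURITY_CLASSES or rec["threat_intel"]:
            forwarded.append(rec)
            stats["forwarded"] += 1
    return forwarded, stats


if __name__ == "__main__":
    records, summary = process(RAW_EVENTS)
    print(summary)
    for r in records:
        print(json.dumps(r))
```

Run directly, it prints the summary and the two forwarded records. The `unparsed` counter is the number to watch when a new log source is onboarded: a layout the normalizer does not recognise is counted rather than silently dropped, and the time-zone conversion in `normalize` is what lets the firewall and Windows events be correlated on one clock.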

Decision Flow Architecture

APE, with the help of its ML and AI based alert detection and decision system, coordinates with CCE to execute the following data flow. The system supports both automated and single-click manual execution. APE and CCE both utilize a contemporary micro-services based architecture using Docker containers and big/fast data frameworks.

High Level Diagram

NOTE: The below diagram is a typical customer environment representation and will be refined based on the customer’s environment during the design phase.

Deployment

A typical CCE and APE deployment in an enterprise environment looks similar to the topology shown below. The OTM platform employs modern state-of-the-art Docker Container technology and a Big/Fast data stack to facilitate scalability. The current plan is to install the APE and CCE on the same server using Docker Containers instead of technologies such as VMWare. However, the customer deployment will be tailored to its environment during the design and architecture phase.

Deployment at each site respectively (1x APE, 2x CCEs)

Overall Customer Deployment for High Availability (2x APE, 4x CCE)

Key Capabilities

Benefits

o Reduces Mean-Time-To-Response (MTTR) with Automatic Threat Remediation in Real-time: The platform performs automatic threat containment and elimination in real-time. It also provides clear actionable steps to eliminate the threats, which can either be prompted automatically by the system or manually by the security expert post-analysis.

o Reduces Mean-Time-To-Identify (MTTI) with Proactive Threat Detection: The OTM Platform proactively manages threats in real-time without an agent or alert fatigue. It performs threat management across the cloud, on-premises, and hybrid environments for MSSPs and Enterprises.

o Continuous Compliance and Monitoring (Security Analytics): The platform provides continuous compliance and scheduled or on-demand reporting for HIPAA, PCI-DSS, GDPR, NIST and many other similar regulations.

o Comprehensive Visibility of all assets, flows, applications and their interactions: Ingests raw streaming data (Logs, Packets, Flows, Identities), enriches it and extracts meaningful features to provide a real-time view of all assets (users, hosts, servers, applications, traffic) that are on premise, cloud or hybrid. The solution provides a single pane of glass view for all events and incidents across the organization and provides Real Time Analysis and Reporting.

o Flexible and Scalable Deployment in Bare Metal, Cloud or Hybrid: The solution can scale horizontally as the customer grows and can be deployed on-premise, in-cloud or hybrid using hardened Operating Systems.

o Reduces CAPEX / OPEX as licensing is based on the number of assets / Events Per Second (EPS): Licensing is based on the number of critical and non-critical assets, or the number of employees, or EPS.

o Eliminates need for silo solutions (such as UEBA, DLP, IDS, WASF): aiSIEM caters to a number of use-cases and eliminates the need to integrate silo solutions to enhance an organization’s security posture.

o Threat Intelligence Feed in Airgap Network

aiSIEM supports procedures to manually update the OTM (APE) with the Threat Intelligence feed in offline mode in an airgap Network. The Threat Intelligence Feed is from commercial and government sources such as CERT-IN, CERT-ARMY. The Threat Intelligence feed includes Bad Reputation IPs, Domains and URLs.

o Multiple event collection options

The solution supports many industry standard event collection methods such as syslog, OPSEC, WMI, SDEE, ODBC, JDBC, FTP, SCP, HTTP, text file, CSV, XML file etc.

o Threats Detected by aiSIEM Solution

The Solution detects both known and unknown threats such as Ransomware, DNS Tunneling, Malware, Spyware, Zero Day Malware, Brute Force Attacks, DDoS Attacks, Web exploits, SQL Injection, Cross-Site Scripting, Compromised Credentials, Botnet, Insider Threats etc.

o Geo Redundancy and Disaster Recovery (GR&DR)

aiSIEM supports GR&DR by running two OTMs (APEs) in two different geographical data centres in active and standby mode. The OTMs synchronize their databases daily. The CCEs collecting logs and flows from local devices will send the data to the active OTM (APE).


o N-SoC taking control over R-SoC

aiSIEM allows the N-SoC to log in to the R-SoC OTM as an administrator in the R-SoC Console and deactivate other users to take full control of the R-SoC.

o Secure as you Grow

The solution allows you to start small and grow as the organization grows. This same functionality can also be used for staging and testing in a smaller environment and then taking it to the production environment. This concept helps in planning and estimating the network bandwidth requirements and server specification for both the current production environment and future growth.

Just as you move from the Staging/Testing environment to the Production environment, point the Flows and Logs from the new devices to the CCEs and the solution will automatically adapt to start consuming logs from the new devices and decay the old devices, if they are no longer sending Logs/Flows.

o Web Based Multi-User Interface

The aiSIEM solution has a Web based Interface for configuration and for viewing the Security incidents/alerts, reports, dashboards and online help. Dashboards provide a single unified view of all the alerts and events in the ecosystem.

o Long Term Storage, Indexing and Analysis for Compliance

The Platform can store raw logs, flows and machine data from all sources for 7 years. Users can create and save customized queries on this stored data.

o Risk Assessment

Numerous reports and dashboards help assess the security and privacy risks. The controls’ effectiveness can be measured and assessed on an ongoing basis for design adherence. The critical reports can be scheduled to be delivered to your mail box on a periodic basis for continuous assessment. The reports can be exported in PDF, CSV, Excel and other formats.

GR&DR topology diagram (labels recovered from the figure): Seceon APE HA Active primary (DB, Kafka); Seceon APE HA Standby Backup (DB, Kafka); Snapshot Replication between the two; CCE1, CCE2.


o Collector Buffering

The Collector is capable of storing unsent data in its internal buffer for subsequent delivery to the analytics engine in case of lost connectivity.

o Collector rate limiting

The Collector limits the bandwidth usage and rate limits the feeds to ensure continuous operation with minimal or no stoppage.

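An added example, not Seceon's code, of the two collector behaviours described above: records are appended to an on-disk buffer, delivered to the engine oldest-first under a token-bucket rate limit, and held back in the buffer while the engine is unreachable. `FlakyEngine` (a stand-in for the APE), the buffer file layout, the rate and burst figures and the timeline in `run_scenario` are all constructed for the illustration.

```python
"""Added illustration, not Seceon's code: a collector that keeps unsent records
in an on-disk buffer while the analytics engine is unreachable and drains the
backlog, oldest first, under a token-bucket rate limit once the link returns.
`FlakyEngine` is a constructed stand-in for the APE, and the clock is passed in
explicitly so the scenario is deterministic."""
import json
import os
import tempfile


class FlakyEngine:
    """Stand-in for the APE; setting up=False simulates lost connectivity."""
    def __init__(self):
        self.up = True
        self.received = []

    def send(self, record):
        if not self.up:
            raise ConnectionError("engine unreachable")
        self.received.append(record)


class TokenBucket:
    """Permits at most `rate` sends per second of clock time, with bursts up to `capacity`."""
    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), now

    def take(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def refund(self):
        self.tokens = min(self.capacity, self.tokens + 1)


class Collector:
    def __init__(self, engine, buffer_path, rate, burst, now):
        self.engine, self.buffer_path = engine, buffer_path
        self.bucket = TokenBucket(rate, burst, now)
        self.stats = {"delivered": 0, "rate_limited": 0, "connection_failures": 0}

    def _read(self):
        if not os.path.exists(self.buffer_path):
            return []
        with open(self.buffer_path) as f:
            return [json.loads(line) for line in f if line.strip()]

    def _write(self, records):
        with open(self.buffer_path, "w") as f:
            f.writelines(json.dumps(r) + "\n" for r in records)

    def submit(self, record, now):
        """New records are appended behind the backlog so delivery order is preserved."""
        with open(self.buffer_path, "a") as f:
            f.write(json.dumps(record) + "\n")
        return self.flush(now)

    def flush(self, now):
        """Drain the buffer; stop on rate limit or connection failure. Returns the backlog size."""
        pending = self._read()
        while pending:
            if not self.bucket.take(now):
                self.stats["rate_limited"] += 1
                break
            try:
                self.engine.send(pending[0])
            except ConnectionError:
                self.bucket.refund()  # nothing left the collector, so the token is returned
                self.stats["connection_failures"] += 1
                break
            pending.pop(0)
            self.stats["delivered"] += 1
        self._write(pending)
        return len(pending)


def run_scenario():
    """Constructed timeline: link drops after record 1, returns at t=3, then a burst hits the limit."""
    engine = FlakyEngine()
    path = os.path.join(tempfile.mkdtemp(), "cce-buffer.jsonl")
    c = Collector(engine, path, rate=2, burst=2, now=0.0)
    result = {}
    c.submit({"id": 1}, now=0.0)                       # delivered straight away
    engine.up = False
    c.submit({"id": 2}, now=1.0)                       # buffered: engine down
    result["backlog_during_outage"] = c.submit({"id": 3}, now=2.0)
    engine.up = True
    result["backlog_after_reconnect"] = c.flush(now=3.0)
    c.submit({"id": 4}, now=3.0)                       # bucket empty: stays buffered
    result["backlog_when_limited"] = c.submit({"id": 5}, now=3.0)
    result["backlog_final"] = c.flush(now=4.0)         # tokens refilled, backlog drains
    result["order"] = [r["id"] for r in engine.received]
    result["stats"] = dict(c.stats)
    return result
```

The two stop conditions in `flush` are deliberately distinct: a rate-limit stop keeps the token accounting as is, while a connection failure refunds the token, so a long outage does not also starve the collector of send budget once the engine is back.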

o Aggregation and Policy Management

Aggregation for important assets is facilitated for management, policy definition and enforcement with flexibility and customization.

o Integration with external systems and API

The system supports email notification with aggregation and APIs for critical security and non-security events, and also provides a syslog interface to integrate with external systems such as ticketing and messaging.

o New Integration

The platform is micro-services based and has a modular architecture. This allows the platform to integrate new data sources quickly without breaking the existing environment.

o Support

§ Solution upgrades are easily downloadable from the officially supported Partner Portal

§ Delivers the latest product information, patch and upgrade notifications by email, and support calls that require immediate attention.

o Management

The solution has the capability to log (create an audit-trail of) administrator activities, configuration changes, etc.

o SOC in a Box

The solution is a unique combination of the following under a single licensed product:

§ SIEM – Security Information and Event Management

§ SOAR – Security Orchestration & Automated Remediation

§ NBAD – Network Based Anomaly Detection

§ IDS – Intrusion Detection System (400Mbps and more)

§ TI – Threat Intelligence

§ UEBA – User and Entity Behavior Analytics

§ Event Management


o Multi Tenancy

The solution has multi-tier multi-tenancy, with clearly defined user-roles and passwords. The platform can be deployed at multiple locations independently and can be monitored through a single dashboard with data stored separately for each of the locations.

o Online Store, Archive & Restore

Online Store can be configured and Automated backup can be scheduled to external storage. The backup files can be restored for forensic analysis.

o Customizable Report & Dashboard

The Solution has a widget to configure the dashboard and create customizable reports as per user requirements (regulatory compliance, devices, operational, etc.)

o System is designed to be resilient to individual component failures.

o System keeps the record of all the activities carried out by the users.

o A System alert is generated if the communication with the CCE is broken.

o Solution guarantees the integrity of the information collected through integrity algorithms SHA-1 and SHA-2 with a robust bit length.

o Solution has the ability to collect and label network events (logs) through the use of the SNMP Traps information exchange protocol.

o Solution has the capability to customize the notification about the alerts via email notification, Syslog, GUI, SMS text, SNMP, Execution of script, etc.

o Solution has a framework which can be extended for a user to add their own custom fields.

o Solution can overlay the threats / alerts over the visualization of all traffic.

o Solution has a feedback capability to disable or qualify a raised alert as “Not-An-Alert”, thereby empowering the user to fine tune.

o Platform is IPv6 ready.

o Solution has a framework to add custom connectors.

o Solution provides tagging of the devices based on their criticality, such as High Value Asset (HVA), PCI, and so on.

o Solution supports the recording and analysis of events defined by the user.

o Solution has the ability to collect raw logs, events and records and store them in real-time for periods of time defined by the user for analysis.

o Solution can provide preconfigured and customizable reports and views based on Authentication, Connectivity, Application and User activity, Specific Settings, Security, Service monitoring and Executive Summary.

o Solution can provide historical traceability of the events detected along with respective timestamps.

o Solution provides a provision to add Indicators of Compromise (IoC) for enrichment and incident detection.
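For the integrity item in the list above, the following is an added example (not Seceon's code) of how collected records can be made tamper-evident: each stored entry carries a SHA-256 digest (a SHA-2 family hash) computed over its canonical JSON content and the previous entry's digest, so altering, deleting or reordering any record breaks the chain when it is verified. The store layout, the `GENESIS` value and the sample records are assumptions made for the illustration. SHA-1, also named in that item, is no longer collision-resistant, so SHA-2 is the family to rely on for a new integrity control.

```python
"""Added illustration, not Seceon's code: a tamper-evident store for collected
records. Every entry carries a SHA-256 digest (a SHA-2 member) over its
canonical JSON content plus the previous entry's digest, so altering,
deleting or reordering a stored record breaks the chain at verification.
The records are constructed samples."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # digest assumed for the (non-existent) entry before the first one


def canonical(record):
    """Stable byte form: sorted keys, no whitespace, so equal content hashes equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def link_digest(record, prev_digest):
    """SHA-256 over the previous digest followed by the record's canonical bytes."""
    h = hashlib.sha256()
    h.update(prev_digest.encode())
    h.update(canonical(record))
    return h.hexdigest()


class IntegrityStore:
    def __init__(self):
        self.entries = []  # each entry: {"record", "prev", "digest"}

    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = link_digest(record, prev)
        self.entries.append({"record": record, "prev": prev, "digest": digest})
        return digest

    def verify(self):
        """Return (True, None) if intact, else (False, index of the first broken entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or link_digest(e["record"], prev) != e["digest"]:
                return False, i
            prev = e["digest"]
        return True, None


SAMPLE_RECORDS = [  # constructed normalized events
    {"ts": "2019-11-05T04:45:30+00:00", "event_class": "firewall.deny", "src_ip": "203.0.113.9"},
    {"ts": "2019-11-05T04:46:00+00:00", "event_class": "auth.failure", "user": "alice"},
    {"ts": "2019-11-05T04:46:02+00:00", "event_class": "auth.success", "user": "bob"},
]


def build_store(records):
    store = IntegrityStore()
    for r in records:
        store.append(r)
    return store


def tamper_checks(records):
    """Run verify() over an intact store and three tampered copies of it."""
    intact = build_store(records)
    altered = copy.deepcopy(intact)
    altered.entries[1]["record"]["user"] = "mallory"          # content changed in place
    deleted = copy.deepcopy(intact)
    del deleted.entries[1]                                     # a record removed
    reordered = copy.deepcopy(intact)
    reordered.entries[1], reordered.entries[2] = reordered.entries[2], reordered.entries[1]
    return {"intact": intact.verify(), "altered": altered.verify(),
            "deleted": deleted.verify(), "reordered": reordered.verify()}


if __name__ == "__main__":
    for name, outcome in tamper_checks(SAMPLE_RECORDS).items():
        print(name, outcome)
```

The chain only proves that nothing changed after a record was stored; it says nothing about the collector that wrote it, and an attacker who can rewrite the whole file can recompute every digest. In practice the head digest is therefore periodically copied somewhere the storage host cannot write (a separate log server, or a signed timestamp), and `verify` is compared against that anchored value.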


o Solution has in-built templates for creating multi-level data views and reports for operations and an executive knowledgebase for decision-making.

o Solution can perform trend analysis of the events over a length of time and generate user specific views and reports.

o Solution has the ability to correlate information from a large number of devices from different manufacturers.

o Solution can generate alerts based on the observed anomalies and behavioral changes in the data network activity (network flows).

o Solution can raise alerts in compliance with established policies.

o Solution has a custom report generation engine that can generate specific reports as per user requirements on an hourly, daily, weekly or monthly basis.

o Solution reduces alert fatigue by surfacing real threats and significantly lowers the noise by limiting the surfacing of multiple similar alerts.

o Solution can correlate events with the information from third-party security products (e.g., mapping of known botnets, bad IP addresses, etc.) which are automatically updated.

o Solution can correlate data over a period of time.

o Solution detects anomalous activities in your ecosystem based on established baselines.

o Solution has a framework to allow "tuning" of the rules. The system can group similar correlation input values (static or dynamic groups) which can be used by many rules across the board. For example, the system user can define a group of prohibited ports that can be used by multiple correlation rules that monitor inappropriate activity on the network.

o Solution ingests threat intelligence by subscribing to 30+ honeypots for reputation of IPs, security updates, latest vulnerabilities detected, and alerts.

o Solution detects the applications running in the ecosystem beyond identifying them by generic protocol and port.

o Solution can identify the packets of potentially dangerous applications.

o The correlation engine supports filtering, recognizing patterns and correlating across multiple types of devices and events.

o Solution has the ability to correlate events from users of multiple domains, limiting Events Per Second (EPS) for each domain and allowing the IPs of different domains to match without generating conflicts.

o Correlation engine allows disabling of rules for fine-tuning prior to deployment.

o Correlation engine has fully customizable notification templates that are sent according to the type of alert and criticality.

o Solution has a subscription service to 30+ honeypots to gather threat intelligence, which allows the download of rules for detecting suspicious events or attacks in a 24x7 window, alerts, components of a new tool, correlation rules and blacklisted IPs.

o The subscription service includes an intelligence service against new threats and any other type of contextual information from security communities, such as NIST, SANS, SRI International, Internet Storm Center, ShadowServer, etc.

o Solution has a Content Management System which provides information on threats from industry leading brand intelligence centers and intelligence centers of the security community throughout the world.

o Threat intelligence sources include the content of Command and Control (C&C) Activity, ATP, Black lists of IPs, domains and countries, Suspicious and malicious networks, Malware, etc.

o Solution has a common taxonomy for events.

o Solution stores and preserves both raw and standardized logs, events, and flow data for forensic purposes.

o Solution normalizes the global event fields.

o Solution normalizes the event timestamps across multiple time zones.

o Solution has a framework to support case, incident, and risk management modules, which can be customized. Case and incident management includes Registration, Classification, Critical Level, Prioritization, Response, Closure and Knowledge Base Registration. Risk management includes Identification, Analysis, Evaluation and Treatment of risks. It also allows the institution's incident and risk management methodologies to be loaded as per international standards (ISO / NIST).

o Solution documents the processes of the institution and operators.

o Solution can ingest packets through varying interfaces, such as 10/100/1000 Mbps and 10 Gbps interfaces.

o Solution can categorize the sources of events automatically.

o Solution automatically prioritizes security events (critical, major, minor) according to the relative importance of the asset (i.e., criticality of the device), importance of the event (i.e., type of event), vulnerabilities, protocol, and application.

o Solution has port mirror capability.

o Solution supports all features on-premise and in remote locations without a need to purchase respective licenses.

o Solution has the capability to optimize system resources (such as the distribution of storage, processing, management of bandwidth, memory, etc.)

o Solution has one central engine for correlation of all data (logs, flows, events, identities) from different locations in a distributed ecosystem.

o Solution is compatible with the standard methods and protocols for collecting events (logs).

o Solution allows personalized labeling (tagging) of the events, as well as adding, classifying, filtering and analyzing data via all distributed components.

o Solution has the ability to exchange threat intelligence through industry standard protocols and mechanisms. During implementation, this threat intelligence will be ingested from an external system in the Seceon data center.

o Solution has a provision to allow the addition of indicators of compromise (IoCs) which in effect enhances the performance of the solution.

o Solution has the ability to generate communication profiles "from" or "to" by geographical regions in real time.

o Solution can normalize common fields of events (such as user names, IP addresses, host names and login, source device) from different device types in a multi-vendor ecosystem.
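The rule-tuning, group and alert-noise items in the capabilities list above (a prohibited-ports group shared by several correlation rules, disabling rules for fine-tuning, collapsing multiple similar alerts) are illustrated by the following added example. It is not Seceon's code and does not describe its correlation engine: the flow records, the group contents, the HVA tag, and the rule names and severities are all constructed for the illustration.

```python
"""Added illustration, not Seceon's code: a small correlation layer in which
named value groups (a 'prohibited_ports' group and an HVA host group) are
shared by several rules, rules can be switched off for tuning, and repeated
hits for the same rule and source are collapsed into one alert with a count.
The flow records and group contents are constructed samples."""


# Constructed, normalized flow records as a collector would hand them to the engine.
FLOWS = [
    {"ts": 100, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.5", "dst_port": 23},
    {"ts": 101, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.6", "dst_port": 23},
    {"ts": 102, "src_ip": "10.0.0.7", "dst_ip": "10.0.0.9", "dst_port": 445},
    {"ts": 103, "src_ip": "10.0.0.8", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"ts": 104, "src_ip": "10.0.0.8", "dst_ip": "203.0.113.20", "dst_port": 23},
]

# Groups are defined once and referenced by name from any number of rules.
GROUPS = {
    "prohibited_ports": {23, 445, 3389},   # telnet, SMB, RDP (constructed policy)
    "hva_hosts": {"10.0.0.5"},            # assets tagged High Value Asset
}


class Rule:
    def __init__(self, name, severity, predicate, enabled=True):
        self.name, self.severity, self.predicate, self.enabled = name, severity, predicate, enabled


def is_internal(ip):
    """Constructed address plan: the 10.0.0.0/8 range is treated as internal."""
    return ip.startswith("10.")


RULES = [
    Rule("prohibited-port-use", "minor",
         lambda f, g: f["dst_port"] in g["prohibited_ports"]),
    Rule("prohibited-port-to-hva", "critical",
         lambda f, g: f["dst_port"] in g["prohibited_ports"] and f["dst_ip"] in g["hva_hosts"]),
    Rule("egress-on-prohibited-port", "major",
         lambda f, g: f["dst_port"] in g["prohibited_ports"] and not is_internal(f["dst_ip"])),
]


def correlate(flows, rules, groups, collapse=True):
    """Evaluate enabled rules; with collapse=True, one alert per (rule, src_ip) carrying a hit count."""
    alerts, order = {}, []
    for f in flows:
        for r in rules:
            if not r.enabled or not r.predicate(f, groups):
                continue
            key = (r.name, f["src_ip"]) if collapse else (r.name, f["src_ip"], f["ts"])
            if key not in alerts:
                alerts[key] = {"rule": r.name, "severity": r.severity, "src_ip": f["src_ip"],
                               "first_ts": f["ts"], "count": 0, "targets": []}
                order.append(key)
            alerts[key]["count"] += 1
            alerts[key]["targets"].append("%s:%d" % (f["dst_ip"], f["dst_port"]))
    return [alerts[k] for k in order]


def with_rule_disabled(rules, name):
    """Tuning step: a copy of the rule set with one rule switched off; the original is untouched."""
    return [Rule(r.name, r.severity, r.predicate, r.enabled and r.name != name) for r in rules]


def with_group(groups, name, values):
    """Changing a group once changes the behaviour of every rule that references it."""
    updated = dict(groups)
    updated[name] = set(values)
    return updated


if __name__ == "__main__":
    for a in correlate(FLOWS, RULES, GROUPS):
        print(a["severity"], a["rule"], a["src_ip"], "x%d" % a["count"], a["targets"])
```

Against the five sample flows the collapsed run yields four alerts where the uncollapsed run yields six; switching off the broad `prohibited-port-use` rule leaves only the critical HVA hit and the egress hit, and narrowing the shared group to SMB alone changes all three rules at once without editing any of them.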