V2-SIEM Information Security Concentration Monitoring System 

INTRODUCTION

V2-SIEM Information Security Concentration Monitoring System is a solution to help detect and prevent attacks without affecting system performance. For attack detection, the system allows passive monitoring of the network connection using a dedicated data extraction device (Network-Tab) or using the Span port on the Switch (these require partial sharing). Switch resources). The system also provides other important functions such as behavioral attack detection; the ability to store system logs offline, allowing the system to store logs for a long period of time, depending on hardware capacity, and allow recovery when needed; ability to send system logs to other central monitoring system (SIEM) and some other features.

SYSTEM FUNCTION

1. Real-time log collection and management

• The system allows to collect logs from different sources:
  • Network devices, security devices such as Router, Switch, Firewall/IPS/IDS, Sandbox, WAF, Network APT...
  • System servers (both physical and virtual) on different platforms: Windows, Linux, Unix, ...;
  • Applications: Applications serving system operations: DHCP, DNS, NTP, VPN, Proxy Server…; Applications providing services: Web, Mail, FPT, TFTP and database management systems Oracle, SQL, MySQL, ...;
  • Terminal devices: User computer, printer, fax machine, IP Phone, IP Camera, ...;
  •  point on the line: The edge monitoring point at the connection interface of the edge router with external networks; monitoring points in each network area of the system.
•  Automatically normalize log
  • Automatically normalize log types received from devices and applications.
  • Automatically update new log formats from the Cloud.

2. Network attack detection

• Network attack detection relies on analysis of Web application access logs.
• Malicious domain query detection based on DNS query log analysis.
• Detect connections to malicious IP addresses based on analysis of connection logs of devices and operating systems.
• Automatic updates from the Cloud for web application attack detection, list of malicious domains and addresses.

3. Processing, correlation analysis - Behavior Detection

• Allows setting up rules to automatically correlate multiple log sources to detect network attacks.
• Detect anomalous behavior to accurately detect attackers and attack targets based on the ability to automatically analyze warnings received from the system.
• Allows the administrator to set up a set of rules to detect anomalous user behavior and abnormal network connections on the system.
• Set up available rule sets to detect the following behaviors:
  • Hacker's network scanning behavior
  • Attack behavior from a source address when performing different types of network attacks to the protected system
  • Web application attack behavior
  • Acts of attack malicious code, malware

4. Threat Intelligence Integration

• Integrated Threat Intelligence function.
• Update Threat Intelligence data from the Cloud.
• Automatically update BlackList (IP, Domain, Hash) for SIEM from Threat Intelligence data.
• Allows information to be shared with other Threat Intelligence systems.

5. Vulnerability Management Integration

• Integrated information security vulnerability management function.
• Automatically warn when detecting information security weaknesses in the system.
• Allows setting virtual patch policy to protect the system.
• Integrate the function of looking up information about vulnerabilities and weaknesses.

6. Alerts and automatically prevents attacks

• Automated attack alerts via SMS, Email...
• The system provides interoperability with network devices (Cisco Router – Juniper, Fireall Cisco PIX – ASA, Firewall Check-Point, Firewall Fortinet...), Security devices (Firewall, NAC, IDS, IPS) and operating systems (Windows Server 2008, 2012, Linux Centos, Fedora, Ubuntu, Debian, Linux Transparent Firewall ...) to perform network attack prevention.
• This capability allows the system to prevent network attacks without affecting the operation and performance of the system and does not require installing Agents on devices or servers.

7. Incident investigation and analysis

• Allow correlation rules writing
• Allow detection and investigation of attacks and incidents.
• Enables in-depth Log Analysis for each information field.
• Enables incident analysis and investigation through an intuitive interface.

8. System Administration Function

• The Dashboard function allows administrators to have an overview of the system, including:
  • System status (CPU, RAM, HDD, NETWORK...)
  • Statistics of the number of attacks over time
  • Statistics list of attack source IP addresses
  • Statistical list of hacked destination IP addresses
  • Information about detected attacks on the system
• The Event Map function allows real-time visualization of network attacks.
• The report generation function allows administrators to create customized reports according to specific conditions in different formats.
• System Settings Management
• Manage system administrator accounts (User management)
• Manage system software updates from the Cloud (IPS Update)
• System Status Information
• Manage activity logs on the system (Local logs)
• System administration through Console and SSH

SERVICE PACKAGES