ARIC Network Defence System
SIEM – Security Information and Event Management SIEM
in the ARIC NDS ecosystem was created in 2003.
The system, using an intuitive graphical interface, allows you to start working very quickly right after installation.
Threats to business continuity come from many sources and are directed at various goals. Among others:
Network threats
Targeting networks and network infrastructure.
Host threats
Targeted at individual hosts.
External threats
Coming from outside attackers.
Internal threats
Coming from inside attackers.
While the goal of security solutions is to detect and prevent such threats, no network can be completely secure against all of them. For this reason, SIEM itself focuses on mitigating risk, identifying vulnerabilities, detecting threats, and prioritizing responses to threats and vulnerabilities of the highest severity.
Risk mitigation, vulnerability identification and threat detection measures include:
Identifying patterns of events that indicate a possible threat or vulnerability.
Determining the risk of potentially harmful attacks or compromises.
Implementing controls to address reported security vulnerabilities.
Ongoing monitoring and reporting of network and host activities.
Taking action in response to identified attacks.
Risk assessment
To properly secure your infrastructure, first conduct a risk assessment of your assets. Risk assessment helps determine the relative importance of resources in the network, the vulnerability of those resources to specific operational hazards, and the likelihood of incidents related to the security of those resources.
Strong security policies focus on how to best protect your most important and at-risk assets. For example, if a network resource is critical and the likelihood of an attack on it is high, focus your efforts on creating security policies to monitor such attacks and develop plans to respond to them.
Once these analyzes are performed, security policies can be designed in response to the relative asset value and exploitation risk posed by various threats and vulnerabilities. A special environment is industry (OT) and control systems, including I&C (ICS – Industrial Control System). Reference model – IACS (Purdue Model) shows layered dependencies and properly arranged architecture of the industrial environment.
Unfortunately, most industrial environments, already at the level of architecture and technological compatibility of individual products, significantly influence the automatic materialization of reams, which we observe in everyday work and qualify them as faults and failures.
Most threats in OT come from the suppliers themselves and the companies operating the delivered industrial systems. The SIEM system (regardless of the manufacturer) helps in identifying threats, but the input data must be properly prepared and, at the architecture level, the resistance of individual components and their systems to anomalies must be increased.
Correct network architecture significantly reduces environmental vulnerabilities and limits threats. For this reason, DNC series network devices (switches, routers, ZBFW, IDS/IPS, Data Probes, Data LEDs, TAPs, etc.) are integrated with the SIEM system. The use of the entire ecosystem introduces the level of security to an unprecedented level of mantle protection, where there are no areas free from monitoring and reaction functions (defensive and offensive) are able to secure every segment and component in the network.
How ARIC SIEM helps you assess and mitigate risk
SIEM ARIC and DNC appliances enable you to identify key assets and set policies to alert you when these assets have vulnerabilities or are under attack. SIEM ARIC will generate alerts based on the risk associated with any security event recorded on the DNC device.
The significance of a given security incident depends on three factors:
How SIEM helps detect threats and prioritize responses
The following illustration shows the capabilities and related tools that SIEM ARIC provides to help you perform security management tasks in your own environment.
Asset Discovery
– combines core discovery and inventory technologies to provide visibility into the devices on your network. Extras included:
- Active and passive network scanning
- Asset inventory
- Service inventory
Asset discovery and inventory are the first important steps to finding out what systems and devices are on your network. SIEM ARIC combines core discovery and inventory technologies to provide visibility into the devices you want to monitor.
Intrusion detection
— koordynuje reakcję na incydenty i zarządzanie zagrożeniami w całej sieci dzięki wbudowanym technologiom monitorowania bezpieczeństwa, informacjom o pojawiających się zagrożeniach otrzymywanych z AT&T oraz płynnemu przepływowi pracy w zamkniętej pętli umożliwiającemu szybkie usuwanie skutków.
Add-ons in the SIEM system:
- Network IDS (NIDS)
- Host-based IDS (HIDS)
- File Integrity Monitoring (FIM)
Built-in file integrity monitoring in agents installed on servers and other end devices warns about unauthorized modifications to system files, configuration files or content. Monitoring network access using host agent-based detection systems and network data allows you to identify who has attempted to access these systems, files, and content.
Security Information and Event Management (SIEM)
– Identify, contain and eliminate threats across your network by prioritizing risk and response. Add-ons in SIEM:
- Log management
- Integrated OTX threat intelligence
- SIEM event correlation
- Responding to incidents
You can automatically correlate log data with actionable security analytics to identify policy violations and receive contextually appropriate and workflow-driven responses. You can also perform forensic analysis of events using digitally signed raw logs. Raw logs can also be used to meet evidence storage requirements. The web-based user interface provides access to all security management features provided by SIEM ARIC. The SIEM ARIC User Guide provides information on how to access and use all SIEM tools and perform specific security management operations from this user interface.
Laboratories
DYNACON Labs is the internal security research team at DYNACON and Alien Labs is the analogous research team at Cybersecurity, consisting of security experts who conduct ongoing research and analysis of emerging global threats and vulnerabilities. This team continuously monitors, analyzes, reverse-engineers and reports on sophisticated zero-day threats, including malware, botnets and phishing campaigns.
The team regularly publishes threat intelligence updates to the ARIC SIEM platform in the form of correlation directives, IDS signatures, vulnerability signatures, asset detection signatures, IP reputation data, data source plug-ins and report templates. The team also provides up-to-date guidance on emerging threats and contextual remediation guidance to speed and simplify threat detection and response.
The DYNACON team also leverages the collective resources of OTX, the world’s largest crowdsourced threat intelligence repository, to provide global visibility into attack trends and malicious actors. Security experts and DYNACON analyze, verify and review global threat intelligence collected by the OTX community. The Security Research team improves the effectiveness of any security monitoring program by providing the threat intelligence necessary to understand and resolve the most critical issues on networks. They perform analysis so you can spend your limited time fixing and mitigating threats rather than investigating them.
Vulnerability assessment
– identifies resources and devices with unpatched software, insecure configurations and other network vulnerabilities.
Extras included:
- Continuous vulnerability monitoring
- Authenticated/Unauthenticated Active Scanning
- Repair verification
Integrated internal vulnerability scanning informs you about vulnerabilities in your network so you can prioritize patching and remediation. Continuous correlation of the dynamic asset inventory with our vulnerability database ensures up-to-date information on your network’s vulnerabilities between scheduled scans.
Behavioral monitoring
– Identifies anomalies and other patterns that signal new, unknown threats on your network, as well as suspicious behavior and policy violations by authorized users and devices.
Add-ons in the SIEM system:
- NetFlow analysis
- Monitoring the availability of services
- Network protocol analysis/packet capture
Integrated behavioral monitoring collects data that helps understand “normal” system and network activity, simplifying incident response when investigating a suspected operational issue or potential security incident. Full packet capture enables complete analysis of network traffic protocols, providing a comprehensive reconstruction of the event that occurred during a potential breach.
Regulatory compliance management in SIEM ARIC
In addition to regular security management operations, SIEM ARIC also provides essential security features to help you achieve regulatory compliance. With built-in asset discovery, vulnerability assessment, intrusion detection, behavior monitoring, log management and file integrity monitoring, SIEM ARIC can help organizations achieve compliance with regulations such as PCI DSS, GLBA, ISO/IEC 27001, FISMA, NERC CIP, FERPA and SOX. SIEM ARIC also generates built-in reports specifically for HIPAA, PCI, GLBA, ISO 27001, FISMA, NERC CIP, GPG13 and SOX.
Additionally, the “Using SIEM ARIC for PCI Compliance” section provides detailed information on using SIEM ARIC to achieve PCI DSS compliance. This information may also be useful for compliance with other standards.
Information about threat intelligence
Threat Intelligence, integrated with ARIC’s SIEM as part of a Threat Intelligence subscription, provides features that set it apart from most other security management solutions on the market today. Threat Intelligence, developed by the AT&T Security Research Team and powered by AT&T Open Threat Exchange® ( OTX™ ), is actionable intelligence about the threats facing your network, including malicious actors, their tools, their infrastructure and its methods. Threat intelligence tells you what the threat is, where it comes from, which assets in your environment are at risk, and how to respond.
OTX
Open Threat Exchange (OTX) is the world’s most trusted open threat intelligence exchange and analysis network. OTX provides open access to a global community of threat researchers and security professionals. It currently has over 100,000 participants worldwide, contributing over 19 million threat indicators every day. It delivers community-generated threat intelligence and OTX pulses, enables collaborative research, and automates the process of updating your security infrastructure with threat intelligence from any source. OTX enables every member of the security community to actively discuss, research, validate and share the latest threat data, trends and techniques, strengthening your security while helping others to do the same.
The OTX community and associated threat intelligence is one of the key data sources used by the DYNACON team to generate threat intelligence. DYNACON leverages the collective resources of OTX by analyzing, verifying and curating global threat data provided by the OTX community.
