Real-time Attack Monitoring

Real-time Attack Monitoring (RAM) is the organization's flagship offering in the security monitoring space. The RAM module includes the active attacker detection engine, which is used extensively in production and research environments. Enterprises, Internet-facing portals, exchanges and financial services benefit from the rich feature set delivered by the RAM module. As the name suggests, Real-time Attack Monitoring detects attacks in real time, analyzes activities and reports attacks, while adhering to each enterprise's own incident handling processes.

What does RAM deliver

  • Real-time identification of active attackers, as distinct from false positives and malicious scanning, using a number of different technologies that independently examine the network traffic flow
  • Central collection and analysis of event logs across the organization
  • Correlated intelligence feed from the CNAM umbrella network, and relevant open source security feeds from collaborating research organizations
  • Precautionary / Enforced advisories that provide directed information on the security threat landscape and relief mechanisms to contain / recover / prevent attacks
  • Strategic security consulting that helps customers improve implemented security standards
  • Event collection and archival creates a central repository in which security events are collected, analyzed and archived
  • Intrusion analyst toolkit provides an interface to the operational tools relevant for analyzing the security posture of the organization

Operational Details: How does RAM integrate

The real-time attack monitoring module deploys an Integrated Detection Device (IDD) that detects attacks using heterogeneous detection systems, and a Network Aggregator (NAG) that collects, translates, normalizes and stores events. Each NAG stores all local events and processes them using intelligence provided by the CNAM Umbrella Network, which is connected to the NAG over an encrypted SSL tunnel. Once processed, events are re-examined by advanced correlation modules that identify false positives and draw out a list of suspicious attackers. This information is summarized and relayed to the analyst's console via the enterprise risk manager.

The NAG fetches logs from devices such as servers, routers, firewalls and IDS sensors using agent-based and agentless configurations. CNAM is compatible with standard and encrypted syslog, and with other common logging technologies. These logs are translated into prioritized events and stored in the NAG along with the original messages.

What can you monitor using RAM

RAM processes the available event information to produce alerts that need immediate attention. It employs a layered correlation system that progressively refines the correlation criteria to achieve accuracy. The following are the event sources commonly processed by the RAM module:

  • Incoming / Outgoing Internet traffic
  • Multi-Zone Firewall
  • Access Concentrators
  • Intrusion Detection / Prevention Systems
  • Centralized Anti-Virus
  • Operating Systems
  • Web Servers
  • Database Servers
  • Standard / Non Standard Application Servers
  • Transaction Logs
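The two steps described above, translating raw syslog messages into prioritized events that keep the original message alongside the normalized fields, and then passing those events through layered correlation that separates corroborated attackers from single-source scanning noise, are illustrated by the following added example. It is not CNAM's code or any description of how the NAG is implemented; the log lines, device message formats, signature name and the two correlation thresholds (`min_events`, `min_sources`) are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in BSD syslog format (hypothetical hosts and addresses).
SAMPLE_LOGS = [
    "<134>Mar 10 12:00:01 fw1 kernel: DENY TCP 203.0.113.7:44321 -> 192.0.2.10:22",
    "<134>Mar 10 12:00:02 fw1 kernel: DENY TCP 203.0.113.7:44322 -> 192.0.2.10:23",
    "<132>Mar 10 12:00:05 ids1 sensor: ALERT sig=SSH-BRUTEFORCE src=203.0.113.7 dst=192.0.2.10",
    "<38>Mar 10 12:00:07 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 44330 ssh2",
    "<134>Mar 10 12:01:00 fw1 kernel: DENY TCP 198.51.100.9:51000 -> 192.0.2.10:445",
    "<134>Mar 10 12:01:01 fw1 kernel: DENY TCP 198.51.100.9:51001 -> 192.0.2.11:445",
    "<134>Mar 10 12:01:02 fw1 kernel: DENY TCP 198.51.100.9:51002 -> 192.0.2.12:445",
    "<38>Mar 10 12:02:00 web1 sshd[2210]: Failed password for alice from 192.0.2.55 port 50100 ssh2",
    "<134>Mar 10 12:02:30 fw1 kernel: this line has no recognised shape",
]

# <PRI>TIMESTAMP HOST MSG ; PRI = facility * 8 + severity (severity = PRI & 7)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Device-specific message shapes (assumed formats): (source_type, category, regex)
MESSAGE_PATTERNS = [
    ("firewall", "deny", re.compile(r"DENY \w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")),
    ("ids", "alert", re.compile(r"ALERT sig=(?P<sig>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")),
    ("host", "auth_failure", re.compile(r"Failed password for \S+ from (?P<src>[\d.]+) port \d+")),
]


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    source_type: str
    category: str
    src_ip: str
    dst_ip: str
    priority: int  # 1 (most urgent) .. 8, derived from the syslog severity
    raw: str       # original message kept next to the normalized fields


def normalize(line):
    """Translate one raw syslog line into an Event; return None if it is not recognised."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    for source_type, category, pattern in MESSAGE_PATTERNS:
        pm = pattern.search(m.group("msg"))
        if pm:
            fields = pm.groupdict()
            return Event(
                timestamp=m.group("ts"), host=m.group("host"),
                source_type=source_type, category=category,
                src_ip=fields["src"],
                dst_ip=fields.get("dst", m.group("host")),  # host logs: target is the host itself
                priority=(int(m.group("pri")) & 7) + 1, raw=line)
    return None


def normalize_all(lines):
    """Return (events, unparsed_lines); unparsed lines are kept so nothing is silently lost."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def correlate(events, min_events=2, min_sources=2):
    """Layered correlation.
    Layer 1: group by source IP and drop sources below an activity threshold.
    Layer 2: a source reported by >= min_sources independent device types is an
    'active attacker'; a source seen by a single device type is classed as 'scanning'."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src_ip].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        if len(evs) < min_events:
            continue  # layer 1: too little activity to report
        sources = {ev.source_type for ev in evs}
        verdicts[src] = {
            "verdict": "active attacker" if len(sources) >= min_sources else "scanning",
            "event_count": len(evs),
            "corroborating_sources": sorted(sources),
            "targets": sorted({ev.dst_ip for ev in evs}),
            "top_priority": min(ev.priority for ev in evs),
        }
    return verdicts


if __name__ == "__main__":
    evs, unparsed = normalize_all(SAMPLE_LOGS)
    for src, verdict in correlate(evs).items():
        print(src, verdict)
    print("unparsed lines:", len(unparsed))
```

In the sample, 203.0.113.7 is reported by the firewall, the IDS and the host's SSH daemon and so comes out as an active attacker, 198.51.100.9 is only ever seen as firewall denies across several hosts and stays classed as scanning, and the single failed login from 192.0.2.55 never passes the first layer. Keeping `raw` on every event and returning the unparsed lines is what lets an analyst go back to the original message when a verdict is questioned.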

Detection: The Key

Accuracy in attacker detection is completely dependent upon the quality of information that originates from the IDS, IPS, anomaly engines and similar sources. First, the deployed detection engines have to be tuned well for the topology of the network and its applications; second, having multiple types of detection engines improves the overall accuracy of the output. The CNAM Security Suite provides end-to-end control over the detection process, with an elaborate set of detection tools for every single customer network. The CNAM Security Suite concentrates on delivering quality by implementing the best security technologies and tuning them to perfection.

Key Benefits of Real-time Attack Monitoring

  • Active Attacker Detection identifies real attackers that perform malicious activities on the enterprise infrastructure
  • Real-time Operation uses distributed detection techniques that reduce the time to notification and alert the monitoring teams while the attack is in progress
  • Collaborative Intelligence allows customers to validate their attacks / attackers with a common intelligence pool, without sharing any operational data
  • Single View Dashboard provides a quick / detailed view of the entire enterprise that may span across geographies
  • False Positive Reduction delivers a massive improvement in detection while logically reducing false positives
  • Asset Risk Prioritization analyzes and prioritizes attacks / threats / vulnerabilities based on the organizational view of assets


Resources

Benefits of using CNAM
A short write-up on the benefits of the CNAM Security Suite

Quick Intro to CNAM
Brief 4-slide introduction to CNAM

Effective Detection Strategies
Walks through most of the available options in the detection space.