white paper - Click & Decide

WHITE PAPER
Get the value of real Business
Intelligence from your logs
Executive Summary
Security issues now go beyond the IT department and take their rightful place at enterprise level. Log analysis software offers tools that cover the full incident management cycle: prevent, detect, contain, investigate, correct and report.
Beyond alarm correlation, operational management of security logs should also make it possible to verify the legitimate use of company resources, to maintain service quality and to demonstrate regulatory compliance. Click&DECiDE offers secure log management solutions and helps companies pass IT audits as part of a process of compliance with international regulations.
www.clickndecide.com
98, route de la Reine 92100 Boulogne-Billancourt
+33 (0)6 71 99 86 60 sales@clickndecide.com
Table of Contents
1. Log management solutions?
1.1. Security log management
1.2. The Regulatory Challenge
2. Click&DECiDE's Security Log Management Solution
3. Click&DECiDE: 4 Key Elements
3.1.1. Centralization and Archiving your logs
3.1.2. Reporting in real-time and dashboards
3.1.3. Correlation & real-time alerts
3.1.4. Forensic Investigation
3.2. Log Lifecycle Management
3.3. Our Three Main Products
3.3.1. Click&DECiDE Network & Security Intelligence Professional Package
3.3.2. Click&DECiDE Network & Security Intelligence Package Enterprise
3.3.3. Click&DECiDE BAI for NSI
3.4. Key benefits
3.4.1. Management of structured and semi-structured Data
3.4.2. Distribution of the information on your desktop
3.4.3. Distribution of the information via the web portal
3.4.4. Advanced Analysis, Correlation, Alert, Forensic analysis
3.4.5. Archiving for Regulatory Compliance and Auditing
3.4.6. Powerful Customization Tool
4. Architecture
4.1.1. Step 1: Log Collection
4.1.2. Step 2: Archival
4.1.3. Step 3: Log Filtering & Data Enhancement
4.1.4. Step 4: Database Management
4.1.5. Step 5: Dashboard Creation
4.1.6. Step 6: Customizing Reports
4.1.7. Step 7: Correlation and Alerting
4.2. Easy configuration via Click&DECiDE Configurator
4.3. Intuitive Administration via Click&DECiDE Management Console
5. Devices supported
6. Key features
6.1. Log Centralization & Archival
Key Points
Key Benefits
6.2. Dashboard Generation & Reporting
6.2.1. Examples of Click&DECiDE Pre-defined Dashboards
Firewall/VPN Dashboards
Proxy Dashboards
Intrusion Detection Dashboards
Web Site Statistics Dashboards
Content Filtering Dashboards
E-mail Statistics Reports
Systems Statistics Reports
Strong Authentication Dashboards
6.3. Easy Dashboard Access via Click&DECiDE Web Portal
6.4. Plan your Dashboard Generation via the Click&DECiDE Task Scheduler
6.5. Event Correlation and Alerting
6.6. Alerting & Correlation Console
6.7. Advanced Forensic Analysis & Data Manipulation
6.7.1. Cubes
7. System Requirements
7.1. Systems
7.2. Components
7.3. Databases
8. Conclusion
1. Log management solutions?
Log management solutions automate the collection and consolidation of events from many types of network device. The software also guarantees archival of the data in its native format and turns the collected data into real decision-making indicators. Advanced correlation and alerting functions let you act proactively on your information system.
Security event logs are collected, consolidated, normalized and archived. These events can then be used in forensic investigations and inquiries, or to understand a specific security incident through summary dashboards.
Security log management is an essential part of Enterprise Risk Management: it lets you validate and enforce the company's security rules.
1.1. Security log management
Security's role in log management is to deliver the following three assurances:
 Confidentiality: the assurance that information is not disclosed to inappropriate or unauthorized entities or processes. Your enterprise's sensitive data is held in confidence, and logs are preserved, analyzed, correlated and reported so that access to them is limited to an appropriate set of individuals or organizations.
 Integrity: the assurance that the content and source of a piece of information are correct and appropriate, including prevention of unauthorized modification, so that your data is sound and unimpaired.
 Availability: the ability to access and use a specific resource within the time frame defined in the IT product specification; information objects and other system resources must be accessible when needed and without undue delay.
Today security is enterprise-wide, and the CEO and CFO are held responsible for security violations. The IT Director is a key stakeholder on the compliance steering committee. According to ISO 17799, management should express its commitment and clearly define and support the direction of the security policy. Recent legislation also clearly reflects the importance security holds today and will hold over the coming years.
1.2. The Regulatory Challenge
Proper log management is critical if your organization is affected by laws and regulations that require the collection and archiving of event logs. Audit and control reviews are held annually and quarterly, if not more frequently, to uncover violations of organizational policy or of separation of duties, as well as breaches in the use of private or confidential customer or enterprise information.
Because of growing concerns over the integrity of business data, new regulations have been introduced that reinforce the need for stronger internal control mechanisms. In the US, the Sarbanes-Oxley Act places the responsibility for establishing rigorous internal control systems and records management procedures in publicly quoted companies directly on senior executives; it is mandatory for companies listed on US stock exchanges.
This development is not restricted to the US or to US-quoted companies. Much of the EU corporate governance regulation creates similar records management requirements, for example Basel II (Europe), the Loi de Sécurité Financière (France) and the Tabaksblat Code (Netherlands).
Frameworks and standards related to these regulations include COSO, COBIT and ISO/IEC 27002. Some of the most common challenges posed by the new regulations, which the above frameworks treat in detail, include:
 How to introduce better internal control mechanisms for new regulations?
 How to define "who has access to what" within the organization?
 How to report on current access permissions as needed?
 How to determine when access permissions were granted and revoked?
 How to see how access permissions have changed over time?
 How to comply while keeping costs down?
 How to comply while supporting current operations?
2. Click&DECiDE's Security Log Management Solution
Click&DECiDE addresses the following challenges:
 Compliance with international regulations.
 Better risk management, by staying informed of security threats and responding to them in real time.
 A higher overall level of security intelligence, through the management of your security events.
Our solutions address your overall log management requirements, namely:
 Log Centralization & Archival: to meet the legal requirements for log retention and to provide a simple way to reconcile your auditors' needs with regulatory needs. Once collected, the raw data is archived for future use. The information is also inserted into a database for dashboard generation or investigation.
 Reporting: delivery of dashboards per category of device, with information adapted to the different stakeholders in the company. These dashboards should provide both an overview and, where necessary, a detailed view. The data is updated daily.
 Correlation & Alerting: different correlation and alerting mechanisms should help you identify alerts or inconsistencies in real time through the Alerting and Correlation Console.
 Forensic Analysis: the tools should let you investigate and manipulate the data to find the causes of malfunctions or attacks, and to filter the data.
Click&DECiDE transforms huge volumes of disparate event data into actionable knowledge!
3. Click&DECiDE: 4 Key Elements
The four key elements of Click&DECiDE's solution enable you to meet these challenges:
3.1.1. Centralization and Archiving your logs
Click&DECiDE collects the whole set of logs, in real time and continuously if necessary. These logs are stored in their native format to satisfy regulatory compliance rules, archived, and inserted into the database for dashboard generation and investigation.
3.1.2. Reporting in real-time and dashboards
Click&DECiDE supplies dynamic dashboards that give a global, real-time view of the enterprise infrastructure and let you use a single BI tool for all your equipment.
3.1.3. Correlation & real-time alerts
Click&DECiDE correlates events, identifies vulnerabilities and sends relevant alerts in real time to help your IT teams; a criticality level is assigned to each alert through the Alerting and Correlation Console.
3.1.4. Forensic Investigation
Click&DECiDE includes advanced forensic analysis and event traceability as standard features, to identify and highlight malfunctions. Archived data can also be replayed into the Click&DECiDE system at any time, for investigations covering a longer period.
3.2. Log Lifecycle Management
The various solutions proposed by Click&DECiDE accompany the whole lifecycle of a log.
3.3. Our Three Main Products
3.3.1. Click&DECiDE Network & Security Intelligence Professional Package
Centralizing all events at a single point, Click&DECiDE NSI Professional provides advanced dynamic dashboards for your various standard equipment. These dashboards can be generated in real time or scheduled from a Web portal. Click&DECiDE NSI Professional also provides dynamic interactive reports and cubes with multidimensional views, letting you analyze data from different angles interactively. Reports are available in the usual output formats, including PDF, Excel and HTML.
Click&DECiDE NSI Professional also incorporates a mechanism for legal archiving of the collected logs.
3.3.2. Click&DECiDE Network & Security Intelligence Package Enterprise
Click&DECiDE NSI Enterprise covers all your needs in terms of operating logs. It provides the same advanced dynamic dashboards, real-time or scheduled generation from a Web portal, interactive reports and cubes, and output formats (PDF, Excel, HTML) as NSI Professional, and additionally allows the company's critical business applications to be integrated into these dashboards.
Click&DECiDE NSI Enterprise also incorporates a mechanism for legal archiving of the collected logs.
Click&DECiDE NSI Enterprise also manages alarms in real time, based on thresholds and multi-device correlations, so that suspicious activity can be answered.
Click&DECiDE NSI Enterprise assists you in complying with international regulations (Sarbanes-Oxley, Basel II, HIPAA, LSF, ...).
Click&DECiDE NSI Enterprise lets you have real-time dashboards in Excel format.
3.3.3. Click&DECiDE BAI for NSI
Click&DECiDE BAI, a true BI tool, lets you modify existing reports, create new dashboards and reports, and adapt the graphics to match your corporate image.
Click&DECiDE BAI can modify existing cubes, create new cubes, and quickly put in place the new indicators or investigative tools you need.
Click&DECiDE BAI lets you create alarms from reports, dashboards and indicators, so that the people concerned are warned when abnormal behaviour is spotted.
Click&DECiDE BAI adds the ability to create reports, cubes and dashboards directly on the information contained in your application databases, to build a real access portal to company information.
Click&DECiDE BAI provides real-time information in Excel format with filtering profiles.
3.4. Key benefits
The software proposed by Click&DECiDE enables you to:
 Automate log collection, archiving and alerting, as well as dashboard generation.
 Reduce the vulnerabilities of your information system.
 Analyse threats.
 Reduce risk.
The bottom line... Click&DECiDE Solutions protect your enterprise!
3.4.1. Management of structured and semi-structured Data
The Click&DECiDE engine can collect, aggregate and perform maintenance (task scheduling and purging) on all your structured and semi-structured data: RDBMS, flat files, WMI, Syslog, SNMP, Radius, .... It can also collect data and create cubes, queries and reports from all sorts of sources: Oracle, UDB (DB2, SQL/DS, AS400/iSeries), ODBC and other data access (Excel, Analysis Services).
3.4.2. Distribution of the information on your desktop
Click&DECiDE lets you create and run ad hoc queries, reports, dashboards or OLAP cubes (on data from multiple databases and Analysis Services). You can send the information you want, in the format you wish (PDF, MS Excel, Word, Access, HTML, XML, TXT, CSV, ...), to the right people, thanks to our advanced user profile management (Windows, Active Directory, LDAP, RADIUS).
3.4.3. Distribution of the information via the web portal
The Click&DECiDE web portal lets you run predefined queries, ad hoc reports, OLAP cubes and interactive dashboards. The information is delivered to the right person, either in real time or on a scheduled basis, according to criteria you set and in the format you choose: HTML, XML, PDF, MS Excel, Word, Access, TXT, CSV, e-mail, RSS, Web Part, MS Office Web Query, SharePoint, or direct access via shortcuts. The information is modeled and filtered through our user profile management system (Windows, Active Directory, LDAP, RADIUS).
3.4.4. Advanced Analysis, Correlation, Alert, Forensic analysis
You can analyze and investigate your data after the fact through Click&DECiDE OLAP cubes and through the correlation of data in interactive reports: drill-downs on dynamic reports and interactive dashboards (map, chart, drill-down cube). Decision makers can be alerted in real time, through combined alert criteria based on KPIs (Key Performance Indicators), by e-mail, RSS, Web Part, Syslog, SNMP trap, ...
3.4.5. Archiving for Regulatory Compliance and Auditing
Click&DECiDE lets you store semi-structured data in its native format, signed, compressed and indexed for compliance. You can also restore and replay archived data at any time using the Replay feature.
3.4.6. Powerful Customization Tool
Easily customize your reports, the theme of your web portal, your dashboards and your cubes to respect your enterprise's graphic charter. Parse your semi-structured and tabular data with our Universal Parser (based on regular expressions) and our Tabular Parser.
4. Architecture
Let‟s take a closer look at the architecture behind Click&DECiDE‟s solutions.
4.1.1. Step 1: Log Collection
From heterogeneous devices
Click&DECiDE supports the major device categories on the market: firewalls, proxies, servers, IPS (Intrusion Prevention Systems), IDS (Intrusion Detection Systems), e-mail servers, authentication servers, anti-virus and web servers.
With a broad range of log formats
Data can be collected via Syslog (Click&DECiDE is itself a Syslog server), from flat files, or via certain proprietary protocols such as Check Point LEA, Windows WMI or Radius. Depending on the source, logs can be collected in real time or in deferred time.
4.1.2. Step 2: Archival
The collected data is then stored through the Click&DECiDE Log Archive module to ensure its integrity over the long term. A digest is computed over the data, which is then compressed and encrypted before being archived in the Log Vault.
4.1.3. Step 3: Log Filtering & Data Enhancement
The Click&DECiDE ULA (Universal Log Analyser) analyses, normalizes and filters the event data in real time. The data can be enriched in real time with context from external sources (reverse DNS, LDAP directory, SQL tables, dictionaries) to improve readability. Each Click&DECiDE Engine can insert several tens of millions of events per day into the database.
4.1.4. Step 4: Database Management
Click&DECiDE aggregates, consolidates and purges your security event data in the Click&DECiDE database through its automated database management tasks. Scheduled aggregation and purge features let Click&DECiDE reduce the size of your database significantly (by a factor of about 25 for devices such as firewalls and proxies).
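The mechanism behind that size reduction, as an added example written for this page (it is not Click&DECiDE code and does not reproduce the product's schema or maintenance tasks): raw firewall events are rolled up into an hourly summary table that is kept, and raw rows older than a retention period are purged, so the database holds a short window of detail plus long-term counts. It uses sqlite3 from the Python standard library on constructed data; the table names, columns and the 7-day raw retention are assumptions.

```python
"""Scheduled aggregation and purge of raw firewall events (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

RAW_RETENTION_DAYS = 7  # assumption: raw rows kept one week, summaries kept indefinitely


def open_db():
    """Raw event table plus the summary table that aggregation fills."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE fw_events (
            ts TEXT, src TEXT, dst TEXT, dport INTEGER, action TEXT);
        CREATE TABLE fw_hourly (
            hour TEXT, src TEXT, dport INTEGER, action TEXT, hits INTEGER,
            PRIMARY KEY (hour, src, dport, action));
        """
    )
    return con


def load_sample(con, now):
    """Constructed data: 10 days, 50 events per day, a few sources and ports."""
    rows = []
    for day in range(10):
        for i in range(50):
            ts = now - timedelta(days=day, minutes=i)
            rows.append((ts.isoformat(), f"203.0.113.{i % 5}", "192.0.2.10",
                         22 if i % 2 else 443, "drop" if i % 2 else "accept"))
    con.executemany("INSERT INTO fw_events VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    return len(rows)


def aggregate(con):
    """Roll raw events up per hour/source/port/action. Re-running replaces the
    rows for hours still present in the raw table, so a partial hour is
    corrected on the next run; summary rows for purged hours are untouched."""
    con.execute(
        """
        INSERT OR REPLACE INTO fw_hourly (hour, src, dport, action, hits)
        SELECT substr(ts, 1, 13) || ':00', src, dport, action, COUNT(*)
        FROM fw_events
        GROUP BY substr(ts, 1, 13), src, dport, action
        """
    )
    con.commit()
    return con.execute("SELECT COUNT(*) FROM fw_hourly").fetchone()[0]


def purge(con, now, retention_days=RAW_RETENTION_DAYS):
    """Delete raw rows older than the retention window; returns rows removed."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = con.execute("DELETE FROM fw_events WHERE ts < ?", (cutoff,))
    con.commit()
    return cur.rowcount


def row_counts(con):
    raw = con.execute("SELECT COUNT(*) FROM fw_events").fetchone()[0]
    summary = con.execute("SELECT COUNT(*) FROM fw_hourly").fetchone()[0]
    return {"raw": raw, "summary": summary}


def run_maintenance(now=None):
    """One scheduled maintenance cycle: load, aggregate, purge, report."""
    now = now or datetime(2024, 3, 12, 12, 0, tzinfo=timezone.utc)
    con = open_db()
    loaded = load_sample(con, now)
    before = row_counts(con)
    aggregate(con)
    removed = purge(con, now)
    after = row_counts(con)
    return {"loaded": loaded, "before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(run_maintenance())
```

Run the cycle in the order shown: aggregate first, then purge. Purging first would lose the hours that have not yet been summarized. The ratio between raw rows and summary rows is what the "factor of 25" above measures; with real firewall traffic the number of distinct (hour, source, port, action) groups is far smaller than the number of events.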
4.1.5. Step 5: Dashboard Creation
Dashboard generation is automated and can easily be scheduled (as a daily, weekly or monthly task). Dashboards can also be generated in real time. Powerful drill-down features take the user directly to the detailed information they need, and the navigation features let users jump to the sections they need and perform historical trending by moving from day to day or month to month in a click.
4.1.6. Step 6: Customizing Reports
Our BAI product lets Click&DECiDE NSI users modify dashboards, reports and cubes to customize them, both visually and functionally. You can set up the new indicators and graphs that are requested and assemble them into new dashboards, or add them to existing reports.
Output formats include PDF, Excel, HTML and XML. Click&DECiDE BAI users access information through a customized web portal, where they can generate reports, cubes and dashboards in real time or schedule them. Scheduled results can be delivered via e-mail, RSS, Web Parts, SharePoint Web Parts or Web Queries. Profiles and models can be used to filter data distribution, so that each user or user group can access only the data they are authorized to see. Finally, supervision can be applied to the reports: alerts can be triggered based on the results of those reports and queries.
4.1.7. Step 7: Correlation and Alerting
Advanced correlation features let you rapidly detect violations in real time and identify vulnerabilities. Click&DECiDE sends trusted alerts to your IT staff in real time via e-mail, SNMP trap or the Click&DECiDE Alerting & Correlation Console, to help them quickly isolate and resolve potential threats and automate protection.
The Alerting & Correlation Console further lets you manage alert levels, and filter or acknowledge alerts.
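The kind of threshold-based, multi-device correlation this step describes, as an added example written for this page (it is not Click&DECiDE code and does not reproduce the product's rule language): failed logons are counted per source address across devices in a sliding window, a medium alert is raised when the threshold is reached, and a high alert is raised if a success from the same source follows the burst, which is the case an operator most wants to see first. The event fields, the threshold and the window are assumptions, and the events are constructed.

```python
"""Sliding-window correlation of authentication failures (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: 5 failures ...
WINDOW = timedelta(minutes=2)   # ... within 2 minutes, from one source, any device


def _alert(rule, severity, src, ev, q):
    return {
        "rule": rule, "severity": severity, "src": src, "user": ev["user"],
        "ts": ev["ts"].isoformat(), "count": len(q),
        "devices": sorted({d for _, d in q}),
    }


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """events: dicts with ts (datetime), device, src, user and outcome
    ('fail' or 'success'). Returns the alerts raised, in time order."""
    recent = defaultdict(deque)   # src -> (ts, device) of failures still in window
    raised = set()                # sources already alerted for the current burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        q = recent[src]
        while q and ev["ts"] - q[0][0] > window:     # slide the window forward
            q.popleft()
        if len(q) < threshold:
            raised.discard(src)                        # burst expired; may alert again
        if ev["outcome"] == "fail":
            q.append((ev["ts"], ev["device"]))
            if len(q) >= threshold and src not in raised:
                raised.add(src)                        # one medium alert per burst
                alerts.append(_alert("auth-bruteforce", "medium", src, ev, q))
        elif ev["outcome"] == "success" and len(q) >= threshold:
            # A success right after a burst of failures: escalate, then reset.
            alerts.append(_alert("auth-bruteforce-success", "high", src, ev, q))
            q.clear()
            raised.discard(src)
    return alerts


def sample_events():
    """Constructed normalized events from a VPN gateway and an AD domain controller."""
    t0 = datetime(2024, 3, 12, 10, 0, 0)

    def ev(seconds, device, src, user, outcome):
        return {"ts": t0 + timedelta(seconds=seconds), "device": device,
                "src": src, "user": user, "outcome": outcome}

    return [
        ev(0, "vpn", "203.0.113.9", "alice", "fail"),
        ev(10, "vpn", "203.0.113.9", "alice", "fail"),
        ev(20, "vpn", "203.0.113.9", "alice", "fail"),
        ev(30, "vpn", "203.0.113.9", "alice", "fail"),
        ev(40, "ad", "203.0.113.9", "alice", "fail"),    # 5th failure, second device
        ev(50, "ad", "203.0.113.9", "alice", "fail"),
        ev(60, "ad", "203.0.113.9", "alice", "success"), # burst followed by success
        ev(5, "vpn", "198.51.100.7", "bob", "fail"),     # isolated failures: no alert
        ev(200, "vpn", "198.51.100.7", "bob", "fail"),
        ev(210, "vpn", "198.51.100.7", "bob", "success"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

The rule only works because the events have already been normalized to a common shape (source address, outcome, device), which is what the earlier parsing step provides; counting per source across devices is what turns two unremarkable per-device streams into one finding. Dispatching the returned alert dicts by e-mail or SNMP trap is a separate delivery concern and is not shown.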
4.2. Easy configuration via Click&DECiDE Configurator
The Click&DECiDE suite of products includes an easy-to-use Configurator wizard that simplifies device setup: it guides you through entering the specific information for the database, the local reverse DNS, the mail server, and the aggregation, purge and archiving procedures. The Management Console is then configured automatically by the Configurator with the appropriate information.
4.3. Intuitive Administration via Click&DECiDE Management Console
The Click&DECiDE Management Console provides advanced configuration of Agents, Filters and Parsers. Alerts, rules and fields can be configured at that level as well.
5. Devices supported
Click&DECiDE supports over 100 types of device. Support for a new device is easy to add, since Click&DECiDE ships two generic parsers by default, Flat File and Syslog (both based on regular expressions), with which you can build your own plug-in. Do not hesitate to contact us if a device is missing from the list below; it has very likely already been integrated by one of our customers.
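What a regular-expression plug-in parser of the kind just mentioned actually does, and what the Universal Log Analyser step (4.1.3) and the Universal Parser (3.4.6) rely on, as an added example written for this page (it is not Click&DECiDE code and does not reproduce the product's parsers or plug-in format): two unrelated native formats, Netfilter iptables syslog lines and an Apache common-log line, both from the list below, become one normalized record; lines no parser recognizes are set aside rather than silently dropped; and the source address is enriched from a lookup table standing in for reverse DNS. The sample lines and the lookup table are constructed, and the syslog year is an assumption, because BSD syslog timestamps carry none.

```python
"""Regex-based log parsing, normalization and enrichment (added example)."""
import re
from datetime import datetime, timezone

SYSLOG_YEAR = 2024  # assumption: BSD syslog timestamps carry no year

# Constructed sample input (not captured from real systems).
SAMPLE_LINES = [
    "Mar 12 10:15:01 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51522 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 12 10:15:02 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51523 DPT=23 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    '192.0.2.55 - - [12/Mar/2024:10:15:03 +0000] "GET /admin HTTP/1.1" 403 201',
    "Mar 12 10:15:04 fw1 sshd[1234]: Accepted password for root from 203.0.113.9 port 51600 ssh2",
]

# Stand-in for a reverse-DNS lookup (constructed).
RDNS_TABLE = {"203.0.113.9": "scanner.example.net", "192.0.2.55": "ws55.corp.example"}

IPTABLES_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
PARSERS = [("firewall", IPTABLES_RE), ("web", APACHE_RE)]  # first match wins


def parse_line(line):
    """Return a normalized record, or None if no parser matches the line."""
    for device, pattern in PARSERS:
        m = pattern.match(line)
        if not m:
            continue
        f = m.groupdict()
        rec = {"device": device, "src": f["src"], "raw": line}
        if device == "firewall":
            ts = datetime.strptime(f["ts"], "%b %d %H:%M:%S").replace(
                year=SYSLOG_YEAR, tzinfo=timezone.utc)
            rec.update(host=f["host"], dst=f["dst"], proto=f["proto"],
                       sport=int(f["sport"]), dport=int(f["dport"]))
        else:
            ts = datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec.update(method=f["method"], url=f["url"], status=int(f["status"]))
        rec["ts"] = ts.isoformat()       # one timestamp format for every device
        return rec
    return None


def enrich(rec, rdns):
    """Add a host name for the source address when the lookup knows it."""
    rec["src_host"] = rdns.get(rec["src"], rec["src"])
    return rec


def process(lines, rdns=RDNS_TABLE):
    """Split input into normalized, enriched records and unparsed lines."""
    records, unparsed = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(enrich(rec, rdns))
    return records, unparsed


if __name__ == "__main__":
    recs, leftover = process(SAMPLE_LINES)
    for r in recs:
        print(r["ts"], r["device"], r["src_host"], r.get("dport", r.get("url")))
    print("unparsed:", len(leftover))
```

Keep the unparsed lines: the sshd line above is exactly the sort of event a new plug-in would be written for, and a parser that drops what it does not understand hides the gap. Anchoring every pattern at the start of the line and matching named groups, as here, is also what keeps a crafted log line from being mis-attributed to the wrong device type.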
Product: Type of data
ActivIdentity: Radius, Authentication
Aladdin eSafe: E-mail, Content Filtering
Apache: Web Site
ARKOON Network Security: Firewall, IPS, Proxy
Blue Coat Secure Web Gateway: Proxy, Content Filtering
Check Point Firewalls: Firewall
Cisco ASA Series: Firewall
Cisco Catalyst: Firewall
Cisco IronPort-C ESA: E-mail, Content Filtering
Cisco IronPort-S WSA: Proxy
Cisco PIX Series: Firewall
Cisco Routers Series: Router & Switch
Cisco Secure ACS: Radius, Authentication
Cisco Security Modules: Firewall
Cisco Switch Series: Router & Switch
Clavister Security Gateways: Firewall, Proxy
Deny All: IPS, Web Site
F5 Web Acceleration: Web Site
Fortinet Fortigate: Firewall, IPS, Proxy, Content Filtering, UTM
IBM ISS Proventia (A-GmM): IPS
IBM Lotus Domino: Web Site
Juniper Networks NetScreen: Firewall, IPS
Juniper NSM: Firewall, IPS
McAfee IntruShield: IPS
McAfee Web Gateway: Proxy, Content Filtering
Microsoft Active Directory: WMI
Microsoft Exchange: E-mail
Microsoft Internet Connection Firewall: Firewall
Microsoft Internet Information Server (IIS): Web Site
Microsoft ISA Server: Firewall, Proxy
Microsoft WMI (Windows Management Instrumentation): WMI
MimeSweeper for SMTP: E-mail, E-mail Content Filtering
Netapp Net Cache: Proxy
NETASQ: Firewall, Proxy, IPS
Netfilter ipchains: Firewall
Netfilter iptables: Firewall
Novell Border Manager: Proxy
Olfeo: Proxy
Postfix: E-mail
Radius: Radius
Radius Cisco Secure: Radius
Radius Telefonica: Radius
Radware, Defense Pro: IPS
Sendmail: E-mail
Snort: IPS
SonicWall: Firewall
Sourcefire: IPS
Squid: Proxy Server
Squid Reverse Proxy: Web Site
Stonesoft StoneGate: Firewall
Symantec Gateway Security: Firewall, Proxy
Symantec Raptor Firewall: Firewall
Trend Micro IMSS: E-mail, E-mail Content Filtering
Trend Micro IWSS: Content Filtering, Proxy
WatchGuard: Firewall
6. Key features
6.1. Log Centralization & Archival
The Click&DECiDE Log Archive module lets you securely store the logs of all your devices, in raw or CSV format, over the long term.
Click&DECiDE lets you archive the following major log formats:
 Syslog.
 Flat Files.
 LEA (Check Point).
 Microsoft WMI.
 Radius.
 Or any proprietary format.
Click&DECiDE Log Archive is made of two key components: Log Storage and Log Vault.
 The Log Storage component generates logs in flat file and enriched CSV formats, which are then written to the log storage directory.
 The Log Vault component signs (SHA digest), compresses (ZIP) and encrypts (AES) the log files before they are archived, to meet international regulations. Files can be organized by device type or group and/or by date. Compression reduces file size by 90%. Logs can be replayed at any point in time by simply extracting a copy from the Log Vault.
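The digest-then-compress step of the Log Vault, and the archival step described in 4.1.2, together with the integrity check a replay should perform, as an added example written for this page (it is not Click&DECiDE code and does not reproduce the product's vault format). It uses the Python standard library only, so the AES encryption step the vault performs is not reproduced. The signature is shown as an HMAC-SHA256 under a key held by the vault, which is an assumption, since the page does not say how the product signs; the reason for showing it beside the plain digest is the caveat an auditor will raise: a bare SHA digest stored next to the file proves nothing against anyone who can rewrite the file, because they simply recompute it, whereas the keyed tag cannot be recomputed without the key. The sample log is constructed.

```python
"""Digest, keyed signature, compression and replay check for an archived log
(added example)."""
import hashlib
import hmac
import io
import json
import zipfile

VAULT_KEY = b"example-vault-key-replace-in-production"  # assumption: held by the vault only

# Constructed sample log: 200 firewall lines with varying ports and times.
SAMPLE_LOG = b"".join(
    (f"Mar 12 10:{i // 60:02d}:{i % 60:02d} fw1 kernel: IN=eth0 OUT= "
     f"SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT={51000 + i} DPT=22 SYN\n").encode()
    for i in range(200)
)


def seal(name, raw, key=VAULT_KEY):
    """Compute digest and keyed tag over the raw bytes, then store the log
    and its manifest together in a deflate-compressed zip."""
    manifest = {
        "file": name,
        "size": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "hmac_sha256": hmac.new(key, raw, hashlib.sha256).hexdigest(),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, raw)
        z.writestr(name + ".manifest.json", json.dumps(manifest))
    return buf.getvalue(), manifest


def _members(zip_bytes):
    """Return (log name, log bytes, manifest dict) from an archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        name = next(n for n in z.namelist() if not n.endswith(".manifest.json"))
        return name, z.read(name), json.loads(z.read(name + ".manifest.json"))


def replay(zip_bytes, key=VAULT_KEY):
    """Extract the log and report both integrity checks separately, so the
    difference between the two becomes visible."""
    _, raw, manifest = _members(zip_bytes)
    checks = {
        "sha256": hashlib.sha256(raw).hexdigest() == manifest["sha256"],
        "hmac": hmac.compare_digest(
            hmac.new(key, raw, hashlib.sha256).hexdigest(), manifest["hmac_sha256"]),
    }
    return raw, checks


def forge(zip_bytes, new_raw):
    """What an attacker with write access to the vault but no key can do:
    swap the log and recompute the plain digest. The keyed tag goes stale."""
    name, _, manifest = _members(zip_bytes)
    manifest["size"] = len(new_raw)
    manifest["sha256"] = hashlib.sha256(new_raw).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, new_raw)
        z.writestr(name + ".manifest.json", json.dumps(manifest))
    return buf.getvalue()


def compression_ratio(zip_bytes, raw):
    """Archive size divided by raw size (0.1 means a 90% reduction)."""
    return len(zip_bytes) / len(raw)


if __name__ == "__main__":
    blob, manifest = seal("fw1-2024-03-12.log", SAMPLE_LOG)
    print("ratio", round(compression_ratio(blob, SAMPLE_LOG), 3), replay(blob)[1])
    print("forged", replay(forge(blob, SAMPLE_LOG.replace(b"DPT=22", b"DPT=80")))[1])
```

The digest is computed over the raw bytes before compression, as the archival step above describes, so it can be checked on replay regardless of how the file was packed. For a regulatory archive the key used for the tag must not live on the collector that writes the logs; otherwise whoever compromises the collector can re-sign what they rewrite.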
Key Points
 Secure archival of event logs in raw format (in their unaltered, unmodified state).
 Compression and signature of log files by day and/or by device, for internal and external regulatory, legal and auditing needs.
 Post-mortem analysis from archived logs.
 Archival and viewing of log files by date, source, size or type of device.
 Centralization of all enterprise activity data in one place.
Key Benefits
Thanks to the Click&DECiDE Log Archive module you can meet the following challenges:
 Support forensic analysis.
 Ensure the confidentiality, integrity and availability of your data.
 Allow inquiries and investigations.
 Meet regulatory compliance.
6.2. Dashboard Generation & Reporting
Click&DECiDE interprets and presents holistic information, categorized in a clear format; each dashboard can easily be adapted to your needs. Dashboards are generated according to the parameters you select via the Click&DECiDE Web Portal. Navigation within each dashboard is intuitive and user-friendly: hyperlinks bring you to more and more detailed information, and you benefit from the advanced drill-down features.
The Click&DECiDE Task Scheduler lets you define and schedule the generation of dashboards and their distribution via e-mail to the main stakeholders. Click&DECiDE provides around 200 reports by default.
6.2.1. Examples of Click&DECiDE Pre-defined Dashboards
Click&DECiDE delivers a wide range of pre-defined dashboards by default; a non-exhaustive list follows.
Firewall/VPN Dashboards
 Information on the Services.
 Information on the traffic.
 Most used Firewall rules.
 Bandwidth for the Top N Users.
 Connections per day/per hour.
 Source addresses by status ...
Proxy Dashboards
 Most Visited Domains by Visits.
 Top N Users/IP Addresses by Hits.
 Top N Users/IP Addresses by Session Length.
 Statistics on Proxy Status, File Types, Search Engines, Keywords ...
 Most Visited Country, OS, Browser ...
Intrusion Detection Dashboards
 Top N messages classed by Hits.
 Alert destinations by level.
 Attack Sources by level.
 Alert Messages by Source.
 Alert Messages by Destination.
 Top N attacks ...
Web Site Statistics Dashboards
 General Information on Web Pages' status.
 Most active sources classed by visit.
 Hits by month, day of the month, hour and so on ...
 Visits by month, day of the month, hour and so on ...
 Information on Search Engines.
 Information on Referrers.
 Information on Browsers.
 Information on countries ...
Content Filtering Dashboards
 General information on the Viruses.
 Viruses received and sent by day.
 General information on e-mails.
 Incoming Viruses for Internal Addresses.
 Outgoing Viruses by Internal Senders.
 Volume of Incoming Mails by POP Server.
 Volume of Outgoing Mails by SMTP Server ...
E-mail Statistics Reports
 General E-mail Statistics, hourly/daily E-mail traffic.
 E-mail Address Statistics.
 Most Active E-mail Users.
 E-mail Messaging Flows: Inbound, Internal, Outbound E-mail Statistics.
 Top External Sender/Recipient Company.
 Total number of Encrypted E-mails…
Systems Statistics Reports
 WMI Filtered traffic, hourly/daily activity.
 Log activity for the Top N users.
 Top N failed/successful logons and successful logoffs by user.
 Security log, Security system event, Security Privilege Use Activity.
 Security Account Management Activity.
 File and Directory Access statistics by user.
 Event types of the day…
Strong Authentication Dashboards
 General statistics by method and Group of Activities.
 Status of connections.
 Mode of connections.
 Events per day.
 Authentication method.
 Information on the blocked or accepted users.
 Information on the unused devices.
 Information per user, etc.
6.3. Easy Dashboard Access via Click&DECiDE Web Portal
Click&DECiDE provides a secure Web Portal, accessed with direct Active Directory (AD) authentication, for
consulting your reports or generating real-time reports. Depending on the user profile, Click&DECiDE either
provides a pre-defined report directly or, through a multi-criteria selection, lets you generate a report adapted
to your needs. This real-time dynamic request feature makes it possible to analyze and generate reports with
increasingly precise criteria.
6.4. Plan your Dashboard Generation via the Click&DECiDE Task Scheduler
Click&DECiDE enables you to easily schedule reports via the Click&DECiDE Web Portal. The Click&DECiDE
Task Scheduler makes the generation of static reports simple and efficient. The Click&DECiDE Task
Scheduler can perform the following:
 Define your parameters by the type of report.
 Select the output format of your reports (Adobe Acrobat PDF).
 Define or arrange the availability of your reports.
 Create a mailing distribution list to send the reports as attachments.
 Choose the frequency of the generation of your reports.
Moreover, the use of the Click&DECiDE Web Portal enables you to benefit from its user profile management
system thus enabling you to define the users who are allowed to schedule or consult reports.
6.5. Event Correlation and Alerting
Click&DECiDE delivers alerts and examples of correlation by default, as well as simple alerts combining
several devices. The alerts are sent to the Web Alert Console or by e-mail, SNMP trap and/or Syslog.
The Web Console enables you to easily manage real-time alerts. Administrators can easily use advanced
functions to create customized alerts and customized actions.
Click&DECiDE correlates events from a wide range of network devices to provide faster decision making and
greater enterprise security. Click&DECiDE provides an easy way to define the pattern of events, rules and
corresponding actions to simplify the monitoring of network events. Click&DECiDE provides four possible
correlation methods to correlate security events from different devices, identify security incidents and send
trusted alerts:
1. Generate an alert when a fixed pattern is met.
2. Generate an alert when a threshold is met within a pre-defined session timeout (Memory Counter).
3. Generate an alert if either of the two above conditions is identified and correlated with information in a
database, LDAP or a dictionary.
4. Generate an alert when the result of a query in the database meets certain criteria defined in the rule.
This query can be scheduled. This method enables analysis over long periods of time, such as port
scans.
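As an added illustration of the four correlation methods above (not code from the white paper or from Click&DECiDE), the following Python sketch applies each method to a handful of constructed firewall and IDS events; the asset-criticality dictionary stands in for the database or LDAP lookup of method 3, and the port-scan query of method 4 runs over the whole event set as a scheduled query would run over the archive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the white paper):
# (timestamp, device, source IP, destination IP, destination port, action)
EVENTS = [
    ("2024-05-01 10:00:00", "firewall", "10.0.0.5", "192.168.1.10", 22, "DENY"),
    ("2024-05-01 10:00:10", "firewall", "10.0.0.5", "192.168.1.10", 23, "DENY"),
    ("2024-05-01 10:00:20", "firewall", "10.0.0.5", "192.168.1.10", 80, "DENY"),
    ("2024-05-01 10:00:30", "ids", "10.0.0.5", "192.168.1.10", 445, "ALERT"),
    ("2024-05-01 10:30:00", "firewall", "10.0.0.7", "192.168.1.20", 443, "DENY"),
    ("2024-05-01 11:30:00", "firewall", "10.0.0.7", "192.168.1.20", 443, "DENY"),
    ("2024-05-01 11:30:05", "firewall", "10.0.0.7", "192.168.1.20", 443, "DENY"),
]
# Hypothetical asset dictionary (constructed) standing in for the database/LDAP lookup.
ASSET_CRITICALITY = {"192.168.1.10": "high", "192.168.1.20": "low"}
FIELDS = ("ts", "device", "src", "dst", "dport", "action")

def parse(raw):
    e = dict(zip(FIELDS, raw))
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    return e

def fixed_pattern(events):
    """Method 1: alert on every event matching a fixed pattern (here: any IDS ALERT)."""
    return [("pattern", e["src"], e["dst"]) for e in events
            if e["device"] == "ids" and e["action"] == "ALERT"]

def threshold_counter(events, limit=3, timeout=timedelta(minutes=5)):
    """Method 2: per-source memory counter; alert when `limit` DENYs fall inside one session.
    A gap longer than `timeout` since the previous DENY closes the session and resets the counter."""
    counters, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] != "DENY":
            continue
        count, last = counters.get(e["src"], (0, e["ts"]))
        if e["ts"] - last > timeout:
            count = 0
        count += 1
        counters[e["src"]] = (count, e["ts"])
        if count == limit:
            alerts.append(("threshold", e["src"], e["dst"]))
    return alerts

def enrich(alerts, dictionary):
    """Method 3: correlate an alert with a dictionary/LDAP/database lookup on its destination."""
    return [a + (dictionary.get(a[2], "unknown"),) for a in alerts]

def port_scan_query(events, min_ports=3):
    """Method 4: scheduled query over the archive: sources touching many distinct ports."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}
```

With the constructed data, 10.0.0.5 trips the threshold and the port-scan query, while 10.0.0.7's three denies span a gap longer than the session timeout and never reach the threshold.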
Event correlation has many benefits. It makes more efficient use of IT staff time and skills; optimizing
"Business Continuity" and preventing the revenue loss that results from downtime is a major benefit.
Click&DECiDE collects, archives and analyzes huge volumes of data for your Enterprise. These data need to
be analyzed in real-time and are useful in many security scenarios.
According to the pre-defined set of actions, several types of alerts or tasks can be executed:
 Publish the alert on the Alert and Correlation Console.
 Write in the database.
 Send an e-mail.
 Generate an SNMP trap.
 Launch a script.
The Alert and Correlation Console can manage the priority level of alerts and warnings, with comments for
better traceability.
6.6. Alerting & Correlation Console
Click&DECiDE provides a real-time HTTP Alerting & Correlation Console (ACC) for dynamic alert filtering and
alert management. The Console is multi-user with advanced secure user profile management. The four tabs
(Alert Summary, Information, Resolved and Search) enable your IT staff to quickly identify, isolate, filter and
mitigate threats:
 Alert Summary: displays alerts that are either to be acknowledged or in progress. Alerts can easily be
managed by clicking the "In Progress" or "To be Acknowledged" icons in the Status column.
 Information: displays Information-type alerts.
 Resolved: displays the alerts that have been treated and resolved.
 Search: displays all the alerts; clicking any of the icons or hyperlinks enables you to filter and group
alerts, for example filtering events by IP address.
The Console enables you to display up to sixteen fields: Alert Date, Type, Destination, Dependency,
Due Date/In Progress, Application, Number, Last Comment, Level, Device, Event ID, Company, Risk, Source,
Description and Last User.
A user-friendly interface with intuitive graphs highlights the priority of alerts and the management due dates.
Hyperlinks enable you to navigate between the tabs and access alert-relevant links online.
The Console centralizes and manages the status of your aggregated alerts via the Management, History
and Extra Information tabs:
 Management: this tab enables you to consult the details concerning the aggregated alert and the
alert status. You can easily modify the status, due date and priority and, if needed, forward the alert by
SNMP, E-mail or Syslog.
 History: this tab enables you to track alert mitigation by user profile and follow previous Alert
Management modifications made to the Alert, along with the date, user profile and comments made.
 Extra Information: this tab contains additional information, displayed according to the parameters
selected. Daily, weekly and monthly OLAP cubes can be generated for Source IP and/or Destination IP.
Advanced Configuration Panel
The Alerting & Correlation Console Configuration Panel enables you to manage User Profiles, Filtering Rules
and column display features in real-time.
 Column Display: enables the user to select the columns they want to be displayed in the Alerting &
Correlation Console.
 Filtering Rules: enables the user to add and modify filtering rules according to defined criteria.
 User Profiles: enables Administrators to define, edit and delete user profiles and assign permissions.
6.7. Advanced Forensic Analysis & Data Manipulation
Click&DECiDE enables you to store your data, thereby preserving an Audit Trail, and to analyze that data in
depth. An Audit Trail is a set of logs and records maintained in chronological order which is used to provide
evidence during an incident. These logs and records can be used a posteriori to detect and identify intruders.
For advanced searches, traceability and forensic analysis, Click&DECiDE proposes the following methods:
 Cubes
 Traceability Reports, multi-equipment and multi-source
 Report Generator – Click&DECiDE Builder
6.7.1. Cubes
The OLAP cubes allow you to manipulate huge volumes of data and easily perform Forensic Investigation.
Thanks to the Cubes, your IT staff can quickly gain answers to the 'who', 'what' and 'why' based on a large set
of data. The OLAP Cubes are based on dimensions and measures. Dimensions represent the objects of
analysis. For example, in a network intrusion log, dimensions could be source IP address, destination IP
address, attack signature and time. Measures represent the numeric data that you analyze across
dimensions. For example, in the same network intrusion log, the number of connections between a particular
pair of IP addresses would be a measure. The slice and dice feature of Click&DECiDE Cubes makes these
queries intuitive and easy to use. The following questions could therefore be answered by a Click&DECiDE
Cube based on the above example:
 How many instances of a specific attack target or originate from a specific IP address?
 How common are specific attacks over the day, week, month or year?
 Which specific IP addresses are attractive to attackers over time?
Dimensions can be structured hierarchically. Our Cubes' drill-down feature allows you to examine data at
various levels depending on the analysis in question. The dimensions and measures form the data cube that
the analyst manipulates to access various views of the data.
The power that Click&DECiDE Cubes brings to a database full of logs is impressive. The utility of Cubes can
be leveraged further by the richness of your logs and the variety of queries entered. To use Cubes you need
to install "Microsoft Office 2003 Web Components", as is the case for Pivot Cross Tables, except that
Click&DECiDE Cubes can be used without any size restrictions.
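An added example (not Click&DECiDE's cube implementation) of the dimension/measure model described above, built in Python over a constructed intrusion log: each cell holds the event-count measure for one combination of source, destination, signature, day and hour, and `rollup` slices and aggregates the cells to answer the three questions listed above and to drill from day down to hour.

```python
from collections import Counter
from datetime import datetime

# Constructed intrusion-log sample (not from the white paper):
# (timestamp, source IP, destination IP, attack signature)
IDS_LOG = [
    ("2024-05-01 09:15:00", "10.0.0.5", "192.168.1.10", "SQL Injection"),
    ("2024-05-01 09:20:00", "10.0.0.5", "192.168.1.10", "SQL Injection"),
    ("2024-05-01 11:05:00", "10.0.0.7", "192.168.1.10", "Port Scan"),
    ("2024-05-02 08:00:00", "10.0.0.5", "192.168.1.20", "SQL Injection"),
    ("2024-05-02 14:30:00", "10.0.0.9", "192.168.1.10", "Brute Force"),
]
# Dimensions of the cube; "day" and "hour" form the time hierarchy used for drill-down.
DIMENSIONS = ("src", "dst", "signature", "day", "hour")

def build_cube(log):
    """One cell per combination of dimension members; the measure is the event count."""
    cube = Counter()
    for ts, src, dst, sig in log:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        cube[(src, dst, sig, t.strftime("%Y-%m-%d"), t.hour)] += 1
    return cube

def rollup(cube, keep, **slices):
    """Slice: keep only cells whose members match `slices` (e.g. signature="Port Scan").
    Roll-up: sum the measure over every dimension not listed in `keep`."""
    idx = {name: i for i, name in enumerate(DIMENSIONS)}
    out = Counter()
    for cell, count in cube.items():
        if all(cell[idx[d]] == v for d, v in slices.items()):
            out[tuple(cell[idx[d]] for d in keep)] += count
    return dict(out)

# The three questions from the text, answered against the constructed log.
def attacks_from_source(cube, signature):
    """How many instances of a specific attack originate from each source IP?"""
    return rollup(cube, ("src",), signature=signature)

def attacks_per_day(cube, signature):
    """How common is a specific attack per day? (Keep ("day", "hour") to drill down.)"""
    return rollup(cube, ("day",), signature=signature)

def targets_over_time(cube):
    """Which destination IPs attract attackers, day by day?"""
    return rollup(cube, ("dst", "day"))
```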
 Traceability Reports, multi-device and multi-source, on the activity of an IP Address over a pre-defined
period, which trace events a posteriori, with the following fields:
- Date
- Origin
- Action
- Source IP
- Destination IP
- Rule/Attack/Results
- Source Area
- Destination Area
 Report Generator – Click&DECiDE Builder: for the generation of customized reports.
Click&DECiDE Builder allows you to create specific reports, customized to your company's look and
feel and according to your needs. Click&DECiDE Builder allows you to modify the pre-defined reports,
which you can also consult online on the Click&DECiDE Web Portal. In addition, Click&DECiDE
Builder enables you to create reports "from scratch" for all your Business Intelligence needs. It thus
meets the specific needs of each department of your company.
7. System Requirements
Required Configuration for Click&DECiDE
7.1. Systems
For demo or light evaluation (fewer than 1 million events per day):
o Windows XP SP3 or greater
o Windows Vista SP3 or greater
o Windows 7 (32 and 64 bits)
For production:
o Windows 2003 SP2 or greater (32 and 64 bits)
o Windows 2008 SP1 or greater (32 and 64 bits)
Minimum RAM: 2 Gb for demo or light evaluation, 4 Gb for production
Minimum hard disk:
o Programs: 1.5 Gb without logs
o Logs: cannot exceed 4 Gb if you are using SQL Server Express edition; otherwise, please read our
Click&DECiDE NSI Volume Estimation Guide
7.2. Components
• Microsoft Web Components 11 (version 12)
• SQL Server Native Client 2005 SP3 or greater
• Microsoft .NET Framework 3.5 SP1 or greater
• IIS (default version for the system version)
7.3. Databases
• SQL Server 2005 (Express for demo or light evaluation only, Standard or Enterprise for production) SP3 or greater
• SQL Server 2008 (Express for demo or light evaluation only, Standard or Enterprise for production) SP1 or greater (32 and 64 bits)
Note: if you have installed Microsoft IIS (Internet Information Services) after installing the Microsoft .NET
Framework 3.5 SP1, don't forget to enable the Microsoft .NET Framework in IIS as follows:
1. Select Start > All Programs > Accessories > Command Prompt.
2. Go to the directory where the Microsoft .NET Framework was installed,
C:\Windows\Microsoft.NET\Framework\v2.0.50727 by default.
3. Run the following command: aspnet_regiis -i
8. Conclusion
Succeed with Click&DECiDE:
 Quickly identify hidden threats while meeting audit, regulatory and legal requirements such as
Sarbanes-Oxley, with centralized log and event consolidation in a centralized or distributed
architecture.
 Improve system availability and service assurance, and protect intellectual property with real-time
intrusion detection.
 Identify real incidents from amongst event noise and false-positive alerts to gain meaningful and
real-time security information.
Here are just a few of the reasons why our customers choose Click&DECiDE:
 Centralize logs from any network device.
 Transform your raw data into key indicators.
 Reduce security costs through automation.
 Generate added value from your investments.
 Analyse activity by user and department.
 Optimize network capacity planning management.
 Improve IT staff efficiency.
 Identify the attacks by Source and Type.
 Reduce the "Business Risk" by responding in real-time to security incidents.
 Get compliant with international regulations.
Click&DECiDE offers a complete, integrated solution that collects and archives logs and at the same time
provides:
 Centralization and archiving of the logs in raw format.
 Delivery of dashboards for the majority of your equipment.
 Real-time escalation of correlated alerts.
 Forensic analysis and data manipulation.
With Click&DECiDE your IT team now has the ability to proactively discover, detect and prevent
intrusive activities and provide up-to-the-minute dashboard reports for management.
If you want more information about Click&DECiDE solutions, please visit our website:
www.clickndecide.com where you can find product sheets, corporate presentations, and you can download
the free evaluation license.
If you want an online demo, please contact our sales team: sales@clickndecide.com