RIMICI “ONE Source” Security Operations Center bundles more than 15 open source security programs, covering every technology layer needed for the full Security Management cycle.
RIMICI “ONE Source” Security Operations Center is a complex but powerful system, as it combines the capabilities of many well-established security programs and network monitors, built for the next generation of secure cloud.
RIMICI “ONE Source” Security Operations Center is focused on integrating enterprise-grade cloud security software and making it work together. For this purpose we have developed a Collector, a Correlation Engine, and several Reporting and Management Tools that allow information to be gathered, normalized and processed from a single console.
Together these tools make tight control of large networks possible, by deploying low-cost sensors and managing the information from a central point. Very large deployments, with hundreds of sensors, already exist in telecom, financial and governmental organizations.
Abstraction
The purpose of RIMICI “ONE Source” Security Operations Center is not only to collect the deep and detailed information that an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS) or a passive monitor can provide, but also to implement an abstraction process in which millions of small technical events become dozens of alarms a human can understand.
Most of this abstraction is produced by the Correlation Engine, which lets the administrator create Correlation Directives: patterns that join different small events into higher-level conclusions.
A typical correlation example would be a “Worm Detected” alarm raised after a number of abnormal connections have been located. We could also correlate several of these Worm Detected alarms to produce a higher-level “Plague Alarm”.
In RIMICI “ONE Source” Security Operations Center, abstraction is also provided by the Security Metrics and RiskMetrics Dashboards: one lets an administrator create specific Security Metrics (usually with a compliance goal in mind), the other provides an aggregated visualization of the risk situation of each host and network.
False-Positive Filtering
An important objective of correlating security events is to fight the enormous volume of false positives created by IDSs and security devices in general. Organizations receive millions of them per day, making it impossible for an administrator to check them all.
RIMICI “ONE Source” Security Operations Center correlation directives check these events by looking for evidence that they are, or are not, real attacks. By default we give a low value to the “Reliability” parameter of most events; it grows only as the checks performed by the correlation engine come back positive.
As an example, after a possible trojan or exploit attempt, a correlation directive will check whether the attacked host produces any attack-response signature; it will also check whether the channel persists in time or in transmitted data, and even whether the attacked machine behaves anomalously during the following hours. Each of these checks that comes back positive gives more reason to believe that a real attack is under way.
Correlation directives are managed by what we call the “Logical Correlation” process.
There are two other correlation methods that are efficient false-positive killers: “Inventory Correlation” and “Cross Correlation”.
Inventory Correlation checks which Service and Operating System type and version the attack affects, and whether the attacked host actually runs that OS/Service; if it does not, the event is discarded.
Cross Correlation “crosses” information from IDSs and Vulnerability Scanners, raising the priority of the event if we are vulnerable to the attack and lowering it if we are not.
Risk Management
RIMICI “ONE Source” Security Operations Center operates, reports and launches responses using risk parameters. Risk is calculated and stored for every collected event.
In RIMICI “ONE Source” Security Operations Center the full Security Management Process is driven by this assessment: it triggers automatic responses, alarm reporting and aggregated measures of the risk situation of networks. Administration, tuning and forensic procedures should also be driven by this measure.