AANVAL SAS TECHNOLOGY BRIEF. An Unparalleled End-to-End SIEM-Based Snort and Suricata IDS Solution

Transcription

1 TACTICAL FLEX, INC. AANVAL SAS TECHNOLOGY BRIEF An Unparalleled End-to-End SIEM-Based Snort and Suricata IDS Solution Aanval is a product of Tactical FLEX, Inc. - Copyright All Rights Reserved

2 Directory» What is Aanval SAS TM?.....3» Highlighted Features» SIEM....4» Situational Awareness TM...4» Offensive Reconnaissance TM 4» Rogue Host Detection....4» False Positive Protection.. 4» Geolocation...4» Why Aanval SAS TM?...5» Aanval SAS TM Product Comparison 6» Aanval Customers...7» Industry Focus. 8» Aanval Wiki and Library... 8» Feature Details» Billions of Events....9» Situational Awareness TM....9» Offensive Reconnaissance TM 9» Rogue Host Detection....9» Solutions for All.. 10» False Positive Protection 10» Network Host Scanning... 10» GeoLocation...10» Advanced Displays. 11» Event Tagging..11» Timeline Browser...11» Storage..12» Event Correlation.12» Live and Real-Time. 12» Syslog Mirroring..12» Advanced Search.12» Charts and Graphs..13» Reporting.. 13» Sensor and Signature Management. 13» Automated Actions 13» Event Details 14» About Tactical FLEX, Inc...14» Aanval SAS TM Licenses and Services...14» Aanval SAS TM Requirements

3 Introducing Aanval SAS The industry s leading Snort, Suricata, and Syslog console just got a whole lot better. Aanval SAS (Situational Awareness System) is the combination of our most advanced SIEM features with our newly released Network Host Scanner, Rogue Host Detection, and Offensive Reconnaissance modules. Aanval SAS provides real-time security intelligence to shore up defenses and help defenders take the offensive on thwarting cyber attacks. As the industry s most comprehensive Security Information and Event Management (SIEM) console on the market today, Aanval supports Snort and Suricata as well as virtually any syslog-sourced data, and is designed specifically to scale from small single-sensor installations to global enterprise deployments. We re not making this up. Government security and defense organizations from more than a half dozen countries, educational institutions from around the world, global financial firms as well as space exploration and military weapons manufacturers rely upon Aanval as part of their security infrastructure. Aanval SAS is designed to raise the bar in situational awareness by providing complete end-toend network visibility across physical and virtual environments. Aanval s primary function is to correlate data from multiple sources, bring together billions of events, and present users with a holistic view of false-positive free, network security situational awareness. 3 Key Contributing Factors to Aanval s Popularity and Global Success Multiple-source event collection, correlation, and archiving Situational Awareness False-positive reducing event validation Searching for a solution with real-time security intelligence? We invite you to download Aanval at Let us help turn your data into actionable and comprehensive insights. 3

4 Proven. The Red Pill. An Unparalleled End-to-End SIEM-Based Snort and Suricata IDS Solution Aanval SAS is the latest evolution in Aanval s 10-year history built with a powerful Situational Awareness System. Combining our advanced indexing, correlation, and reporting technology with Network Host Scanning, Rogue Host Detection, and Offensive Reconnaissance, Aanval provides unparalleled oversight of the networks it protects. Aanval is a complete end-to-end solution, which is time-tested and industry-proven. Highlighted Features SIEM (Security Information and Event Management) Aanval does more than just display event data; it does the work for you. Aanval includes a sophisticated event correlation engine to logically group detected attacks from your Snort, Suricata, and syslog sensors together. It even does it in real-time. Situational Awareness Situational Awareness within Aanval allows analysts to quickly identify which specific devices, services, and approximate areas of the network that are most at risk and which are more likely to be a problem in the future. Offensive Reconnaissance Aanval is no longer a passive bystander in the info-sec arena. Now capable of both manual and automated network host reconnaissance, Aanval will identify host operating systems, services, and up/down states. Rogue Host Detection New and unauthorized devices on private networks are one of the largest threats networks face, especially with the emerging BYOD culture. Aanval now includes an automated rogue host identification system that discovers and alerts when these devices appear. False Positive Protection Aanval s event validation engine automatically tags and filters events to help keep false positives from overpowering true risks, allowing analysts and engineers to focus and get back to protecting the network. Real-Time Geolocation Displays View attack vectors in real-time using Aanval s new wide-range of GeoLocation displays. Know the precise location on this planet from where attacks are being sourced. 4

5 Given Today s Treacherous Cyber Battlefield, IT Security Managers Can t Afford to Be Blindsided. Need real-time security intelligence? Think Aanval SAS. Your security intelligence solution. For organizations and enterprises with valuable data, this is a new reality. Cyber security attacks against the private and public sectors are continually evolving and targeting more and more organizations of all sizes. IT security professionals need to assess and review their current security technology tools with an eye toward the evolving security threat environment. Knowing exactly what is going on inside the network in real-time is more important than ever. Companies on the frontline of data protection and information security are responding by investing in the Aanval SAS solution because it provides security intelligence and offensive tools that help shore up defenses and turn data into actionable and comprehensive insights to reduce risk. How does Aanval SAS differ from other intrusion detection systems, Snort front-ends/guis, and SIEM products? Aanval SAS (Situational Awareness System) expands the scope of analysis to identify and prioritize security risks in real-time before hackers find them, and to detect and resolve threats faster through network visibility. Aanval SAS s new Rogue Host Detection, Offensive Reconnaissance, and Network Host Scanner modules help defenders take the offensive on thwarting cyber attacks. Aanval SAS scales to far greater volumes of data without the significant storage costs. Tactical FLEX, Inc. also understands that the concept of security intelligence requires gaining visibility of all the data across your security infrastructure. Our Aanval SAS program provides an annual unlimited sensor-capacity license, telephone and remote support, and maintenance, an integral component of a complete IT risk management program, providing patches, bug fixes, minor and major upgrades. We invite you to view our Aanval SAS Comparison section to learn more about our essential program tailored to meet your organization s security needs. 5

6 Aanval SAS Product Comparison Our Great IT Security Advantage: With annual unlimited sensor capacity, companies of all sizes are no longer limited by sensor cost and can monitor every aspect of their environment. Security Intelligence, after all, requires visibility of all the data across your security infrastructure. Aanval Community Aanval SMB Aanval SAS Aanval SAS Enterprise Situational Awareness Offensive Reconnaissance Unavailable Unavailable Rogue Host Detection Unavailable Network Host Scanning Unavailable Unavailable False Positive Protection Billions of Events Limited to 1 million events Live Event Monitor Live GeoLocation Event Correlation Automated Actions Sensor Management Signature Management Event Tagging Reporting Unlimited Snort Limited to 1 sensor Unlimited Suricata Limited to 1 sensor Unlimited Syslog Limited to 1 sensor 8 to 5 Telephone Support Unavailable 24/7 Telephone Support Unavailable Unavailable Unavailable Minor and Major Updates Maintenance and Patches Remote Access Support Unavailable Wiki and Website Support Network Size (Unique IP Addresses/Hosts) N/A (Research & Evaluation) Less than or more More than 250 Annual Pricing FREE $ $2, $5,

7 Aanval Customers With 6,000+ customers protected worldwide, we ve selected a few organizations to represent Aanval s success and wideranging capabilities. Since 2003, Tactical FLEX, Inc. has been successfully adopted into nearly every private, public, and government sector. Our customers, products, and services speak greatly towards our knowledge and experience in deploying security solutions that meet and exceed security, business, and regulatory requirements. A more extensive customer list can also be viewed online by visiting Technology Corporations RSA Sony Lucent Phillips Google Microsoft Texas Instruments HID Global Lexis Nexus Specialized Corporations Mercedes-AMG ACS McKee Foods Corp. AmeriQuest Transportation Accenture Woolworth s Unlimited Internet and Telecom Kayak Software Vonage Expedia Monster Worldwide Verizon Telecom NZ Ltd Health and Biotechnology United BioSource Corp. Covidien Advocate Healthcare Education University of Notre Dame Carnegie Mellon Rice University Mount St. Mary s University Cornell University Brown University Nuclear and Power Basin Electric Power Coop Idaho National Lab Tucson Electric Power 7

8 Government GE Aviation FAA NASA Lockheed Martin IRS AAFES US Naval Academy US Army US Navy US Department of Defense SPAWAR US Air Force New Zealand Defense Force Lockheed Martin General Dynamics US Dept. of Homeland Security Rockwell Collins Israeli Defense Force Finance and Legal Flaherty Sesanbaugh Bonasso Sidley Austin LLP Countrywide Financial Industry Focus The newly launched Industry Focus section was created to provide IT security professionals a more expansive perspective on the security needs and challenges facing their industries. Every organization, regardless of specific industry, is facing similar and ever-increasing network and inter-network related security threats. Our products and services are designed for every organization with a network or Internet connection. Tactical FLEX, Inc. protects more than 6000 organizations within every industry in more than 100 countries throughout the world. Our products and solutions are designed for end-to-end intrusion detection and network security situational awareness; whether your organization has an existing security infrastructure in need of updates and oversight or this is your initial deployment, our offerings are your remedies. Learn how our products and services can aid in securing your valuable assets and information by visiting Aanval Wiki and Library Tactical FLEX, Inc. is also committed to providing its customers and community up-to-date and viable information, so IT security professionals may make informed decisions to secure their networks and valuable data. We invite you to visit our Aanval Library, housing a wealth of industry-focused articles discussing current security studies and their findings, features and definitions, trends, threats, and tools at wiki.aanval.com/wiki/library. Our Aanval library is regularly augmented and updated. 8

9 Billions and Billions Aanval is built upon a sophisticated and time-tested data storage mechanism that allows for event storage that is only limited by disk space resources. Store billions of Snort, Suricata, and syslog events locally or remotely without adversely affecting performance. Situational Awareness Aanval includes our unique Situational Awareness engine that provides an in-depth analysis of the current network security state. Situational awareness within Aanval allows analysts to quickly identify which specific devices, services, and approximate areas of the network that are most at risk and which are more likely to be a problem in the future. Analysts can configure networks, devices, IP addresses, services, and ports within Aanval that allow our Situational Awareness engine to quickly summarize network event information and provide analysts with the resources they need to identify actual risks and make critical decisions. Offensive Reconnaissance Aanval takes advantage of Nmap, the industry s most well-known and accomplished port scanning utility to perform both automated and on-request network reconnaissance. Network host availability, port, and service scanning, as well as OS fingerprinting are now available directly within Aanval. Rogue Host Detection Automated rogue host detection and alerting capabilities are now built in to Aanval to help security analysts and network administrators stay on top of these pesky little devices. 9

10 Aanval keeps full logs of network hosts and reconnaissance results and uses this information within its correlation engine to better represent valid events and limits false positives. Solutions for All. Sweet. Regardless of your budget or event capacity requirements, Aanval is the answer to your intrusion detection needs. Fully integrated with Snort, Suricata, and syslog-sourced data, Aanval is the only interface/gui on the market in its class. False Positive Protection Aanval includes a powerful event validation engine that performs real-time analyses of events against customizable network, device, and service definitions. False positives are the number one reason intrusion analysis systems fail to provide accurate and timely results. Even small numbers of false positives are costing organizations significant amounts of time, resources, and allocated budgets to manage. Aanval SAS s event validation engine automatically tags and filters events to help keep positives from overpowering true risks, allowing analysts and engineers to focus and get back to protecting the network. Network Host Scanning To facilitate many of Aanval s powerful event validation, correlation, and alerting mechanisms, the console includes a network host-scanning module that scans local networks and builds device and network profiles automatically. Hosts, operating systems, services, interfaces, and network addresses are automatically recorded to prevent analysts from wasting precious time. Host scanning is essential in uptime performance monitoring as well as a critical component in Aanval s Rogue Host Detection System. Live GeoLocation Display Aanval has the ability to view real-time IP GeoLocation data. Aanval provides live and interactive IP GeoLocation displays to aid analysts in quickly identifying the global location of offending traffic. IP addresses of intrusion events are plotted on a fully interactive global map in both real-time and static forms. Additionally, these advanced displays help define patterns of attacks that might otherwise go unnoticed. 10

11 Advanced Displays Aanval SAS offers dozens of displays designed to provide analysts with near limitless viewing angles on attack data and correlated events. Events sorted and graphed by risk, signature statistics, and interactive timelines are only a few of the powerful new features in this release of Aanval. Additionally, Aanval includes powerful IP GeoLocation details to allow analysts to quickly identify attack proximity for complete situational awareness. Event Tagging Aanval SAS brings the addition of a very powerful event tagging system that allows individual users as well as teams to tag events with an unlimited number of keywords that may define various characteristics of an intrusion event. Default tags are provided, and each user can create their own set of custom tags; they can be added to events individually as needed or through the automated action systems as events are imported and normalized. Searching and reporting by tags is supported and statistics displays are included as well. Timeline Browser An analyst s brain is very much tied to a timeline of events when mitigating an ongoing attack or investigating historical event results. Aanval includes advanced new timeline-based charts and graphs, in addition to our standard sets. This graphing ability allows an analyst to see data from new angles and identify patterns that may have previously gone unnoticed. Charts and graphs are JavaScript based, enabling them to work on all desktop and mobile platforms. 11

12 Storage Significant research and intense development of Aanval SAS brings about the ability to store nearly an unlimited number of events within the console. As long as disk space is available, event storage continues without affecting performance. Aanval further provides tools to trim the oldest events from the disc, ensuring available space. Deployed installations with more than 100 million, 500 million, and even 1+billion events are not uncommon. Data can be stored locally or remotely and remains easily accessible for searching, reporting, and viewing statistics. Event Correlation Big features in a competitively priced product are exactly how Aanval has made its mark in the industry. Aanval includes real-time Snort, Suricata, and syslog event correlation--normalizing and effectively merging various event engine types into a single meaningful display. Aanval is the only competitively priced, feature rich, Snort as well as Suricata GUI on the market with a feature list this accomplished. Live and Real-Time Not only does Aanval process incoming data and make it available in real-time, Aanval provides multiple advanced real-time event and statistic displays to help users grasp current security and situational awareness. Aanval SAS includes significant updates and enhancements to our popular and well-known Live Event Monitor. View and respond to events in real-time Syslog Mirroring Output a stream of Aanval-imported events as user-defined UDP packets to a specific device and port, allowing you to monitor Aanval activity and/or duplicate or store Aanval log data. Advanced Search Search results and correlation displays, in addition to being extremely powerful, are quick, simple, and efficient. Find targeted events using specific meta-data criteria as well as perform full clear text searches of all event fields including payload data for Snort, Suricata, and syslog. Additionally, Aanval supports a wide range of custom search keywords to locate events based upon time periods, risk level, relation to one another, and more. 12

13 Charts and Graphs We all know charts and graphs can be both useful and unnecessary eye candy; however, Aanval provides a great balance between raw event data and graphical representation. Charts and graphs, static, interactive and real-time animated views are available in searches, summaries, reports, and dedicate displays. Our charting and graphing capabilities are based on industry-standard JavaScript technology, ensuring they display equally as impressively on all desktop and mobile devices. Reporting Aanval s reporting system utilizes the same advanced core search engine as the primary console. Reporting on select searches has never been easier and more efficient. Reports may be displayed, scheduled, managed, and ed all from a simple-to-use, yet powerful interface. Reports are available in PDF, HTML, XML, TEXT, and native console formats. Sensor and Signature Management Aanval supports Snort and Suricata signatures from any current source including signatures created and deployed by Sourcefire as well as Emerging Threats. Aanval users may create and manage Snort signature policies that can be deployed manually or automatically across single- and multiple-sensor architectures. Aanval allows users to download signature packs directly from snort.org as well as any of the widely available custom signature packs on the Internet. Additionally, Aanval supports full sensor management functionality including manual and automated stopping and starting of Snort and Suricata; alerts if IDS engines fails, and more. Automated Actions Aanval includes a sophisticated criteria-based event action system that reacts to incoming events in realtime. Our sophisticated actions modules is capable of sending s, generating audio alerts, performing maintenance, and even executing customized shell scripts to do just about anything. Many clients build and deploy advanced action scripts to update firewall rules, generate custom statistics, and even trigger remote operations. 13

14 Event Details Aanval provides a consistent layout for all event details regardless of source (Snort, Suricata and/ or syslog data). Aanval displays appropriate network layer details, protocols, fully encoded/ decoded payload, as well as the signature that triggered the event. External network address lookups can be done with a single click, as well as tagging events and adding notes are among the various features of the event details display. About Tactical FLEX, Inc. Tactical FLEX, Inc. is a privately owned software development firm based in Seattle, specializing in information security research, engineering, technology design, and production. With the technological development of Aanval, Tactical FLEX, Inc. has become a global provider of information security vulnerability and risk management software solutions that protect businesses and organizations. The firm also provides IT consulting and professional services. Aanval SAS Product Licenses and Services Aanval products and services can be purchased online. Visit for pricing or contact sales at (800) for assistance. Aanval SAS Requirements and Aanval Wiki Aanval is supported on all current flavors of Linux, UNIX, and Mac OS X. It requires up-to-date installations of MYSQL, Apache, PHP, and Perl to operate. Aanval is designed to work with every version of Snort and Suricata available and can process syslog data from any device capable of external logging. Aanval is not supported on any Microsoft platforms at this time. Please see for more information on system compatibility and operation requirements. An entire range of product manuals, documentations, and how-tos are also available by visiting the Aanval Wiki at Copyright 2012 Aanval is a product of Tactical FLEX, Inc. All rights Reserved. All logo, trademarks, and images are property and copyright of their respective owners. This site and its products are in no way endorsed by or related to any outside entity unless specifically noted. Corporate Headquarters Smokey Point Blvd, Suite #302 Arlington, WA T (800) F (501) support.group@tacticalflex.com sales.group@tacticalflex.com 14