LiveNet prevents and detects threats by giving security professionals and experts insight into, and a record of, the activity within their Information Technology environment, mainly by collecting event data from various systems, such as installed devices, network protocols, storage protocols (Syslog), streaming protocols, etc.
LiveNet operates as the interface between the underlying Critical Information Infrastructure (CII) and the CyberSANE platform, combining security information and event management functions into one security management system.
GLORIA
Developed by S2 Grupo, GLORIA is a comprehensive software suite structured around a CMDB (ISO 20000 or ITIL compliant) that provides security event monitoring and collection capabilities together with a flexible orientation towards network surveillance, covering both IT and OT components.
It goes beyond existing SIEM solutions in three ways: it detects known threats through event correlation rules derived from known signatures and patterns; it applies advanced intelligence correlation techniques to face targeted and advanced threats that have not been detected yet and therefore match no signature; and it offers automation and orchestration mechanisms that improve the efficiency and effectiveness of incident response teams. It provides advanced features for:
- Security Incident Handling and Response
- Encrypted Network Analysis
- Attack scenarios representation
- Log data transformation and normalization
- Activity classification and modelling
GLORIA provides the LiveNet component with capabilities for log normalization, activity classification and modelling, and attack scenario representation. The normalization and representation tasks convert the incident-related information and data, gathered by the cybersecurity sensors from multiple and diverse sources, into one unified and convenient format. Based on these functionalities, the collected data is normalized and cleansed to remove redundant and duplicate information.
XL-SIEM
The XL-SIEM, created by Atos, provides event correlation capabilities for the detection of security incidents, integrating sensors from different vendors and providing real-time alerts, reporting and visualization capabilities.
The XL-SIEM capabilities are:
- Generation of alerts and reports about the detected incidents
- Data storage (events gathered by the agents and alarms generated by the server)
- Processing of events received from sensors
- Configuration of different correlation processes
- Risk assessment procedure that takes into consideration the following aspects: reliability, priority and asset relevance
- Possibility to operate in a fully distributed manner, adapting it to the security and performance requirements of the platform and improving resilience and robustness
- Flexible adaptation to the characteristics of the ICT infrastructure to be monitored, tailoring detection capabilities to security requirements
- Decision Support System (DSS) to help the user analyse the risks detected and select suitable mitigation measures
- Support for deployment
XL-SIEM improves on existing open-source solutions in several ways. Among the most notable is its enhanced performance and scalability, which allow it to process large volumes of data and to perform event correlation at different layers with more complex rules.
As CyberSANE targets CIIs, the XL-SIEM provides an overall status of the system and raises alerts when an attack is detected.
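As an added illustration (not code from GLORIA, XL-SIEM or the CyberSANE project), the following Python sketch shows the two mechanisms described above: normalizing syslog lines from diverse sensors into one unified event format and dropping duplicates, as GLORIA does for LiveNet, and combining reliability, priority and asset relevance into a single risk score, as in the XL-SIEM risk assessment. The sample log formats, the unified field names and the risk weighting are assumptions made for the example.

```python
import re
from collections import OrderedDict

# Constructed sample syslog lines (not real CyberSANE data): a firewall drop that
# is received twice from a forwarding sensor, and an sshd authentication failure.
SAMPLE_LOGS = [
    "<34>Jan 12 10:01:02 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=22",
    "<34>Jan 12 10:01:02 fw01 kernel: DROP SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP DPT=22",
    "<86>Jan 12 10:01:05 srv02 sshd[4321]: Failed password for root from 10.0.0.5 port 51022 ssh2",
]
# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host program[pid]: message
HEADER = re.compile(r"^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
# Per-source parsers (assumed formats): program name -> (unified category, message pattern).
PARSERS = {
    "kernel": ("firewall_drop", re.compile(r"DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+)")),
    "sshd": ("auth_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")),
}

def normalize(line):
    """Convert one raw syslog line into the unified event dict, or None if unparseable."""
    m = HEADER.match(line)
    if not m:
        return None
    pri, ts, host, prog, msg = m.groups()
    if prog not in PARSERS:
        return None
    category, pattern = PARSERS[prog]
    body = pattern.search(msg)
    if not body:
        return None
    f = body.groupdict()
    return {"ts": ts, "host": host, "category": category,
            "severity": int(pri) % 8,          # syslog severity is the low 3 bits of PRI
            "src": f.get("src"), "dst": f.get("dst", host), "user": f.get("user")}

def normalize_and_dedupe(lines):
    """Normalize every line and drop exact duplicate events, keeping first-seen order."""
    seen = OrderedDict()
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            seen.setdefault(tuple(sorted(ev.items())), ev)
    return list(seen.values())

def risk_score(reliability, priority, asset_relevance):
    """Combine the three XL-SIEM risk factors into a 0..10 score. Assumption: the ranges
    (reliability 0..10, priority 0..5, asset 0..5) and the product/25 weighting follow the
    OSSIM convention; the page does not give XL-SIEM's actual formula."""
    if not (0 <= reliability <= 10 and 0 <= priority <= 5 and 0 <= asset_relevance <= 5):
        raise ValueError("risk factor out of range")
    return round(reliability * priority * asset_relevance / 25, 1)
```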
SiVi
The SiVi Tool, developed by Sidroco, is a human-interactive, visual-based anomaly detection system capable of monitoring and promptly detecting several devastating forms of security attack, including wormhole attacks, selective forwarding attacks, Sybil attacks, hello flood attacks and jamming attacks.
The tool’s novelty lies in its intuitive visualization graphs, which offer a quick and reliable overview of the network. Unlike tools that simply present the traffic inside the network, SiVi uses pre-trained neural networks that can identify different cyber-attacks.
SiVi implements a series of data visualization techniques, including both standard visualization methods (line, bar and column charts, etc.) and advanced visualization graphs (activity gauges, dependency wheels, etc.), aiming to provide the administrator with a complete anomaly detection ecosystem. Tables with detailed information about the network also give a thorough view of the system status.
In addition, it implements a series of Machine Learning algorithms, using both supervised and unsupervised techniques, in order to create security events and inform the CII operator in a timely manner of security attacks with devastating results. The ML algorithms are periodically updated with new attack taxonomies, offering a constantly growing layer of protection.
SiVi constantly monitors the network, capturing and analyzing the transmitted packets while looking for inconsistencies and anomalies at the tactical and operational layers of the CII environment.
Its near-real-time nature makes SiVi a tool suited to everyday use, and its integration with existing attack databases places it at the tactical level of the enterprise.
The SiVi tool will be used in CyberSANE to recognize familiar threats as well as to identify threats that have not been experienced before. SiVi Tool’s capabilities will be integrated into LiveNet for (i) near-real-time identification of anomalies; (ii) proactive reaction to threats and attacks; (iii) dynamic decision making.