What is ASPEN?
ASPEN (Advanced Security Processing Engine) is a next-generation cyber security intelligence and data processing solution that has evolved from mature and proven Security Information and Event Management (SIEM) principles.
ASPEN acts as a cyber surveillance system, enabling enterprises to track, detect and stop security incidents, whether attacks or fraud attempts.
ASPEN is a big data platform that lets you literally "see" what is happening inside your systems. It can visually track user activity and detect attacks that antivirus, intrusion detection systems and next-generation firewalls cannot detect on their own.
How does ASPEN do it? By performing real-time and historical analysis of billions of enterprise IT log records, ASPEN detects anomalies in user, system or network behavior and correlates events and indicators using internal and external data sources. ASPEN is a scalable, elastic big data lake platform for cyber security intelligence.
Our major differentiators from other SIEM products on the market are:
Visual Analysis Capability
ASPEN is the only cyber security intelligence solution offering visual analysis of security data. With this feature you can see, in real time or retroactively, what a suspected account is doing, and follow it through your systems and network action by action. Without any expert knowledge you can see its identity changes, privilege changes, processes started, files accessed and so on.
ASPEN also performs statistical analysis and correlation of arbitrary parameters, against both real-time and historical data. This allows detection of anomalies in the behavior of users, systems and network traffic.
On top of that, ASPEN provides modules for integration with third-party data sources (e.g. lists of known botnets, lists of Tor exit nodes, geolocation data, administrator lists, IP whitelists and many more).
Big Data Lake Platform
ASPEN is a "big data lake" platform, allowing searches through billions of log records in a few milliseconds. You can search using either structured or unstructured queries.
Dynamic Data Flow and Distributed Architecture
Dynamic data flow allows different event processing paths to be used depending on customer needs and optimization requirements. Each processing component is independent of the others, and routing rules define different routes for different types of events. For example, a specific type of event can be routed to multiple correlation engines to increase processing throughput, or to separate long-window correlation from short-window correlation. A synthetic event produced by correlation can also be fed back into the same correlation engine, allowing a higher, more abstract level of correlation.
Full Text Search
Full text search is the simplest model of event searching. We support phrase queries, wildcard queries, proximity queries, word distances, range queries, fielded searching, date-range searching and more. And sometimes you don't even know exactly what you are looking for, so we provide an auto-complete search helper too.
Real-Time Indexing
Real-time indexing is very important for cyber security incident response. It makes events searchable immediately after they arrive, so analysts can track attacks in real time and react immediately.
Flexible Data Model
The flexible data model means that any field and any value can be part of event information. This makes it easier to categorize events and to create common fields across different platforms, which makes events easy to understand and allows a single correlation rule to be applied to multiple event sources.
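To make the routing and the recursive correlation concrete, here is a small Go sketch of the mechanism described under Dynamic Data Flow and Flexible Data Model. It is an added example, not ASPEN code: the common field names (category, user, src_ip), the engine names "short" and "long", the threshold of three failures, the maxDepth bound on re-processing and the sample Windows 4625 and sshd records are all assumptions of the example, and the records are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is the flexible data model: any field name, any string value.
type Event map[string]string

// Constructed sample records (not real ASPEN logs) from two sources with different field names.
var rawEvents = []Event{
	{"source": "windows", "EventID": "4625", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
	{"source": "windows", "EventID": "4625", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
	{"source": "windows", "EventID": "4625", "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
	{"source": "sshd", "msg": "Failed password for alice from 10.0.0.5 port 2222 ssh2"},
	{"source": "sshd", "msg": "Accepted password for alice from 10.0.0.5 port 2223 ssh2"},
}

// normalize maps source-specific fields onto common ones (category, user, src_ip) so one rule serves every source.
func normalize(e Event) Event {
	n := Event{"source": e["source"], "category": "other"}
	if e["source"] == "windows" && e["EventID"] == "4625" { // an account failed to log on
		n["category"], n["user"], n["src_ip"] = "auth_failure", e["TargetUserName"], e["IpAddress"]
	}
	// sshd: "Failed|Accepted password for <user> from <ip> port <n> ssh2"
	if f := strings.Fields(e["msg"]); e["source"] == "sshd" && len(f) >= 6 && f[2] == "for" && f[4] == "from" {
		n["user"], n["src_ip"] = f[3], f[5]
		if f[0] == "Failed" {
			n["category"] = "auth_failure"
		} else if f[0] == "Accepted" {
			n["category"] = "auth_success"
		}
	}
	return n
}

// route is the routing rule set: it names the correlation engines that see an event; unrouted events are only stored.
func route(e Event) []string {
	switch {
	case e["category"] == "auth_failure" || e["category"] == "auth_success":
		return []string{"short", "long"} // both windows see authentication events
	case e["source"] == "correlation":
		return []string{"long"} // synthetic events feed back into the long-window engine
	default:
		return nil
	}
}

const maxDepth = 4 // bounds re-processing of synthetic events so feedback cannot loop forever
type Pipeline struct {
	failures map[string]int  // short-window engine: failures per user@src_ip
	flagged  map[string]bool // long-window engine: keys already judged brute force
	Alerts   []string
}

func NewPipeline() *Pipeline {
	return &Pipeline{failures: map[string]int{}, flagged: map[string]bool{}}
}

func (p *Pipeline) correlate(engine string, e Event, depth int) {
	key := e["user"] + "@" + e["src_ip"]
	var synthetic Event
	switch engine {
	case "short": // three failures for one user from one source address
		if e["category"] == "auth_failure" {
			if p.failures[key]++; p.failures[key] == 3 {
				synthetic = Event{"source": "correlation", "category": "suspected_bruteforce", "user": e["user"], "src_ip": e["src_ip"]}
			}
		}
	case "long": // a success after a brute-force verdict on the same key
		if e["category"] == "suspected_bruteforce" {
			p.flagged[key] = true
		} else if e["category"] == "auth_success" && p.flagged[key] {
			synthetic = Event{"source": "correlation", "category": "bruteforce_then_success", "user": e["user"], "src_ip": e["src_ip"]}
		}
	}
	if synthetic != nil {
		p.Alerts = append(p.Alerts, synthetic["category"]+" "+key)
		p.process(synthetic, depth+1) // recursive feedback of the synthetic event
	}
}

func (p *Pipeline) process(e Event, depth int) {
	if depth > maxDepth {
		return
	}
	for _, eng := range route(e) {
		p.correlate(eng, e, depth)
	}
}

// Ingest normalizes a raw record and runs it through the routing rules.
func (p *Pipeline) Ingest(raw Event) { p.process(normalize(raw), 0) }

func main() {
	p := NewPipeline()
	for _, e := range rawEvents {
		p.Ingest(e)
	}
	fmt.Println("alerts:", p.Alerts)
}
```

Two points are worth noticing. Because the routing rules are the only place that knows which engine sees what, the second rule lets a synthetic event re-enter the pipeline and reach a more abstract verdict (brute force followed by a success) without the short-window engine knowing anything about it. And any design that feeds its own output back in needs a termination condition; here the depth counter is that condition, so a rule that emits synthetic events in a loop degrades into dropped events rather than unbounded recursion.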
Event Processing Optimizations
Different security events have different importance. One of the major challenges is that a huge number of collected events are not needed most of the time and only slow down the monitoring system, yet in rare situations they are needed for forensics.
Our architecture allows different levels of processing to be defined depending on the importance of events. The most important events are stored in the fastest possible format, because they need fast correlation and searching. Second-level events are stored in a raw, searchable-only format, which saves a lot of disk space and CPU time for log processing. The third group consists of logs that only need to be searchable on demand; these are stored in an archived format that saves 99% of disk space and CPU processing while remaining accessible for forensics and compliance purposes.
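An added example (not part of ASPEN) of the three processing levels: important events kept fully processed, second-level events kept raw but searchable, and the rest compressed and decompressed only when a forensic search asks for them. The line format, the classify rule, the in-memory tiers and the 200 constructed firewall lines are assumptions of the example; the figures it prints are for this input, not the 99% quoted above.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

type Tier int

const (
	TierParsed  Tier = iota + 1 // fully processed and indexed: fast correlation and search
	TierRaw                     // raw line, searchable only
	TierArchive                 // compressed; searched only on demand (forensics, compliance)
)

// classify is the importance rule; which lines land where is an assumption of the example.
func classify(line string) Tier {
	switch {
	case strings.Contains(line, "EventID=4625"), strings.Contains(line, "event=auth_failure"):
		return TierParsed
	case strings.HasPrefix(line, "fw "):
		return TierArchive // chatty firewall ACCEPT lines
	default:
		return TierRaw
	}
}

type Store struct {
	live          map[Tier][]string // tiers 1 and 2 stay searchable in memory (a real tier 1 would also be parsed into fields)
	archive       []byte            // tier 3: concatenated gzip members, one per ingested batch
	ArchivedBytes int               // uncompressed size of everything sent to tier 3
}

// Ingest stores each line at its tier; the tier 3 lines of one batch are compressed together.
func (s *Store) Ingest(lines []string) error {
	if s.live == nil {
		s.live = map[Tier][]string{}
	}
	var batch bytes.Buffer
	for _, l := range lines {
		if t := classify(l); t == TierArchive {
			batch.WriteString(l + "\n")
		} else {
			s.live[t] = append(s.live[t], l)
		}
	}
	if batch.Len() == 0 {
		return nil
	}
	s.ArchivedBytes += batch.Len()
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	w.Write(batch.Bytes()) // writing to an in-memory buffer cannot fail
	if err := w.Close(); err != nil {
		return err
	}
	s.archive = append(s.archive, gz.Bytes()...)
	return nil
}

// Search is a substring search over tiers 1 and 2; tier 3 is decompressed only when asked for.
func (s *Store) Search(term string, includeArchive bool) ([]string, error) {
	lines := append(append([]string(nil), s.live[TierParsed]...), s.live[TierRaw]...)
	if includeArchive && len(s.archive) > 0 {
		r, err := gzip.NewReader(bytes.NewReader(s.archive)) // reads through all concatenated members
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(r)
		if err != nil {
			return nil, err
		}
		lines = append(lines, strings.Split(strings.TrimSpace(string(data)), "\n")...)
	}
	var hits []string
	for _, l := range lines {
		if strings.Contains(l, term) {
			hits = append(hits, l)
		}
	}
	return hits, nil
}

// sampleLines is constructed input: three interesting lines and 200 repetitive firewall lines.
func sampleLines() []string {
	lines := []string{
		"win host=dc01 EventID=4625 user=alice src=10.0.0.5",
		"win host=dc01 EventID=7036 service=Spooler state=running",
		"sshd host=web01 event=auth_failure user=alice src=10.0.0.5",
	}
	for i := 0; i < 200; i++ {
		lines = append(lines, fmt.Sprintf("fw action=ACCEPT src=10.0.0.%d dst=10.0.0.9 dport=443", i%20))
	}
	return lines
}

func main() {
	var s Store
	if err := s.Ingest(sampleLines()); err != nil {
		panic(err)
	}
	fmt.Printf("archive %d -> %d bytes\n", s.ArchivedBytes, len(s.archive))
}
```

The cost model follows from the structure: an ordinary search never touches the archive, so the chatty tier costs nothing at query time, while a forensic search pays the decompression once and still finds every line.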
Full Customization
ASPEN allows full customization of every ASPEN component: you can integrate your own custom event sources (e.g. a banking application), define your own parsing rules and custom correlation rules, and even customize the routing of events inside ASPEN.
Non-English Log and Character Set Support
Our solution supports processing logs in any language and character set, including Arabic, Chinese, Russian, Thai and others. We also provide ready-made parsing rules for non-English Windows OS logs.
This capability makes us unique on the SIEM market.
ASPEN in more detail
ASPEN has a dynamic architecture: it can start as a single node and grow to many interconnected nodes as requirements evolve.
This architecture has the benefit of intrinsic high availability (fail-over and load balancing) without any special requirements or configuration. It also makes it possible to build a network of ASPEN servers that follows the organizational structure (head office, branches, departments, ...).
Every node in an ASPEN network can perform partial processing and then filter or forward data for final processing at the central ASPEN server.
Situation awareness and log management are independent features of the system: one can be used with or without the other. Furthermore, each feature can be turned on or off, or replaced with another product, at any time without affecting the operation of the other features.
Distributed Indexing and Searching
The search engine embedded in our solution is a distributed, scalable, highly elastic, cloud-technology-based indexing and searching solution. In practice this means that ASPEN can start with one or two nodes (two for high availability) and, as the amount of data to be processed increases, grow to hundreds of servers without any downtime or reconfiguration.
The search engine is optimized to exploit this distributed nature: all queries are split and executed in parallel on multiple nodes.
The user interface to this search engine is a high-performance, full-featured text search API. Some of the supported features are:
- many powerful query types: phrase queries, wild-card queries, proximity queries, range queries and more;
- fielded searching;
- date-range searching.
Indexing provides a near-real-time guarantee on index data availability. This means that, depending on system load, indexed data may take up to a few seconds to appear in search results. Under normal load the delay is not noticeable (well below one second).
Indexed data is partitioned into chunks, each covering a fixed-length time period (10 days by default). This gives predictability and control over indexing and search performance.
Query performance depends only on the selected search period and the amount of data in that period, not on the total amount of data in the system. For example, if a user limits the search to a period of a few days, performance stays near real time even if ASPEN holds years of data.
This also affects data retention. The total amount of data that can be stored depends on available system resources (disk space and memory), and long retention periods have minimal impact on system performance. In other words, there are no hard limits on data retention; it depends entirely on available resources and licensing limits.
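How a fixed-length time partition keeps query cost tied to the chosen window rather than to total volume, as an added illustration and not ASPEN's implementation. The 10-day chunk length follows the text; the record format, the in-memory chunk map and the constructed two-year data set (one heartbeat line per day plus a single injected sshd failure) are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const partitionDays = 10 // ASPEN's default chunk length, according to the page

type record struct {
	ts   time.Time
	text string
}

// Index keeps one chunk per fixed-length period, keyed by period number.
type Index struct {
	chunks map[int64][]record
	total  int
}

func NewIndex() *Index { return &Index{chunks: map[int64][]record{}} }

// periodOf maps a timestamp to its chunk; chunks are aligned to multiples of partitionDays since the Unix epoch.
func periodOf(t time.Time) int64 { return t.Unix() / (partitionDays * 86400) }

func (ix *Index) Add(ts time.Time, text string) {
	k := periodOf(ts)
	ix.chunks[k] = append(ix.chunks[k], record{ts, text})
	ix.total++
}

func (ix *Index) Total() int { return ix.total }

// Search visits only chunks whose period overlaps [from, to]. The second result is the
// number of records actually examined, which depends on the window, not on Total().
func (ix *Index) Search(from, to time.Time, term string) (hits []string, examined int) {
	if to.Before(from) {
		return nil, 0 // empty window
	}
	for k := periodOf(from); k <= periodOf(to); k++ {
		for _, r := range ix.chunks[k] { // a missing chunk is a nil slice: nothing to do
			examined++
			if !r.ts.Before(from) && !r.ts.After(to) && strings.Contains(r.text, term) {
				hits = append(hits, r.text)
			}
		}
	}
	return hits, examined
}

// buildSample is constructed data: one heartbeat line per day for two years plus one
// interesting line; none of it is real ASPEN output.
func buildSample() *Index {
	ix := NewIndex()
	start := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	for d := 0; d < 730; d++ {
		ix.Add(start.AddDate(0, 0, d), "heartbeat host=web01 status=ok")
	}
	ix.Add(time.Date(2024, 6, 15, 12, 0, 0, 0, time.UTC), "sshd: Failed password for alice from 10.0.0.5")
	return ix
}

func main() {
	ix := buildSample()
	from := time.Date(2024, 6, 14, 0, 0, 0, 0, time.UTC)
	to := time.Date(2024, 6, 16, 23, 59, 59, 0, time.UTC)
	hits, examined := ix.Search(from, to, "Failed password")
	fmt.Printf("%d hit(s), %d of %d records examined\n", len(hits), examined, ix.Total())
}
```

A three-day window straddling a chunk boundary touches two chunks and therefore at most 20 days of data, however many years the index holds; adding another year of history changes the number of chunks, not the cost of that query.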
ASPEN features its own agent software, deployed on all endpoints. The agent supports multiple platforms (Windows, Linux, ...) and reliably delivers the configured system and application logs. It fully supports off-line operation by buffering all logs locally until connectivity with the server is re-established. All local data is stored and transferred securely in encrypted form.
All communication with the server is secured:
- a cryptographic key exchange protocol is used to establish temporary, unique session keys;
- the communication itself is encrypted using AES.
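A worked version of the two bullets above, written for this page and not taken from the ASPEN agent: an ephemeral X25519 exchange on each side, a session key derived from the shared secret and the exchanged public keys, and AES-256-GCM with a counter nonce for the log traffic. The key-derivation label, the framing (nonce in front of the ciphertext) and the replay counter are choices made for the example. One caveat a reviewer would raise: this exchange authenticates neither party, so an on-path attacker could sit between agent and server; the page does not say how ASPEN binds the server's exchange key to its identity, and any real deployment of such an exchange has to (for example with a certificate or a pre-provisioned server key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Session is one side's ephemeral X25519 key pair plus the AES-256-GCM state derived from it.
type Session struct {
	priv    *ecdh.PrivateKey
	aead    cipher.AEAD
	sendSeq uint64 // nonce counter for what we send; never reused under one key
	recvSeq uint64 // next counter we accept; anything lower is a replay
}

func NewSession() (*Session, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Session{priv: priv}, nil
}

func (s *Session) PublicKey() []byte { return s.priv.PublicKey().Bytes() }

// Establish derives the session key; both sides hash the same transcript (agent key first) and so agree.
func (s *Session) Establish(peerPub, agentPub, serverPub []byte) error {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := s.priv.ECDH(pk)
	if err != nil {
		return err
	}
	// Simplified KDF for the example: HMAC-SHA256 keyed with the shared secret over a
	// label and the transcript. A production design would use HKDF.
	kdf := hmac.New(sha256.New, shared)
	kdf.Write([]byte("example-session-key-v1"))
	kdf.Write(agentPub)
	kdf.Write(serverPub)
	block, err := aes.NewCipher(kdf.Sum(nil)) // 32-byte key selects AES-256
	if err != nil {
		return err
	}
	s.aead, err = cipher.NewGCM(block)
	return err
}

// Seal encrypts one batch of log lines; the 12-byte nonce is the big-endian send counter, sent in clear up front.
func (s *Session) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], s.sendSeq)
	s.sendSeq++
	return s.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open rejects replayed or reordered counters, then authenticates and decrypts; a modified message fails the tag.
func (s *Session) Open(msg []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n {
		return nil, errors.New("message too short")
	}
	seq := binary.BigEndian.Uint64(msg[4:n])
	if seq < s.recvSeq {
		return nil, errors.New("replayed message")
	}
	pt, err := s.aead.Open(nil, msg[:n], msg[n:], nil)
	if err != nil {
		return nil, err
	}
	s.recvSeq = seq + 1
	return pt, nil
}

// Handshake runs both parties in-process: fresh ephemeral keys, public keys exchanged, one session key on both ends.
func Handshake() (agent, server *Session, err error) {
	if agent, err = NewSession(); err != nil {
		return
	}
	if server, err = NewSession(); err != nil {
		return
	}
	aPub, sPub := agent.PublicKey(), server.PublicKey()
	if err = agent.Establish(sPub, aPub, sPub); err != nil {
		return
	}
	err = server.Establish(aPub, aPub, sPub)
	return
}

func main() {
	agent, server, err := Handshake()
	if err != nil {
		panic(err)
	}
	pt, err := server.Open(agent.Seal([]byte("sshd: Failed password for alice from 10.0.0.5"))) // constructed log line
	fmt.Printf("%q %v\n", pt, err)
}
```

Because the key pairs are generated per handshake, two sessions never share a key, which is what "temporary, unique session keys" buys: a key recovered from one session decrypts nothing from another. The counter nonce is the other property worth checking in any AES-GCM design, since a repeated nonce under one key breaks both confidentiality and integrity.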
The agent is written with performance and low system requirements in mind. On Windows it supports Windows XP and above without any additional software or patching requirements.
Advanced Event Processing
Our solution fully supports advanced processing of all received events: filtering, forwarding, triggering internal scripts or external programs, and many others.
Due to the architecture of the system, we support both log management and SIEM principles of data management. The log management feature is only concerned with indexing all received logs and providing a search interface to them. The SIEM features add parsing and key-value pair assignment. You don't need to think about this: just type what you are searching for and you will get it in milliseconds.
Extendable Notifications Engine
Different parts of the system can generate notifications and send them to the notifications engine. The engine, according to its configuration, delivers notifications to the appropriate recipients over the supported channels (e-mail, SMS, voice phone call, ...).
Since generation of notifications is separate from delivery, this gives a high level of flexibility. A standard usage scenario is to send notifications to the Operations Team during working hours, while outside working hours high-severity notifications are delivered to the operator on call via SMS.
An additional benefit of the Advanced Security Processing Engine is its advanced correlation engine, which allows anomaly detection. It is based on statistical modeling of values supplied by correlation scripts over variable time frame lengths, from hourly to yearly. Correlation scripts then compare current values with historical values in real time and detect anomalies.
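The statistical baseline idea, as an added example rather than ASPEN's correlation scripts. Each value is assigned to the buckets of several time frames (here hour of day and day of week; month or year would be added the same way), each bucket keeps an online mean and standard deviation, and the current value's z-score against every bucket it belongs to decides whether it is anomalous. The 28 days of hourly failed-login counts are constructed with deterministic jitter, and the threshold, the standard-deviation floor and the frame names are assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// stats is an online (Welford) mean and variance for one baseline bucket.
type stats struct {
	n        int
	mean, m2 float64
}

func (s *stats) add(v float64) {
	s.n++
	d := v - s.mean
	s.mean += d / float64(s.n)
	s.m2 += d * (v - s.mean)
}

func (s *stats) stddev() float64 {
	if s.n < 2 {
		return 0
	}
	return math.Sqrt(s.m2 / float64(s.n-1))
}

// Detector keeps one baseline per time-frame bucket, e.g. "hour:14" or "weekday:Monday".
type Detector struct {
	Threshold float64 // z-score at or above which a value is anomalous
	MinStddev float64 // floor, so a perfectly stable history does not make every deviation infinite
	base      map[string]*stats
}

func NewDetector(threshold, minStddev float64) *Detector {
	return &Detector{Threshold: threshold, MinStddev: minStddev, base: map[string]*stats{}}
}

// frames names the buckets a sample at time t belongs to; longer frames (month, year) would be added the same way.
func frames(t time.Time) []string {
	return []string{fmt.Sprintf("hour:%02d", t.Hour()), "weekday:" + t.Weekday().String()}
}

// Learn feeds one historical value (here: failed logins in the hour starting at t).
func (d *Detector) Learn(t time.Time, v float64) {
	for _, f := range frames(t) {
		if d.base[f] == nil {
			d.base[f] = &stats{}
		}
		d.base[f].add(v)
	}
}

// Check compares a current value with every frame it belongs to and returns the
// largest z-score; ok is false when no frame has enough history to judge.
func (d *Detector) Check(t time.Time, v float64) (z float64, anomalous, ok bool) {
	for _, f := range frames(t) {
		s := d.base[f]
		if s == nil || s.n < 2 {
			continue
		}
		ok = true
		z = math.Max(z, math.Abs(v-s.mean)/math.Max(s.stddev(), d.MinStddev))
	}
	return z, ok && z >= d.Threshold, ok
}

// trainSample builds a constructed baseline: four weeks of hourly failed-login counts,
// about 20 per hour in office hours and 2 at night, with small deterministic jitter.
func trainSample() *Detector {
	d := NewDetector(3, 1)
	start := time.Date(2024, 5, 6, 0, 0, 0, 0, time.UTC) // a Monday
	for i := 0; i < 28*24; i++ {
		t := start.Add(time.Duration(i) * time.Hour)
		v := 2.0
		if h := t.Hour(); h >= 8 && h < 18 {
			v = 20
		}
		d.Learn(t, v+float64((i/24+i)%3))
	}
	return d
}

func main() {
	d := trainSample()
	now := time.Date(2024, 6, 3, 14, 0, 0, 0, time.UTC)
	z, anomalous, _ := d.Check(now, 60)
	fmt.Printf("z=%.1f anomalous=%v\n", z, anomalous)
}
```

The standard-deviation floor is the edge case that matters in practice: a metric that has been almost constant for a month has a tiny standard deviation, and without the floor a harmless change of one or two would produce an enormous z-score and an alert storm. The ok flag covers the other failure mode, a bucket with no history, which must be reported as "cannot judge" rather than "normal".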
Suspicious Behavior Tracking
ASPEN uses its data maps to track suspicious behavior over time. When a suspicious action is detected, whether based on an anomaly, a policy violation or a threshold violation, ASPEN remembers the key users and hosts related to it and classifies them as suspicious for a specific amount of time. Any subsequent "normal" event involving them goes through additional checks against the observed suspicious elements. This accumulative analysis approach lets ASPEN detect events that would usually go "under the radar".
Malicious Situation Awareness
Various Internet sites provide information on bad IPs, infected hosts and vulnerable applications. ASPEN collects this information and blocks any activity related to these malicious hosts. This makes it possible to pro-actively prevent intrusion attempts that are part of mass-scale attacks.
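The tracking and the feed matching described under Suspicious Behavior Tracking and Malicious Situation Awareness, as one added example that is not ASPEN's own data map. The feed is a constructed list (203.0.113.7 is a documentation address), and the one-hour TTL, the scores and the category names are assumptions of the example. The example only scores events; whether a verdict becomes an alert or a block is a policy decision outside the code.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Event carries only the normalized fields the tracker looks at.
type Event struct {
	Time     time.Time
	Category string // e.g. threshold_violation, anomaly, file_access
	User     string
	Host     string
	SrcIP    string
}

// Verdict is the tracker's opinion of one event.
type Verdict struct {
	Score   int // 0 means ordinary; higher means an analyst should look
	Reasons []string
}

// Tracker is a small data map of recently suspicious users and hosts plus an
// externally supplied list of bad source addresses.
type Tracker struct {
	SuspectTTL time.Duration
	suspects   map[string]time.Time // "user:alice" or "host:web01" -> watch expiry
	badIPs     map[netip.Addr]bool
}

func NewTracker(ttl time.Duration, feed []string) *Tracker {
	t := &Tracker{SuspectTTL: ttl, suspects: map[string]time.Time{}, badIPs: map[netip.Addr]bool{}}
	for _, s := range feed {
		if a, err := netip.ParseAddr(s); err == nil { // malformed feed entries are skipped
			t.badIPs[a] = true
		}
	}
	return t
}

func (t *Tracker) isSuspect(key string, now time.Time) bool {
	exp, ok := t.suspects[key]
	if ok && now.Before(exp) {
		return true
	}
	delete(t.suspects, key) // expired or unknown: nothing to remember
	return false
}

// keys lists the entities an event involves; empty fields produce no key.
func (e Event) keys() []string {
	var k []string
	if e.User != "" {
		k = append(k, "user:"+e.User)
	}
	if e.Host != "" {
		k = append(k, "host:"+e.Host)
	}
	return k
}

// Assess scores an event. A violation, or traffic from a listed address, marks every
// involved user and host as suspicious for SuspectTTL; afterwards even "normal" events
// that touch them are scored, which is how low-and-slow activity accumulates evidence.
func (t *Tracker) Assess(e Event) Verdict {
	var v Verdict
	if a, err := netip.ParseAddr(e.SrcIP); err == nil && t.badIPs[a] {
		v.Score += 80
		v.Reasons = append(v.Reasons, "source address in threat feed")
	}
	switch e.Category {
	case "threshold_violation", "policy_violation", "anomaly":
		v.Score += 50
		v.Reasons = append(v.Reasons, e.Category)
	}
	if v.Score > 0 {
		for _, k := range e.keys() {
			t.suspects[k] = e.Time.Add(t.SuspectTTL)
		}
		return v
	}
	for _, k := range e.keys() { // ordinary event: extra check against the watch list
		if t.isSuspect(k, e.Time) {
			v.Score += 30
			v.Reasons = append(v.Reasons, "involves recently suspicious "+k)
		}
	}
	return v
}

func main() {
	tr := NewTracker(time.Hour, []string{"203.0.113.7"}) // constructed feed; documentation address
	t0 := time.Date(2024, 6, 15, 12, 0, 0, 0, time.UTC)
	tr.Assess(Event{Time: t0, Category: "threshold_violation", User: "alice", Host: "web01"})
	fmt.Printf("%+v\n", tr.Assess(Event{Time: t0.Add(10 * time.Minute), Category: "file_access", User: "alice", Host: "fs01"}))
}
```

Note that ordinary events do not extend the watch window: a user who was flagged once and then behaves normally ages out after the TTL, which keeps the map from growing into a permanent blacklist of everyone who ever tripped a threshold.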