Increase the level of network protection by using a cloud analyzer

To the uninitiated, a security administrator's work looks like an exciting duel between a defender and the evil hackers who break into the corporate network every now and then. Our hero, typing commands deftly and quickly, beats off daring attacks in real time and emerges as the brilliant winner.
A veritable royal musketeer with a keyboard instead of a sword and a musket.

But in reality, everything looks ordinary, unpretentious, and even, one might say, boring.

One of the main methods of analysis is still reading event logs: a thorough study of

  • who tried to log in from where, what resource they tried to access, how they proved their rights to access the resource;
  • what were the failures, errors and just suspicious coincidences;
  • who tested the system and how, scanned ports, guessed passwords;
  • and so on and so forth.

Not much romance there; the main thing is not to fall asleep at the wheel.

So that our specialists do not completely lose their love for the craft, tools have been invented to make their lives easier: all kinds of analyzers (log parsers), monitoring systems that notify about critical events, and much more.

However, if you take a good tool and start bolting it manually onto each device, an Internet gateway for example, it turns out to be neither easy nor convenient, and it demands knowledge from quite different areas. Where to host the monitoring software: a physical server, a virtual machine, a dedicated appliance? In what form is the data stored? If a database is used, which one? How to back it up, and is that even needed? How to manage it? Which interface to use? How to protect the monitoring system itself? Which encryption method to use? And much more.

It is much easier when a single mechanism takes care of all the above issues, leaving the administrator to work strictly within his own area of expertise.

Following the established tradition of calling "cloud" anything that is not located on the local host, the Zyxel CNM SecuReporter cloud service not only solves many of these problems but also provides convenient tools.

What is Zyxel CNM SecuReporter?

This is an intelligent analytics service with data collection, statistical analysis (correlation) and reporting functions for Zyxel equipment of the ZyWALL line and similar devices. It gives the network administrator a centralized view of various network activities.
For example, attackers may try to break through the security system using stealthy, targeted and persistent attack techniques. SecuReporter identifies suspicious behavior, allowing the administrator to take the necessary protective measures through the ZyWALL configuration.

Of course, security is unthinkable without constant data analysis with real-time alerts. You can draw beautiful graphs as much as you like, but if the administrator is not aware of what is happening, they are useless. No, this definitely cannot happen with SecuReporter!

Some questions about using SecuReporter

Analytics

Actually, analysis of what is happening is the core of information security. By analyzing events, a security specialist can prevent or stop an attack in time, and can obtain detailed information for reconstructing it in order to collect evidence.

What does "cloud architecture" give?

This service is built on the Software as a Service (SaaS) model, which makes it easy to scale using the capacity of remote servers, distributed storage systems, and so on. The cloud model abstracts away hardware and software details, so all effort can go into building and improving the protection service.
This lets the user significantly reduce spending on equipment for storage, analysis and access provisioning, and there is no need to deal with maintenance tasks such as backups, updates, failure prevention, and so on. It is enough to have a device that supports SecuReporter and the appropriate license.

IMPORTANT! With a cloud-based architecture, security administrators can proactively monitor network status anytime, anywhere, which also solves the problem of vacations, sick days, and so on. Gaining access by getting hold of the equipment, for example by stealing the laptop from which the SecuReporter web interface was accessed, will not work either, provided its owner did not violate security rules, did not store passwords locally, and so on.

The cloud management option suits both single-site companies located in one city and structures with branches. Such location independence is needed in a wide variety of industries, for example for service providers or software developers whose business is spread across different cities.

We talk a lot here about the possibilities of analysis, but what exactly is meant by this?

These are various analytics tools, for example, summaries of the frequency of events, lists of the Top 100 main (actual and alleged) victims of a particular event, logs indicating specific targets for an attack, and so on. Anything that helps the administrator identify hidden trends and detect suspicious user or service behavior.

What about reporting?

SecuReporter lets you customize the form of reports and then get the result in PDF format. If you wish, you can embed your logo, the report name, references or recommendations into the report. Reports can be generated on demand or on a schedule, for example once a day, week or month.

You can configure alerts based on the specifics of traffic within the network infrastructure.

Is it possible to reduce the danger from insiders or just slobs?

A special User Partially Quotient tool allows the administrator to quickly identify users who create risks, without additional effort and taking into account the relationships between different network logs and events.

That is, an in-depth analysis is carried out of all events and traffic associated with users who have behaved suspiciously.

What other points are typical for SecuReporter?

Easy setup for end users (security administrators).

Activating SecuReporter in the cloud is done with a simple setup procedure. After that, administrators immediately have access to all data, analysis and reporting tools.

Multi-tenancy on a single cloud platform: separate analytics can be set up for each client. And as the customer base grows, thanks to the cloud architecture the control system can be scaled without sacrificing efficiency.

Data protection laws

IMPORTANT! Zyxel is very attentive to international and local laws and other privacy regulations, including the GDPR and the OECD Privacy Principles. Russian Federal Law No. 152-FZ of 27.07.2006 "On Personal Data" is also supported.

To ensure compliance, SecuReporter has three privacy protection options built in:

  • non-anonymous data - personal data is fully identified in the Analyzer, Report and downloadable Archive Logs;
  • partially anonymous - personal data is replaced with their artificial identifiers in Archive Logs;
  • completely anonymous - personal data is completely anonymized in the Analyzer, Report and downloadable Archive Logs.
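As an added illustration (not part of the original article and not SecuReporter's own code), the following Python sketch applies the three privacy options above to constructed gateway-style event records: pseudonymization replaces personal fields with a keyed-hash token so that events of the same user remain correlatable, while full anonymization redacts them outright. The policy table, field names and secret key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample events in the spirit of gateway logs (not real ZyWALL output).
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "10.0.1.25", "action": "login", "result": "ok"},
    {"user": "bob", "src_ip": "10.0.1.40", "action": "login", "result": "fail"},
    {"user": "alice", "src_ip": "10.0.1.25", "action": "access", "result": "denied"},
]
PERSONAL_FIELDS = ("user", "src_ip")  # assumed set of personal-data fields

# Which output gets which treatment under the three options described above.
# The mapping follows the article's wording; it is an assumption, not Zyxel's implementation.
POLICY = {
    "non-anonymous": {"analyzer": "keep", "report": "keep", "archive": "keep"},
    "partially-anonymous": {"analyzer": "keep", "report": "keep", "archive": "pseudonym"},
    "completely-anonymous": {"analyzer": "redact", "report": "redact", "archive": "redact"},
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same input always yields the same artificial identifier,
    so events stay correlatable per user without exposing the real value."""
    return "id-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def transform(event: dict, mode: str, key: bytes) -> dict:
    """Return a copy of the event with personal fields kept, pseudonymized or redacted."""
    out = dict(event)
    for field in PERSONAL_FIELDS:
        if mode == "pseudonym":
            out[field] = pseudonym(out[field], key)
        elif mode == "redact":
            out[field] = "<anonymized>"
    return out


def export(events: list, option: str, output: str, key: bytes = b"assumed-tenant-secret") -> list:
    """Produce the 'analyzer', 'report' or 'archive' view of the events under a privacy option."""
    mode = POLICY[option][output]  # KeyError for an unknown option or output
    return [transform(e, mode, key) for e in events]


if __name__ == "__main__":
    for option in POLICY:
        print(option, export(SAMPLE_EVENTS, option, "archive")[0])
```

Note that a keyed pseudonym is only as private as the key: anyone holding it can recompute the token for a known user, so the key must be kept out of the exported logs.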

How to enable the use of SecuReporter on the device?

Consider the example of a ZyWALL device (in our case, a ZyWALL 1100). Go to the settings section (the tab on the right with a two-gears icon). Next, open the Cloud CNM section and select the SecuReporter subsection.

To enable the service, activate the Enable SecuReporter option. It is also worth enabling the Include Traffic Log option so that traffic logs are collected and analyzed.

Figure 1. Enabling SecuReporter.

The second step is to enable the collection of statistics. This is done in the Monitoring section (tab on the right with an icon in the form of a monitor).

Next, go to the UTM Statistics section, App Patrol subsection. Here you need to activate the Collect Statistics option.

Figure 2. Enabling statistics collection.

That's it, you can connect to the SecuReporter web interface and use the cloud service.

IMPORTANT! SecuReporter has excellent PDF documentation. You can download it from this address.

Description of the SecuReporter web interface
It is not possible to describe here in detail all the functions SecuReporter provides to the security administrator; there are too many for one article.

Therefore, we restrict ourselves to a brief description of the services the administrator sees and works with constantly. So, let's get acquainted with what the SecuReporter web console consists of.

Map

This section displays registered equipment with city, device name and IP address, and shows whether the device is online and what its alert status is. On the Threat Map you can see the sources of the packets used by attackers and the frequency of the attacks.

Dashboard

Brief information on the main activity and a concise analytical overview for the specified period, which can range from 1 hour up to 7 days.

Figure 3. An example of the appearance of the Dashboard section.

Analyzer

The name speaks for itself. This is the console of the tool of the same name, which diagnoses suspicious traffic for the selected period, identifies trends in the emergence of threats and collects information about suspicious packets. Analyzer can track down the most frequently encountered malicious code and provide additional information on security issues.

Figure 4. An example of the appearance of the Analyzer section.

Report

In this section the user has access to customizable reports with a graphical interface. The required information can be collected and formed into a convenient presentation immediately or on a schedule.

Alerts

Here you can configure the alert system. Thresholds and severity levels can be configured to simplify the process of identifying anomalies and potential attacks.

Settings

Well, actually, settings are settings.

Additionally, it is worth noting that SecuReporter can support different security policies when processing personal data.

Conclusion

Local methods for analyzing security-related statistics have, in principle, performed well.

However, the range and severity of the threats are increasing day by day. The level of protection that previously suited everyone becomes rather weak after a while.

In addition to these problems, the use of local tools requires effort to keep them operational (hardware maintenance, backups, and so on). There is also the problem of remote location: it is not always possible to keep the security administrator in the office 24 hours a day, 7 days a week. Therefore, secure access to the local system from outside has to be organized and maintained on your own.

Using cloud services lets you get away from such problems and focus on maintaining the required level of security: protection against intrusions and against rule violations by users.

SecuReporter is just an example of a successful implementation of such a service.

Promotion

Starting today, for buyers of firewalls that support SecuReporter, there is a joint promotion from Zyxel and our Gold Partner X-Com.


Useful links

[1] Supported devices.
[2] Description of SecuReporter on the official Zyxel website.
[3] Documentation on SecuReporter.

Source: habr.com
