Increase network security by using a cloud analyzer


    In the eyes of inexperienced people, the work of a security administrator looks like an exciting duel with evil hackers who are constantly invading the corporate network. Our hero, typing commands cleverly and quickly in real time, repels daring attacks and ultimately emerges as the brilliant winner.
    A true royal musketeer, with a keyboard instead of a sword and a musket.

    But in reality, everything looks ordinary, unpretentious, and even, one might say, boring.

    One of the main methods of analysis is still reading event logs. A thorough study of:

    • who tried to log in, from where, which resource they tried to access, and how they proved their right to access it;
    • what failures, errors and simply suspicious coincidences occurred;
    • who tested the system for strength, and how: port scans, password guessing;
    • and so on and so forth...

    There is no romance here at all; the main thing is not to fall asleep at the wheel.

    So that our specialists do not lose their love for the craft entirely, tools are made to make their life easier: all kinds of analyzers (log parsers), monitoring systems with notification of critical events, and much more.

    However, if you take a good tool and start bolting it on manually to each device, for example an Internet gateway, it turns out to be neither simple nor convenient, and it also requires knowledge from completely different areas. For example, where should the monitoring software be placed? On a physical server, a virtual machine, a dedicated appliance? In what form should the data be stored? If a database is used, which one? How is it backed up, and is that even necessary? How is it managed? Which interface should be used? How is the system itself protected? Which encryption method should be used? And much more.

    It is much simpler when there is a certain unified mechanism that takes care of the solution of all these issues, providing the administrator with work strictly within its specifics.

    If, by tradition, we call “cloud” everything that is not located on the local host, then the Zyxel CNM SecuReporter cloud service not only solves many of these problems but also provides convenient tools.

    What is the Zyxel CNM SecuReporter?


    This is an intelligent analytics service with data collection, statistical analysis (correlation) and reporting functions for Zyxel equipment of the ZyWALL line. It gives the network administrator a centralized picture of the various activities on the network.
    For example, attackers may try to break into a security system using stealthy, targeted and persistent attack techniques. SecuReporter identifies suspicious behavior, which enables the administrator to take the necessary countermeasures through the ZyWALL configuration.

    Of course, ensuring security is unthinkable without constant data analysis with warnings issued in real time. You can draw beautiful graphs as much as you like, but if the administrator is not aware of what is happening... No, this definitely cannot happen with SecuReporter!

    Some questions about using SecuReporter


    Analytics

    Proper analysis of what is happening is the core of building information security. By analyzing events, a security specialist can prevent or stop an attack in time, and also obtain detailed information for reconstructing the incident in order to collect evidence.

    What does “cloud architecture” give?

    This service is built on the Software as a Service (SaaS) model, which simplifies scaling by using the power of remote servers, distributed storage systems and so on. The cloud model allows the vendor to abstract away hardware and software details and put all its effort into creating and improving the protection service.
    For the user, this significantly reduces the cost of purchasing equipment for storage, analysis and access, and there is no need to deal with maintenance tasks such as backups, updates, failure prevention and so on. It is enough to have a device that supports SecuReporter and an appropriate license.

    IMPORTANT! Thanks to the cloud architecture, security administrators can proactively monitor the network status anytime, anywhere. This also solves the problem of vacations, sick leave and so on. Physical access to equipment, for example by stealing a laptop from which the SecuReporter web interface was accessed, will not give an attacker anything either, provided that its owner did not violate the security rules, did not store passwords locally, and so on.

    The cloud management option is well suited both for single-site companies located in one city and for organizations with branches. This independence from location is needed in a variety of industries, for example by service providers or software developers whose business is distributed across different cities.

    We talk a lot about the possibilities of analysis, but what is meant by this?

    These are various analytics tools, for example summaries of event frequency, Top-100 lists of the main (real and alleged) victims of a certain event, logs indicating the specific targets of an attack, and so on. All of this helps the administrator identify hidden trends and spot suspicious behavior of users or services.

    What about reporting?

    SecuReporter lets you customize the report form and then obtain the result in PDF format. Of course, if you wish, you can embed your logo, the report name, help text or recommendations in the report. Reports can be generated on demand or on a schedule, for example once a day, week or month.

    You can configure alerts to be specific to traffic within the network infrastructure.

    Is it possible to reduce the danger from insiders or simply careless users?

    The special User Partially Quotient tool allows the administrator to quickly identify risky users without additional effort, taking into account the dependencies between different logs and events.

    That is, an in-depth analysis is performed of all events and traffic associated with users who have behaved suspiciously.

    What other points are characteristic for SecuReporter?

    Easy setup for end users (security administrators).

    SecuReporter is activated in the cloud using a simple setup procedure. After that, administrators are immediately given access to all data, analysis and reporting tools.

    Multi-tenancy on a single cloud platform: analytics can be configured separately for each client. And if your customer base grows thanks to the cloud architecture, the management system can easily be adapted without sacrificing efficiency.

    Data Protection Laws

    IMPORTANT! Zyxel is very attentive to international and local laws and other regulations on the protection of personal data, including the GDPR and the OECD Privacy Principles. It also supports the Federal Law “On Personal Data” dated July 27, 2006 No. 152-FZ.

    To ensure compliance, SecuReporter has three built-in privacy options:

    • non-anonymous: personal data is fully identifiable in the Analyzer, in Reports and in downloaded Archive Logs;
    • partially anonymous: personal data is replaced with artificial identifiers in Archive Logs;
    • completely anonymous: personal data is completely anonymized in the Analyzer, in Reports and in downloaded Archive Logs.
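    The following is an added illustration, not SecuReporter's own code, of how the three privacy modes can be modelled: personal fields are replaced by keyed, deterministic artificial identifiers in exactly the outputs each mode covers, so that events can still be correlated per user (failed logins per account, for example) without exposing who the user is. The field list, the mode names, the sample events and the key are assumptions.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample events (not real ZyWALL log output).
SAMPLE_LOGS = [
    {"user": "alice", "src_ip": "10.0.0.5", "event": "login_fail"},
    {"user": "alice", "src_ip": "10.0.0.5", "event": "login_fail"},
    {"user": "bob", "src_ip": "10.0.0.9", "event": "login_ok"},
]

# Assumed set of fields treated as personal data.
PERSONAL_FIELDS = ("user", "src_ip")
OUTPUTS = ("analyzer", "report", "archive")

# Which outputs get their personal fields replaced under each of the
# three modes described in the article.
MODE_SCOPE = {
    "non_anonymous": (),
    "partially_anonymous": ("archive",),
    "completely_anonymous": OUTPUTS,
}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic artificial identifier: the same input always
    maps to the same token (so correlation still works), but the token
    cannot be reversed or re-linked without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return "id-" + digest[:12]


def apply_privacy(record: dict, mode: str, output: str, key: bytes) -> dict:
    """Return the record as it would appear in one output under one mode."""
    if output not in OUTPUTS:
        raise ValueError(f"unknown output: {output}")
    if mode not in MODE_SCOPE:
        raise ValueError(f"unknown privacy mode: {mode}")
    if output not in MODE_SCOPE[mode]:
        return dict(record)  # this output is not anonymized in this mode
    return {k: pseudonym(v, key) if k in PERSONAL_FIELDS else v
            for k, v in record.items()}


def failed_logins_per_actor(records, mode: str, output: str, key: bytes):
    """Count failed logins per (possibly pseudonymized) user: the same
    analysis works whether or not the identity is visible."""
    masked = [apply_privacy(r, mode, output, key) for r in records]
    return Counter(r["user"] for r in masked if r["event"] == "login_fail")
```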

    How to enable the use of SecuReporter on the device?

    Consider the example of a ZyWall device (in this case a ZyWall 1100). Go to the configuration section (the tab on the right with the two-gear icon). Next, open the Cloud CNM section and select the SecuReporter subsection in it.

    To enable the service, activate the Enable SecuReporter option. It is also worth enabling the Include Traffic Log option so that traffic logs are collected and analyzed.


    Figure 1. Enabling SecuReporter.

    The second step is to enable statistics collection. This is done in the Monitoring section (tab on the right with a monitor icon).

    Next, go to the UTM Statistics section, the App Patrol subsection. Here you need to activate the Collect Statistics option.


    Figure 2. Enabling statistics collection.

    That's it: you can now connect to the SecuReporter web interface and use the cloud service.

    IMPORTANT! SecuReporter has excellent PDF documentation. You can download it at this address.

    Description of the SecuReporter web interface

    Here you will not find a detailed description of all the functions that SecuReporter provides to the security administrator; there are too many of them for one article.

    Therefore, we restrict ourselves to a brief description of the services the administrator sees and works with constantly. So, let's look at what the SecuReporter web console consists of.

    Map

    This section displays the registered equipment with its city, device name and IP address. It shows whether the device is on and what the status of its alerts is. On the Threat Map you can see the sources of the packets used by attackers and the frequency of attacks.

    Dashboard

    Brief information about the main activity and a concise analytical overview for the specified period. The period can be set from 1 hour up to 7 days.


    Figure 3. An example of the appearance of the Dashboard section.

    Analyzer

    The name speaks for itself. This is the console of the tool of the same name, which diagnoses suspicious traffic for a selected period, detects trends in the appearance of threats and collects information about suspicious packets. Analyzer can track the most common malicious code and provide additional information regarding security issues.


    Figure 4. An example of the appearance of the Analyzer section.

    Report

    In this section, the user has access to customizable reports with a graphical interface. The required information can be collected and generated in the form of a convenient presentation immediately, or according to a schedule.

    Alerts

    Alerts are configured here. Thresholds and different severity levels can be set, which simplifies the detection of anomalies and potential attacks.

    Settings

    Here, as the name suggests, are the settings.

    Additionally, it is worth noting that SecuReporter can support different protection policies when processing personal data.

    Conclusion


    Local methods for analyzing statistics related to security, in principle, have worked well.

    However, the range and severity of threats is increasing day by day. The level of protection that suited everyone before becomes rather weak after a while.

    In addition to these problems, the use of local tools requires certain efforts to keep them operational (equipment maintenance, backups, and so on). There is also the problem of remote locations: it is not always possible to keep a security administrator in the office 24 hours a day, 7 days a week. So you have to organize secure access to the local system from outside somehow, and maintain it yourself.

    Using cloud services lets you get away from such problems and focus specifically on maintaining the desired level of security: protection against intrusions and against violations of the rules by users.

    SecuReporter is just an example of successful implementation of such a service.

    Promotion


    Starting today, buyers of firewalls that support SecuReporter can take part in a joint promotion by Zyxel and our Gold Partner X-Com:


