What's New

ClearSkies™ NG SIEM Version 6.0

Overview

In keeping with our principle “to fulfil our clients’ needs and exceed their expectations”, we are continuously revamping our platform with innovative new features and enhancements. These features and enhancements are a testament to our pioneering role in the uncharted territory of Big Data Advanced Security Analytics.

What’s New in v6.0

Several new features are introduced in ClearSkies™ SaaS NG SIEM version 6.0:


“Threat Intelligence”

Threat Anticipation

The formula was designed to act as a filter for the different indicators reported by the “Threat Intelligence” ServiceModule. It operates on a series of variables designed and engineered to capture the full characteristics of an indicator. Once those variables are derived, the formula evaluates the indicator and assigns it a score: the higher the score, the more important the indicator. Alert generation and incident escalation depend on the score confidence level set by the user.
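To make the score-then-threshold idea concrete, here is an added example of an indicator filter of this shape. It is illustration code written for these notes, not the ClearSkies “Threat Anticipation” formula (which the page does not publish): the variables, weights, saturation points and the two confidence thresholds are assumptions chosen for the example, and the sample indicators use reserved documentation values.

```python
# Added illustration of a score-based indicator filter. The variables,
# weights and thresholds below are assumptions for this example; they are
# not the ClearSkies "Threat Anticipation" formula, which is not published here.
from dataclasses import dataclass


@dataclass
class Indicator:
    value: str                # the IoC itself (IP, domain, hash ...)
    ioc_type: str             # "ip", "domain", "hash"
    feed_count: int           # independent feeds reporting it
    age_days: float           # days since the most recent sighting
    source_reputation: float  # 0.0 .. 1.0, reliability of the reporting feeds
    local_sightings: int      # matches against the organisation's own log data


# Assumed weights; every variable is normalised to 0..1 first, so the
# maximum possible score is 100.
WEIGHTS = {"feeds": 25, "recency": 25, "reputation": 20, "local": 30}


def score(ind: Indicator) -> float:
    """Combine the derived variables into a single 0..100 score."""
    feeds = min(ind.feed_count, 5) / 5            # saturates at 5 feeds
    recency = max(0.0, 1.0 - ind.age_days / 30)   # zero once 30 days old
    reputation = min(max(ind.source_reputation, 0.0), 1.0)
    local = min(ind.local_sightings, 10) / 10     # saturates at 10 local hits
    total = (WEIGHTS["feeds"] * feeds
             + WEIGHTS["recency"] * recency
             + WEIGHTS["reputation"] * reputation
             + WEIGHTS["local"] * local)
    return round(total, 1)


def triage(ind: Indicator, alert_level: float = 50, escalate_level: float = 80) -> str:
    """Map the score onto user-chosen confidence levels.

    alert_level and escalate_level stand in for the user-configured
    thresholds: below alert_level the indicator is filtered out, between
    the two it raises an alert, at or above escalate_level it escalates
    to an incident.
    """
    s = score(ind)
    if s >= escalate_level:
        return "incident"
    if s >= alert_level:
        return "alert"
    return "filtered"


# Constructed sample indicators (RFC 5737 address, reserved name, placeholder hash).
SAMPLES = [
    Indicator("203.0.113.7", "ip", feed_count=4, age_days=2,
              source_reputation=0.9, local_sightings=3),
    Indicator("stale.example", "domain", feed_count=1, age_days=60,
              source_reputation=0.5, local_sightings=0),
    Indicator("0" * 32, "hash", feed_count=5, age_days=0,
              source_reputation=1.0, local_sightings=10),
]

if __name__ == "__main__":
    for ind in SAMPLES:
        print(f"{ind.value:34} score={score(ind):5.1f} -> {triage(ind)}")
```

The point the example makes is the one the paragraph states: the same feed data yields different outcomes purely through the thresholds, so raising `alert_level` trades alert volume for missed low-confidence indicators, and the local-sighting variable is what lifts a widely reported but never-seen indicator into the actionable range.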


“Identity & Access”

Identity & Access

This new ServiceModule aggregates, visualizes and monitors the statuses of thousands of user accounts, drastically improving the auditing and insider threat detection capabilities of your organization with minimal effort.

It further integrates with and complements other ClearSkies™ SaaS NG SIEM ServiceModules, such as Advanced Security Analytics (User & Entity Behavior Analysis (UEBA)) and ClearSkies™ NG Endpoint Detection & Response (EDR) agent, for maximal insight generation. It helps to strengthen your security posture against insider threats.

The “Identity & Access” ServiceModule empowers security personnel and upper management to spot and promptly investigate the following:

  • Inactive user accounts
  • Never-logged-on user accounts
  • Soon-to-expire passwords
  • Disabled accounts
  • Accounts of attention
  • Groups by size
  • Nested groups
  • Replication errors
  • Operating systems’ update status
  • Successful and failed logins
  • Which user did what from where and when
  • User account clutter in need of maintenance
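As an added example of the first five checks in that list, the following code reviews a set of constructed directory records and buckets them into the same categories. It is written for these notes and is not the ServiceModule's own logic: the record field names, the 90-day inactivity and password-age limits, the 14-day expiry warning and the rule used for “accounts of attention” (a privileged account whose password never expires) are all assumptions of the example.

```python
# Added example of account-hygiene checks over constructed directory records.
# Field names, thresholds and the "attention" rule are assumptions for the
# illustration, not the ClearSkies ServiceModule's own logic.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed clock so results are repeatable
DAY = timedelta(days=1)

# Constructed sample records, shaped like the attributes an AD export exposes.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_logon": NOW - 5 * DAY,
     "pwd_last_set": NOW - 80 * DAY, "pwd_never_expires": False, "groups": ["Staff"]},
    {"name": "bob", "enabled": True, "last_logon": None,
     "pwd_last_set": NOW - 3 * DAY, "pwd_never_expires": False, "groups": ["Staff"]},
    {"name": "carol", "enabled": True, "last_logon": NOW - 120 * DAY,
     "pwd_last_set": NOW - 100 * DAY, "pwd_never_expires": False, "groups": ["Staff"]},
    {"name": "dave", "enabled": False, "last_logon": NOW - 200 * DAY,
     "pwd_last_set": NOW - 200 * DAY, "pwd_never_expires": False, "groups": ["Staff"]},
    {"name": "svc_backup", "enabled": True, "last_logon": NOW - 1 * DAY,
     "pwd_last_set": NOW - 400 * DAY, "pwd_never_expires": True, "groups": ["Domain Admins"]},
]

PRIVILEGED = {"Domain Admins", "Enterprise Admins"}   # assumed privileged groups


def review_accounts(accounts, now=NOW, max_pwd_age_days=90,
                    inactive_days=90, expiry_warn_days=14):
    """Bucket accounts into review categories; returns {category: [names]}."""
    out = {"inactive": [], "never_logged_on": [], "soon_to_expire": [],
           "disabled": [], "attention": []}
    for a in accounts:
        if not a["enabled"]:
            # Disabled accounts are reported once, not again as inactive.
            out["disabled"].append(a["name"])
            continue
        if a["last_logon"] is None:
            out["never_logged_on"].append(a["name"])
        elif now - a["last_logon"] > inactive_days * DAY:
            out["inactive"].append(a["name"])
        if not a["pwd_never_expires"]:
            expires_at = a["pwd_last_set"] + max_pwd_age_days * DAY
            # Only passwords still valid but expiring inside the warning window.
            if now <= expires_at <= now + expiry_warn_days * DAY:
                out["soon_to_expire"].append(a["name"])
        # "Account of attention" in this example: privileged and never-expiring password.
        if a["pwd_never_expires"] and PRIVILEGED & set(a["groups"]):
            out["attention"].append(a["name"])
    return out


if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS).items():
        print(f"{category:16} {', '.join(names) or '-'}")
```

Note that `carol` is not listed as soon-to-expire even though her password is past the 90-day limit: an already-expired password is a different finding from one about to expire, and the example keeps the two apart rather than silently folding one into the other.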

To experience the full capabilities of the “Identity & Access” ServiceModule, download the “Identity & Access” Configuration Guide under Tools > Downloads in the ClearSkies™ Secure Web Portal, and then follow the guidelines laid out there.

Important note: ClearSkies™ NG Endpoint Detection & Response (EDR) Agent v6.2.0 is a prerequisite for “Identity & Access”.

New Supported LogSources

Vendor | Product | Type of Collection
--- | --- | ---
Dell | Dell MXL Switch | Syslog
Symantec | Symantec Data Loss Prevention | Syslog
Symantec | Symantec Endpoint Protection Manager | Syslog
Check Point | Check Point MTA | LEA Application
Microsoft | Azure Audit Logs | Syslog
Oracle | Oracle Audit Vault Database Firewall | Syslog
UNIS | UNIS System | ODBC
Cisco | Cisco SIP | Syslog
Cisco | Cisco ACI | Syslog
Aruba | Aruba WLAN Controller | Syslog
Symantec | Symantec EDR | Syslog
Alcatel | Alcatel Switch | Syslog
Cisco | Cisco Meraki Flows | Syslog
Cisco | Cisco Meraki Events | Syslog
Cisco | Cisco Meraki Security Events | Syslog
Cisco | Cisco Meraki URLs | Syslog
IBM | ISS Network Protection XGS-Self Managed – Firewall | Syslog
IBM | ISS Network Protection XGS-Self Managed – System | Syslog
F5 | F5 APM | Syslog
RSA | RSA SecurID Authentication Manager (Admin Audit) | Syslog
RSA | RSA SecurID Authentication Manager (Audit Runtime) | Syslog
Cisco | Cisco Firepower Management | Syslog
Microsoft | Windows DHCP | ClearSkies NG Endpoint agent
Symantec | Symantec DLP Suite System | Syslog
Oracle | Glassfish Web Server | Syslog

ClearSkies™ SaaS SIEM “Identity & Access” ServiceModule

A Simple yet Powerful Approach to Auditing and Monitoring Users’ Identity and Access Across Enterprise Systems, Data and Application Resources.

See ClearSkies™ SaaS SIEM “Identity & Access” ServiceModule brochure here.

ClearSkies™ NG SIEM Version 5.9

What’s New in v5.9

Several new features are introduced in ClearSkies™ SaaS NG SIEM version 5.9:

Analytics

Big Data Search

The enhanced “Big Data Search” application improves user experience by increasing productivity and effectiveness as follows:

  • A query-based event count timeline helps visualize anomalies, with more detail on activity during a selected period. When creating a column-based analysis (filter), a bar chart visualization offers a new perspective. Search queries can be bookmarked for future reference.
  • All search queries are now validated, and users are notified if a query is invalid.
  • The search query window offers an auto-complete, filter-as-you-type capability, suggesting search syntax, bookmarked search queries, examples, operators, etc. A filtered query on assets can now be created directly from the “Search in” dropdown menu.
  • A comprehensive date/time picker was added, giving the user the ability to perform more time-sensitive queries.
  • The new Indicators Of Compromise (IOCs) dropdown menu enables the user to filter out, or search for, probes identified as malicious; selected IOCs are colored red in the query results.
  • Integration with the “Threat Anticipation” application, which provides a visual representation of events identified as malicious.
  • Two breakdown pie charts were added, “Events by category” and “IOC events”, showing the user the distribution of the log and event data collected.
  • A pie chart visualization depicting query results is now included, with drilldown executed automatically upon clicking a chart segment.

User & Entity Behavior Analysis (UEBA)

An unsupervised machine learning model was introduced that keeps track of human-driven network/system activity in order to baseline users’ working days and shift patterns.

For any user, the model yields one of three results:

  • The actual working hours
  • Whether it is a shift operation
  • There is not enough data
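The three-way verdict above can be reproduced with a much simpler baseline than the page's model, and doing so shows what each outcome means in practice. The code below is an added illustration written for these notes, not ClearSkies code: it builds an hour-of-day histogram of a user's logins, calls an hour “active” when it carries at least 20% of the peak hour's count, and reads the result as a single block (working hours), several blocks (shift operation) or too few events to judge. The 20-event minimum, the 20% threshold and the login data are all constructed assumptions of the example; the real model's internals are not described on the page.

```python
# Added illustration of a working-hours baseline from login timestamps.
# A histogram heuristic stands in for the unsupervised model the page
# mentions; the thresholds and the sample data are assumptions of this example.
from collections import Counter
from datetime import datetime, timedelta

MIN_EVENTS = 20        # fewer logins than this -> "not enough data"
ACTIVE_FRACTION = 0.2  # an hour is active if it holds >= 20% of the peak hour's count


def _active_blocks(active):
    """Group active hours into contiguous blocks on the 24-hour circle."""
    if all(active):
        return [(0, 23)]
    start = active.index(False)   # begin on an inactive hour so wrap-around blocks stay whole
    blocks, cur = [], None
    for i in range(24):
        h = (start + i) % 24
        if active[h]:
            cur = [h, h] if cur is None else [cur[0], h]
        elif cur is not None:
            blocks.append(tuple(cur))
            cur = None
    if cur is not None:
        blocks.append(tuple(cur))
    return blocks


def baseline(timestamps):
    """Return one of:
    ("not_enough_data", None)
    ("working_hours", (first_hour, last_hour))   # one block; may wrap midnight, e.g. (22, 1)
    ("shift", [(first, last), ...])              # two or more separate blocks
    """
    if len(timestamps) < MIN_EVENTS:
        return ("not_enough_data", None)
    hist = Counter(t.hour for t in timestamps)
    threshold = ACTIVE_FRACTION * max(hist.values())
    active = [hist.get(h, 0) >= threshold for h in range(24)]
    blocks = _active_blocks(active)
    if len(blocks) == 1:
        return ("working_hours", blocks[0])
    return ("shift", blocks)


def _logins(days, hours, start=datetime(2024, 1, 1)):
    """Constructed sample data: one login per listed hour on each of `days` days."""
    return [start + timedelta(days=d, hours=h) for d in range(days) for h in hours]


SAMPLES = {
    "office_worker": _logins(30, range(9, 18)) + _logins(2, [23]),  # two late-night outliers
    "shift_worker": _logins(30, [6, 7, 8, 9, 18, 19, 20, 21]),
    "new_joiner": _logins(1, [9, 10, 11, 12, 13]),
    "night_operator": _logins(5, [22, 23, 0, 1]),
}

if __name__ == "__main__":
    for user, events in SAMPLES.items():
        print(f"{user:15} {baseline(events)}")
```

The two late-night logins in `office_worker` fall below the 20% threshold and do not widen the baseline, which is the behaviour a UEBA consumer wants: a later logon from that user is then an outlier against (9, 17), whereas for `shift_worker` the same hour would be expected.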

“Threat Intelligence”

Attack Probes

  • This new application provides a visual representation of attacks happening in near real-time against your organization.


Threat Anticipation

  • With a user-friendly design, this new application anticipates which types of threat targeting your organization might affect the confidentiality, integrity and availability of your information assets. Threats are categorized into different Indicators Of Compromise (IOC) types, such as Malware, Trojan, Tor Exit Node, Reconnaissance activity, etc.
  • The ‘network map’ helps users visualize the entire activity, including which assets detected this activity, devices/application/network targeted, action taken by these assets, direction of the activity, type, count, classification of the attack and much more.
  • This powerful ‘network map’ provides the associations of IOCs with users, driven by the “User & Entity Behavior Analysis” (UEBA) application, additionally providing a summary with what was observed.
  • Further analysis on each threat allows the user to jump into the “Big Data Search” application and view related log and event data.
  • Unsupervised machine learning model for detecting phishing and malware delivery domains/sites (DNS fast flux): the model detects outbound connectivity to malicious domains/sites by analyzing DNS log data.

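For the fast-flux item, the following added example shows the per-domain features such a detector derives from resolver logs before any model is applied: how many distinct addresses a name resolves to, how widely spread those addresses are, and how short the TTLs are. It is illustration code written for these notes, not the ClearSkies model (whose features are not described on the page). The log line format is constructed, the addresses are RFC 5737 documentation ranges, the thresholds are assumptions, and distinct /16 prefixes are used as a stand-in for ASN diversity because plain DNS logs carry no ASN.

```python
# Added example: per-domain fast-flux features from constructed DNS resolver logs.
# Log format, thresholds and the /16-as-ASN-proxy are assumptions of this
# illustration, not the ClearSkies detection model.
import ipaddress
from collections import defaultdict

# Constructed resolver log lines (RFC 5737 addresses, reserved example names).
DNS_LOG = """\
2024-01-05T10:00:01Z client=10.0.0.5 qname=cdn-update.example ttl=60 answers=198.51.100.7,203.0.113.40
2024-01-05T10:02:11Z client=10.0.0.9 qname=cdn-update.example ttl=60 answers=192.0.2.33,198.51.100.91
2024-01-05T10:05:42Z client=10.0.0.5 qname=cdn-update.example ttl=30 answers=203.0.113.12,192.0.2.120
2024-01-05T10:09:03Z client=10.0.0.7 qname=cdn-update.example ttl=60 answers=198.51.100.7,203.0.113.201
2024-01-05T10:00:05Z client=10.0.0.5 qname=www.example.com ttl=3600 answers=192.0.2.10
2024-01-05T10:30:05Z client=10.0.0.9 qname=www.example.com ttl=3600 answers=192.0.2.10,192.0.2.11
2024-01-05T11:00:05Z client=10.0.0.5 qname=www.example.com ttl=3600 answers=192.0.2.10
"""


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a record."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": ts,
        "client": fields["client"],
        "qname": fields["qname"].lower().rstrip("."),   # normalise case and trailing dot
        "ttl": int(fields["ttl"]),
        "answers": [ipaddress.ip_address(a) for a in fields["answers"].split(",")],
    }


def domain_features(log_text):
    """Aggregate per queried name: query count, distinct IPs, distinct /16s, minimum TTL."""
    per = defaultdict(lambda: {"queries": 0, "ips": set(), "nets16": set(), "ttls": []})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        d = per[rec["qname"]]
        d["queries"] += 1
        d["ttls"].append(rec["ttl"])
        for ip in rec["answers"]:
            d["ips"].add(ip)
            d["nets16"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
    return {
        name: {"queries": d["queries"], "distinct_ips": len(d["ips"]),
               "distinct_nets16": len(d["nets16"]), "min_ttl": min(d["ttls"])}
        for name, d in per.items()
    }


def is_fast_flux(f, min_ips=5, max_ttl=300, min_nets=3):
    """Assumed rule: many addresses, short TTL, spread across several /16s."""
    return (f["distinct_ips"] >= min_ips
            and f["min_ttl"] <= max_ttl
            and f["distinct_nets16"] >= min_nets)


def flag_domains(log_text):
    """Names in the log whose features satisfy the fast-flux rule, sorted."""
    return sorted(name for name, f in domain_features(log_text).items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in domain_features(DNS_LOG).items():
        print(f"{name:22} {f}  flux={is_fast_flux(f)}")
```

The same three features are what make large CDNs the classic false positive for this rule: they also rotate many short-TTL addresses across several networks, so in practice a model is fed these features together with domain age and popularity rather than applying the raw thresholds alone.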

Heat Maps

  • This new application presents the density and frequency of attacks by country. It provides a further drilldown of attacks by selecting a desired country on the map. Upon selecting a threat, the application redirects to the “Threat Anticipation” application for a further graphical representation of the threat.

“Preferences”

Network Manager

A new tab named “Asset Clustering” was added, which enables the user to perform the following actions:

  • Manage clusters: update and delete an asset’s clustering.
  • Set Name, Description and Type (High Availability, Load Balancing).
  • Add Assets to, and remove them from, a Cluster.

“Endpoint”

Behavior Analysis

ClearSkies™ NG EDR Agent v6.1 is a comprehensive Endpoint Detection & Response solution, fully integrated with ClearSkies™ SaaS NG SIEM. It complements the detection and prevention of never-before-seen targeted attacks and insider threats with the use of Behavioral Monitoring and Analysis (BMA) and by leveraging Advanced Security Analytics complemented by Threat Intelligence and signature-based detection. Several new features are included:

  • Next-Gen Behavioral Monitoring and Analysis
  • Integrated Threat Intelligence
  • Application Control
  • Automated Response Actions

For more information, refer to the ClearSkies™ NG Endpoint Detection & Response (EDR) Agent v6.1 Release Notes.


iCollector High Availability

All physical iCollectors now support a high-availability option in which a second iCollector acts as a fail-over system should the primary iCollector go down. Both share a virtual IP to which all traffic from the in-scope assets is forwarded, ensuring minimal data loss and continuation of all operations as normal. The collecting applications are likewise taken care of: they resume collection from the secondary iCollector. Everything else (Correlation Engine, Reports, Big Data Search, Dashboard, etc.) then works as expected, so the fail-over is transparent to the ClearSkies™ Secure Web Portal.

ServiceNow Ticketing integration

ServiceNow Security Incidents is now integrated into the ClearSkies™ Big Data Advanced Security Analytics Platform. This enables your organization to further extend the capabilities of the ClearSkies™ “Incidents” application for a more creative use of ServiceNow. With this integration, you can maintain your internal workflow while assigning ServiceNow Security Incidents beyond ClearSkies™ users. Once an Incident is raised in ClearSkies™, an Incident is also raised in ServiceNow, with bi-directional synchronization of the Incident status and of comments added on either side. Refer to the “ServiceNow (v. Kingston) Security Incidents Integration” document found on the ClearSkies™ Secure Web Portal.

Microsoft Edge compatibility

Microsoft Edge web browser is now supported.

Enhanced Minimum Resolution

The minimum resolution supported is now 1600 x 900.

Azure Active Directory and Office365 Audit

ClearSkies™ now supports log and event data from Office365 and Azure Active Directory. The following content types are supported: Azure Active Directory, Exchange, SharePoint, General Audit and DLP events.

Enhancements

“ServiceModules”

Event Management

Correlation

  • The Correlation Rule Templates are now filtered based on the Asset groups a user is associated with. A template is only visible to a user if all associated LogSources are viewable by that user.

Alerts

  • Upon Custom Alert creation, the LogSource field is now disabled. Upon selecting an asset, the LogSource field is enabled and the relevant Assets are shown in alphabetical order based on User/Asset permissions. In addition, fields are enhanced with a filter-as-you-type capability.
  • The icons