To the inexperienced, the work of a security administrator looks like an exciting duel between a defender and the evil hackers who invade the corporate network every now and then. Our hero, typing commands deftly and quickly in real time, repels bold attacks and emerges a brilliant winner.
A veritable royal musketeer, with a keyboard instead of a sword and a musket.
In reality, everything looks ordinary, plain and, one might even say, boring.
One of the main methods of analysis is still reading the event logs. Careful examination of:
- who tried to log in where, which resource they tried to access, and how they proved their right to access it;
- what failures, errors and merely suspicious coincidences occurred;
- who probed the system's strength, scanned ports or guessed passwords, and how;
- and so on and so forth...
Not much romance here; the main thing, God forbid, is not to fall asleep at the wheel.
So that our specialists do not lose their love for the craft altogether, tools have been invented to make their lives easier: various log analyzers (parsers), monitoring systems with notification of critical events, and much more.
However, taking a good tool and manually bolting it onto each device, such as an Internet gateway, is neither easy nor convenient, and it also requires knowledge from entirely different fields. For example: where should the monitoring software be hosted, on a physical server, a virtual machine or a dedicated appliance? In what form should the data be stored? If a database is used, which one? How should backups be made, and are they needed at all? How is the system managed, and through which interface? How is the system itself protected? Which encryption method should be used, and so on.
It is much simpler when a single mechanism takes care of all the listed issues, leaving the administrator with work strictly within their own specialty.
Following the established tradition of calling everything not located on the local host a "cloud", the cloud service Zyxel CNM SecuReporter not only solves many of these problems but also provides convenient tools.
What is Zyxel CNM SecuReporter?
It is an intelligent analytics service with data collection, statistical analysis (correlation) and report generation functions for Zyxel devices of the ZyWALL line and related models. It provides the network administrator with a centralized picture of various network activities.
For example, attackers may try to breach the defenses with stealthy, targeted and persistent attacks. SecuReporter detects suspicious behavior, allowing the administrator to take the necessary protective measures through the ZyWALL settings.
Of course, security is unthinkable without constant data analysis with real-time alerts. You can draw beautiful graphs all you like, but if the administrator is not aware of what is happening... No, that is definitely not the case with SecuReporter!
Some questions about using SecuReporter
Analytics
Analysis of what is happening is the core of information security. By analyzing events, a security specialist can prevent or stop an attack in time and obtain detailed information for reconstruction in order to collect evidence.
What does "cloud architecture" give?
The service is built on the Software as a Service (SaaS) model, which simplifies scaling by using the power of remote servers, distributed storage systems, and so on. The cloud model abstracts away hardware and software details, leaving all effort for building and improving the protection the service offers.
This lets the user significantly reduce spending on equipment for storage, analysis and access provisioning, and removes the need for service chores such as backups, updates, failure prevention, and so on. It is enough to have a device that supports SecuReporter and the corresponding license.
IMPORTANT! Thanks to the cloud architecture, security administrators can proactively monitor the status of the network anytime, anywhere. This also solves the problem of vacations, sick leave and so on. Gaining access to equipment, for example by stealing a laptop from which the SecuReporter web interface was accessed, will yield nothing either, provided its owner did not violate security rules, did not store passwords locally, and so on.
The cloud management option suits single-site companies located in one city as well as organizations with branches. Such location independence is needed in a wide variety of industries, for example service providers or software developers whose business is spread across different cities.
We talk a lot about analysis capabilities, but what is meant by this?
These are various analytics tools: for example, a summary of event frequency, Top-100 lists of the main (real and suspected) victims of a particular event, logs with specific attack targets, and so on. All of this helps the administrator identify hidden trends and detect suspicious behavior by users or services.
What about reporting?
In SecuReporter you can customize the report format and get the result as a PDF. Optionally, you can embed your logo, report name, references or recommendations into the report. Reports can be generated on demand or on a schedule, for example once a day, week or month.
Alerts can be configured based on the specifics of traffic within the network infrastructure.
Is it possible to reduce the danger from insiders or simply careless users?
The special User Partially Quotient tool lets the administrator quickly identify risk-creating users without extra effort, taking into account the dependencies between different network logs and events.
That is, it performs an in-depth analysis of all events and traffic associated with users who have shown suspicious behavior.
What other features are typical of SecuReporter?
Easy setup for end users (security administrators).
SecuReporter is activated in the cloud with a simple setup procedure, after which administrators immediately get access to all data, analysis and reporting tools.
Multi-tenancy on a single cloud platform: analytics can be customized for each client. And when the client base grows, thanks to the cloud architecture the management system can be adapted easily without loss of efficiency.
Data Protection Acts
IMPORTANT! Zyxel pays close attention to international and local laws and other regulations on personal data protection, including the GDPR and the OECD Privacy Principles. The Russian Federal Law No. 152 "On Personal Data" of July 27, 2006 is also supported.
To ensure compliance, three personal data protection modes are built into SecuReporter:
- non-anonymous: personal data is fully identifiable in Analyzer, Report and the downloadable Archive Logs;
- partially anonymous: personal data is replaced with artificial identifiers in Archive Logs;
- completely anonymous: personal data is fully anonymized in Analyzer, Report and the downloadable Archive Logs.
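As an added illustration (not Zyxel's code or SecuReporter's implementation), here is how the three modes differ when applied to constructed log records: the partially anonymous mode replaces personal fields with keyed, deterministic pseudonyms, so events from the same user can still be correlated without exposing who they are, while the completely anonymous mode redacts them outright. The field names, the mode labels and the HMAC-based pseudonym scheme are assumptions of this example.

```python
import hmac
import hashlib
from typing import Dict, List

# Mode labels follow the page's wording; they are not SecuReporter's own API names
NON_ANONYMOUS = "non-anonymous"
PARTIALLY_ANONYMOUS = "partially-anonymous"
COMPLETELY_ANONYMOUS = "completely-anonymous"

# Fields treated as personal data in these constructed records (assumption)
PERSONAL_FIELDS = ("user", "src_ip")


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Keyed, deterministic artificial identifier: the same input always maps to
    the same token, but the original value cannot be recovered without the key."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{prefix}-{digest[:12]}"


def protect(record: Dict[str, str], mode: str, key: bytes) -> Dict[str, str]:
    """Return a copy of the record with personal fields handled per the chosen mode."""
    out = dict(record)
    if mode == NON_ANONYMOUS:
        return out
    for field in PERSONAL_FIELDS:
        if field not in out:
            continue
        if mode == PARTIALLY_ANONYMOUS:
            out[field] = pseudonym(out[field], key, field)
        elif mode == COMPLETELY_ANONYMOUS:
            out[field] = "[redacted]"
        else:
            raise ValueError(f"unknown mode: {mode}")
    return out


def distinct_actors(records: List[Dict[str, str]], mode: str, key: bytes) -> int:
    """Count distinct 'user' values after protection: pseudonyms preserve per-user
    correlation (useful for analysis), full anonymization collapses everyone into one."""
    return len({protect(r, mode, key)["user"] for r in records})


# Constructed sample events, not real logs
SAMPLE = [
    {"ts": "2019-04-01T09:00:01", "user": "ivanov", "src_ip": "10.1.2.3", "event": "login-failed"},
    {"ts": "2019-04-01T09:00:04", "user": "ivanov", "src_ip": "10.1.2.3", "event": "login-failed"},
    {"ts": "2019-04-01T09:00:09", "user": "petrova", "src_ip": "10.1.2.7", "event": "login-ok"},
]

if __name__ == "__main__":
    key = b"per-tenant-secret-example"  # placeholder secret, constructed for the demo
    for mode in (NON_ANONYMOUS, PARTIALLY_ANONYMOUS, COMPLETELY_ANONYMOUS):
        print(mode, [protect(r, mode, key) for r in SAMPLE])
```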
How to enable SecuReporter on the device?
Consider the ZyWALL device as an example (in our case a ZyWALL 1100). Go to the settings section (the tab on the right with the two-gears icon). Then open the Cloud CNM section and select the SecuReporter subsection.
To enable the service, activate the Enable SecuReporter element. Additionally, enable the Include Traffic Log option to collect and analyze traffic logs.
Figure 1. Enable SecuReporter.
The second step is to enable statistics collection. This is done in the Monitoring section (the tab on the right with the monitor icon).
Next, go to the UTM Statistics section, subsection App Patrol, and activate the Collect Statistics option.
Figure 2. Enable statistics collection.
That is all; you can now connect to the SecuReporter web interface and enable the cloud service.
IMPORTANT! SecuReporter has excellent PDF documentation. You can download it at this address.
Description of the SecuReporter web interface
Giving a detailed account of all the functions SecuReporter provides to the security administrator is not feasible here; there are too many of them for one article.
Therefore, we limit ourselves to a brief description of the services the administrator sees and works with constantly. So, let us get acquainted with what the SecuReporter web console consists of.
Map
This section displays the registered equipment with city, device name and IP address, whether the device is on, and the status of its alerts. The Threat Map shows the sources of the packets used by attackers and the frequency of the attacks.
Dashboard
Brief information on the main activity and a concise analytical overview for the specified period. The period can be set from 1 hour up to 7 days.
Figure 3. An example of the Dashboard section.
Analyzer
The name speaks for itself. This is the console of the tool of the same name, which diagnoses suspicious traffic for a selected period, identifies threat trends and collects information about suspicious packets. Analyzer can track the most common malicious code and provide additional information on security issues.
Figure 4. An example of the Analyzer section.
Report
This section provides user-accessible custom reports with a graphical interface. The required information can be collected and presented in a convenient form immediately or according to a set schedule.
Alerts (Warnings)
This is where the alert system is configured. You can set thresholds and different severity levels, which simplifies identifying anomalies and potential attacks.
Settings
Well, the settings are the settings.
Additionally, it is worth noting that SecuReporter supports different security policies when processing personal data.
Conclusion
Local methods of analyzing security-related statistics have, in principle, proven themselves well.
However, the range and severity of threats grow every day. A level of protection that everyone once found adequate becomes weak after a while.
Besides these problems, local tools require effort to keep running (equipment maintenance, backups, and so on). There is also the problem of remote location: it is not always possible to keep a security administrator in the office 24 hours a day, 7 days a week, so you have to somehow organize secure external access to the local system and maintain it yourself.
Cloud services let you get away from such problems and focus on maintaining the necessary level of security: protection against intrusions as well as against rule violations by users.
SecuReporter is just an example of a successful implementation of such a service.
Promotion
Starting today, Zyxel and our Gold Partner X-Com have a special offer for customers of firewalls supporting SecuReporter:
Useful links
[1] Supported devices.
[2] Description of SecuReporter on the official Zyxel website.
[3] Documentation for SecuReporter.