Simplify and Automate Cybersecurity Monitoring

Alert triage - filtering, prioritization, validation

Alertflex implements security event management functions for a distributed grid of security sensors (Suricata NIDS, Wazuh HIDS, Falco CRS, ModSecurity WAF, AWS WAF, Amazon Network Firewall). It is built on the following layers: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL), Access (Alertflex controller and management console).

  • The Alertflex Collector (Altprobe) receives security events through Redis or directly from the log files of Suricata NIDS, Wazuh HIDS, Falco CRS, ModSecurity WAF, AWS WAF, and Amazon Network Firewall.

  • The Collector normalizes every security event and applies filter policies to it. Based on those policies, the Collector extracts certain events, aggregates them, and can drop an event that the filtering policy marks as suppressed. This simplifies alert management and reduces noise from minor events.

  • After pre-processing, the Collector sends events (alerts) to the central node.

  • The Collector can retrieve additional data from security sensors, such as NetFlow, vulnerability and misconfiguration reports, which normally consist of many JSON records. To implement the “Anti-flooding” algorithm that prevents large bursts of events on the central node, the Collector pre-accumulates and compresses large data blocks before sending them to the Controller.

  • After security events arrive on the central node through the ActiveMQ message broker, the Controller takes care of processing them. The Controller tries to match every alert with an existing Response profile and assigns a priority to the alert according to a user-managed configuration table. Finally, the Controller saves the alert in the Alertflex database (MySQL). The Controller can also redirect alerts and NetFlow to the log management platforms OpenSearch, Elastic Stack and Graylog, and it implements a REST API and a STIX-Shifter interface for external access to alerts.

  • If a security alert matches a certain Response profile, the Controller sends the alert context to the Management console to perform a Response action, such as a user notification and/or the invocation of an automation playbook.

  • The response to a detected threat can be a Playbook run with predefined security operations. Integrating Alertflex with the OpenSearch Anomaly Detection feature (Random Cut Forest AI algorithm) makes it possible to configure an automated response not only for discrete events but also for an anomalous rate of events.

  • The Management console provides various reports and web forms for visualizing alerts, cyber threats, vulnerabilities, and misconfigurations. Additionally, it allows remote management of the Collectors' filtering policies and of IDS sensor rules.

  • External systems can also be used for web visualization of analytics: Grafana connected to the Alertflex database (MySQL), Kibana from OpenSearch/Elastic Stack, or Graylog.

  • Every alert in the Alertflex database can be sent to external incident and notification services such as JIRA or TheHive.
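As an added illustration (not Alertflex's own code or policy format), the following Python sketch models the Collector pre-processing described above: it normalizes Suricata EVE and Wazuh JSON alerts into one record shape, drops a signature the policy marks as suppressed, and folds repeats of the same alert inside a time window into a single record with a counter. The policy layout, field names, signature ids and sample events are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed policy in an illustrative format (not Alertflex's own): drop one noisy
# signature and fold repeats of the same alert into one record for 60 seconds.
POLICY = {"suppress": {("suricata", "2200003")}, "window_sec": 60}

def _epoch(ts):  # Suricata EVE and Wazuh both emit "2024-05-01T10:00:00.000000+0000"
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()

def normalize(line):
    """Map a Suricata EVE alert or a Wazuh alert JSON line to one common record."""
    ev = json.loads(line)
    if ev.get("event_type") == "alert":  # Suricata EVE
        return {"source": "suricata", "sig_id": str(ev["alert"]["signature_id"]),
                "desc": ev["alert"]["signature"], "src_ip": ev.get("src_ip"),
                "dst_ip": ev.get("dest_ip"), "ts": _epoch(ev["timestamp"])}
    if "rule" in ev:  # Wazuh HIDS: the agent name stands in for the destination
        return {"source": "wazuh", "sig_id": str(ev["rule"]["id"]),
                "desc": ev["rule"]["description"], "src_ip": ev["data"].get("srcip"),
                "dst_ip": ev["agent"]["name"], "ts": _epoch(ev["timestamp"])}
    raise ValueError("unrecognised event format")

def apply_policy(lines, policy=POLICY):
    """Suppress, then aggregate repeats of (source, sig, src, dst) inside the window."""
    alerts, slot = [], {}  # slot: aggregation key -> index of its open record
    for raw in lines:
        a = normalize(raw)
        if (a["source"], a["sig_id"]) in policy["suppress"]:
            continue
        key = (a["source"], a["sig_id"], a["src_ip"], a["dst_ip"])
        i = slot.get(key)
        if i is not None and a["ts"] - alerts[i]["first_ts"] <= policy["window_sec"]:
            alerts[i]["count"] += 1  # same alert again: count it, do not forward it
            alerts[i]["last_ts"] = a["ts"]
        else:  # first sighting, or the window has closed: open a new record
            slot[key] = len(alerts)
            alerts.append({**a, "count": 1, "first_ts": a["ts"], "last_ts": a["ts"]})
    return alerts

def _suri(ts, sid, sig):  # builds a constructed Suricata EVE alert line
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": "203.0.113.7",
                       "dest_ip": "10.0.0.10", "alert": {"signature_id": sid, "signature": sig}})

SAMPLE = [  # constructed input: one repeated alert, one suppressed signature, one Wazuh alert
    _suri("2024-05-01T10:00:00.000000+0000", 2019401, "EXAMPLE SSH scan"),
    _suri("2024-05-01T10:00:20.000000+0000", 2019401, "EXAMPLE SSH scan"),
    _suri("2024-05-01T10:00:25.000000+0000", 2200003, "EXAMPLE decoder noise"),
    json.dumps({"timestamp": "2024-05-01T10:00:30.123+0000", "data": {"srcip": "203.0.113.7"},
                "agent": {"name": "web1"}, "rule": {"id": "5712", "description": "sshd: brute force"}}),
    _suri("2024-05-01T10:00:50.000000+0000", 2019401, "EXAMPLE SSH scan"),
    _suri("2024-05-01T10:02:00.000000+0000", 2019401, "EXAMPLE SSH scan"),
]
```

Running `apply_policy(SAMPLE)` yields three records: the repeated scan alert with a count of 3, the Wazuh alert, and a fresh scan record opened after the 60-second window closed, while the suppressed signature never reaches the central node.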

Detection of threats, misconfigurations and vulnerabilities

For threat detection, Alertflex integrates with the Cyber Threat Intelligence platform MISP. For finding vulnerabilities and asset misconfigurations, Alertflex performs a comprehensive analysis of reports from sensors and remote vulnerability scanners.

  • Based on the MISP IOC database, Alertflex performs a real-time reputation check of IP addresses, DNS records, and MD5 and SHA1 file hashes. It creates an alert when suspicious data is found.

  • Analyzes reports on packages, endpoints, containers, cloud, and networks sent from third-party tools: Amazon Inspector, OWASP Dependency-Check, Docker-bench, Kube-bench, Kube-hunter, OWASP ZAP, Nmap, Snyk, SonarQube, Trivy, Wazuh Vulnerability-detector. Alertflex generates an alert if a new vulnerability or misconfiguration has been found.

Integrated analysis for containers, endpoints, network

Putting security events from different sources on a common timeline makes an integrated analysis of cloud, network, containers, and endpoints possible.

  • Most alerts from security sensors are tagged with MITRE technique labels. The Alertflex MITRE Matrix and Timeline web forms allow visualizing alerts according to the attack vectors defined by the MITRE methodology.

  • The Alertflex Collector can manage Wazuh agents and Docker containers via their local APIs, retrieve the list of agents and containers, and match them against the defined hosts and network segments.

Security operations automation and response

Alertflex works as an orchestrator for several third-party applications and automates security operations. Most automation operations can be implemented as a Playbook, a set of jobs run by Alertflex according to each job's Flow ID. Every Playbook can run automatically at a time interval or as a response to a security alert. At the moment, Alertflex playbooks support the following jobs:

  • Active Response - calls remote operations in response to an alert: a Wazuh active response, an IP address deny operation for Suricata IPS, a Docker API request (stop or pause a container), an AWS Network ACL API request to block an IP address, or a call to an AWS Lambda serverless function.

  • Scans suspicious files in a malware analysis sandbox (Cuckoo, Hybrid Analysis, VMRay).

  • Runs an Ansible playbook or a remote script over SSH.

  • Copies or moves remote files over SFTP.

  • Automatically runs third-party tools for finding vulnerabilities and misconfigurations.

  • Generates scheduled email reports with Alertflex monitoring statistics.