WHAT IS AUTOMATED SYSLOG BREACH DETECTION?
Evolve Security Automation makes it easy for organizations and security teams to orchestrate a wide range of scalable and high-availability security infrastructure, with automated integration of Cyber Threat Intelligence for immediate proactive threat detection and prevention.
The Evolve “Automated Syslog Breach Detection” solution enables any organisation to seamlessly enhance their security architecture to quickly and easily detect threats, attacks and security breaches with the latest intelligence.
Evolve introduces the ability to orchestrate on-demand high-availability Syslog Collectors that can immediately start ingesting your security logs and automatically integrate with over 350 Cyber Threat Intelligence feeds from the Evolve Marketplace to detect security breaches. This allows your organisation to automatically stay on top of the latest threats to prevent access to malicious websites whilst also proactively blocking malware from locating their Command & Control systems.
The Evolve Automated Syslog Breach Detection solution natively integrates with the Evolve Automated Incident Response workflows. When chained together, Evolve delivers automated detection of security breaches, automated collection and analysis of evidence, and automated response to contain security breaches within minutes.
Evolve enables your organisation to automatically stay on top of the latest threats, attacks and security breaches relevant to your business and automatically respond to critical threats to help ensure your business remains safe.
Automated Syslog Breach Detection is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.
- Orchestrated Syslog Infrastructure
- Automated Cyber Threat Intelligence Integration
- High-Availability Syslog Solution
- Globally Distributed Syslog Solution Options
- Remote Syslog Collector Orchestration
- High-Performance Syslog Solution
- Orchestrated Trusted SSL Syslog Endpoints
- Automated Internal IP Identification
- Automated Incident Response Integration
- Evolve Agent Integration
- Automated Syslog Caching
- Automated Malicious Activity Notification
- Regular Cyber Threat Intelligence Updates
- Automated Evolve Dashboard Integration
- Automated Slack Integration
FLEXIBLE SUBSCRIPTION PRICING
Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock in contracts. Simply import the Automated Syslog Breach Detection capability from the Evolve Marketplace to begin your subscription.
Monthly Subscriptions. No lock in contracts.
OPTIMISE YOUR COSTS WITH USAGE-BASED BILLING
Importing workflows and modules from the Evolve Marketplace incurs a once-off usage charge per import to orchestrate your new capabilities.
SECURITY ZONE USAGE
Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real time.
Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data.
Evolve Modules are stored and executed on demand and in real time, which incurs usage. Optimize usage by reducing module executions.
Evolve Agents allow distributed orchestration of modules on premise and in the cloud. Optimize usage by reducing the polling frequency.
When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data.
Generating and storing Evolve Dashboards incurs usage to enable populating chart data from within Evolve Containers.
Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts.
FREQUENTLY ASKED QUESTIONS
WHAT IS AUTOMATED SYSLOG BREACH DETECTION?
Evolve Automated Syslog Breach Detection allows you to orchestrate high-availability Syslog Collectors with automated Cyber Threat Intelligence integration to detect security breaches.
Within minutes, you can automatically detect attempts to access unwanted or malicious websites, using the latest malicious domain intelligence, as well as connections from malware to its Command & Control systems, giving you automated security breach detection.
Simply point your organization’s Syslog settings to the Evolve Syslog Collector Endpoints for immediate scalable log collection and automated breach detection capabilities.
HOW DO I GET STARTED?
The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated Syslog Breach Detection solution. Simply import this automation workflow into your Evolve Account.
You can follow the Getting Started Guide to then launch your first Automated Syslog Breach Detection workflow instance. The results will automatically be displayed in the corresponding Evolve Dashboard.
DOES THE EVOLVE SYSLOG BREACH DETECTION MEET MY BUSINESS NEEDS?
Evolve Automated Syslog Breach Detection solution caters for all businesses, ranging from small businesses with limited budgets, through to enterprises requiring high-throughput highly-available globally-distributed syslog collectors with a central management console.
The Evolve Automated Syslog Breach Detection solution can be configured for high-throughput by simply increasing the size of your Evolve Security Zone. The larger the Security Zone, the larger the throughput, and the greater number of Cyber Threat Intelligence feeds that can be integrated.
The Evolve Automated Syslog Breach Detection solution automatically optimizes your usage costs by scaling up and down as the number of log events being collected increases and decreases. This means that spikes in log throughput are automatically handled to help ensure that the busy periods for your business are supported.
Evolve Automated Security Infrastructure solutions natively and transparently include high-availability. This means that in the very rare situation where a syslog collector stops responding, a new syslog collector will automatically be launched in its place within seconds to minutes to ensure your business keeps running securely.
GETTING STARTED WITH AUTOMATED SYSLOG BREACH DETECTION
STEP 1: REGISTER AN EVOLVE ACCOUNT
Congratulations for deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is to simply Register an Evolve Account using the Register button on the Evolve website.
STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT
Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.
STEP 3: SETUP YOUR EVOLVE BILLING
Evolve subscriptions and usage-based bills are charged via credit card.
- Set up your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account.
- Select the “Add Payment Method” button that will load the Evolve Secure Payment Gateway page where you can add your credit card details.
- As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments.
Your Evolve Account is now set up and you are ready to mature your security.
STEP 4: SELECT YOUR EVOLVE REGION
Evolve is a specialist security automation cloud, which means that it has globally distributed infrastructure enabling geographic security controls allowing you to keep your data and processing within the geographical regions aligned to your business needs.
- Select your Evolve Region in the top right-hand corner of your Evolve Account.
Any actions you take will occur within your selected Evolve Region.
STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE
The Evolve Automated Syslog Breach Detection workflow is available in the Evolve Marketplace. Simply import the workflow into your Evolve Account with the following steps.
- To get to the Evolve Marketplace, navigate to the Marketplace side-menu.
- Whilst in the Evolve Marketplace, locate these services by either selecting the “Security Infrastructure” category and browsing through the available workflows and services, or by searching for the keyword “syslog”.
- Click on the corresponding marketplace item to review the overview of the service, service usage and subscription pricing information.
- Click the Import button and step through the import steps.
- You will then be redirected to the Imports page.
- You may need to use the Reload button to see your newly imported service.
Once the import status changes from “Pending” to “Available” you have successfully imported this security automation workflow and added this specialist security capability to your business.
STEP 6: LAUNCH YOUR SECURITY ZONES
Evolve Security Zones are isolated environments that provide scalable compute and storage to execute your Evolve Workflows. Security Zones can be launched in different configurations for different purposes.
Since we are launching a high-availability workflow, we are going to launch the following types of Security Zones:
- A Scalable Security Zone to deliver the scalable syslog collector endpoints.
- A second Scalable Security Zone to provide us with a generic scalable environment for processing arbitrary modules, such as Cyber Threat Intelligence collection and transformation, as well as log processing and Dashboard chart generation.
We will start with the Scalable Syslog Collector Security Zone:
- Select the Security Zones side menu item and click the New Security Zone button.
- Set a useful name for your Security Zone, such as “Syslog_Collector_Security_Zone”.
- Click the Next button, which will take you to the Security Zone Size page.
- Select a “Medium” sized Security Zone for our use-case, which should be sufficient for most use cases. The size of your Security Zone will actually be defined by your log throughput. For larger organizations, a Large or Extra Large Security Zone may be selected.
- Click the Next button to go through to the Configuration page where it allows you to specify the settings of your Security Zone.
- Leave the Volume Size as the default value for our use-case, which should be sufficient for most use cases. The Volume Size is the size of your Security Zone cluster nodes’ disks used to temporarily store your module data during processing. This volume size needs to be sufficient to store your logs for between 5 and 15 minutes for caching. Organizations with larger log throughput may wish to increase the Volume Size to 50 GB or 100 GB for assurance purposes.
- Select the Scalable setting. The Scalable setting configures the Security Zone to automatically scale up and down to optimize processing and usage costs.
- The NAT Gateway can be left as blank since we don’t need a static outbound public IP address.
- The VPN Gateway can be left as blank since this workflow does not need to access your organization’s internal systems.
- Click the Next button.
- Review your settings.
- Click the Create button.
This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes. You should wait for the Security Zone state to change from “Pending” to “Available”.
Once available, you should then repeat these Scalable Security Zone steps again to launch your generic “Automation Security Zone”.
STEP 7: LAUNCH A WORKFLOW INSTANCE
You have imported the Automated Syslog Breach Detection workflow and have set up your Evolve Security Zones. You now need to launch a Workflow Instance to orchestrate your Syslog Collectors with automated Cyber Threat Intelligence collection and integration.
- Select the Workflows side menu item to list your available workflows.
- Locate the “Create Instance” button alongside your Automated Syslog Breach Detection Workflow.
- Set a useful name for your workflow instance.
- Click the Next button, which will take you to the Parameters page where you provide your workflow settings.
Enter the following information within the parameters that will be used to orchestrate your Automated Syslog Breach Detection solution:
- Set the “Source CIDR” to be your organization’s IP address ranges in CIDR format. This setting allows you to restrict access to your Syslog Collector Endpoint from only your corporate IP address ranges. You don’t want to open these to the internet since they will be abused by attackers and will cause usage charges.
- Leave the “Output Container” not selected since Evolve will orchestrate this automatically.
- Leave the “Agent” not selected since Evolve will orchestrate this automatically.
- Set the “Syslog Security Zone” to be the “Syslog Collector Security Zone” that you created for this workflow.
- Click the Next button to go to the Configuration page, where you select the default location in which your generic modules will be executed.
- Select the “Automation Security Zone” that you created for this workflow.
- Leave the Agent and Agent Device not selected since we do not want this workflow to be orchestrated via an Evolve Agent.
- Click the Next button.
- Review your settings.
- Click the Create button.
This will automatically orchestrate your Automated Syslog Breach Detection workflow instance, including all Module Instances and Containers, using the settings that you specified for your solution.
You should wait for the Workflow Instance state to change from “Pending” to “Available”.
STEP 8: CONFIGURE YOUR SYSLOG SETTINGS
Your scalable Syslog Collector is now up and running. The Cyber Threat Intelligence feeds may take up to 90 minutes to begin importing.
As a part of launching the Syslog Collector, Evolve orchestrates a scalable syslog endpoint configured with a trusted SSL certificate. This endpoint can be accessed via your unique Evolve domain name that was generated specifically for your syslog collector endpoint.
You can locate your Evolve endpoint domain name using the following steps:
- Expand the Modules side menu and click the “Instances” menu item.
- In the Search box enter the word “syslog”, which will reveal the Syslog Collector Infrastructure Module Instance.
- Select the Syslog Collector module instance.
- Click the “Configuration” tab to reveal your “TCP Domain Name”. This is the location of your syslog collector endpoint.
You now need to configure your organization’s syslog settings to send syslog messages to this domain name on port 514/TCP over SSL.
Systems that you should consider sending logs to Evolve include web proxy logs to identify employees accessing unwanted or malicious websites that appear in the Cyber Threat Intelligence feeds, and firewall logs to identify outbound connections to malware Command & Control IP addresses.
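As an added example (not Evolve’s own code), the kind of matching that the proxy and firewall logs above feed into: constructed RFC 5424 syslog lines are checked against constructed indicator lists, with parent-domain matching for the host in a proxied URL and CIDR matching for a firewall destination address. All domains, addresses and log lines are made up for the example.

```python
import ipaddress
import re

# Constructed indicators standing in for CTI feed content (documentation ranges, not real IoCs).
MALICIOUS_DOMAINS = {"bad-updates.example", "c2.example.net"}
C2_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
C2_ADDRESSES = {ipaddress.ip_address("198.51.100.23")}

# Constructed sample lines in RFC 5424 format, as a web proxy and a firewall might forward them.
SAMPLE_LOGS = [
    '<134>1 2024-05-01T10:15:02Z proxy1 squid - - - 10.0.0.5 GET https://cdn.bad-updates.example/update.bin 200',
    '<134>1 2024-05-01T10:15:03Z proxy1 squid - - - 10.0.0.7 GET https://www.example.org/ 200',
    '<133>1 2024-05-01T10:15:04Z fw1 pf - - - action=pass src=10.0.0.9 dst=203.0.113.77 dport=443',
    '<133>1 2024-05-01T10:15:05Z fw1 pf - - - action=pass src=10.0.0.9 dst=192.0.2.10 dport=443',
]

# PRI, version, timestamp, hostname, app-name, procid, msgid, structured-data, then the free-text message.
SYSLOG_RE = re.compile(r'^<\d{1,3}>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$')
URL_RE = re.compile(r'https?://([^/\s:]+)')
DST_RE = re.compile(r'\bdst=(\S+)')


def domain_is_listed(domain):
    """True if the domain or any parent domain (below the TLD) is on the list."""
    labels = domain.lower().split('.')
    return any('.'.join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels) - 1))


def ip_is_listed(ip_text):
    """True if the address is a listed C2 address or falls inside a listed C2 network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip in C2_ADDRESSES or any(ip in net for net in C2_NETWORKS)


def detect(lines):
    """Return (reporting host, matched indicator, match kind) for every line that hits an indicator."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not RFC 5424; a production collector would count and keep these
        msg = m.group('msg')
        url = URL_RE.search(msg)
        if url and domain_is_listed(url.group(1)):
            hits.append((m.group('host'), url.group(1), 'malicious-domain'))
        dst = DST_RE.search(msg)
        if dst and ip_is_listed(dst.group(1)):
            hits.append((m.group('host'), dst.group(1), 'c2-address'))
    return hits
```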
STEP 9: REVIEW YOUR EVOLVE DASHBOARD
Once a malicious domain or IP address has been requested that is matched by one of your Cyber Threat Intelligence feeds, then the results will automatically be displayed in the Evolve Dashboard. Detailed automation activities can be viewed via the Events page that can be accessed via the Events side menu item.
A quick access menu for every Evolve Dashboard can be found under the Automation side menu. You may find that you need to refresh your web browser page for your new dashboards to appear in this list.
Select your Evolve Syslog Breach Detection Dashboard to view the results. Any spinning charts indicate that no results have been detected at this stage.
Review this dashboard on a regular basis to gain insights into the latest threats and security breaches for your organization.
More advanced users may also want to be notified when malicious activity is detected by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off your Results Output Container for real-time ChatOps notifications.