Logging and SIEM Solutions
Whether you run a single microservice or a large monolithic system, logging is the basis of monitoring: it helps verify that the system behaves correctly, trace what went wrong when problems arise and improve overall functionality.
Log monitoring is the analysis, according to specified rules, of the event records (logs) produced by information systems across all critical networks and devices. Log management, which consists of collecting logs comprehensively, merging them, storing them in their original form, analyzing them and presenting them as text, makes it possible to obtain indicators and evidence of an attack. It also supports forensic investigation of attacks, yielding information such as when and through which channels the attack was carried out, which protocols were used and where the attack originated. Logs should be monitored daily, and real-time alarms should be set for high-risk events. A good logging solution should be able to receive logs from many different environments, hardware and software. When an event occurs, its cause and the computers and servers involved should be identifiable from the logs received.
SIEM, which is seen as a more advanced system, offers more detailed configuration and reporting options than log analysis. One of the most important features of SIEM is the correlation technique, which helps to detect possible attacks by establishing meaningful connections between seemingly independent events with the help of specified policies and rules.
Professional SIEM products have features such as deduplication, correlation, alarm generation, reporting and fast search in logs.
odit provides services in selecting and positioning the right product by determining the logging and SIEM needs of your organization.
WAF Solution
A web application firewall (WAF) is a firewall that monitors, filters and blocks data packets as they travel to and from a website or web application. Operating as a network appliance, server plug-in or cloud service, the WAF inspects each packet and uses a rule base to analyze Layer 7 web application logic and filter out potentially harmful traffic that could facilitate web vulnerabilities. Through customized controls, a WAF can detect and instantly prevent several of the most dangerous web application vulnerabilities that traditional network firewalls and other intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) cannot.
WAFs are particularly useful for companies that provide products or services over the Internet, such as e-commerce shopping, online banking and other interactions between customers or business partners.
Whitelisting: With the whitelisting approach the WAF rejects all requests by default and only allows requests that are known to be trustworthy, based on a list of IP addresses known to be safe. The disadvantage of this approach is that it can unintentionally block harmless traffic.
Blacklisting: With the blacklisting approach the WAF lets packets pass through by default and uses preset signatures, a list of rules describing malicious packets, to block malicious web traffic and protect the vulnerabilities of websites or web applications. Blacklisting is better suited to public websites and web applications, because it lets packets from unknown IP addresses, which are not known to be either malicious or benign, pass through.
Hybrid security: A hybrid security model uses both blacklisting and whitelisting elements. Regardless of the security model a WAF uses, it ultimately works to analyze HTTP interactions and reduce or ideally eliminate malicious traffic before it reaches a server for processing.
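The three security models above can be compared side by side with a small policy evaluator. The following is an added example, not code from the original page or from any WAF product: it decides on constructed HTTP requests under a pure whitelist (trusted source networks), a pure blacklist (two simple signatures for SQL injection and directory traversal in the request line) and a hybrid of the two. The networks, endpoints, signatures and requests are all assumptions made for the demonstration.

```python
"""Whitelist, blacklist and hybrid WAF policy evaluation on constructed requests."""
import re
from ipaddress import ip_address, ip_network

# Positive model: source networks known to be trustworthy (constructed values).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Positive model for the hybrid variant: endpoints the application actually exposes.
KNOWN_ENDPOINTS = {"/login", "/search", "/files"}

# Negative model: preset signatures describing malicious request content.
SIGNATURES = {
    "sqli-tautology": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I),
    "path-traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}


def matched_signature(req):
    """Return the name of the first signature matching path+query, else None."""
    target = f"{req['path']}?{req['query']}"
    for name, pattern in SIGNATURES.items():
        if pattern.search(target):
            return name
    return None


def is_trusted_source(req):
    src = ip_address(req["src"])
    return any(src in net for net in TRUSTED_NETWORKS)


def whitelist_decision(req):
    """Deny by default; allow only requests from trusted sources."""
    return ("allow", "trusted-source") if is_trusted_source(req) else ("deny", "unknown-source")


def blacklist_decision(req):
    """Allow by default; deny only requests that match a signature."""
    sig = matched_signature(req)
    return ("deny", sig) if sig else ("allow", "no-signature")


def hybrid_decision(req):
    """Signatures always win; otherwise a request passes if its source is trusted
    or it targets a known endpoint (positive model for unknown sources)."""
    sig = matched_signature(req)
    if sig:
        return ("deny", sig)
    if is_trusted_source(req):
        return ("allow", "trusted-source")
    if req["path"] in KNOWN_ENDPOINTS:
        return ("allow", "known-endpoint")
    return ("deny", "unknown-source-and-endpoint")


def evaluate_all(req):
    """Return verdicts of the three models as a dict, for side-by-side comparison."""
    return {
        "whitelist": whitelist_decision(req)[0],
        "blacklist": blacklist_decision(req)[0],
        "hybrid": hybrid_decision(req)[0],
    }


# Constructed sample requests (IP addresses from documentation ranges).
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/login", "query": "user=alice"},
    {"src": "203.0.113.9", "path": "/search", "query": "q=' OR 1=1"},
    {"src": "203.0.113.9", "path": "/search", "query": "q=shoes"},
    {"src": "192.0.2.10", "path": "/files", "query": "name=../etc/passwd"},
    {"src": "203.0.113.9", "path": "/admin-old", "query": ""},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src"], req["path"], req["query"], "->", evaluate_all(req))
```

The third and fourth requests show the trade-offs the text describes: the harmless search from an unknown address is blocked by the pure whitelist, while the traversal attempt from a trusted address sails through it and is only stopped by a signature. The hybrid model catches both while still letting the unknown visitor use a known endpoint.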
Intrusion Detection and Prevention System
Intrusion detection and prevention are two broad terms describing application security practices used to mitigate attacks and block new threats. The first is a reactive measure that identifies and mitigates ongoing attacks using an intrusion detection system. It can weed out existing malware (e.g. Trojans, backdoors, rootkits) and detect social engineering attacks (e.g. man-in-the-middle, phishing) that trick users into revealing sensitive information. The second is a proactive measure that uses an intrusion prevention system to block application attacks in advance, including remote file attachments that facilitate malware injection and SQL injection used to access an organization's databases.
What is an intrusion detection system (IDS)?
An IDS is a hardware device or software application that uses known intrusion signatures to detect and analyze both inbound and outbound network traffic for anomalous activity. This is done through:
- comparing system files against malware signatures;
- scanning processes for signs of malicious patterns;
- monitoring user behavior to detect malicious intent;
- monitoring system settings and configurations.
When it detects a security policy violation, a virus or a configuration error, an IDS can remove the offending user from the network and send an alert to security personnel. Despite its benefits, including in-depth network traffic analysis and intrusion detection, an IDS has drawbacks. Because it relies on previously known intrusion signatures, newly discovered (i.e. zero-day) threats can go undetected. An IDS also only detects attacks in progress, not incoming attacks; an intrusion prevention system is required to block them.
What is an intrusion prevention system (IPS)?
An IPS complements an IDS configuration by proactively inspecting a system's inbound traffic to weed out malicious requests. A typical IPS deployment uses web application firewalls and traffic filtering solutions to secure applications. An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting security personnel to potential threats. Such a system typically uses a pre-existing signature database and can be programmed to recognize attacks based on traffic and behavioral anomalies. While effective at blocking known attack vectors, some IPS products have limitations, often caused by over-reliance on predefined rules, which makes them prone to false positives.
Article 5651 Solution
WHAT IS ARTICLE 5651?
Purpose of Article 5651 of Law No. 5651:
The article aims to control access to the internet. In this way, cybercrimes committed over the internet are significantly reduced, and after any incident involving a criminal element the guilty or responsible parties can be identified and easily separated from the innocent. It also aims to protect users from being deceived over the internet by illegal, malicious content.
What should be understood about Article 5651?
- Article 5651 is not a recommendation for public institutions, private companies and users; fulfilling the requirements of the relevant article of law is mandatory. There are legal sanctions for access providers who do not fulfill these requirements: warnings, fines, imprisonment, closures and removal from publication.
- The measures required by the law are entirely in the interests of the users and, if not implemented, may cause financial losses to the user as well as loss of prestige for public institutions and private companies.
After reviewing the two sections summarized above, let us take a look at the details of the principles of the law.
Who is obliged by this article?
It covers all institutions and organizations that provide access services to multiple users, whether paid or free of charge, over one or more internet connections. The article of law is divided into two parts with differing scopes.
a) Institutions and organizations that make Internet access available to their employees or visitors for service purposes or to ensure the continuity of their business.
- Public institutions
- Private companies
- Hospitals
- Schools
- Institutions such as shopping centers etc.
b) Businesses that offer internet access to users for the purpose of earning profit.
- Internet Cafes
- Hotels
- Businesses such as cafes etc. where paid use is in question.
As stated above, the law requires the internet access service that service- or profit-oriented institutions and enterprises provide to their users to be controlled. The general obligations of the access provider under the article of law can be listed as follows:
- Blocking users' access to Web pages that contain illegal content
- Keeping access logs and records (with Time and Date)
- Keeping internal IP logs of users connected to networks.
- If there is a Web page and this Web page is hosted on its own servers, keeping external logs and records of access
Thanks to internet technology, users meet many needs such as information sharing, entertainment, communication, services and self-promotion through web pages. The internet, now among the indispensables of our lives, has brought many threats as well as benefits.
People with malicious intentions steal users' personal information and use it for unjust profit. Users' information is used to defraud them, to gain unfair profit by selling it, or to hide the perpetrators by making a crime they have committed appear to have been committed by unaware, innocent users.
The article in question aims to minimize all these harmful acts. For this reason, it requires users, who are completely vulnerable on the internet, to be protected by the institutions they receive service from. This is a requirement of the article of law that service providers must implement in order to protect their customers and provide better service.
The article requires the blocking of fake web pages, sites with illegal propaganda, sites that may cause the theft of users' information and all web pages containing criminal elements, and the prevention of users' access to these web pages, whether knowing or unknowing.
However, since it is almost impossible to control every web page published every day, the records (logs) of all users accessing web pages must be kept and stored with a time and date stamp, so that possible crimes committed through a web page that has not yet been blacklisted can be tracked and attributed. Records of all access, whether legal or not, must be kept, and these records are required to be retained for a period of 6 months to 2 years.
UTM Solutions
Unified threat management (UTM) means that multiple security features or services on your network are combined into a single device. With UTM, users of your network are protected by many different features, including antivirus protection, content filtering, email and web filtering, spam prevention and more.
UTM enables an organization to consolidate IT security services into a single device, potentially simplifying the protection of the network. As a result, your business can monitor all threats and security-related activities from a single window, giving you complete, simplified visibility into all elements of your security or wireless architecture.
Desirable Features of a Unified Threat Manager
There are some features that an ideal UTM solution should have.
Antivirus
A UTM comes with antivirus software that can monitor your network, detect viruses and stop them from damaging your system or its connected devices. This is done using information from signature databases, which are repositories of virus profiles, to check whether any are active on your system or trying to gain access. Threats that the antivirus software in a UTM can stop include infected files, Trojan horses, worms, spyware and other malware.
Anti-malware
Unified threat management protects your network against malware by detecting it and then responding. A UTM can be pre-configured to detect known malware, filter it from your data streams and prevent it from entering your system. A UTM can also be configured to detect new malware threats using heuristic analysis, which applies rules that analyse the behaviour and characteristics of files. For example, if a programme is designed to prevent a computer's camera from working properly, a heuristic approach could flag it as malware. A UTM can also use sandboxing as an anti-malware measure. With sandboxing, the suspicious file is confined to an isolated compartment of the computer, the sandbox. Although the malware is allowed to run, the sandbox prevents it from interacting with other programmes on the computer.
Firewall
The firewall has the ability to scan incoming and outgoing traffic for viruses, malware, phishing attacks, spam, network intrusion attempts and other cyber security threats. Because UTM firewalls examine data both entering and leaving your network, they can also prevent devices on your network from being used to spread malware to other networks that are connected to it.
Intrusion Prevention
A UTM system can provide an organisation with intrusion prevention capability that detects and then prevents attacks. This functionality is often referred to as an intrusion detection system (IDS) or intrusion prevention system (IPS). To identify threats, an IPS analyses data packets, looking for patterns known to exist in threats. When one of these patterns is recognised, the IPS stops the attack. In some cases, an IDS only detects the dangerous data packet and lets the IT team choose how to handle the threat. The steps taken to stop the attack can be performed automatically or manually. The UTM also logs the malicious event, and these logs can then be analysed and used to prevent further attacks in the future.
Virtual Private Network (VPN)
The virtual private network (VPN) features that come with a UTM device work in a similar way to regular VPN infrastructure. A VPN creates a private network that tunnels through a public network, allowing users to send and receive data over the public network without others seeing their data. All transmissions are encrypted, so even if someone intercepts the data, it will be useless to them.
Web Filtering
The web filtering feature of a UTM can prevent users from seeing certain websites or Uniform Resource Locators (URLs).
This is done by stopping users' browsers from loading pages from these sites onto their devices. You can configure web filters to target specific sites based on what your organisation aims to achieve. For example, if you want to prevent employees from being distracted by certain social media sites, you can stop these sites from loading on their devices while they are connected to your network.
Data loss prevention
The data loss prevention you achieve with a UTM appliance allows you to detect and then prevent data breaches and breach attempts. To do this, the data loss prevention system monitors sensitive data and, when it detects a malicious attempt to access or exfiltrate it, blocks the attempt, thus protecting the data.