emas Security Operations Manager is the S2 Grupo platform that goes a step beyond the SIEM to support the overall operation of a Security Services Center.
Overall operation of IT / OT security services
Through an integrated environment, emas Security Operations Manager is structured around a CMDB (ISO 20000 or ITIL compliant) and combines three capabilities: security monitoring and log collection, oriented flexibly toward surveillance of the IT environment, including the Internet of Things (IoT), and of the OT environment in general; advanced intelligence based on complex event correlation techniques and on pattern analysis for the identification of anomalies; and the management of the processes linked to the service (service management, including the Incident Handling process, quality of service, configuration or knowledge
argos is the Security Event Monitoring and Collection module within the emas-Security Operations Manager architecture. Its mission is to monitor the security of both the IT and the OT environment and to collect, model and centralize activity logs for further analysis. Argos has a dual function: on the one hand it provides a complete suite of security, performance and availability monitoring tools (intrusion detection and prevention systems (IDS / IPS), automatic vulnerability analysis systems, HIDS, rootkit / backdoor detection, honeypots, etc.); on the other hand, it provides a powerful set of connectors for obtaining the activity logs of any system or device in the IP world.
tritón is the intelligence module of emas-Security Operations Manager. Through the use of complex event correlation techniques, it serves as a basis for developing and parameterizing specialized event correlators for application in different detection and protection domains. Triton ships with a powerful set of pre-designed correlation rules that are adjusted and extended to suit the particularities of the environment and of the threats faced by the SOC and the entities it protects, and that the user can modify and extend in an accessible domain-specific language (DSL). The intelligence provided by Triton not only facilitates the detection of complex threats but also allows partial automation of the remediation process, issuing action orders to the environment where applicable (IP blocking, NAC commands, etc.).
carmen is the Advanced Threat Protection module of emas-Security Operations Manager. Its objective is to support the investigation process (Threat Hunting) for identifying compromises by APTs. Carmen provides protection through detection in the intrusion phase (Breach Detection), applying advanced sandboxing and static analysis techniques to incoming traffic. On the other hand, when facing this kind of threat it is necessary to assume that the target has already been compromised; under this premise, Carmen focuses on the acquisition, processing and analysis of the monitored organization's outgoing and internal network traffic (C&C and exfiltration), with the objective of identifying exfiltration or communication with Command & Control systems, as well as the usual mechanisms for maintaining persistence or stealing information in the corporate network.
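The page does not describe how Carmen analyzes outgoing traffic, so the following is an added illustration of one common C&C-hunting technique over flow records rather than S2 Grupo or carmen code: implants usually call home on a fixed period, so per (source, destination) pair the inter-arrival times of outbound connections have a low coefficient of variation, while human browsing does not. The flow tuples, addresses and thresholds are all constructed for this example.

```python
"""Beacon-candidate detection over outbound flow records.

Added example for this page; it is not S2 Grupo or carmen code. Flow
records, addresses, thresholds and the helper that builds the sample are
all constructed for illustration.
"""
import statistics
from collections import defaultdict


def beacon_candidates(flows, min_conns=6, max_cv=0.2):
    """Return (src, dst) pairs whose connection timing is suspiciously regular.

    flows:     iterable of (timestamp_seconds, src_ip, dst_ip)
    min_conns: minimum connections before a pair is judged at all
    max_cv:    maximum coefficient of variation (stdev / mean) of the gaps
               between connections; a near-constant period gives a low CV
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    result = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_conns:
            continue                      # not enough samples to judge
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                      # all connections at one instant
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            result.append({"src": src, "dst": dst, "conns": len(times),
                           "period_s": round(mean, 1), "cv": round(cv, 3)})
    # most regular pairs first
    return sorted(result, key=lambda r: r["cv"])


def _series(src, dst, start, gaps):
    """Constructed helper: expand a start time and a gap list into flows."""
    out, t = [(start, src, dst)], start
    for g in gaps:
        t += g
        out.append((t, src, dst))
    return out


# Constructed sample: one host beacons every ~300 s with small jitter,
# the same host also browses irregularly, and a third pair is too short.
SAMPLE_FLOWS = (
    _series("10.1.2.3", "203.0.113.50", 1000,
            [300, 295, 310, 302, 298, 305, 290, 308, 300])
    + _series("10.1.2.3", "198.51.100.20", 1000, [5, 120, 2, 900, 30, 1, 400])
    + _series("10.1.2.9", "192.0.2.77", 2000, [60, 60])
)

if __name__ == "__main__":
    for r in beacon_candidates(SAMPLE_FLOWS):
        print(r)
```

Treat the output as a triage list, not a verdict: update checkers, monitoring agents and NTP clients beacon just as regularly, so candidates still need destination enrichment (reputation, ASN, certificate) and an allowlist of known-good periodic traffic before they become incidents.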
emas is the Service Management module of emas-Security Operations Manager. As the management core of the platform, emas is the single alert and incident management console: it collects all the incidents and automatic alerts generated by the correlation system, as well as manual ones originating from the user support process or from the SOC team itself. emas supports Incident Handling from creation to resolution. To manage the process it relies on an asset database (CMDB) that records the assets to be protected, and on a definition of the service catalog that supports a procedural response. Incidents are managed by monitoring the Service Level Agreement (SLA) frameworks and are supported by a knowledge base fed by the experience the center gains in resolving security incidents.
hera is the Dashboarding module of emas-Security Operations Manager. It analyzes information in real time to compose a dashboard with the key indicators of the SOC's operation. Based on Hera, the platform offers different views of the evolution of the service provided. On the one hand, it gives the SOC an internal view, both in real time and historically, of the key indicators of efficiency, effectiveness, risk and load. On the other hand, it can export to clients a personalized control panel that lets them follow the evolution of the service provided in real time.
The usual model for processing the very large volumes of information handled in a SOC is centralized: one or several probes collect information and a central node stores the records and performs the correlation activity over the total volume of information. However, these centralized collection and correlation models have limitations in scaling to a significant number of monitored sources, both because of the growing capacity needs at the central node and because of the bandwidth consumed between remote sites and the central node. emas-Security Operations Manager can work with the classic centralized model but, as an alternative, also supports a distributed correlation model in which events are collected and correlated at the source, significantly offloading the central node, which then performs a second-level correlation using only the previously correlated alerts to identify threats that affect several sources in a coordinated way.
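To make the two-level model concrete, here is an added example (not S2 Grupo code, and not tritón's rule DSL) that implements both tiers described above and also shows the action order mentioned in the tritón paragraph: a first-level correlator at each site turns raw events into alerts, only those alerts cross the WAN, and a central second-level correlator works on alerts alone to spot a source that is hitting several sites at once and to issue an IP-block order. Rule thresholds, site names and the sample events are constructed for illustration.

```python
"""Two-level (distributed) event correlation, illustrated.

Added example for this page; it is not S2 Grupo code and does not reproduce
tritón's rule language. Thresholds, site names and sample events are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed)
    site: str
    src_ip: str
    kind: str      # e.g. "auth_fail"


@dataclass
class Alert:
    ts: int
    site: str
    src_ip: str
    rule: str
    count: int


class SiteCorrelator:
    """First-level correlator running at the remote site.

    Constructed rule: THRESHOLD or more auth failures from one source IP
    within WINDOW seconds raise a single 'bruteforce' alert. Only the alert,
    never the raw events, is forwarded to the central node.
    """
    THRESHOLD = 5
    WINDOW = 60

    def __init__(self, site):
        self.site = site
        self.buckets = defaultdict(list)   # src_ip -> failure timestamps
        self.alerted = set()               # one alert per source IP

    def ingest(self, ev):
        """Return an Alert if the rule fires on this event, else None."""
        if ev.kind != "auth_fail":
            return None
        times = [t for t in self.buckets[ev.src_ip] if ev.ts - t <= self.WINDOW]
        times.append(ev.ts)
        self.buckets[ev.src_ip] = times    # sliding window
        if len(times) >= self.THRESHOLD and ev.src_ip not in self.alerted:
            self.alerted.add(ev.src_ip)
            return Alert(ev.ts, self.site, ev.src_ip, "bruteforce", len(times))
        return None


class CentralCorrelator:
    """Second-level correlator at the central node; sees alerts only.

    Constructed rule: the same source IP raising a bruteforce alert at
    MIN_SITES or more distinct sites is a coordinated campaign; the response
    is an IP-block order for the whole environment.
    """
    MIN_SITES = 2

    def __init__(self):
        self.sites_by_ip = defaultdict(set)
        self.ordered = set()

    def ingest(self, alert):
        """Return an action order when a coordinated threat is identified."""
        sites = self.sites_by_ip[alert.src_ip]
        sites.add(alert.site)
        if len(sites) >= self.MIN_SITES and alert.src_ip not in self.ordered:
            self.ordered.add(alert.src_ip)
            return {"action": "block_ip", "ip": alert.src_ip, "sites": sorted(sites)}
        return None


def run(events):
    """Drive both tiers; return (alerts forwarded, actions, raw event count)."""
    site_corr = {}
    central = CentralCorrelator()
    forwarded, actions = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        corr = site_corr.setdefault(ev.site, SiteCorrelator(ev.site))
        alert = corr.ingest(ev)
        if alert:
            forwarded.append(alert)          # this is all that crosses the WAN
            act = central.ingest(alert)
            if act:
                actions.append(act)
    return forwarded, actions, len(events)


# Constructed sample: 203.0.113.9 hammers two sites, 198.51.100.7 only one,
# and 10.0.0.5 fails twice (noise below the threshold) then logs in.
SAMPLE = (
    [Event(100 + i, "madrid", "203.0.113.9", "auth_fail") for i in range(6)]
    + [Event(130 + i, "valencia", "203.0.113.9", "auth_fail") for i in range(7)]
    + [Event(200 + i, "madrid", "198.51.100.7", "auth_fail") for i in range(5)]
    + [Event(300, "valencia", "10.0.0.5", "auth_fail"),
       Event(301, "valencia", "10.0.0.5", "auth_fail"),
       Event(350, "madrid", "10.0.0.5", "login_ok")]
)

if __name__ == "__main__":
    alerts, actions, n = run(SAMPLE)
    print(f"{n} raw events stayed at the sites; {len(alerts)} alerts crossed the WAN")
    for a in actions:
        print("central action:", a)
```

The trade-off the central tier accepts is visible in the code: it can only correlate on what the sites chose to promote to an alert, so a campaign that stays below the per-site threshold everywhere is invisible to it. In practice the first-level rules are therefore tuned to forward low-confidence alerts liberally, letting the second level decide.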