Post on 29-May-2020

5 views

Category:

Documents


0 download

TRANSCRIPT

CorreLog®

GSIP - Government Security Information Platform

System Operation Road Map

http://www.correlog.com mailto:[email protected]

CorreLog GSIP PROPINFO, Proprietary to CorreLog Page - 2

CorreLog GSIP – System Operation Road Map This entire manual is considered to be Proprietary Business Confidential Information of CorreLog, Inc. (PROPINFO) None of its contents may be disclosed without the prior written consent of CorreLog, Inc. Copyright © 2008 - 2018, CorreLog, Inc. All rights reserved. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibilities for errors or omissions. Nor is any liability assumed for damages resulting from the use of this information contained herein.


Table of Contents

Section 1: Introduction ..... 5
Section 2: Documentation Rollout ..... 13
Section 3: Operational Road Map ..... 21
Section 4: Example GSIP Use Cases ..... 33
Appendix A: General Specifications ..... 45
Appendix B: Technical Specifications ..... 47
Alphabetical Index ..... 53


Section 1: Introduction

This document provides a detailed description of the CorreLog Government Security Information Platform (herein "GSIP"), which is an especially versioned issue of the CorreLog Server, tailored for security monitoring of government (and potentially other) enterprises. The CorreLog GSIP program contains plug-in components, special features, special configuration files, and other items that make it pertinent for large scale enterprise management requiring FIPS certified encryption, insider threat detection, anomaly detection, and user management. The program is designed to serve as either a stand-alone security manager, or a correlation engine in a larger management strategy, in particular strategies commonly implemented by Federal and State governments. This manual is intended for use by administrators responsible for installing and maintaining the CorreLog system, developers who intend to use the CorreLog system to develop web-based systems, and also end-users who will be using the CorreLog system to access web based information. Note that this manual is intended to be a road map for the complete CorreLog documentation set. The manual makes extensive references to other manuals in the CorreLog suite. Hence, the information herein is intended to supplement, but not necessarily replace, the information contained in the other manuals cited here.


1.1 Identification

This manual provides a road map to the installation, configuration, and usage of the CorreLog Server, Government Security Information Server (GSIP) version. This is a specially configured version of the CorreLog Server containing specific elements to support the special requirements of Government enterprises, including embedded FIPS 140-2 validated software implementing Federal data encryption standards. The CorreLog GSIP Server is a commercially available and off-the-shelf (COTS) product that is available to any domestic customer that meets certain criteria and licensing requirements. The product is primarily intended for use by Federal, State, and Local Government entities, but may also be used by other enterprises. The version is not available from CorreLog except by special request, and all copies of the program are specifically tracked, requiring the existence of an enforceable Nondisclosure Agreement (NDA) with CorreLog, Inc. CorreLog undertakes specific validation and authentication processes to ensure that this version will only be provided to authorized personnel, including organization and position verifications.

1.2 Purpose

The CorreLog GSIP product is intended to provide a secure platform for managing the internal security of an organization. Although the GSIP version is very similar to the standard version of the CorreLog product, it is not available except by special request, and contains specific and unique elements that should be regarded as business confidential in order to enhance its hardening against vulnerabilities. This document provides supplemental information on this specific version, useful as a starting point for installation, configuration, and usage. Note that much of the information in this manual is also available from the standard documentation set for CorreLog, described within later sections of this manual.

1.3 Item Description

The CorreLog GSIP version consists of the standard CorreLog Server, with the following special modifications and plug-in components. The system is preconfigured for immediate installation and operation, but will typically require some ancillary and special configuration discussed in later sections. The CorreLog GSIP version includes the following items that are not supplied with the standard CorreLog Server, or are available in the standard server only with a special license.


FIPS 140-2 Certified Encryption. The GSIP version includes FIPS 140-2 Certified Encryption between agent and manager programs, including the ability to exchange keys, perform self-tests, and perform other features required by the Federal Information Processing Standard.

Secure Apache TLS Web Server. The GSIP version includes a secure Apache TLS server that is specifically hardened to work with CorreLog. (This web server can be substituted by the end user, as may be needed for highly secure environments.)

Advanced Windows and UNIX Agents. The GSIP version includes the advanced CorreLog Windows and UNIX Agent programs. This special agent incorporates User Login Monitoring, Storage Path Monitoring, and User Process Monitoring as standard features. This version of the agent employs export restricted FIPS 140-2 certified encryption.

Session Monitor Plug-in. The GSIP version includes the CorreLog Session Monitor plug-in, which tracks user logins, and provides special features to support anomaly detection, tracking of user activity, with special application in insider threat detection.

Association Monitor Plug-in. The GSIP version includes the CorreLog Association Monitor plug-in, which tracks the associations between keywords in messages, such as login locations for users, processes executed by location, source and destination IP traffic, and other items. This plug-in has special application in insider threat detection as well as user behavior profiling.

Global User Alert Monitor. The GSIP version includes the CorreLog Global User Alert Monitor as a standard feature, which allows a user to apply an alarm across all the users of a specific range, useful for anomaly detection.

IPv6 Adapter. The GSIP version includes the CorreLog IPv6 Adapter Gateway program as a standard component, which permits messages to be received from IPv6 devices.

LDAP Tool Set. The GSIP version includes the CorreLog LDAP Tool Set as a standard component, which provides an interface to one or more Active Directory and LDAP servers to support special requirements associated with user monitoring and tracking.

Special Configuration Files. The GSIP version includes special configuration files, scripts, templates, and other software that targets insider threat applications and provides functions commonly required to support large government enterprises.


All of these special items are described in accompanying manuals that comprise the CorreLog end-user documentation set. A description of these manuals is provided in this section, along with specific guidelines and instructions.

1.4 Functional Description

CorreLog provides real-time log management, multi-platform security correlation and IT enterprise search. In addition to comprehensive SIEM capabilities, CorreLog goes further by employing automated event management and self-learning algorithms to alert on insider threats. CorreLog enhances oversight of the user enterprise by analyzing data from multiple data sources, regardless of platform, OS, or location. CorreLog GSIP resides on one or more platforms within an enterprise, and continuously listens for messages. These messages can be native syslog messages, messages from CorreLog Agent programs, or messages generated by various CorreLog adapters. As these messages are received, they are logged and cataloged into related groups and classes. The operator can search this information, and can take automatic action on correlated messages, such as updating a database, sending a notification, or running arbitrary user programs and batch files. Within an enterprise, CorreLog can have various possible roles:

Security Monitoring. The CorreLog system collects messages, and permits a wide assortment of message filtering and overrides. The system then provides tools to correlate these messages into significant events on the network, especially related to system security.

Syslog Receiver. The CorreLog system collects Syslog messages. The program transparently supports a variety of different message types. Many sites may use CorreLog simply as a Syslog receiver, whereas other sites may use the program mainly as a security and correlation tool.

Stand Alone Manager. The CorreLog system can operate as a stand-alone management tool, collecting data and providing notifications to users when significant events occur. In particular, CorreLog is highly useful as a specialized manager for enterprise-wide log information.

Front End Other Network Managers. The CorreLog system operates as a front-end for other network managers, and can feed these managers correlated messages, suitable for use with reporting facilities. For example, CorreLog can provide the security-monitoring portion of a larger management strategy.


Data Archiving and Reporting. The CorreLog system can operate as a data archiving program, storing large quantities of message information in compressed format, for auditing and forensic purposes. The CorreLog system also generates, distributes, and archives reports.

Unattended Data Collection. CorreLog can operate in a complete "unattended" manner, collecting data without any requirement on the part of users. The program incorporates features to trim log files, and incorporates an "Auto-learn" function that will automatically adjust thresholds and parameters based upon the data it collects.

The CorreLog system is entirely web-based. It does not rely on a console for operation. All configuration activities (except for initial installation) are performed by authorized users via the web interface. The CorreLog system is intended to be a highly secure way of viewing information, and incorporates various encryption mechanisms, as well as permitting secure HTTP access. The program includes role-based permissions, and allows "admin", "user" and "guest" type logins to be created.

1.5 Functional Scope

CorreLog is both an anomaly detection and rule-based COTS solution that provides not only detection capabilities but also the full spectrum of insider threat mitigations. CorreLog’s solution recognizes that the insider may be an individual, a group of individuals (i.e., a cell), or any combination of individuals and cells. In each case, the CorreLog solution has the ability to sense and detect such activities. To do so, the CorreLog solution analyzes and correlates data regarding users and user groups, and tracks their activities using various specialized facilities in order to detect changes in patterns of behavior as well as activities that may or should generate rule-based alerts for zero-day attacks. CorreLog can be configured to respond by taking automatic action, by issuing alerts for human intervention, or by any combination of the two. While CorreLog has comprehensive capabilities, which can implement both CorreLog and third-party pre-defined rules, it goes much further by enabling automated event management that employs self-learning algorithms to sense, detect, deny or disrupt adversaries operating from within; it provides automatic interfaces to counterintelligence (CI) and law enforcement (LE) solutions, and alerts on insider threats operating on both structured and unstructured data.


As an Anomaly and Auditing Extraction Module (AAEM) software solution with self-learning capabilities, CorreLog enhances enterprise oversight by analyzing data from identity management (including certificates residing on DoD CAC or PIVII compliant smart cards), DLP, ERP, applications, syslog, and other log files, to provide broader and more critical analysis of such information regardless of platform, OS, or location. CorreLog’s third-party solution integration capability could be used, for example, to issue alerts arising out of CorreLog’s interoperation with a Technical Media Analysis Tool (TMAT) that characterizes a cyber attack and attributes the source of such an event, particularly if such an attack were posed by those who have access to information systems and networks and operate from within a network; i.e., an insider adversary. Similarly, CorreLog’s integration capabilities enable interoperation with remediation solutions deployed within the enterprise, which manage and publish remediation directives and tasking to the appropriate device remediation tools, automatically directing them to correct and resolve the non-compliance issues found. CorreLog could be used to issue alerts when such remediation tools are used on an unauthorized or anomalous basis, suggesting that an insider may be attempting to alter enterprise or local configurations in order to defeat security policies.

1.6 Core Functions and Features

Given the above overview of functionality, the basic CorreLog server can be explained in terms of core features and subsystems of the product, the most pertinent of which are outlined below:

High Speed Message Reception. The CorreLog Server is suitable to operate as the single Syslog receiver for all devices on the network of large enterprises. CorreLog can process more than 2500 messages per second and can handle burst traffic of more than 10,000 messages. CorreLog physically tracks and catalogs network devices without a hard upper limit, and can receive messages from a virtually unlimited number of sources without tracking them.

Cataloging, Correlation, Reporting Of Information. The CorreLog Server provides a powerful correlation service. This includes implementation of correlation "Threads", "Alerts", "Triggers", "Actions", and "Catalogs". These functions allow the user to reduce and analyze real-time data, and take action. The correlation features require minimal configuration, and serve as building blocks for larger correlation strategies.


Large Scale Data Aggregation, Archiving, Reporting Ability. The CorreLog Server is designed to have high data aggregation ability. It can collect in excess of 1 Gigabyte worth of data each day, and save this data for up to 500 days online, and for more than 10 years (5,000 days) in offline, compressed format. The archiving function includes MD5 checksums and security codes on data items, to support detailed forensics. Reports are generated daily, in Microsoft Excel format.

Large Scale Data Searching Ability. One of the most important functions of the CorreLog system is its search engine capability. CorreLog employs a high speed, real time index system. This allows quick searches through massive amounts of data. Users can search a terabyte of data for a particular keyword in less than one second.

Automatic Trimming Of Data. CorreLog is intended to be maintenance free. Background programs will remove extraneous files, drop the latest data from the system, archive data to other disks, and allow CorreLog to operate with no periodic maintenance scheduling required. These maintenance parameters are settable via the Web interface. CorreLog can easily operate in an "unattended" mode.

Data Filtering and Reduction. CorreLog filters input data by device, facility, severity, or message keyword, or any combination of these. The CorreLog server additionally provides effective message de-duplication functions. This provides a large degree of control over what programs and facilities can add messages to the CorreLog Server message log. Filtered data can be retained as part of the CorreLog archive of messages, useful for forensics.

Ability To Define New Syslog Facilities. CorreLog allows the user to define new Syslog facility codes. One of the commonly noticed limitations of Syslog protocol has always been that the “Facility” codes (which define the data source) are limited to 24 predefined codes. The CorreLog program removes this restriction, permitting users to define their own facilities, such as “Applications”, and “Devmsgs”, so that data can be better categorized and managed. This important extension to the Syslog protocol opens important new vistas in the practical use of Syslog messages not otherwise available using the standard Syslog specification.

Ability To Override Device, Severity and Facility Info. CorreLog allows the user to assign device names, severities, and facility information to messages based upon message content. One of the commonly noticed limitations of the Syslog protocol has always been that, since messages are unsolicited, the user is stuck with whatever message, severity, or facility was originally specified by the message sender. Although this is not necessarily a problem, in some cases the severities or facilities within a message may be nonsensical. The CorreLog system recognizes this existing limitation and implements a sophisticated "override" technique, which allows users to override the facility, severity, or device name in any message.
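As an added illustration of the two preceding items (example code written for this road map, not CorreLog's own implementation), the following Python parses RFC 3164 messages, registers site-defined facilities above the 24 standard codes, and applies content-based overrides of facility, severity and device name. The message lines, rule patterns and the facility names "Devmsgs" and "Applications" are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The 24 facility codes fixed by the syslog specification (RFC 3164), indexed by code.
STANDARD_FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} "
                       r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)


class FacilityRegistry:
    """Facility table seeded with the 24 standard codes, to which the operator can
    add site-defined facilities. Illustrative stand-in for the user-defined
    facilities the manual describes, not CorreLog's own code."""

    def __init__(self):
        self.by_code = dict(enumerate(STANDARD_FACILITIES))
        self.by_name = {name: code for code, name in self.by_code.items()}

    def define(self, name):
        """Register a facility name and return its (existing or newly assigned) code."""
        if name not in self.by_name:
            code = max(self.by_code) + 1          # first free code beyond the fixed 24
            self.by_code[code] = name
            self.by_name[name] = code
        return self.by_name[name]


@dataclass
class OverrideRule:
    """When `pattern` matches the message text, each of facility / severity /
    device that the rule sets replaces the sender's value. `device` may use
    backreferences to capture groups of `pattern`."""
    pattern: str
    facility: Optional[str] = None
    severity: Optional[str] = None
    device: Optional[str] = None


def parse_syslog(raw):
    """Split a raw RFC 3164 message into facility, severity, device and text."""
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m.group("pri"))
    if pri > 191:                                  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri >> 3,                  # upper bits of PRI
            "severity": pri & 0x7,                 # lower three bits of PRI
            "device": m.group("host"),
            "message": m.group("msg"),
            "overridden": []}                      # what was changed, kept for audit


def normalize(raw, registry, rules):
    """Parse one message and apply the first override rule whose pattern matches."""
    rec = parse_syslog(raw)
    for rule in rules:
        m = re.search(rule.pattern, rec["message"])
        if not m:
            continue
        if rule.facility is not None:
            rec["facility"] = registry.define(rule.facility)
            rec["overridden"].append("facility")
        if rule.severity is not None:
            rec["severity"] = SEVERITIES.index(rule.severity)
            rec["overridden"].append("severity")
        if rule.device is not None:
            rec["device"] = m.expand(rule.device)
            rec["overridden"].append("device")
        break
    rec["facility_name"] = registry.by_code.get(rec["facility"], "unknown")
    rec["severity_name"] = SEVERITIES[rec["severity"]]
    return rec


# Constructed sample messages and rules (not taken from the manual).
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<166>Oct 11 22:14:16 relay01 devmon: fan 2 speed below threshold on switch-17",
    "<14>Oct 11 22:14:17 app05 billing: nightly batch completed in 412s",
]
SAMPLE_RULES = [
    # Hardware alarms forwarded via a relay host: file them under a site-defined
    # facility, raise the severity, and credit the real device named in the text.
    OverrideRule(pattern=r"^devmon: .* on (switch-\d+)$", facility="Devmsgs",
                 severity="warning", device=r"\1"),
    # Business application output: move it out of the generic "user" facility.
    OverrideRule(pattern=r"^billing:", facility="Applications"),
]


def run_sample():
    registry = FacilityRegistry()
    return [normalize(msg, registry, SAMPLE_RULES) for msg in SAMPLE_MESSAGES]
```

The first sample message matches no rule and keeps the sender's auth/critical values; the other two are re-filed under the site-defined facilities, with the "overridden" list recording exactly which fields were changed.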

Web-Based Configuration, Viewing, and Reporting. The CorreLog Server system is entirely web-based. All activities, including the establishment of logins and permissions, are completely achieved without a native console. This means that an administrator does not ordinarily need access to the CorreLog Server platform, except in rare instances to start up or shut down the process. The CorreLog Server can therefore be strategically placed in a Network Operations Center (NOC) or secure cabinet, which has important implications for security.

Auto-Learn Capability. The CorreLog Server system includes an "Auto-Learn" function, which monitors message reception, and automatically adjusts thresholds and parameters based upon message rates. This allows the program to learn about its environment, and make suitable adjustments to increase the pertinence of cataloging and correlation functions. This powerful and unique function minimizes the amount of tuning needed by operators, and allows the program to run in an "unattended" mode of operation.

Distributed Management Capability. The CorreLog Server can operate as either a single point of data collection, or as a component in a larger management strategy. Each copy of the CorreLog Server can serve as a "collection agent" within the enterprise, feeding this information to a higher-level collection agent. Additionally, each CorreLog provides components that permit the user to search and obtain status information from other CorreLog Servers, permitting multi-tiered implementations that can handle millions of devices and many Terabytes worth of data.

1.7 CorreLog Fast Start

The remainder of this manual discusses the CorreLog Server in detail. For those users wishing a quick start, the reader should refer to the first section of the CorreLog User Reference Manual, accessed from the top-level "Home" screen of the web interface. Later sections will describe in detail the various other features, adaptations, customizations, and applications associated with the CorreLog Server.


Section 2: Documentation Rollout

This section lists the CorreLog documents which support or constrain the functions of the CorreLog GSIP system. In the event of conflicts between the documents referenced herein and the contents of this manual, the contents of this manual supersede such other information. CorreLog provides a comprehensive manual set consisting of documentation on all parts of the system's operation, as well as special documentation to support extensions and development efforts. These documents are incorporated directly within the CorreLog Server installation, and may be downloaded from the server via an encrypted HTTP connection without reliance on external connectivity. The principal documents (including this road map) can be downloaded in PDF format from the "Home" screen of the CorreLog Server. Additionally, the user may access the "More" menu hyperlink at the upper right of the CorreLog server screen (after login) and follow the "User Manual" hyperlink. Documents physically reside on the CorreLog GSIP system within the "s-doc" folder of the root CorreLog directory (by default "C:\CorreLog\s-doc", but possibly residing in some other location, depending upon how the system is installed). Additionally, users may request the latest documentation directly from CorreLog Support, available in various alternate formats.


2.1 Installation and General Documents

CorreLog provides the following specific manuals to assist in the basic installation, planning, and usage of the CorreLog server. These manuals are available from the "Home" screen of CorreLog, and provide the essential starting point of CorreLog operation:

CorreLog System Deployment and Planning Guide. This guide provides information useful for estimating workloads for various types of CorreLog configurations, as a beginning point for small, medium, or large-scale deployments of the system. This information is intended for use by CorreLog administrators, project managers, and personnel responsible for implementing the CorreLog Server software. Reference file: CO-DEPLOY.pdf

CorreLog Server Quick Installation Guide. This guide provides brief information on how to install the main CorreLog Server system on a Microsoft Windows platform. This information can also be found in Section 2 of the "CorreLog Sigma Framework User Manual" and Section 2 of the "CorreLog Server User Reference Manual", both of which can be accessed below. Reference file: CO-INSTALL.pdf

CorreLog Server User Reference Manual. This document is a comprehensive manual on the CorreLog Security Server. The manual includes installation procedures, application notes, and various appendices. This manual will be of interest to operators, as well as network managers and administrators responsible for installing and maintaining the CorreLog system. Reference file: CO-MANUAL.pdf

CorreLog Server Screen Reference Manual. This document provides a comprehensive description of all significant screens of the CorreLog Security Server. The manual includes screenshots of each screen, a description of controls and fields, and a discussion regarding the purpose of each screen. This manual can serve as an essential reference manual for CorreLog operators. Reference file: CO-SCREENS.pdf

CorreLog Advanced Correlation User Guide. This manual provides a guide to the advanced correlation features of the CorreLog Server. The manual provides information on specific features and capabilities of the program related to the higher correlation functions of the system, including operating theory, application notes, and certain features of the system that are intended for advanced users and not documented elsewhere. Reference file: CO-ADVANCED.pdf


2.2 CorreLog Agent Manuals

CorreLog provides the following specific manuals to document the installation and usage procedures of optional agents that work with CorreLog and other third-party SIEM vendors. These manuals are available from the "Home" screen of CorreLog, and provide the essential starting point of CorreLog operation:

CorreLog Windows Tool Set (WTS) Manual. This document contains installation and application notes regarding the CorreLog Windows Tool Set (WTS), which is a compact set of software tools that can instrument a Windows Vista, Windows 7, XP or 200X series operating system with Syslog capability. This permits the CorreLog server to effectively manage Windows platforms (in addition to managing UNIX and other types of systems). The Windows Tool Set is a standard part of this installation. Reference file: WT-MANUAL.pdf

CorreLog File Integrity Monitor (FIM) Manual. This document contains installation and application notes regarding the CorreLog File Integrity Monitor (FIM), which operates as an agent on Windows Vista, Windows 7, XP or 200X series operating systems. The FIM continuously checks the integrity of files, reporting when files have been added, deleted, or modified. This special function directly supports PCI-DSS and other compliance regulations. The program is tightly coupled with the CorreLog program, and is a standard part of this installation. Reference file: FI-MANUAL.pdf

CorreLog UNIX Tool Set (UTS) Manual. This document contains installation and application notes regarding the CorreLog UNIX Tool Set (UTS), which is a compact set of optional software tools that instruments Linux, Solaris, and other UNIX operating systems with extra Syslog capability. (If this particular software is not included with the regular distribution of CorreLog, then it is available to licensees and evaluators upon request.) Reference file: UT-MANUAL.pdf

CorreLog CZA Mainframe (z/OS) Agent User Manual. This document provides a description of the CorreLog Mainframe (z/OS) agent software, which instruments Mainframe computers to forward SMF Type 80 (and other) messages to CorreLog or a third-party SIEM platform. This is the full installation and user manual. The actual CorreLog CZA is separately licensed software, available for evaluation on request. The manual provides procedures, discussions, and application notes. Reference file: CO-CZA.pdf


2.3 GSIP Specific Modules and Plug-Ins

The following specific manuals are available to support the GSIP version of the CorreLog server. Generally, these manuals are available only on request to qualified prospects and licensees. Contact CorreLog support for assistance in obtaining these manuals:

Apache TLS / Crypto Enhanced Encryption Software Manual. The "Apache TLS / Crypto Enhanced Software" may be installed at any CorreLog site to add a more secure Apache TLS server that includes additional hardening, support for SSL and TLS, as well as components that allow encryption keys to be managed and uploaded to CorreLog agents. If the user does not supply his or her own certificate, the package can cause misleading warnings when people access the CorreLog server; hence this package is recommended ONLY for people with a good understanding of security certificates and of managing a secure HTTP server. Reference file: CO-SECURE.pdf

Session Correlation Monitor Plug-in Reference Manual. The "Session Correlation Monitor" package adds extra capability to CorreLog by creating a "Sessions" tab under the "Correlation" tab of the system. The Session monitor is useful for tracking users that are currently logged onto the system, tracking logon history, and supporting custom alerting. The session monitor comes preconfigured to track logons from the CorreLog Windows and UNIX agents, and can be modified to serve as a general-purpose session monitor. Reference file: CO-SESS.pdf

Association Correlation Monitor Reference Manual. The "Association Correlation Monitor" package adds extra capability to a CorreLog installation by creating an "Associations" tab under the "Correlation" tab of the system. The Association monitor allows the user to configure tracking of any two keywords in any message class. Specifically, this adds the capability of determining such things as what set of computers a user is logging into, what error messages are commonly generated by each computer, what processes are being launched by which users, what mailboxes are each user accessing, etc. The process comes preconfigured to track users and computers from the CorreLog Windows and UNIX agents, and can be configured to serve as a general-purpose association monitor. Reference file: CO-ASSOC.pdf

Global User Alert Plug-in Software Reference Manual. The "Global User Alert Plug-in" is an optional set of files that extend the alerting function of CorreLog to allow global thresholds to be placed across classes of users and messages. The plug-in creates a new "Alert > Users" tab within CorreLog, which tracks individual users by creating dynamic alert instances when certain messages are received. This component provides additional security monitoring and convenience that may be useful for auditing and detection. Reference file: CO-UALERT.pdf

2.4 Additional Adapter Manuals

CorreLog provides the following specific manuals to document the installation and usage procedures of optional adapters that may be installed at a CorreLog site to extend the range of capabilities needed to support special configurations and / or third-party software. These manuals are available from the "More > User Manuals" screen of CorreLog:

IPv6 Adapter Manual. The IPv6 Gateway Software Adapter is an optional background process and tool set that allows CorreLog to receive and display messages sent by IPv6 devices. The IPv6 adapter manual describes how this adapter can be installed at either the CorreLog Server, or at some other device on the network to serve as a generic Syslog IPv6 to IPv4 gateway process. Reference file: CO-IPv6.pdf

CorreLog ePolicy Orchestrator (ePO) Adapter Manual. This document provides a detailed description of the CorreLog McAfee ePolicy Orchestrator adapter software, which permits bi-directional communication between CorreLog and ePO. This software is available in all evaluation versions of CorreLog, and is separately licensed software. The manual provides configuration procedures, discussion, and application notes sufficient to activate and use the CorreLog ePO interface. Reference file: CO-EPO.pdf

CorreLog File Transfer Queue Adapter Manual. This document contains installation and application notes regarding the optional CorreLog File Transfer Queue Adapter software, which allows the user to create folders that transfer arbitrary text files to CorreLog. This provides a method of agentless operation, and extends the range of CorreLog to accept arbitrary external text files. (This particular software is available on special request to CorreLog support for all CorreLog licensees.) Reference file: CO-QUEUE.pdf

Ping Message Adapter Manual. The CorreLog Ping Monitor Adapter is an optional set of files and executables added to the CorreLog Server in order to expand the role of CorreLog to include monitoring of device states using ICMP Ping messages. With this software installed, CorreLog will ping selected devices, compare the response time to a threshold, and generate a syslog message to CorreLog if the ICMP message response time is out of tolerance. Reference file: CO-PING.pdf

SNMP Message Adapter Manual. The CorreLog SNMP Monitor Adapter is an optional set of files and executables added to the CorreLog Server in order to expand the role of CorreLog to include monitoring of SNMP MIB objects. With this software installed, the operator can configure polling of SNMP objects, which are compared against thresholds. The adapter generates a user-specified syslog message if the SNMP thresholds are violated. Reference file: CO-SNMP.pdf

WMI Message Adapter Manual. The WMI Message Adapter is an optional set of files and executables added to the CorreLog Server in order to expand the role of CorreLog to allow collection of events using the WMI protocol. This provides "Agentless" operational capability to the CorreLog server. (Usage of this adapter requires the WMI interface, which must be configured by the operator, and which may reduce the security of the managed platform.) Reference file: CO-WMI.pdf

SNMP Trap Message Adapter Manual. The "CorreLog SNMP Trap Monitor" is an optional set of files and executables added to the CorreLog Server in order to expand the role of CorreLog to include monitoring of standard SNMP traps. This software allows SNMP traps to be incorporated into the correlation data in a fashion identical to syslog messages. This package was formerly a standard part of CorreLog, but now must be added into CorreLog Version 5.0.0 for new sites. Reference file: CO-SYSTRAP.pdf

SQL Table Monitor Adapter Manual. The "SQL Table Monitor Adapter" is an optional set of files and executables that extend CorreLog's ability to gather messages by permitting these messages to be queried from a relational database table. Various constraints on the table apply, as documented in the user manual. Generally, this adapter is useful for situations where a process is logging data to a database (rather than to a streaming log file.) Reference file: CO-SQLM.pdf

2.5 Developer Manuals CorreLog provides the following specific manuals for developers and advanced users, permitting CorreLog to be extended, customized, or further adapted by programmers and system administrators. These manuals are intended for use by system integrators, developers, or administrators with basic programming capabilities. The following manuals are available from the "More > User Manuals" link of the CorreLog system:

CorreLog Sigma Framework Users Manual. This document provides a detailed description of the CorreLog Sigma Framework, which is a comprehensive, flexible, and lightweight system for creating web sites and web-based applications. In particular, this framework forms the basis for the CorreLog Security and Log Monitor Server, documented elsewhere. This manual is intended for use by web administrators, software developers, as well as end-users that are interested in maintaining and extending the CorreLog system. Reference file: FW-MANUAL.pdf

CorreLog Language Localization Guide. This document contains instructions on how to localize the CorreLog system, modifying tabs, buttons, and text to arbitrary other values. This guide is useful for creating new international versions of the program, supporting different character encodings. The manual documents the functions of the "System > Local" tab of the program, not documented elsewhere. Reference file: CO-LOCAL.pdf

LDAP Interface Toolkit Software. The "LDAP Interface Toolkit Software" is an optional set of files and tools that automatically create an LDIF file from one or more LDAP servers. The resulting LDIF file contents are integrated into the "User Information" screen to permit the operator to drill down to view registered user data. The LDIF file has additional application in configuring large CorreLog Servers, and creating custom alerts. Reference file: CO-LDAP.pdf

RFC 3164, The BSD Syslog Protocol. This document contains the standard and accepted specification for Syslog protocol, used by the CorreLog system for the transmission of event notifications across networks. The document includes a historical discussion of the protocol, as well as technical details for sending, receiving, and configuring message transmission. This document is provided here for general completeness, and is available from multiple other locations. Distribution of this document is unlimited.

CorreLog System Licensing Agreement. This agreement between CorreLog, Inc, and the end user grants specific and limited rights to use the product. Please read the licensing agreement before using the program as either an evaluation program or permanently licensed program. Usage of the software automatically implies agreement with the terms stated here. Note that this license may comprise only a part of your overall licensing agreement with CorreLog, Inc.


2.6 Online Help And Usage Information CorreLog includes a comprehensive, browser based web facility. Context sensitive help is available on any CorreLog screen, accessed by clicking the question mark help link found at the upper right of most web screens. Additionally, most of the manuals described herein are available via the "More" menu in the upper right of the display. The user can click the "More" link, and then select the "User Manuals" link to display a site map showing the online data available in PDF format. From the "site map" screen, the user can click to download or view the various manuals listed herein. Finally, within the CorreLog directory system (by default the C:\CorreLog folder) various README files are available to describe the contents of the directories, and special notes that may be of interest to developers and administrators.


Section 3: Operational Road Map This section provides an operational summary of the steps needed to achieve a typical deployment and fulfill standard mission objectives of the software. The information herein provides a brief statement of the various deployment and operational activities necessary to implement the typical functional areas of the program, including citation of other documents listed in Section 2 of this document. A detailed description of CorreLog installation can be found in the "CorreLog Quick Installation Guide", available from the CorreLog website, and included in the standard CorreLog distribution package. Additionally, the CorreLog Server is a part of a stand-alone web framework, the installation of which is described within the "CorreLog Sigma Web Framework" Users Manual. Finally, detailed information on system usage, including application notes, is available in the "CorreLog User Reference Manual", with detailed help on each CorreLog screen available in the "CorreLog Screen Reference Manual". (These documents are available from the "Home" screen of the CorreLog GSIP web interface after user login.) The information presented in this section provides a basic guide to the assorted steps needed to implement CorreLog within a government enterprise, including different monitoring strategies that leverage program features and modes of operation, all with the specific intention of meeting security and compliance standards, and establishing verifiable security.


3.1 System Installation Road Map CorreLog Server is specifically designed for fast and easy installation. The system does not scatter DLL or other files into system directories. All files reside in the CorreLog root directory, by default the directory C:\CorreLog. The CorreLog Server software is usually delivered as a self-extracting WinZip file, either downloaded from the Internet, or delivered on a CDROM. The installation requirements and procedures, applicable to CorreLog and its components, are documented in various locations, as follows:

General Installation Procedures. The CorreLog GSIP program is installed as per instructions provided in the "CorreLog Quick Installation Guide", which provides brief information on how to install the CorreLog Server system on a Microsoft Windows platform. This information can also be found in Section 2 of the "CorreLog Sigma Web Framework User Manual", and Section 2 of the "CorreLog Security Correlation Server User Reference Manual", both of which are included as part of the standard installation package.

Hardware Requirements. A description of hardware requirements for the CorreLog server is provided in the "CorreLog Deployment Guide", as well as various data sheets. The system can be installed on Windows XP, Vista, Windows 7 as well as Windows NT 200X systems. CorreLog does not require Java, or .NET to be installed on the platform. The CorreLog Server, by itself, has a small footprint of less than 20 Mbytes, but the actual disk space may vary depending upon the particular applications installed (or which might later be installed) as part of the framework.

Windows and UNIX Agent Installation. Optional CorreLog agents are installed separately for both Windows and UNIX platforms. The CorreLog "Windows Tool Set" is usually delivered as a self-extracting WinZip file. The CorreLog "UNIX Tool Set" is usually delivered as a compressed tar file (tarball). The installation of these items is documented in the "Windows Tool Set User Manual" and "UNIX Tool Set User Manual". The actual software and manuals may be downloaded from the internal link of the CorreLog GSIP software, from the "Home" screen of the web interface.

Plug-in And Adapter Installation. CorreLog supports a "plug-in" philosophy, which allows the end-user to install extra components without affecting the existing configuration items of the server. Plug-in component installation procedures (including the LDAP, IPv6, SNMP, ePO items) are documented in the respective manuals for the components, listed in Section 2 of this manual. Components are typically delivered as self-extracting WinZip files, which include installation procedures, notes and additional documentation.


CorreLog components are uninstalled via the standard Windows "Add / Remove Programs" screen (or the "Programs and Features" screen on Vista / Windows 7 platforms). Additionally, if the user stops the CorreLog Syslog Message service, the entire CorreLog directory can simply be dragged and dropped into the Windows "Recycle Bin", which will effectively discard the entire installation. (However, note that this will still leave the service entry for CorreLog within the Windows Service Manager, which is normally cleaned up by the Uninstall procedure.) The CorreLog install and uninstall programs are very simple, and require very little explanation. Refer to the above-cited manuals for the detailed steps needed to install and uninstall system components; those manuals also contain application notes that may be useful to system developers and managers.

3.2 Initial System Configuration Road Map The CorreLog GSIP software provides a ready-to-run configuration that furnishes immediate utility for a wide range of security and insider threat use-cases. On installation, the GSIP program begins collecting data, establishing a baseline, and opening tickets. In addition to this baseline configuration, CorreLog provides multiple integration services, configuration items, and customization that can be applied by the administrator. Procedures for establishing an initial system configuration are documented throughout the CorreLog documentation set. Basic configuration steps (including step-by-step procedures) can be found in Section 3 of the "CorreLog User Reference Manual". These steps are summarized below:

Configuring Correlation Threads. One of the main purposes of CorreLog is to organize data into "Threads". This is one type of correlation available to users, and is very simple to implement. CorreLog comes predefined with a variety of useful correlation threads that are generic enough to use without modification. Users can (and typically will) create their own correlation threads, pinning these threads to the top for easy reference, and creating alerts for these threads that open tickets on the system.

Refining and Auditing Correlation Threads. Correlation threads are the first stage of correlation. (Later stages are discussed in Section 4 of the "CorreLog User Reference Manual", and other locations.) The out-of-box correlation threads, and any new threads created by the user, should be audited to see if they contain proper data. It is often the case that small changes may be necessary to a thread, or a new thread needs to be derived from an existing thread with small changes applied.


Configuring Alerts And Tickets. Once a thread is created, the user can optionally add an alert threshold for the thread counter. (The thread counter appears at the right of the thread title on the "Correlation > Threads" screen.) Alerts compare correlation counters to limits, and then send syslog messages (of the user's selection) back to CorreLog. Alerts can also open tickets on the system, assigning these tickets to specific users and groups.

Configuring Notifications and Actions. When a ticket is opened, closed, or modified, it can run an action program such as sending e-mail. Configuration of ticket actions may or may not be an essential activity of an enterprise's security monitoring. Most sites will send e-mail to an administrator when certain tickets, or all tickets, are opened. Prior to configuring any ticket actions, the administrator must first configure the CorreLog SMTP server settings. The administrator can then add "Action" scripts to the "Ticket > Actions" tab of the system.

Reducing Correlation And Message Load. CorreLog can accept 2000 messages or more per second continuously. However, it is often the case that only a small fraction of these messages are actually pertinent or necessary for security compliance. In particular, redirecting all firewall data at CorreLog can quickly make the program difficult to use (because so little data is security event data, pertinent for security management). CorreLog employs a sophisticated filtering capability that permits reduction of data both at agent programs and also at the main CorreLog Server.

3.3 System Check-Out / Acceptance Testing CorreLog GSIP provides self-test, and operational test features. Actual acceptance testing can be conducted based upon specific hardware and software requirements of the enterprise, including the following:

FIPS Self Test. As per NIST FIPS requirements, the encryption software executes a power-up self-test, which is logged to the main server. This function is installed as part of the Apache TLS / Advanced Encryption modules, documented in the manual for that feature. Specifically, stopping and restarting any agent program (where FIPS encryption modules are installed) will result in the generation of a test message on startup.

Test Vector Generation. CorreLog provides utilities to send syslog messages, including specific capabilities to identify the location of the message (if other than the sending device.) CorreLog supports its "sendlog" utility on all versions of Windows, as well as Linux, Solaris, AIX, and HPUX platforms. These tools are documented in the WTS and UTS manuals, listed in Section 2 of this document. Using these utilities (as well as other special CorreLog software, available on request) the end-user can generate arbitrary test vectors using standards-based syslog protocol or SNMP traps.

Ticketing Interface Tests. The "Ticketing Interface" of CorreLog (and associated "Actions" facility) supports multiple test features, including the ability to arbitrarily execute ticket actions and interfaces by manually opening a ticket. A description of the Ticket interface, including test facilities, is documented in the main "CorreLog User Manual", specifically Section 4 of that manual.

Operational Readiness Test. The user can perform a simple operational readiness test of the CorreLog server at any time by simply posting a message to the CorreLog server via the "Post Message" link of the "Messages > Search" screen. This provides a method of testing the operational readiness of the system, as well as testing any arbitrary correlation rule, alert, or ticket action.

In addition to the above functions, CorreLog can execute a health check (depending upon the specific requirements of the site) at periodic intervals via the "Alerts > Custom" facility, which permits the user to add arbitrary programs and alert on the standard output of these programs. Specific test guidelines (if necessary) are available from CorreLog support, including checks of process status, disk capacities, and message rates suitable for verifying the health of the CorreLog site. The "Alerts > Custom" facility is documented in the "CorreLog User Manual" and "CorreLog Screen Reference Manual", available from the "Home" screen of the CorreLog server. Note that actual validation and verification of functionality and accuracy depends upon the objectives defined by the organization, and should include CorreLog engineering and support personnel in both the planning and execution phases of any testing.
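The test vectors described under "Test Vector Generation" are plain RFC 3164 syslog lines. The following Python script is an added example, not CorreLog's own "sendlog" utility or any code from the CorreLog manuals: it builds an RFC 3164 message whose HOSTNAME field names the device the event is attributed to (which may differ from the sending machine), validates it against the RFC length limit, parses it back to confirm what the collector should record, and optionally sends it over UDP. The host names, address, message text and port 514 are constructed assumptions.

```python
"""Added example (not CorreLog's own sendlog utility): build, validate, parse
and send an RFC 3164 syslog test vector of the kind used for acceptance tests.
The server name, port and message content below are constructed placeholders."""
import re
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local1": 17, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MAX_LEN = 1024  # RFC 3164 upper bound on the total packet length

# Header layout: <PRI>TIMESTAMP HOSTNAME TAG[pid]: CONTENT
_HEADER = re.compile(
    r"^<(\d{1,3})>"                       # PRI
    r"(\w{3} [ \d]\d \d\d:\d\d:\d\d) "    # TIMESTAMP, day space-padded
    r"(\S+) "                             # HOSTNAME
    r"([^:\[\s]+)(?:\[(\d+)\])?: "        # TAG and optional [pid]
    r"(.*)$"                              # CONTENT
)


def build_rfc3164(facility, severity, hostname, tag, content, when=None, pid=None):
    """Return one RFC 3164 line. `hostname` is the HOSTNAME field, i.e. the
    device the event is *about*; it may differ from the host that actually
    transmits the packet, which is how a test vector is attributed to a
    chosen location rather than to the sending machine."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day padded by a space.
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    tag_field = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri}>{stamp} {hostname} {tag_field}: {content}"


def validate_vector(line):
    """True if the line is pure ASCII and within the RFC 3164 length limit."""
    try:
        return len(line.encode("ascii")) <= MAX_LEN
    except UnicodeEncodeError:
        return False


def parse_rfc3164(line):
    """Split a line into its fields, or return None if it is not well formed.
    Useful for checking what the collector should have recorded."""
    m = _HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "hostname": m.group(3),
        "tag": m.group(4),
        "pid": int(m.group(5)) if m.group(5) else None,
        "content": m.group(6),
    }


def send_test_vector(line, server, port=514):
    """Send the vector to the collector over UDP; returns the bytes sent."""
    if not validate_vector(line):
        raise ValueError("test vector is not valid RFC 3164")
    data = line.encode("ascii")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(data, (server, port))


# Constructed sample: an auth warning attributed to a host other than the
# sender, timestamped to a fixed moment so the output is reproducible.
SAMPLE_TIME = datetime(2018, 3, 5, 14, 7, 9)
EXAMPLE_VECTOR = build_rfc3164(
    "auth", "warning", "fileserver01", "sshd",
    "Failed password for testuser from 192.0.2.10 (GSIP acceptance test)",
    when=SAMPLE_TIME, pid=4242,
)

if __name__ == "__main__":
    print(EXAMPLE_VECTOR)
    print(parse_rfc3164(EXAMPLE_VECTOR))
    if len(sys.argv) > 1:  # e.g. python3 this_script.py <collector-host>
        print("sent", send_test_vector(EXAMPLE_VECTOR, sys.argv[1]), "bytes")
```

After sending, the same message should appear under the HOSTNAME "fileserver01" on the "Messages > Search" screen, which confirms both collection and any thread, alert or ticket action keyed to that device.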

3.4 Data Baselining Considerations As part of the operational road map of CorreLog GSIP, considerations must be made for baselining the data (i.e. allowing CorreLog's anomaly detection software to establish baselines.) Not only is this a necessary part of the anomaly detection, but this process may be necessary to accomplish test objectives as part of operational readiness. CorreLog continuously monitors incoming data and adjusts thresholds for alerts based upon history of information. By default, CorreLog uses a ten-day baseline for establishing thresholds and "normal" behavior of devices. This value can be adjusted upwards or downwards via several different subsystems, listed here.


Note that CorreLog is immediately operable without first creating any baselines. However, certain features will not be available until a historical baseline is created. For those installed sites where auto-learning is disabled (or is not strictly needed due to a rule-based approach to security management) this section may not apply.

Auto-Learning of Counter Thresholds. CorreLog will automatically adjust thresholds upwards or downwards for any "Alert > Counter" configuration item, based upon ticket history and message rates. The auto-learning period is configured in the "Alert > Config > Thresholds" tab, documented in the "CorreLog Screen Reference Manual" as well as other locations.

Auto-Learning of Association Data. CorreLog will automatically suppress notifications of new associations added to the system for a period of time prior to reporting new associations. This permits a baseline of associations to be established and then alerted upon. The suppression interval is configured via the "Correlation > Associations > Advanced" screen as well as within each association "Edit" screen, documented in the "CorreLog Association Monitor User Manual".

Auto-Learning of Association Anomalies. CorreLog will automatically detect and alert upon anomalous associations, such as anomalous numbers of new associations, as well as anomalous association activity. This function is enabled via the "Correlation > Associations > Advanced" screen, documented in the "CorreLog Association Monitor User Manual". Note that this function is similar to, but distinct from, the auto-learning of associations described above.

Auto-Learning of Session Anomalies. CorreLog will automatically detect and alert upon anomalous session activity, such as too many sessions being created or anomalous session activity. This function is enabled via the "Correlation > Sessions > Advanced" screen, documented in the "CorreLog Session Monitor User Manual". This function is similar to the "Auto-Learning of Association Anomalies" described above, but is applied to session data (rather than association data.)

The auto-learning of counter thresholds (first item above) is a standard part of all CorreLog installations, and is documented in various places, including the "Advanced Correlation User Guide". The auto-learning of association and session data is a function of the Association and Session monitor software that is available only in the GSIP version of CorreLog (documented here.) As a guideline, the default values related to auto-learning for all the above items (ten days) will normally be necessary and sufficient for most deployments, and will not need adjustment by administrators and end-users. However, certain items may require adjustment depending upon the specific enterprise requirements, and test features outlined in the previous section.

3.5 Detection of Security Risks During Deployment As noted above, CorreLog GSIP achieves a large part of its power by establishing baselines of user and system behavior over the course of time. However, it should be emphasized that, during this auto-learning period, the system has an excellent opportunity to catch existing and chronic security risks (such as existing insider threats, but also other security risks) as the system learns these baselines. The initial deployment of the system can (and often will) provide immediate new visibility to situations that may reveal ongoing or undiscovered security concerns. The investigation of user data, and tickets opened during the learning period, is a critical activity during the deployment phase of CorreLog. The following activities should be given special consideration:

Comparison of User Behavior to Entire Population. After a short period of gathering data, certain users will begin to distinguish themselves as more active than other users. For example, some users may access certain types of data that other users do not. These users may be candidates for further investigation to determine whether they are a possible threat to the organization, or merely more productive than other users. Investigation of these users will generally be required.

Comparison of User Behavior With Historical User Data. When investigating a particular user (during the startup period of auto-learning) it may be useful to inspect the past history of a user via the "Graphs" function, or other facilities, to see whether the user or associated device has changed over the course of time, or whether the user has been consistently more active. (Indications of a user change, or radically inconsistent user activity, might indicate the introduction of some new threatening behavior by the user.) This may require extensive examination of past historical data for the enterprise.

Investigation and Dismissal of Tickets. The main mechanism for detecting security threats during the initial baselining period will be the ticketing mechanism. As the system auto-learns, each day new tickets will be automatically opened and closed. As tickets are dismissed, each ticket should be carefully considered to determine whether this ticket indicates a real security threat, or simply some variation in the user population.


The above activities, which will be a natural part of any CorreLog deployment, will be necessary to detect ongoing security threats that may exist at the time of deployment, such as existing insider threats within an organization.

3.6 Importing Baseline Files (Retrospective Learning) Insider threats may exist prior to the time that CorreLog is installed. In particular, a malicious insider may have slowly "ramped up" activities over a long period of time in order to avoid detection. In this case, it may be useful to import historical log data to identify a security risk that may have occurred in the past, or may be ongoing, and which might be reflected in a comparison of historic data to real-time ongoing data. This consideration is especially critical when implementing CorreLog in non-pristine environments, where an insider threat may have already undertaken activities designed to hide or obfuscate his or her presence.

CorreLog permits files to be imported from systems such as firewalls, routers, mail servers, web servers, web proxies, print servers, and other data sources. (This type of historical data is often available within an enterprise, and can assist with the forensic activities associated with identifying past security threats.) The CO-import.exe program, available as an add-on to the GSIP program, accepts raw log data as input. The data is passed through correlation rules to configure graphs and reports. Additionally, the CO-import.exe program can be used to create indices for the high-speed search functions, thereby simplifying certain forensic activities.

As a caveat to importing files, users should be aware that the import utility (which plays data through the real-time components of CorreLog) may require substantial time to execute. For example, importing six months of data may require several weeks or more of replay time, depending upon the CPU power available for the import operation. As another caveat, users should be aware that most of the power associated with CorreLog insider threat detection comes from CorreLog agents, which derive log data and threat indicators that will not exist in historical logs. Hence, CorreLog achieves its full power of threat detection ONLY from the point in time that the program is first installed.

The CO-import.exe program and import facility are not a standard part of the CorreLog GSIP server, but can be installed on demand without affecting other configuration items. In particular, it may be useful to import files at a separate "stand-alone" copy of CorreLog (since this operation does not require a live server.)


3.7 Advanced Configuration Road Map CorreLog GSIP contains multiple configuration points, adapters, special applications, as well as components that may be specifically tailored to the enterprise. A highly detailed discussion of the advanced configuration features of the program is outside the scope of this manual. However, the following points are noted as part of the GSIP operational road map.

Enhanced Login Security. CorreLog provides an "Enhanced Login Security" mechanism, which is enabled via the "System > Logins > Advanced" screen. This function is normally not enabled, and can be enabled to selectively permit auto-logouts, enforcement of password policies, user lockout, and other security items. This is documented in a variety of places, including the "CorreLog Screen Reference Manual."

Custom Logins. CorreLog allows the user to create custom logins that limit the visibility to tabs, data sets, and other items. These logins can be used to restrict an operator's view to specific values, excluding items that may not be of interest or should not be available to standard users. This feature is documented in various places, including the "CorreLog User Reference Manual."

Apache TLS Configuration. Depending upon the particular GSIP version and user needs, the HTTP server that comes as a standard component of Apache can be upgraded to the high-security and hardened CorreLog Apache TLS server. This second Apache server is a standard part of the CorreLog GSIP version, and includes components to create a self-signed certificate and to modify the encryption keys used by agent programs. This feature is documented in the "CorreLog Apache-TLS / Enhanced Encryption" user manual.

Correlation Actions. CorreLog provides a method of configuring custom correlation actions that are applied to incoming messages. These features may form the basis of certain customized security monitors that may be necessary for a specific site. Correlation Actions are documented in the "CorreLog User Reference Manual."

Ticket Actions. CorreLog provides a method of configuring custom actions that are executed when tickets are opened or closed on the system. Ticket Actions may form the basis of certain customized security monitors and notifications that may be necessary for a specific site. Ticket Actions are documented in the "CorreLog User Reference Manual."

Custom Alerts. All versions of CorreLog include a "Custom Alert" facility, which can be used to extend CorreLog to perform a variety of (1) site-specific correlation; (2) execution of special notifications outside the scope of other tools; and (3) special monitoring of third-party tools such as NMAP. Custom Alerts are documented in the "CorreLog User Reference Manual".

Global User Alerts. The CorreLog GSIP provides the Global User Alert monitor as a standard item. (This special function is not available in standard versions of CorreLog.) The configuration and usage of the "Alerts > Users" tab is documented in the "CorreLog Global User Alert Software Manual."

HBSS / ePO Configuration. The CorreLog GSIP provides a ready-to-run interface with McAfee HBSS and / or ePO management consoles. This interface furnishes bi-directional communication with the McAfee site, including the ability to receive and correlate information from HBSS / ePO, and to post event information back to HBSS / ePO (where it appears on the McAfee console and / or dashboards.) Configuration of this special interface is documented within the "CorreLog McAfee ePO Installation and Users Manual."

LDAP Interface. CorreLog GSIP should not be made reliant on LDAP (which is a common mistake of many deployments). If possible (given the restrictions of an organization), this includes not having the CorreLog web interface authenticate through standard LDAP or Active Directory. However, CorreLog provides an LDAP Tool Kit that can be used to further monitor LDAP, such as to permit drill-down into user LDAP information (from the CorreLog "Messages > Users" screen) to view detailed information, and simple scripting to automatically create user groups based upon LDAP configuration data. This special tool is documented within the "CorreLog LDAP Tool Kit Users Manual."

Other Adapters. CorreLog GSIP can be configured with a variety of other adapters listed in Section 2 of this document. Each adapter / plug-in includes its own user manual, installation instructions, and application notes. Popular adapters include (but are not limited to) SNMP Trap, SNMP Polling, Ping, WMI, File Transfer Queue adapters, as well as more specialized plug-ins. Information on these adapters and their applicability to a particular enterprise is available from CorreLog support.

Macro Configuration Data. CorreLog GSIP comes with a series of generic macro definitions for match patterns (used by threads, actions, and other CorreLog subsystems.) These macros permit easy modification and tuning of the correlation system based upon global definitions applied across the entire system. These macro definitions are configured manually, or loaded via the CorreLog "Correlation > Templates" screens, documented within the "CorreLog User Reference Manual", and other locations.

Blacklists and Whitelists. Blacklists and whitelists (used by the correlation, alerting and reporting subsystems of CorreLog GSIP) comprise an important aspect of the macro facility. Blacklists and Whitelists are defined as macros, and can be applied across a list of different items, documented within the "CorreLog User Reference Manual", and other locations. These lists can be used to match specific users, files, counters, devices, executable programs, and any other class of data.

File Integrity Monitor. CorreLog GSIP comes with a comprehensive file integrity monitor that can be optionally installed on Windows and UNIX platforms to continuously scan (at configured intervals) large numbers of files to detect changes to these files or their permissions. This optional software is agent-based. Installation, configuration, and usage of this optional program are documented in the "Windows File Integrity Monitor" and "UNIX Tool Set" User Manuals.

3.8 Program Maintenance Requirements

All CorreLog components are designed for unattended operation, and manual intervention will not be needed to trim log files, periodically adjust parameters, or perform other routine maintenance that may be commonly required of other programs. The following exceptions apply.

License Expiration. Some versions of the GSIP program may have a finite licensing period, requiring renewal of the license file to establish a new expiration date. The expiration date of the system (if any) can be found at the bottom of all CorreLog web interface screens, and indicates the date when the web interface will become inoperable.

Data Backup. CorreLog creates multiple checkpoints of its configuration data, performs a nightly backup of all configuration files, and archives log data to a separate location. However, it may be incumbent on an organization to further back up this data for disaster recovery. Further information on backups is provided in the "CorreLog User Reference Manual", and "CorreLog Backup And Recovery Guide".

Section 4: Example GSIP Use Cases

CorreLog GSIP, as a general purpose COTS program, provides a variety of different applications and use cases. The information herein provides a high-level guideline of typical use cases that can be addressed to achieve certain types of security monitoring, including both internal and external threat detection. This section provides an overview of use cases, defined in general terms, needed to understand the basic approach of the security management activity. Details regarding setup are available from CorreLog support personnel, who should take an active part in defining the implementation steps required to secure the organization. Note that the specific use case implementation is not published here, partly as a method of mitigating risks that might otherwise exist if the specific implementation were detailed here. Use cases below (and alternatives) are provided only as an overview of CorreLog GSIP functional capabilities. More detailed procedures may be obtained by contacting CorreLog support as part of any trial, proof of concept, or actual deployment. The information presented in this section furnishes a guide to the capabilities needed to effectively operate within a government enterprise, including different monitoring strategies and alternatives, with the intention of mitigating threats, creating audit trails of user activity with application in forensics, and enhancing security in general.

4.1 Use Case: Suspicious File And Folder Access

As one of its principal functions, CorreLog GSIP can monitor user access to files and folders, and watch for suspicious patterns of access. This can be accomplished through multiple techniques including but not limited to the following capabilities:

CorreLog User Handle Monitor. The CorreLog Agent, if installed on a Windows or UNIX platform, monitors user access to files and folders. This is a built-in function of the CorreLog GSIP version, and requires an agent to be running on the managed machine. CorreLog continuously monitors the handles and file paths associated with programs, which can subsequently generate messages to CorreLog Server. The CorreLog Server system can then generate alerts when particular users or groups access specific file paths.

CorreLog File Integrity Monitor (FIM). On Windows and UNIX platforms, the CorreLog "File Integrity Monitor" can determine when specific files are created, deleted or changed. This technique requires the Windows or UNIX FIM program to be installed. (This program performs periodic scans of the system to detect changes to files.) The log messages, generated by the FIM, are subsequently sent to CorreLog Server, which can then set alerts when specific files are created, deleted, or modified.

CorreLog Storage Path Monitor. The CorreLog Agent, if installed on a Windows or UNIX platform, tracks changes to removable media, such as USB devices or micro-SD insertions. This is a built-in function of the CorreLog GSIP version, and requires an agent to be running on the managed machine. In the case of removable media, the CorreLog agent tracks the likely user name (i.e. the user logged into the particular console) as well as the serial number and name of the drive. The CorreLog Server system can then set alerts when particular users or groups access specific file paths.

Windows File Auditing. On Windows platforms, the administrator can configure standard Microsoft "File Auditing" security, which causes the operating system to log messages when any file in a designated folder (or a particular file within a folder) is accessed. The log messages are subsequently sent to CorreLog Server, which can then set alerts when specific files are accessed by particular users or groups. This technique requires either the CorreLog Windows Agent to be installed on the Windows platform, or requires the CorreLog WMI adapter to be installed at the CorreLog Server. (Note that using the CorreLog WMI adapter achieves an "agentless" mode of operation, although certain constraints to security and scalability may apply.)

4.2 Use Case: Suspicious Program Execution

As one of its principal functions, CorreLog GSIP can monitor user process execution, and watch for suspicious patterns of execution. This can be accomplished through multiple techniques including but not limited to the following capabilities:

CorreLog Process Monitor. The CorreLog Agent, if installed on a Windows or UNIX platform, monitors user execution of processes. This is a built-in function of the CorreLog GSIP version, and requires an agent to be running on the managed machine. CorreLog continuously monitors the execution of programs, compares this against a profile, and generates messages to the CorreLog Server indicating the process name, command line options, and user name. The CorreLog Server system can then set alerts when particular users or groups launch specific files (based upon a blacklist of process names for different groups.)

Windows Process Auditing. On Windows platforms, the administrator can configure standard Microsoft "Process Auditing" security, which causes the operating system to log messages when processes are started or stopped, including failed attempts. These log messages are subsequently sent to CorreLog Server, which can then set alerts when specific files are accessed by particular users or groups. This technique requires either the CorreLog Windows Agent to be installed on the Windows platform, or requires the CorreLog WMI adapter to be installed at the CorreLog Server. (Note that using the CorreLog WMI adapter achieves an "agentless" mode of operation, although certain constraints to security and scalability may apply.)

CorreLog Association Monitor. In all cases, the CorreLog Server can learn the baseline "Associations" between usernames and processes, and record when a new user / process association is established. The "Association Monitor" function provides a listing of users, and what processes they commonly access, as well as the frequency of access. When a new association is added to the system, this sends an internal message back to CorreLog, which can indicate that the user is accessing a program outside of his or her profile. Additionally, the anomaly detection features of the Association Monitor can detect when the number of process associations has rapidly increased, or the association activity is outside of normal.

Black Listing of Processes. In all cases, the operator can establish a list of processes that, if executed by a particular group of users (optionally excluding administrators), cause an alert to be sent to the CorreLog server indicating that a particular user is executing an unauthorized program. This provides a simple method of alerting on unauthorized user activity.

4.3 Use Case: Changes To Security / Tampering

As one of its principal functions, CorreLog GSIP can monitor changes to system security that may indicate malicious tampering. This capability includes monitoring for attempts to subvert the security monitoring functions through multiple techniques including but not limited to the following capabilities:

Changes To User Authentication And Permissions. CorreLog monitors changes to LDAP and Active Directory (AD) through logging, using standard Windows and UNIX services. This includes addition and deletion of users, addition and deletion of groups, and escalation of user and group permissions. CorreLog can generate alerts on both local and enterprise changes.

Changes to File Permissions. On Windows and UNIX platforms, the CorreLog "File Integrity Monitor" can determine when file permissions are changed. This technique requires the Windows or UNIX FIM program to be installed. The log messages, generated by the FIM, are subsequently sent to CorreLog Server, which can then generate alerts when file permissions are modified, including the addition of hard links to files and directories.

Changes to LDAP / AD Configuration. In addition to monitoring LDAP / AD through logging, CorreLog provides elements to directly compare LDAP and AD information through periodic downloads of directory information via LDAP protocol, and comparison of this data to established baselines. This function is available via the CorreLog "LDAP Tool Kit" and "Custom Alert" functions of the CorreLog GSIP Server.

Changes to Device and Network Profiles. CorreLog can detect IP spoofing and other changes to the system and network (such as adding new interfaces to managed devices) through periodic and continuous polling of the network devices. This augments the above capabilities by providing an "agentless" mode of operation, which compares devices to an established or expected baseline. Polling can be accomplished via SNMP, ICMP, WMI, execution of NMAP, and other techniques.

Clearing of Audit and Log Information. On Windows and UNIX platforms, CorreLog agents detect clearing of log files, such as in an attempt to destroy audit information.

CorreLog Internal and Self-Audit Functions. CorreLog Server logs all changes to its own configuration, provides a comprehensive audit trail, and can alert when a "locked down" version of CorreLog is modified in any way, including changes to agent configurations.

4.4 Use Case: Multiple or Improper User Sign-on

As one of its principal functions, CorreLog GSIP can monitor user access to specific machines. CorreLog incorporates a "User Discovery Monitor" function, which automatically identifies the network users of systems, and tracks any messages related to those users. The basic CorreLog server, with no configuration applied, detects successful and failed logins of users, including the detection of "brute-force" attacks, dictionary attacks, and user lockout. This basic function also includes variations such as multiple invalid logins across different user identifiers and machines. Additionally, the GSIP version provides several special elements not available in the standard version of CorreLog, which are designed to specifically furnish special utility of the type commonly found in Government enterprises, including but not limited to specific capabilities as follows:

Session Monitor. The CorreLog GSIP "Session Monitor" tracks the current state of logged in users, and allows Custom Alerts to generate messages based upon this data, such as detection of (1) a user logged into too many locations; (2) a user that has failed to log out by a certain time; (3) a user that has logged out of a building but failed to log out of a machine; (4) two users simultaneously logged into incompatible machines; and (5) other arbitrary correlation and alerting functions based upon user defined criteria.

Association Monitor. The CorreLog GSIP "Association Monitor" tracks locations related to users, and detects when new and unusual login activity occurs that may indicate a malicious user or insider threat. This includes detection of (1) a user logging into a machine that he or she has not previously accessed; (2) a user accessing a file or resource from a particular machine that has not been previously accessed; (3) abnormal attempts to log into a machine based upon other factors, such as the user's group, physical location, or employee status. (This latter example may include situations such as a new group name being added to the groups of users that typically access a machine.)

Global User Alert Monitor. The CorreLog GSIP "Global User Alert Monitor" tracks messages on a "per-user" basis, augmenting the other correlation and tracking functions, and simplifying the configuration of alerting. Specifically, rather than looking at invalid logins or other message types across a group of users, the "Global User Alert Monitor" function allows alerts to be generated on a per-user basis, including the ability to track multiple occurrences of logon messages, USB insertions, failed logons, and other ubiquitous indicators of user activity.

4.5 Use Case: Data Exfiltration

As one of its principal functions, CorreLog GSIP can detect possible data exfiltration. These functions augment any Data Loss Prevention (DLP) system that may exist in the enterprise. (CorreLog works with existing DLP systems to further qualify and detect exfiltration, so the capabilities listed here are in addition to any supervisory role of the DLP system.) Specific capabilities include:

Storage Path Monitoring. The CorreLog Agent, if installed on a Windows or UNIX platform, tracks changes to removable media, such as USB devices or micro-SD insertions. The CorreLog Server system can then set alerts when particular users or groups access specific file paths related to removable media.

Port Access Monitoring. CorreLog can log FTP, Telnet, HTTP, SMTP, POP3, and other e-mail activity via standard firewall functions, including failed attempts to access service ports. This capability exists in addition to any logging and monitoring of services described elsewhere. This requires that CorreLog GSIP monitor firewall logs for the department or division.

Route / Interface Monitoring. CorreLog can detect re-routing of data, changes to interface cards, or other network changes via SNMP polling or execution of command line programs. This function prevents (or limits) the ability of a sophisticated user to re-route network pathways to subvert security measures, or install unknown hardware and software on a compromised system.

Automatic Port Scan Execution. CorreLog can execute port scans on devices and device groups, at operator-scheduled intervals, to detect whether a malicious user has created backdoors, or has established any disallowed communication channels including VPN connections, FTP servers, HTTP servers, or other unauthorized network programs.

Printer / Print Job Monitoring. CorreLog can monitor printers through a variety of techniques, including recording all print jobs and the user executing these jobs, and alerting if excessive print jobs are executed, or if printing occurs at a particular time of day, or if a user executes a non-authorized print job. Furthermore, print jobs can set CorreLog "Triggers" that can record additional user behavior (such as file access) or work with the CorreLog "Patterns" facility to identify a malicious pattern of data access.

Keylogging. CorreLog can work with standard keylogging software to detect certain combinations of events, such as "Print Screen" functions, or command line execution of certain blacklisted programs or command line arguments.

4.6 Use Case: Suspicious / Improper E-Mail Activity

As one of its principal functions, CorreLog can monitor SMTP and e-mail traffic of Microsoft Exchange and UNIX based servers. The actual technique for monitoring e-mail (and the associated granularity available) depends upon the capabilities of the organization. Monitoring functions include:

Blacklisted E-Mail Sites. CorreLog can access e-mail address destinations through either direct logging of SMTP server files, or monitoring of certain firewall traffic. In each case, the destination of the e-mail message can be compared to blacklisted addresses (by region, site, or specific user, depending upon the type of e-mail monitoring.) This provides a simple technique for detecting suspicious activity of a user based upon their e-mail habits. In many cases, the CorreLog "Anomaly Detection" software can handle this activity without requiring the explicit configuration of any specific rules (by seeing when new e-mail associations are added to a user's profile.)

Detection of Improper Mailbox Access. CorreLog can uniquely test to see if the e-mail associations of an administrator (or user) include persons that they have no known business with, such as an administrator checking the mailbox of a superior or officer of the organization.

Over-limit E-Mail Access. CorreLog employs the "Global User Alert" facility to assess whether the number of e-mailings for a user is over a specified limit, possibly indicating data exfiltration. This type of monitoring can be applied to various aspects of the e-mail process, such as alerting on an abnormal number of e-mail destinations, abnormal numbers of attachments, etc. (Actual types of monitoring depend upon the type of log feed available from the SMTP process.)

E-Mail Keyword Scanning. Depending upon the type of e-mail feed, CorreLog can scan e-mail documents for specific keywords that may indicate transfer of classified or sensitive data. (In most instances, this will require cooperation with a third-party Data Loss Prevention (DLP) solution, which is not directly part of CorreLog, but instead an external application that sends CorreLog specific event information to alert upon.) CorreLog can perform these activities using source filters, without necessarily logging all e-mail content to the CorreLog server.

Mailer Anomalies. CorreLog detects mailer anomalies via standard syslog messages from Windows and UNIX platforms. Such anomalies include failures of SMTP servers and MTA programs, improper access to server devices, inordinate device resource usage (disk or CPU or network) and other suspicious performance indications.

4.7 Use Case: Suspicious / Improper HTTP Access

As one of its main functions, CorreLog can monitor Web access, given proper instrumentation of proxy HTTP servers, stateful firewalls, and / or web gateways within the organization. The actual technique for monitoring HTTP (and the associated granularity available) depends upon the capabilities of the organization. Monitoring functions include:

Blacklisted Websites. CorreLog can alert when users access blacklisted websites. The destination URL can be compared to blacklisted destinations, depending upon the granularity of the logging (by region, site, or specific user.) This provides a simple technique for detecting suspicious activity of a user based upon their web browsing habits. In many cases, the CorreLog "Anomaly Detection" software can handle this activity without requiring the explicit configuration of any specific rules (by seeing when new URL associations are added to a user's profile.)

Blacklisted Uploads and Downloads. CorreLog can alert when users perform certain upload or download operations. The HTTP method and destination URL can be compared to blacklisted destinations. CorreLog can generate alerts when certain file types are stored on the local computer, or posted to a network device. This can operate in conjunction with or independent of Anti Virus programs that may exist on the local computer.

Over-limit HTTP Access. CorreLog employs the "Global User Alert" facility to assess whether the activity of a user is over a specified limit, possibly indicating data exfiltration, or suspicious behavior. This type of monitoring can be applied to various aspects of the HTTP process, such as alerting on an abnormal number of destinations, abnormal numbers of associations, etc. (Actual types of monitoring depend upon the type of log feed available from the HTTP process.)

Keyword Scanning. Depending upon the type of HTTP feed, CorreLog can scan accessed documents for specific keywords that may indicate transfer of classified or sensitive data. (In most instances, this will require cooperation with a third-party Data Loss Prevention program.) CorreLog can perform these activities using source filters, without necessarily logging all accessed content to the CorreLog server.

Browsing Anomalies. CorreLog detects HTTP anomalies via standard syslog messages from Windows and UNIX platforms. Such anomalies include failures of HTTP servers, 500 type errors, improper access to server devices, and other indications that may (in aggregate) contribute to security awareness.

4.8 Use Case: Suspicious And Conspiratorial Behavior

An important part of CorreLog is devoted to determining associations between users (or possibly devices) indicating cooperation between malicious users. The CorreLog "Associations" facility creates connections between users and devices, users and USB drives, and users and specific files. This records relationships that directly support analysis and determination of conspiratorial behavior among users. Examples of this conspiratorial behavior include the following:

Connections To Shared Web Destinations. The CorreLog "Association Monitor" allows the operator to determine and alert upon situations where more than one user may be connected to a suspicious web site or e-mail address, possibly indicating that they are both communicating with each other (or a third party) using an external e-mail address.

Connections To Shared Malware. The CorreLog "Association Monitor" allows the operator to determine what users are associated with the same malware. If a few users are installing the same new program, it may be that the users are cooperating to install a botnet or other subversive item. This can be detected either with or without a blacklist or signature analysis of the program. (See note below.)

Connections to Shared Anomalous Behavior. The CorreLog "Association Monitor" can look at anomalous behavior associated with a user by associating internal alert messages generated by CorreLog. In this case, the associations are made between CorreLog alerts, which are dependent on other messages. This goes beyond simple user alerting, and addresses the case where multiple users are generating the same type of alert, based upon (possibly weakly related) lower-level messages.

Numerous other examples of association monitoring exist as a determinant of conspiracy, such as shared associations of USB and SD card serial numbers, shared drives, and file access. Note that the association monitor, in addition to working with "signature-based" elements (or "blacklisted" elements), can also operate independent of any particular rule, simply by looking at the rate of associations created by separate users. Specifically, two users that simultaneously create new associations to the same website, e-mail location, or other tracked item are potentially suspicious. For example, if several users (out of a large population) are suddenly installing the same new software for the first time, it may be that this software is a malicious botnet or virus. This can be determined without a signature or blacklist, by virtue of the fact that it is anomalous for a user to install new software, and highly anomalous for only one or two users to install the same software in a narrow time window.
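The baseline-and-new-association logic described for the Association Monitor in 4.2 and in this section, as an added illustration that is not CorreLog's own code: it learns user/process associations from a training window of constructed event lines, then reports each new association a user establishes and, separately, the case the text calls highly anomalous, where several users establish the same new association within a narrow time window. The line format, the 10-minute window and the threshold of three users are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real CorreLog messages). Baseline lines train
# the monitor; live lines are then checked against the learned associations.
BASELINE_LINES = [
    "2018-03-01T09:00:00 user=alice proc=winword.exe",
    "2018-03-01T09:05:00 user=alice proc=outlook.exe",
    "2018-03-01T09:10:00 user=bob proc=excel.exe",
    "2018-03-01T09:12:00 user=bob proc=outlook.exe",
    "2018-03-01T09:20:00 user=carol proc=outlook.exe",
]
LIVE_LINES = [
    "2018-03-02T10:00:00 user=alice proc=outlook.exe",    # already in alice's profile
    "2018-03-02T10:01:00 user=alice proc=sync_tool.exe",  # new for alice
    "2018-03-02T10:03:00 user=bob proc=sync_tool.exe",    # new for bob, same program
    "2018-03-02T10:04:00 user=carol proc=sync_tool.exe",  # third user inside the window
    "2018-03-02T14:00:00 user=carol proc=notepad.exe",    # new for carol alone
]

# Assumed line layout: ISO timestamp, then user=... and proc=... fields.
LINE_RE = re.compile(r"^(\S+) user=(\S+) proc=(\S+)$")


def parse_line(line):
    """Return (timestamp, user, item) from one constructed event line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


class AssociationMonitor:
    """Learns user -> item associations and flags new and shared-new ones."""

    def __init__(self, window=timedelta(minutes=10), shared_threshold=3):
        self.window = window                    # how close in time "shared" must be
        self.shared_threshold = shared_threshold  # distinct users needed to alert
        self.associations = defaultdict(set)    # user -> items seen for that user
        self.new_sightings = defaultdict(list)  # item -> [(ts, user)] first-time uses
        self.reported_shared = set()            # items already reported as shared

    def learn(self, line):
        """Baseline phase: record the association without alerting."""
        _, user, item = parse_line(line)
        self.associations[user].add(item)

    def observe(self, line):
        """Live phase: return a list of alert strings for this event."""
        ts, user, item = parse_line(line)
        alerts = []
        if item in self.associations[user]:
            return alerts                       # known association, nothing to say
        self.associations[user].add(item)
        alerts.append(f"NEW_ASSOCIATION user={user} item={item}")

        # Keep only first-time sightings of this item inside the time window,
        # then count how many distinct users are among them.
        recent = [(t, u) for t, u in self.new_sightings[item] if ts - t <= self.window]
        recent.append((ts, user))
        self.new_sightings[item] = recent
        users = sorted({u for _, u in recent})
        if len(users) >= self.shared_threshold and item not in self.reported_shared:
            self.reported_shared.add(item)
            alerts.append(
                f"SHARED_NEW_ASSOCIATION item={item} users={','.join(users)}"
            )
        return alerts


def run_monitor(baseline_lines=BASELINE_LINES, live_lines=LIVE_LINES):
    """Train on the baseline lines, then evaluate the live lines in order."""
    monitor = AssociationMonitor()
    for line in baseline_lines:
        monitor.learn(line)
    alerts = []
    for line in live_lines:
        alerts.extend(monitor.observe(line))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

With the sample data the run yields four NEW_ASSOCIATION alerts and one SHARED_NEW_ASSOCIATION for sync_tool.exe; the same three events spread an hour apart produce no shared alert, which is the window doing its job.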

4.9 Other Irregularities and Anomalies

In addition to the specific Use Cases presented in this section, CorreLog GSIP is intended to be a general purpose security management system that provides arbitrary and varied interfaces to different types of systems and services, the nature of which are beyond the scope of this document. Other types of monitoring, not mentioned previously, include:

After Hours Activity. CorreLog permits the operator to add a range of hours as criteria for event threading, such as to collect all the logins that occur after normal shift hours. This allows CorreLog to easily alert end users when events occur at unexpected times, indicating possible malicious behavior.

Strange New Associations. CorreLog permits the operator to be notified when specific types of new associations are generated, indicating that a user, machine, process, or other abstraction is outside its normal operating scope. This includes situations such as a new error code being generated by a platform that has not been previously seen, a user in a particular group executing a process that has not been executed before, a device in a particular sector that has a new destination address, and any other arbitrary abstract association.

Suspicious Collaboration. CorreLog provides elements to detect collaboration between users or groups of users that may be cooperating to exfiltrate information or act with malicious intent. This is accomplished by monitoring self-generated alerts for common associations (i.e. feeding alert information into the association monitor.) This permits detection of situations where two or more users are accessing anomalous servers, accessing blacklisted websites, or any other suspicious behavior detected by CorreLog.

Anti-Virus Events. CorreLog provides elements to manage events from Anti-Virus systems, in particular McAfee AV, possibly in conjunction with user sessions, or system associations. This provides added power for detecting the deployment and spread of computer viruses.

Firewall Events. CorreLog provides elements to manage events from firewalls, including Denial of Service attacks, changes to system routes, anomalous numbers of messages, anomalous source and destination addresses, as well as other common firewall indicators. CorreLog includes a log analyzer (via the "Pivot" facility) that graphically depicts the number and types of messages using a normalized message template created by the user.

Complex Patterns / Context Sensitive Events. CorreLog includes several facilities to track events based upon previous event information. The system incorporates a "trigger" facility (which can classify messages based upon previous messages, such as "Startup Errors" as opposed to "Errors".) This "trigger" facility is extended by a "pattern" facility, where combinations of triggers may indicate a sequence of unfolding events that may be detectable during an attack.

Performance Anomalies. CorreLog permits multiple ways to monitor system (and user) performance, including CPU usage, Disk Usage, network usage, and other common performance indications. This is accomplished using the Windows Performance Manager to generate system events, or using SNMP for UNIX and Windows platforms.

Custom Alerts. CorreLog includes a custom alert facility that allows the administrator to configure any command line program to be launched at periodic intervals, and the output of the command line program to generate alerts (via match patterns). This facility extends CorreLog to include a wide range of applications, such as remote registry checks, execution of port scans and vulnerability assessment programs, and periodic execution of local and remote tests.

Appendix A: General Specifications

This section provides a discussion of generic specifications with regard to regulatory requirements of a nature typically applicable to government installations. A series of common requirements is presented, with a description of how the CorreLog GSIP version satisfies these requirements with specific features and options.

A.1 Encryption

CorreLog encrypts data-in-transit between agents and the CorreLog server with a NIST FIPS 140-2 certified encryption module. CorreLog uses a FIPS certified encryption module for communications between client and agent platforms. The cryptographic module is capable of being substituted or augmented with another module, including NSA Type 1-approved modules. Refer to the "Apache TLS / Crypto Enhanced Encryption Software Manual", identified in Section 2, for a complete description of capabilities.

A.2 Confidentiality Of Data Transport Layer

CorreLog Server is completely web-based, relying on established and verifiable HTTPS to transfer content. CorreLog provides a selection of different HTTP servers, including a special FIPS-enabled version of the Apache server, which is available only to US Government customers, or registered domestic partners of CorreLog. The HTTP server component is swappable and may be substituted by the customer.

A.3 File Integrity Monitoring

CorreLog provides cryptographically strong methods of assuring file integrity checks of its executables, configuration files, and reports. The OpenSSL library is swappable and may be replaced by some other cryptographic module preferred by the customer.

A.4 Security Technical Implementation Guidelines (STIG)

CorreLog fully supports Security Technical Implementation Guidelines. An analysis and discussion of these guidelines is available from CorreLog on request.

A.5 Section 508 of the Rehabilitation Act

CorreLog operates as a 100% web-based system, and achieves compliance to Section 508 requirements through the use of a compliant web browser (including MS Explorer, Firefox, Chrome, Safari and others.)

A.6 National Information Assurance Partnership (NIAP) Certification

CorreLog meets and exceeds the requirements stated in CC v3.1/CEM v3.1. A NIAP certification would be considered on customer request per current NIAP rules and any applicable protection profiles. As of the date of this publication, there does not appear to be any current or pending protection profile that covers the specific type of product/functionality CorreLog offers regarding insider threat detection and alerting.

A.7 Standard Protocols and Services

CorreLog uses a small set of standard ports, standards-based protocols, and services. All TCP and UDP service ports required by the product's implementation are completely reconfigurable by the end-user. CorreLog includes its own optional tunneling software, and can make use of standard browser proxy functions.

A.8 DoD 8570 Compliance

CorreLog, Inc. makes use of certified technical partners to comply with DoD 8570. CorreLog provides experienced teaming partners to fulfill security requirements of Federal Agencies. More information is available on request.

A.9 Secure Delivery and Non-Repudiation

CorreLog provides assured delivery to government customers with appropriate support for confidentiality and non-repudiation. As a Florida-based corporation, CorreLog has no FOCI issues or relationships in terms of ownership or operation.

Appendix B: Technical Specifications

This section provides a discussion of operational characteristics and specifications related to the general usage of CorreLog, with emphasis on the administration, configuration, and centralized management of the system in both stand-alone and multi-tier deployments. The section presents a list of common requirements, with a description of the specific features and options that meet these requirements.

B.1 Automated Configuration

CorreLog provides a documented API that permits programmatic generation of whitelists, blacklists, and configuration data, including but not limited to: (1) user tracking based upon data fetched automatically from PKI, LDAP, or Active Directory; (2) device and hardware tracking based upon data retrieved from an asset management system, or auto-discovered from network devices via FTP, ping sweeps, or other techniques; and (3) reduction of false positives based upon ticket rates. CorreLog includes a template facility that permits configurations to be loaded and saved without interrupting operation.

B.2 E-Mail Alerting

CorreLog provides various types of alert notifications and includes a comprehensive SMTP interface that routes email to multiple users or groups based upon content, severity, or other criteria. Email can be sent in real time, or aggregated and deferred to a specific time (for example, nightly at midnight, weekly, or monthly). Email notifications can make use of multiple SMTP servers. Alerts can also run external programs for special requirements (such as using HTTP rather than SMTP, or creating a dial-out connection to another network to send email via phone lines). CorreLog can also automate the actions taken in response to an alert, removing the need for human intervention.

B.3 Non-intrusive Operation

CorreLog operates unobtrusively and can be configured to use minimal CPU and other resources. CorreLog does not require Java, .NET, or other third-party runtimes, and does not require replacement of DLLs or system executables on the target platform.

B.4 Operation in a Low Bandwidth Environment

CorreLog provides both source and destination filters that limit the bandwidth used for host-to-server communications, as well as for server-to-server communications in a multi-tiered environment. Bandwidth usage is configurable so that CorreLog can operate in low-bandwidth or degraded networks. A tactical implementation can securely retain data on the collecting server, on the host system, or on a centralized server, reducing the amount of data that must cross the network. CorreLog further provides support software, such as encrypted TCP tunneling processes and buffering, to ensure delivery in a high-latency or high-loss environment.

B.5 Operation in a Low Disk Capacity Environment

CorreLog provides a variety of techniques for reducing storage requirements, including but not limited to: (1) compression of archived data; (2) distribution of data across multiple platforms; (3) roll-up of data to shared disks; and (4) automatic purging of certain types of data (such as filtered data). These options are completely adjustable by the administrator. CorreLog can also operate in "the cloud" as part of data storage management controls.

B.6 Support for Role-Based Permissions

CorreLog supports role-based permissions tied to user logins. This includes several pre-defined standard roles as well as custom-defined roles. CorreLog supports remote configuration via a secure web interface, and supports PKI authentication via extensions to the Apache server. CorreLog can be integrated with any enterprise identity management or LDAP system to track users regardless of naming convention, enabling tracking of multiple logons by the same user regardless of location.

B.7 Complex and Compound Rule Creation

CorreLog supports complex rule creation in a variety of ways, including but not limited to: (1) creation of complex expressions consisting of multiple rules joined by logical operators; (2) creation of "macros" that represent these complex expressions; and (3) joining of macros by logical operators to create one large rule set. Separately, CorreLog permits rule sets to be loaded in either a "replace" mode, which discards the rule set currently loaded, or a "merge" mode, which joins several rule sets into one.
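As an added example of compound rules, macros and replace/merge loading (written for this page; the nested-tuple expression format, the macro and rule names, and the sample events are assumptions, not CorreLog's own rule syntax): a base rule set and a site overlay are loaded in both modes and evaluated against three constructed events. Macro references are checked at load time, so a dangling reference or a macro cycle is rejected before it can break evaluation.

```python
"""Compound detection rules with macros and replace/merge rule-set loading.
Added example; the expression format is an assumption, not CorreLog's rule syntax."""
import re

# Expression forms (nested tuples):
#   ("match", field, regex)      regex search against the event field
#   ("range", field, lo, hi)     numeric field within [lo, hi]
#   ("macro", name)              reference to a named sub-expression
#   ("and", e1, e2, ...)  ("or", e1, e2, ...)  ("not", e)


class RuleSet:
    def __init__(self):
        self.macros = {}  # name -> expression
        self.rules = {}   # name -> (expression, severity)

    def load(self, macros, rules, mode="merge"):
        """'replace' discards what is loaded; 'merge' overlays it, later definitions win."""
        if mode == "replace":
            self.macros, self.rules = {}, {}
        elif mode != "merge":
            raise ValueError(f"unknown load mode: {mode}")
        self.macros.update(macros)
        self.rules.update(rules)
        for name in self.macros:
            self._check(("macro", name), [])
        for expr, _ in self.rules.values():
            self._check(expr, [])

    def _check(self, expr, stack):
        """Reject dangling macro references and macro cycles at load time."""
        op = expr[0]
        if op == "macro":
            name = expr[1]
            if name not in self.macros:
                raise ValueError(f"undefined macro: {name}")
            if name in stack:
                raise ValueError("macro cycle: " + " -> ".join(stack + [name]))
            self._check(self.macros[name], stack + [name])
        elif op in ("and", "or", "not"):
            for sub in expr[1:]:
                self._check(sub, stack)
        elif op not in ("match", "range"):
            raise ValueError(f"unknown operator: {op}")

    def evaluate(self, expr, event):
        op = expr[0]
        if op == "match":
            return re.search(expr[2], str(event.get(expr[1], ""))) is not None
        if op == "range":
            value = event.get(expr[1])
            return value is not None and expr[2] <= value <= expr[3]
        if op == "macro":
            return self.evaluate(self.macros[expr[1]], event)
        if op == "and":
            return all(self.evaluate(e, event) for e in expr[1:])
        if op == "or":
            return any(self.evaluate(e, event) for e in expr[1:])
        return not self.evaluate(expr[1], event)  # "not"

    def fire(self, event):
        """Names and severities of every rule the event satisfies."""
        return sorted((n, sev) for n, (e, sev) in self.rules.items() if self.evaluate(e, event))


def loads_cleanly(macros, rules):
    try:
        RuleSet().load(macros, rules)
        return True
    except ValueError:
        return False


# Constructed base rule set and site overlay (not vendor-supplied content)
BASE_MACROS = {
    "privileged_user": ("match", "user", r"^(root|Administrator|svc_[a-z]+)$"),
    "after_hours": ("or", ("range", "hour", 0, 5), ("range", "hour", 22, 23)),
    "external_src": ("not", ("match", "src", r"^10\.")),
}
BASE_RULES = {
    "priv_logon_after_hours": (("and", ("match", "action", "^logon$"),
                                ("macro", "privileged_user"), ("macro", "after_hours")), "high"),
    "external_logon": (("and", ("match", "action", "^logon$"), ("macro", "external_src")), "medium"),
}
SITE_MACROS = {"removable_media": ("match", "dest", r"^[D-Z]:\\")}
SITE_RULES = {
    "copy_to_removable_media": (("and", ("match", "action", "^file_copy$"),
                                 ("macro", "removable_media")), "medium"),
}

# Constructed events, as a syslog/Windows event parser would emit them
EVENTS = [
    {"user": "root", "action": "logon", "src": "10.0.0.5", "hour": 3},
    {"user": "alice", "action": "logon", "src": "203.0.113.7", "hour": 14},
    {"user": "bob", "action": "file_copy", "src": "10.1.1.9", "dest": r"E:\payroll.xlsx", "hour": 10},
]


def run(mode):
    """Load the base set, overlay the site set in the given mode, evaluate every event."""
    rs = RuleSet()
    rs.load(BASE_MACROS, BASE_RULES, mode="replace")
    rs.load(SITE_MACROS, SITE_RULES, mode=mode)
    return [rs.fire(ev) for ev in EVENTS]


if __name__ == "__main__":
    for mode in ("merge", "replace"):
        print(mode, run(mode))
```

Loading the site overlay in "replace" mode silently drops the two base rules, which is the operational risk behind the two modes: a merge keeps both sets live, a replace is only correct when the new set is known to be complete.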

B.8 Customizable Dashboards and Web Interface

CorreLog includes an ergonomic web interface with multiple UI features. The UI provides click-through drill-down groupings of alert information by node, group of nodes, network, group of networks, alert, group of alerts, category of alerts, category of nodes, and category of groups. CorreLog includes a highly customizable dashboard facility that allows users to drill down into other dashboards or into the detailed information behind a dashboard gadget. A full explanation of how CorreLog satisfies this requirement is found in the "CorreLog Screen Reference" manual. CorreLog's GUIs and APIs enable integration with Common Operating Pictures and secure configuration management solutions for enhanced situational awareness and compliance monitoring and reporting.

B.9 Support for PKI Authentication

CorreLog supports PKI authentication through standard extensions to the Apache server. Additionally, CorreLog Server runs on a variety of platform types (as opposed to an appliance-based approach), permitting the server platform to be standard PKI-compliant hardware of the customer's selection. For additional hardening, CorreLog can be configured to require the "two-man" rule for any solution modifications or configuration changes.

B.10 Multi-tenant / Restricted Operation

CorreLog supports "multi-tenant" operation (to permit different private views of data) in several different ways. The administrator can restrict an operator's view to: (1) a set of specific screens; (2) a set of specific items on each screen; (3) a single type of ticket; (4) a single type of dashboard; (5) a single type of report. Alert actions (such as sending email) can be restricted to particular device groups, user groups, or other groups. Device and user

B.11 Remote and Silent Updates

CorreLog Server and Agent programs can be installed and configured from an MSI package or from a remote command line. CorreLog does not require the machine to be rebooted after an installation. Detailed information on remote and silent installation is available in the CorreLog "Windows Tool Set" and "Unix Tool Set" manuals.

B.12 Auditing, Monitoring and Analysis Functions

CorreLog supports auditing, monitoring, reporting, and analysis using a variety of different features. The program includes: (1) a comprehensive internal audit facility; (2) device and user discovery; (3) device and user auditing; (4) high-speed indexed search; (5) a query interface; and (6) an ODBC interface. Additionally, CorreLog provides a variety of analytical tools, including a general-purpose log file analyzer and a SQL query tool. CorreLog includes a variety of reports and supports third-party reporting tools. CorreLog can also hand off alerts to forensic analytic solutions, including automatic invocation of action tools to take immediate mitigation steps where critical violations or behavioral anomalies are detected.

B.13 Support for McAfee ePO Framework

CorreLog, Inc. is a McAfee certified Security Innovation Alliance (SIA) partner and directly supports ePolicy Orchestrator (ePO) in bi-directional communications between CorreLog and ePO using the McAfee agent functions. CorreLog supports several different integration techniques. More information is found in the "CorreLog McAfee EPO User Manual".

B.14 SIEM Interoperability

CorreLog is a standards-based system that makes use of standard protocols such as Syslog, SNMP, HTTP, SSL, ODBC, XML, and other interfaces that permit easy integration to third party software including multiple ODBC data sources. CorreLog integrates with third-party SIEM vendors. CorreLog employs multiple techniques for sending data to other SIEM products, including McAfee ePO, but also any Syslog capable vendor or SNMP network manager.

B.15 Roll-up to Higher Level Applications

Each CorreLog server can act as a security agent for a larger management strategy, or as an agent for another security system, or other CorreLog server. CorreLog rolls up user information, preserving data such as the user’s source device name, address, message time, etc. CorreLog supports arbitrarily complex N-tiered management strategies including highly vertical, highly horizontal, virtualized, or a combination of these.

B.16 Support for Scalable and Multi-Tier Operation

The system architecture supports multiple copies of CorreLog that perform data collection and correlation services for specific regional divisions, or for specific applications or device types. The system scales horizontally, from a few dozen servers to potentially 1 million servers or more, accessible (given proper credentials) to a single group at a centralized management console.

B.17 Reduction of False Positives

CorreLog provides a number of auto-learning algorithms that dynamically generate alert instances for users. The alerts generated, based upon anomaly detection, can be used to tune both the type and amount of events being triggered. CorreLog employs multiple algorithms that can be used in various combinations to limit false positives using statistical methods.
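As an added example of the statistical approach (written for this page; the z-score threshold, warm-up period, minimum-count floor and the sample counts are assumptions, not CorreLog's own algorithms): per-entity daily counts are learned into a baseline, and a new count is flagged only when it is both several standard deviations above normal and above an absolute floor, with no verdict at all until enough history exists. The two guards are what keep a "4 failed logons against a mean of 1" event from paging anyone.

```python
"""Per-entity statistical baselines with two false-positive guards (added example,
not CorreLog's algorithms). Sample histories and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


class Baseline:
    def __init__(self, z_threshold=3.0, min_samples=7, min_count=5):
        self.history = defaultdict(list)   # "entity/metric" -> per-period counts
        self.z_threshold = z_threshold     # standard deviations above normal to alert
        self.min_samples = min_samples     # warm-up: no verdict until this much history
        self.min_count = min_count         # absolute floor: 4 failures vs a mean of 1 is noise

    def learn(self, key, count):
        self.history[key].append(count)

    def score(self, key, count):
        """z-score of count against the learned history, or None during warm-up."""
        hist = self.history[key]
        if len(hist) < self.min_samples:
            return None
        sigma = max(pstdev(hist), 1.0)     # floor: a flat baseline must not turn +1 into 10 sigma
        return (count - mean(hist)) / sigma

    def is_anomalous(self, key, count):
        z = self.score(key, count)
        return z is not None and z >= self.z_threshold and count >= self.min_count


# Constructed per-day counts, e.g. from "failed logon" and "file read" event tallies
HISTORY = {
    "alice/failed_logon": [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0, 2, 1],
    "svc_backup/file_read": [200, 210, 195, 205, 200, 198, 202, 204, 199, 201],
    "newhire/failed_logon": [0, 1, 0],                     # only three days of history
}
TODAY = {
    "alice/failed_logon": 4,        # z > 3 but below the absolute floor: suppressed
    "svc_backup/file_read": 260,    # far outside a tight baseline: alert
    "newhire/failed_logon": 6,      # warm-up not complete: no verdict yet
}


def train(history=HISTORY):
    b = Baseline()
    for key, counts in history.items():
        for c in counts:
            b.learn(key, c)
    return b


def evaluate(today=TODAY, history=HISTORY):
    """Return {key: anomalous?} for one period's counts."""
    b = train(history)
    return {key: b.is_anomalous(key, count) for key, count in today.items()}


if __name__ == "__main__":
    for key, verdict in evaluate().items():
        print(f"{key:24s} count={TODAY[key]:4d} anomalous={verdict}")
```

The warm-up guard matters most on new users and new devices, which otherwise generate a burst of anomalies on their first day simply because everything they do is "new"; the absolute floor matters most on low-volume entities, where a handful of events is statistically extreme but operationally meaningless.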

B.18 Command And Control

CorreLog provides user roles that permit modification to rules and configuration items (given proper PKI authentication.) These changes can be applied while CorreLog runs, without re-installing the software. Changes can be pushed from the central console to agent programs or other copies of CorreLog. The entire operation is logged, including success or failure of the operation, and the cause of any failure (such as an authentication error or a misconfiguration of the system.)

B.19 General and Technical Support

CorreLog includes multiple software features that facilitate support and maintenance, including well-documented customer service screens and debug options (to assist support technicians) and an architecture that permits easy installation of service packs and upgrades. CorreLog includes a "plug-in" capability that allows installation of special features specific to an organization. With regard to human technical support, CorreLog employs a trained staff of engineers and technicians, offers 24 x 7 technical support options, and maintains technical partnerships with various worldwide organizations, including system integrators that have DoD-cleared engineers and technicians.

B.20 Support For Best Practices

CorreLog comes ready-to-run with a set of generic configuration rules and reports. As needed, these configuration items can be replicated and refined to provide highly specific anomaly detection and alerting based upon the user's requirements. CorreLog can be configured to initiate alerts based upon user-defined severity associated with events, or patterns of events.

B.21 Training

CorreLog includes extensive documentation, context-sensitive help, training videos, and 24 x 7 support options. To assist in easy operation, the program includes multiple setup wizards that guide new users through the process of creating threads, alerts, triggers, and other items, as well as non-wizard configuration for more advanced users. CorreLog provides optional onsite training through its professional services department.

For Additional Information…

Detailed specifications regarding the CorreLog Server, add-on components, and resources are available from our corporate website. Test software may be downloaded for immediate evaluation. Additionally, CorreLog is pleased to support proofs of concept, and to provide technology proposals and demonstrations on request. CorreLog, Inc., a privately held corporation, has produced software and framework components used successfully by hundreds of government and private operations worldwide. We deliver security information and event management (SIEM) software, combined with deep correlation functions and advanced security solutions. CorreLog markets its solutions directly and through partners. We are committed to advancing and redefining the state of the art of system management, using open and standards-based protocols and methods. Visit our website today for more information.

CorreLog, Inc. http://www.CorreLog.com mailto:[email protected]
