The Applied Watch Command Center is a robust management platform for the open source SNORT® IDP and other open source security applications relied upon in the enterprise. The Command Center comprises three components in its architecture that make it the most flexible and powerful management framework for managing open source in the enterprise.
The Applied Watch Command Center allows the customer to install and manage any version of the Snort® IDS from www.snort.org. Because Applied Watch does not modify and redistribute Snort®, Applied Watch customers are able to go directly to www.snort.org, download and install the new release, and have it immediately managed and controlled from the Applied Watch Command Center.
Applied Watch is the first commercial SIM solution to support Snort-Inline. With the recent integration of the Snort-Inline codebase into the snort.org Snort® project, both versions of Snort® in inline (IPS) mode are supported by the Command Center. Users can create inline policies and configure particular Applied Watch Agents as inline-enabled. Events from inline-enabled Agents that have rules set to drop will show as dropped in the Action Taken column of the Applied Watch Dashboard.
Using Syslog-NG support, users can point any number of Cisco Pix firewalls at an Applied Watch Agent and have those Cisco Pix firewall alerts aggregated and normalized by the Applied Watch Command Center for correlation with Snort® IDS events.
Rulesets and snort.conf settings can all be managed from within the Applied Watch Policy Manager, a unique approach to managing hundreds or thousands of different Snort® rules and settings from a single view. All components and settings of the snort.conf file have been broken up into individual GUI fields. Everything from Snort® preprocessors to output settings can be managed and created from the Applied Watch Policy Manager. To cater to expert Intrusion Analysts who do not wish to use the Policy Manager's Graphical User Interface (GUI) to create and edit rules, the Advanced Editor window in every Snort® signature screen lets them copy/paste Snort® signatures from third party sources or mailing lists, or create Snort® signatures from scratch.
As events are sent to the Applied Watch Server from remote disparate Agents, the Applied Watch Server normalizes the events, breaks each packet up by individual layers and aggregates them into the backend PostgreSQL database. This provides an aggregated alert view from within the Applied Watch Dashboard. Instead of the user having to filter through hundreds of the same event from within the Dashboard, a single alert is shown, aggregated by the Snort® Signature ID (SSID).
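The normalize-then-aggregate step described above, and the Syslog-NG feed of Cisco Pix alerts correlated with Snort® events, can be illustrated with a small parser. The following is an added example written for this page, not Applied Watch code: it reads constructed Snort® fast-alert lines and constructed Cisco Pix "106023 Deny" syslog lines, maps both into one event schema, and collapses repeated events into a single row per signature. The Pix severity-to-priority mapping is an assumption chosen for the example.

```python
"""Normalize Snort fast-alert lines and Cisco PIX syslog lines into one
schema, then aggregate by signature so repeated events collapse to one row.
Added example for illustration; sample log lines below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Snort "alert_fast" output format, e.g.
# 01/15-10:23:45.123456  [**] [1:2003:8] MSG [**] [Classification: X] [Priority: 2] {UDP} a.b.c.d:p -> e.f.g.h:q
SNORT_FAST = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Cisco PIX access-list deny message (%PIX-<severity>-106023), searched inside
# the syslog line so a timestamp/hostname prefix added by Syslog-NG is fine.
PIX_DENY = re.compile(
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}):\s+Deny\s+(?P<proto>\w+)\s+"
    r"src\s+\w+:(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"dst\s+\w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Event:
    source: str          # "snort" or "pix"
    signature: str       # "gid:sid" for Snort, "PIX-<msgid>" for the firewall
    msg: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    priority: int        # 1 = high, 2 = medium, 3 = low (Snort convention)


def normalize(line: str) -> Optional[Event]:
    """Map one raw log line to the common schema, or None if unrecognised."""
    m = SNORT_FAST.match(line)
    if m:
        return Event("snort", f"{m['gid']}:{m['sid']}", m["msg"], m["proto"].lower(),
                     m["src"], int(m["sport"]) if m["sport"] else None,
                     m["dst"], int(m["dport"]) if m["dport"] else None, int(m["pri"]))
    m = PIX_DENY.search(line)
    if m:
        sev = int(m["sev"])
        # Assumed mapping: PIX severities 0-2 -> high, 3-4 -> medium, 5-7 -> low.
        priority = 1 if sev <= 2 else 2 if sev <= 4 else 3
        return Event("pix", f"PIX-{m['msgid']}", f"PIX deny {m['proto']}", m["proto"].lower(),
                     m["src"], int(m["sport"]), m["dst"], int(m["dport"]), priority)
    return None


def aggregate(lines):
    """Collapse events into one row per signature with a hit count and the
    distinct source/destination addresses seen, mirroring an aggregated view."""
    rows = {}
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue  # unparsed lines would be logged separately in a real system
        row = rows.setdefault(ev.signature, {"source": ev.source, "msg": ev.msg,
                                             "priority": ev.priority, "count": 0,
                                             "srcs": set(), "dsts": set()})
        row["count"] += 1
        row["srcs"].add(ev.src)
        row["dsts"].add(ev.dst)
    return rows


# Constructed sample input: three hits of one Snort rule, one local rule, two PIX denies, one junk line.
SAMPLE_LOG = [
    "01/15-10:23:45.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.0.10:1434",
    "01/15-10:23:45.223456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.0.11:1434",
    "01/15-10:23:45.323456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.6:1434 -> 192.168.0.12:1434",
    "01/15-10:23:50.000001  [**] [1:1000001:1] LOCAL ICMP sweep [**] [Priority: 3] {ICMP} 10.1.1.7 -> 192.168.0.10",
    'Jan 15 10:23:46 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/3342 dst inside:192.168.0.10/445 by access-group "outside_in"',
    'Jan 15 10:23:47 fw01 %PIX-4-106023: Deny udp src outside:203.0.113.5/1025 dst inside:192.168.0.10/1434 by access-group "outside_in"',
    "Jan 15 10:23:48 fw01 not a PIX event we recognise",
]

if __name__ == "__main__":
    for sig, row in aggregate(SAMPLE_LOG).items():
        print(f"{sig:12} x{row['count']:<3} pri={row['priority']} {row['msg']}  srcs={sorted(row['srcs'])}")
```

The dashboard row count is the value an analyst actually wants: three identical worm-propagation alerts become one line with a count of 3 and the two attacking hosts listed, while the firewall denies from the same outside address sit beside them under a separate signature key.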
Unlike other Snort® management solutions that are browser based, the Applied Watch Command Center Dashboard is written purely in Java, allowing a browserless desktop where event windows can be separated into their own individual alert views. Other solutions that rely on the web browser shovel all events into a single alert table that creates a colored mess of different event criticality levels. Using the Applied Watch Command Center, administrators can close the Medium and Low alert view windows and concentrate only on the High alerts table. Each column offers collapsible pivot tables that allow the administrator to pick up a column and move it to another location of the event window.
Using the Applied Watch Policy Manager, administrators can "right-click" on any Snort® signature and create a notification for that rule. Applied Watch has pushed the envelope on email alerts by going above and beyond simple alerting, offering more granular settings for how, when, and why email alerts are sent on an event. Thresholding capabilities have been added to the email alerts that allow the administrator to specify how many emails are sent and what the body of the email should say. Additionally, going beyond the alerting capabilities of the signature itself, the administrator can specify the source and destination IP addresses of the attack that must match in order for the email alert to fire.
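To make the thresholding semantics concrete, here is an added example (not Applied Watch's notification code) of a per-signature notification rule: at most N emails per time window, a body template, and optional source/destination network restrictions that must match before the alert fires. The rule fields, the sliding-window reset behaviour and the sample alerts are all assumptions constructed for the illustration.

```python
"""Per-signature email notification rule with thresholding and IP scoping.
Added example for illustration; alerts below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Alert:
    sid: int
    src: str
    dst: str
    ts: float  # seconds since epoch (constructed values in the sample)


@dataclass
class NotificationRule:
    sid: int
    max_emails: int            # emails allowed per window for this rule
    window_seconds: float
    body: str                  # template with {sid}, {src}, {dst} placeholders
    src_net: Optional[str] = None  # fire only if attacker address is inside this network
    dst_net: Optional[str] = None  # fire only if victim address is inside this network
    window_start: Optional[float] = None  # thresholding state
    sent_in_window: int = 0

    def matches(self, a: Alert) -> bool:
        """Signature and optional address scoping, evaluated before thresholding."""
        if a.sid != self.sid:
            return False
        if self.src_net and ip_address(a.src) not in ip_network(self.src_net):
            return False
        if self.dst_net and ip_address(a.dst) not in ip_network(self.dst_net):
            return False
        return True

    def evaluate(self, a: Alert) -> Optional[str]:
        """Return the rendered email body if this alert should notify, else None.
        The window restarts on the first matching alert after it has expired."""
        if not self.matches(a):
            return None
        if self.window_start is None or a.ts - self.window_start >= self.window_seconds:
            self.window_start = a.ts
            self.sent_in_window = 0
        if self.sent_in_window >= self.max_emails:
            return None  # threshold reached: suppressed, but still a Dashboard event
        self.sent_in_window += 1
        return self.body.format(sid=a.sid, src=a.src, dst=a.dst)


def run_rules(rules: List[NotificationRule], alerts: List[Alert]) -> List[str]:
    """Feed alerts (in time order) through every rule; return bodies that would be mailed."""
    sent = []
    for a in alerts:
        for r in rules:
            body = r.evaluate(a)
            if body is not None:
                sent.append(body)
    return sent


# Constructed sample: SID 2003 from the internal net against one subnet, 2 emails per 60 s.
SAMPLE_RULE = NotificationRule(sid=2003, max_emails=2, window_seconds=60,
                               body="Snort SID {sid}: {src} -> {dst}",
                               src_net="10.0.0.0/8", dst_net="192.168.1.0/24")
SAMPLE_ALERTS = [
    Alert(2003, "10.0.0.5", "192.168.1.10", 0.0),      # mailed (1 of 2)
    Alert(2003, "10.0.0.5", "192.168.1.10", 5.0),      # mailed (2 of 2)
    Alert(2003, "10.0.0.5", "192.168.1.10", 10.0),     # suppressed by threshold
    Alert(2003, "203.0.113.9", "192.168.1.10", 15.0),  # source outside src_net: no match
    Alert(1000001, "10.0.0.5", "192.168.1.10", 20.0),  # different SID: no match
    Alert(2003, "10.0.0.6", "192.168.1.11", 70.0),     # new window: mailed
]

if __name__ == "__main__":
    for body in run_rules([SAMPLE_RULE], SAMPLE_ALERTS):
        print("EMAIL:", body)
```

Keeping the match test separate from the threshold counter matters: an alert that fails the address scoping must not consume the email budget, otherwise unrelated sources could silence the notification for the very traffic the rule was written for.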
Using the latest encryption standards from NIST, the Applied Watch Command Center encapsulates ALL traffic between remote Dashboard users and Agents in an AES-256 encrypted tunnel. Absolutely no data is passed in clear text between the individual components of the Command Center.
Unlike competing solutions, the Applied Watch Command Center offers administrators two separate options for updating their Snort® rules. The first is an auto-update feature, which goes through all rulesets in all Snort® policies and updates every single signature without confirmation. The second option, unique to Applied Watch, allows the administrator to review each downloaded signature through a wizard-style multi-view screen. This prevents unauthorized signature updates and provides change control currently unmatched by other Snort® management systems.
Different role-based user accounts can be created, allowing the Administrator to create unprivileged Dashboard accounts for analysts who are prevented from doing any tasks besides event monitoring. This allows for strict privilege separation and role-based user access. Additionally, groups can be created where analysts are assigned to IDSs. Removing users from the Global group and assigning them to other groups prevents those users from seeing IDS alerts from sensors that are not a part of their group.
The Applied Watch Command Center was the first to market with event journal capabilities allowing administrators to create journals and manage reports when investigating events. Events can be marked as false positives preventing other analysts from wasting time investigating events that have already been reviewed.
Custom query searches can be run on the database of events, which includes custom query searches on source and destination IP addresses, Snort® Signature IDs, source and destination port numbers, as well as queries per individual Agents or groups of Agents.
Unsurpassed by the reporting capabilities of other solutions, the Applied Watch Command Center offers over 20 different report templates, both Executive for management and technical for engineers. All reports can be individually drilled down into for further HEX and payload analysis. Each report offers rich 3D graphs that can be clicked on for further event details. Several output formats exist for reports, including Adobe PDF and CSV.
As of Version 3.0 Guardian, the Applied Watch Command Center provides fully integrated support for the open source Nessus vulnerability scanner. Administrators can browse all Nessus plugins via a graphical user interface from within the Applied Watch Dashboard, review attack plugin descriptions, enable/disable plugins, compare old scans with new, create custom Nessus scans, store addresses in a virtual Nessus address book, mark findings as false positives, identify which vulnerabilities have been fixed since the last scan performed, schedule scans to run at particular times, and identify newly added and removed systems since the last Nessus scan performed.
Applied Watch is continuously adding new support for popular open source projects and commercial products. Included in this is LaBrea Tarpit, a "sticky honeypot". LaBrea Tarpit works by impersonating unused IP addresses and responding to requests sent to them. Requests to unused IP addresses are more often than not bad traffic, worm propagation attempts, or otherwise malicious in nature. LaBrea staves off these attempts, including worm propagation, by trapping the worms inside the honeypot. This is accomplished by responding to connection attempts with a TCP window size of "0" in the packet. The Applied Watch Command Center offers full support for LaBrea, providing analysts a clear view of events trapped by LaBrea with an Action Taken column label of "Tarpitted". Analysts who see these types of events can notify firewall administrators or take other courses of action to prevent the IP address from further access to the protected network.
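The zero-window trick described above is visible in the TCP header itself, so an analyst can label tarpitted connections from a capture. The following added example (written for this page, not LaBrea or Applied Watch code) decodes a raw 20-byte TCP header with the standard library and assigns an "Action Taken" label of "Tarpitted" to a SYN/ACK whose window size is 0, following the page's description of LaBrea's response. The header bytes are constructed for the example.

```python
"""Label TCP replies as "Tarpitted" when a SYN/ACK carries a zero window,
the behaviour described for LaBrea. Added example; sample headers are constructed."""
import struct
from typing import Dict, List

TCP_HDR = struct.Struct("!HHIIHHHH")  # sport, dport, seq, ack, offset+flags, window, csum, urgptr
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def decode_tcp_header(hdr: bytes) -> Dict[str, int]:
    """Parse the fixed part of a TCP header (options, if any, are ignored)."""
    if len(hdr) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = TCP_HDR.unpack_from(hdr)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": off_flags >> 12,   # header length in 32-bit words
        "flags": off_flags & 0x1FF,       # low 9 bits carry the control flags
        "window": window,
    }


def action_taken(hdr: bytes) -> str:
    """Dashboard-style label: a SYN/ACK reply advertising window 0 is the
    tarpit signature; any other segment gets the neutral "Detected" label."""
    f = decode_tcp_header(hdr)
    syn_ack = (f["flags"] & (FLAG_SYN | FLAG_ACK)) == (FLAG_SYN | FLAG_ACK)
    if syn_ack and f["window"] == 0:
        return "Tarpitted"
    return "Detected"


def build_tcp_header(sport: int, dport: int, flags: int, window: int) -> bytes:
    """Helper to construct sample headers (data offset 5 = no options)."""
    return TCP_HDR.pack(sport, dport, 1000, 2001, (5 << 12) | flags, window, 0, 0)


# Constructed replies from a "server" on port 445 to a probe from port 40000.
SAMPLE_REPLIES: List[bytes] = [
    build_tcp_header(445, 40000, FLAG_SYN | FLAG_ACK, 0),      # LaBrea-style zero window
    build_tcp_header(445, 40000, FLAG_SYN | FLAG_ACK, 65535),  # ordinary handshake reply
    build_tcp_header(445, 40000, FLAG_ACK, 0),                 # plain zero-window ACK: flow control, not a tarpit
]


def label_replies(replies: List[bytes]) -> List[str]:
    return [action_taken(r) for r in replies]


if __name__ == "__main__":
    for r, label in zip(SAMPLE_REPLIES, label_replies(SAMPLE_REPLIES)):
        print(f"{decode_tcp_header(r)['window']:>5}  {label}")
```

A zero window on its own is ordinary TCP flow control, which is why the check insists on the SYN/ACK flags as well; labelling every zero-window segment would flood the Dashboard with legitimate traffic from busy hosts.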
The Command Center provides support for aggregation of Windows Event Logs sent from Windows workstations and servers. Using the free Snare Syslog client for Windows, users can point an unlimited number of Windows hosts at an Applied Watch Agent, enable Syslog-NG on the Agent, and immediately begin aggregating and correlating events from remote Windows hosts with events from their Snort® IDSs and other supported devices.
Unique to the Command Center, admins can quickly suppress detected Denial of Service (DoS) attacks against their IDS sensors by using the "Ignore Events" feature built into the Dashboard. This quickly silences particular SIDs, or ALL SIDs, from firing within the system until the policies can be tuned or appropriate action can be taken against the events.
Additional vulnerability and IDS signature information can be gleaned with the single click of a mouse from within the Policy Manager when managing Snort® IDS signatures. Link windows to the CVE, Snort.org, Nessus, and McAfee databases exist for the admin to quickly read more information on a signature when tuning policies. Additionally, a custom tab is available that allows the admin to reference custom URLs added to a Snort® signature or create a custom URL to an intranet portal or web site of choice.
Oft-times, administrators will use manual backup procedures for backing up Snort® rules that can quickly become cumbersome across multiple sensors. Through a unique policy backup and restore system, administrators can quickly recover from failed rule download attempts or rules with illegal syntax that have brought down remote Snort® sensors, with a single click of the mouse, and have them all up and running in seconds.
In addition to support for Cisco Pix firewalls, users can also cross-correlate and manage alerts from remote Netscreen firewalls using the Applied Watch Command Center.
As the first-ever enterprise open source security management suite, the Applied Watch Command Center also provides native support for the ClamAV preprocessor. This unique feature allows for the elimination of viruses at the perimeter, relieving a majority of burden from end-point antivirus solutions.