A Deep-Dive Review of the WADJET System
by Logan G. Harbaugh
Security Information and Event Management (SIEM) systems are collections of tools that capture data from security appliances across the enterprise (firewalls, intrusion detection and intrusion prevention systems, proxy servers, network access control systems and VPN systems), extract and analyze the log data, and either make recommendations or reconfigure the appliances to enhance network security.
The SIEM systems themselves are typically complex, including several types of servers such as web, app, database and analysis engines, and they can also be complex to configure – even with automatic discovery of devices, they need login credentials, configuration of log parsing, event management to determine what to do when problems are discovered, etc.
Due to this complexity, reviewing a SIEM system in a real-world production environment typically requires a large, complex network, and most organizations that have such networks are reluctant to allow outsiders access. For the purposes of this review, I received a system with all the appropriate servers pre-configured, and the database populated with data captured on a real network.
To address the complexity of SIEM systems, WADJET is billed as the first Visualization SIEM, combining visualization of live network traffic with detailed monitoring of security events, correlation and analysis of the data and execution of control measures to remediate security incidents and close security holes.
This visualization system is a real advance over other systems – it allows you to easily identify problems in a large, complex network without having to click through a long set of pop-ups from a dashboard, or parse a long list of events. Instead you can see the entirety of your network on one screen, and still identify potential attacks or issues without having to zoom in and out.
The visualization system includes a drawing mode that shows packets of data in motion, or flows of network traffic moving between devices. You can view data by IP address block, or in a topology view that shows where problematic traffic is occurring, such as malware inspecting other systems on the network or faulty packets being sent by a corrupted network driver.
Alerts can be visual, with a logo that indicates the type of appliance, and a position that indicates the attack source or destination, with size and rotation speed that show how recent the alert is, and the total number of alerts. Filters can show alerts within a specified time frame, the alert level as specified during configuration, or type of security appliance generating the alert.
Figure 1: The WADJET visual interface
The system is necessarily somewhat complex, since it supports an infrastructure for enterprise-wide network monitoring and control that collects and manages real-time network data from a number of network segments, each with its own security appliances, switches and other network devices. The Management Server manages any number of other WADJET systems. One or more Sensor Systems extract packet header data from network traffic and forward it to the Gate System. The Gate System receives the packet data and forwards it to the WADJET data bus in multicast mode. The Alert Collection System extracts character strings from the syslogs forwarded by security appliances and parses the logs according to the parameters set for each appliance. All the data is saved in the Alert DB and is forwarded to the Analysis System at the same time. The Analysis System analyzes the log information from the Alert Collection System and saves the resulting analysis in the Analyze DB. The Actuation System modifies policies on the security appliances based on the data collected.
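To make the Sensor-to-Analysis part of that pipeline concrete, here is an added example that is not WADJET code and not taken from the review. It models what a sensor does when it keeps only packet header data: it unpacks the IPv4 and TCP headers from raw packet bytes into a small header record, then an analysis step looks for the pattern the visual interface is meant to surface, one host touching many peers on the same port. The packet builder, the `find_probing_hosts` threshold and the 10.0.5.0/24 addresses are all constructed for the example; the packets are synthetic with zero checksums, not captured traffic.

```python
import socket
import struct
from collections import defaultdict


def build_packet(src, dst, sport, dport):
    """Construct a minimal IPv4 + TCP SYN packet (synthetic: checksums are left at zero)."""
    ver_ihl = (4 << 4) | 5                      # IPv4, 5 x 32-bit words of header
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         ver_ihl, 0, 40, 0, 0, 64, 6, 0,   # ttl 64, protocol 6 = TCP
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # flags 0x02 = SYN
    return ip_hdr + tcp_hdr


def extract_header(packet):
    """Sensor step: keep only the header fields, never the payload. Returns None for non-IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4               # header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport = dport = None
    if proto in (6, 17) and len(packet) >= ihl + 4:   # TCP or UDP carry ports first
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


def find_probing_hosts(headers, min_peers=5):
    """Analysis step: flag sources that contact at least min_peers distinct (dst, dport) pairs."""
    peers = defaultdict(set)
    for h in headers:
        peers[h["src"]].add((h["dst"], h["dport"]))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


# Constructed sample: one host sweeps eight neighbours on 445, another host talks normally to one server.
SAMPLE_PACKETS = [build_packet("10.0.5.23", f"10.0.5.{i}", 40000 + i, 445) for i in range(1, 9)]
SAMPLE_PACKETS += [build_packet("10.0.5.40", "10.0.5.10", 51000 + i, 443) for i in range(2)]


def sample_headers():
    """Run the sensor step over the constructed packets, dropping anything that is not IPv4."""
    return [h for h in (extract_header(p) for p in SAMPLE_PACKETS) if h is not None]


if __name__ == "__main__":
    print(find_probing_hosts(sample_headers()))   # {'10.0.5.23': 8}
```

The threshold and window are the kind of knobs a real sensor exposes; keeping only the 5-tuple is what lets many sensors forward to a shared bus without shipping payloads across the network.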
Once data has been collected, the visual display of the results is what makes WADJET special. Rather than a list of devices with statistics that don’t reveal much to the untrained eye, the WADJET system uses a visual representation of each level of subnet, shown in Figure 1 above, which shows flows of information between devices and highlights the severity of each identified action on the network, though list views are also available for
Figure 2: Typical WADJET architecture
While the WADJET system is not intended as a network management system, but as a SIEM security system, it performs some of the same functions, interfacing with and sending commands to a variety of network appliances. The discovery and automation of network functions is crucial to getting SIEM systems to work, and one of the most difficult parts of installing and configuring the system is adding in all the devices to be monitored. The system allows the administrator to identify a problem at the top level of the network, and drill down easily through subnets to the devices with problems.
Figure 3: Devices supported
One of the crucial indicators of how well the auto-discovery and management features will work is the number of security appliances and vendor APIs supported. The WADJET system supports a substantial number of mainstream devices from vendors including Cisco, Fortinet, Juniper, McAfee and Palo Alto, and, of course, you can also create custom support templates using regular expressions. Support for the structure and verbiage of the log files is also critical, to ensure that syslogs are properly interpreted and that the appropriate actions are taken when issues are identified.
Building rules for detecting problems and taking actions is not supported yet, but it is planned to be simple in either the visually-oriented or the list-oriented interface, allowing administrators to build if-then-else rules as complex as necessary, with context-sensitive help that does a good job of explaining what the options are at each level of control.
The flows of data between devices can be captured, displayed and re-played on command, making it simpler to support decisions after the fact by re-playing the exact behaviors that might have led to a system being isolated or re-configured. Since the actual traffic can be re-created, it can also be used to test configurations of appliances to ensure that they can properly handle recurrences of the same type of problem.
For supported devices, identification of problems does not require the administrator to have deep knowledge of the types of alerts to be created or what the exact commands are that a given appliance would send. The AI system that parses and interprets the log files from various network devices and security appliances automatically configures itself to identify the important commands and what the likely causes and repercussions of the alerts are.
For systems that are not yet supported automatically, defining analysis rules to parse the logs can be done manually, adding the syntax necessary to analyze and interpret the data.
Once alerts have been created, the WADJET system can alert administrators as well as taking automatic action. The alert system is programmable in terms of the severity of alerts, ensuring that admins are not overwhelmed with unnecessary multiple alerts for a single related problem. The levels of information provided in the alerts are also configurable, allowing the system to provide enough detail to resolve problems without overwhelming the system or the administrators with large text files that must be parsed to discover the real problem.
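The custom regular-expression templates mentioned earlier, the manual analysis rules for unsupported devices, and the severity handling described in this paragraph all come down to the same mechanism, so here is one added example covering all three. It is illustrative code, not WADJET's template format or any vendor's log syntax: the two templates, the `fw-generic` and `ids-generic` appliance types, the sample syslog lines and the five-minute collapse window are all constructed for the example. Each template turns a raw line into a normalized alert with a severity, and the collapse step folds repeats of the same problem into a single alert with a count so an administrator is not paged four times for one event.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed template formats (not any real vendor's syntax). Each template gives a
# regex with named groups plus two rules: how to derive severity and a signature name.
TEMPLATES = {
    "fw-generic": {
        "pattern": re.compile(
            r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<action>\w+) "
            r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"),
        "severity": lambda m: "medium" if m["action"] == "deny" else "info",
        "signature": lambda m: "fw-" + m["action"],
    },
    "ids-generic": {
        "pattern": re.compile(
            r"^(?P<ts>\S+) (?P<host>\S+) ids: \[(?P<sig>[^\]]+)\] "
            r"priority=(?P<prio>\d) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"),
        "severity": lambda m: {"1": "high", "2": "medium"}.get(m["prio"], "low"),
        "signature": lambda m: m["sig"],
    },
}
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Alert:
    ts: datetime
    host: str
    src: str
    dst: str
    signature: str
    severity: str
    count: int = 1


def parse_line(appliance_type, line):
    """Apply the template registered for this appliance type; None if no template or no match."""
    tpl = TEMPLATES.get(appliance_type)
    if tpl is None:
        return None
    m = tpl["pattern"].match(line)
    if m is None:
        return None
    return Alert(ts=datetime.fromisoformat(m["ts"]), host=m["host"], src=m["src"],
                 dst=m["dst"], signature=tpl["signature"](m), severity=tpl["severity"](m))


def collapse(alerts, window=timedelta(minutes=5)):
    """Fold repeats of the same (host, src, signature) seen within `window` of the first
    occurrence into that first alert, incrementing its count. Returns alerts in time order."""
    first_seen = {}
    kept = []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.host, a.src, a.signature)
        prev = first_seen.get(key)
        if prev is not None and a.ts - prev.ts <= window:
            prev.count += 1
            continue
        first_seen[key] = a
        kept.append(a)
    return kept


def actionable(logs, min_severity="medium"):
    """Parse, collapse, then keep only alerts at or above the configured severity."""
    parsed = [parse_line(t, line) for t, line in logs]
    floor = SEVERITY_ORDER[min_severity]
    return [a for a in collapse([p for p in parsed if p is not None])
            if SEVERITY_ORDER[a.severity] >= floor]


# Constructed sample feed: four identical denies in under two minutes, one allow,
# one IDS hit, and one line no template understands.
SAMPLE_LOGS = [
    ("fw-generic", "2024-06-01T10:00:00 fw1 fw: action=deny src=192.0.2.10 dst=10.0.0.5 dport=22"),
    ("fw-generic", "2024-06-01T10:00:20 fw1 fw: action=deny src=192.0.2.10 dst=10.0.0.5 dport=22"),
    ("fw-generic", "2024-06-01T10:00:45 fw1 fw: action=deny src=192.0.2.10 dst=10.0.0.5 dport=22"),
    ("fw-generic", "2024-06-01T10:01:10 fw1 fw: action=deny src=192.0.2.10 dst=10.0.0.5 dport=22"),
    ("fw-generic", "2024-06-01T10:01:30 fw1 fw: action=allow src=10.0.0.7 dst=10.0.0.5 dport=443"),
    ("ids-generic", "2024-06-01T10:02:00 ids1 ids: [probe-smb] priority=1 192.0.2.10 -> 10.0.0.5"),
    ("ids-generic", "2024-06-01T10:02:05 ids1 garbled line with no template match"),
]

if __name__ == "__main__":
    for a in actionable(SAMPLE_LOGS):
        print(a.severity, a.signature, a.src, "x" + str(a.count))
```

Lines that match no template are returned as `None` rather than raising, which is where a product would queue the unknown format for the administrator to write a new template; the collapse key deliberately leaves out `dst`, so a source hitting several destinations with the same signature still shows as one alert with a rising count.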
The self-help system is also important – with multiple database servers and potentially multiple instances of different databases, diagnosing connectivity issues between the different components of the system is critical, as are messages that can actually lead administrators to the causes of any problems. The WADJET system is designed with this multi-tier nature in mind, and can find and help the administrator fix problems with the system.
A system that can monitor, control and diagnose problems with an enterprise-wide network, potentially encompassing thousands of devices is not a simple thing to create. Obviously, testing and evaluating such a system is also not simple. Production networks are seldom the homogeneous, single-vendor systems that would make setting up and creating a SIEM system easy or simple. Therefore, the handling of exceptions becomes crucial. The WADJET system makes this process as simple as it can be, finding systems that it doesn’t ‘understand’ and enabling the administrator to create analysis rules to support devices that are not behaving as expected.
For a system intended to be the one system to support security devices from many different vendors, the WADJET system does a good job of finding, evaluating and fixing security problems in a large network. What isn’t supported out of the box can be supported through the addition of custom templates of rules that are tailored for the syslogs and APIs of the additional devices.
Any SIEM system should be tested in your environment to find out how many of your devices are supported out of the box and how many will require customization to support. The WADJET system is relatively simple to install, supports a good variety of security appliances, and should be on the list to evaluate for enterprises with multiple locations and subnets to support. The ability to add additional sensor systems for each subnet or location makes it simple to collect data and send only the important information back to the central management server.