Skip to content Skip to main navigation Skip to footer

Tag: Cyfin

SSL Inspection with Firewalls: Challenges and Effective Solutions

Strain on Firewall Performance

In our ever-evolving digital landscape, the focus on cybersecurity and data integrity has never been higher. SSL inspection, which is the process of decrypting and inspecting HTTPS traffic to monitor and regulate web content, is one way organizations aim to boost their cybersecurity posture. Many businesses trust their firewalls to undertake this task, but as technology advances, this approach presents several challenges:

1. Strain on Firewall Performance

The computational load required to perform SSL inspection can be demanding, and this additional burden may affect a firewall’s core functions. If a firewall is overtaxed with decrypting and inspecting traffic, its primary responsibility—shielding your network from threats—may suffer.

2. Limited SSL Inspection Capabilities

Not all firewalls are created equal. While some might possess robust SSL inspection capabilities, others might offer limited functionality or none at all. If you’re relying on a firewall without the necessary capabilities, your organization’s web traffic remains largely unseen.

3. Emerging Encryption Technologies

With encrypted DNS (DoH) and Encrypted Client Hello becoming increasingly popular, firewalls will find it increasingly challenging to intercept and examine traffic. These encryption advancements can limit the efficacy of even the most sophisticated firewalls, rendering them less effective for SSL inspection.

Given these challenges, many experts suggest looking beyond firewalls for SSL inspection.

Proxy-Based Solutions: The Way Forward

For environments seeking comprehensive SSL inspection without overloading their firewall, proxy-based solutions are often the ideal answer. These solutions are specifically crafted to execute SSL inspection tasks, offering detailed monitoring and reporting on employee web activity.

One of the trusted names in this arena is Wavecrest Computing. With nearly three decades in the field, Wavecrest has designed tools like Cyfin and CyBlock to address the specific challenges of SSL inspection.

CyBlock stands out as a premium choice for those in need. Not only does it offer the extensive monitoring and reporting features found in Cyfin, but it can also filter web access in real-time if desired. For businesses solely seeking SSL inspection, monitoring, and reporting, CyBlock fits the bill perfectly.

In Conclusion

Relying solely on a firewall for SSL inspection can lead to potential vulnerabilities and performance issues. As encrypted web traffic becomes the norm and emerging encryption technologies come into play, the challenges will only increase. Solutions like Cyfin and CyBlock from Wavecrest Computing can help businesses rise to these challenges, ensuring robust cybersecurity while providing detailed insights into web activity. If your current setup falls short or you’re aiming to optimize SSL inspection without taxing your firewall, Wavecrest offers the specialized solutions you need.

v9.6.5 Release Notes for Cyfin

Enhancements

  • Health
    • Added new Health status page to display the current state of different components in the product through Health Modules. These modules can be configured to trigger notification alert emails when an error is detected. The following modules are currently available:
      • License Expiration – Checks the number of days left on the license and can trigger warning and error notifications based on days left.
      • Syslog Inactivity – Checks active syslog ports for data being sent and triggers alert when no data is received in a configurable time period. Module also checks for valid data being received instead of just any data and triggers different error alert accordingly.
  • Reporting
    • Dashboard
      • Visualizer
        • Added an extensive library of preconfigured charts for users to select when creating new panels.
  • Library
    • Updated product to use most recent MySQL library (8.0.33).

Corrections

  • Dashboard
    • Removed “AVG Daily Usage” and “AVG Daily Ingestion” tiles because metric is not useful when combined with metric data removal as it is currently. Results include large possible negative numbers. 

v9.6.4.b Release Notes for Cyfin

Enhancements

  • Visualizer
    • Added support for Microsoft defender reporting.

Corrections

    • Data Management
      • Syslog
        • Corrected issue that could cause direct syslog imports to stop working upon a service restart. The file writer continued to work, just the metric server stop receiving the data directly. This was caused by the syslog server attempting to start before the importer had been initialized.
    • Visualizer
      • Corrected aggregation on nested fields

Defender Data Source Field Definitions

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Field NameDefinition
incidentIdUnique identifier to represent the incident
redirectIncidentIdOnly populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
incidentNameString value available for every incident.
createdTimeTime when incident was first created.
lastUpdateTimeTime when the incident was last updated on the backend.This field can be used when you’re setting the request parameter for the range of time that incidents are retrieved.
assignedToOwner of the incident, or null if no owner is assigned.
classificationThe specification for the incident. The property values are: Unknown, FalsePositive, TruePositive
determinationSpecifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other
detectionSourceSpecifies source of detection.
statusCategorize incidents (as Active, or Resolved). It can help you organize and manage your response to incidents.
severityIndicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.One of the following values: Informational, Low, *Medium, and High.
tagsArray of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
commentsArray of comments created by secops when managing the incident, for example additional information about the classification selection.
alertsArray containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts.
alertIdUnique identifier to represent the alert
incidentIdUnique identifier to represent the incident this alert is associated with
serviceSourceService that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365.
creationTimeTime when alert was first created.
lastUpdatedTimeTime when alert was last updated at the backend.
resolvedTimeTime when alert was resolved.
firstActivityTime when alert first reported that activity was updated at the backend.
titleBrief identifying string value available for each alert.
descriptionString value describing each alert.
categoryVisual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework.
statusCategorize alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts.
severityIndicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention.
One of the following values: Informational, Low, Medium, and High.
investigationIdThe automated investigation ID triggered by this alert.
investigationStateInformation on the investigation’s current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.
classificationThe specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null
determinationSpecifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other or null
assignedToOwner of the incident, or null if no owner is assigned.
actorNameThe activity group, if any, the associated with this alert.
threatFamilyNameThreat family associated with this alert.
mitreTechniquesThe attack techniques, as aligned with the MITRE ATT&CK™ framework.
devicesAll devices where alerts related to the incident were sent.
DeviceIdThe device ID as designated in Microsoft Defender for Endpoint.
aadDeviceIdThe device ID as designated in Azure Active Directory. Only available for domain-joined devices.
deviceDnsNameThe fully qualified domain name for the device.
osPlatformThe OS platform the device is running.
osBuildThe build version for the OS the device is running.
rbacGroupNameThe role-based access control (RBAC) group associated with the device.
firstSeenTime when device was first seen.
healthStatusThe health state of the device.
riskScoreThe risk score for the device.
entitiesAll entities that have been identified to be part of, or related to, a given alert.
entityTypeEntities that have been identified to be part of, or related to, a given alert.
The properties values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry
sha1Available if entityType is File.
The file hash for alerts associated with a file or process.
sha256Available if entityType is File.
The file hash for alerts associated with a file or process.
fileNameAvailable if entityType is File.
The file name for alerts associated with a file or process
filePathAvailable if entityType is File.
The file path for alerts associated with a file or process
processIdAvailable if entityType is Process.
processCommandLineAvailable if entityType is Process.
processCreationTimeAvailable if entityType is Process.
parentProcessIdAvailable if entityType is Process.
parentProcessCreationTimeAvailable if entityType is Process.
ipAddressAvailable if entityType is Ip.
IP address for alerts associated with network events, such as Communication to a malicious network destination.
urlAvailable if entityType is Url.
Url for alerts associated to network events, such as, Communication to a malicious network destination.
accountNameAvailable if entityType is User.
domainNameAvailable if entityType is User.
userSidAvailable if entityType is User.
aadUserIdAvailable if entityType is User.
userPrincipalNameAvailable if entityType is User/MailBox/MailMessage.
mailboxDisplayNameAvailable if entityType is MailBox.
mailboxAddressAvailable if entityType is User/MailBox/MailMessage.
clusterByAvailable if entityType is MailCluster.
senderAvailable if entityType is User/MailBox/MailMessage.
recipientAvailable if entityType is MailMessage.
subjectAvailable if entityType is MailMessage.
deliveryActionAvailable if entityType is MailMessage.
securityGroupIdAvailable if entityType is SecurityGroup.
securityGroupNameAvailable if entityType is SecurityGroup.
registryHiveAvailable if entityType is Registry.
registryKeyAvailable if entityType is Registry.
registryValueTypeAvailable if entityType is Registry.
registryValueAvailable if entityType is Registry.
deviceIdThe ID, if any, of the device related to the entity.

Microsoft Defender Data Source Settings

To configure access for Cyfin to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API

The procedure to create an application is found on the below link:

Create a new Azure Application

When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

  • Client ID
  • Tenant ID
  • Client Secret

In Cyfin go to Data Management -> Setup and select Microsoft Defender

Now input the 3 values gathered from the previous steps

v9.6.4 Release Notes for Cyfin

Enhancements

  • Reporting
    • Firewall Reporting
      • Palo Alto Firewall reporting now available in addition to Web data. Both types of data can be seamlessly imported and reported on in the Visualizer which has been updated to include pre-configured Firewall dashboards. * Firewall Reporting requires an upgraded license, but evaluation periods are available.
  • Data Management
    • Log Data Setup
      • Updated the location of the wizard buttons for clarity and optimized flow.
    • Log Date Types
      • Updated Sonicwall VPN to include ability to parse NetExtender VPN data.

Web Data Source Field Definitions

Field NameDefinition
appsiteFriendly name for a Website or Application
authtype
blockedThis occurs because the user is not authorized to access the site, that is, his access has been “blocked.” However, it can also be caused by technical anomalies, for example, “page not found by server.”
bytesNumber of total bytes (transmit and receive) for the session.
categoryDescribes the content of a Web page that was visited.
classificationUser defined classification for the website content that was visited. Values could be any of the following: Acceptable, Unacceptable and Neutral
clientin
clientout
contenttypeRefers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetimeDate time stamp associated with each recrod hit
domainA fully qualified domain name (FQDN) is a complete and unambiguous domain name that specifies the exact location of a specific resource on the internet.
groupOrganizational groups are structured in a hierarchical manner, forming a tree-like structure.
hitNumber of records (represents a record count)
identity
ipSource IP Address
network
outboundipDestination IP Address
proxyport
refererdomainHTTP header field that indicates the URL or domain from which a user navigated to the current page.
resultcodeHTTP status codes that are used to indicate the result or status of an HTTP request made to a web server. Some commonly encountered codes are: 200 OK, 404 Not Found, etc.
searchtermsSearch query or keyword, refers to the specific words or phrases that a user enters into a search engine to find information on a particular topic.
serverin
serverout
source
timeonlineAn approximation of the time that a user spends on the Internet. Wavecrest’s Smart Engine algorithms can produce the most accurate time online measurement.
userField refers to the information recorded about the user associated with a specific network connection or traffic event.
useragentHTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.
visitA click action for the purpose of visiting a Web site. One click equals one request for a Web page.

Palo Alto Data Source Field Definitions

Field NameDefinition
actionAction taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
action_sourceSpecifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session.
applicationApplication associated with the session.
application_categoryThe application category specified in the application configuration properties.
application_riskRisk level associated with the application (1=lowest to 5=highest).
application_saasDisplays yes if a SaaS application or no if not a SaaS application.
application_subcategoryThe application subcategory specified in the application configuration properties.
application_technologyThe application technology specified in the application configuration properties.
bytesNumber of total bytes (transmit and receive) for the session.
categoryDescribes the content of a Web page that was visited.
contenttypeRefers to an HTTP header field that specifies the type of data contained in the body of an HTTP request or response. Values could be any of the following: jpeg, mpeg, pdf, html, css, etc.
datetimeDate time stamp associated with each recrod hit
dest_countryDestination country or Internal region for private addresses.
dest_ipOriginal session destination IP address.
dest_zoneZone the session was destined to.
deviceLogType
directionIndicates the direction of the attack, client-to-server or server-to-client
groupOrganizational groups are structured in a hierarchical manner, forming a tree-like structure.
hitNumber of records (represents a record count)
http2_connectionIdentifies if traffic used an HTTP/2 Connection or not
identity
ipOriginal session source IP address.
ip_protocolIP protocol associated with the session.
portDestination port utilized by the session.
recordName
referrer
results
ruleName of the rule that the session matched.
severity
source
source_zoneZone the session was sourced from.
threat_categoryDescribes threat categories used to classify different types of threat signatures.
Threat_contenttypeSubtype of the threat and traffic log
threat_idPalo Alto Networks identifier for known and custom threats.
typeSpecifies the type of log;
url
userField refers to the information recorded about the user associated with a specific network connection or traffic event.
useragentHTTP header field sent by a web browser or other client software when making a request to a web server. It identifies the client’s software, version, and other relevant information to help the server understand the capabilities and requirements of the client.

v9.6.3 Release Notes for Cyfin

Enhancements

  • Data Managements
    • Log Data Setup
      • Added Microsoft Defender as a configuration option. This feature only available for Cyfin in VM environment.
  • Reporting
    • Dashboard
      • Visualizer
        • Added Dashboard level filters. This allows a filter to be applied to all panels with matching data source on the configured dashboard.
  • Usage statistics
    • Added periodic anonymous usage statistics gathering to improve customer experience.

Corrections

  • Data Management
    • Import
      • Disabled auto importing of syslog enabled log configurations because stream is already automatically imported.

v9.6.2.a Release Notes for Cyfin

Enhancements

  • Logon Accounts
    • Added ability to add additional group permissions to imported logon accounts from Active Directory. 
  • Reporting
    • Visit Filter
      • Updated algorithm for determining hit versus visit to include additional portions of URL.