
Tag: Cyfin

Unlock Comprehensive Web Usage Insights with Advanced Categorization

In the realm of cybersecurity, not all categorization lists carry equal weight. Most firewall and web filtering tools come equipped with these lists, primarily aimed at filtering out websites that pose security threats or legal liabilities, aligning with a company’s usage policy.

However, it’s crucial to be discerning when employing these lists for evaluating employee web usage activity. A common shortfall of conventional lists lies in their narrow focus on security and legal liability, often resulting in a lack of comprehensive categorization. Consequently, they may inadequately represent the full spectrum of employee web activity, frequently leading to mis-categorizations, especially in non-security related categories.

In today’s landscape, website categorization is often perceived as a standardized commodity, with many assuming that all lists render uniform information. This assumption holds if the sole purpose is to filter out malicious content or legal liability sites. However, a multitude of companies necessitate extensive employee web usage reports for intricate purposes such as investigations, managerial oversight, and HR monitoring. These reports are pivotal in identifying areas for augmenting productivity and mitigating prospective legal vulnerabilities.

Overlooking the nuanced differences in categorization lists can inadvertently foster inaccurate reporting, culminating in misguided managerial decisions, compromised investigations, and heightened susceptibility to legal complications.

Since 1996, Wavecrest has been at the forefront, cultivating a categorization system emblematic of comprehensiveness and accuracy. Our unwavering commitment is to furnish a holistic view of web usage. In scenarios necessitating nuanced reporting, it becomes indispensable to consider our meticulously crafted products, Cyfin and CyBlock. These tools are instrumental in facilitating informed decisions, fostering enhanced productivity, and safeguarding against legal pitfalls.

Conclusion: Elevate Your Web Usage Insight with Wavecrest

In a digital ecosystem where precision and comprehensiveness are paramount, settling for a generic categorization list is no longer sufficient. The nuanced demands of modern businesses necessitate a tool that stands resilient against the shortcomings of mis-categorization and incomplete web usage portrayal. Wavecrest’s legacy of innovation and meticulous development has fostered products that transcend the conventional, providing a multi-dimensional view of web activity essential for informed decision-making. With Cyfin and CyBlock, embrace a realm of categorization that is robust, nuanced, and tailored to meet the intricate demands of contemporary web usage monitoring. Opt for Wavecrest, and unlock a wealth of insights that empower your organization to thrive securely and efficiently in the digital landscape.

Unlocking Human Insights from Network Logs: The Role of Specialized Analytical Tools

Abstract

Understanding employee web usage is pivotal for organizations aiming to optimize productivity and ensure policy compliance. Network activity logs, while rich in data, are cluttered with automated and miscellaneous activities that cloud the clarity of human actions. This necessitates the employment of advanced tools capable of fine-tuning the analysis to focus on genuine human interactions. Cyfin stands out in this domain, enabling organizations to derive meaningful, actionable insights from network logs, enhancing decision-making and policy enforcement processes.

Introduction

Navigating through network activity logs to decipher actual employee internet usage presents a complex challenge. The logs are a blend of human-initiated actions and automated processes, making it tough to isolate meaningful user activity. A specialized tool is essential for sifting through this data to reveal the actual patterns of internet usage by employees.

The Need for Enhanced Analytical Tools

Traditional tools often struggle to differentiate between human actions and automated processes in network logs. To accurately interpret employee web usage, a more refined tool is required—one that can sift through the complexities and focus on actual human interactions.

Cyfin: Elevating Analytical Precision

Cyfin emerges as a dedicated solution, uniquely crafted to concentrate on human-oriented activities within network logs. Its design focuses on filtering out the noise, spotlighting genuine user interactions, thus providing a more accurate representation of employee internet usage.

Impact of Cyfin’s Advanced Analysis

Utilizing Cyfin’s nuanced analysis provides numerous benefits to organizations. It minimizes the risk of misinterpreting employee activities, thus avoiding unjust accusations and ensuring that organizational policies are adhered to more effectively.

Conclusion

For a nuanced understanding of employee web usage, a tool like Cyfin, which offers a refined approach to network log analysis, is essential. Cyfin provides the necessary clarity and precision, enabling organizations to make informed decisions based on accurate interpretations of employee internet interactions.

Sessions

The Session Settings Screen allows you to customize, run, and analyze your session algorithm against specific log file configurations and defined timespans. Built with adaptability in mind, you can modify session algorithm parameters to better align with the unique requirements of any customer environment.

Go to Settings – Reports – Sessions. The Session screen is displayed.

Session Analyzer

  1. To manually run the session algorithm, go to the Session Analyzer section.
  2. Select Log File Configuration: Use the dropdown to select the log files you’d like to include in your analysis.
  3. Define Your Timespan: Using the calendar tool, select your desired start and end dates and times.
  4. Press the button labeled ‘Analyze’ on the screen to initiate the session algorithm.

Session Analyzer Configuration

If you’re familiar with the specifics of the session algorithm and wish to fine-tune it, use the input boxes to adjust the default parameters. If unsure, it’s recommended to consult the definition below or contact our support team for assistance.

  1. To override the system defaults, use the input boxes below to adjust the default parameters.
  2. Press the button labeled ‘Update Configuration’ to apply the session algorithm parameter changes.

Session Parameter Definitions

  • Minimum Duration (minutes): The least amount of continuous Web activity to a particular Application/Site required to constitute a session.
  • Inactivity Cutoff (minutes): The amount of time since the last activity to an Application/Site for a session to be considered complete. Future activity will start a new session.
  • Minimum Session Hit Count: The minimum amount of Web activity (log hits) required for each Application/Site for the activity to constitute a session.
  • Maximum Session Duration (hours): A hard limit in hours for activity to a single Application/Site.
  • Required Browser User-Agent: When enabled, only log records containing known browser types will be analyzed.
    • Notes:
      • Keeping the checkbox enabled allows for a more refined and relevant session analysis by focusing on known browser types.
      • Users who wish to view all log records, regardless of browser type, should disable the checkbox. However, please note that disabling this option will affect the accuracy of the session analysis.
      • Disabling this checkbox might be necessary if SSL inspection is not enabled on your firewall. Without SSL inspection, the session analysis may not only be inaccurate but could also return without any results, because the user agent field would be empty.
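The five parameters above, applied by an added sessionizer (example code, not Cyfin's own algorithm, whose internals the page does not publish): constructed log hits show a gap beyond the Inactivity Cutoff splitting a session, a single-hit remainder failing the Minimum Session Hit Count, and empty or non-browser User-Agents being dropped while Required Browser User-Agent is enabled. The default values and the BROWSER_MARKERS list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class SessionConfig:
    # The five Session Analyzer Configuration parameters; default values are assumed.
    min_duration_min: float = 1.0        # Minimum Duration (minutes)
    inactivity_cutoff_min: float = 5.0   # Inactivity Cutoff (minutes)
    min_hit_count: int = 2               # Minimum Session Hit Count
    max_duration_hours: float = 8.0      # Maximum Session Duration (hours)
    require_browser_ua: bool = True      # Required Browser User-Agent

# Assumed markers for "known browser types"; Cyfin's own list is not on the page.
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/", "Edg/")

def is_browser(user_agent):
    return any(marker in (user_agent or "") for marker in BROWSER_MARKERS)

def sessionize(hits, cfg):
    """Group log hits (timestamp, user, site, user_agent) into sessions per user/site."""
    cutoff = timedelta(minutes=cfg.inactivity_cutoff_min)
    hard_limit = timedelta(hours=cfg.max_duration_hours)
    open_sessions = {}   # (user, site) -> [start, last_hit, hit_count]
    sessions = []

    def close(key):
        start, last, count = open_sessions.pop(key)
        # Keep a session only if it meets both the hit-count and minimum-duration thresholds.
        if count >= cfg.min_hit_count and last - start >= timedelta(minutes=cfg.min_duration_min):
            sessions.append({"user": key[0], "site": key[1], "start": start, "end": last, "hits": count})

    for ts, user, site, ua in sorted(hits, key=lambda h: h[0]):
        # With the checkbox enabled, non-browser or empty User-Agent records
        # (the empty case is what you see without SSL inspection) are not analyzed.
        if cfg.require_browser_ua and not is_browser(ua):
            continue
        key = (user, site)
        if key in open_sessions:
            start, last, count = open_sessions[key]
            if ts - last <= cutoff and ts - start <= hard_limit:
                open_sessions[key] = [start, ts, count + 1]
                continue
            close(key)   # inactivity cutoff or hard limit exceeded: this hit starts a new session
        open_sessions[key] = [ts, ts, 1]
    for key in list(open_sessions):
        close(key)
    return sessions

def demo_hits():
    """Constructed log hits, not real data."""
    t0 = datetime(2024, 1, 8, 9, 0)
    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
    at = lambda minutes: t0 + timedelta(minutes=minutes)
    return [
        (at(0), "alice", "news.example", browser),
        (at(1), "alice", "news.example", browser),
        (at(3), "alice", "news.example", browser),
        (at(20), "alice", "news.example", browser),         # 17 min gap: new single-hit session
        (at(0), "bob", "video.example", ""),                 # empty UA, e.g. no SSL inspection
        (at(2), "bob", "video.example", ""),
        (at(0), "carol", "cdn.example", "UpdateAgent/1.0"),  # automated, non-browser traffic
        (at(4), "carol", "cdn.example", "UpdateAgent/1.0"),
    ]
```

With the defaults only alice's three-hit visit survives; disabling require_browser_ua also admits bob's and carol's traffic, which is the accuracy trade-off the notes describe.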

SSL Inspection with Firewalls: Challenges and Effective Solutions

In our ever-evolving digital landscape, the focus on cybersecurity and data integrity has never been higher. SSL inspection, which is the process of decrypting and inspecting HTTPS traffic to monitor and regulate web content, is one way organizations aim to boost their cybersecurity posture. Many businesses trust their firewalls to undertake this task, but as technology advances, this approach presents several challenges:

1. Strain on Firewall Performance

The computational load required to perform SSL inspection can be demanding, and this additional burden may affect a firewall’s core functions. If a firewall is overtaxed with decrypting and inspecting traffic, its primary responsibility—shielding your network from threats—may suffer.

2. Limited SSL Inspection Capabilities

Not all firewalls are created equal. While some might possess robust SSL inspection capabilities, others might offer limited functionality or none at all. If you’re relying on a firewall without the necessary capabilities, your organization’s web traffic remains largely unseen.

3. Emerging Encryption Technologies

With encrypted DNS (DoH) and Encrypted Client Hello becoming increasingly popular, firewalls will find it increasingly challenging to intercept and examine traffic. These encryption advancements can limit the efficacy of even the most sophisticated firewalls, rendering them less effective for SSL inspection.

Given these challenges, many experts suggest looking beyond firewalls for SSL inspection.

Proxy-Based Solutions: The Way Forward

For environments seeking comprehensive SSL inspection without overloading their firewall, proxy-based solutions are often the ideal answer. These solutions are specifically crafted to execute SSL inspection tasks, offering detailed monitoring and reporting on employee web activity.

One of the trusted names in this arena is Wavecrest Computing. With nearly three decades in the field, Wavecrest has designed tools like Cyfin and CyBlock to address the specific challenges of SSL inspection.

CyBlock stands out as a premium choice for those in need. Not only does it offer the extensive monitoring and reporting features found in Cyfin, but it can also filter web access in real-time if desired. For businesses solely seeking SSL inspection, monitoring, and reporting, CyBlock fits the bill perfectly.

In Conclusion

Relying solely on a firewall for SSL inspection can lead to potential vulnerabilities and performance issues. As encrypted web traffic becomes the norm and emerging encryption technologies come into play, the challenges will only increase. Solutions like Cyfin and CyBlock from Wavecrest Computing can help businesses rise to these challenges, ensuring robust cybersecurity while providing detailed insights into web activity. If your current setup falls short or you’re aiming to optimize SSL inspection without taxing your firewall, Wavecrest offers the specialized solutions you need.

v9.6.5 Release Notes for Cyfin

Enhancements

  • Health
    • Added a new Health status page to display the current state of different components in the product through Health Modules. These modules can be configured to trigger notification alert emails when an error is detected. The following modules are currently available:
      • License Expiration – Checks the number of days left on the license and can trigger warning and error notifications based on days left.
      • Syslog Inactivity – Checks active syslog ports for data being sent and triggers an alert when no data is received in a configurable time period. The module also checks that valid data, not just any data, is being received and triggers a different error alert accordingly.
  • Reporting
    • Dashboard
      • Visualizer
        • Added an extensive library of preconfigured charts for users to select when creating new panels.
  • Library
    • Updated product to use most recent MySQL library (8.0.33).

Corrections

  • Dashboard
    • Removed the “AVG Daily Usage” and “AVG Daily Ingestion” tiles because the metric is not useful when combined with metric data removal as currently implemented; results could include large negative numbers.

v9.6.4.b Release Notes for Cyfin

Enhancements

  • Visualizer
    • Added support for Microsoft Defender reporting.

Corrections

  • Data Management
    • Syslog
      • Corrected an issue that could cause direct syslog imports to stop working upon a service restart. The file writer continued to work; only the metric server stopped receiving the data directly. This was caused by the syslog server attempting to start before the importer had been initialized.
  • Visualizer
    • Corrected aggregation on nested fields.

Defender Data Source Field Definitions

An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.

Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

Field Name – Definition

  • incidentId – Unique identifier to represent the incident.
  • redirectIncidentId – Only populated in case an incident is being grouped together with another incident, as part of the incident processing logic.
  • incidentName – String value available for every incident.
  • createdTime – Time when the incident was first created.
  • lastUpdateTime – Time when the incident was last updated on the backend. This field can be used when you’re setting the request parameter for the range of time that incidents are retrieved.
  • assignedTo – Owner of the incident, or null if no owner is assigned.
  • classification – The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive.
  • determination – Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other.
  • detectionSource – Specifies the source of detection.
  • status – Categorizes incidents (as Active or Resolved). It can help you organize and manage your response to incidents.
  • severity – Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
  • tags – Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic.
  • comments – Array of comments created by secops when managing the incident, for example additional information about the classification selection.
  • alerts – Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts.
    • alertId – Unique identifier to represent the alert.
    • incidentId – Unique identifier to represent the incident this alert is associated with.
    • serviceSource – Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365.
    • creationTime – Time when the alert was first created.
    • lastUpdatedTime – Time when the alert was last updated at the backend.
    • resolvedTime – Time when the alert was resolved.
    • firstActivity – Time when the alert first reported that activity was updated at the backend.
    • title – Brief identifying string value available for each alert.
    • description – String value describing each alert.
    • category – Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework.
    • status – Categorizes alerts (as New, Active, or Resolved). It can help you organize and manage your response to alerts.
    • severity – Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High.
    • investigationId – The automated investigation ID triggered by this alert.
    • investigationState – Information on the investigation’s current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert.
    • classification – The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null.
    • determination – Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other, or null.
    • assignedTo – Owner of the incident, or null if no owner is assigned.
    • actorName – The activity group, if any, associated with this alert.
    • threatFamilyName – Threat family associated with this alert.
    • mitreTechniques – The attack techniques, as aligned with the MITRE ATT&CK™ framework.
    • devices – All devices where alerts related to the incident were sent.
      • DeviceId – The device ID as designated in Microsoft Defender for Endpoint.
      • aadDeviceId – The device ID as designated in Azure Active Directory. Only available for domain-joined devices.
      • deviceDnsName – The fully qualified domain name for the device.
      • osPlatform – The OS platform the device is running.
      • osBuild – The build version for the OS the device is running.
      • rbacGroupName – The role-based access control (RBAC) group associated with the device.
      • firstSeen – Time when the device was first seen.
      • healthStatus – The health state of the device.
      • riskScore – The risk score for the device.
    • entities – All entities that have been identified to be part of, or related to, a given alert.
      • entityType – Entities that have been identified to be part of, or related to, a given alert. The property values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry.
      • sha1 – Available if entityType is File. The file hash for alerts associated with a file or process.
      • sha256 – Available if entityType is File. The file hash for alerts associated with a file or process.
      • fileName – Available if entityType is File. The file name for alerts associated with a file or process.
      • filePath – Available if entityType is File. The file path for alerts associated with a file or process.
      • processId – Available if entityType is Process.
      • processCommandLine – Available if entityType is Process.
      • processCreationTime – Available if entityType is Process.
      • parentProcessId – Available if entityType is Process.
      • parentProcessCreationTime – Available if entityType is Process.
      • ipAddress – Available if entityType is Ip. IP address for alerts associated with network events, such as communication to a malicious network destination.
      • url – Available if entityType is Url. URL for alerts associated with network events, such as communication to a malicious network destination.
      • accountName – Available if entityType is User.
      • domainName – Available if entityType is User.
      • userSid – Available if entityType is User.
      • aadUserId – Available if entityType is User.
      • userPrincipalName – Available if entityType is User/MailBox/MailMessage.
      • mailboxDisplayName – Available if entityType is MailBox.
      • mailboxAddress – Available if entityType is User/MailBox/MailMessage.
      • clusterBy – Available if entityType is MailCluster.
      • sender – Available if entityType is User/MailBox/MailMessage.
      • recipient – Available if entityType is MailMessage.
      • subject – Available if entityType is MailMessage.
      • deliveryAction – Available if entityType is MailMessage.
      • securityGroupId – Available if entityType is SecurityGroup.
      • securityGroupName – Available if entityType is SecurityGroup.
      • registryHive – Available if entityType is Registry.
      • registryKey – Available if entityType is Registry.
      • registryValueType – Available if entityType is Registry.
      • registryValue – Available if entityType is Registry.
      • deviceId – The ID, if any, of the device related to the entity.

Microsoft Defender Data Source Settings

To configure Cyfin’s access to Microsoft 365 Defender, you will have to create a new Azure application registration; this returns OAuth tokens with access to the Microsoft 365 Defender API.

The procedure to create an application is found on the below link:

Create a new Azure Application

Granting the application the API permission described in the documentation (Incident.Read.All) gives it access to read incidents from Microsoft 365 Defender and nothing else in the Azure domain.

After the application has been created, it should contain 3 values that you need to apply to the module configuration.

These values are:

  • Client ID
  • Tenant ID
  • Client Secret

In Cyfin, go to Data Management -> Setup and select Microsoft Defender.

Now input the 3 values gathered from the previous steps.
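An added example (not Cyfin’s code) tying the settings above to the field definitions: it builds the client-credentials token request from the three app registration values, shows the lastUpdateTime filter for the incident query, and flattens one constructed incident into incident/alert/entity report rows while checking the enumerated severity and classification values. The token and incidents endpoints, the ENTITY_KEY mapping and the sample incident are assumptions; the token request is built but not sent.

```python
import json
import urllib.parse
import urllib.request

# Assumed endpoints: Microsoft identity platform v2.0 token endpoint and the
# Microsoft 365 Defender incidents API.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
INCIDENTS_URL = "https://api.security.microsoft.com/api/incidents"
SEVERITIES = {"Informational", "Low", "Medium", "High"}
CLASSIFICATIONS = {"Unknown", "FalsePositive", "TruePositive", None}
# Assumed choice of which field summarizes each entityType in a report row.
ENTITY_KEY = {"File": "sha256", "Process": "processCommandLine", "User": "accountName",
              "Ip": "ipAddress", "Url": "url", "MailMessage": "subject", "Registry": "registryKey"}

def token_request(tenant_id, client_id, client_secret):
    """Build (not send) the client-credentials request from the three app registration values.
    The registration holds only Incident.Read.All, so the resulting token can only read incidents."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://api.security.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body, method="POST")

def fetch_incidents(bearer_token, since_iso):
    """Retrieve incidents updated after since_iso, using lastUpdateTime as the range field."""
    query = urllib.parse.urlencode({"$filter": f"lastUpdateTime gt {since_iso}"})
    req = urllib.request.Request(f"{INCIDENTS_URL}?{query}",
                                 headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]

def flatten_incident(incident):
    """Validate the enumerated fields, then emit one row per (incident, alert, entity)."""
    if incident.get("severity") not in SEVERITIES:
        raise ValueError(f"unexpected severity: {incident.get('severity')}")
    if incident.get("classification") not in CLASSIFICATIONS:
        raise ValueError(f"unexpected classification: {incident.get('classification')}")
    rows = []
    for alert in incident.get("alerts", []):
        for entity in alert.get("entities", []):
            etype = entity["entityType"]
            rows.append({
                "incidentId": incident["incidentId"], "severity": incident["severity"],
                "alertId": alert["alertId"], "serviceSource": alert["serviceSource"],
                "category": alert["category"], "entityType": etype,
                "value": entity.get(ENTITY_KEY.get(etype, "")),
            })
    return rows

SAMPLE_INCIDENT = {  # constructed sample, not real tenant data
    "incidentId": 1001, "incidentName": "Script execution on WS-01", "severity": "Medium",
    "status": "Active", "classification": None, "determination": "NotAvailable",
    "alerts": [{
        "alertId": "alert-constructed-1", "serviceSource": "MicrosoftDefenderForEndpoint",
        "category": "Execution", "mitreTechniques": ["T1059.001"],
        "entities": [
            {"entityType": "Process", "processId": 4321,
             "processCommandLine": "powershell.exe -File C:\\Temp\\stage.ps1"},
            {"entityType": "File", "fileName": "stage.ps1", "sha256": "<constructed-hash>"},
            {"entityType": "User", "accountName": "alice", "domainName": "CORP"},
        ],
    }],
}
```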

v9.6.4 Release Notes for Cyfin

Enhancements

  • Reporting
    • Firewall Reporting
      • Palo Alto Firewall reporting now available in addition to Web data. Both types of data can be seamlessly imported and reported on in the Visualizer which has been updated to include pre-configured Firewall dashboards. * Firewall Reporting requires an upgraded license, but evaluation periods are available.
  • Data Management
    • Log Data Setup
      • Updated the location of the wizard buttons for clarity and optimized flow.
    • Log Date Types
      • Updated Sonicwall VPN to include ability to parse NetExtender VPN data.