Prelude SIEM (Intrusion Detection System)

Prelude SIEM
Original author(s)	Yoann Vandoorselaere
Developer(s)	www.prelude-siem.org
Initial release	1998
Stable release	5.2.0 / September 11, 2020;3 years ago
Repository	www.prelude-siem.org/git/
Written in	Python, C
Operating system	Linux, *NIX
Standard(s)	RFC4765
Available in	French, English, German, Spanish, Italian, Polish, Portuguese, Russian
Type	SIEM
License	Proprietary software and GPLv2
Website	www.prelude-siem.com ; www.prelude-siem.org

Last updated March 12, 2024

Prelude SIEM is a Security information and event management (SIEM).

Prelude SIEM is a tool for driving IT security that collects and centralizes information about the company's IT security to offer a single point of view to manage it. It can create alerts about intrusions and security threats in the network in real-time using logs and flow analyzers. Prelude SIEM provides multiple tools to do forensic reporting on Big Data and Smart Data to identify weak signals and Advanced Persistent Threats (APT). Prelude SIEM also embeds all tools for the exploitation phase to make work easier for operators and help them with risk management.

While a malicious user (or software) may be able to evade the detection of a single intrusion detection system, it becomes exponentially more difficult to get around defenses when there are multiple protection mechanisms. Prelude SIEM comes with a large set of sensors, each of them monitoring different event types. Prelude SIEM permits alert collection to the WAN scale, whether its scope covers a city, a country, a continent or the world.

Prelude SIEM is a SIEM system capable of inter-operating with all the systems available on the market.^[2] It implements natively with the Intrusion Detection Message Exchange Format (IDMEF, RFC 4765) format. In this way, it is natively IDMEF compatible with OpenSource IDS: AuditD, Nepenthes, NuFW, OSSEC, Pam, Samhain, Sancp, Snort, Suricata, Kismet, etc. but anyone can write their own IDS or use any of the third party sensors available, given Prelude SIEM's open APIs and libraries.

Since 2016, with the "Prelude IDMEF Partner Program", Prelude SIEM is now also IDMEF compatible with many commercial IDS.

Prelude SIEM provides all SIEM functions through three modules: ALERT (SEM), ANALYZE and ARCHIVE (SIM) and is so the only one true SIEM alternative on the market. Plus, Prelude SIEM promotes the use of IETF security standards through the SECEF^[3] project and the "Prelude IDMEF Partner Program".

History

1998: Creation of an IDS project by Yoann Vandoorselaere: Prelude IDS
2002: Prelude becomes a Hybrid IDS
2005: Creation of the company Prelude-Technologies
2009: The INL Society acquires Prelude-Technologies
2009: INL become Edenwall Technologies
2011-08-18: Edenwall Technologies is declared for suspended payments, Prelude-IDS software, the company, and the brand are on sale
2011-10-13: CS (Communication & Systems), Edenwall partner, buy Prelude-IDS
2012: Opening of the websites: www.prelude-ids.org and www.prelude-ids.com (Now www.prelude-siem.com)
2012: Release of the new version Prelude OSS 1.1 and Prelude Enterprise 1.1
2014: Release of Prelude Enterprise V2
2014: Prelude IDS becomes Prelude SIEM and Prelude Enterprise becomes Prelude SOC
2015: Prelude SIEM received the award of "France Cybersecurity" (French cybersecurity)
2016: Prelude SIEM launch the "Prelude IDMEF Partner Program"
2016: Prelude SIEM OSS (Community version) received the award of OW2 for its community
2017: Release of Prelude SIEM 4.0, results of two years of research and developments efforts
2017: New packaging of Prelude SIEM available: Machine virtuelle

Functions

Prelude SIEM collects, normalizes, sorts, aggregates, correlates and displays all security events regardless of the types of surveillance equipment. Beyond its capacity for processing of all types of event logs (system logs, syslog, flat files, etc.), it's also natively compatible with many IDS.

Prelude SIEM's main characteristics are the following:

Built on an open-source core (Python, C), light web client 2.0
"Agent-less" operation
Compliant with Intrusion Detection Message Exchange Format (IDMEF, RFC 4765), Incident Object Description Exchange Format (IODEF, RFC 5070), HTTP, XML, SSL standards
Smart Data: Smart correlation of security events
Big Data: Collection, storage and indexing of logs
Modular, flexible and resilient
Hierarchical and decentralized architecture

Prelude SIEM Community version

Prelude SIEM OSS has been designed in a scalable way to simply adapt to any environment. it is a free, public and open-source version (GPLV2) for small IT Infrastructures, tests and educational purposes.

The open-source version is composed of the following main modules:

Manager: which receives and stores alerts into the database
LibPrelude: connect each IDMEF agents to Prelude SIEM
LibPreludeDB: high-speed database insertion module
Correlator: event correlation module
LML (Log Management Lackey): detect and normalize important logs
Prewikka: web Graphical User Interface (GUI)

These modules are the base of the ALERT module in the commercial version. The commercial version also adds many functionalities to these modules and scale up the performances and architecture possibilities.

Prelude SIEM and Prelude SOC

Prelude SIEM (commercial version) is a scalable, professionally usable and high-performance version of Prelude, for real-world environments. Prelude SOC is fully scaled version, mainly for SOC (Security Operations Center) usage.

The commercial versions are organized as follows:

Prelude SIEM: SIEM for enterprise with modules: ALERT, ANALYSE, and ARCHIVE
- ALERT: Storage, Detection, Normalization, Correlation, Aggregation, Real-time Notification
- ANALYSE: Analyze, Reporting and Compliance
- ARCHIVE: Storage, Indexation of logs and flows for forensic
Prelude SOC: also to Prelude SIEM, it is possible to add more operational security modules to build a Security Operation Center (SOC)
- MAP: Real-time cartography of the IT parc with security indicators. It is possible to drill down and made physical, logical or risk management representations
- VULN: Vulnerability scanner based on OpenVAS. It is possible to use it inside the correlator to make cross-correlation
- ASSET: Asset management based on GLPi (assets, tickets, workflow, etc.)
- REPORT: Business Intelligence reporting

Related Research Articles

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

A host-based intrusion detection system (HIDS) is an intrusion detection system that is capable of monitoring and analyzing the internals of a computing system as well as the network packets on its network interfaces, similar to the way a network-based intrusion detection system (NIDS) operates. Compared to NIDS, HIDS is superior in its fine granularity and its ability to detect internal attacks. This was the first type of intrusion detection software to have been designed, with the original target system being the mainframe computer where outside interaction was infrequent.

Enterprise software, also known as enterprise application software (EAS), is computer software used to satisfy the needs of an organization rather than its individual users. Enterprise software is an integral part of a computer-based information system, handling a number of business operations, for example to enhance business and management reporting tasks, or support production operations and back office functions. Enterprise systems must process information at a relatively high speed.

Tripwire, Inc. is a software company based in Portland, Oregon, that focuses on security and compliance automation. It is a subsidiary of technology company Fortra.

OSSIM (Open Source Security Information Management) is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data is composed of entries (records), and each entry contains information related to a specific event that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

TriGeo Network Security is a United States–based provider of security information and event management (SIEM) technology. The company helps midmarket organizations proactively, protects networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense - from the perimeter to the endpoint.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Aanval is a commercial SIEM product designed specifically for use with Snort, Suricata, and Syslog data. Aanval has been in active development since 2003 and remains one of the longest running Snort capable SIEM products in the industry. Aanval is Dutch for "attack".

ACARM-ng is an open source IDS/IPS system. ACARM-ng is an alert correlation software which can significantly facilitate analyses of traffic in computer networks. It is responsible for collection and correlation of alerts sent by network and host sensors, also referred to as NIDS and HIDS respectively. Correlation process aims to reduce the total number of messages that need to be viewed by a system administrator to as few as possible by merging similar events into groups representing logical pieces of malicious activity.

ACARM is an open source intrusion detection system. It was developed as a part of POSITIF project between 2004 and 2007. It was written as a practical proof of concept, presented in the article.

Used as part of computer security, IDMEF is a data format used to exchange information between software enabling intrusion detection, intrusion prevention, security information collection and management systems that may need to interact with them. IDMEF messages are designed to be processed automatically. The details of the format are described in the RFC 4765. This RFC presents an implementation of the XML data model and the associated DTD. The requirements for this format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767

LogRhythm, Inc. is a global security intelligence company that specializes in Security Information and Event Management (SIEM), log management, network monitoring, user behavior and security analytics. Headquartered in Boulder, Colorado, LogRhythm operates in North and South America, Europe, India, the Middle East, Turkey, Africa, and the Asia Pacific region.

Sagan is an open source (GNU/GPLv2) multi-threaded, high performance, real-time log analysis & correlation engine developed by Quadrant Information Security that runs on Unix operating systems. It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan's structure and rules work similarly to the Sourcefire Snort IDS/IPS engine. This allows Sagan to be compatible with Snort or Suricata rule management softwares and give Sagan the ability to correlate with Snort IDS/IPS data.

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Used for computer security, IODEF is a data format which is used to describe computer security information for the purpose of exchange between Computer Security Incident Response Teams (CSIRTs).

NXLog is a multi-platform log management solution that allows to collect logs from various sources, filter log events, transform log data and route (forward) it to different destinations. It's available both as a free-of-charge NXLog Community Edition and as a commercial NXLog Enterprise Edition with enhanced capabilities, including agent management.

References

↑ "Files - PRELUDE SIEM - UNITY 360". prelude-siem.org. Retrieved 2021-04-24.
↑ "PreludeLml - PRELUDE SIEM". www.prelude-siem.org. Retrieved 2017-11-12.
↑ "SECEF". SECEF (in French). Retrieved 2017-11-12.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Files - PRELUDE SIEM - UNITY 360". prelude-siem.org. Retrieved 2021-04-24.

[2] "PreludeLml - PRELUDE SIEM". www.prelude-siem.org. Retrieved 2017-11-12.

[3] "SECEF". SECEF (in French). Retrieved 2017-11-12.

[1]

[2]

[3]