ProWeb (Web Application Firewall)

Benefits
  • It is designed and implemented locally and with a secure method.
  • It complies with the usual standards in this field.
Year
Description

ProWeb is a web application firewall that protects web applications from attacks. ProWeb can detect all known attacks against web applications and blocks them before they reach the customer's web applications, and it has flexible options for logging and reporting. ProWeb uses machine intelligence alongside an advanced signature-based rule engine to proactively detect known and unknown attacks against web applications. Adaptive learning of user and application behavior enables ProWeb to increase detection accuracy while decreasing false positives. ProWeb sends attack alerts to the administrator by email and SMS and provides advanced, detailed reporting with custom search and filtering.

Within this scope, the following features can be taken into account:

  • Advanced & custom rule support
  • Convenient management
  • Better handling of false positives
  • Hybrid approach for zero-day attacks & anomaly detection
  • Flexible deployment scenarios, including reverse proxy & transparent modes
  • Logging & reporting
  • Email & SMS alert
  • Preventing known attacks, including Cross-Site Scripting; SQL, SSL, XPath, LDAP & Command Injection; Directory Indexing; Brute-Force Login; Denial of Service
  • SSL Offloading & performance improvement

Cloud Security Operation Center (SOC)

Benefits
  • Creating jobs for 20 people for 1 year
  • Used in different Iranian companies, organizations & banks
  • Reducing costs by 500.000 (for 10 SIEMs sold)
Research partner
IT Group, IRISA
Year
Description

Cloud Security Operation Center is a SOC that receives logs and events from the cloud platform (virtual switch mirror port and Zabbix). The Sitra agent is customized to receive logs and events from the OpenStack platform, and new correlation rules have been added to Sitra to detect cloud attacks. Sitra is the name of the SOC produced by IRISA.

The following features have been added to Sitra:

  • Plug-ins deployed to receive logs from different services of OpenStack
  • Snort customization for OpenStack
  • Cloud multi-step attack detection & correlation, e.g. DoS attacks on OpenStack services, botnets on the cloud
  • Log management, log search & log retention for 90 days
  • Incident response
  • Alert prioritization
  • Multi-user, access control

Within this scope, the following services can be taken into account:

  • MSSP (Managed Security Service Provider)
  • Reporting
  • Network forensics
  • Different payment mechanisms for MSSP
  • 500-5000 events per second on average
  • Supporting different types of security devices (500 security devices)
  • Supporting different assets (500-5000 different assets), including:
      • Services
      • Operating Systems & Applications
      • Configuration, e.g. open ports, iptables
  • Attack identification & prediction:
      • Single-step attacks
      • Multi-step attacks
      • Distributed attacks

Security Operation Center (SOC)

Benefits
  • It is a modular and scalable product.
  • It is implemented locally and with a secure method.
  • It has GUI, WUI and CLI interfaces.
  • It is installed and in use in different companies, organizations and banks.
  • It can be used by managed security service providers.
Research partner
IRISA
Year
Description

A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from which staff supervise the site using data processing technology. The SOC is responsible for monitoring, detecting, and isolating incidents and for managing the organization's security products, network devices, end-user devices, and systems. This function is performed seven days a week, 24 hours per day. The SOC is the primary location of the staff and the systems dedicated to this function.

Within this scope, the following features can be taken into account:

  • Real-time monitoring / management (aggregate logs, aggregate data, coordinate response & remediation)
  • Log classification & normalization
  • Security event correlation
  • Multi-step attack detection
  • Incident response with priority policies
  • Alert triage & attack response procedure
  • Policy management
  • Producing & displaying statistics about the network traffic
  • Providing the ability to search all information about detected attacks in the DB
  • Dealing with security issues on an organizational and technical level
  • Monitoring, detecting, and isolating incidents and managing the organization's security products, network devices, end-user devices, and systems
