Skip to content

Get Started

CYBERQUEST Overview

CYBERQUEST is an innovative Big Data Security Analytics Platform designed to provide comprehensive auditing and security capabilities for small, medium and enterprise networks. The solution has been designed to function as an agile, scalable business platform that intelligently collects and correlates data in the organization's IT infrastructure and works with it to address any type of present or future threat which a busine0ss could encounter.

CYBERQUEST is highly scalable and can be configured to suit many organization size and use cases and easily integrates with all security solutions on the market, irrespective of their classification. The CYBERQUEST solution is a true aggregator of security data coming from either Security Information and Event Management software (SIEM), firewalls, intrusion prevention and detection platforms, or email security and endpoint security solutions. In addition, CYBERQUEST can collect, correlate, and provide useful insights on heterogeneous data generated by network equipment, servers, databases, and applications, which makes it an invaluable operational management tool for your security and administrative teams.

Core Capabilities

  • Collect: gather all security and relevant data sources from your IT infrastructure;

  • Correlate: add threat intelligence security data for offline or online correlation;

  • Detect: quickly identify the most significant threats to your network;

  • Visualize: monitor accurately within a single point of access and get specific alerts;

  • Respond: Security Orchestration, Automation, and Response (SOAR features) capabilities are embedded in the solution;

  • Vulnerability assessment: with OpenVAS integration.

CYBERQUEST aggregates and monitors all activity in your infrastructure and, with real-time alerts, SOAR features, and vulnerability assessment capabilities, delivers detailed information and fires response for vital changes and activities - as they occur. Instantly know who, what, when, where, why made a change, and then turn that information into intelligent, in-depth forensics, enhanced with additional data from the entire environment, make that information available for auditors and security officers and generate automated actions as response to the risks associated with day-to-day modifications.

Concept and availability

CYBERQUEST can seamlessly be integrated within your existing IT infrastructure and delivers real-time user behavior and data monitoring, threat detection, data analytics and correlations, security information and event management, in a single platform, enabling you to:

  • Have unified and increased infrastructure visibility for security management;

  • Ensure and track regulatory compliance, security audits and policy;

  • Reduce organization threat surface quickly and accurately;

  • Optimize and generate predefined, ready-to-go reports;

  • Improve your existing security and event management solution's response capabilities to incidents.

CYBERQUEST is an appliance type of product (hardware & software) supporting multi-redundant topologies and that can be scaled horizontally by installing any number of processing nodes, or vertically by adding processing resources. Given its deployment flexibility, the solution can be easily architected to meet multi-site deployment challenges. The solution is also available through Software-as-a-Service offering.

Its main functionalities, given by multiple modules, are:

  • Normalizing available information from different systems in its own format through special dedicated connectors;
  • Dashboards module: provides a visual representation of events, aggregated by different criteria;
  • Browser module: provides access to all events and viewing the details;
  • Reporting module: predefined reports for - GDPR, ISO 27001, COBIT, FISMA, HIPPA, PCI/DSS, SOX, technology reports;
  • Alerting module: provides real time alerting for configurable situations with configurable response actions (SOAR features);
  • Investigation module: a visual way of seeking events and investigating situations;
  • Case management module: a case management function for collaborative investigation activities;
  • Administrative module: ensures configuration and management functions for the application;
  • Data Transformation System module: a proprietary module that is responsible with different functionalities of CYBERQUEST such as event enrichment, data anonymization etc.
  • Vulnerability Assessment Module: provided by integration of OpenVAS (https://www.openvas.org/)

Architecture

High-level data flow description

CYBERQUEST is a dedicated Big Data Security Analytics Platform intended to be used by IT security officers. Therefore, CYBERQUEST helps companies to be more secure and also compliant to internal and industry regulations by doing collection of high volumes of disparate data from infrastructure and third-party security solutions, aggregating and enhancing collected data, and presenting security personnel with useful information on possible threats and risks - all in real-time.

Data is collected from various sources using CYBERQUEST's Collecting Agent (WMI, ODBC or file-level gathering etc.), or receiving data flows (syslog, NetFlow etc.). Data is organized in queues, sent to a Data Acquisition Service (DAS), which applies acquisition rules and then sends raw data to a Data Transformation Service (DTS). DTS is responsible for parsing data and generate real-time alerts.

Once parsing rules are applied, transformed data is applied with retention rules. Retention rules will tell if data is stored in the Online Storage or Archive Data Storage. The major difference between the two types of storage is access speed. Online Storage applies indexing on uncompressed data, which makes any information available in term of seconds, with the cost of space. Archive DataStorage is designed for long term retention of data, without imposing a limit to the maximum volume of that data. The archive stores data in compressed and encrypted files; the norm compression ratio is approximately 1:20.

From the archive data is extracted and imported into Online DataStorage nodes for investigation and reporting needs. Correlation is performed by a CYBERQUEST Server and resulted information is presented in dashboards and reports.

CYBERQUEST Web Interface is the central module used for both management and utilization of platform. Web Interface uses a web frontend allowing administrators and operators to interact with CYBERQUEST. Depending on the access level allowed, a user will be able to access Reports, Dashboards, Investigations, Browser and Alerts modules and take benefit of the entire set of security analytics.

Services and Components

Data Collection

CYBERQUEST receives data from a wide range of devices. The data collected is of various formats, but mainly separated into sections as it follows: collection of event data, flow data, vulnerability assesment information (VAI), and other data types relevant for security analytics.

Event data collection: events are being collected from data sources that log security-based events, such as: routers, servers, firewalls, intrusion detection systems (IDS) or intrusion prevention systems (IPS), network switches, active directory and other networking equipments.

Flow data collection: network traffic information is collected from IPFIX and Netflow network protocol (versions 5, 9, and 10).

Vulnerability assessment (VAI): relevant security states.

Data Collection is a distributed service, engaged with several components that can reside within the main appliance, or independently to accommodate star or cloud architectures. Once collected, data is encrypted and compressed, then transported by the message queuing sevice to the data aquisition service.

If data cannot be delivered to message queuing service, one of the following agents will perform local caching for later delivery:

  • Windows Agent, capable of storing up to 1 million events.

  • Data Server performs caching behaviour when needed, by creating files on the hosting station in order to capture all events, without any event being lost during the process.

Windows Agent

Windows Agent is a data collection component, interacting directly with event sources. It can be installed on workstations and servers. The minimum operating system version is Windows 7 (on workstations) and Windows Server 2008 ( on servers), and has a listed software dependency on Microsoft .NET Framework 4.8.

The agent uses configuration templates that can be associated to one or multiple data sources. The templates contain settings specific to data sources: credentials, field mapping, event filtering, data processing scripts, database queries and more.

The agent addresses the following data sources by default:

  • Local and remote WMI (Windows Management Instrumentation) collection:

    • Windows Security logs;

    • Windows Application logs;

    • Windows System logs;

    • Other application and services logs in Windows standard format.

  • Local and remote MS SQL collection:

    • Queries for incremental data collection from database tables; containing application logs (minimum version supported is MSSQL Server 2005);

    • SQL Server audit (minimum version supported is MS SQL Server 2008) by default.

  • Local and/or remote Oracle collection:

    • Queries for incremental data collection from database tables containing application logs (minimum version supported is Oracle 9i);

    • Native Oracle instance audit; by default, the solution provides templates for Oracle 9i, 10g, 11g and 12c.

  • Custom data collection (which requires parameters and mappings to be configured in each customized template):

    • Local and/or remote collection for ODBC (open database connectivity) sources supporting 64-bit ODBC drivers;

    • Local and/or remote collection for MySQL, MariaDB, PostgresSQL, MS-SQL sources, including queries for incremental data collection from database tables containing application logs and native platform audit;

    • Local collection of timestamped files in CSV/TSV/JSON format;

    • Local collection of parsable custom files of any file type, for which the agent uses a pre-processing script;

    • HTTPS API-based data;

    • Others.

Data Server

Data server is a distributed service engaged with several components that can reside within the main appliance, or independently to accommodate star or cloud architectures. The service is used to perform data pre-parsing on syslog native format compatible with RFC 5424 and RFC 3164 standards. The system can also receive and process NetFlow data (NetFlow versions 5, 9, 10 and ipfix) and perform NetFlow stiching called Biflow.

Also, Data Server acts as a passive agent for syslog and NetFlow messages received by CYBERQUEST. By default, the service is configured to listen on UDP/TCP 5140 port for syslog events, UDP 2055 for NetFlow packets, TCP 5141 for CEF data, TCP 6514 For Syslog on TLS protocol.

Data-Server and Windows agent employ secured communication to the central CyberQuest server using 2 types of complementary encryption:

1) Native SSL encrypted connection to RabbitMQ on the server on port 5671 (default).

2) Additional AES-256 encryption for all messages (logs). This can be enabled by using the "Encrypt" parameter at agent level.

Data Storage

CyberQuest stores date in 2 parallel places: OpenSearch for immediate investigations, and the Data-Storage service. Data kept in the data-storage service is file system based, includes automatic compression, encryption and employs for data alteration reasons digital signature protection.

The default installation includes a "default" storage under "/data/storage/default". All incoming data is automatically sent to this storage. DataStorage employs a special file which hosts event data: ".ds" file. This file is pgp signed so that any alteration will not validate the signature anymore.

img.png

Encryption keys are automatically generated and MUST have backups. NextGen Software CANNOT recover the data if these are lost. These are stored under:

ls /var/opt/cyberquest/encryption/datastorage