Risk Assessment and Decision Making

All decisions in OSSIM are driven by Risk parameters; in fact, Risk is calculated for every single event received by OSSIM from the asset, threat, and reliability parameters.

There is also a RiskMetrics Score Dashboard that consolidates the Risk parameter for each object of the network producing an aggregated visualization of the risk situation of each host and network.


Whenever a Risk situation is produced, automatic or manual responses are generated to contain it.


Automatic Responses

Once we receive a confirmed Alarm of an attack happening, we can trigger automatic responses in order to mitigate this attack.

Responses raise predefined Actions such as sending an email, blocking the connection at firewall level or disabling a switch port.

After defining a set of generic actions, we establish a policy for action firing, with a set of predefined variables such as source IP, date, plugin or any other log field being substituted in real time with actual values.
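As an added illustration (not OSSIM's own code) of how the per-event risk described above feeds the action-firing policy: the formula asset × priority × reliability / 25 is the one OSSIM documents but is stated here as an assumption since the page does not give it, and the event fields, the `$variable` names in the action template and the sample events are all constructed for the example.

```python
from string import Template

# Constructed sample events (not OSSIM data). Field names are illustrative;
# the three numeric fields follow OSSIM's scales: asset 0-5, priority 0-5,
# reliability 0-10.
EVENTS = [
    {"plugin": "snort", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20",
     "date": "2008-01-01 10:00:00", "asset": 5, "priority": 4, "reliability": 8},
    {"plugin": "snort", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.21",
     "date": "2008-01-01 10:00:05", "asset": 2, "priority": 4, "reliability": 8},
    {"plugin": "ssh", "src_ip": "10.0.0.9", "dst_ip": "10.0.0.20",
     "date": "2008-01-01 10:01:00", "asset": 5, "priority": 1, "reliability": 3},
]

SCALES = {"asset": 5, "priority": 5, "reliability": 10}

def risk(event):
    """Per-event risk on a 0-10 scale. The formula asset*priority*reliability/25
    is the one OSSIM documents; treated here as an assumption, not page text."""
    for name, top in SCALES.items():
        if not 0 <= event[name] <= top:
            raise ValueError(f"{name}={event[name]} outside 0..{top}")
    return event["asset"] * event["priority"] * event["reliability"] / 25

def render_action(template, event):
    """Substitute $variables (source ip, date, plugin, ...) with event values.
    safe_substitute leaves unknown placeholders intact instead of raising."""
    return Template(template).safe_substitute(event, risk=risk(event))

def fire_actions(events, threshold, template):
    """Policy: fire the action for every event whose risk reaches the threshold."""
    return [render_action(template, e) for e in events if risk(e) >= threshold]

def consolidate_by_host(events):
    """RiskMetrics-style roll-up: highest risk seen per destination host."""
    scores = {}
    for e in events:
        scores[e["dst_ip"]] = max(scores.get(e["dst_ip"], 0.0), risk(e))
    return scores

if __name__ == "__main__":
    mail = "mail admin: $plugin saw $src_ip -> $dst_ip at $date (risk $risk)"
    for line in fire_actions(EVENTS, 5.0, mail):
        print(line)
    print(consolidate_by_host(EVENTS))
```

With the constructed events only the first one (risk 6.4) crosses the threshold of 5.0, while the host roll-up still records the lower-risk events against their hosts.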


Incident Management

The Incident Manager allows tickets to be created from most of the OSSIM reporting tools, such as the Alarm Panel, the Forensic Console or the RiskMetrics Score Dashboard.

Incident flow can be tracked here, and individual incidents assigned to different users, with every change communicated to a list of subscribers.

Finally, accurate reports can be generated in order to measure response time and effectiveness.

OSSIM includes an Incident Manager which controls the assignment of tasks to be accomplished as a result of all the actions generated by security events.


Central Policy Management

A Central Policy Manager defines how each single event from each element of a large network should be handled with respect to the following actions:

  • Correlating
  • Forwarding
  • Prioritization
  • Storing
  • Consolidating

This allows a hierarchical organization of Servers and Sensors, with different levels of Correlation and Storage points. Tuning is implemented in a graphical and flexible manner.


Inventory Management

Inventory Management is done in 4 different ways in OSSIM:

  • Passive (automatic and agentless), using p0f, pads and arpwatch
  • Active (automatic, agentless), using nmap
  • Agent (automatic, with an agent), using OCS
  • Manual

Inventory data can be used during correlation to discard or prioritize events.