Welcome to Nextron's Security Center documentation!
The Nextron Security Center is intended to provide multi-tenancy support
to single ASGARD installations. It connects to the Analysis Cockpit and synchronizes
data provided in cases within the Analysis Cockpit.
In the following chapters we will describe how the Security Center works,
how to install the required components, and how to use it.
This is an introductory chapter to the Security Center.
Please read this chapter before you start installing or even
configuring your new Security Center.
This chapter contains Hardware Requirements, Licensing and
other topics.
All assets assigned to a specific tenant within the ASGARD Management
Center will be synchronized to this tenant in the Analysis Cockpit
and finally to the Security Center.
In a service provider setup, a team of analysts would be working on event
analysis and would use the Analysis Cockpit for that. Event analysis is
independent of specific tenants. A case created in the Analysis Cockpit
can affect one or more tenants.
If a case meets pre-defined criteria its content gets synchronized to
the Security Center and leads to the creation of one or more findings
for one or more tenants within the Security Center.
The Security Center provides the option for a second service provider
team that is intended to assist the customers (tenants) with the findings.
Communication between customers and the customer service team can be done
through the “Comments” function within the Security Center.
The following image shows an architecture overview with all products and
their communication relationships.
In the figure above, the Security Center – which consists of the Security
Center Frontend and the Security Center Backend – is shown as a single
functional block. Security Center Frontend and Security Center Backend
can be installed in separate DMZ networks if required. This is optional
however.
The ASGARD components use the ports in the following chapters.
For a detailed and up to date list of our update and licensing
servers, please visit https://www.nextron-systems.com/hosts/.
All proxy systems should be configured to allow access to these URLs without
TLS/SSL interception (ASGARD uses client-side SSL certificates for authentication).
It is possible to configure a proxy server, username and password during the setup
process of the Security Center. Only BASIC authentication is supported (no NTLM
authentication support).
Hint
The Security Center installer requires Internet access during the setup. The
installation process will fail if required packages cannot be loaded from our update
servers (see table above).
All the components need to have a resolvable FQDN.
The Security Center needs to be able to resolve internal and external IP addresses.
Connection to the Analysis Cockpit MUST be done with a resolvable FQDN. IP addresses will not work.
You can do a quick hash check to verify that the download was not corrupted.
We recommend verifying the downloaded ISO's signature, as this is the cryptographically sound method.
The hash and signature file are both part of the ZIP archive you download from our portal server.
user@host:~$ wget https://www.nextron-systems.com/certs/codesign.pem
user@host:~$ openssl dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
or in PowerShell (the quoted path to openssl.exe needs the call operator & in front of it):
PS C:\Users\user\Desktop\asgard2-installer> Invoke-WebRequest -Uri https://www.nextron-systems.com/certs/codesign.pem -OutFile codesign.pem
PS C:\Users\user\Desktop\asgard2-installer> & "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" dgst -sha256 -verify codesign.pem -signature nextron-universal-installer.iso.sig nextron-universal-installer.iso
Verified OK
Note
If openssl is not present on your system you can easily install it using winget: winget install openssl.
In this manual we are working with one server for both the
Security Center Frontend as well as the Backend. You can however
install the two services on two separate servers. If this is the case
please install a second server.
Create a new VM with your virtualization software. In this case, we will use VMware ESX managed through a VMware vCenter.
The new VM must be configured with a Linux base system and Debian GNU/Linux 10 (64-bit) as
target version. It is recommended to upload the ASGARD ISO to an accessible data store
and mount it to your newly created VM.
Please make sure to select a suitable v-switch or physical interface that reflects
the IP address scheme you are planning to use for the new Security Center.
The installation process is started by clicking on ASGARD Graphical install.
The installer then loads the additional components from the ISO and lets you select location and language.
Warning
Please make sure to select the correct Country, as this will also set your local timezone!
Note
If DHCP is available, network parameters will be configured automatically.
Without DHCP, ASGARD drops into the manual network configuration dialogue.
The IP address can be changed later, see Changing the IP-Address
The Security Center needs to be able to resolve internal and external IP addresses.
Danger
Important: Make sure that the combination of hostname and domain
creates an FQDN that can be resolved from your Analysis Cockpit.
Connection to ASGARD Analysis Cockpit will rely on the FQDN.
Finally, write your configuration to the disk by selecting "Yes" and clicking "Continue".
If you are using a proxy to access the internet, enter the proxy details
in the next step. Please note, Internet connectivity is required for
the next step.
The base installation is now complete. In the next step we will install
the Frontend and Backend Components. For this step Internet connectivity is required.
Use SSH to connect to the appliance using the user nextron
and the password you specified during the installation. If SSH is
not available, you can perform the next steps via the Console of
your Virtualization Host, though SSH has better capabilities.
There might be a case where the name of the network interface (in this example: ens32) is different.
To verify this you can run ip a and see the name of the network interface.
The new IP can be applied with the command sudo systemctl restart networking.
Make sure to update the A records in your local DNS server to reflect the IP changes.
This chapter will explain how to install the Security Center components
on your server(s). We recommend starting with the Backend, since the
Frontend installation requires the configuration of the Backend.
Please keep in mind that you can install the Frontend and Backend on
two separate servers. For simplicity, we chose to install both services
on the same server. If you wish to install the Frontend and Backend on
two separate servers, please see Installing two separate servers.
The Nextron Universal Installer is a web-based installer
which will guide you through the installation of our
ASGARD products. The Nextron Universal Installer will install
one of the following products on your server (this manual
focuses on the ASGARD Security Center (All-in-one)):
ASGARD Management Center; alternatively, if your license permits:
    ASGARD Broker
    ASGARD Gatekeeper
    ASGARD Lobby
    Master ASGARD
ASGARD Analysis Cockpit; alternatively:
    Elasticsearch Cluster Node for ASGARD Analysis Cockpit
ASGARD Security Center, in the following variants:
    ASGARD Security Center (Backend Only)
    ASGARD Security Center (Frontend Only)
    ASGARD Security Center (All-in-one, not recommended)
Note
You can only install one product on one server, since the
products are not designed to coexist on the same server.
The exception being the ASGARD Security Center (All-in-one).
The installation takes roughly 5 to 15 minutes, depending
on your internet connection and the server you are installing
the product on.
If you encounter problems during your installation, please see
Diagnostic Pack for further instructions.
After the ISO installer is finished with the setup,
you will be greeted at the console login prompt with
the following message:
Follow the instructions and navigate to the webpage
displayed on your console. You will most likely get
a browser warning when you connect to the page for the
first time. This is due to the page using a self-signed
certificate, since it will only be used to install the
ASGARD Security Center. You can safely ignore this
warning and proceed to the page.
You will be greeted with a small introduction as to what
the Nextron Universal Installer is and what it does. After
you click Next, you will be presented with the landing
page of the Nextron Universal Installer.
Enter the Installation Code from the terminal and click
Next. The Installer will now guide you through the
installation.
The Nextron Universal Installer will try to connect to our
update server in order to download all the necessary packages
once the installation starts. Make sure you can reach the
update servers (see Internet).
Please configure your proxy settings if you are behind a
proxy (see Proxy and NTP Settings).
The Nextron Universal Installer will prompt you to verify the
FQDN which you configured during the installation of the base
system (see Network Configuration). This
is needed in order for your ASGARD Components to communicate via
an HTTPS connection with each other. If there is a mismatch of
FQDNs, your components will not be able to communicate with each
other.
If the displayed FQDN is not correct, you can change it by
clicking on the View FQDN Change Instructions button.
This will open a dialog with instructions on how to change
the FQDN of your server. Once you have changed the FQDN,
you can continue with the installation.
If you need to configure a proxy or change the NTP settings
of your system, you can do so by clicking on the Settings
button in the left menu of the Nextron Universal Installer.
If you configured a proxy during the ISO installation, those
settings will be carried over into the Universal Installer.
The settings will also be carried over into your ASGARD
Security Center. The same goes for NTP.
In case of errors or problems during the installation, you can
download a diagnostic pack by navigating to the Diagnostics
tab in the left menu of the Nextron Universal Installer. Click
on the Download Diagnostic Pack button to download the
diagnostic pack. You can then send the diagnostic pack to our
support team for further analysis.
If you wish to separate the Frontend and Backend of the ASGARD
Security Center, you can do so by installing the Backend on one
server and the Frontend on another server. Simply choose one of
the options during the Select Product stage of the Nextron
Universal Installer.
Hint
You have to start with the installation of the Backend, since
the Frontend needs the configuration of the Backend to work
properly.
After the Nextron Universal Installer finished the installation of
the ASGARD Security Center Backend, you have to download the configuration
file from it (model.config). You can do this by connecting to the
server via SSH. The file can be found in the following directory:
/etc/asgard-security-center-backend/model.config
You can now start with the installation of the Frontend.
You can also check if the service of the Backend was installed successfully.
During the installation of the ASGARD Security Center Frontend, you will
be prompted to upload the configuration file of the Backend. Use the file
(model.config) you downloaded earlier from the Backend. Once the installation
is finished, you can check if the service was installed successfully.
This chapter contains the first steps after installing the
Security Center. Please follow these steps to avoid
issues at later stages. Here we will change the default
credentials and connect your Security Center with your
existing Analysis Cockpit. Additionally, we will create
your first tenant.
You can log into the Backend with the following default credentials.
The admin user will work for both Frontend and Backend, but for the
initial configuration, we recommend to perform the next steps on
your backend.
After you logged in for the first time, you have to change the
default password before you can continue.
The password has to be at least 12 characters long and contain
at least one lowercase letter, one uppercase letter, one digit and
one special character.
After you have changed the default password, we advise setting up
the second factor. You can do this by clicking your username in
the top right corner and navigating to User Settings.
The admin user has access to all tenants. Use this user
only for administrative tasks, as you will have access to all
the sensitive data within the Security Center.
In order to get data from your Analysis Cockpit into
the Security Center, we need to connect both systems
first. This can be done via the Web UI of both systems.
To connect your Analysis Cockpit with your Security Center,
you have to navigate to Settings > Analysis Cockpit.
Click Connect Analysis Cockpit in the top right corner.
This will generate a One-Time Code which is valid for
two hours. We need this code in our Analysis Cockpit now.
Before you connect your Analysis Cockpit to your Security Center,
decide which cases should be synchronized to the Security Center.
Keep in mind that once synchronized, data will remain on the
Security Center, even if synchronization criteria are modified.
We recommend synchronizing only cases that contain actionable
information, which is fully analyzed and finally validated.
For that reason, we recommend to only synchronize data with
a case status of Closed. In this situation, Closed means
that the analysis is finished.
It is important to understand that a case with status Closed
will lead to one or more Findings being opened within the
Security Center. The actual remediation is then tracked within
the Security Center.
The Automatic Mode will automatically flag all cases in your
Security Center, which match the criteria from Case Types and
Case Status.
Important
As with all our products, you have to use an FQDN to connect
the Analysis Cockpit with your Security Center. Make sure
that the Analysis Cockpit can resolve the FQDN of the Security
Center and reach it via the necessary port.
You can find the needed network ports in the chapter
Analysis Cockpit.
Once you connected your Analysis Cockpit to your Security Center,
you can find the status and some statistics in your Security Center
in Settings > Analysis Cockpit.
Open your browser and connect to the Security Center
Backend. After logging in with your administrative credentials,
navigate to Tenants and click Add Tenant in the top
right corner.
Choose a Name for the tenant and the Asset Labels
associated with this tenant. The labels are used to assign
assets from the Analysis Cockpit to a tenant. An asset will
be assigned to a tenant if it has at least one of the labels
selected.
You can always modify the labels for a tenant by clicking the
Edit button in the Actions column.
Danger
It is important to understand that an asset is assigned to
a specific tenant the moment it first shows up with a label
that fits to this specific tenant. Changing the label at a
later point will NOT cause the asset to be assigned to
another tenant.
Hint
To automatically assign assets to the correct tenant,
service providers can create a tenant-specific agent installer
(on the ASGARD Management Center) with a preset and unique
label for every tenant. This agent installer can be provided
to the specific tenant for installation.
You can create an optional user group (role) for the
Security Center. Such a group is assigned to non-administrative
users of the Security Center. Individual users will then be assigned
to a tenant with those permissions.
To do this, navigate to Settings > Roles and click
Add Role in the top right corner.
You can find all the users in Settings > Users. Here you
can create new users for your tenants. You will also find the admin
user, which is assigned to All Tenants. Create a new user
by clicking Add User in the top right corner.
Make sure to use the correct role and tenant for this user, as this
will determine what the user can access.
Hint
Currently you can only create normal user accounts for a tenant.
In future versions you will be able to create tenant-specific
administrative accounts, which will be able to create users
for their own tenant.
The tenant users should use the Security Center Frontend
to access their data. See Customer Access.
In this chapter we will explain how to work with the
Security Center. We will explain how to manage findings,
how to work with your assets and how to manage tenants.
For simplicity's sake, let's consider a scenario
where a service provider scans all endpoints of
all connected tenants on a weekly basis. In our
scenario, the tenants are named EMEA, USA, Customer_XYZ,
and ASIA_CORP.
The service provider has a team of analysts (Analyst Team),
which is working on the Analysis Cockpit and is
providing tenant-independent valuation of events by
building cases. A second team of security specialists
(Customer Service Team), which is more focused on the
individual tenants/customers, is working on the Security Center.
They provide guidance to individual customers where needed.
Asset data contains endpoint-related data like operating
system version, IP addresses, hostname, local users (Windows only)
and installed software (Windows only).
An endpoint is assigned to a particular tenant based on
the label set in the ASGARD Management Center. It is
recommended to prepare custom agent installers for every tenant
with a built-in label. Please see the ASGARD MC manual for details.
This is to ensure an endpoint is automatically assigned to the
correct tenant and human error cannot lead to an endpoint being
assigned to the wrong customer. The mapping between tenant and label
can be found in the chapter Setting up your first Tenant.
An asset will be assigned to a tenant in the very first moment an
asset shows up with a mappable label. Once mapped to a tenant, the
asset will remain with this tenant forever – even if an asset's label
is changed to another mappable label.
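The label-based assignment rule described here and in Setting up your first Tenant, written out as a small Python model. This is an added example, not Nextron code; the tenant names EMEA and USA come from the scenario in this chapter, the labels and the second hostname lx01 are constructed, and the handling of labels that match more than one tenant is an assumption, since the manual does not say how overlaps are resolved.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class TenantRegistry:
    """Tenant name -> asset labels configured for it (Settings > Tenants),
    plus the sticky asset-to-tenant assignments learned so far."""
    labels: dict[str, set[str]]
    assignments: dict[str, str] = field(default_factory=dict)

    def tenants_for_labels(self, asset_labels: set[str]) -> list[str]:
        """All tenants that share at least one label with the asset."""
        return [t for t, tl in self.labels.items() if tl & asset_labels]

    def observe(self, hostname: str, asset_labels: set[str]) -> Optional[str]:
        """Process one synchronisation of an asset and return its tenant.

        The first mapping wins for good: a later label change, even to a label
        of another tenant, does not move the asset. An asset without a
        mappable label stays unassigned until one appears. Labels matching
        more than one tenant are treated as a configuration error
        (assumption: the manual does not define this case)."""
        if hostname in self.assignments:
            return self.assignments[hostname]
        candidates = self.tenants_for_labels(asset_labels)
        if len(candidates) > 1:
            raise ValueError(f"{hostname}: labels {sorted(asset_labels)} map to "
                             f"several tenants {candidates}")
        if candidates:
            self.assignments[hostname] = candidates[0]
            return candidates[0]
        return None


if __name__ == "__main__":
    # Constructed sample: two tenants from the scenario, three synchronisations.
    registry = TenantRegistry({"EMEA": {"emea"}, "USA": {"usa", "us-east"}})
    print(registry.observe("windows06-pg01", {"usa"}))    # USA
    print(registry.observe("windows06-pg01", {"emea"}))   # still USA: sticky
    print(registry.observe("lx01", {"lab"}))              # None: no mappable label
    print(registry.observe("lx01", {"emea"}))             # EMEA: mapped on first hit
```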
Event data synchronization is defined in the Analysis Cockpit
(see Configure your Analysis Cockpit).
Once a case with the defined type has been set to the defined
status, the case data will be synchronized to the Security Center
and a Finding will be opened for all assets within this case –
regardless of the affected tenant.
As it is recommended to only synchronize events that are actionable
AND fully analyzed, the default criteria for synchronization are
"Incident", "Suspicious" and "Vulnerability" with regard to the case type.
By default, only cases with status "Closed" – which stands for "Analysis
is finalized" – are synchronized. However, the service provider is free
to configure this according to their needs and processes.
Important
It is not uncommon that a single case triggers multiple findings for
multiple assets and multiple tenants. As case data will be copied to
every finding regardless of the tenant, the analysts must avoid storing
tenant-specific information in the cases' assessment fields, summary
fields and custom recommendation fields.
The default progresses for findings are New, In Progress,
Remediated and Closed. They can be amended or changed
under Settings > Progress List to meet the organization's needs.
The Priority has to be a unique value between 1 and 127.
The progress with the highest priority will be treated as Open,
the progress with the lowest priority will be treated as Closed.
Step 1:
A tenant's security analyst opens a particular finding. Now all
affected assets are shown in the sidebar. They set the status to
In Progress for one or multiple assets within the finding,
as they are now working on this issue.
Step 2:
Now the organization works on remediating the finding. Once remediated,
the status should be changed to Remediated.
Step 3:
Ideally the remediation should be confirmed by waiting for the next scan –
in our working model this is one week as a maximum. If the finding is not
detected anymore, the Still Detected flag changes to No. Now the
finding's status can be changed to Closed. Once the finding is set to
Closed for all endpoints within the finding, the finding's status will
automatically change to Closed.
Alternatively, it is possible to start from an asset-based view and
work on potentially multiple findings on this endpoint. The figure
below shows two different findings on the system windows06-pg01. The findings
can now be selected, and their status can be changed and/or they can be set
to legitimate.
Sometimes the same finding represents an incident for one customer while
another customer finds the same thing to be legitimate – or at least
legitimate for this particular endpoint. For this reason, a finding that
is not intended to be remediated can also be flagged Legitimate. This
can be done by clicking on the finding and selecting the Affected Assets
tab. One can now select one or multiple assets and change their status or
set the finding to legitimate.
Let's consider a situation where a finding has been closed but the next
scan finds the very same issue on one endpoint within the finding. In
this case the entire case will be flagged with Call for Action. The
picture below shows a finding that has been set to closed, but we find
it highlighted and the Call for Action column states Yes.
However, if a finding has been flagged to be legitimate the Call for Action
flag will not be set. The picture below shows a finding regarding Laudanum
that was detected on two endpoints.
As we can see, the finding is closed and not highlighted, although it is
still detected on the second asset. The reason for this is that it has
been set to Legitimate.
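The finding lifecycle from the steps above, including the progress list priorities, automatic closing, the per-endpoint Legitimate flag and Call for Action, as a small Python model. This is an added example, not Nextron code: the default progress names are the manual's, while the priority numbers and the second hostname windows07-pg01 are constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable


class ProgressList:
    """Progress names with their priorities (Settings > Progress List).
    Priorities must be unique values between 1 and 127; the highest one is
    treated as Open and the lowest one as Closed."""

    def __init__(self, priorities: dict[str, int]):
        values = list(priorities.values())
        if len(set(values)) != len(values):
            raise ValueError("progress priorities must be unique")
        if any(not 1 <= v <= 127 for v in values):
            raise ValueError("progress priority must be between 1 and 127")
        self.priorities = dict(priorities)
        self.open_name = max(priorities, key=priorities.__getitem__)
        self.closed_name = min(priorities, key=priorities.__getitem__)


# Default progress names from the manual; the priority numbers are constructed.
DEFAULT_PROGRESS = ProgressList(
    {"New": 127, "In Progress": 90, "Remediated": 50, "Closed": 1})


@dataclass
class AffectedAsset:
    hostname: str
    progress: str = "New"
    legitimate: bool = False     # "set to legitimate" for this endpoint only
    still_detected: bool = True  # Still Detected flag, updated by each scan


@dataclass
class Finding:
    name: str
    assets: list[AffectedAsset]
    progress_list: ProgressList = field(default_factory=lambda: DEFAULT_PROGRESS)

    def _select(self, hostnames: Iterable[str]) -> list[AffectedAsset]:
        wanted = set(hostnames)
        return [a for a in self.assets if a.hostname in wanted]

    def set_progress(self, hostnames: Iterable[str], progress: str) -> None:
        """Change the status of one or more assets from the Affected Assets tab."""
        if progress not in self.progress_list.priorities:
            raise ValueError(f"unknown progress {progress!r}")
        for asset in self._select(hostnames):
            asset.progress = progress

    def set_legitimate(self, hostnames: Iterable[str]) -> None:
        """Flag the finding as Legitimate for the given endpoints only."""
        for asset in self._select(hostnames):
            asset.legitimate = True

    def record_scan(self, detected_on: Iterable[str]) -> None:
        """Apply the next scan: Still Detected becomes No wherever the issue is gone."""
        found = set(detected_on)
        for asset in self.assets:
            asset.still_detected = asset.hostname in found

    def is_closed(self) -> bool:
        """The finding closes automatically once every affected asset is Closed."""
        closed = self.progress_list.closed_name
        return all(a.progress == closed for a in self.assets)

    def call_for_action(self) -> bool:
        """Raised when a closed finding is detected again on an endpoint that
        has not been flagged Legitimate; a Legitimate endpoint never raises it."""
        return self.is_closed() and any(
            a.still_detected and not a.legitimate for a in self.assets)
```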
Comments are intended to be used for communication between a tenant's
employees and the service provider's customer care team. Comments can
be assigned to an asset or to a case.
Service Providers can use the Security Center by logging into the
administrative backend system on port 8443 and setting the desired
tenant in the upper right corner of the overview tab.
Now the sections Assets, Findings, and Comments only show
information related to this tenant. The picture below shows allocation
to the tenant USA.
You can customize the corresponding tenant view, i.e. if you have
selected a tenant, only the information about this tenant will be
displayed (Findings, Assets ...). If you switch to All Tenants
you will see all information. This applies to the entire navigation
tree.
In this chapter we will walk through some administrative
tasks you might need when working with your Security Center.
You will need access to the command line, the Web UI, or both
to perform those tasks, so make sure you have access before
continuing.
Since the Security Center does not contain an
"Update" menu in your Web UI, you need to update
the version via the command line.
To do this, connect to your Security Center Frontend
and Backend via SSH. If you are running the Frontend
and Backend on the same server, you only need to perform
the next step once.
We run the following command to update the minor version
of your Security Center:
In this chapter we will explain how to upgrade your
Security Center v1 to the newest version. Since we
mainly focus on the new Version 2 of the Security
Center in this document, we want to help you through
the upgrade process from your older Version 1 of the
Security Center to the newest one, so you can make use
of the newest features.
If you are running your Security Center Frontend and
Backend on two separate servers, you will have to
do the steps below for both servers. You can
upgrade them at the same time to reduce downtime.
We are using a new update server for the new versions
of the Security Center. Please make sure the following
server is reachable by both your Frontend and Backend
server:
Description       Port      Source                               Destination
Product Updates   443/tcp   Security Center Frontend & Backend   update-301.nextron-systems.com
Please make sure your local firewall allows the connection
to the new update server, otherwise the upgrade will not
work.
To prepare for the upgrade, make sure that you have
an up to date backup of both your Security Center backend
(sometimes referred to as "model") and the frontend.
We advise to take a snapshot of the VMs with your
hypervisor.
After you created a backup/snapshot, we need to update
both frontend and backend servers to the newest version.
If you have the frontend and backend installed on the same
system, you need to run the next commands only once. If you
have two separate servers, repeat the next steps for each
of them.
Connect to your Security Center v1 via SSH. Update your
current Security Center v1 to the newest version:
nextron@seccenter:~$ sudo apt update && sudo apt dist-upgrade
[...]
Do you want to continue? [Y/n] y
Please confirm the Linux upgrade by pressing y and Enter.
This will not upgrade your Security Center, only the underlying
Linux operating system.
After we prepared the system(s) for the update, we can run
the following command to install version 2 of the Security
Center. Please note that this step cannot be reversed, and your
Security Center will be running with the newest version after
the update has finished.
nextron@seccenter:~$ start-asgard-update
Created symlink /etc/systemd/system/multi-user.target.wants/asgard-updater.service → /lib/systemd/system/asgard-updater.service.
Successfully started the ASGARD update process.
To monitor the update progress and view log files, you can use the following command:
sudo tail -f /var/log/asgard-updater/update.log
Warning
Your server will restart multiple times during the upgrade process.
Do not restart the server manually. You can log into the
server and run the following command to monitor the progress:
sudo tail -f /var/log/asgard-updater/update.log
Since the password for the admin user is stored only on the Backend,
you have to reset the password via console. To reset the password for
the admin user on the Security Center Backend, run the following
command via console:
nextron@sc-back:~$ sudo asgard-security-center-backend set-password
Please enter password for user `admin`:
Please re-enter password for user `admin`:
nextron@sc-back:~$
There is currently a rare issue where the backend is not starting
after upgrading to v2. This is due to insufficient permissions for
the MySQL Trigger.
If you upgraded your Security Center to version 2 and everything
seems to be working fine, you can ignore this advisory.
We are currently working on a more robust upgrade process to prevent
this from happening in the future.
After a successful upgrade to version 2 ("Upgrade finished" message can be
seen, see Performing the Upgrade), you might encounter
the following error message in /var/log/asgard-security-center-backend/server.log:
{"level":"FATAL","time":"2024-04-03T18:49:16+02:00","message":"failed to init database schema","error":"Error 1142 (42000): TRIGGER command denied to user 'securitycenter-model'@'localhost' for table `asgard-security-center-backend`.`assets`"}
To fix this problem, run the following commands on your backend.
Drop the MySQL trigger (no data will be lost):
nextron@backend:~$ sudo mysql asgard-security-center-backend -e "DROP TRIGGER IF EXISTS assets_updated_fields;"
Restart the backend service. This will recreate the trigger with the correct permissions
automatically:
This release refactored the architecture between tenant-based UI, administrative UI
and the servers. This also implies a full refactor of the API.
If you have installed the Security Center and the Security Center Model
on the same server, you can upgrade those components without any implications.
If you have installed the Security Center and the Security Center Model
on different servers, the following things will change for you:
The administrative UI is no longer available from the Security Center server; the administrative UI
will instead be served on the Security Center Model server.
The administrative UI can no longer use the same HTTPS TLS certificate as the tenant-based UI;
you will have to generate a new certificate for the admin UI in the administrative UI settings section.
The license has to be re-imported in the administrative UI.
Type      Description
Feature   All sections are now cross tenant.
Feature   Added a new 'ASGARD Query' search bar to most tables to support more complex searches
Feature   Added 'Change History' for assets and findings
Feature   Added charts in overview page for assets/findings per status, assets per day, ...
Feature   Automatically close all findings that are 'Legitimate Anomaly' or 'False Positive'
Feature   Automatically delete and close findings on case deletion or if an asset has been removed from a case
Feature   Light Mode
Feature   Manage frontend TLS certificate and backend TLS certificate separately
Feature   Create users that do not have to change their password
Change    Moved administrative UI from the Security Center server to the Security Center Model server
Change    Removed 'Call for Action' for findings in 'False Positive' or 'Legitimate Anomaly' state