CARMEN

CARMEN, Centre of Log Analysis and Mining of Events, is a tool developed by the National Cryptologic Centre and the company S2Grupo to identify compromises by advanced persistent threats (APTs), and is the first tool based on Spanish technology and know-how.

CARMEN collects, processes and analyzes information to generate intelligence, mainly from network traffic. It consists of agents that capture traffic flows (collection elements), a database engine into which the information is inserted, and a web application for viewing and querying the collected information, so that analysts can work on it and make decisions based on the results the tool provides.

CARMEN can work with the following data sources:

· Proxy logs

· Passive HTTP

· Passive DNS

· Passive SMTP

· Monitoring and storage of IPC data

CARMEN applies predefined rules to every data source to detect misuse and, in particular, significant anomalies (statistical, string-based, time-series and knowledge-based) that may indicate that the organization has been compromised. Analysts can also define and integrate their own know-how in the tool, ranging from IOCs to anomaly conditions.

CARMEN is intended to identify the external movement (C&C servers and exfiltration servers) and the lateral movement of an advanced persistent threat. The tool's collection and analysis capabilities cover the main external communication channels of these threats (web browsing, DNS queries and email), as well as different internal communication mechanisms within the compromised network.

In addition to the persistence stage, CARMEN provides capabilities to detect the threat at the intrusion stage: mainly anomaly conditions that detect common entry mechanisms, such as watering-hole attacks or exploit kits, and the deployment and integration of sandboxing capabilities to detect spear phishing.

Operating CARMEN with guarantees requires company certification in those public bodies where CARMEN is distributed free of license costs, as one of the solutions developed by CCN-CERT for the public sector. To obtain CARMEN partner certification, a company must have a number of certified professionals in each area of specialization, depending on its number of clients.

The program gives access to level 1 and level 2 support services, which are provided by the manufacturer (S2 Grupo).

Companies that hold company certification, or are in the process of obtaining it, to operate CARMEN in the public sector free of license costs, as one of the solutions developed by CCN-CERT:

| Name | Legal name | Website | Certification status |
|---|---|---|---|
| CSA | Centro Regional de Servicios Avanzados, S.A. | www.csa.es | Certified (15/06/2019) |
| Govertis | GOVERTIS ADVISORY SERVICES S.L. | www.govertis.com | Certified (08/05/2023) |
| Grupo ICA | ICA SISTEMAS Y SEGURIDAD S.L. | grupoica.com | Certified (08/05/2023) |
| Innotec Security, a Part of Accenture | InnoTec System, S.L.U. | Innotec.security | Certified (15/11/2019) |
| S2 Grupo | S2 Grupo de Innovación en Procesos Organizativos, S.L | s2grupo.es | Certified (01/01/2019) |

More information

Contact:

PGP Key Download

FINGERPRINT CCFE 30F5 2D0D 60BB 6C8C F1E4 CC65 C901 8DE2 B669
