Log Management for compliance and user access reporting augmenting Cisco MARS
Security professionals require a set of security information and event management (SIEM) tools to address end-to-end security monitoring, log management, audit and compliance.
Cisco Security Monitoring, Analysis and Response System (MARS) is an example of a product with excellent real-time collection and automated threat response aimed at network monitoring through its interaction with routers, firewalls and other network devices (i.e., “security monitoring”). However, MARS does not easily lend itself to working at the operating system, database, or application levels. In addition, because MARS was designed to focus on managing real-time threats to the network, its data store was designed for short-term storage. For compliance reporting today, organizations require the ability to analyze event logs over much longer periods of time, months or often years – driving a substantial data management aspect to SIEM implementations.
Working with dozens of Cisco MARS implementations, SenSage has developed a complementary log management solution for MARS that provides a comprehensive event data warehouse to support a broader footprint of source types (including applications and databases), substantially improved data retention, and greatly enhanced data analytics for compliance reporting and user-access monitoring.
Audit Requirements for Compliance Bring New Challenges
Log management is now required to ensure regulatory compliance. Industry analysts, auditors and security experts agree that long-term data retention is a primary requirement in SIEM implementations. Reasons include:
- A lack of guidance on what must be captured to pass audits, which creates the need to collect, store and search more log data
- Several regulations require that log data be stored for years
- The usefulness of detailed, historical log data analysis for breach investigation and general forensics
Many organizations are realizing that collecting and storing log data has become a complex and expensive task that quickly overwhelms SIEM systems. A typical enterprise can collect gigabytes of log data per day, quickly growing into terabytes over weeks and months. Analyzing log data and producing useful reports to meet auditor requirements can take days or weeks, depending on data volume and the complexity of the search. Very often, meeting these technical challenges requires several FTEs for maintenance as well as the implementation of Cisco MARS archiving.
Introducing SenSage for Cisco MARS
SenSage offers unique, patented solutions for comprehensive event data warehousing for log management and compliance. SenSage has developed a turnkey log management and compliance solution that easily collects data from MARS and correlates it with hundreds of other sources to provide a compliance reporting solution that maps directly to auditor requirements.
SenSage for Cisco MARS works with and improves Cisco MARS
- SenSage adds user and access-oriented compliance monitoring correlation to Cisco MARS events. Now network events from MARS can be automatically correlated with user access events and changes for a complete description of security incidents.
- Heterogeneous Data Support. Larger enterprises with heterogeneous network device data source requirements and those that require flexible analysis of host-based event logs and user activity analysis for compliance will find syslog data insufficient for those specific needs. SenSage augments syslog event data with event data from multiple sources including relational databases, commercial applications and proprietary applications.
- Online Data Retention. While MARS offers an archiving function to store raw data after it is overwritten by MARS, accessing this data requires DBA support and an additional MARS appliance. SenSage completely replaces the MARS archival function by placing MARS event data, correlated with other data sources, into an online data storage area that is available for compliance reporting and forensic queries.
- Compliance Reporting. Right out of the box, SenSage delivers reports that map exactly to the regulations that affect organizations today, including SOX, HIPAA, PCI, DCID, FISMA, etc. Give your auditors access to SenSage compliance reporting so they can easily verify security compliance.
SenSage Differentiators: The most versatile security information management (SIM) solution on the market. Here’s why:
- Data Source Collection – Syslog is OK, but not everything supports it. SenSage offers agentless, automated collection with over 200 products supported out-of-the-box. And with full log capture, you don’t have to make choices about which sources to monitor and what data to collect. Batch and streaming collection, from the business application to the mainframe, and field-level collection of custom sources: SenSage supports it all.
- Custom Source Data Collection – Do you have a custom data source not supported out-of-the-box, such as that critical business application? SenSage has not met a log source that it did not like. SenSage supports custom sources with its Intellischema™ technology that allows for full field-level reporting, analysis, and investigations. SenSage automatically maps all data fields, unlike other products that only allow a small number of fields.
- Storage and Retention – Patented, purpose-built, columnar database for event data, 90% compression, clustered technology scales from one to hundreds of GBs per day, minimum 1 year of data online and queryable, extended storage integration is also fully queryable (no archiving), secure, self-tuning, data redundant and fault tolerant. Best of all, no DBA required. Do you have longer retention requirements? Either add additional nodes to the repository cluster, or take advantage of SenSage integration with storage vendors like EMC®, HDS® and NetApp®. That enables multiple years’ worth of data online, still fully queryable. SenSage’s patented technology allows organizations to query multiple years of data, over 25 terabytes, in minutes.
- Analytics and Forensics – Features include pre-defined reports mapped specifically to the regulatory standards, real-time event correlation, graph and table views, dashboards, policy exception analysis, forensic investigations, report scheduling and electronic delivery options.
- Query Precision – Do you need to find a particular event, such as a user copying or deleting a file? SenSage automatically correlates event data using the power of SQL. Other SIM vendors rely on text-based search that they compare to Google searches. The problem is that Google brings back thousands or millions of records for its queries. Don’t spend time sifting through thousands of returned records. SenSage finds what you need, exactly and quickly.