Security Information and Event Management (SIEM)
Enterprise security information and event management (SIEM) is difficult. Threats appear in real-time, over long periods, and originate from very sophisticated attackers. As a result, effective security management can become a complex and expensive task that overwhelms many organizations. In today's environment, security organizations are stretched thin and most can't afford single-purpose tools or departmental solutions. Many realize they can save money and improve their enterprise security readiness by combining point solutions into enterprise platforms that address the entire lifecycle of security management. With regard to SIEM, this requires integrated sophisticated real-time event correlation, log management, and security workflow.
Unfortunately, first generation SIEM solutions offer limited methods of real-time threat detection and only address single-source, or simple, event correlation. In other cases, they have rigid security taxonomies, or organizational structures, that were built to address external and more basic threats. Their data management layer is only effective at managing gigabytes of online security data, not the terabytes required today. Additionally, these SIEM solutions often require several FTEs to maintain and force customers back to the vendor for unexpected additional appliance purchases and customizations.
The SenSage SIEM solution is built from a foundation of highly scalable log management. SenSage was the first log management company, and has been recognized by Gartner Group and others as having the best analysis capabilities and scale of any log management product. The SenSage SIEM solution is built on this foundation of highly scalable log management, but with a fresh approach to SIEM that includes more sophisticated methods of real-time data analysis, and dramatically improved long-term access to relevant security information. All of these capabilities are integrated into an incredibly powerful management console for creating and managing rules and organizing information into customized dashboards. Finally, the SenSage SIEM solution is open with easily accessible APIs and web services interfaces.
Specific SIEM capabilities include:
- Real-Time Event Correlation - A core element of our SIEM solution is a highly scalable real-time correlation engine, the Scalable Alert Server (SAS). Correlation is based on applying threshold and scenario-based rules against multi-source, real-time event streams. The SAS can easily be distributed to support scalable parsing for large deployments and has virtually no limit on event rate or volume. While real-time correlation performs dynamic parsing, normalization, filtering, analysis and alerting, a separate data fork of the same unparsed event logs and subsequent alerts is sent to a long-term data repository in a tamper-resistant, raw format.
- EventScope - This capability uniquely bridges real-time and historic analysis while maintaining the complete event log for forensic evidence. Instant replay visualization lets events be replayed graphically and in sequence. Events discovered in real-time or through other alerts can be forwarded to service management workflow applications to ensure end-to-end management of incidents.
- Multi-Source Correlation - Correlate data from multiple log sources and assess multiple events using a set of universal attack / event sequences. This feature provides for greatly improved incident coverage and alert accuracy. SenSage uses combinations of pre-incident reconnaissance activity, post-incident activity, and thresholds of events in order to describe scenarios which indicate a serious risk, attack and/or successful compromise of systems or applications. As such, there is not a 1:1 ratio of alert coverage to rule. One rule can cover dozens of threats, resulting in less time managing and creating dozens of repetitive rules.
- Compliance Reporting - Out of the box, SenSage delivers reports that map exactly to the regulations that affect organizations today, including SOX, HIPAA, PCI, DCID and FISMA, among others. SenSage compliance reporting provides auditors with easy access so they can verify security compliance.
- Data Collection - Unmatched data collection. If it creates a log, SenSage gets it with minimal effort and system overhead through an automated collection capability called the Collector.
- Alert Console - Allows line of business view, customized views, and integration into 3rd party consoles.
- Pre-Packaged Real-Time Correlation Rules - Dozens of complex rules are pre-packaged and don't carry an additional cost.
- GUI-Based Rule Creation - The management console includes an easy, intuitive GUI to create and modify real-time correlation rules according to security and compliance needs.
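The scenario-based, multi-source correlation described under Real-Time Event Correlation and Multi-Source Correlation above, reduced to a minimal engine as an added illustration (this is not SenSage code; the rule format, event tuples, source names and thresholds are all constructed for the example). One rule chains pre-incident reconnaissance, a failure threshold, access, and post-incident activity by the same actor inside a time window, and only a complete scenario raises an alert:

```python
from collections import defaultdict

# Constructed sample events from three sources: (time_s, source, type, actor_ip, host).
EVENTS = [
    (100, "firewall", "port_scan", "10.0.0.5", "web1"),
    (160, "vpn", "auth_fail", "10.0.0.5", "vpn-gw"),
    (170, "vpn", "auth_fail", "10.0.0.5", "vpn-gw"),
    (180, "vpn", "auth_fail", "10.0.0.5", "vpn-gw"),
    (200, "vpn", "auth_success", "10.0.0.5", "vpn-gw"),
    (250, "host", "new_admin_user", "10.0.0.5", "web1"),
    (300, "vpn", "auth_fail", "10.0.0.9", "vpn-gw"),  # one failure then success: below threshold
    (310, "vpn", "auth_success", "10.0.0.9", "vpn-gw"),
    (50, "firewall", "port_scan", "10.0.0.7", "web1"),  # recon whose follow-up is outside the window
    (900, "vpn", "auth_fail", "10.0.0.7", "vpn-gw"),
    (910, "vpn", "auth_fail", "10.0.0.7", "vpn-gw"),
    (920, "vpn", "auth_fail", "10.0.0.7", "vpn-gw"),
    (930, "vpn", "auth_success", "10.0.0.7", "vpn-gw"),
    (940, "host", "new_admin_user", "10.0.0.7", "web1"),
]

# Hypothetical scenario rule: stages must occur in order, by one actor, within 600 s.
RULE = {"name": "recon-bruteforce-compromise", "window": 600, "stages": [
    ("recon", "port_scan", 1), ("bruteforce", "auth_fail", 3),
    ("access", "auth_success", 1), ("post_incident", "new_admin_user", 1)]}

def correlate(events, rule):
    """Return one alert per actor whose events satisfy every stage, in order, in the window."""
    by_actor = defaultdict(list)
    for ev in sorted(events):  # sort by timestamp so stages are matched chronologically
        by_actor[ev[3]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        cursor, start, matched = 0, None, True
        for _stage, wanted, threshold in rule["stages"]:
            count = 0
            while cursor < len(evs) and count < threshold:
                ts, _src, seen, _ip, _host = evs[cursor]
                if start is not None and ts - start > rule["window"]:
                    break  # input is sorted, so no later event can fall inside the window
                cursor += 1
                if seen == wanted:
                    start = ts if start is None else start
                    count += 1
            if count < threshold:
                matched = False  # partial scenario: no alert, which keeps noise down
                break
        if matched:
            alerts.append({"rule": rule["name"], "actor": actor,
                           "first_seen": start, "last_seen": evs[cursor - 1][0]})
    return alerts
```

Running `correlate(EVENTS, RULE)` yields a single alert for 10.0.0.5; the lone failed login from 10.0.0.9 and the out-of-window sequence from 10.0.0.7 produce nothing.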