Security Information & Event Management (SIEM)

Security information & event management (SIEM) software is essential to managing the alerts generated in support of effective IT security. As enterprises deploy an increasing number of point solutions such as firewalls, IPS, DLP, and anti-malware systems, it becomes clear very quickly that these products generate too much information: they swamp operators and analysts with noise and meaningless alerts. SIEM systems collect, consolidate and correlate security product log and event data, enabling smart filtering, automated threat triage and smart intruder detection. Enterprises that deploy effective SIEM systems can see a dramatic reduction in the number of alarms that need to be investigated, saving considerable time and effort.

EventCenter is a security information and event management (SIEM) product that receives risk-factored log events of interest from the LogMatrix Collectors, including data from security devices, network devices, identity stores, data stores, and business services from across the enterprise. It then performs real-time event correlation and generates alerts, which it sends to LogMatrix CommandCenter. The complete process, from event collection to alerting, is done in memory in real time.

EventCenter's primary method of event correlation is a risk-based algorithm that has proven extremely effective at detecting threats, including zero-day attacks, while minimizing false positives. However, no single algorithm can detect every type of threat. Therefore, EventCenter concurrently executes multiple algorithms, including our risk-based, low-and-slow and compromised-system algorithms, and a rules engine.

- Continuously sifts data, correlating and calculating risk using pre-defined risk models
- Provides real-time alerting and correlation for operations & security
- Alerts are issued only when thresholds are crossed
The key, though, is that while our competitors rely on rules programming as the primary method of event correlation, EventCenter customers use the rule engine as a last resort. The advantages of this approach are much faster deployments (weeks rather than months), higher-quality alerts (fewer false positives and fewer false negatives), much lower administrative and operational resource requirements, and the ability of your security operations team to respond more quickly and effectively, freeing up staff time for proactive mitigation and vulnerability management activities. In other words, better situational analysis at much lower cost.

Another key capability that enables EventCenter to be so successful at threat detection is its use of external information to provide greater decision-making context. Examples of this referential data include vulnerability scanner information, IP reputation services, asset management systems, and directory services. In general, the more information you can provide, the higher the quality of the alerts.

EventCenter also employs a new concept that we call "normalized risk scoring." This capability supports the ability of EventCenter to model user-based activities across different applications, each with its own set of risk factors. Absolute numbers would prevent you from comparing the riskiness of events from different applications, so instead EventCenter normalizes risk scores such that all risk scores fall in the range >0 to 100. This normalized risk scoring actually strengthens the efficacy of the behavior anomaly algorithm.

- Supports risk-based prioritization and scoring
- Risk score applied to every possible event type for each event source
- “Turn the dial” to adjust risk score
- Employs “Threat – Vulnerability” database with over 345,000 entries
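The following is an added illustration of the normalized risk scoring idea described above; it is not EventCenter's code or LogMatrix's actual algorithm. It assumes three hypothetical event sources, each with its own absolute risk scale and an operator-tunable "dial" multiplier, maps every event to a shared score in the range (0, 100], combines the scores per user with a noisy-OR so that repeated low-risk events accumulate, and issues an alert only at the moment a user's combined risk crosses the threshold. All risk models, event types and sample events are constructed values.

```python
"""Toy model of normalized risk scoring with threshold-based alerting.

Illustrative code only (not LogMatrix's algorithm). Each source keeps its own
risk model on its own absolute scale; scores are normalized per source into
(0, 100] so they can be compared and combined across sources.
"""
from collections import defaultdict

# Per-source risk models on their own absolute scales (constructed values).
# "dial" is the operator-tunable multiplier ("turn the dial").
RISK_MODELS = {
    "firewall": {"scale_max": 10, "dial": 1.0,
                 "events": {"allow": 1, "deny": 3, "port_scan": 7}},
    "ids": {"scale_max": 4, "dial": 1.2,
            "events": {"info": 1, "recon": 2, "exploit_attempt": 4}},
    "app": {"scale_max": 1000, "dial": 0.8,
            "events": {"login_ok": 5, "login_fail": 120, "priv_escalation": 900}},
}

# Constructed sample event stream: (source, event_type, entity), in arrival order.
SAMPLE_EVENTS = [
    ("app", "login_fail", "alice"),
    ("app", "login_fail", "alice"),
    ("app", "login_ok", "bob"),
    ("app", "login_fail", "alice"),
    ("firewall", "allow", "bob"),
    ("ids", "recon", "alice"),
    ("firewall", "port_scan", "alice"),
]


def normalize(source, event_type):
    """Map a source-specific absolute risk onto the shared (0, 100] range."""
    model = RISK_MODELS[source]
    raw = model["events"][event_type] * model["dial"]
    score = 100.0 * raw / model["scale_max"]
    # Clamp: a score is never 0 (every event carries some risk) and never above 100.
    return max(0.01, min(100.0, score))


def combine(scores):
    """Noisy-OR combination: risk grows with each event but saturates at 100."""
    survival = 1.0
    for s in scores:
        survival *= 1.0 - s / 100.0
    return 100.0 * (1.0 - survival)


def evaluate(events, threshold=85.0):
    """Return (per-entity combined risk, entities alerted on).

    An entity is alerted on only when its combined risk crosses the
    threshold, not on every subsequent event that keeps it above.
    """
    per_entity = defaultdict(list)
    alerts = []
    for source, event_type, entity in events:
        before = combine(per_entity[entity])
        per_entity[entity].append(normalize(source, event_type))
        after = combine(per_entity[entity])
        if before < threshold <= after:
            alerts.append(entity)
    risk = {entity: combine(scores) for entity, scores in per_entity.items()}
    return risk, alerts


if __name__ == "__main__":
    risk, alerts = evaluate(SAMPLE_EVENTS)
    for entity, score in sorted(risk.items()):
        print(f"{entity}: normalized risk {score:.1f}")
    print("alerts:", alerts)
```

With the constructed stream, three failed logins, a recon hit and a port scan push alice past the threshold on the final event and trigger exactly one alert, while bob's benign login and allowed connection stay far below it; raising the threshold to 95 produces no alert at all. The noisy-OR is one simple choice for combining comparable scores; the point is that it is only meaningful because every source's score has first been put on the same scale.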
And when you need to create a report to prove to your auditors that your network is secure, simple drop-down reporting options allow administrators to create reports of both real-time and recent historical data without writing complex SQL queries or trying to merge multiple device logs. Combined with LogCenter, the same reports can be run against longer-term data for compliance reporting and forensic analysis.