"Nitro's ability to meet feature demands, coupled with its super fast NitroEDB data management engine on the back end, puts it in a unique position among SIEM vendors"
— Paul Roberts, Analyst, the 451 Group
Event Analysis & Correlation

Incident Detection

Incident detection requires an in-depth understanding of everything within your infrastructure. Features such as event correlation and at-a-glance dashboards offer ease of use, but are only as good as the underlying data being analyzed. If a correlation is absent, or if certain event triggers for a correlation rule are missed, a potentially dangerous incident might go unnoticed.

The answer? Combine the best of both worlds:

  • Collect more information from more sources
  • Enhance that data to provide more context
  • Perform non-reductive correlation to detect larger threats

Data Collection

With more complex threats appearing every day, it's more important than ever to monitor as many systems in as much detail as possible. This means collecting and analyzing:

  • Network flows
  • Device, server, host and application logs
  • Data access, including database sessions and all database transactions
  • Alerts from firewalls, anti-virus systems, and Intrusion Prevention Systems
  • Vulnerability data
  • Identity information

It also means collecting more data over time, and making larger amounts of data accessible for immediate analysis. To meet forensic, operational, and compliance requirements, at least one full year of data should be available for concurrent analysis, if not more. View a complete list of supported devices.

Powerful Threat Detection

There's so much information that simpler mechanisms are required to make sense of it. Event Correlation—the analysis of event, flow and log data to find indications of larger threats—is a necessary function of any modern security event management system. NitroView ESM provides a unique approach to correlation, with both:

  1. Easy to use correlation for fast notification of threats
  2. Raw events, flow and log data for deep analysis of threats

Unfortunately, most event analysis systems use correlation for notification, but provide that feature at the expense of forensic capability. That's because typical event managers use pattern matching as a means of reducing data: their architectures cannot manage large amounts of events concurrently, and so the reduction of many events into a few incidents is needed to keep the system responsive. NitroSecurity believes that all data is important, and that accessibility to that data, in a responsive manner, is important. That's why NitroView ESM provides the best of both worlds: maintaining the integrity of collected data for long periods of time, making that data easily accessible for analysis, and also providing correlation for faster incident detection.

NitroView's correlation provides:

  • Correlation of event, log and network flow data together, for maximum detection of potential threats (see Advanced Event Correlation, below)
  • Non-reductive correlation, maintaining all source events—and providing quick access to those events for further investigation.
  • A collection of pre-defined rules for out-of-the-box protection
  • Flexible rule creation—because correlation is only as good as the underlying rules

Data Enhancement

Once an event, network flow, or log is collected, it is normalized using NitroSecurity's NitroEDB data management engine. NitroEDB is capable of extremely fast reporting and analysis, even when managing very large amounts of information. In addition, NitroEDB allows each event, flow or log to be heavily indexed, so that commonly requested information—usernames, network location, protocols used, risk exposure, severity, source and destination ports, etc—can be easily referenced, searched, and filtered. Even better, context available from one event can be extrapolated to others, so that each individual data-point holds more context than was originally provided at the time of collection.
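To make the non-reductive correlation and data-enhancement ideas above concrete, here is an added Python example (not NitroSecurity or NitroView code): a rule that raises an incident from a run of failed logins followed by a success, keeps every source event reachable from the incident, and weights severity by the asset involved. The event fields, the rule thresholds and the asset weights are constructed assumptions, not anything the page specifies.

```python
"""Non-reductive correlation: raise one incident per matching pattern while
keeping every source event intact and reachable from the incident."""
from collections import defaultdict

# Constructed sample of normalized events (identity and host fields already
# indexed, as the page describes). Not real log data.
EVENTS = [
    {"id": 1, "ts": 100, "type": "auth_fail", "user": "alice", "host": "10.0.0.5"},
    {"id": 2, "ts": 101, "type": "auth_fail", "user": "alice", "host": "10.0.0.5"},
    {"id": 3, "ts": 102, "type": "auth_fail", "user": "alice", "host": "10.0.0.5"},
    {"id": 4, "ts": 103, "type": "auth_ok",   "user": "alice", "host": "10.0.0.5"},
    {"id": 5, "ts": 104, "type": "auth_fail", "user": "bob",   "host": "10.0.0.9"},
]
# Constructed asset weights (assumption): hosts holding sensitive data rank higher.
ASSET_WEIGHT = {"10.0.0.5": 3, "10.0.0.9": 1}

def correlate(events, min_failures=3, window=60):
    """Rule: at least `min_failures` auth_fail events for one (user, host) pair
    followed by an auth_ok within `window` seconds. Returns incidents that
    reference their source events by id; no event is discarded or summarized."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["user"], ev["host"])].append(ev)
    incidents = []
    for (user, host), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = []
        for ev in evs:
            if ev["type"] == "auth_fail":
                fails.append(ev)
            elif ev["type"] == "auth_ok":
                recent = [f for f in fails if ev["ts"] - f["ts"] <= window]
                if len(recent) >= min_failures:
                    incidents.append({
                        "rule": "brute_force_then_success",
                        "user": user, "host": host,
                        # severity weighted by the asset, as the page describes
                        "severity": 10 * ASSET_WEIGHT.get(host, 1),
                        "source_ids": [f["id"] for f in recent] + [ev["id"]],
                    })
                fails = []
    return incidents

def drill_down(incident, events):
    """Resolve an incident back to its full source events for investigation."""
    index = {e["id"]: e for e in events}
    return [index[i] for i in incident["source_ids"]]

def reductive_summary(events):
    """Contrast: the reductive approach keeps only a count per key, so the
    individual events (and their timing) are no longer available for forensics."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["user"], ev["host"], ev["type"])] += 1
    return dict(counts)
```

Running `correlate(EVENTS)` yields one incident for alice with `source_ids` [1, 2, 3, 4] and severity 30, while `EVENTS` itself is untouched; `reductive_summary` shows what is lost when only counts survive.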

Ease of Use

NitroView ESM provides concise, easy-to-use dashboards for at-a-glance indication of network health. At the same time, every dashboard component is interactive, allowing users to drill down into any item, when further investigation is needed. Other ease-of-use features include:

  • Dozens of pre-built dashboards tailored to the needs of network and security professionals
  • Custom reports and views that can be created in minutes, with no SQL knowledge required
  • An easy-to-use graphical editor for the creation or modification of event correlation rules
  • Pre-defined reports for compliance purposes, including: PCI, HIPAA, SoX, FISMA, and more
  • Integrated device management for NitroSecurity IPS and Database Monitor products, for single-UI security operations

Powerful Event Management capabilities

  • Event Signature Correlation to detect complex attacks
    • Faster remediation when an attack occurs
  • Inclusion of network flow data for situational and locational context
    • Track attack vectors to mitigate further damage, or find the root cause of an attack
  • Inclusion of log data for historical context
    • Proof of compliance with validated, auditable logs
    • Analyze historical data for forensic operations
  • Inclusion of identity data for user context
    • Associate events and suspect activities with device, accounts and users
    • Satisfy compliance requirements of PCI, SoX, HIPAA, and others

Manage years of historical data using NitroView's interactive interface, immediately seeing event and network data correlations, baselines and trends. In real time. No more "coffee cup queries" or "let it run overnight" reports.

Event Correlation: Evaluation Criteria

  • Database technology with in-memory performance—Our real-time data management engine allows all collected events to be correlated at speeds similar to those of in-memory technology.
  • Multi-Symptom, Multi-Source Correlation—NitroView is able to correlate data from a variety of sources, not just from IDS and IPS devices. Logs, events, and network flow information are collected from servers, hosts, routers, firewalls, IPS and IDS devices, and virtually any network device. All data is correlated, allowing for a broader range of detectable threats.
  • Correlation without Data Loss—Because NitroView is built on a highly scalable data management engine, both correlated threats and the source "symptoms" are maintained in full granular detail. Drill into any correlated threat to see the individual events, instantly. Because everything occurs in real-time, there's no need to discard source detail, ever.
  • Total IS awareness (logs, events, flows, assets and identities)—Weighting event severity by assets and by identities improves the relevance of threat notifications. Because NitroView collects all types of data from multiple data sources, more fields are available for analysis, including identity information, which is critical to the long-term reporting requirements of regulatory compliance for HIPAA, SOX, PCI, FISMA, and others.
  • New and Adaptive Rules—Correlation rules are constantly being developed by NitroSecurity's Network Threat Analysis Center (NTAC), and are provided to all NitroSecurity customers via live signature updates. Rules can be easily customized to fine-tune them to your particular environment, and a custom rule builder allows you to quickly create new rules.
