With deep visibility into your network and security infrastructure—and the ability to provide reports and analytics in real time—NitroView ESM offers a whole new way to think about incident response and forensics. In the past, "forensics" meant "slow" or "historical", yet the end result of any forensic investigation is directly relevant to incident response. Incident response, by definition, requires fast intervention (see our whitepaper, "The Fundamental Requirements of SIEM"). Why the disconnect? Because traditional SIEMs aren't capable of real-time forensics.
The ability to detect a threat, notify a security professional, perform a detailed investigation of that threat, and take appropriate actions is perhaps the most necessary function of SIEM. The United States government defines the requirement for incident response as needing to be "timely" and "rapid"—with good reasons. Every minute between the detection and notification of an incident, and the successful exploitation or theft of a protected asset, costs a company money, exposure, and liability.
If your SIEM can't access current and "historical" data, analyze it for root cause, vector, and risk analysis, and provide actionable intelligence in a matter of minutes, it provides little to no value as a response tool.
Real-time, operational forensics allows a security professional to perform ad-hoc correlation of data to detect, track, and remediate complex attacks as they occur—the ability to provide zero-day response to complex threats. That means the ability to use NitroView ESM to see threats that haven't yet been defined within event correlation rules (of course, pre-defined rules exist as well, for automation of well-known attacks).
NitroView ESM is able to detect, prevent, mitigate and remediate threats. Remediation occurs in two primary ways:
Role-based access to NitroView can even limit remediation capabilities to specific users or groups, allowing NitroView's remediation capabilities to benefit both Security and Network operations teams.
Watch the above demonstration to see CTO Michael Leland creating a custom report to determine attack vector and propagation. Looking for something more interactive? Kick the tires yourself with an online test-drive, or register for an engineer-led webinar to see for yourself the power of real-time, operational forensics.