SearchInform Event Manager: Real-time threat detection

SearchInform Event Manager is a security information and event management (SIEM) system, a specific type of information security software.

However complex a SIEM is internally, its operation boils down to a simple algorithm:

  • Collecting events from different sources (network devices, software, security tools, operating systems).
  • Correlating events from those different sources.
  • Analysing the data and detecting threats.
  • Detecting incidents and notifying in real time.

SearchInform Event Manager collects, analyzes and correlates these events together with data from the DLP agents or captured network traffic. The SIEM+DLP combination provides highly detailed information on breaches.

The SIEM system ships with a set of predefined policies that let you monitor your company's activity in full.

What It Controls

SearchInform Event Manager supports the following event sources:

  • Active Directory domain controllers
  • File system
  • Antivirus software
  • DBMS (MS SQL, Oracle, and so on)

Currently under development and testing:

  • Exchange mail servers
  • EventLog
  • Workstation-control agents
  • Traffic intercepted from network devices or proxy servers
  • Email captured via integration with mail servers
  • Network devices
  • Linux and Unix servers and workstations
  • Virtualized environments and terminal servers

Software Objectives

Collection and processing of events from different sources

The number of event sources today is so high that it is impossible to monitor all events in the infrastructure manually. This leads to the following risks:

  • Missing a security violation.
  • Failure to identify details and determine causes (because logs were cleared, overwritten, etc.).
  • Failure to reconstruct the sequence of events.

A SIEM, as an aggregator of information from different devices, addresses this problem: it normalizes the data and keeps it in protected storage from which, according to the vendor, even an administrator cannot delete records.

Real-time analysis and processing of incidents

The SIEM not only unifies events but also rates their significance: the system visualizes the information with important and critical events highlighted.

Correlation and rule-based operation

A single event is not always indicative of an incident. For example, one failed logon may simply be a typo, whereas three or more failed attempts against the same account probably indicate a password-guessing attack. To identify truly critical events, the SIEM uses rules that combine a whole range of conditions and cover the most diverse scenarios.
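The failed-logon rule just described, and the collect/correlate/detect steps listed at the top of the page, as an added example that is not part of SearchInform's product or this page. It parses a handful of constructed Windows-style logon events (Event ID 4625 = failed logon, 4624 = successful logon) and fires an incident when one account accumulates three failures inside a sliding time window. The log format, the threshold of 3 and the 5-minute window are assumptions; the page gives only the count, but without a window three failures spread over a working day would also fire, which is why the example makes the window explicit.

```python
"""Sliding-window correlation of failed logons (illustrative code, not SearchInform's).

Input lines are constructed for this example in the format
    timestamp|source_host|event_id|account
Event IDs follow the Windows Security log: 4625 = failed logon, 4624 = success.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. alice: one typo, then success.  bob: burst of four
# failures in 20 seconds.  carol: three failures spread over several hours.
SAMPLE_EVENTS = """\
2024-03-01T09:00:01|DC01|4625|alice
2024-03-01T09:00:40|DC01|4624|alice
2024-03-01T09:05:00|DC01|4625|bob
2024-03-01T09:05:07|DC01|4625|bob
2024-03-01T09:05:15|DC01|4625|bob
2024-03-01T09:05:20|DC01|4625|bob
2024-03-01T09:30:00|FS01|4625|carol
2024-03-01T11:00:00|FS01|4625|carol
2024-03-01T13:00:00|FS01|4625|carol
"""

FAILED_LOGON = 4625


def parse_events(text):
    """Collect step: turn raw lines into normalized event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, account = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "event_id": int(event_id),
            "account": account,
        })
    events.sort(key=lambda e: e["ts"])  # correlation assumes time order
    return events


def failed_logon_incidents(events, threshold=3, window=timedelta(minutes=5)):
    """Correlate/detect step: one incident per burst of `threshold` failures
    for the same account within `window` (assumed values, see lead-in)."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    incidents = []
    for e in events:
        if e["event_id"] != FAILED_LOGON:
            continue
        q = recent[e["account"]]
        q.append(e["ts"])
        # Drop failures that fell out of the window relative to this event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            incidents.append({
                "rule": "possible password guessing",
                "account": e["account"],
                "source": e["source"],
                "first_seen": q[0].isoformat(),
                "last_seen": e["ts"].isoformat(),
                "count": len(q),
            })
            q.clear()  # fire once per burst, then start counting again
    return incidents


if __name__ == "__main__":
    # Notify step: in a real SIEM this would raise an alert; here we print it.
    for inc in failed_logon_incidents(parse_events(SAMPLE_EVENTS)):
        print(inc)
```

With the default 5-minute window only bob's burst becomes an incident; alice's single failure and carol's slow trickle do not. Widening the window to several hours also catches carol, which shows that the window is part of the rule, not a detail.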

Automated notifications and incident management

Automated notifications and incident management let the SIEM fulfil its main purpose: giving information security officers the means to respond to incidents rapidly. Incidents are detected automatically.

Principle of Operation: Incidents

The SIEM processes huge volumes of events and automatically links related incidents into chains, which allows threats to be detected through integrated analysis of all the data.

As input the product receives a stream of highly diverse events; as output it returns aggregated, substantiated information: statistics and notifications about anomalies, failures, unauthorized access attempts, disabled security tools, malware, suspicious transactions, data leaks and so on. The objective of the software is to reduce incident response time.

Incident search uses a range of methods, from checking compliance with current information security standards to intelligent anomaly detection. The SIEM provides stable, round-the-clock monitoring of the corporate infrastructure.