SearchInform Event Manager:
Real-time threat detection
SearchInform Event Manager is a SIEM (security information and event management) system, a specific class of information security software.
Internally a SIEM is complex, but its operation reduces to a simple pipeline:
- Collecting events from different sources (network devices, applications, security tools, operating systems).
- Correlating the collected events with each other.
- Analyzing the data and detecting threats.
- Detecting incidents and sending notifications in real time.
SearchInform Event Manager also collects, analyzes and correlates data coming from the DLP agents or from captured network traffic. Combining SIEM with DLP provides highly detailed information on breaches.
The SIEM system ships with a set of predefined policies that cover activity across the whole company.
What It Controls
SearchInform Event Manager supports the following event sources:
- Active Directory domain controllers
- File system
- Antivirus software
- DBMS (MS SQL, Oracle, and so on)
Currently under development and testing:
- Exchange mail servers
- Workstation-control agents
- Traffic intercepted from network devices or proxy servers
- Email captured via integration with mail servers
- Network devices
- Linux and Unix servers and workstations
- Virtualized environments and terminal servers
Collection and processing of events from different sources
There are now so many event sources that nobody can review every event in the infrastructure manually, and that creates the following risks:
- A security violation is missed.
- Details and root causes cannot be established (for example, because event logs were cleared).
- The sequence of events cannot be reconstructed.
A SIEM, as an aggregator of information from different devices, addresses this problem: it normalizes the data into a single format and keeps it in protected storage from which even an administrator cannot delete records.
Real-time analysis and processing of incidents
The SIEM does not just unify events; it also rates their significance. The system visualizes the information and highlights important and critical events.
Correlation and rule-based operation
A single event is not always an incident. One failed logon may be an accidental typo, but three or more failed attempts for the same account or from the same source within a short interval most likely indicate a password-guessing attack. To separate truly critical events from noise, the SIEM uses rules that combine several conditions and cover a wide range of scenarios.
Automated notifications and incident management
Automated notifications and incident management let the SIEM fulfill its main purpose: giving information security officers what they need to respond to incidents quickly. Incidents are detected automatically.
Principle of Operation: Incidents
SIEM operation means processing huge volumes of events and automatically linking related incidents into chains, so that threats are detected through integrated analysis of all the data.
The input is a stream of highly varied events; the output is aggregated, substantiated information: statistics, notifications on anomalies, failures, unauthorized access attempts, disabled security tools, viruses, suspicious transactions, data leaks, and so on. The goal of the software is to reduce incident response time.
Incident search algorithms use different methods, from checking compliance with current information security standards to an anomaly-detection algorithm. The SIEM provides stable, continuous monitoring of the corporate infrastructure.
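The following is an added example, written for this page and not SearchInform's own rule engine or event format, of the two ideas described above: the failed-logon correlation rule (several failures for one account and source inside a time window) and the chaining of incidents (a successful logon shortly after such a burst is escalated to a likely account compromise). The event records, field names and thresholds are constructed assumptions; the event IDs are the standard Windows Security log IDs (4625 failed logon, 4624 successful logon, 1102 audit log cleared), which is the kind of data a domain-controller source would supply.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, normalized form (field names are
# an assumption for this example; a real SIEM normalizes raw logs first).
# Event IDs follow the Windows Security log: 4625 = failed logon,
# 4624 = successful logon, 1102 = audit log cleared.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "event_id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:04", "event_id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:07", "event_id": 4625, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:20", "event_id": 4624, "user": "jsmith", "src": "10.0.0.5"},
    {"ts": "2024-03-01T09:05:00", "event_id": 4625, "user": "akim",   "src": "10.0.0.9"},
    {"ts": "2024-03-01T09:30:00", "event_id": 4625, "user": "akim",   "src": "10.0.0.9"},
    {"ts": "2024-03-01T09:31:00", "event_id": 1102, "user": "admin",  "src": "10.0.0.2"},
]

# Rule parameters (assumed values; tune them to the environment).
FAILED_LOGON_THRESHOLD = 3                    # failures that trigger the rule
FAILED_LOGON_WINDOW = timedelta(seconds=60)   # ...counted within this sliding window
CHAIN_WINDOW = timedelta(minutes=5)           # success this soon after guessing = chained incident


def correlate(events):
    """Run the rules over a list of events and return the incidents raised, in order."""
    incidents = []
    # (user, src) -> timestamps of recent failed logons, oldest first
    failures = defaultdict(deque)
    # (user, src) -> time at which a password-guessing incident was raised
    guessing_at = {}

    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["src"])

        if ev["event_id"] == 4625:
            window = failures[key]
            window.append(t)
            # Drop failures older than the window so the count is per interval,
            # not per lifetime: two failures half an hour apart are not an attack.
            while t - window[0] > FAILED_LOGON_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGON_THRESHOLD and key not in guessing_at:
                guessing_at[key] = t
                incidents.append({
                    "rule": "password_guessing", "severity": "medium",
                    "user": ev["user"], "src": ev["src"],
                    "count": len(window), "ts": ev["ts"],
                })

        elif ev["event_id"] == 4624:
            # Chain rule: a success shortly after a guessing incident for the
            # same account and source is escalated to a likely compromise.
            started = guessing_at.get(key)
            if started is not None and t - started <= CHAIN_WINDOW:
                incidents.append({
                    "rule": "guessing_then_success", "severity": "high",
                    "user": ev["user"], "src": ev["src"], "ts": ev["ts"],
                })

        elif ev["event_id"] == 1102:
            # Some single events are critical on their own: clearing the audit
            # log destroys the evidence needed to reconstruct what happened.
            incidents.append({
                "rule": "audit_log_cleared", "severity": "high",
                "user": ev["user"], "src": ev["src"], "ts": ev["ts"],
            })

    return incidents


if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

On the sample data the rule raises three incidents: a medium password-guessing incident for jsmith after the third failure within 60 seconds, a high incident when the same account then logs on successfully 13 seconds later, and a high incident for the cleared audit log. The two akim failures are 25 minutes apart, so they fall out of the sliding window and raise nothing; keying the counter by account and source, and pruning by time, is what keeps the rule from firing on ordinary typos.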