Those of you who are security practitioners know the necessity of incident awareness across the various dimensions of the network. Threats can strike at any time, and having informative and meaningful data at hand helps you counter them and remediate risk.
Logs are the means to any actionable result. Any piece of critical activity on your network will trigger log messages: syslog messages, SNMP traps, system logs, server logs, and so on. From these silos of data produced by so many disparate devices and systems across the network, how can you gain visibility into specific threat events and pinpoint their cause?
The heart of security information and event management (SIEM) is event correlation. This allows you to get coherent information in real time as and when there are peculiarities and suspicious activities on the enterprise network.
How Does Event Correlation Work?
SolarWinds has made this intricate activity extremely simple with a correlation technology so powerful that you don’t have to do anything – the correlation engine will monitor, detect, alert, react and report when encountered with anomalous system or user activity on the network. SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that offers an intelligent correlation engine to understand operational, security and policy-driven events.
- Log Collection: LEM captures real-time event streams from network devices and utilizes agent technology to capture host-based events in real time. Here is a list of data sources from which LEM can receive log data for correlation and analysis.
- Normalization: This is a key step before events are correlated. LEM parses the raw log data from agent nodes (workstations, servers, VMs, OS, etc.) and maps events from disparate sources to a consistent framework. This helps structure the data into identified categories and fields.
- In-Memory Correlation: LEM correlates event logs in-memory thus avoiding performance bottlenecks associated with database insertion and query speeds.
- Multiple-Event Correlation: LEM has comprehensive support for multiple-device, multiple-event correlation, including the unique ability to set independent thresholds of activity per event, or group of events.
- Non-Linear Correlation: After mapping events in-memory, LEM applies a completely non-linear, multi-vector correlation algorithm. This reduces the number of correlation rules and eliminates the need to build distinct rules for every possible combination of events.
- Field-Level Comparison: LEM combines field-level data with user-defined groups and variables, making it possible to build rules that minimize false positives and focus your attention where and when it’s needed.
- Environmental Awareness: LEM’s correlation rules factor in details about the organization, such as critical assets, applications, time of day or day of week, etc. to bring focus on the environmental parameters associated with the events and maximize the value of the data that’s being captured and analyzed.
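As an added illustration that is not SolarWinds code and does not show how LEM is implemented internally: a small in-memory correlation engine in Python that normalizes constructed syslog-style lines onto a fixed schema, applies a multi-device threshold rule keyed on the user field, and factors in assumed environmental parameters (a critical-asset list and business hours) when it sets alert severity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style lines; hosts, users and addresses are made up.
RAW_LOGS = [
    "2024-03-04T02:10:01 ws02 sshd[311]: Failed password for alice from 10.0.0.5",
    "2024-03-04T02:11:20 fw01 sshd[412]: Failed password for alice from 10.0.0.5",
    "2024-03-04T02:12:45 db01 sshd[513]: Failed password for alice from 10.0.0.5",
    "2024-03-04T02:13:02 db01 sshd[514]: Accepted password for alice from 10.0.0.5",
    "2024-03-04T09:00:00 ws02 sshd[611]: Failed password for bob from 10.0.0.9",
    "2024-03-04T09:30:00 ws02 sshd[612]: Failed password for bob from 10.0.0.9",
    "2024-03-04T09:31:00 ws02 sshd[613]: Accepted password for bob from 10.0.0.9",
    "2024-03-04T09:32:00 ws02 cron[700]: (root) CMD (/usr/bin/backup)",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[\d+\]: (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")

# Environmental parameters the rule factors in (assumed values for this example).
CRITICAL_ASSETS = {"db01"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time

def normalize(line):
    """Map one raw line onto a fixed schema; lines outside the schema are dropped."""
    m = LINE_RE.match(line)
    a = AUTH_RE.search(m["msg"]) if m else None
    if not a:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": a["user"],
            "src": a["src"], "type": "auth_fail" if a["result"] == "Failed" else "auth_ok"}

def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Multi-event, multi-device rule kept entirely in memory: fail_threshold or more
    auth_fail events for one user (from any host) inside the window, followed by an
    auth_ok for that user, raises an alert; escalated on a critical asset off-hours."""
    recent_fails = defaultdict(list)   # keyed on the normalized 'user' field
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        fails = [t for t in recent_fails[ev["user"]] if ev["ts"] - t <= window]
        if ev["type"] == "auth_fail":
            fails.append(ev["ts"])
        elif len(fails) >= fail_threshold:
            off_hours_critical = ev["host"] in CRITICAL_ASSETS and ev["ts"].hour not in BUSINESS_HOURS
            alerts.append({"user": ev["user"], "host": ev["host"], "src": ev["src"],
                           "failures": len(fails), "severity": "high" if off_hours_critical else "medium"})
        recent_fails[ev["user"]] = fails   # sliding window: old failures age out
    return alerts

def run(lines=RAW_LOGS):
    return correlate([e for e in map(normalize, lines) if e])
```

Only alice's sequence fires: three failures across three hosts within five minutes followed by a success on db01 at 02:13, so the alert is rated high; bob's two failures are thirty minutes apart and never reach the threshold.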
So, What’s The Result of Event Correlation?
You have meaningful and actionable data that provides advanced incident awareness and threat visibility on your entire IT environment.
Using the correlated event data, you can:
- Set up alerts to trigger when a specific security condition is encountered
- Program active responses to counter threats, troubleshoot issues and react to policy violations
- Perform event forensics and root cause analysis to identify suspicious behavior patterns and anomalies
- Generate compliance reports for network and security audits
Correlation Rule Builder
SolarWinds LEM offers a simple-to-use correlation rule builder that lets you build correlation rules through an interactive drag-and-drop interface. Plus, there are nearly 700 correlation rules available out of the box for immediate use.
SolarWinds Log & Event Manager makes event correlation simple yet powerful, offering you a central SIEM solution to process and manage log data.