From Monitoring to Preventive Real Time Detections

Overview

Industry

  • Cross Industry Solution

Supported SIEM Products

  • HP ArcSight
  • McAfee ESM
  • Splunk

Securonix Use Cases

  • Insider threat detection
  • Application risk monitoring
  • Fraud monitoring
  • Securonix for ArcSight
  • Securonix for McAfee ESM
  • Securonix for Splunk

Business Impact

  • Faster breach identification
  • Reduced breach impact
  • Comprehensive breach response and investigation
  • Lower monitoring and management costs
  • Lower compliance costs
  • Quantified, non-subjective threat and risk reporting

Data Sources

  • SIEM events
  • HR/Identity information
  • Proxy logs (optional)
  • DLP events (optional)

Relevant Compliance & Security Best Practices

  • SOX
  • PCI DSS
  • HIPAA/HITECH
  • FISMA
  • FERC/NERC

Challenge: Too Much Noise and Not Enough Detection

Companies have made significant investments in SIEM solutions for large-scale event collection, correlation and monitoring. These investments have helped address key compliance requirements, identify known threats and build a rich repository of data for detailed investigations, reporting and complex analysis.

Unfortunately, the same collection, correlation and signature-based capabilities that make SIEM technologies effective for large-scale information and event management make them ineffective at detecting the unknown insider and external cyber threats that are the real source of risk to enterprise applications, systems and data today. Simply put, SIEM solutions were purpose-built for large-scale event collection, correlation and storage, not for advanced security analytics focused on mining and enriching that data to quickly detect who, what, where, when and how somebody is attacking your organization.

Solution: Plug-n-Play Advanced Security Analytics and Visualization for SIEM

Securonix addresses this need with a purpose-built security intelligence suite that mines, enriches and transforms your SIEM information from HP ArcSight, McAfee ESM, Splunk and others to produce actionable intelligence on known and unknown threats across the entire IT environment, including key business applications. The solution leverages the investment already made in SIEM and provides the following immediately:

  • Built for big data security analytics
  • Automated user identity correlation
  • API integration with leading cyber threat intelligence, HR, IAM, directory and entitlement sources
  • Behavior-based anomaly and outlier detection for users, accounts, resources
  • Peer group risk analysis
  • Adaptive self-learning algorithms
  • Continuous risk scoring & monitoring
  • Visual link analysis
  • Out-of-box solution

Benefit: High Value Security Intelligence

SIEM customers that implement Securonix stand to gain a number of important benefits:

  • Less noise. Through rich identity context, threat intelligence, and behavior and peer group analysis, Securonix reduces noise and false positives to a manageable level, increasing overall effectiveness and reducing analyst workload.
  • Zero-day attack detection. Using in-line behavior and peer group profiling of networks, systems, devices and accounts, Securonix detects the abnormal activity associated with an unknown attack in real time.
  • Business application monitoring. Through its ability to extract detailed transaction-level logs and entitlement information, Securonix provides threat detection and monitoring at the source of your sensitive information and transactions: the business applications themselves.
  • Service account monitoring. Through advanced identity correlation and behavior analysis, highly sensitive service and shared accounts are automatically identified and monitored for outlier behavior such as new connection types, source addresses, times, frequencies or amounts, all of which are reliable indicators of compromise for accounts whose behavior is otherwise fixed and predictable.
  • Fraud detection. With application-level visibility and signature-less behavior and peer group analysis, Securonix detects sophisticated fraud scenarios across enterprise and web applications.
  • Data monitoring. By monitoring the access and activity behavior associated with sensitive data within an application, database or file system, Securonix identifies complex data snooping, misuse and theft scenarios.

Solution Tour

Data Collection: SIEM-IAM-HRMS-Business Applications

Securonix integrates with SIEM products through a direct API connection, syslog or a database connection, from which it picks up activity and event data. For full identity context, Securonix has connectors to leading HR and identity management systems that bring in more than 75 standard and custom identity attributes. For enterprise applications, from SAP and SharePoint to Epic and homegrown business applications, Securonix pulls in detailed activity and entitlement information for deep, application-level monitoring. As needed, Securonix also pulls system access information directly from the target resource.
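
The following Python script is an added illustration, not Securonix code, of the identity correlation step that this collected data feeds: account names as they appear in SIEM events (with domain or realm decoration) are mapped to HR identity records first by deterministic naming rules and then by a fuzzy string match, and any account that matches nothing is surfaced as a candidate service or shared account rather than dropped. The HR records, account names, service-account prefixes and the 0.85 similarity threshold are all constructed assumptions.

```python
"""Identity correlation of raw account names to HR identities.

Added example, not Securonix code: correlates account names seen in SIEM
events with HR/identity records using policy rules first and a fuzzy
string match as fallback; accounts that match nothing are treated as
candidate service or shared accounts for separate monitoring.
All records, names and thresholds below are constructed sample data.
"""
from difflib import SequenceMatcher

# Constructed HR/identity records (hypothetical employees).
HR_RECORDS = [
    {"emp_id": "1001", "first": "Jane", "last": "Smith",
     "email": "jane.smith@example.com", "sam": "jsmith", "department": "Finance"},
    {"emp_id": "1002", "first": "Robert", "last": "Jones",
     "email": "robert.jones@example.com", "sam": "rjones", "department": "Engineering"},
    {"emp_id": "1003", "first": "Priya", "last": "Natarajan",
     "email": "priya.natarajan@example.com", "sam": "pnatarajan", "department": "Finance"},
]

SERVICE_PREFIXES = ("svc_", "svc-", "sa_", "app_")  # assumed naming convention
FUZZY_THRESHOLD = 0.85                               # assumed similarity cut-off


def normalize(account):
    """Strip domain/realm decoration: CORP\\jsmith or jsmith@corp.example.com -> jsmith."""
    a = account.strip().lower()
    if "\\" in a:
        a = a.split("\\", 1)[1]
    if "@" in a:
        a = a.split("@", 1)[0]
    return a


def candidate_keys(rec):
    """Account forms an identity commonly owns, derived by policy rules."""
    first, last = rec["first"].lower(), rec["last"].lower()
    return {
        rec["sam"].lower(),
        rec["email"].lower().split("@")[0],
        f"{first}.{last}",
        f"{first[0]}{last}",
        f"{first}_{last}",
        rec["emp_id"],
    }


def correlate(account, records=HR_RECORDS):
    """Return (emp_id, method) for one account, or (None, reason) if no identity fits."""
    name = normalize(account)
    if name.startswith(SERVICE_PREFIXES):
        return None, "service_account_rule"
    # 1. Exact policy-rule match.
    for rec in records:
        if name in candidate_keys(rec):
            return rec["emp_id"], "rule"
    # 2. Fuzzy fallback against the same keys (catches j.smith, jsmith2, ...).
    best, best_score = None, 0.0
    for rec in records:
        for key in candidate_keys(rec):
            score = SequenceMatcher(None, name, key).ratio()
            if score > best_score:
                best, best_score = rec, score
    if best is not None and best_score >= FUZZY_THRESHOLD:
        return best["emp_id"], f"fuzzy:{best_score:.2f}"
    return None, "unmatched"


def correlate_all(accounts, records=HR_RECORDS):
    """Map every account to an identity; unmatched accounts are kept for
    review as possible shared/service accounts rather than silently dropped."""
    return {acct: correlate(acct, records) for acct in accounts}


if __name__ == "__main__":
    sample = ["CORP\\jsmith", "j.smith@corp.example.com", "rjones", "svc_backup",
              "jsmith2", "pnatarajan", "admin"]
    for acct, (emp, how) in correlate_all(sample).items():
        print(f"{acct:28} -> {emp or '-':5} ({how})")
```

A fuzzy match can be wrong (jsmith2 may be a second person rather than a secondary account of Jane Smith), so a match that falls below exact-rule confidence should be confirmed against a second attribute such as manager, department or account creation ticket before it is allowed to drive a detection, and unmatched accounts belong on the service and shared account watch list rather than in the discard pile.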

Advanced Security Analytics: Out-of-the-Box

Securonix performs automated, real-time identity correlation using fuzzy logic, clustering algorithms and policy rules to attach identity context to every activity and event it consumes. The identity-correlated activities and events are then continuously monitored for suspicious or abnormal activity at the user, account, peer group and resource levels. This is done primarily through peer group and behavior analysis, which allows true signature-less detection of:

  • Frequency spikes
  • Event rarity
  • Peer group comparison
  • Value spikes
  • Clickstream analysis
  • Malware beaconing
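
As an added worked example (not Securonix code), the Python below implements four of these signature-less checks over a constructed set of identity-correlated events and combines the hits into a per-entity risk score: a frequency spike measured as a z-score against the entity's own daily baseline, event rarity measured against both the entity's own history and its peer group, a peer group comparison of daily volume against the peer median, and the new-source-address check described above for service accounts. Entity IDs, peer groups, the five-day learning window, thresholds and score weights are all assumptions.

```python
"""Signature-less behavior analytics over identity-correlated SIEM events.

Added example (not Securonix code): runs four outlier checks, frequency
spike, event rarity, peer-group comparison and new source address, over
constructed events and folds the hits into a per-entity risk score.
Entities, peer groups, thresholds and weights are assumed.
"""
from collections import Counter, defaultdict
from statistics import mean, median, pstdev

# Constructed events: (day, entity, peer_group, action, src_ip).
# Days 1..5 are the learning window; day 6 is the day being scored.
EVENTS = []


def _add(day, entity, group, action, src, n=1):
    EVENTS.extend([(day, entity, group, action, src)] * n)


for d, n in {1: 18, 2: 22, 3: 20, 4: 19, 5: 21}.items():      # ~20 reads/day baseline
    _add(d, "1001", "Finance", "file_read", "10.1.1.10", n)
for d in range(1, 6):
    _add(d, "1003", "Finance", "file_read", "10.1.1.11", 22)
    _add(d, "1003", "Finance", "report_export", "10.1.1.11", 1)
    _add(d, "svc_backup", "service", "db_connect", "10.2.0.5", 4)
_add(6, "1001", "Finance", "file_read", "10.1.1.10", 80)        # volume spike
_add(6, "1001", "Finance", "db_admin_login", "10.1.1.10", 1)    # action unseen in Finance
_add(6, "1003", "Finance", "file_read", "10.1.1.11", 21)
_add(6, "1003", "Finance", "report_export", "10.1.1.11", 1)
_add(6, "svc_backup", "service", "db_connect", "10.2.0.5", 4)
_add(6, "svc_backup", "service", "db_connect", "203.0.113.7", 1)  # new source address


def daily_counts(events):
    """{entity: {day: event count}} over all events."""
    out = defaultdict(Counter)
    for day, ent, _, _, _ in events:
        out[ent][day] += 1
    return out


def group_of(events, entity):
    return next(g for _, e, g, _, _ in events if e == entity)


def frequency_spike(events, entity, score_day, z_threshold=3.0):
    """Z-score of the entity's volume on score_day versus its own earlier days."""
    per_day = daily_counts(events)[entity]
    baseline = [c for d, c in per_day.items() if d < score_day]
    if len(baseline) < 2:
        return None                        # not enough history to learn from
    sigma = max(pstdev(baseline), 1.0)     # floor: flat baselines must not divide by zero
    z = (per_day.get(score_day, 0) - mean(baseline)) / sigma
    return z if z >= z_threshold else None


def rare_actions(events, entity, score_day, max_peer_count=0):
    """Actions performed on score_day that are new for the entity and that its
    peer group (entity excluded) performed at most max_peer_count times before."""
    group = group_of(events, entity)
    own_hist = {a for d, e, _, a, _ in events if e == entity and d < score_day}
    peer_hist = Counter(a for d, e, g, a, _ in events
                        if g == group and e != entity and d < score_day)
    todays = {a for d, e, _, a, _ in events if e == entity and d == score_day}
    return sorted(a for a in todays if a not in own_hist and peer_hist[a] <= max_peer_count)


def peer_group_ratio(events, entity, score_day, ratio_threshold=3.0):
    """Entity's score_day volume divided by the median volume of active peers that day."""
    group = group_of(events, entity)
    counts = daily_counts(events)
    members = {e for _, e, g, _, _ in events if g == group}
    peers = [counts[e][score_day] for e in members if e != entity and counts[e][score_day] > 0]
    if not peers:
        return None                        # no peers active today: nothing to compare against
    ratio = counts[entity][score_day] / median(peers)
    return ratio if ratio >= ratio_threshold else None


def new_sources(events, entity, score_day):
    """Source addresses first seen on score_day (the service-account connection check)."""
    seen = {s for d, e, _, _, s in events if e == entity and d < score_day}
    today = {s for d, e, _, _, s in events if e == entity and d == score_day}
    return sorted(today - seen)


def risk_score(events, entity, score_day):
    """Additive risk score plus the reasons behind it; weights are assumed."""
    score, reasons = 0, []
    z = frequency_spike(events, entity, score_day)
    if z is not None:
        score += 30; reasons.append(f"frequency spike z={z:.1f}")
    for a in rare_actions(events, entity, score_day):
        score += 25; reasons.append(f"rare action for peer group: {a}")
    r = peer_group_ratio(events, entity, score_day)
    if r is not None:
        score += 20; reasons.append(f"{r:.1f}x peer median volume")
    for s in new_sources(events, entity, score_day):
        score += 40; reasons.append(f"new source address {s}")
    return score, reasons


if __name__ == "__main__":
    for ent in sorted({e for _, e, _, _, _ in EVENTS}):
        print(ent, *risk_score(EVENTS, ent, 6))
```

Two details matter in practice: the z-score uses a floor of one event so that a perfectly flat baseline neither divides by zero nor flags a one-event change, and the peer comparison excludes peers with no activity on the scored day so that a quiet group cannot inflate the ratio. A five-day window is only enough for the illustration; a production baseline has to be long enough to capture weekly and month-end cycles, otherwise a normal quarter-close export shows up as a spike.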

Actionable Intelligence

Unlike traditional SIEM or analytics solutions, Securonix boils the data down to the most suspicious and abnormal activities, transactions and access across users, accounts, systems and applications. Securonix presents this "actionable intelligence" as the starting point for an investigation and visualizes it in an interactive Forensic Investigation Workbench that helps analysts quickly understand and respond to a threat.