Centralized Security Threat Management
The ThreatVision solution offers real-time protection against rapidly changing information security threats by unifying threat information from multiple devices across multiple platforms. ThreatVision provides a centralized analysis and correlation engine that takes events such as status reports, alarms and alerts from multiple sources in multiple formats and helps identify the source of a threat.
Data is collected from multiple device types via multi-tiered collectors and processed against global and device-specific processing rules. This produces alarms at various levels of threat priority. The alarms and event data are then normalized for automatic correlation and stored in a relational database for further analysis and historical reporting. Event correlation identifies alerts of various severities, which are displayed for action on the management console, called the Event Viewer. Correlation and analysis also reduce the data volume and bubble critical events to the top in real time, allowing the most efficient use of limited security staff. The Event Viewer can be run in attended or unattended mode for maximum flexibility. Alert notifications can be sent to e-mail lists or pagers.
eManager
The eManager component of ThreatVision provides the data collection, parsing, normalization and analysis functions for the incoming event data stream. The analyzed events are then sent to the ACE Manager for further analysis and correlation. All captured event data is stored in a local relational database management system (RDBMS).
The eManager component consists of:
- eSyslog Manager, for processing syslog messages from devices such as Cisco PIX firewalls, Cisco routers, Snort, ISS, and UNIX or NT/Win2K systems.
- eCheckPoint Manager, for processing messages from Check Point firewalls and Check Point management servers such as Provider-1/SiteManager.
Summary of eManager features:
- Intelligent filtering and data reduction through configurable agents.
- Events are normalized into a common format for correlation and analysis.
- Support for a full range of security and network devices found in enterprise environments.
- Distributed log collectors and batch processing allow efficient traffic management.
- A global policy plus source-specific policies allow custom analysis of events from particular sources.
- Centralized time zone stamping for precise correlation across globally distributed event sources.
ACE Manager
The ACE Manager provides the analysis and event correlation function for the alarms arriving from the eManager. It has an 'ACE Collector' module, which collects, analyzes and correlates all events and related alarms from the eManager, and an 'ACE Administrator' module for alarm and policy management. Once the ACE Collector has processed the incoming alarms, they are sent to the Event Viewer console and to the alert notification module for real-time alerts. All alarms received from the eManager are stored in a local relational database management system (RDBMS).
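The eManager and ACE Manager stages described above (parse multi-format syslog into a common record, apply a global and a source-specific policy, stamp every source into one time zone, correlate across sources, rank alarms by priority) are illustrated by the following toy pipeline. This is an added example written for this page, not ThreatVision code; the device message formats, collector time zones, rule thresholds and sample log lines are all simplified assumptions constructed for the illustration.

```python
"""Toy eManager -> ACE Manager pipeline. Constructed illustration, not ThreatVision code;
device formats, time zones, thresholds and sample lines are simplified assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in simplified (assumed) PIX, Snort and sshd syslog formats.
SAMPLE_LINES = [
    "Mar 12 03:14:01 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4021 dst inside:10.0.0.7/22",
    "Mar 12 03:14:03 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4022 dst inside:10.0.0.7/23",
    "Mar 12 03:14:05 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4023 dst inside:10.0.0.7/25",
    "Mar 12 03:14:06 pix1 %PIX-6-302013: Built inbound TCP connection 8812 for outside:198.51.100.9/55012",
    "Mar 12 08:14:07 snort1 snort[4411]: [1:1000001:1] SSH brute force [Priority: 2] {TCP} 203.0.113.5:4100 -> 10.0.0.7:22",
    "Mar 12 03:14:09 unix1 sshd[991]: Failed password for root from 203.0.113.5 port 4100 ssh2",
]
# Assumed collector time zones (hours from UTC): pix1/unix1 log in local US Eastern time,
# snort1 logs in UTC. "Centralized time zone stamping" = convert every source to UTC.
SOURCE_TZ = {"pix1": -5, "snort1": 0, "unix1": -5}
YEAR = 2024  # classic syslog carries no year; assumed for the example

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
PIX_HDR_RE = re.compile(r"%PIX-(\d)-\d+:")
PIX_DENY_RE = re.compile(r"Deny \w+ src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
SNORT_RE = re.compile(r"\[Priority: (\d)\] \{\w+\} ([\d.]+):\d+ -> ([\d.]+):(\d+)")
SSHD_RE = re.compile(r"Failed password for (\S+) from ([\d.]+)")

GLOBAL_MAX_SEVERITY = 5  # global policy: drop syslog info(6)/debug(7) noise (data reduction)
SOURCE_POLICY = {        # source-specific policy: UNIX auth failures against root are escalated
    "unix": lambda ev: 2 if ev.get("user") == "root" else ev["severity"],
}
WINDOW = timedelta(seconds=60)
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def normalize(line, tz_stamp=True):
    """eManager: parse one raw line into a common event record; None if unparsed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, msg = m.groups()
    local = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    offset = SOURCE_TZ.get(host, 0) if tz_stamp else 0
    ts = local.replace(tzinfo=timezone(timedelta(hours=offset))).astimezone(timezone.utc)
    ev = {"ts": ts, "host": host, "raw": line}
    if (p := PIX_HDR_RE.search(msg)):
        ev.update(source="pix", severity=int(p.group(1)), category="fw_other")
        if (d := PIX_DENY_RE.search(msg)):
            ev.update(category="fw_deny", src_ip=d.group(1), dst_ip=d.group(2), dst_port=int(d.group(3)))
    elif (s := SNORT_RE.search(msg)):
        ev.update(source="snort", severity=int(s.group(1)), category="ids_alert",
                  src_ip=s.group(2), dst_ip=s.group(3), dst_port=int(s.group(4)))
    elif (a := SSHD_RE.search(msg)):
        ev.update(source="unix", severity=4, category="auth_fail", user=a.group(1), src_ip=a.group(2))
    else:
        return None
    return ev


def apply_policy(ev):
    """eManager: global rule first, then the source-specific rule; None = filtered out."""
    if ev["severity"] > GLOBAL_MAX_SEVERITY:
        return None
    rule = SOURCE_POLICY.get(ev["source"])
    if rule:
        ev["severity"] = rule(ev)
    return ev


def correlate(events):
    """ACE Manager: group by attacking IP, fire rules, return alarms most critical first."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "src_ip" in ev:
            by_src[ev["src_ip"]].append(ev)
    alarms = []
    for src, evs in by_src.items():
        denies = [e for e in evs if e["category"] == "fw_deny"]
        # Rule 1 (single source): 3+ distinct denied ports from one IP inside the window.
        if len({e["dst_port"] for e in denies}) >= 3 and denies[-1]["ts"] - denies[0]["ts"] <= WINDOW:
            alarms.append({"priority": "HIGH", "rule": "port_sweep", "src_ip": src,
                           "events": len(denies), "hosts": sorted({e["host"] for e in denies})})
        # Rule 2 (cross source): IDS alert and host auth failure from the same IP inside the window.
        ids = [e for e in evs if e["category"] == "ids_alert"]
        auth = [e for e in evs if e["category"] == "auth_fail"]
        if any(abs(i["ts"] - a["ts"]) <= WINDOW for i in ids for a in auth):
            alarms.append({"priority": "CRITICAL", "rule": "ids_alert_confirmed_by_auth_fail", "src_ip": src,
                           "events": len(ids) + len(auth), "hosts": sorted({e["host"] for e in ids + auth})})
    alarms.sort(key=lambda a: RANK[a["priority"]])  # bubble critical alarms to the top
    return alarms


def run(lines, tz_stamp=True):
    """Whole pipeline: raw lines -> normalized events -> policy-filtered events -> ranked alarms."""
    events = [e for e in (normalize(l, tz_stamp) for l in lines) if e]
    events = [e for e in map(apply_policy, events) if e]
    return events, correlate(events)


if __name__ == "__main__":
    events, alarms = run(SAMPLE_LINES)
    print(f"{len(SAMPLE_LINES)} raw lines -> {len(events)} events -> {len(alarms)} alarms")
    for a in alarms:
        print(a["priority"], a["rule"], a["src_ip"], a["hosts"])
```

Running `run(SAMPLE_LINES, tz_stamp=False)` shows why the time zone step matters: with local timestamps left as they are, the Snort alert and the sshd failure appear five hours apart, the cross-source rule never fires, and only the single-source port-sweep alarm survives.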
Event Viewer
The Event Viewer component of ThreatVision provides a real-time display of the alarms received from the ACE server. The operator console is Java-based and can be customized according to which alarm attributes the operator wants displayed. The Event Viewer also provides a dashboard that presents availability and activity reports on a single screen.