Customers are looking for options when it comes to purchasing their own Security Information and Event Management (SIEM) system or outsourcing it. With our modular components and distributed system architecture, SecureIQ makes it easy for customers to choose the best mix of on- or off-premise monitoring equipment and staffing.
SIEM System Architecture
Our SIEM system consists of six major components. The first is the Sentinel, a Linux-based appliance that resides at the customer premises and receives security event information from monitored devices such as routers, firewalls, and servers. The Sentinel’s role is to filter out non-security data, parse and compress what remains, and forward it securely over HTTPS to the Gateway.
Next is the Gateway, a data-caching device with a real-time Rules Engine for static event processing. For large-scale, high-availability SIEM installations, multiple Gateways can be installed and replicated in parallel. Security events processed by the Gateway are forwarded to the Distributed Data Warehouse, where they are indexed and archived in our high-performance database schema. This patent-pending schema offers unlimited scalability and has been optimized for very large data volumes, especially firewall and intrusion detection system data.
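To make the Sentinel-to-Gateway flow concrete, here is an added example (illustrative code, not SecureIQ’s own) of the two stages the text describes: the collector side parses syslog-style lines, drops everything that is not security-relevant and compresses the batch, and the gateway side decompresses it and runs static rules over the events. The sample log lines, the list of security-relevant programs and the three rules are constructed for the example; the HTTPS hop between the two halves is represented only by the payload bytes.

```python
"""Added example, not SecureIQ code: a toy Sentinel/Gateway pipeline in the shape
the page describes.  The Sentinel side parses syslog-style lines, keeps only
security-relevant programs and compresses the batch; the Gateway side decompresses
it and applies static rules.  Sample log lines, program list and rules are all
constructed for this example; the HTTPS hop is represented by the payload bytes."""
import json
import re
import zlib
from typing import Dict, List, Optional

# Constructed sample of what a collector might receive from a Linux host and a firewall.
RAW_LINES = [
    "Mar  3 10:01:02 host1 sshd[1200]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar  3 10:01:05 host1 CRON[1311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:01:07 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=3389 ACTION=DROP",
    "Mar  3 10:01:09 host1 dhclient[900]: DHCPACK of 10.0.0.5 from 10.0.0.1",
    "Mar  3 10:01:11 host1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]

# Syslog header: timestamp, host, program with optional [pid], then the message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-/]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
# Programs whose output is security-relevant; everything else is dropped at the edge (assumed list).
SECURITY_PROGRAMS = {"sshd", "sudo", "su", "kernel", "auditd"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one raw line into a flat event dict; KEY=value pairs become lower-case fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["msg"] = ev["msg"].strip()
    for key, val in re.findall(r"\b([A-Z]+)=(\S*)", ev["msg"]):
        ev[key.lower()] = val
    return ev


def security_events(lines: List[str]) -> List[Dict[str, str]]:
    """Sentinel filter stage: parse everything, keep only security-relevant programs."""
    parsed = (parse_line(line) for line in lines)
    return [ev for ev in parsed if ev is not None and ev["prog"] in SECURITY_PROGRAMS]


def sentinel_batch(lines: List[str]) -> bytes:
    """Filter, parse and compress: the payload a Sentinel would POST over HTTPS."""
    return zlib.compress(json.dumps(security_events(lines)).encode("utf-8"))


# Static rules as a gateway Rules Engine might hold them (constructed for the example).
RULES = [
    ("ssh-auth-failure", "medium",
     lambda e: e["prog"] == "sshd" and e["msg"].startswith("Failed password")),
    ("fw-drop-inbound-rdp", "low",
     lambda e: e.get("action") == "DROP" and e.get("dpt") == "3389"),
    ("sudo-shadow-access", "high",
     lambda e: e["prog"] == "sudo" and e.get("user") == "root" and "/etc/shadow" in e["msg"]),
]


def gateway_process(payload: bytes) -> List[Dict[str, str]]:
    """Gateway side: decompress the batch and emit one alert per matching (event, rule)."""
    events = json.loads(zlib.decompress(payload).decode("utf-8"))
    alerts = []
    for ev in events:
        for name, severity, match in RULES:
            if match(ev):
                alerts.append({"rule": name, "severity": severity,
                               "host": ev["host"], "msg": ev["msg"]})
    return alerts


if __name__ == "__main__":
    for alert in gateway_process(sentinel_batch(RAW_LINES)):
        print(alert["severity"].upper(), alert["rule"], alert["host"], alert["msg"])
```

Of the five constructed lines, the cron and DHCP entries never leave the collector, which is the bandwidth and storage saving the filter stage exists for; the three that do are matched by the static rules on the gateway without any cross-event state, which is what distinguishes this stage from the correlation engine described further down.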
SIEM at Secure IQ gives a holistic view of your organization’s overall information technology, making it easier to spot patterns and trends that are out of the ordinary and to take proactive action against potential threats to your systems.
At the core of the system is our Intelligent Correlation Engine (ICE). This module analyzes security anomalies originating from monitored devices anywhere in the network. The ICE delivers industry-leading correlation capabilities and uses 56 different detection algorithms to pinpoint anomalies such as network intrusions and attacks. It also reduces a Security Analyst’s workload by presenting only anomalous behavior among security-related events, filtering out non-threat events and consolidating data in near real time.
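The workload reduction the correlation engine is credited with comes from collapsing many related events into one finding. The following added example (not the ICE or any SecureIQ algorithm) shows one such correlation rule: authentication failures from a single source are tracked in a sliding time window, and once they reach a threshold across several hosts a single consolidated alert is raised and then updated, rather than one alert per event. The normalized events, the window length and the thresholds are all constructed for the example.

```python
"""Added example, not SecureIQ's ICE: a single correlation rule that turns a stream
of individual authentication failures into one consolidated alert per attacking
source, so an analyst sees the pattern rather than every event.  The normalized
events, window and thresholds are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed events as a gateway might forward them: one source spraying four hosts,
# a lone failure from another source, and a late straggler from the first source.
EVENTS = [
    {"ts": "2024-03-03T10:01:02", "host": "host1", "src": "203.0.113.9", "type": "auth_failure"},
    {"ts": "2024-03-03T10:01:04", "host": "host2", "src": "203.0.113.9", "type": "auth_failure"},
    {"ts": "2024-03-03T10:01:06", "host": "host3", "src": "203.0.113.9", "type": "auth_failure"},
    {"ts": "2024-03-03T10:01:08", "host": "host1", "src": "198.51.100.7", "type": "auth_failure"},
    {"ts": "2024-03-03T10:01:10", "host": "host4", "src": "203.0.113.9", "type": "auth_failure"},
    {"ts": "2024-03-03T10:15:00", "host": "host1", "src": "203.0.113.9", "type": "auth_failure"},
]


def correlate_auth_failures(events: List[Dict[str, str]],
                            window: timedelta = timedelta(minutes=5),
                            threshold: int = 3,
                            min_hosts: int = 2) -> List[Dict[str, object]]:
    """Emit one alert per source whose failures within `window` reach `threshold`
    across at least `min_hosts` distinct hosts; later hits in the same burst update
    that alert instead of raising new ones."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    open_alerts: Dict[str, Tuple[Dict[str, object], datetime]] = {}
    alerts: List[Dict[str, object]] = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "auth_failure":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        q = recent[src]
        q.append((ts, ev["host"]))
        while q and ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        hosts = sorted({h for _, h in q})

        # An alert that has seen nothing for a full window is closed; a new burst gets a new one.
        current = open_alerts.get(src)
        if current is not None and ts - current[1] > window:
            current = None
            del open_alerts[src]

        if len(q) >= threshold and len(hosts) >= min_hosts:
            if current is None:
                alert: Dict[str, object] = {"src": src, "first": q[0][0].isoformat()}
                alerts.append(alert)
            else:
                alert = current[0]
            alert.update(count=len(q), hosts=hosts, last=ts.isoformat())
            open_alerts[src] = (alert, ts)
    return alerts


def reduction_ratio(events: List[Dict[str, str]], alerts: List[Dict[str, object]]) -> float:
    """Events seen per alert raised: how much the analyst's queue shrank."""
    return len(events) / len(alerts) if alerts else float("inf")


if __name__ == "__main__":
    found = correlate_auth_failures(EVENTS)
    for a in found:
        print(f"{a['src']}: {a['count']} failures on {len(a['hosts'])} hosts, {a['first']}..{a['last']}")
    print(f"{len(EVENTS)} events -> {len(found)} alert(s)")
```

Six input events become one alert naming the source, the four hosts it touched and the first and last time seen; the single failure from the second source and the straggler that arrives after the window has expired produce nothing, which is the "filtering out non-threat events" behaviour. A production engine would run many such rules in parallel and persist the open-alert state, but the window, threshold and update-in-place pattern is the same.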
For MSSPs and other large-scale providers, our system includes built-in Customer Relationship Management and Trouble Ticket systems. These store customer contact and site records as well as device, address, network, change request, and trouble ticket information. This module can also integrate with a customer’s own Remedy IT help desk system. It addresses the MSSP’s key requirement, cost saving, which is the reason organizations outsource their information security services to MSSPs in the first place.
Customer and administrative access to the SIEM system is through our Customer Portal, a web-based application with a desktop look-and-feel. The Customer Portal includes a near real-time security event console and a user-customizable dashboard. Other capabilities include a rich set of reporting tools, security event search, and multi-layer administration.
To meet varying customer needs, our system modules come in several form factors, including hardware appliances, software modules, and VMware images. All modules can be located either on- or off-premise.