Back in 2005, Gartner coined the term ‘security information and event management’ (SIEM). They used it to describe a holistic approach to an organization’s IT security defence – from threat detection and incident response to compliance reporting.
The trouble is, not all enterprise SIEMs are created equal. Traditional security monitoring systems meet an audit and compliance need but often contribute little to threat detection, timely alerting and reporting, or incident response. Security analytics is now a crucial component of SIEM capability.
Why choose Huntsman for your SIEM needs?
In contrast to other platforms, Huntsman’s security analytics capabilities provide a holistic and real-time approach to data security. This means Huntsman is ideal for organisations that need to detect and manage issues, indicators of compromise and behavioural anomalies in the data stream as soon as they occur.
Does Huntsman Enterprise SIEM support protection of my data?
Data leakage is detectable in several ways:
• Database/application query volumes and user accesses (e.g. an application or database query that returns an unusually large number of rows/records)
• Repeated/frequent/high-volume file accesses in file systems, or record accesses from CRM/finance systems (i.e. anomalously large volumes of records accessed or search requests)
• Transmission of unusually large volumes of data across the network, drawn from proxy, firewall and network logs or netflow records
• Using the Exchange connector (which supports message tracking logs), the size and characteristics of user emails can be monitored as part of a normal profile, so that anomalous send times or message sizes stand out, as does transmission to webmail or non-business systems
• Proxy/firewall/gateway logs are monitored to identify access to webmail sites and cloud-based storage or document transfer/conversion sites
• Often-neglected avenues for data extraction, such as print records and activity, are monitored
• The solution also takes log/alert data from specific control solutions already in place.
How does Huntsman detect anomalous activity?
Huntsman pioneered true Behaviour Anomaly Detection. It’s a breakthrough that allows organisations to detect the widest range of misuse, breaches and anomalous behaviour across their network, systems, user and application environments.
Huntsman automatically creates a dynamic baseline of normal behaviour and activity that allows data sources to be monitored for unusual events, trends and patterns. Huntsman Enterprise SIEM monitors netflow data and traffic patterns (including DNS logs and external connections) to track normal patterns of traffic flow between systems. Most commonly this is traffic between user systems or clients and servers, so the presence of malware or an attacker moving or connecting between systems within the workstation address ranges would be a detectable anomaly, especially when combined with other indicators of compromise such as user account/privilege abuse or external “phone home” traffic seen at proxies.
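The two checks described above, the volume-based data leakage detection in the list under “Does Huntsman Enterprise SIEM support protection of my data?” and the netflow baseline for lateral movement in the preceding paragraph, both reduce to the same pattern: learn a profile from a baseline window, then score new events against it. The following is an added example written for this page, not Huntsman’s own code or output. It runs on constructed sample records embedded inline; the user names, IP addresses, the assumed workstation range 10.10.0.0/16, the threshold parameters and all function names are hypothetical.

```python
"""Baseline-driven anomaly checks on constructed log records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption for this example: client workstations live in this range.
WORKSTATIONS = ip_network("10.10.0.0/16")

# Constructed query-audit records (user, rows_returned) from a baseline window.
QUERY_BASELINE = [
    ("alice", 120), ("alice", 95), ("alice", 140), ("alice", 110), ("alice", 130),
    ("bob", 20), ("bob", 35), ("bob", 25), ("bob", 30), ("bob", 40),
]
# Constructed new query-audit events to score: bob pulls 25,000 rows at once.
QUERY_EVENTS = [("alice", 150), ("bob", 25000), ("carol", 50)]

# Constructed netflow (src, dst) pairs seen during the baseline window.
FLOW_BASELINE = [
    ("10.10.1.5", "10.20.0.10"),   # workstation -> file server
    ("10.10.1.5", "10.20.0.53"),   # workstation -> DNS server
    ("10.10.2.7", "10.20.0.10"),   # workstation -> file server
    ("10.20.0.10", "10.20.0.20"),  # server -> server
]
# Constructed new flows: two workstation-to-workstation connections appear.
FLOW_EVENTS = [
    ("10.10.1.5", "10.20.0.10"),   # already in baseline
    ("10.10.1.5", "10.10.2.7"),    # new, workstation -> workstation
    ("10.10.2.7", "10.10.3.9"),    # new, workstation -> workstation
    ("10.10.3.9", "10.20.0.53"),   # new, but workstation -> server
]


def build_query_profile(records):
    """Per-user mean and population std-dev of rows returned: the 'normal profile'."""
    per_user = defaultdict(list)
    for user, rows in records:
        per_user[user].append(rows)
    return {user: (mean(v), pstdev(v)) for user, v in per_user.items()}


def score_queries(events, profile, zmax=3.0, min_sigma=10.0, unknown_floor=1000):
    """Flag queries whose row count exceeds mean + zmax * sigma for that user.

    min_sigma keeps a very stable user from alerting on tiny wobble; a user
    with no baseline at all is judged against an absolute floor instead.
    """
    alerts = []
    for user, rows in events:
        if user in profile:
            mu, sigma = profile[user]
            threshold = mu + zmax * max(sigma, min_sigma)
            reason = f"{rows} rows vs baseline {mu:.0f} (sigma {sigma:.0f})"
        else:
            threshold = unknown_floor
            reason = f"{rows} rows, no baseline for user"
        if rows > threshold:
            alerts.append((user, reason))
    return alerts


def is_workstation(addr):
    return ip_address(addr) in WORKSTATIONS


def score_flows(events, baseline_pairs):
    """Flag workstation-to-workstation flows never seen in the baseline window."""
    known = set(baseline_pairs)
    alerts = []
    for src, dst in events:
        if (src, dst) in known:
            continue
        if is_workstation(src) and is_workstation(dst):
            alerts.append((src, dst))
    return alerts


def lateral_peer_counts(flow_alerts):
    """Number of distinct new workstation peers per source host: a host reaching
    several new peers is a stronger lateral-movement indicator than one."""
    peers = defaultdict(set)
    for src, dst in flow_alerts:
        peers[src].add(dst)
    return {src: len(d) for src, d in peers.items()}


if __name__ == "__main__":
    profile = build_query_profile(QUERY_BASELINE)
    for user, reason in score_queries(QUERY_EVENTS, profile):
        print(f"QUERY ALERT {user}: {reason}")
    flows = score_flows(FLOW_EVENTS, FLOW_BASELINE)
    for src, dst in flows:
        print(f"FLOW ALERT new workstation-to-workstation flow {src} -> {dst}")
    print("new peers per source:", lateral_peer_counts(flows))
```

With the constructed data, alice’s 150-row query stays inside her profile, bob’s 25,000 rows are flagged against a baseline of about 30 rows, and the two new workstation-to-workstation flows are reported while the new workstation-to-DNS flow is not. In a real deployment the baseline would be rebuilt continuously from live data rather than from a fixed list, and a query alert from a host that also shows new lateral flows would be escalated over either signal alone.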
Where malware detections come from dedicated malware detection/sandbox systems, the solution takes details of the malware detonation directly from the gateway and examines target hosts for signs of the predicted activity and traffic, as well as for registry key and file system changes. This, along with proxy or gateway logs, is then used to detect the spread of malware or an active attack in the environment: hosts that “patient zero” has connected to or infected will exhibit similar host compromise modifications or similar patterns of activity.
This means your security team can investigate and take action on outliers, advanced persistent threats, insider attacks, and command and control activity that indicate a breach has occurred – while there is still time to make a difference.
Huntsman real-time analysis: the facts when you need them
Huntsman provides real-time collection, management, processing and analysis of log, system, transaction, network, intelligence and activity data. It continually monitors security controls and enterprise environments, and flags incidents immediately so analysts can investigate and respond.
Huntsman automatically gathers diagnostic data to enable your security team to rapidly understand the surrounding context of an alert, allowing them to clear benign alerts and false positives with complete confidence.
In addition, Huntsman enables easy access to a wider range of security, activity, compliance and management information – taking collected raw data, alerts and context and translating them into enriched business information for real-time dashboards, ad hoc business intelligence and scheduled reporting.
Huntsman is scalable: develop your security posture in line with your business needs
Huntsman’s architecture is modular, which means your organisation can simply add capacity as it needs. This flexibility extends in multiple dimensions to support increases in data flow rates and storage volumes within the processing engine, storage repositories and the display interface.
In addition, Huntsman’s flexible licensing means an organisation can expand its core enterprise SIEM capability, from simple compliance to enterprise-wide intelligent security.
Huntsman simplifies the compliance process
Huntsman translates operational security metrics into meaningful intelligence to provide real-time visibility of your organisation’s risk posture to stakeholders, support decision-making, and highlight the impact of security issues on business areas.
Want to find out more?
Arrange a meeting with our Security Specialists.