Telephone: 01296 397711
Fax: 01296 394431
Email: info@phoenixdatacom.com


TriGeo - Security Information Management

Event correlation and log management with real-time active response

Event Correlation: Evaluation Criteria

The heart of Security Information Management is the correlation engine. Without it, the product is little more than a log aggregator, but with it, the product can become a powerful network security tool or even a unique network defence technology.

Consider these critical factors when evaluating event correlation technologies:

Real-Time Analysis

Is the data evaluated in real-time, or will you be waiting for polled data that can lag by a full polling interval, often 10 or 15 minutes?

You can't correlate what you can't see, so it's important to know if the event stream is real-time.

TriGeo captures real-time event streams from network devices and utilizes its proprietary agent technology to capture host-based events in real-time.

Memory or Database Correlation

Does the correlation engine process events in memory or query a database?

The distinction is critical if the goal is real-time event analysis rather than forensic analysis: a database-backed engine pays insertion and query latency on every event, which is acceptable for after-the-fact searches but not for detection as events arrive. Ask also how large the in-memory correlation window can be and what happens to correlation state when the engine restarts.

TriGeo is completely based on an in-memory pool capable of correlating millions of events without the performance bottleneck associated with database insertion and query speeds.

Multiple-Event Correlation

Can the correlation system detect and associate anomalous behavior based on multiple events?

Systems designed to identify the occurrence of a single event, even with time and frequency constraints, simply can't identify today's blended threats.

TriGeo has comprehensive support for multiple-event correlation, including the unique ability to set independent thresholds of activity per event, or group of events. This is precisely what is needed when the events being correlated occur at very different rates, for example a handful of user logon failures against thousands of denied firewall connections from the same source.

Non-Linear Correlation

Does the correlation rely on traditional sequential event evaluation?

With today's blended, or multi-faceted, attacks there is no guarantee of the order in which events will appear. Add the clock skew that is typical between devices, which can reorder time stamps even when the underlying activity was sequential, and linear (sequence-based) correlation quickly shows its limits.

TriGeo employs a patent-pending technology that maps events in memory and applies a completely non-linear, multi-vector correlation algorithm. This greatly reduces the number of rules needed, because it is no longer necessary to build a distinct rule for every possible combination or ordering of the same events.

Field-Level Comparison

Does the product provide a rich set of discrete fields that can be used in the correlation?

The event collection and normalization process often strips critical details that are needed for effective correlation, or that detail is retained but not exposed in the product's rule editor.

TriGeo captures an extensive array of field-level data, and makes it all easily accessible via our graphical rule builder. When this data is combined with user-defined groups and variables (see environmental awareness), TriGeo makes it possible to build very detailed rules that minimize false positives and focus your attention where and when it's needed.

Environmental Awareness

Can the correlation rule factor in details about the organization, such as critical assets, applications, time of day or day of week?

It's vital that rules be tuned to address the specific business environment, standard processes and IT objectives.

TriGeo employs several techniques to minimize the noise and maximize the value. These include user-defined groups that identify critical assets and can be referenced directly in rules, and time-sensitive rules. For example, rules can be built to operate only inside or only outside defined business hours, and activity on a server can be evaluated with regard to a defined maintenance or reboot window.
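To make the criteria above concrete, the following is an added example of a small in-memory correlator, written for this page and not TriGeo's code. It combines the points from the Multiple-Event Correlation, Non-Linear Correlation, Field-Level Comparison and Environmental Awareness sections: independent thresholds per event type, counting that does not depend on the order events arrive in (including out-of-order time stamps from a skewed clock), field-level keys preserved by the parser, and an asset group plus business-hours check that decides whether the rule applies. The log format, host names, addresses, thresholds and the group and business-hours definitions are all constructed for the illustration.

```python
"""In-memory, order-independent multi-event correlation over constructed log lines.

Added example, not TriGeo's code. The log format, field names, thresholds and the
asset group / business-hours settings are assumptions chosen for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed environment: a critical-asset group and a business-hours window.
CRITICAL_ASSETS = {"10.0.0.5"}
BUSINESS_HOURS = (9, 18)            # 09:00-18:00, Monday to Friday
WINDOW = timedelta(minutes=10)

# Independent thresholds per event type: a few logon failures matter,
# a few firewall denies do not, so each type carries its own count.
THRESHOLDS = {"logon_failure": 3, "firewall_deny": 20}


def in_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]


def rule_applies(event):
    """Environmental awareness: always watch critical assets, and watch
    everything else only outside business hours."""
    return event["dst"] in CRITICAL_ASSETS or not in_business_hours(event["ts"])


def parse(line):
    """Keep every key=value field so rules can compare on src, dst, user, dport..."""
    ts, host, kind, *kv = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host,
             "type": {"deny": "firewall_deny"}.get(kind, kind)}
    event.update(pair.split("=", 1) for pair in kv)
    return event


class Correlator:
    def __init__(self, thresholds, window):
        self.thresholds = thresholds
        self.window = window
        # state[src][event_type] -> list of timestamps, held in memory (no database round trip)
        self.state = defaultdict(lambda: defaultdict(list))
        self.watermark = {}
        self.alerts = []

    def ingest(self, event):
        if event["type"] not in self.thresholds or not rule_applies(event):
            return None
        src = event["src"]
        # The watermark is the latest time stamp seen for this source. An event that
        # arrives late or carries an earlier time stamp (clock skew) is still counted
        # against the same window, so the rule does not depend on arrival order.
        wm = max(self.watermark.get(src, event["ts"]), event["ts"])
        self.watermark[src] = wm
        self.state[src][event["type"]].append(event["ts"])
        cutoff = wm - self.window
        for kind in list(self.state[src]):
            self.state[src][kind] = [t for t in self.state[src][kind] if t >= cutoff]
        counts = {kind: len(self.state[src][kind]) for kind in self.thresholds}
        if all(counts[kind] >= n for kind, n in self.thresholds.items()):
            alert = {"src": src, "counts": counts, "window_end": wm.isoformat()}
            self.alerts.append(alert)
            self.state.pop(src)             # reset so one burst produces one alert
            self.watermark.pop(src, None)
            return alert
        return None


def build_sample(day, hour, dst):
    """Constructed log lines (March 2024): 20 firewall denies, followed by 3 logon
    failures whose time stamps are EARLIER than the denies, i.e. delivered late."""
    base = datetime(2024, 3, day, hour, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} fw01 deny "
             f"src=203.0.113.7 dst={dst} dport=445" for i in range(20)]
    lines += [f"{(base - timedelta(seconds=30 * i)).isoformat()} dc01 logon_failure "
              f"src=203.0.113.7 dst={dst} user=admin" for i in range(1, 4)]
    return lines


def run(lines):
    correlator = Correlator(THRESHOLDS, WINDOW)
    for line in lines:
        correlator.ingest(parse(line))
    return correlator.alerts


if __name__ == "__main__":
    # Saturday 02:00 against the critical asset: fires once, on the third logon failure.
    for alert in run(build_sample(2, 2, "10.0.0.5")):
        print(alert)
    # Monday 11:00 against a non-critical host: suppressed by the business-hours rule.
    print(run(build_sample(4, 11, "10.0.0.9")))
```

The rule fires once both counts are met, whichever type of event arrived first; feeding it only the denies, or only the logon failures, produces nothing, which is the point of independent thresholds. The same pattern against a non-critical host during business hours is suppressed, while against a critical asset it alerts at any hour. A real engine would additionally need to bound the per-source state it keeps in memory and decide what to do with that state across restarts.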

Correlation Rule Builder

Can you build a rule?

While this question is deceptively simple, it is critically important. Most products employ rule "editors" that were clearly designed by programmers, for programmers. Even when "wizards" are used, it takes several steps to accomplish even the most basic tasks.

TriGeo's rule builder employs an intuitive graphical interface using common "drag and drop" techniques, and everything is done in one location. It can be mastered in a matter of minutes and it will surprise you that something so simple can construct the most complex and powerful correlations available on the market.

Active Response

What happens when the rule fires?

An integral component of the correlation is the action that can be taken when the modeled behavior is identified. While most products provide various notification options, such as email or pager, few go much farther. Where they do, they require human intervention (to press the big red button) to confirm or activate any pre-programmed responses. Whatever the product, check that an automated response can be scoped and rate-limited and that critical assets can be exempted: a rule that blocks the source address of spoofed traffic, or quarantines a production server, turns the defence into a self-inflicted denial of service.

TriGeo is unique in its approach to active response or automated remediation. It ships with the largest arsenal of actions that can be linked directly to correlations. Only TriGeo communicates directly with both network infrastructure devices and host operating systems, providing network defence coverage from the perimeter to the endpoint.


To find out more about Trigeo products call Phoenix Datacom on +44 (0)1296 397711 , send an email or use the Request More Info form.
