A Different Approach to SIEM
Tenable's security information and event management (SIEM) solution leverages the log management capabilities of the Log Correlation Engine (LCE) to collect all logs, software activity, user events, and network traffic. It analyzes all data for correlated events and impact on security and compliance posture. Event context and threat-list intelligence about any system is provided by Tenable Nessus vulnerability and configuration scans and real-time monitoring with the Tenable Passive Vulnerability Scanner (PVS).
- Alerting - Configure and receive automatic alerts based on customized event thresholds.
- Event Correlation - Multiple forms of event correlation are available for all events, including statistical anomalies, associating IDS events with vulnerabilities, and alerting on 'first time seen' events.
- Log Normalization - Normalize, correlate, and analyze user and network activity from log data generated by any device or application across the enterprise in a central portal.
- User Monitoring - Monitor user activity. Associate events such as NetFlow records, IDS detections, firewall log activity, file access, system errors, or login failures with specific users for easy reporting and insider threat detection.
- Full Log Indexing & Search - All logs are compressed and stored, whether they are normalized according to a rule or left raw. Using full-text search, you can rapidly search logs for keywords, user names, IP addresses, and many other terms. Log searches are stored with an independent checksum and can be re-launched at any time.
- NetFlow Analysis - Each instance of the Tenable LCE includes agents for many different platform technologies. They can collect NetFlow traffic logs from routers, switches, and other network devices.
- Malware Detection - The Tenable LCE Windows client monitors all processes running on Windows machines for malware processes, and can alert the security team if malware is discovered.
- Network Content Analysis - Analyze network traffic in real-time with Tenable PVS. It produces an accurate vulnerability report and a real-time forensic log of network events such as shared files, DNS lookups, and social network activity.
Collect log events from any number of devices and store them for as long as required. This data is typically dispersed across the organization under different ownership. Having the ability to centrally manage and analyze all network activity delivers usable and actionable information to solve security problems.
LCE can store any log received via syslog or a Tenable agent that collects NetFlow, Windows events, IDS events, application log files, and many other types of sources. It compresses logs in real-time and stores them for analysis, investigation, and/or data retention requirements. For example:
- IDS correlation tells you if vulnerabilities are present that are actively being attacked. This greatly improves situational awareness.
- Automatically trigger alerts, scans, or email notifications in near real-time when events happen, including the IPs involved and other data.
- Upload historic logs for automatic normalization and indexing.
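The two correlation behaviours described above (matching IDS events against vulnerability scan findings, and flagging 'first time seen' events) can be sketched in a few lines. The following is an added illustration written for this page, not Tenable's or LCE's code; the field names, the CVE-style identifiers, the IP addresses and the priority scheme are all constructed for the example.

```python
# Added example: correlate IDS alerts with scanner findings and mark
# first-time-seen events. All data below is constructed; the CVE-style
# ids are placeholders, not real identifiers.

# Constructed scan findings: host -> set of (port, CVE) pairs a scanner
# reported as present on that host.
VULNS = {
    "10.0.0.5": {(443, "CVE-0000-0001"), (22, "CVE-0000-0002")},
    "10.0.0.9": {(80, "CVE-0000-0003")},
}

# Constructed IDS alerts with hypothetical field names.
IDS_ALERTS = [
    {"ts": 1, "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 443,
     "cve": "CVE-0000-0001", "sig": "exploit attempt"},
    {"ts": 2, "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 8080,
     "cve": "CVE-0000-0009", "sig": "exploit attempt"},
    {"ts": 3, "src": "198.51.100.2", "dst": "10.0.0.9", "dport": 80,
     "cve": None, "sig": "scan"},
    {"ts": 4, "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 443,
     "cve": "CVE-0000-0001", "sig": "exploit attempt"},
]


def correlate(alert, vulns):
    """Return 'confirmed' when the alert's (port, CVE) matches a finding
    the scanner reported on the destination host, else 'unconfirmed'.
    A confirmed match means a known-vulnerable service is being hit."""
    cve = alert.get("cve")
    if cve and (alert["dport"], cve) in vulns.get(alert["dst"], set()):
        return "confirmed"
    return "unconfirmed"


class FirstSeenTracker:
    """Remember event keys so a repeat can be told apart from a new one."""

    def __init__(self):
        self._seen = set()

    def is_first(self, key):
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def triage(alerts, vulns):
    """Annotate each alert with its correlation status, whether this
    (src, dst, port, signature) combination is new, and a priority:
    confirmed-vulnerable targets rank highest, new unconfirmed events
    next, repeats of unconfirmed events lowest."""
    tracker = FirstSeenTracker()
    results = []
    for alert in alerts:
        status = correlate(alert, vulns)
        key = (alert["src"], alert["dst"], alert["dport"], alert["sig"])
        first = tracker.is_first(key)
        if status == "confirmed":
            priority = "high"
        elif first:
            priority = "medium"
        else:
            priority = "low"
        results.append({**alert, "status": status,
                        "first_seen": first, "priority": priority})
    return results


if __name__ == "__main__":
    for r in triage(IDS_ALERTS, VULNS):
        print(r["ts"], r["dst"], r["dport"], r["status"],
              "first" if r["first_seen"] else "repeat", r["priority"])
```

The point of the `correlate` step is the situational-awareness gain the page describes: an IDS alert against a port and CVE the scanner has already found on that host is worth far more attention than one against a service that is not vulnerable. In a real deployment the findings would come from the scan data rather than a literal dict, and the first-seen state would need to persist across restarts.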