Looking for a 2-in-1 Audit Log Management and SIEM solution that’s federal-compliant? Today, SecureVue is used to meet the audit log requirements for a large number of DoD and civilian agencies. The requirements outlined in 8500.2 and 800-53 direct IA managers to collect and review security logs on a regular basis. While there are many ways to collect logs, the challenge for IA managers is to review thousands of logs collected each day with existing staff.
SecureVue allows IA managers to quickly and easily meet these requirements by:
- Collecting event logs from all their IT assets
- Providing out-of-the-box alerts to notify IAMs of suspicious activity, via email or trouble ticket
- Providing hundreds of out-of-the-box reports
- Providing a forensic searching capability to search through millions of events in seconds
SecureVue Log Management and SIEM provides industry-leading event and log collection, storage, correlation, reporting, and search functions for meeting all DoDI 8500.2 and NIST 800-53 Audit Log Management requirements. The solution supports a broad range of event sources including network infrastructure, security solutions, operating systems, and applications.
Automated Event Review
One of the key requirements pertaining to audit log management contained within NIST 800-53 and DoDI 8500.2 is the need to review events for suspicious activity. Once SecureVue is collecting event data, it can automatically correlate and filter events and notify individuals of which ones, if any, are considered suspicious or require further investigation. This automated method removes the need to manually review events and saves a tremendous amount of time.
SecureVue comes with more than 600 alerts and many that are tailored specifically for DoD and federal agencies. These alerts can be easily tailored via a GUI to meet any specific requirements you may have. Out-of-the-box alerts include notifications when the following events occur:
- A configurable number (X) of failed login attempts on a device from a single IP address within a configurable period (Y)
- Traffic that violates ports and protocols policies
- Systems connected to the network that are missing required software (such as host-based IPS or anti-virus), or systems running banned software
- DNS queries from hosts inside the organization to DNS servers outside the organization
- Large data transfers to the Internet (possible data exfiltration)
- Long outbound connections
- Inbound traffic to Web servers not using TCP 80/443
- Multiple denies at the firewall followed by an allow, from a single source IP address
- SQL anomalies, such as xp_cmdshell being enabled followed by user accounts being added to local systems
- CPU usage, memory usage, and low disk space thresholds
- Profiling of service accounts
- Accounts added to local groups on servers
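The failed-login alert and the firewall deny-then-allow alert above are threshold and sequence correlations over an event stream. The following added example (not SecureVue code; the event tuple format, the field names and the thresholds are assumptions) implements both over a few constructed events:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source_ip, event_type)
SAMPLE_EVENTS = [
    ("2024-01-01 12:10:01", "10.0.0.5", "login_failed"),
    ("2024-01-01 12:10:05", "10.0.0.5", "login_failed"),
    ("2024-01-01 12:10:09", "10.0.0.5", "login_failed"),
    ("2024-01-01 12:10:12", "10.0.0.5", "login_failed"),
    ("2024-01-01 12:10:30", "10.0.0.9", "login_failed"),
    ("2024-01-01 12:11:00", "10.0.0.9", "fw_deny"),
    ("2024-01-01 12:11:02", "10.0.0.9", "fw_deny"),
    ("2024-01-01 12:11:04", "10.0.0.9", "fw_deny"),
    ("2024-01-01 12:11:06", "10.0.0.9", "fw_allow"),
    ("2024-01-01 12:20:00", "10.0.0.5", "login_failed"),  # outside the window, no alert
]

def parse(ts): return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def failed_login_alerts(events, x=4, y_seconds=60):
    """Alert when a single IP produces X failed logins within a sliding Y-second window."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures (events in time order)
    alerts = []
    for ts, ip, kind in events:
        if kind != "login_failed":
            continue
        t = parse(ts)
        q = windows[ip]
        q.append(t)
        while q and t - q[0] > timedelta(seconds=y_seconds):
            q.popleft()          # drop failures older than the window
        if len(q) >= x:
            alerts.append((ip, ts))
            q.clear()            # reset so one burst raises one alert
    return alerts

def deny_then_allow_alerts(events, min_denies=3):
    """Alert when a source IP accumulates min_denies firewall denies and is then allowed."""
    denies = defaultdict(int)
    alerts = []
    for ts, ip, kind in events:
        if kind == "fw_deny":
            denies[ip] += 1
        elif kind == "fw_allow":
            if denies[ip] >= min_denies:
                alerts.append((ip, ts))
            denies[ip] = 0       # an allow ends the deny run either way
    return alerts
```

Both functions return the (source IP, timestamp) pairs that would be passed to the notification step; the window reset after an alert is what keeps a single burst from producing one notification per event.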
SecureVue comes with more than 50 dashboards out of the box that allow users to easily visualize the risk and operational picture of the network. Any dashboard can be easily tailored to meet specific requirements or user preferences, and can be saved and shared with others.
Dashboards can incorporate controls for both event and state data sets and are interactive so users can drill-down to get further details.
Utilize ForensicVue, an integrated component of SecureVue, to significantly decrease the time required to discover and visualize the root cause of security incidents. Organizations can use ForensicVue in almost the same manner as a search engine: getting answers to specific questions. For example, using ForensicVue, you can quickly see:
- All login events between 12:10 a.m. and 12:15 a.m.
- Within those results, only the login attempts that used the user ID administrator (searches can be narrowed step by step in this way)
What makes SecureVue even more powerful is the fact that searches can be conducted to go beyond event data and search within device state data. For example, you may want to run a search to show what systems are missing a particular patch or which systems have “Wireshark” installed.
Easy Setup and Management
The fact that SecureVue does not require an agent makes the setup and ongoing management much easier. SecureVue can begin monitoring hundreds of devices in hours.
What also makes SecureVue much easier to manage is the fact that it does not utilize a relational database management system. This is important because many log management and SIEM systems require an RDBMS, which requires system administrators who know and understand these complex databases. With such systems, one needs to understand how to increase tablespace sizes, run import and export commands, create new indexes, and optimize the database. These are all DBA activities that may require training and certification in Oracle, MSSQL, or Sybase. With SecureVue, the database is a highly efficient, flat-file system, which means if you know how to use Windows Explorer, you know how to manage the SecureVue database.