Understanding what is going on in a network matters not only for capacity planning but also for detecting unusual behaviour and producing the reports needed to demonstrate good governance and compliance with the many rules and regulations that apply to every type of business.
The diversity of log formats and the sheer volume of data produced often swamp an organisation; detection becomes difficult and is therefore frequently neglected. Logs also need to be retained as evidence should the organisation face an audit, whether by internal divisions, external clients, law enforcement or financial regulators. Logs kept for this purpose must be stored raw and 'untouched' rather than in 'normalised' form, and must be protected so that any tampering can be detected.
nSIEM and industry-standard log management controls
nSIEM is built on industry-standard log management controls. Digital Pathways gathers logs from any server, application or proprietary system and stores them in our secure data vaults, encrypted using the nCrypt system. The raw logs are made available to each client, or pre-defined reports are emailed at set times to selected members of the organisation.
All logs can be processed by a rules-driven analysis and anomaly detection engine. Tailored and extensible analytic rules allow 'questionable' events to be tagged and written to a database for further review and possible alerting. The tagged events can then be explored with a Google-style free-text search on any item, giving a rapid and effective interactive understanding of an incident. Knowledge gained in this way can feed back into new automated policies for data access and reporting.
Custom reports and real-time alerts are sent via email to selected individuals and can be created either on the fly or ordered through the Digital Pathways support portal.
Logs are gathered wherever the data servers are located. They are either consolidated locally by an installed software agent and batch uploaded, or streamed directly to our nSIEM system. In both cases an RSA/SHA256 digital signature is calculated over the log data and attached before transfer, so that the receiving system, and later an auditor, can verify that the stored bytes are exactly what the source emitted. Every transfer is additionally authenticated and encrypted with TLS, which protects the confidentiality and integrity of the data in transit; the signature is what makes the stored raw logs tamper-evident after they arrive.
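The sign-before-transfer step described above, as an added illustration rather than code from Digital Pathways or the nSIEM product: a collection agent hashes a buffered batch of raw log lines with SHA-256, signs the digest with its RSA key (RSA-PSS is assumed here, since the page only says RSA/SHA256), and the receiver verifies the signature with the agent's public key. The sample log lines, the key size and the tampering step are constructed for the example; the `TamperDemo` helper flips one word in the stored batch to show that verification then fails.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sampleBatch is a constructed batch of raw log lines, as an agent might
// buffer them before a batch upload. Lines are kept byte-for-byte as emitted.
var sampleBatch = []byte(
	"2024-03-01T10:00:01Z host1 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2\n" +
		"2024-03-01T10:00:03Z host1 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2\n" +
		"2024-03-01T10:00:09Z host1 sshd[815]: Accepted publickey for deploy from 198.51.100.4 port 40210 ssh2\n")

// NewAgentKey generates the agent's signing key. 2048 bits is an assumption
// for the example; in practice the key would be provisioned once and stored
// in protected storage on the agent host.
func NewAgentKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignBatch hashes the raw batch with SHA-256 and signs the digest with
// RSA-PSS. The signature travels with the batch and is kept alongside the
// stored raw logs so they can be re-verified at audit time.
func SignBatch(priv *rsa.PrivateKey, batch []byte) ([]byte, error) {
	digest := sha256.Sum256(batch)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyBatch recomputes the digest over the bytes actually stored and checks
// the signature against the agent's public key. Any modification, even a
// single byte, makes this return false.
func VerifyBatch(pub *rsa.PublicKey, batch, sig []byte) bool {
	digest := sha256.Sum256(batch)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

// TamperDemo signs the sample batch, verifies it, then alters the stored copy
// (turning the first failed login into an accepted one, as an attacker
// covering their tracks might) and verifies again.
// It returns (originalVerifies, tamperedVerifies, err).
func TamperDemo(priv *rsa.PrivateKey) (bool, bool, error) {
	sig, err := SignBatch(priv, sampleBatch)
	if err != nil {
		return false, false, err
	}
	okOriginal := VerifyBatch(&priv.PublicKey, sampleBatch, sig)

	tampered := bytes.Replace(sampleBatch, []byte("Failed password"), []byte("Accept password"), 1)
	okTampered := VerifyBatch(&priv.PublicKey, tampered, sig)
	return okOriginal, okTampered, nil
}

func main() {
	priv, err := NewAgentKey()
	if err != nil {
		panic(err)
	}
	okOriginal, okTampered, err := TamperDemo(priv)
	if err != nil {
		panic(err)
	}
	fmt.Printf("original batch verifies: %v\n", okOriginal)
	fmt.Printf("tampered batch verifies: %v\n", okTampered)
}
```

The signature only proves integrity and origin for the bytes that were signed, so the batch must be stored exactly as signed; normalising or re-encoding the logs before storage would invalidate it. TLS still matters: the signature says nothing about who can read the batch while it crosses the network.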
Once stored within nSIEM, the collected logs are processed by the rules-driven analysis and anomaly detection engine. Flexible and extensible analysis rules allow 'interesting' events to be tagged and written to a database for further analysis and reporting.
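What a rules-driven engine of the kind described in the two paragraphs above does in practice, as an added example that is not nSIEM's own engine or rule format: each raw line is run through stateless rules that tag single events, then a stateful rule looks across the batch for a pattern no single line reveals (repeated authentication failures from one source). Tagged events are collected for review, which is the point at which a real system would write them to a database. The log lines, the "internal" network range, the threshold and the rule names are all constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Event is one raw log line plus whatever tags the rules attached to it.
type Event struct {
	Line string
	Tags []string
}

// A Rule inspects a single line and reports whether it should be tagged.
type Rule struct {
	Name  string
	Match func(line string) bool
}

var (
	failedRe   = regexp.MustCompile(`Failed password for (\S+) from (\S+) port`)
	acceptedRe = regexp.MustCompile(`Accepted \S+ for (\S+) from (\S+) port`)
	// Assumed for the example: the client's management network, from which
	// interactive logins are expected.
	internalNet = mustCIDR("198.51.100.0/24")
	// Assumed for the example: failed logins from one source IP within a
	// batch before the failures are flagged as a burst.
	burstThreshold = 3
)

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// statelessRules each look at one line in isolation.
var statelessRules = []Rule{
	{Name: "root-password-failure", Match: func(line string) bool {
		m := failedRe.FindStringSubmatch(line)
		return m != nil && m[1] == "root"
	}},
	{Name: "external-interactive-login", Match: func(line string) bool {
		m := acceptedRe.FindStringSubmatch(line)
		if m == nil {
			return false
		}
		ip := net.ParseIP(m[2])
		return ip != nil && !internalNet.Contains(ip)
	}},
}

// sampleLogs is a constructed batch: a short password-guessing run from an
// external address, one expected internal login, one external login that
// succeeded after the failures, and a benign cron line.
var sampleLogs = []string{
	"2024-03-01T10:00:01Z host1 sshd[812]: Failed password for root from 203.0.113.7 port 51122 ssh2",
	"2024-03-01T10:00:03Z host1 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2",
	"2024-03-01T10:00:05Z host1 sshd[812]: Failed password for root from 203.0.113.7 port 51126 ssh2",
	"2024-03-01T10:00:09Z host1 sshd[815]: Accepted publickey for deploy from 198.51.100.4 port 40210 ssh2",
	"2024-03-01T10:00:12Z host1 sshd[819]: Accepted password for admin from 203.0.113.7 port 51130 ssh2",
	"2024-03-01T10:01:00Z host1 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
}

// TagEvents applies every stateless rule to each line, then the stateful
// burst rule across the whole batch: any source IP with burstThreshold or
// more failed passwords gets each of those failures tagged "auth-failure-burst".
// Only events that received at least one tag are returned, in input order.
func TagEvents(lines []string) []Event {
	events := make([]Event, len(lines))
	failuresBySrc := map[string][]int{}
	for i, line := range lines {
		events[i].Line = line
		for _, r := range statelessRules {
			if r.Match(line) {
				events[i].Tags = append(events[i].Tags, r.Name)
			}
		}
		if m := failedRe.FindStringSubmatch(line); m != nil {
			failuresBySrc[m[2]] = append(failuresBySrc[m[2]], i)
		}
	}
	for _, idxs := range failuresBySrc {
		if len(idxs) >= burstThreshold {
			for _, i := range idxs {
				events[i].Tags = append(events[i].Tags, "auth-failure-burst")
			}
		}
	}
	var tagged []Event
	for _, ev := range events {
		if len(ev.Tags) > 0 {
			tagged = append(tagged, ev)
		}
	}
	return tagged
}

func main() {
	for _, ev := range TagEvents(sampleLogs) {
		fmt.Printf("%v  %s\n", ev.Tags, ev.Line)
	}
}
```

The rules are deliberately data-driven (a name plus a predicate) so that new ones can be added without touching the engine, which is what "extensible" buys you in practice. The burst rule is the one worth noticing: three individually unremarkable failures become interesting only when correlated by source address, and the successful external login that follows them is exactly the kind of event an analyst would want surfaced together with the burst.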
Any alerts, once verified by our trained security analysts, are raised with the client, and appropriate action plans are agreed between our NOC team and the client. We continue to monitor the alerts and work with the client's teams until the situation has been resolved. If a client does not have sufficient resources to deal with the situation, consultants from Digital Pathways professional services can be deployed.