Why Use Correlation?
Correlation allows users to:
- Reduce the mass of information to monitor
- Compensate for inconsistency among security device-generated messages
- Automate the response after receiving a message
- Enhance the quality of the diagnosis
To Reduce the Amount of Information to Monitor
Security administrators and analysts face a massive volume of information coming from numerous security devices. This quantity of information cannot be monitored directly, so a grouping method must be applied to the various messages; correlation rules provide this type of bundling.
To Automate the Response after Receiving a Message
Once correlation has been performed and according to the configuration of the correlation rule, an immediate action can take place such as the:
- Automatic creation of an alert
- Modification of the event’s severity
- Sending of an alert or event from one SMP to another in a multi-instance environment
- Mailing of the event to contacts
- Automatic creation of an incident from the alert
- Creation of a scenario based on rules
To Enhance the Quality of the Diagnosis
By using the Asset Database, the correlation process can reflect a user's business security requirements. Once a user's business environment has been correctly configured in SureLog (vulnerabilities, list of computers, etc.), and with the help of the events generated by vulnerability scanners, a user can obtain an alert enriched with information about the installed base. Therefore, an alert linked to a critical server from the asset database will be considered more important than an alert about a less sensitive server: its severity will be modified and the alert will be processed by priority. The information contained in the asset database will also be used to fill in the alerts' messages, for example with the IP address of a workstation.
To Compensate for the Lack of Consistency among Security Device-Generated Messages
Messages generated by different devices vary widely in wording and format. Through correlation and standardization, messages are classified so that events carrying the same information always receive the same description.
For example, when a port scan is detected, the following happens:
- a Checkpoint firewall will generate a "Port Scanning" message
- a NetASQ firewall will generate a "Possible port scan" message
- a Snort detection probe will generate a "Port Scan detected" message
Therefore, all these events can be correlated into one alert, simply titled “Port Scan”.
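The following is an added illustration, not SureLog's own code: a minimal correlator that standardizes the three vendor messages above into one "Port Scan" alert per target, then raises severity and fills in the host name from an asset database as described in the diagnosis section. The normalization rules, asset entries and sample events are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed normalization rules (hypothetical): device, message pattern -> common description.
NORMALIZATION_RULES = [
    ("checkpoint", re.compile(r"Port Scanning", re.I), "Port Scan"),
    ("netasq", re.compile(r"Possible port scan", re.I), "Port Scan"),
    ("snort", re.compile(r"Port Scan detected", re.I), "Port Scan"),
]
# Constructed asset database (hypothetical hosts): which targets are critical.
ASSET_DB = {
    "10.0.0.5": {"name": "db-server-01", "critical": True},
    "10.0.0.42": {"name": "workstation-17", "critical": False},
}

def normalize(event):
    """Standardize a device-specific message; None if no rule matches."""
    for device, pattern, description in NORMALIZATION_RULES:
        if event["device"] == device and pattern.search(event["message"]):
            return description
    return None

def correlate(events):
    """Bundle normalized events by (description, target) into one alert each,
    then raise severity for targets the asset database marks as critical."""
    groups = defaultdict(list)
    for ev in events:
        desc = normalize(ev)
        if desc:  # unmatched messages are not bundled into an alert
            groups[(desc, ev["dst"])].append(ev)
    alerts = []
    for (desc, dst), evs in groups.items():
        asset = ASSET_DB.get(dst, {})
        alerts.append({
            "title": desc,
            "target": dst,
            "asset_name": asset.get("name", "unknown"),  # filled from the asset DB
            "severity": "high" if asset.get("critical") else "medium",
            "sources": sorted({e["device"] for e in evs}),
            "event_count": len(evs),
        })
    return alerts

# Constructed sample events: three devices report the same scan against 10.0.0.5.
SAMPLE_EVENTS = [
    {"device": "checkpoint", "dst": "10.0.0.5", "message": "Port Scanning from 203.0.113.9"},
    {"device": "netasq", "dst": "10.0.0.5", "message": "Possible port scan"},
    {"device": "snort", "dst": "10.0.0.5", "message": "Port Scan detected"},
    {"device": "snort", "dst": "10.0.0.42", "message": "Port Scan detected"},
    {"device": "checkpoint", "dst": "10.0.0.42", "message": "Accept http"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields two "Port Scan" alerts: the one against the critical database server is marked high severity, the one against the workstation medium, and the unrelated "Accept http" message is left out.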