Security-relevant information in organisations is often held in silos, where it is frequently ignored or underutilised. Correlating logs with network flows, vulnerability data, IDS alerts, SIEM findings and other sources breaks down the walls between those silos and presents all relevant information in one big picture.
Correlation and cross-correlation are based on rules, policies and machine learning. Rules are predefined to detect known patterns; they are continuously enhanced and customised to each client's needs. Policies verify that certain actions happen at the right time and from the right place. Machine learning covers the correlation engine's ability to learn the normal state of applications, servers and other areas of the network, to differentiate normal from abnormal behaviour and to detect changes in that behaviour over time. Examples of detected anomalies are usage outside business hours, unusually heavy use of applications and other IT services, and patterns in network traffic compared with earlier periods, taking daily, weekly, monthly or seasonal variation into account.
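The following is an added example, not the vendor's correlation engine, showing the three mechanisms described above on constructed sample events: a predefined rule (failed logins followed by a success), a time-and-place policy (admin logins only in business hours and from an admin network), and a learned baseline that compares today's volume with former periods for the same weekday. The thresholds, the `10.0.0.0/24` admin network, the business hours, the users, addresses and all event data are assumptions chosen for illustration.

```python
"""Added example, not the vendor's correlation engine: a minimal engine that
applies rules, policies and baseline learning to constructed sample events.
Thresholds, networks, hosts, users and all event data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import statistics

# --- assumed tunables (a real deployment customises these per client) ---
BUSINESS_HOURS = (8, 18)                          # 08:00-18:00, Mon-Fri
ADMIN_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed admin VLAN
BRUTE_FORCE_THRESHOLD = 5                         # failed logins ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)        # ... inside this window


def rule_brute_force(events):
    """Rule: a predefined pattern. Flags a successful login from a source that
    produced >= BRUTE_FORCE_THRESHOLD failed logins inside BRUTE_FORCE_WINDOW."""
    alerts = []
    fails = defaultdict(list)  # src -> timestamps of recent failed logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "login_fail":
            fails[e["src"]].append(e["ts"])
        elif e["event"] == "login_ok":
            recent = [t for t in fails[e["src"]]
                      if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("rule:brute_force_success", e["src"], e["user"]))
                fails[e["src"]].clear()  # do not re-alert on the same burst
    return alerts


def policy_admin_access(events):
    """Policy: the right time and the right place. Admin logins are only
    allowed during business hours on weekdays and from ADMIN_NET."""
    alerts = []
    for e in events:
        if e["event"] != "admin_login":
            continue
        ts = e["ts"]
        in_hours = ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
        in_net = ipaddress.ip_address(e["src"]) in ADMIN_NET
        if not (in_hours and in_net):
            reason = "outside_business_hours" if not in_hours else "outside_admin_network"
            alerts.append(("policy:admin_access", e["src"], e["user"], reason))
    return alerts


def baseline_anomaly(history, today_count, weekday, k=3.0):
    """Learned baseline: compare today's event volume with former periods for
    the SAME weekday, so weekly variation (quiet weekends) is respected.
    Returns (is_anomalous, threshold) with threshold = mean + k * stdev."""
    past = history[weekday]
    mean = statistics.mean(past)
    stdev = statistics.pstdev(past)
    threshold = mean + k * max(stdev, 1.0)  # floor: a flat history keeps a margin
    return today_count > threshold, threshold


def correlate(events, history, today_count, weekday):
    """Run all three mechanisms and return the combined alert list."""
    alerts = rule_brute_force(events) + policy_admin_access(events)
    anomalous, threshold = baseline_anomaly(history, today_count, weekday)
    if anomalous:
        alerts.append(("baseline:volume_anomaly", weekday, today_count, round(threshold, 1)))
    return alerts


# --- constructed sample data (not real logs) ---
BASE = datetime(2024, 3, 12, 9, 0)  # a Tuesday
EVENTS = (
    # six failed logins within five minutes, then a success: the rule fires
    [{"ts": BASE + timedelta(minutes=i), "src": "203.0.113.7",
      "user": "jdoe", "event": "login_fail"} for i in range(6)]
    + [{"ts": BASE + timedelta(minutes=7), "src": "203.0.113.7",
        "user": "jdoe", "event": "login_ok"}]
    # admin login at 02:30 from the admin VLAN: wrong time
    + [{"ts": datetime(2024, 3, 13, 2, 30), "src": "10.0.0.5",
        "user": "admin", "event": "admin_login"}]
    # admin login in hours but from an office subnet: wrong place
    + [{"ts": datetime(2024, 3, 13, 10, 0), "src": "192.168.5.20",
        "user": "admin", "event": "admin_login"}]
    # compliant admin login: no alert
    + [{"ts": datetime(2024, 3, 13, 11, 0), "src": "10.0.0.9",
        "user": "admin", "event": "admin_login"}]
)
# Daily login counts for the previous four weeks, keyed by weekday (0 = Monday).
HISTORY = {
    0: [410, 425, 398, 432], 1: [430, 440, 421, 455], 2: [418, 436, 429, 441],
    3: [425, 412, 446, 430], 4: [390, 402, 385, 398],
    5: [60, 72, 58, 65], 6: [55, 49, 63, 58],
}

if __name__ == "__main__":
    for alert in correlate(EVENTS, HISTORY, today_count=900, weekday=2):
        print(alert)
    # 120 logins is normal on a Tuesday but abnormal on a Saturday:
    print(baseline_anomaly(HISTORY, 120, 1)[0], baseline_anomaly(HISTORY, 120, 5)[0])
```

The baseline is keyed by weekday on purpose: the same 120 logins that are unremarkable on a Tuesday are flagged on a Saturday, which is what taking daily and weekly variation into account means in practice. A production engine would also learn per-application and per-server baselines and compare against monthly or seasonal periods, but the comparison logic is the same.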
Results are analysed by the Risk & Security Intelligence Team, who receive instant alerts in critical situations. In addition, the client receives alerts directly in predefined, highly critical situations.