Identity Analysis & Correlation
Security Information & Event Analysis isn't much use without an easy way to link that analysis back to real users and applications. That's why NitroSecurity provides protection and visibility throughout your infrastructure, from the edge to the core. When data is accessed on your core application server, what account was used? Is that user actually responsible? What other identity information, such as that user's IP address, OS, domain, etc., is relevant to that account? Did the user access the database directly, or is there more that needs to be examined: the user's PC might have been compromised, for example, or the user's credentials could have been stolen by a malicious third party.
This contextual detail is only possible when activity and events are collected from all areas of the network:
- The Core, via database activity and transaction monitoring
- The Edge, via network-aware intrusion prevention systems
- Everywhere in between, including network flow data, host and server logs, and other sources.
To provide true visibility from edge-to-core, an information management system is required that can normalize all of the collected event data, providing rich analysis and correlation between it all.
Forrester Research, January 2007
The Hacker INSIDE the Firewall
Today's hacker is most likely to be a former technical employee using remote access to exploit system vulnerabilities, according to CERT, the Internet security research center run by the Software Engineering Institute at Carnegie Mellon University, which has access to U.S. Secret Service data. Scary, but we bet you aren't surprised. What does this really mean to you as an IT professional?
- The line between an external attack and an internal attack is blurring. A former employee using remote access is acting from a completely different set of motives and from a completely different base of knowledge than an outside hacker. He/she may know exactly where the most important or confidential data resides, and he/she may know colleagues' passwords and enough of your security practices to cover his/her tracks.
- A zero-day scenario is more likely to be a planned event: a former employee waiting for the opportunity to do damage. He/she may know your patch policies and the exact length of the window of opportunity.
CERT's report also says the majority of insider attackers compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks. The majority of such attacks were only detected once there was a noticeable irregularity in the information system or a system became unavailable.
NitroSecurity offers several products, which may be used singly or as an integrated solution, to provide robust identity awareness within your infrastructure:
- NitroGuard Database Monitor provides visibility to the core: the databases and applications that are the ultimate target of an attack. Useful identity data can be collected from NitroGuard DBM, including:
- The user (or admin) account responsible for unauthorized data access
- Related login activity (successful and unsuccessful)
- NitroGuard Intrusion Prevention is a session-aware IPS that collects intrusion events as well as related flow information, providing an event-to-network correlation at the point of ingress:
- The source of the event
- The target
- NitroView Receiver is a data collection appliance, designed to capture log and flow events from firewalls, IPS devices, routers, switches, servers and hosts. This data is passed to NitroView Enterprise Security Manager for normalization and analysis to determine:
- The attack vector through the network
- Other instances of the known user's identity
- Related authentication activity
- NitroView LogCaster is an additional data source, designed to collect any log file from any source. LogCaster provides storage and validation of logs for compliance purposes, but can also apply text filters to logs, triggering events that are highly useful. These events can be collected by NitroView Enterprise Security Manager for further analysis.
- Other instances of the known user's identity
- Universal log collection and filtering to discover user activity in custom logs, binary logs, and other difficult data sources
- NitroView Enterprise Security Manager provides a real-time data management and reporting engine for deep contextual analysis of all of the above information. NitroView ESM normalizes all data, allowing fast correlation, data pivoting, data drill-down, trend analysis, and other high-level analytics. NitroView ESM is highly responsive, easy to use, and scalable.
- Rich identity details based on active fingerprinting
- User location within the network
- Trend analysis to determine normal vs. abnormal user behavior
Identity Analysis within NitroView allows you to:
- Provide required identity data for compliance reporting
- Search or filter on known identities for forensic investigations
- Link identity summaries to event and flow reports
- Summarize an identity to see all events or flow relevant to that user
- Locate a user within the network using NitroView's Network & Event Analysis Topology (NEAT).
- Remediate a threat by disabling the user's account
- Provide detailed user authentication and activity as required by regulatory compliance.
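To make the edge-to-core correlation described above concrete, here is an added example (written for this page; it is not NitroView code and does not use NitroSecurity's log formats) that normalizes three constructed log sources into one event schema, summarizes an identity across all of them, and ties each database access back to the person who was logged on at the client host. The VPN, host-logon and database audit line formats, the "app_<user>" account naming convention, and the set of shared database accounts are all assumptions made up for the example.

```python
"""Edge-to-core identity correlation over constructed sample logs (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    ts: str      # ISO-8601 timestamp; sorts correctly as text
    source: str  # "vpn" (edge), "host" (in between) or "db" (core)
    user: str    # account name exactly as the source reports it
    ip: str      # source IP (vpn/host) or client IP (db)
    action: str  # normalized verb: logon, logon_failed, query
    detail: str  # free text: result, SQL statement, ...


# Constructed sample logs. The line formats are invented for this example.
VPN_LOG = """\
2007-01-15T08:02:11 vpn: user=jsmith src=203.0.113.7 result=success
2007-01-15T22:14:03 vpn: user=rjones src=198.51.100.23 result=failure
2007-01-15T22:14:30 vpn: user=rjones src=198.51.100.23 result=success
"""
HOST_LOG = """\
2007-01-15T08:03:02 host: logon user=jsmith wkst=10.0.5.21
2007-01-15T22:15:10 host: logon user=rjones wkst=10.0.5.40
"""
DB_LOG = """\
2007-01-15T08:10:15 db: account=app_jsmith client=10.0.5.21 stmt="SELECT name FROM customers WHERE id=42"
2007-01-15T22:20:44 db: account=app_jsmith client=10.0.5.40 stmt="SELECT ssn FROM customers"
2007-01-15T23:01:09 db: account=sa client=10.0.5.40 stmt="CREATE LOGIN svc_bkup WITH PASSWORD='x'"
"""

VPN_RE = re.compile(r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$")
HOST_RE = re.compile(r"^(?P<ts>\S+) host: logon user=(?P<user>\S+) wkst=(?P<ip>\S+)$")
DB_RE = re.compile(r'^(?P<ts>\S+) db: account=(?P<user>\S+) client=(?P<ip>\S+) stmt="(?P<stmt>[^"]*)"$')

# Assumed: shared database accounts that cannot be attributed to a person by name alone.
SHARED_DB_ACCOUNTS = {"sa"}


def normalize(vpn: str = VPN_LOG, host: str = HOST_LOG, db: str = DB_LOG) -> list[Event]:
    """Parse each source into the common schema and return one time-ordered stream."""
    events: list[Event] = []
    for line in vpn.splitlines():
        if m := VPN_RE.match(line):
            action = "logon" if m["result"] == "success" else "logon_failed"
            events.append(Event(m["ts"], "vpn", m["user"], m["ip"], action, m["result"]))
    for line in host.splitlines():
        if m := HOST_RE.match(line):
            events.append(Event(m["ts"], "host", m["user"], m["ip"], "logon", ""))
    for line in db.splitlines():
        if m := DB_RE.match(line):
            events.append(Event(m["ts"], "db", m["user"], m["ip"], "query", m["stmt"]))
    return sorted(events, key=lambda e: e.ts)


def db_account_owner(account: str) -> Optional[str]:
    """Map a database account to a person; None for shared accounts. 'app_<user>' is an assumed convention."""
    if account in SHARED_DB_ACCOUNTS:
        return None
    return account[4:] if account.startswith("app_") else account


def user_on_host(events: list[Event], ip: str, before_ts: str) -> Optional[str]:
    """Who was logged on at `ip` (most recent host logon at or before `before_ts`), if anyone."""
    logons = [e for e in events if e.source == "host" and e.ip == ip and e.ts <= before_ts]
    return logons[-1].user if logons else None


def correlate(events: list[Event]) -> list[dict]:
    """Tie each core (database) event to the person behind the client host and flag inconsistencies."""
    findings = []
    for e in events:
        if e.source != "db":
            continue
        owner = db_account_owner(e.user)          # whose credentials were used
        person = user_on_host(events, e.ip, e.ts)  # who was at the keyboard
        if person is None:
            rule = "no_host_logon"         # DB access with no logon seen on the client host
        elif owner is None:
            rule = "shared_account"        # shared account, now attributed to a person
        elif owner != person:
            rule = "credential_mismatch"   # someone else's DB credentials used from this host
        else:
            continue                       # credentials and host user agree: nothing to flag
        findings.append({"ts": e.ts, "rule": rule, "account": e.user, "ip": e.ip, "user": person})
    return findings


def identity_summary(events: list[Event], user: str) -> list[Event]:
    """All events relevant to `user`: own logons, plus DB activity with their credentials or from their host."""
    return [e for e in events
            if e.user == user
            or (e.source == "db" and (db_account_owner(e.user) == user
                                      or user_on_host(events, e.ip, e.ts) == user))]


if __name__ == "__main__":
    evs = normalize()
    for f in correlate(evs):
        print(f)
    for e in identity_summary(evs, "jsmith"):
        print("jsmith:", e)
```

On the constructed data the 22:20 query with jsmith's database credentials is attributed to rjones, who was logged on at that workstation, and the `sa` activity from the same host is attributed to rjones as well; that is the kind of pivot (account, then host, then person) that no single tier's log can make on its own, and the summary for jsmith still surfaces the misuse of his credentials so an analyst can tell a stolen credential from a guilty user.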