The ThreatVision solution offers real-time protection against rapidly changing information security threats by unifying threat information from multiple devices across multiple platforms. ThreatVision provides a centralized analysis and correlation engine that takes events such as status reports, alarms and alerts from multiple sources in multiple formats and helps identify the threat source.
Data is collected from multiple device types via multi-tiered collectors and processed according to global and device-specific processing rules. This process results in alarms at various levels of threat priority. The alarms and event data are then normalized for automatic correlation and stored in a relational database system for further analysis and historical reporting. Event correlation identifies alerts of various severities, which are displayed for action on the management console, called the 'Event Viewer'. Correlation and analysis further reduce the data volume and bubble critical events to the top in real time, allowing the most efficient use of limited security resources. The Event Viewer can be run in 'Attended' or 'Un-Attended' mode for maximum flexibility. Alert notifications can be sent to e-mail lists or pagers.
eManager
The 'eManager' component of ThreatVision provides the data collection, parsing, normalization and analysis function for the incoming event data stream. The analyzed events are then sent to the ACE Manager for further analysis and correlation. All captured event data is stored in a local Relational Database Management System (RDBMS).
The eManager component is made of:
eSyslog Manager, for processing syslog messages from devices such as Cisco PIX firewalls, Cisco routers, Snort, ISS, and UNIX or NT/Win2K systems.
eCheckPoint Manager, for processing messages from Check Point firewalls and Check Point management products such as Provider-1/SiteManager.
Summary of eManager Features:
Intelligent filtering and data reduction through use of configurable agents.
Events are normalized for correlation and analysis purposes.
Support for a full range of security and network devices used to manage an enterprise environment.
Distributed log collectors and batch processing allow for efficient traffic management.
Global policy and source-specific policies allow custom analysis of events from specific sources.
Centralized time zone stamping for precise correlation across global event sources.
ACE Manager
The 'ACE Manager' provides the analysis and event correlation function for the incoming event alarms from the 'eManager'. The ACE Manager has an 'ACE Collector' module for collecting, analyzing and correlating all events and related alarms from the eManager, and an 'ACE Administrator' module for alarm and policy management. Once the ACE Collector has processed the incoming alarms, they are sent to the Event Viewer console and to the alert notification module for real-time alerts. All alarms received from the eManager are stored in a local Relational Database Management System (RDBMS).
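To make the two stages concrete, here is a small added example (not ThreatVision's own code) that walks through the eManager functions listed above (parsing device-specific syslog, centralized UTC time stamping, global and source-specific policy filtering for data reduction) and then the ACE-style correlation step described in this section, which groups related alarms and bubbles a critical alert to the top. The syslog formats, the per-source time zone table, the policy thresholds, the severity mapping and the correlation rule are all assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Toy collect / normalize / correlate pipeline in the style of the eManager and
ACE Manager stages. Added example, not ThreatVision code: log formats, time
zone table, policies and the correlation rule are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

YEAR = 2024  # assumed: classic syslog timestamps carry no year

# Assumed per-source local time zones, used for centralized UTC stamping.
SOURCE_TZ = {"pix": timezone(timedelta(hours=-5)), "snort": timezone.utc}

# Constructed sample lines (device type, raw syslog). The formats are simplified
# approximations of PIX and Snort syslog output, not captured logs.
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("pix", "Dec 12 10:15:01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22"),
    ("pix", "Dec 12 10:15:02 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4445 dst inside:10.0.0.5/23"),
    ("pix", "Dec 12 10:15:03 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4446 dst inside:10.0.0.5/445"),
    ("snort", "Dec 12 15:15:05 snort[42]: [1:100:1] PORTSCAN detected [Priority: 2] {TCP} 198.51.100.7:4447 -> 10.0.0.5:80"),
    ("pix", "Dec 12 10:20:00 %PIX-6-302013: Built inbound TCP connection for outside:203.0.113.9/5555 to inside:10.0.0.8/443"),
    ("snort", "Dec 12 15:21:00 snort[42]: [1:200:1] ICMP PING [Priority: 3] {ICMP} 203.0.113.9:0 -> 10.0.0.8:0"),
]

PIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) %PIX-(?P<sev>\d)-\d+: "
    r"(?P<action>Deny|Built) .*?outside:(?P<src>[\d.]+)/\d+ .*?inside:(?P<dst>[\d.]+)/(?P<dport>\d+)")
SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) snort\[\d+\]: \[[\d:]+\] .*? "
    r"\[Priority: (?P<prio>\d)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")


@dataclass
class Event:
    ts: datetime        # always UTC after normalization
    source: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str         # deny / allow / alert
    severity: int       # syslog-style: 0 most severe .. 7 debug
    raw: str


@dataclass
class Alert:
    severity: int       # 1 = critical (seen by several sources), 2 = high
    src_ip: str
    count: int
    sources: List[str]
    first_seen: datetime
    last_seen: datetime


def to_utc(stamp: str, source: str) -> datetime:
    """Centralized time zone stamping: read the device-local timestamp in the
    source's configured zone and convert it to UTC so windows line up."""
    local = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=YEAR, tzinfo=SOURCE_TZ[source])
    return local.astimezone(timezone.utc)


def normalize(source: str, line: str) -> Optional[Event]:
    """Parse one raw line into the common schema; None if the line is not recognized."""
    if source == "pix" and (m := PIX_RE.match(line)):
        action = "deny" if m["action"] == "Deny" else "allow"
        return Event(to_utc(m["ts"], source), source, m["src"], m["dst"], int(m["dport"]),
                     action, int(m["sev"]), line)
    if source == "snort" and (m := SNORT_RE.match(line)):
        # Assumed mapping of Snort priority (1 = highest) onto syslog severity.
        return Event(to_utc(m["ts"], source), source, m["src"], m["dst"], int(m["dport"]),
                     "alert", int(m["prio"]) + 1, line)
    return None


# Global policy: drop informational and debug events (data reduction).
GLOBAL_POLICY: Callable[[Event], bool] = lambda e: e.severity <= 5
# Source-specific policies: assumed tuning per device type.
SOURCE_POLICY: Dict[str, Callable[[Event], bool]] = {
    "pix": lambda e: e.action == "deny",   # only denies are interesting from the firewall
    "snort": lambda e: e.severity <= 3,    # ignore low-priority Snort noise
}


def collect(lines) -> List[Event]:
    """eManager stage: parse, normalize and filter through global then source policy."""
    events = []
    for source, raw in lines:
        e = normalize(source, raw)
        if e and GLOBAL_POLICY(e) and SOURCE_POLICY.get(source, lambda _: True)(e):
            events.append(e)
    return events


def correlate(events: List[Event], window=timedelta(seconds=60), threshold=3) -> List[Alert]:
    """ACE stage: cluster events per source IP inside a sliding time window; a cluster
    reaching the threshold becomes an alert, critical if several device types saw it."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src_ip].append(e)
    alerts = []
    for ip, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start, best = 0, []
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            sources = sorted({e.source for e in best})
            alerts.append(Alert(1 if len(sources) > 1 else 2, ip, len(best), sources,
                                best[0].ts, best[-1].ts))
    # Critical alerts bubble to the top of the list, as on the Event Viewer.
    return sorted(alerts, key=lambda a: (a.severity, a.first_seen))


def run_pipeline(lines=SAMPLE_LINES) -> Tuple[List[Event], List[Alert]]:
    events = collect(lines)
    return events, correlate(events)


if __name__ == "__main__":
    evs, alerts = run_pipeline()
    print(f"{len(evs)} normalized events kept")
    for a in alerts:
        print(f"sev={a.severity} src={a.src_ip} events={a.count} sources={a.sources} "
              f"{a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S}Z")
```

On the constructed input the three PIX denies (logged in a UTC-5 zone) and the Snort alert (logged in UTC) fall within four seconds of each other once stamped in UTC, so they cluster into one critical alert, while the informational PIX line is dropped by the global policy and the low-priority Snort line by the Snort-specific policy. Without the centralized time zone stamping step the same four events would appear five hours apart and never correlate.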
Event Viewer
The 'Event Viewer' component of ThreatVision provides a real-time display of the alarms received from the ACE server. The operator console is Java-based and can be customized according to which attributes of an alarm the operator wants to display. The Event Viewer also provides a 'dashboard' that shows availability and activity reports on a single screen.