Event Correlation Software Blade

Overview
The Event Correlation Software Blade provides centralized, real-time security event correlation and management for Check Point security gateways and third-party devices. Automated aggregation and correlation of data not only substantially minimizes the time spent analyzing data but also isolates and prioritizes the real security threats.
With the Event Correlation Software Blade, security teams no longer need to comb through the massive amount of data generated by the devices in their environment. Instead, they can focus their resources on the threats that pose the greatest risk to their business.
Key Benefits
- Translates security events into action items
- Quickly identifies previously undetectable activity
- Reduces business risk by responding in real-time
- Prioritizes resources to address the most critical threats
- Easily installs and deploys for low TCO
- Generates increased value from current security investments
Features
Scalable, Distributed Architecture
The Event Correlation Software Blade delivers a flexible, scalable platform capable of managing millions of logs per day per correlation unit in large enterprise networks. Through its distributed architecture, the Event Correlation blade can be installed on a single server but has the flexibility to spread its processing load across multiple correlation units.
Centralized Event Correlation
The Event Correlation Software Blade provides centralized event correlation and management for all Check Point products, as well as third-party devices such as firewalls, routers, switches, operating systems, mail servers, Web servers, intrusion detection systems, and antivirus applications. Raw log data is collected over secure connections from Check Point and third-party devices by the Event Correlation Software Blade correlation units, where it is centrally aggregated, normalized, correlated, and analyzed. Third-party device logs can be easily converted into Check Point format by the patent-pending log parsing technology within the Event Correlation blade. Data reduction and correlation are performed at several layers, so only significant events are reported up the hierarchy for further analysis.
Log data that exceeds the parameters set in predefined event policies triggers security events. The Event Correlation blade provides a large number of predefined, but easily customizable, security events for quick deployment. Examples of such events are unauthorized scans targeting vulnerable hosts, unauthorized logins, denial of service attacks, network anomalies, and other host-based activity. IT security staff can also easily create their own events using a wizard, or by starting from a predefined event, to fine-tune the system to their particular needs.
Events are then further analyzed and severity levels assigned. Based on the severity level, an automatic action may be triggered at this point to stop the harmful activity immediately at the gateway. As new information flows in, severity levels can be adjusted to adapt to changing conditions.
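The pipeline the two paragraphs above describe (collect raw lines, normalize them into a common schema, correlate with a time window and threshold, apply exceptions, assign severity, trigger a reaction) is shown below as an added, self-contained example. It is not Check Point code and does not use Check Point's log format or APIs: the two log formats, the `Rule` structure, the thresholds, the addresses and the `blocked` list standing in for a gateway block reaction are all constructed for this illustration.

```python
# Added example, not Check Point's code: a miniature event-correlation pipeline.
# The firewall and sshd line formats, thresholds and addresses are constructed.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Event:
    """Normalized record shared by every parser (the 'common format' stage)."""
    ts: datetime
    product: str
    src: str
    dst: str
    dport: int
    action: str


# Hypothetical firewall syslog format: "<iso-ts> <host> fw: drop src=A dst=B dport=N"
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fw: (?P<action>accept|drop) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
# Hypothetical auth log format: "<iso-ts> <host> sshd: Failed password for U from A"
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for \S+ from (?P<src>\S+)$")


def parse(line: str) -> Optional[Event]:
    """Automatic source discovery: the first parser that matches names the product."""
    m = FW_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "firewall", m["src"], m["dst"],
                     int(m["dport"]), m["action"])
    m = AUTH_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), "sshd", m["src"], m["host"], 22, "login_failed")
    return None


@dataclass
class Rule:
    name: str
    match: Callable[[Event], bool]
    distinct: Optional[Callable[[Event], object]]  # None: count every matching event
    threshold: int
    window: timedelta
    severity: str


RULES = [
    # Scan: one source dropped on >= 5 distinct (host, port) pairs inside 60 s.
    Rule("port_scan", lambda e: e.product == "firewall" and e.action == "drop",
         lambda e: (e.dst, e.dport), 5, timedelta(seconds=60), "high"),
    # Brute force: >= 3 failed logins from one source inside 120 s.
    Rule("brute_force_login", lambda e: e.action == "login_failed", None, 3,
         timedelta(seconds=120), "medium"),
]

# Exceptions: (rule name or "*" for global, source address). 10.0.0.5 plays an
# authorized vulnerability scanner whose probes should not raise scan events.
EXCEPTIONS = {("port_scan", "10.0.0.5")}


def correlate(lines, rules=RULES, exceptions=EXCEPTIONS):
    parsed = [parse(l) for l in lines]
    events = sorted((e for e in parsed if e is not None), key=lambda e: e.ts)
    alerts, blocked = [], []
    for rule in rules:
        recent = defaultdict(list)  # src -> [(ts, distinct value)] within the window
        fired = set()               # aggregation: one event per (rule, source), not per log line
        for i, e in enumerate(events):
            if not rule.match(e) or e.src in fired:
                continue
            if (rule.name, e.src) in exceptions or ("*", e.src) in exceptions:
                continue
            bucket = recent[e.src]
            bucket.append((e.ts, rule.distinct(e) if rule.distinct else i))
            bucket[:] = [(t, v) for t, v in bucket if e.ts - t <= rule.window]  # slide the window
            if len({v for _, v in bucket}) >= rule.threshold:
                fired.add(e.src)
                alerts.append({"rule": rule.name, "severity": rule.severity, "src": e.src,
                               "count": len(bucket), "first": bucket[0][0], "last": e.ts})
                if rule.severity == "high":
                    blocked.append(e.src)  # stand-in for an automatic block reaction at the gateway
    return {"alerts": alerts, "blocked": blocked, "unparsed": parsed.count(None)}


# Constructed sample input: a scan, normal traffic, an excepted scanner, a brute-force run, noise.
SAMPLE_LINES = [
    f"2024-01-01T10:00:{s:02d} gw1 fw: drop src=198.51.100.7 dst=192.0.2.10 dport={p}"
    for s, p in zip((0, 5, 9, 14, 20), (21, 22, 23, 25, 80))
] + ["2024-01-01T10:01:00 gw1 fw: accept src=192.0.2.50 dst=192.0.2.10 dport=443"] + [
    f"2024-01-01T10:02:{s:02d} gw1 fw: drop src=10.0.0.5 dst=192.0.2.10 dport={p}"
    for s, p in zip((0, 1, 2, 3, 4), (21, 22, 23, 25, 80))
] + [
    "2024-01-01T10:05:00 srv1 sshd: Failed password for root from 203.0.113.9",
    "2024-01-01T10:05:30 srv1 sshd: Failed password for admin from 203.0.113.9",
    "2024-01-01T10:06:10 srv1 sshd: Failed password for root from 203.0.113.9",
    "this line matches no parser and is counted as unparsed",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LINES)["alerts"]:
        print(a)
```

Running the block yields two events from seventeen log lines: a high-severity `port_scan` from 198.51.100.7 (which lands in `blocked`) and a medium-severity `brute_force_login` from 203.0.113.9; the identical probes from the excepted scanner 10.0.0.5 produce nothing, and the unparseable line is only counted. The `fired` set is what turns a stream of matching lines into one reportable event, which is the data-reduction step the text refers to.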
Easy Deployment
The Event Correlation Software Blade interfaces with existing SmartCenter™ and Provider-1® log servers, eliminating the need to configure each device log server separately for log collection and analysis. All objects defined in SmartCenter or Provider-1 are automatically accessed and used by the Event Correlation blade server for event policy definition and enforcement. In addition, this tight integration enables the Event Correlation blade to automatically learn the network’s topology and detect correlated events that are sensitive to topological parameters.
Easy Maintenance
Once installed on the network, the Event Correlation Software Blade has a learning mode to baseline the normal activity pattern for a given site and suggest policy changes for fine-tuning the system. Easy-to-use event wizards provide users greater flexibility in customizing events to suit their particular environments. The ease of installation and maintenance enables customers to leverage existing IT/security staff.
Specifications
| Feature | Details |
|---|---|
| 3rd party device support* | Apache, BlueCoat, Cisco, Check Point, F5, Fortinet, ForeScout, Juniper, ISS, Linux, McAfee, Microsoft, NetContinuum, Nokia, Nortel, Sendmail, Snort, Sun, Symantec, Tipping Point, Top Layer, TrendMicro |
| Log data collected | Firewalls; routers; switches; operating systems; VPN devices; anti-virus applications; mail servers; Web servers; Intrusion Detection Systems (IDS); Intrusion Prevention Systems (IPS); SSL VPNs; endpoint firewalls |
| Automatic discovery of log source | Parser identifies the product that produced the event |
| Intelligent learning mode | Baselines activity to discover normal trends |
| Predefined security events | Scans, DoS, unauthorized entry, virus alerts, and host-based events, among others |
| Customizable security events | Filter by product, log fields, and conditions; single or multiple events; event output format; GUI representation |
| Global and event specific exceptions | Customize alerts to exclude events by: product, source, destination and service |
| Include time objects | Fine tune event policy |
| Dynamic updates | Updates for new parsing and event definitions |
| Log parsing editor | Converts 3rd party logs to Check Point format |
| Scalable distributed architecture | Log server, event correlation server, and event server can be deployed on separate systems |
| Automatic event database maintenance | Customizable |
| Log collection methods | Agentless: supports syslog, SNMP trap, and Check Point feeds. Agent-based: supports offline imports of Check Point logs (using the secure Check Point OPSEC ELA API) |
| Automatic reactions | Email, SMTP, OPSEC SAM API blocking, and custom scripts to mitigate risks |
| Events per second | 2,300 |
| Short term storage | 60 days by default |
| Long term storage | Yes, depending upon hardware |
| Risk mitigation | Monitor user activities, security event data, infrastructure data, server and host events, firewall configuration changes, automatic reaction status and system status |
| High Availability Features | |
| Network discovery | Object database is synchronized with the Management Blade |
| Network security management system integration | Supports monitoring product and system status via SNMP |
| Management and Multi-Domain Management Integration | |
| Role based administration | Synchronized with Management blades |
| Standardized reporting | Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA), Basel II, and Visa’s Cardholder Information Security Program (CISP). |
| Control frameworks supported | COBIT - Control Objectives for Information Technology; ISO 27002 (formerly ISO 17799) |
*See the product manuals for more information
Support
Threats to the network are constantly evolving and becoming more sophisticated. To maintain continuity and productivity, defenses must advance just as quickly, delivering the technology and features that protect the business. The Check Point Update service protects against emerging threats with critical hot fixes, service packs, and major software upgrades.
Benefits
- Ensures continuous security with access to critical hot fixes and service packs
- Maximizes ROI and investment with access to major upgrades and enhancements
- Increases security with the latest applications, features, and technologies
Next Steps
- Find a Partner
- Call US sales: 1-866-488-6691
- Contact Us Online
Resources
- Check Point Software Blade Architecture Brochure
- Software Blades Demo
- Software Blade Architecture White Paper
