AccelOps SIEM – Details


With an integrated and cross-correlated view into your network, devices, apps and user logs, AccelOps simplifies the collection of information that impacts your business.

With a powerful analytics engine, automated CMDB and event consolidation, smart anomaly detection, identity and location binding, and flexible data management, we redefine the next generation of SIEM.

Network Computing: Greg Shipley reviews AccelOps

Why AccelOps SIEM is Better

Compliance

Log Matters

Event log management and security information and event management (SIEM) are considered IT best practice and, for regulated industries, an audit compliance requisite.

The challenge is how to consistently aggregate, decipher and normalize non-standard log formats; manage massive volumes of event log data for real-time and historic analysis; correlate and consolidate complex event log data to yield actionable intelligence; and maximize event log value to support IT service reliability.

Some equate log management to log aggregation, display, and storage – a simple approach that fails to address these complex challenges. Most SIEM products offer basic event consolidation, simple correlation rules, limited real-time analysis, poor reporting and investigation flexibility, and no identity or infrastructure context. Many still require special collectors, add-on modules, additional systems and significant expertise.

AccelOps’ founders and core team developed one of the industry’s most successful security event management solutions. We are again changing the playing field with our all-in-one, scalable datacenter and IT service management solution. See how AccelOps leverages network performance, applications, change management, identity, location, virtualization, and other intelligence to take SIEM to the next level.

AccelOps SIEM 2.0 – Robust Log Management and Beyond

AccelOps delivers a robust, scalable log management solution offering:

  • Mainstream device support
  • Event source monitoring
  • Event log and network flow data consolidation
  • Comprehensive, extensible analytics
  • Network, virtualization, and application intelligence
  • Identity and location intelligence
  • Configuration and configuration change monitoring
  • In-depth database security, availability and anomalous activity monitoring
  • Powerful, layer 7 rules engine
  • Real-time and historical cross-correlation
  • Prioritized, valid security incidents with correlated and raw details
  • Dynamic dashboards, topology maps and notification
  • Real-time and long-term search with web-like query and iterative filtering
  • Directory service integrated and custom asset and user grouping
  • Compliance and standards-based reports
  • Optimized event repository
  • Event log data integrity secured by HMAC
  • Unlimited online data retention
  • As-needed performance and coverage capacity
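The "event log data integrity secured by HMAC" item above refers, in general terms, to authenticating each stored record with a keyed hash so that later modification of the archive is detectable. The following Python is an added illustration written for this page; it is not AccelOps code and does not describe its storage format. It assumes a constructed key and constructed records, and it chains each tag to the previous one so that editing, deleting or reordering earlier records breaks verification.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment keeps the key in a secret store or
# HSM, separate from the log storage, so a log tamperer cannot re-sign records.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample events (not real data).
SAMPLE_RECORDS = [
    {"ts": 1001, "src": "10.0.0.5", "user": "alice", "event": "logon", "status": "failed"},
    {"ts": 1002, "src": "10.0.0.5", "user": "alice", "event": "logon", "status": "failed"},
    {"ts": 1003, "src": "10.0.0.5", "user": "alice", "event": "logon", "status": "success"},
    {"ts": 1004, "src": "10.0.0.9", "user": "bob", "event": "config_change", "status": "ok"},
]

CHAIN_ANCHOR = b"\x00" * 32  # the "previous tag" before the first record


def canonical(record):
    """Serialise a record deterministically so the HMAC input is stable."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_log(records, key=DEMO_KEY):
    """Return [(record, tag_hex)]; each tag covers the record AND the previous tag."""
    sealed, prev = [], CHAIN_ANCHOR
    for rec in records:
        tag = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        sealed.append((rec, tag.hex()))
        prev = tag
    return sealed


def verify_log(sealed, key=DEMO_KEY):
    """Return (True, None) if the chain verifies, else (False, index of first bad entry)."""
    prev = CHAIN_ANCHOR
    for i, (rec, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return False, i
        prev = expected
    return True, None


def tamper_demo():
    """Show what the chain catches: an edited field and a deleted entry."""
    sealed = seal_log(SAMPLE_RECORDS)
    edited = [(dict(r), t) for r, t in sealed]
    edited[1][0]["status"] = "success"   # a failed logon rewritten after the fact
    deleted = sealed[:1] + sealed[2:]     # entry 1 removed from the archive
    return {
        "intact": verify_log(sealed),
        "edited": verify_log(edited),
        "deleted": verify_log(deleted),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner should keep in mind: a chain like this does not by itself detect truncation at the tail (dropping the newest records), so the latest tag needs to be anchored somewhere the log writer cannot rewrite, for example a periodically exported checkpoint; and the HMAC key must never be readable from the host that stores the logs, otherwise the records can simply be re-sealed after editing.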

Collect, Parse, Correlate from anywhere

Supporting multi-vendor device sources and advanced parsing technology, AccelOps can collect, parse, correlate and store logs from virtually all IT infrastructure sources. The solution automatically interprets the device type and how to process the event logs as they are received.

  • Network activity logs from Firewalls, Routers, Switches, VPN Gateways, Wireless LAN, Web/Mail Security Gateways, and Network IPS
  • Network resource utilization and anomaly detection from network flow data
  • Server operating system activity logs from Windows, Unix, Linux and virtual machines
  • Network infrastructure application logs from domain controllers, authentication servers, DNS and DHCP servers, and vulnerability management servers
  • User application logs from web, application, and database servers

The parser intelligently categorizes the source of each log into device groups such as Firewalls, Routers/Switches, Wireless LAN Controllers, Printers, etc. It also groups servers into categories such as Windows, Unix, VMware, and storage devices.


Automatic Discovery

AccelOps automatically discovers your network infrastructure and its resources using intelligent scanning methods. It supports a smart scan method, which iteratively learns only about the live devices in your network. Since only live devices are traversed, it is much faster than other traditional methods of network discovery.

It also supports a range scan method where each machine in the range is first pinged and then an attempt is made to do full discovery using the given credentials. Once the capabilities of the devices are known, the performance metrics which can be fetched from those devices are automatically determined.


Multi-Faceted Data Collection

AccelOps supports virtually all agent-less and agent-based data collection methods to collect logs from a variety of devices and applications including:

  • SNMP
  • Syslog
  • Windows Management Instrumentation (WMI)
  • Microsoft RPC
  • Cisco SDEE
  • Checkpoint LEA
  • JDBC
  • VMWare VI-SDK
  • JMX
  • Telnet
  • SSH
  • NetFlow
  • HTTPS
  • IMAP
  • IMAP over SSL
  • POP3

Powerful Analytics for Real-time Correlation and Alerting


AccelOps can detect network services and profile network traffic from network flows and firewall logs. An advanced analytics engine detects complex patterns in data over a rolling time window, including combined patterns of network, system, application and user activity. The built-in analytics engine can be easily extended using XML-based definitions.

AccelOps contains more than 200 built-in rule classes which cover scenarios such as:

  • Host scans, port scans, fixed-port host scans, denied scans and other traffic anomalies from firewall and netflow logs
  • Network device and server logon anomalies
  • Network access anomalies from VPN, domain controller and wireless logons
  • Web server and database access anomalies
  • Rogue workstations, PDAs, WLAN APs etc. from DHCP logs
  • Account lockouts, password scans and unusual failed logon patterns
  • Botnets, mail viruses, worms, DDoS and other zero-day malware from DNS, DHCP, web proxy logs and flow traffic

The analytics engine patterns are comprehensive and allow for complete Boolean operators and nested sub-pattern rules:

  • Sub-patterns connected in the time dimension by operators such as AND, OR, FOLLOWED_BY, AND_NOT, NOT_FOLLOWED_BY
  • Each sub-pattern can apply condition operators such as =, !=, BETWEEN, IN, NOT IN, IS, IS NOT, etc.
  • Each sub-pattern can filter and apply aggregation operators such as AVG, MAX, MIN, COUNT, and COUNT DISTINCT
  • The thresholds can be static or statistically derived from automatically profiled data
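To make the four bullets above concrete, here is an added Python example, written for this page rather than taken from AccelOps, of how such a rule engine can be structured: sub-patterns that apply condition operators to event fields, group matching events by a key and aggregate them over a rolling window (COUNT, COUNT DISTINCT, AVG, MAX), a FOLLOWED_BY operator joining two sub-patterns in the time dimension, and a threshold derived statistically from profiled baseline data. The rule, the baseline, the event format and the sample events are all constructed for the example; only FOLLOWED_BY is implemented, and the other temporal operators would follow the same pending-key approach.

```python
import statistics
from collections import defaultdict, deque

# Condition operators a sub-pattern may apply to an event field.
OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "IN": lambda a, b: a in b,
    "NOT IN": lambda a, b: a not in b,
    "BETWEEN": lambda a, b: b[0] <= a <= b[1],
}


def statistical_threshold(baseline, k=3.0):
    """Threshold derived from profiled data: mean + k population std devs."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


class SubPattern:
    """Filter events, group them by a key field, aggregate over a rolling window."""

    def __init__(self, name, conditions, group_by, window, threshold,
                 agg="COUNT", agg_field=None):
        self.name, self.conditions, self.group_by = name, conditions, group_by
        self.window, self.threshold = window, threshold
        self.agg, self.agg_field = agg, agg_field
        self.buckets = defaultdict(deque)  # group key -> deque of (ts, event)

    def matches(self, ev):
        return all(OPS[op](ev.get(field), val) for field, op, val in self.conditions)

    def aggregate(self, q):
        if self.agg == "COUNT":
            return len(q)
        if self.agg == "COUNT DISTINCT":
            return len({e[self.agg_field] for _, e in q})
        if self.agg == "MAX":
            return max(e[self.agg_field] for _, e in q)
        if self.agg == "AVG":
            return statistics.mean(e[self.agg_field] for _, e in q)
        raise ValueError(f"unsupported aggregation {self.agg}")

    def feed(self, ev):
        """Return the group key if the aggregate meets the threshold after ev, else None."""
        if not self.matches(ev):
            return None
        key = ev[self.group_by]
        q = self.buckets[key]
        q.append((ev["ts"], ev))
        while q and q[0][0] < ev["ts"] - self.window:  # expire events outside the window
            q.popleft()
        return key if self.aggregate(q) >= self.threshold else None


class FollowedBy:
    """A FOLLOWED_BY B: B must trigger for the same key within `within` seconds of A."""

    def __init__(self, name, a, b, within):
        self.name, self.a, self.b, self.within = name, a, b, within
        self.pending = {}  # group key -> ts at which A last triggered

    def feed(self, ev):
        key_a = self.a.feed(ev)
        if key_a is not None:
            self.pending[key_a] = ev["ts"]
        key_b = self.b.feed(ev)
        if key_b in self.pending and ev["ts"] - self.pending[key_b] <= self.within:
            del self.pending[key_b]
            return {"rule": self.name, "key": key_b, "ts": ev["ts"]}
        return None


# Constructed baseline: failed logons per source per minute during normal operation.
BASELINE_FAILED_PER_MINUTE = [1, 0, 2, 1, 0, 1, 2, 1]


def ev(ts, src, user, status):
    return {"ts": ts, "type": "logon", "src": src, "user": user, "status": status}


# Constructed sample events (ts in seconds); not real data.
SAMPLE_EVENTS = [
    ev(100, "10.0.0.5", "alice", "failed"), ev(105, "10.0.0.9", "bob", "failed"),
    ev(110, "10.0.0.5", "alice", "failed"), ev(120, "10.0.0.5", "root", "failed"),
    ev(130, "10.0.0.5", "admin", "failed"), ev(150, "10.0.0.5", "admin", "success"),
    ev(200, "10.0.0.9", "bob", "failed"), ev(210, "10.0.0.9", "bob", "success"),
    ev(500, "10.0.0.7", "carol", "failed"), ev(510, "10.0.0.7", "carol", "failed"),
    ev(520, "10.0.0.7", "carol", "failed"), ev(530, "10.0.0.7", "carol", "failed"),
    ev(700, "10.0.0.7", "carol", "success"),  # too late: outside the 120 s FOLLOWED_BY window
]


def build_rule():
    """Hypothetical rule: a burst of failed logons FOLLOWED_BY a success from the same source."""
    failed_burst = SubPattern(
        "failed_burst", [("type", "=", "logon"), ("status", "=", "failed")],
        group_by="src", window=60,
        threshold=statistical_threshold(BASELINE_FAILED_PER_MINUTE),  # ~3.12 for this baseline
    )
    success = SubPattern(
        "success", [("type", "=", "logon"), ("status", "=", "success")],
        group_by="src", window=1, threshold=1,
    )
    return FollowedBy("failed_burst_then_success", failed_burst, success, within=120)


def detect(events=SAMPLE_EVENTS):
    """Run the rule over time-ordered events and return the incidents it raises."""
    rule = build_rule()
    return [inc for inc in (rule.feed(e) for e in sorted(events, key=lambda e: e["ts"])) if inc]
```

With the constructed data only 10.0.0.5 raises an incident: four failures inside a 60 s window exceed the profiled threshold, and the success arrives 20 s later. 10.0.0.9 never reaches the threshold, and 10.0.0.7 does but its success falls outside the 120 s FOLLOWED_BY window, which is the kind of negative case worth keeping in a rule's test set so that widening a window does not silently change what fires.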

Customizable Dashboards

The built-in summary dashboards provide a consolidated overview of performance, availability, and security status for all devices and applications which belong to a specific functional group or business service.

Using a fast update mechanism and the Adobe Flex interface, AccelOps screens refresh quickly and automatically to provide immediate insight into the current health of network devices, servers, applications, and services. Health is presented in three simple grades: normal, warning, and critical. You can conveniently drill down and obtain the details for each metric along with trends, to proactively manage issues and respond to problems or threats before they become critical. You can further tune health parameters according to the criticality of the device.

AccelOps also features fully customizable dashboards across availability, performance, change and security dimensions including TopN information on various metrics along with the system itself.

The solution contains more than 400 customizable widgets that can be dragged and dropped into any dashboard. Each widget can be further customized to provide aggregate, trending, or tabular views. You can adjust the layout by selecting from several options and choose from charting displays such as time series trending, pie, column, or sparkline charts.

The fast auto-refresh mechanism allows the near real-time update of the dashboard data to provide a current view into infrastructure issues and threats as they occur. You can quickly obtain additional context within dashboard object health status by instantly running a query or drilling down into specific incidents.


Instant Drill Down

One-click, recursive drill-down can be performed on any column, making it easy to refine search criteria and expediting root-cause analysis with less room for error. The quick-info view provides detailed information about an IP address, MAC address or user; in addition to the inventory data, it shows the health summary of the server without leaving the current context.

You can select multiple rows of interesting information, using checkbox selections, to view within the same trend view, which helps pinpoint anomalies in network behavior in a matter of seconds.