
The Top 8 Criteria for Evaluating SIEM Vendor Event Correlation Capabilities

What to Look for in a SIEM Tool for Best Results

The heart of any Security Information and Event Management solution is the correlation engine. Without it, the product does little more than log management, but with it, the product can become a powerful network security tool and a unique network defense technology.

Consider these critical factors when evaluating products that claim to offer event correlation capabilities:

1. Real-Time Log and Event Analysis

Is the data evaluated in real time, or will you be waiting for polled data that's guaranteed to be at least 10 or 15 minutes behind?

You can't correlate what you can't see, so it's important to know if the event stream is real-time.

TriGeo captures real-time event streams from network devices and utilizes its proprietary agent technology to capture host-based events in real time.

2. Memory or Database Correlation

Does the correlation engine process events in memory or query a database?

The distinction is critical if the goal is real-time event analysis versus forensic analysis.

TriGeo is completely based on an in-memory pool capable of correlating millions of events without the performance bottleneck associated with database insertion and query speeds.

3. Multiple-Event Correlation

Can the correlation system detect and associate anomalous behavior based on multiple events?

Systems designed to identify the occurrence of a single event, even with time and frequency constraints, simply can't identify today's blended threats.

TriGeo has comprehensive support for multiple-event correlation, including the unique ability to set independent thresholds of activity per event or group of events. This is precisely what's needed when the correlated activity is dramatically different, such as the number of user logon failures and denied-traffic counts.

4. Non-Linear Correlation

Does the correlation rely on traditional sequential event evaluation?

With today's blended or multi-faceted attacks, there's no guarantee what order events might appear in. Couple this reality with typical deviations in equipment time stamps, and you quickly realize that linear event correlation is extremely limited.

TriGeo employs a patent-pending technology that maps events in memory and applies a completely non-linear, multi-vector correlation algorithm. This greatly reduces the number of rules needed because it's no longer necessary to build distinct rules for every possible combination of events.

5. Field-Level Comparison

Does the product provide a rich set of discrete fields that can be used in the correlation?

The event collection and normalization process often strips critical details that are needed for effective correlation, or that detail is not available in the product's rule editor.

TriGeo captures an extensive array of field-level data, and makes all of it easily accessible via our graphical rule builder. TriGeo then combines this data with user-defined groups and variables (see Environmental Awareness), enabling very detailed rules that minimize false positives and focus your attention where and when it's needed.

6. Environmental Awareness

Can the correlation rule factor in details about the organization, such as critical assets, applications, time of day or day of week?

It's vital that rules be tuned to address the specific business environment, standard processes and IT objectives.

TriGeo SIM employs several techniques to minimize the noise and maximize the value. These include user-defined groups that can identify critical assets and be easily integrated into rules, as well as time sensitivity. For example, rules can be built to operate inside or outside defined business hours, or activity on a server can be monitored with regard to a defined maintenance or reboot window.
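Criteria 3, 4 and 6 above (independent per-event-type thresholds, evaluation that does not depend on event order, and environmental context such as critical-asset groups and business hours) sketched as one in-memory correlation rule run over a constructed event feed. This is an added illustration, not TriGeo's code or algorithm; the event field names, addresses, thresholds and business-hours values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Environmental context (criterion 6): constructed sample values, not real assets.
CRITICAL_ASSETS = {"10.0.1.10"}   # user-defined group of critical hosts
BUSINESS_HOURS = (8, 18)          # 08:00 to 18:00 local time
# One rule: independent per-event-type thresholds (criterion 3), order-independent
# evaluation (criterion 4), critical assets outside business hours only (criterion 6).
RULE = {
    "name": "logon failures plus denied traffic, critical asset, after hours",
    "window": timedelta(minutes=5),
    "thresholds": {"logon_failure": 3, "denied_traffic": 10},
    "require_critical_dst": True,
    "outside_business_hours": True,
}

def correlate(events, rule):
    """Return one alert per source address whose events meet every threshold."""
    buckets = defaultdict(list)   # in-memory pool keyed by source; no database query
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if rule["require_critical_dst"] and ev["dst"] not in CRITICAL_ASSETS:
            continue
        if rule["outside_business_hours"] and BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            continue
        buckets[ev["src"]].append((ts, ev["type"]))
    alerts = []
    for src, items in buckets.items():
        items.sort()   # time order only bounds the window; which type came first is irrelevant
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)
            for ts, etype in items[i:]:
                if ts - start > rule["window"]:
                    break
                counts[etype] += 1
            if all(counts[t] >= n for t, n in rule["thresholds"].items()):
                alerts.append({"rule": rule["name"], "src": src, "counts": dict(counts)})
                break
    return alerts

def sample_events(hour=2):
    """Constructed feed: 12 denied packets interleaved with 4 logon failures per source."""
    base = datetime(2011, 3, 2, hour, 10)
    evs = []
    for src, dst in (("10.0.5.23", "10.0.1.10"), ("10.0.5.99", "10.0.2.50")):
        for i in range(12):
            t = base + timedelta(seconds=10 * i)
            evs.append({"ts": t.isoformat(), "type": "denied_traffic", "src": src, "dst": dst})
            if i < 4:
                evs.append({"ts": (t + timedelta(seconds=5)).isoformat(), "type": "logon_failure", "src": src, "dst": dst})
    return evs
```

Only the source hitting the critical host at 02:10 raises an alert; the identical pattern against a non-critical host, or the same feed shifted into business hours (`sample_events(hour=10)`), produces nothing.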

7. Correlation Rule Builder

Can you build a rule?

This is critically important. Most products employ rule "editors" that were clearly designed by programmers, for programmers. Even when "wizards" are used, it takes five steps to accomplish even the most basic tasks.

TriGeo's simple, yet powerful, rule builder employs an intuitive graphical interface using common "drag and drop" techniques that can be mastered in minutes. The correlation rule builder is deceptively simple: you'll be surprised when you construct the most complex and powerful correlations in the market with just one simple-to-use tool.

8. Active Response

What happens when the rule fires?

An integral component of the correlation is the action that can be taken when the modeled behavior is identified. While most products provide various notification options, such as email or pager, few go further without requiring a human to confirm or activate any pre-programmed responses.

TriGeo is unique in its approach to active response or automated remediation. It ships with the largest arsenal of actions that can be linked directly to correlations. Only TriGeo communicates directly with both network infrastructure devices and host operating systems, providing network defense coverage from the perimeter to the endpoint.
