
OPSEC Partners

SenSage, Inc.

Product Version Certified: SenSage Enterprise Security Analytics
Certified for use with: NGX with Application Intelligence

Product Description: SenSage Enterprise Security Analytics combines enterprise-class software with regulatory and security proficiency to provide organizations the most cost-effective means of collecting, analyzing and storing massive amounts of event data, regardless of type or number of data sources to be monitored. This translates to reliable security investigations, forensics and field-proven regulatory compliance.

Company Description: The leading provider of enterprise security analytics, SenSage offers unparalleled performance and a highly scalable means for organizations to centrally aggregate, efficiently analyze, dynamically monitor, and cost-effectively store massive volumes of event log data. By solving the compliance data management dilemma, SenSage enables companies to readily respond to business-critical threats, conduct thorough and precise investigations, and maintain compliant operations. Founded in 2000 and based in San Francisco, California, SenSage bridges the gap between dynamic threat notification and comprehensive long-term, broad source log analysis. In this way, SenSage empowers companies to achieve their security, compliance, and investigation objectives.
Key Features and Benefits

SenSage Enterprise Security Analytics addresses data management issues by delivering unparalleled performance, retention and virtually limitless scalability. SenSage has teamed a purpose-built, clustered repository with parallel processing data collection and analysis. The solution supports a broad range of event log sources and out-of-the-box reports and rules which accelerate a customer's time-to-value. SenSage gives IT professionals a much more comprehensive view into their security operations - allowing them to better respond to threats and violations, and conduct investigations with greater precision and productivity.

Key SenSage enterprise-class attributes include:

  • Broad event log source support
  • Optimized storage and online retention
  • Extensive, long-term analytics
  • Intelligent correlation mapping
  • Dynamic compliance monitoring
  • High-speed, precision query and reporting
  • Clustered, linear scalability

SenSage supports appliance-like deployment and configuration. It can be placed on one system, or distributed across multiple systems for scalable performance, high availability and distributed data collection and analysis. The system operates on an inexpensive, off-the-shelf, Red Hat or SUSE Linux platform. Specifically, the SenSage solution consists of the following integrated modules:

SenSage Collector

  • captures batch and streaming real-time log events from a variety of log sources and protocols
  • forwards streaming events to the Scalable Alert Server for correlation and processing and to the Scalable Log Server for historical analysis and retention

Scalable Alert Server (SAS)

  • receives the parsed streaming event log data and performs real-time event correlation
  • generates alerts based on pre-defined correlation rules

Scalable Log Server (SLS)

  • Centralized, clustered analytics repository manages data storage and user access provisioning.

SenSage Analyzer

  • issues immediate and scheduled queries against the SLS
  • provides GUI access to reports, real-time and batch alerts, user, asset and system administration

SenSage Analytics Packages

  • pre-defined rules and reports mapped to common security monitoring guidelines and compliance standards

OPSEC Integration

SenSage's LEA receiver collects streaming data from Check Point FW1 and Check Point VPN1 devices via the OPSEC LEA protocol. This streaming data is analyzed in real-time against a pre-defined set of correlation rules. SenSage's Scalable Alert Server matches those events against correlation logic, and automatically sends alerts to security engineers for immediate response and threat mitigation. Additionally, the raw data is sent to SenSage's clustered repository - the Scalable Log Server - for historical analysis and long-term cross correlation for investigation and compliance purposes. Two copies of each event are stored for high availability and to optimize the processing of queries.

Additionally, SenSage customers have the option of collecting Check Point event data using the Check Point command line utility "fw export". The data is collected via batch protocols during off-peak hours, to facilitate operational requirements. This data is sent directly to SenSage's Scalable Log Server (SLS) and is immediately available for analysis using SenSage's out-of-the-box compliance and investigation reports.
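The two ingestion paths described above (streaming events matched against correlation rules for alerting, and every raw event retained in two copies for availability and query fan-out) as an added example; this is not SenSage's or Check Point's code. It parses a constructed batch export in a semicolon-delimited, header-first layout, applies one correlation rule, and keeps each raw event in two replicas. The record layout, field names, the 3-drops-in-60-seconds rule and the DualStore class are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the delimited layout and field names are assumptions.
SAMPLE_EXPORT = """num;date;time;orig;action;src;dst;service;rule
1;3Jan2007;10:00:01;fw-gw1;drop;10.1.1.5;192.168.0.10;ssh;7
2;3Jan2007;10:00:05;fw-gw1;drop;10.1.1.5;192.168.0.11;ssh;7
3;3Jan2007;10:00:09;fw-gw1;accept;10.1.1.9;192.168.0.10;http;3
4;3Jan2007;10:00:12;fw-gw1;drop;10.1.1.5;192.168.0.12;ssh;7
5;3Jan2007;10:30:00;fw-gw1;drop;10.1.1.5;192.168.0.13;ssh;7
"""

def parse_export(text):
    """Turn a header-first, ';'-delimited export into dicts with a parsed timestamp."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split(";")
    events = []
    for line in lines[1:]:
        ev = dict(zip(header, line.split(";")))
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%d%b%Y %H:%M:%S")
        events.append(ev)
    return events

def correlate_drops(events, threshold=3, window=timedelta(seconds=60)):
    """Hypothetical rule: >= threshold 'drop' events from one source within a sliding window."""
    by_src, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "drop":
            continue
        q = by_src[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.append({"src": ev["src"], "count": len(q), "at": ev["ts"]})
            q.clear()                            # one alert per burst, not one per extra event
    return alerts

class DualStore:
    """Hypothetical repository keeping two independent copies of every raw event."""
    def __init__(self):
        self.replicas = ([], [])
    def append(self, ev):
        for r in self.replicas:
            r.append(dict(ev))
    def query(self, **match):
        src = self.replicas[0] or self.replicas[1]   # fall back to the second copy if the first is empty
        return [e for e in src if all(e.get(k) == v for k, v in match.items())]

def ingest(text):
    """Batch path: parse, retain every raw event twice, and run the correlation rule."""
    events = parse_export(text)
    store = DualStore()
    for ev in events:
        store.append(ev)
    return store, correlate_drops(events)
```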

SenSage reports give security professionals insight into key events affecting all aspects of the enterprise. These pre-defined reports provide correlation across disparate data types and are mapped to specific compliance and investigation objectives, truly leveraging Check Point awareness into business-critical threats. In addition, SenSage customers can easily create ad-hoc queries to mine event data for user-defined parameters or keyword searches. Due to SenSage's optimized data repository and parallel-processing infrastructure, report results are delivered in minutes, regardless of data volume or complexity of query.

Additional Information

The Event Analysis & Retention Dilemma [PDF]