Security event management, no strings attached

By Joel Snyder
Information Security, August 4, 2006

Original Article on Network World Web Site

Eventia Analyzer 2.0, Eventia Reporter
Firewall managers have long drowned in security logs, ignoring or disabling them because of the lack of good analysis tools. Security event management (SEM) products address this by receiving raw log data and pulling out the interesting, useful information.

Check Point's Eventia Analyzer is a vendor-agnostic tool for receiving firewall, Unix and Windows OS logs, and then analyzing them and creating alerts and reports that identify the most critical security events on your network.

Eventia's support is strongest for Check Point security products--all are included and contain built-in business intelligence rules for almost everything a Check Point product could log, ranging from system integrity measures, such as high CPU usage, to traditional security events, such as forged packets.

Nonetheless, the SEM market demands multivendor support, and Check Point has done a good job of adding support for some of the biggest names in security, including Cisco Systems and Juniper Networks' NetScreen firewalls, Internet Security Systems, McAfee and Snort, as well as several virus scanners, Windows event logs and common Unix logs.

Check Point has documentation on adding your own devices to Eventia by writing log parsers, but this is not something that the company encourages or makes easy. If your security products aren't covered by Eventia out of the box, you may want to look elsewhere.

SEMs' secret sauce is their capability to take logs and provide correlation and analysis to generate actionable or interesting events. That company-specific capability is called business intelligence.

Eventia has a fairly limited set of business intelligence options. Events can be triggered by a single or set of log entries within a time frame (such as five events in 300 seconds). Eventia's business intelligence rule capabilities are adequate, but aren't up to the level of similar products.

Eventia's integration with the Check Point management framework brings some elegance to the work of building business intelligence rules that makes this a good add-on for existing Check Point customers. For example, you can use network and subnet definitions from your Check Point firewalls in Eventia rules--a slick feature that reduces error, lets you modify definitions in one place and allows them to propagate automatically.
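The two rule features described above, a threshold over a time window ("five events in 300 seconds") and reuse of the firewall's own network definitions inside the rule, can be shown with a small sliding-window correlator. This is an added illustration, not Check Point's code and not Eventia's rule language: the log format, the network object names (`dmz`, `corp_lan`) and the sample entries are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed network objects, standing in for the subnet definitions a firewall
# policy already carries; the names are hypothetical.
NETWORKS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "corp_lan": ipaddress.ip_network("10.10.0.0/16"),
}

# Constructed sample log in a made-up "timestamp action src dst" layout.
SAMPLE_LOG = """\
2006-08-04T10:00:00 drop 198.51.100.7 192.0.2.10
2006-08-04T10:00:30 drop 198.51.100.7 192.0.2.11
2006-08-04T10:01:10 drop 198.51.100.7 192.0.2.12
2006-08-04T10:02:00 accept 10.10.5.5 192.0.2.10
2006-08-04T10:03:00 drop 198.51.100.7 192.0.2.13
2006-08-04T10:04:50 drop 198.51.100.7 192.0.2.14
2006-08-04T10:20:00 drop 198.51.100.7 192.0.2.15
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, action, src, dst = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "action": action,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
    }


def correlate(lines, threshold=5, window=timedelta(seconds=300),
              action="drop", dst_net="dmz"):
    """Emit one event per source that produces `threshold` matching log
    entries inside `window`; the destination filter is a named network
    object rather than a hard-coded address range."""
    net = NETWORKS[dst_net]
    recent = defaultdict(deque)   # per-source entries still inside the window
    events = []
    for raw in lines.strip().splitlines():
        entry = parse_line(raw)
        if entry["action"] != action or entry["dst"] not in net:
            continue
        q = recent[entry["src"]]
        q.append(entry)
        # Drop entries that fell out of the window relative to this entry.
        while q and entry["time"] - q[0]["time"] > window:
            q.popleft()
        if len(q) >= threshold:
            events.append({
                "src": str(entry["src"]),
                "count": len(q),
                "first": q[0]["time"],
                "last": entry["time"],
                "evidence": list(q),   # the raw entries behind the event
            })
            q.clear()   # one burst yields one event, not one per extra line
    return events


if __name__ == "__main__":
    for ev in correlate(SAMPLE_LOG):
        print(f"{ev['src']}: {ev['count']} drops between "
              f"{ev['first']:%H:%M:%S} and {ev['last']:%H:%M:%S}")
```

The `evidence` list is what makes the event traceable back to its source log entries, the forensic property the review values; and because the rule names `dmz` rather than `192.0.2.0/24`, a change to that object propagates into every rule that refers to it. Running the block as written reports a single event for `198.51.100.7` (five drops within 290 seconds); the seventh line, fifteen minutes later, starts a new window and does not trip the rule on its own.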

However, there are also obvious gaps, such as the requirement to refer to every device by vendor rather than by generic type (e.g., "all firewalls" or "all IDS sensors"), as most other SEMs allow.

Traditional Check Point strengths in management and data display are carried over to Eventia. With automated reporting and a fast and flexible GUI based on Check Point's outstanding management client, Eventia is intuitive and easy to use whether you're configuring policy, researching events or generating reports.

Basic reporting is solid with the addition of Eventia Reporter, but it's with its forensics capabilities that Eventia Analyzer really excels. Each event is easy to track back to specific log entries, and a separate log browsing tool with filtering capabilities makes searching logs for other relevant information speedy and easy.

Anyone using Check Point security products should seriously consider Eventia as a well-integrated SEM to help build knowledge and sift down through the mountain of logs.