Architecture

CNAM maintains regulatory compliance for its customers by implementing a distributed data mine that qualifies event information in real time and groups it with relevant security feeds originating from other locations within an enterprise domain. The umbrella network enables CNAM customers to retain all event log information within the bounds of the customer's network perimeter. Distributing the processing load also enables CNAM to report events in real time and reduces the bandwidth required for log transfer.

Serving a distributed security architecture

Each deployment of CNAM requires a Network Aggregator (NAG) that locally collects, translates and normalizes log information from a varied list of event sources to build the information log repository. This information is then continuously processed to extract active attacker data and real-time intelligence statistics. A distributed correlation engine feeding from the common intelligence base identifies attackers and escalates events of interest based on the custom escalation matrix.

Real-time attack information received from multiple networks distributed across multiple sites and organizations is presented to the user in summarized form with precise action options, reducing the need for skilled operators on a round-the-clock shift. CNAM substantially reduces the need for distributed skill centers within an organization and centralizes the decision-making process, reducing it to the implementation of prompted actions for a given incident.

Network setup and event data flow

The CNAM network is distributed across the globe, with installations of its intelligence bases scattered across geographies. Each intelligence base is an independent repository of attack summaries derived from connected customer networks and global threat perspectives. Individual customer sites are connected to the nearest CNAM intelligence base via an SSL-encrypted tunnel or over a private leased circuit. This interconnected network exchanges real-time attack summaries, correlates events across customer networks and presents the information to partner Security Operations Centers (SOCs).

CNAM Umbrella Network

Log storage and compliance

The CNAM system is uniquely designed and built for the purpose of delivering real-time attacker detection while at the same time meeting organizational compliance requirements. Conventional event correlation engines require all data to be transferred from branch offices (distributed sites) to a central event processing center in order to execute the event correlation process, whereas CNAM provides the following benefits:

  • Minimal usage of bandwidth: conventional products need sizable amounts of bandwidth to transfer logs to the central event processing center
  • Limited event aggregation: data is stored on the remote site, so information loss due to compression and aggregation is avoided
  • Real-time response: the architecture avoids delays caused by large log repository transfers over remote links and by the fail-safe queuing methods needed to account for link failures
  • Facilitates audit requirements: most organizational policies disallow event log information from being transmitted to a third-party service provider
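The local-aggregation pattern described above (normalize varied sources on-site, retain the full event repository locally, escalate through a matrix and forward only a compact summary), as an added example that is not CNAM's code. The two log formats, the escalation thresholds and the sample lines are constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed sample lines from two hypothetical on-site sources (firewall, sshd).
RAW_LOGS = [
    "Mar 01 10:00:01 fw1 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "Mar 01 10:00:02 fw1 DENY src=203.0.113.5 dst=10.0.0.8 dport=23",
    "Mar 01 10:00:03 fw1 DENY src=203.0.113.5 dst=10.0.0.8 dport=445",
    "2024-03-01T10:00:04Z,sshd,auth_fail,user=root,rhost=203.0.113.5",
    "2024-03-01T10:00:05Z,sshd,auth_fail,user=admin,rhost=198.51.100.9",
    "Mar 01 10:00:06 fw1 ALLOW src=192.0.2.10 dst=10.0.0.8 dport=443",
    "kernel: unexpected message format",  # exercises the unparsed path
]

FW_RE = re.compile(r"^(?P<ts>\w+ \d+ [\d:]+) \S+ (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>\S+) \S+ dport=(?P<dport>\d+)$")

# Hypothetical escalation matrix: event type -> hits per source before escalation.
ESCALATION_MATRIX = {"fw_deny": 3, "ssh_auth_fail": 2}


def normalize(line):
    """Translate a raw line from either source into one common event schema."""
    m = FW_RE.match(line)
    if m:
        kind = "fw_deny" if m["action"] == "DENY" else "fw_allow"
        return {"ts": m["ts"], "type": kind, "src": m["src"], "detail": m["dport"]}
    fields = line.split(",")
    if len(fields) == 5 and fields[1] == "sshd":
        ts, _, event, user, rhost = fields
        return {"ts": ts, "type": "ssh_" + event,
                "src": rhost.split("=", 1)[1], "detail": user.split("=", 1)[1]}
    # Unknown format: keep the raw line locally, never silently drop it.
    return {"ts": "", "type": "unparsed", "src": "", "detail": line}


def aggregate(lines, matrix=ESCALATION_MATRIX):
    """Return (local repository, summary). Only the summary would leave the site."""
    repository = [normalize(line) for line in lines]  # full detail stays on-site
    per_source = Counter((e["type"], e["src"]) for e in repository if e["src"])
    escalate = sorted(src for (kind, src), n in per_source.items()
                      if n >= matrix.get(kind, float("inf")))
    summary = {"events": len(repository),
               "by_type": dict(Counter(e["type"] for e in repository)),
               "escalate": escalate}
    return repository, summary


def transfer_sizes(lines):
    """Bytes that would cross the link: shipping raw logs vs. the summary only."""
    raw_bytes = sum(len(line) + 1 for line in lines)
    summary_bytes = len(json.dumps(aggregate(lines)[1]))
    return raw_bytes, summary_bytes
```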

Resources

Benefits of using CNAM
A short write-up on the benefits of the CNAM Security Suite

Quick Intro to CNAM
Brief 4-slide introduction to CNAM

Effective Detection Strategies
Walks through most of the available options in the detection space.