Correlation
The CNAM Security Suite's correlation engine bridges multiple data sources and processes information across multiple levels in the enterprise network hierarchy. The correlation engine used by CNAM is extremely modular and has been used by customers to detect attacks as well as fraud on a real-time basis. CNAM brings with it a team of expert service providers and partners who manage complex correlation algorithms and continuously support customers in raising the standard of the organization's security.
CNAM's correlation engine provides the much-needed power to cross-correlate between raw logs and pre-processed information. This allows customers to correlate detected attackers and open source security feeds with real-time network-level activity, and to apply freely available information to the network as it happens.
Network aggregation and event prioritization
The CNAM Security Suite comes with an extensive event aggregation module that is deployed on the NAG in each client network. This event aggregation module compiles cross-platform information from multiple data sources such as servers, applications and firewalls, and normalizes the information into smaller blocks. This information is also translated and linked with external data sources such as CVE, CAPEC, CWE and CVSS to ensure compatibility with other common standard systems. CNAM supports most commonly deployed devices, and the service promises to integrate any non-compatible device within a week's time. All aggregated events are processed, prioritizing events that need immediate attention.

However, deviating from the common process, CNAM implements a non-linear correlation module that examines every conversation by processing transactions using network flow analysis tools. This is the key differentiator compared to other correlation engines, as it provides the added sensitivity for events that are below the least count of the correlation engine.
Correlating events across your enterprise
Handling incidents across multiple points of presence is a logistical issue. Most organizations that have to deal with a situation such as this prefer to maintain individual teams at each location that report to a central security manager. As most customers have realized, this is a manual process and is prone to failures in communication. Alternatively, SIEM tools provide the flexibility of maintaining a central security resource bench; however, this requires you to transfer all event log information into a central log processing repository for analysis. This transfer of events is a time- and bandwidth-consuming process that increases the overall operating cost of such an effort.
CNAM provides the flexibility of maintaining event log aggregation devices at each location, which are centrally connected to the closest CNAM point of presence. Events are processed locally at each location and are prioritized. These prioritized events and summaries are cross-processed across multiple locations of the enterprise network. Special correlation modules execute arbitrary checks on the raw event logs at the locations; this is typically done to minimize false positives and increase the overall accuracy of the intelligence thread available to each organization.
Benefits of CNAM's enterprise grade correlation
- Non-linear correlation allows customers to perform complex checks, combining raw as well as correlated information that is further merged into a prioritized and summarized data set
- Multi-level correlation provides the ability to correlate events within a device and also across multiple network zones
- Inter-location correlation enables customers to correlate information across multiple locations
- Event data privacy by local storage and processing of logs, thereby reducing the need for bandwidth
- Customized options allow customers to configure multiple logging formats and extract valuable information; CNAM's correlation engine has been regularly used to detect enterprise fraud and misuse
Resources
Benefits of using CNAM
A short write-up on the benefits of the CNAM Security Suite
Quick Intro to CNAM
Brief 4 slider introduction to CNAM
Effective Detection Strategies
Drives through most available options in the detection space.


