Real-time Compliance Monitoring
The Real-time Compliance Module (RCM) from the CNAM Security Suite addresses the most basic requirement of event log management for security-conscious organizations. Even a small enterprise network with a generic set of network and security devices generates upwards of 1 GB of event logs per day. These events originate from devices from various vendors and therefore share no single standard logging format. A central repository that collects logs from many devices at a high reception rate, organizes the events and archives them in a systematic format is a pressing need for the enterprise network. The RCM module provides a quick fix for this issue by providing a logging facility that can scale to meet the needs of extremely large infrastructures.
What does RCM deliver
- Collection of event logs from multiple event sources within the organization
- Integration with ERM allows customers to review compliance in real time across geographies
- Visualization of events and logging information via an easy-to-use web-based console
- Compliance with regulatory standards through reports generated from the event log archive
- Event archival: a high-speed collection and archival facility that can store, process and retrieve terabytes of information, making this an effective tool for evidence collection
- Real-time analysis and saved searches allow customers to review evidence of attacks and monitor networks for known patterns in real time
Operational Details: How does RCM integrate
The real-time compliance manager is a distributed archival engine that receives logs from multiple event sources and stores them in a ready state for retrieval and analysis. Each RCM deployment consists of Network Aggregators (NAGs) that are deployed locally on the customer premises and collect event logs from the various event sources. The capacity of a NAG is determined by the number of events generated per minute and by the number of distributed aggregators deployed at each site. CNAM's distributed architecture allows customers to run multiple aggregators, seamlessly integrated, within the same location. Each aggregator can operate in both agent and agentless mode, which allows the integration of devices that do not support standard logging protocols.
CNAM is compatible with standard and encrypted syslog and with other common logging technologies. After collection, logs are translated into prioritized events and stored in the NAG along with the original messages. Event logs can then be searched centrally to identify attacks, or simply used as an audit trail.
What can you monitor using RCM
RCM collects, translates and archives event information generated within the enterprise. It employs a robust engine that collects, processes and translates all received event logs and stores them in compressed, readable formats. The following are the commonly used event sources processed by the RCM module:
- Multi-Zone Firewall
- Access Concentrators
- Intrusion Detection / Prevention Systems
- Centralized Anti-Virus
- Operating Systems
- Web Servers
- Database Servers
- Standard / Non Standard Application Servers
- Transaction Logs
Real-time Compliance: The Key
The enterprise network is required to comply with regulatory standards, and that compliance is measured by means of audits. Event log archives are the primary focus of enterprise-wide security audits, which include reporting on successes, failures, changes, etc. The real-time compliance module can now be used to meet audit requirements by reporting the exceptions or events that the compliance standard requires. RCM provides the reporting formats required by compliance standards such as PCI DSS, HIPAA, GLBA, ISO, etc.
In an attack scenario, administrators are required to dig up logs immediately and report an analysis of the incident. The RCM module is extremely helpful in such conditions, as it allows the administrator to query the raw event sources and collect evidence as required. The module also allows administrators to save search criteria and review the results periodically, which helps in the constant monitoring of attack conditions within the network.
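The pipeline the two sections above describe, in which syslog and non-syslog lines from different devices are translated into prioritized events that keep the original message, archived, and then queried through saved searches that an analyst re-runs periodically, is illustrated by the following added Python example. It is not CNAM's or RCM's code: the device names, sample log lines, the asset criticality table, the event categories and the scoring weights are all constructed for illustration, and the in-memory `Archive` class merely stands in for an aggregator's store.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample lines (not from any real device): RFC 3164 syslog lines
# from a firewall, an IDS and a Linux host, plus a plain web-server access-log
# line that carries no syslog header at all.
SAMPLE_LINES = [
    "<132>Mar  3 10:15:02 fw-edge-01 kernel: DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22",
    "<131>Mar  3 10:15:03 ids-01 snort[2211]: [1:2001219:20] ET SCAN Potential SSH Scan",
    "<38>Mar  3 10:15:04 db-prod-01 sshd[4412]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    '203.0.113.9 - - [03/Mar/2024:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 512',
]

# Hypothetical asset criticality table, standing in for the "organizational
# view of assets" used for prioritization; 1 = low, 3 = crown jewel.
ASSET_CRITICALITY = {"fw-edge-01": 2, "ids-01": 2, "db-prod-01": 3}
SECURITY_CATEGORIES = {"firewall-deny", "auth-failure", "ids-alert"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


@dataclass
class Event:
    source: str
    timestamp: str
    severity: int   # syslog severity: 0 = emergency .. 7 = debug
    category: str
    priority: int   # derived score used to order events for the analyst
    raw: str        # the original line is always kept next to the parsed fields


def classify(msg: str) -> str:
    """Map free-text message content onto a small, constructed category set."""
    m = msg.lower()
    if "deny" in m or "drop" in m:
        return "firewall-deny"
    if "failed password" in m or "authentication failure" in m:
        return "auth-failure"
    if "scan" in m:
        return "ids-alert"
    return "informational"


def score(severity: int, category: str, host: str) -> int:
    # A lower syslog severity number is more severe, so invert it to 1..8,
    # weight by asset criticality and bump security-relevant categories.
    base = 8 - severity
    crit = ASSET_CRITICALITY.get(host, 1)
    bump = 2 if category in SECURITY_CATEGORIES else 0
    return base * crit + bump


def parse_line(line: str) -> Event:
    """Translate one raw line into a prioritized Event without discarding it."""
    m = SYSLOG_RE.match(line)
    if m:
        severity = int(m.group("pri")) % 8   # PRI = facility * 8 + severity
        host, msg = m.group("host"), m.group("msg")
        cat = classify(msg)
        return Event(host, m.group("ts"), severity, cat, score(severity, cat, host), line)
    m = ACCESS_RE.match(line)
    if m:
        # Non-syslog source: a 5xx response counts as an error, else informational.
        severity = 3 if m.group("status").startswith("5") else 6
        host, cat = "web-access-log", "web-access"
        return Event(host, m.group("ts"), severity, cat, score(severity, cat, host), line)
    # Unknown format: archive it anyway, at the lowest priority, so nothing is lost.
    return Event("unknown", "", 7, "unparsed", 0, line)


class Archive:
    """In-memory stand-in for an aggregator's event store with saved searches."""

    def __init__(self) -> None:
        self.events: List[Event] = []
        self.saved: Dict[str, Callable[[Event], bool]] = {}

    def ingest(self, lines) -> None:
        for line in lines:
            self.events.append(parse_line(line))

    def save_search(self, name: str, predicate: Callable[[Event], bool]) -> None:
        self.saved[name] = predicate

    def run_saved(self, name: str) -> List[Event]:
        # Periodic review of a saved search is just re-running its predicate
        # over the archive and presenting the hits highest priority first.
        return sorted(filter(self.saved[name], self.events), key=lambda e: -e.priority)


def build_demo_archive() -> Archive:
    archive = Archive()
    archive.ingest(SAMPLE_LINES)
    archive.save_search(
        "auth-failures-on-critical",
        lambda e: e.category == "auth-failure" and ASSET_CRITICALITY.get(e.source, 1) >= 3,
    )
    archive.save_search("activity-from-203.0.113.7", lambda e: "203.0.113.7" in e.raw)
    return archive


if __name__ == "__main__":
    for ev in build_demo_archive().run_saved("activity-from-203.0.113.7"):
        print(ev.priority, ev.source, ev.category, "|", ev.raw)
```

The point of keeping `raw` on every event, including the `unparsed` fallback, is that the normalized fields drive searching and ordering while the untouched original line remains available as evidence; a parser that only kept its own interpretation would weaken the archive's value in an audit or incident review.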
Benefits of Real-time Compliance Monitoring
- Scalability is delivered by the RCM module through CNAM's distributed architecture: an enterprise can scale on inexpensive server hardware and still obtain the required results
- Real-time operation: distributed collection and collation techniques reduce the time before information is available for review by administration staff
- Compliance reporting delivers standard reporting formats that the compliance team can review to identify violations of a requirement
- Single-view dashboard provides a quick or detailed view of the entire enterprise, which may span several geographies
- Real-time searching allows analysts to examine event logs that have only just been recorded, thereby letting customers use the RCM module as a manual monitoring and verification tool
- Asset risk prioritization analyzes and prioritizes events based on the organization's view of its assets
Resources
Benefits of using CNAM
A short write-up on the benefits of the CNAM Security Suite
Quick Intro to CNAM
A brief four-slide introduction to CNAM
Effective Detection Strategies
Walks through most of the available options in the detection space.