
Introducing SmartEvent

In This Section:

The SmartEvent Solution

The SmartEvent Architecture

Today's complex, multi-layered security architectures consist of many devices that ensure the servers, hosts, and applications running on the network are protected from harmful activity. These devices all generate voluminous logs that are difficult and time-consuming to interpret. In a typical enterprise, an intrusion detection system can produce more than 500,000 messages per day, and firewalls can generate millions of log records a day. In addition, the logged data may contain information that appears to reflect normal activity when viewed on its own, but reveals evidence of abnormal events, attacks, viruses, or worms when the raw data is correlated and analyzed.

Enterprises need control over and practical value from the deluge of data generated by network and security devices.

The SmartEvent Solution

SmartEvent provides centralized, real-time event correlation of log data from Check Point perimeter, internal, and Web Security Gateways, as well as third-party security devices, and automatically prioritizes security events for decisive, intelligent action. By automating the aggregation and correlation of raw log data, SmartEvent not only minimizes the amount of data that needs to be reviewed but also isolates and prioritizes the real security threats. These threats might not be detected when each device's data is viewed in isolation, but pattern anomalies appear when the data is correlated over time.

With SmartEvent, security teams no longer need to comb through the massive amount of data generated by the devices in their environment. Instead, they can focus on deploying resources on the threats that pose the greatest risk to their business.

Scalable, Distributed Architecture

SmartEvent delivers a flexible, scalable platform capable of managing millions of logs per day per correlation unit in large enterprise networks. Through its distributed architecture, SmartEvent can be installed on a single server but has the flexibility to spread processing load across multiple correlation units and reduce network load.

Easy Deployment

SmartEvent provides a large number of predefined, but easily customizable, security events for quick deployment. Its tight integration with the Security Management Server architecture allows it to interface with existing Security Management Log Servers, eliminating the need to configure each device's Log Server separately for log collection and analysis. In addition, all objects defined in the Security Management Server are automatically accessed and used by the SmartEvent Server for event policy definition and enforcement. An enterprise can install SmartEvent and have it up, running, and detecting threats in a matter of hours.

Centralized Event Correlation

SmartEvent provides centralized Event Correlation and management for all Check Point products, such as Security Gateway, Application Control, and Mobile Access, as well as third-party firewalls, routers and switches, intrusion detection systems, operating systems, applications, and Web servers. Raw log data is collected over secure connections from Check Point and third-party devices by the SmartEvent Correlation Unit, where it is centrally aggregated, normalized, correlated, and analyzed. Data reduction and correlation functions are performed at various layers, so only significant events are reported up the hierarchy for further analysis. Log data that exceeds the thresholds set in predefined event policies triggers security events. These events can be unauthorized scans targeting vulnerable hosts, unauthorized logging, denial of service attacks, network anomalies, and other host-based activity. Events are then further analyzed and severity levels are assigned. Based on the severity level, an automatic reaction may be triggered at this point to stop the harmful activity immediately at the Security Gateway. As new information flows in, severity levels can be adjusted to adapt to changing conditions.

Real-Time Threat Analysis and Protection

SmartEvent performs real-time Event Correlation based on pattern anomalies and previous data, as well as correlation based on predefined security events. By weeding out irrelevant data and by correlating data between multiple devices, SmartEvent is able to zero in on the threats that pose the greatest risk to the enterprise. SmartEvent is fully integrated with the Security Management Server and can access all Security Gateways and enforce automatic actions on those Security Gateways against critical threats, for real-time, dynamic threat mitigation.

Intelligent Event Management

SmartEvent lets you customize event thresholds, assign severity levels to event categories, and choose to ignore rules on specific servers and services, greatly reducing the number of false alarms. Administrators can perform event search queries, sorts, and filters, as well as manage event status. As new information arrives, an open event can easily be closed or changed to a false alarm. Daily or weekly event reports can be distributed automatically for incident management and decision support.

Event Investigation Tracking

SmartEvent lets administrators investigate threats using flexible data queries, which are presented in timelines or charts. Once suspect traffic is identified, the actions taken to resolve the threats are tracked using work tickets, allowing you to keep a record of progress made using statuses and comments.

In addition, daily or weekly event reports can be distributed automatically for incident management and decision support.

SmartEvent Sizing Guide

The SmartEvent Sizing Guide helps you find the recommended SmartEvent appliance suitable for the scale of your environment. See the Sizing Guide in sk87263.

The SmartEvent Architecture

SmartEvent has several components that work together to help track down security threats and make your network more secure:

They work together in the following manner:

The SmartEvent components can be installed on a single machine (i.e., a standalone deployment), or spread out over multiple machines and sites (i.e., a distributed deployment) to handle higher volumes of logging activity.

SmartEvent and SmartReporter can be installed together on the same machine. In addition to generating Check Point reports, SmartReporter provides reporting services for SmartEvent.

Figure: SmartEvent Traffic Architecture

Item  Description
A     Log data flow
B     Event data flow
1     Third-party devices
2     Check Point Security Gateway
3     Log Server
4     SmartEvent Correlation Unit
5     SmartEvent Server
6     Events database
7     SmartEvent client

We recommend that you install more than one SmartEvent Correlation Unit if there is high-volume log activity. Each SmartEvent Correlation Unit can analyze logs for more than one Log Server.

Data Analysis and Event Identification

The SmartEvent Correlation Unit is responsible for analyzing the log entries and identifying events from them. When analyzing a log entry, the SmartEvent Correlation Unit does one of the following:

Event Management

The SmartEvent Server receives all the items that the SmartEvent Correlation Unit identifies as events. Further analysis takes place on the SmartEvent Server to determine the severity level of the event and what action should take place. The event is then stored in the system database.
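The following Python script is an added illustration of the pipeline described in Centralized Event Correlation and in the two sections above: normalized log entries from several devices are grouped by source, compared against a predefined threshold by the correlation-unit step, and only the resulting aggregate is passed to the server step, which assigns a severity and chooses a follow-up. It is not SmartEvent code and does not use Check Point's event-policy format; the key=value log layout, the device names, the addresses, the policy thresholds and the severity rules are all constructed for the example.

```python
"""Threshold-based correlation of normalized log lines into rated events.

Added example only: a toy model of the collect / normalize / correlate /
rate pipeline, not SmartEvent's engine or its event-policy syntax.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: lines already normalized to "timestamp key=value ..."
# as two gateways (gw-1, gw-2) and one third-party sensor (ids-1) might send
# them. 10.1.1.5 touches six ports on one host within seconds; 10.1.1.9 is
# ordinary traffic. None of the addresses or device names are real.
SAMPLE_LOGS = [
    "2024-01-15T10:00:00 device=gw-1 src=10.1.1.5 dst=10.2.0.10 dport=21 action=drop",
    "2024-01-15T10:00:01 device=gw-1 src=10.1.1.5 dst=10.2.0.10 dport=22 action=drop",
    "2024-01-15T10:00:02 device=gw-2 src=10.1.1.5 dst=10.2.0.10 dport=23 action=drop",
    "2024-01-15T10:00:03 device=gw-2 src=10.1.1.5 dst=10.2.0.10 dport=25 action=drop",
    "2024-01-15T10:00:04 device=ids-1 src=10.1.1.5 dst=10.2.0.10 dport=80 action=accept",
    "2024-01-15T10:00:05 device=gw-1 src=10.1.1.5 dst=10.2.0.10 dport=443 action=drop",
    "2024-01-15T10:00:10 device=gw-1 src=10.1.1.9 dst=10.2.0.10 dport=443 action=accept",
    "2024-01-15T10:00:11 device=gw-1 src=10.1.1.9 dst=10.2.0.10 dport=443 action=accept",
]


@dataclass
class EventPolicy:
    """Predefined event: one source reaches min_distinct_ports within window."""
    name: str
    min_distinct_ports: int
    window: timedelta


@dataclass
class SecurityEvent:
    """What the correlation step forwards: an aggregate, not the raw entries."""
    name: str
    source_ip: str
    distinct_ports: int
    devices: List[str]          # every device that contributed an entry
    accepted_ports: List[int]   # probes some device reported as accepted
    severity: str = "unassigned"


def parse_log(line: str) -> dict:
    """Parse one normalized line into a record with a typed time and port."""
    timestamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["time"] = datetime.fromisoformat(timestamp)
    record["dport"] = int(record["dport"])
    return record


def correlate(lines: List[str], policy: EventPolicy) -> List[SecurityEvent]:
    """Correlation-unit step: group entries per source across all devices,
    slide the policy window over them and emit one event per source whose
    busiest window reaches the threshold. Sources below it produce nothing."""
    by_source: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        record = parse_log(line)
        by_source[record["src"]].append(record)

    events: List[SecurityEvent] = []
    for src, records in by_source.items():
        records.sort(key=lambda r: r["time"])
        best: List[dict] = []
        start = 0
        for end in range(len(records)):
            # move the window start forward until the window fits the policy
            while records[end]["time"] - records[start]["time"] > policy.window:
                start += 1
            window = records[start:end + 1]
            if len({r["dport"] for r in window}) > len({r["dport"] for r in best}):
                best = window
        ports = {r["dport"] for r in best}
        if len(ports) >= policy.min_distinct_ports:
            events.append(SecurityEvent(
                name=policy.name, source_ip=src, distinct_ports=len(ports),
                devices=sorted({r["device"] for r in best}),
                accepted_ports=sorted(r["dport"] for r in best if r["action"] == "accept"),
            ))
    return events


def assign_severity(event: SecurityEvent) -> SecurityEvent:
    """Server step (constructed rules): a probe any device accepted outranks a
    fully blocked scan; a scan confirmed by several devices outranks one device."""
    if event.accepted_ports:
        event.severity = "high"
    elif len(event.devices) > 1:
        event.severity = "medium"
    else:
        event.severity = "low"
    return event


def reaction(event: SecurityEvent) -> str:
    """Severity to follow-up: automatic block for the top level, a tracked
    work ticket otherwise (labels constructed for the example)."""
    return "block source at gateway" if event.severity == "high" else "open work ticket"


def run_pipeline(lines: List[str], policy: EventPolicy) -> List[SecurityEvent]:
    return [assign_severity(e) for e in correlate(lines, policy)]


PORT_SCAN = EventPolicy("Port scan from a single source", 5, timedelta(seconds=60))

if __name__ == "__main__":
    for event in run_pipeline(SAMPLE_LOGS, PORT_SCAN):
        print(f"{event.severity.upper()}: {event.name} from {event.source_ip} "
              f"({event.distinct_ports} ports, seen by {', '.join(event.devices)}) "
              f"-> {reaction(event)}")
```

Running the script reports a single high-severity event for 10.1.1.5: the eight raw entries are reduced to one aggregate, the two gateways and the third-party sensor each contribute to it, and the ordinary traffic from 10.1.1.9 never leaves the correlation step. The point of the split into correlate() and assign_severity() is the one the text makes: the correlation unit reduces data and recognizes the pattern, while severity and the automatic reaction are decided centrally and can be revised as more entries arrive.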

Interoperability with Security Management

SmartEvent imports certain objects from the Security Management Server without having to recreate the objects in the SmartEvent client. Changes made to the objects on the Security Management Server are reflected in the SmartEvent client.

SmartEvent Client

The SmartEvent client provides all of the tools necessary for configuring the definitions that recognize security-related issues in your network infrastructure. It also provides a wide variety of ways to view the resulting data, including timelines, reports, and charts that allow you to drill down into the underlying data.

What can I do with the SmartEvent client?

What tools are included in the SmartEvent client?

The SmartEvent client is divided into seven sections: