ANET SURELOG
Security Information and Event Management
System Product Information
About ANET
SureLog SIEM
What Is SureLog For?
What We Offer
Advantages of SureLog
Why Do Companies Need SIEM Systems?
Why SureLog SIEM Is Intelligent
What Sets SureLog Apart from the Others?
Correlation Rule Examples
The Competition
SureLog FAQ
The Competition References
Murat Korucu
ANET New Zealand Consultant
murat.korucu@anet.net.nz
www.anet.net.nz
About ANET
ANET is a privately owned software company incorporated in VA, USA, with branches in Turkey and New
Zealand. Our mission is to build a software company that embraces an "open development philosophy" and provides
innovative solutions to problems in collaboration with customers. We have worked extensively with Turkey's biggest
telecom companies, Turk Telekom and TTNET, on network and internet security. The Turk Telekom group provides integrated
telecommunication services from PSTN and GSM to broadband internet. Turk Telekom group companies had 17.1 million
PSTN customers, 6 million ADSL customers and 12.4 million GSM customers as of June 30, 2009.
Our team and projects have also received awards from the Scientific and Technological Research Council of Turkey
(TÜBİTAK) and from KOSGEB, the Small and Medium Industry Development Organization of the Republic of Turkey
Ministry of Industry and Trade.
ANET has 250 clients, including Santander Bank, Adidas, Honda and Bayer pharmaceuticals, experiencing the
ANET difference throughout Europe. Please see http://www.anet.net.nz/references.
ANET SureLog's SIEM architecture offers a superior correlation engine, the fastest EPS performance on the market,
high-speed log search, cost-effective Security Information and Event Management (SIEM), speed at scale, and a platform
that is simple to deploy. For partners:
Aggressive discounts and a strong deal-registration program, with the industry's highest partner margins
A product that just works: thousands of installed systems and hundreds of customer references
Lowest cost to the customer: priced to help you win more deals
90% win rate against competitive products
SureLog SIEM
Automate 24x7 security monitoring, alerting, and response
Collect and correlate log and event data in real-time
Streamline compliance reporting and security audits
Fast forensic investigation and root cause analysis
Gain the power of SIEM without spending most of the IT lifecycle and IT budget on it
Perform rapid root cause analysis with built-in intelligence and strong visualization across networks, systems,
applications and security devices
What Is SureLog For?
SureLog helps network security administrators and IT managers monitor security events efficiently and receive
real-time alerts. SureLog also generates reports for compliance with regulations such as the Health Insurance
Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX) and the
Payment Card Industry Data Security Standard (PCI DSS), and archives logs for network auditing and forensic analysis.
What We Offer
Multiple device and vendor support, flexible log archiving, traffic trend and usage pattern views,
multi-level drill-down into top hosts, protocols, web sites and more, VPN and Squid proxy reports, varied reporting
capabilities, centralized event log management, compliance reporting, automatic alerting, historical trending, security
analysis, host grouping, pre-built event reports, customizable report profiles, report scheduling and multiple report
formats. Compliant with Turkish Law 5651: archived logs are digitally signed so that any alteration can be detected.
Advantages of SureLog
Fast. Supports 50 000 EPS with thousands of rules.
Traces multiple logs of different types within defined time frames. Sample rule: detect the unusual condition
where a source has authentication failures at a host that are not followed by a successful authentication at the
same host within 2 hours.
Correlates different logs (for example a Windows user creation event and a Telnet event) on related fields.
Sample rule: look for a new account being created followed by immediate authentication activity from that
same account; this detects a backdoor account being created and then used to telnet back into the system.
Traces both the presence and the absence of a log with the desired parameters. Sample rule: detect the unusual
condition where a source has authentication failures at a host that are not followed by a successful
authentication at the same host within 2 hours.
Audits privileged user activity, such as new account creation, for greater operational transparency.
Correlates privileged user behaviour with specific network activity. Sample rule: look for a new account being
created followed by immediate authentication activity from that same account; this detects a backdoor account
being created and then used to telnet back into the system.
The correlation rule editor is simple to use.
Multiple filtering options.
Compression-based correlation. Monitors multiple occurrences of the same event, removes redundancies and
reports them as a single event.
Threshold-based correlation. Triggers a report when a specified number of similar events occur.
Filter-based correlation. Inspects each event to determine whether it matches a pattern defined by a regular
expression. If a match is found, the action specified in the rule may be triggered.
Sequence-based correlation. Helps to establish causality between events. Events can be correlated by specific
sequential relationships, for example event A being followed by event B triggers an action.
Time-based correlation. Useful for correlating events that have specific temporal relationships; some
problems can be determined only through such correlation. For example, time-based correlation can
be used to implement clean-up rules that expire correlation state after a given interval.
Decision speed: integrated analysis technology processes highly complex decision logic in real time, similar to
how humans reason.
Continuous learning: SureLog continuously learns the behaviour of your environment by cross-correlating log
information, device availability and performance statistics.
Real-time alerting and historical forensics: many ready-to-use rules detect anomalous behaviour and events.
Comprehensive search and reporting capabilities simplify compliance reporting.
Business service visibility: monitors data center resources, users and applications in the context of business
services, not devices, speeds and feeds, to accelerate problem detection and resolution.
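The following Python sketch is an added example, not SureLog code and not part of the original page. It shows how the correlation types listed above (filter, threshold, compression, sequence and time-based expiry) combine to implement two of the sample rules: repeated authentication failures from one source at one host within 15 minutes followed by a successful login from that source, and authentication failures at a host that are not followed by a success at the same host within 2 hours, together with the "fire once, then suspend for an hour" behaviour. The log format, host names, addresses and user names are constructed; the 15-minute window in which the success must follow the failures is an assumption the page does not state.

```python
import re
from collections import defaultdict, deque

# Rule parameters. The 5 / 15-minute and 2-hour figures are the ones quoted on this page;
# FOLLOW_WINDOW is an assumption, because the page does not say how soon the success must follow.
FAIL_THRESHOLD = 5          # failures from one source at one host ...
FAIL_WINDOW = 15 * 60       # ... within 15 minutes
FOLLOW_WINDOW = 15 * 60     # assumption: the success must come within 15 minutes of the 5th failure
ABSENCE_WINDOW = 2 * 3600   # failures not followed by a success at the same host within 2 hours
SUPPRESS_FOR = 3600         # fire once per (rule, subject), then suspend that rule for 1 hour

# Constructed sshd-style log format (not real product output). The first field is a
# timestamp in seconds so the window arithmetic below is easy to follow.
LINE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password "
                  r"for (?P<user>\S+) from (?P<src>[\d.]+)$")

def parse(line):
    """Filter-based step: keep only lines matching the authentication pattern."""
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = int(e["ts"])
    e["ok"] = e["result"] == "Accepted"
    return e

class Correlator:
    def __init__(self):
        self.fail_times = defaultdict(deque)  # (src, host) -> timestamps of recent failures
        self.brute_at = {}                    # src -> time the failure threshold was crossed
        self.open_failures = {}               # (src, host) -> first failure still awaiting a success
        self.last_fired = {}                  # (rule, subject) -> time of the last alert
        self.alerts = []
        self.suppressed = 0

    def _fire(self, ts, rule, subject, detail):
        key = (rule, subject)
        if key in self.last_fired and ts - self.last_fired[key] < SUPPRESS_FOR:
            self.suppressed += 1              # "suspend Rule A 1 hour after fire"
            return
        self.last_fired[key] = ts
        self.alerts.append({"ts": ts, "rule": rule, "subject": subject, "detail": detail})

    def _expire(self, now):
        """Absence (negative) rule: a failure with no success at the same host within 2 hours."""
        for (src, host), first in list(self.open_failures.items()):
            if now - first >= ABSENCE_WINDOW:
                del self.open_failures[(src, host)]
                self._fire(first + ABSENCE_WINDOW, "failures_without_success", f"{src}->{host}",
                           f"authentication failed at {host}, no success within {ABSENCE_WINDOW // 3600} h")

    def feed(self, e):
        """Events must arrive in timestamp order; time-based state expiry depends on it."""
        self._expire(e["ts"])
        key = (e["src"], e["host"])
        if not e["ok"]:
            q = self.fail_times[key]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > FAIL_WINDOW:   # slide the 15-minute window
                q.popleft()
            self.open_failures.setdefault(key, e["ts"])
            if len(q) >= FAIL_THRESHOLD:                # threshold + compression: N failures -> one state
                self.brute_at[e["src"]] = e["ts"]
                q.clear()
        else:
            self.open_failures.pop(key, None)           # a success at the same host closes the absence timer
            crossed = self.brute_at.pop(e["src"], None) # sequence: failures followed by a success anywhere
            if crossed is not None and e["ts"] - crossed <= FOLLOW_WINDOW:
                self._fire(e["ts"], "brute_force_then_success", e["src"],
                           f"{FAIL_THRESHOLD} failures in {FAIL_WINDOW // 60} min, then login to "
                           f"{e['host']} as {e['user']}")

    def flush(self, now):
        self._expire(now)   # evaluate absence rules up to 'now'
        return self.alerts

def run(text, now):
    c = Correlator()
    for e in filter(None, map(parse, text.splitlines())):
        c.feed(e)
    return c.flush(now), c.suppressed

# Constructed sample: 10.0.0.5 brute-forces srv1 then logs in to srv2 (alert), repeats and logs in
# to srv1 (suppressed), 10.0.0.9 fails once and never succeeds (absence alert), 10.0.0.7 fails and
# later succeeds at the same host (no alert). The last line does not match the filter and is dropped.
SAMPLE_LOG = """\
0 srv1 sshd: Failed password for root from 10.0.0.5
50 srv1 sshd: Failed password for alice from 10.0.0.7
100 srv3 sshd: Failed password for bob from 10.0.0.9
120 srv1 sshd: Failed password for admin from 10.0.0.5
240 srv1 sshd: Failed password for oracle from 10.0.0.5
360 srv1 sshd: Failed password for test from 10.0.0.5
480 srv1 sshd: Failed password for guest from 10.0.0.5
700 srv2 sshd: Accepted password for svc_backup from 10.0.0.5
900 srv1 sshd: Failed password for root from 10.0.0.5
1020 srv1 sshd: Failed password for root from 10.0.0.5
1140 srv1 sshd: Failed password for root from 10.0.0.5
1260 srv1 sshd: Failed password for root from 10.0.0.5
1380 srv1 sshd: Failed password for root from 10.0.0.5
1500 srv1 sshd: Accepted password for root from 10.0.0.5
3000 srv1 sshd: Accepted password for alice from 10.0.0.7
3001 srv1 kernel: unrelated line that the filter drops
"""

if __name__ == "__main__":
    alerts, suppressed = run(SAMPLE_LOG, now=9000)
    for a in alerts:
        print(a)
    print("suppressed:", suppressed)
```

Running it against the constructed sample raises two alerts (the brute force followed by the login to srv2 at t=700, and the failure from 10.0.0.9 at srv3 that is still without a success two hours later) and suppresses one (the second brute-force sequence at t=1500, inside the one-hour suspend window). The absence rule only fires when time advances, which is why a real engine needs a clock-driven sweep rather than relying on the next event to arrive.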
Cost-Effective Security Information and Event Management (SIEM) software
Real-Time Event Correlation
Log Search
Real-time Alerting
Dashboard and User based Views
Automates the entire process of managing terabytes of machine-generated logs
Agent-less log analytics software for network security devices
Collects, archives and analyses security device logs and generates forensic reports from a central console
Provides end-point security monitoring and analysis, employee Internet monitoring and bandwidth monitoring
Supports capacity planning, policy enforcement, security and compliance audit reporting
Works with open source and commercial network firewalls (Check Point, Cisco, Juniper, Fortinet, Snort and
more) and IDS/IPS
Supports VPNs, proxies and related security devices
Collects, analyses, searches, reports and archives from a central location
Reports on user activity, regulatory compliance, historical trends and more
Conducts log forensics analysis, monitors privileged users and supports compliance with regulatory bodies
Agent-less Log Collection
Agent-based Log Collection
Log Search
Log Analysis
Log Archiving
Log Forensics
Importing Event Logs
User Authentication
Ready-built Event Log Reports
Custom Event Log Reports
Microsoft Internet Information Services (MS IIS) Server Log Reports
VMware Server Log Management Reports
Active Directory Log Reports
Privileged User Monitoring (PUMA) Reports
User Session Monitoring
Event Log Reports
Historical Event Trends
Advanced Search Result as Report Profile
Microsoft IIS Web server application
Microsoft IIS FTP server application
DHCP Windows application
DHCP Linux application
MS SQL database application
Oracle database application (Audit)
Apache web server application
Print server application
Windows Terminal Server Log Monitoring
Custom / Scheduled Reports
Why Do Companies Need SIEM Systems?
If your company has more than 50 computers and more than 5 servers you need log
aggregation, so at the bare minimum you need log management.
If your company needs log forensics, you need log management.
SIEM is a required tool for compliance purposes in many industries and plays a big part in PCI,
HIPAA, HITECH, GLBA and SOX programs. If you need compliance- or regulation-mandated logging and
reporting, go with a SIEM.
If your company needs real-time alerts across multiple platforms to help you detect potential
security breaches, you need a SIEM.
If your company needs to monitor your intranet (your users) for security breaches and
protect against insider attacks, you need a SIEM.
A SIEM greatly increases the chances of identifying malicious traffic because it correlates
many different types of logs from many devices, so if you need to react to malicious traffic, you need a SIEM.
If your company needs to monitor and log the access and use of sensitive data, you need a
SIEM.
The size and complexity of today's enterprises is growing rapidly; if you have a small IT
team, you need a SIEM for security monitoring.
According to an Evalueserve survey, 57 percent of companies capable of detecting targeted
attacks within minutes experienced 10 or fewer attacks in 2013, and
78 percent of those companies employ a real-time SIEM solution. So if you need real-time
attack detection, you need a SIEM.
A SIEM keeps a copy of log data off the originating systems, which thwarts anyone trying to cover their tracks
by deleting local logs. So if you need a backup facility for your system logs, you need a SIEM.
If your company has a limited IT budget, a SIEM cuts costs and increases your IT department's
productivity by automating IT management.
A SIEM can be used to measure employee performance metrics by monitoring employee
resource usage against configurable rules and rule sets.
Why SureLog SIEM Is Intelligent
In today’s dynamic and evolving environment of threats, busy IT security teams don’t have
the time or resources to do analysis of emerging threats on their own. Continuous Threat
Intelligence updates are fully integrated into the SureLog platform for threat assessment, detection,
and response.
The SureLog advanced correlation engine is integrated with these Threat Intelligence updates, and its
in-memory correlation rules help IT security teams detect threats.
What Sets SureLog Apart from the Others?
SureLog has a highly flexible architecture and supports high-volume data throughput rates.
As well as the flexible architecture, SureLog possesses a superior correlation engine. The
system lets you define the complex combinations of events that you need to be alerted about by
easily creating and customizing correlation rules with a graphical, drag-and-drop rule creator.
SureLog supports 155 brands and 350 devices and categorises logs into 1513 groups.
Sophisticated threat intelligence management allows SureLog to dynamically collect blacklists
and update its database.
Unlike many of its competitors, SureLog does not use legacy SQL systems like MS SQL, MySQL
or PostgreSQL; instead it uses a vertical (column-oriented) database for archiving.
The intuitive interface of SureLog gives users an easy drill-down query interface for ad hoc
or saved context-based queries, tabbed data views and interactive filtering.
SureLog is the ultimate integrated Log Management and SIEM solution, with many other
features as listed in detail below.
Correlation Engine
Rule Chains
Advanced correlation rules
Attack Followed by Account Change
Scan Followed by an Attack
Detects an unusual condition where a source has authentication failures at a host not
followed by a successful authentication at the same host within 2 hours
Looks for a new account being created followed by immediate authentication activity from
that same account, which would detect backdoor account creation followed by the account being
used to telnet back into the system
Compression-based correlation. Monitors multiple occurrences of the same event, removes
redundancies and reports them as a single event
Threshold-based correlation. Has a threshold to trigger a report when a specified number of
similar events occur
Filter-based correlation. Inspects each event to determine if it matches a pattern defined by
a regular expression. If a match is found, an action may be triggered as specified in the rule
Sequence-based correlation. Helps to establish causality of events. Events can be correlated
based on specific sequential relationships. For example, synchronizing multiple events such
as event A being followed by event B to trigger an action
Time-based correlation
Supports special correlation requirements
Define a rule triggering time frame: fire Rule B only at lunch time
Define a rule suspend time frame after firing: suspend Rule A for 1 hour after it fires
Taxonomy
SureLog supports 155 brands and 350 devices. Categorize (Taxonomy) logs into 1513 groups
such as:
Compromised->Remote Control App->Response
Health Status->Informational->High Availability->Link Status->Down
IP Traffic Audit->IP Too many fragments
IP Spoof Access->ICMP CODE Redirect for the Host
File Transfer Traffic Audit->Authentication Failed
Naming Traffic Audit
Session->Start
ICMP Destination Network is Administratively Prohibited
EPS Performance
We can reach 10 000 EPS and beyond with standard system resources, whereas our competitors
cannot reach this level with their stated specifications; they require huge resources. The table below
depicts our system requirements:
SIEM, Log Management and Traffic Reporting Integrated
Log search filtering capabilities are as rich as typical log search frameworks. Users can search any type
of log in the fastest way.
Supports a Logs by Device feature: SureLog reports which machines are sending the log data.
SureLog also has many predefined reports for compliance management. A large number of
preconfigured dashboards are present, tailored towards monitoring performance, compliance,
vulnerabilities, flow data and other metrics. Custom dashboards are easily created through a simple
drag-and-drop interface, giving users access to reports.
Predefined commonly used search filters such as:
Get the list of logged-in users on our Windows servers. No need to know the Event ID (or anything
else)
Track when a password change was done
Change password attempts
See who is logged in on your Linux system
No need to know the Event ID (or anything else). Filters and reports are available with one click.
SureLog has a traffic reporting module as well as security reporting, such as:
Who is sending / receiving the traffic?
Which host is sending / receiving the traffic?
What is the traffic share of various protocol groups?
What is the event severity pattern due to the traffic?
Receive traffic reports for the following:
Host specific traffic
User specific traffic
Protocol Group specific traffic
Event severity specific traffic
Other Predefined Traffic and Security Report Categories:
Firewall Reports
Traffic Reports
URL Report
VPN Reports
Traffic Details Report
Inbound & Outbound Traffic
Intranet Reports
Security Reports
Virus Reports
Attack Reports
Spam Reports
Trend Reports
Protocol Trend Reports
Traffic Trend Reports
Event Trend Reports
VPN Trend Reports
Simplicity
SureLog takes an end user's point of view: no need to develop scripts.
SureLog technology is designed to transform huge volumes of data into an effortless
package.
No learning curve. Minimizes the burden of needing qualified security professionals on staff.
Easy to Install
Software solution that can be installed on both 64-bit Windows and Linux. The setup is
straightforward.
Low Implementation and Management Costs
Because of low system requirements for high EPS values, easy installation and setup, and no learning
curve, SureLog costs are low.
Correlation Rule Examples
Warn if 5 failed logon attempts with different usernames are made from the same IP to the
same machine within 15 minutes and, after that, a successful login occurs from the same IP to
any machine.
Warn if a host scan is made by an IP, then a successful connection is established by the
same IP, and then a connection is established back from the connected IP to the connecting IP.
Warn if more than 100 connections are established from different external IPs to the
same destination IP in one minute.
Warn if 100 connections are established from the same external IP through different ports
to the same destination IP in one minute.
Warn if the same user makes more than three failed logon attempts to the same machine in
an hour.
Warn if a user's authentication fails at a server and no successful authentication by that user
at the same server follows within two hours.
Warn once if more than 100 packets are blocked by the UTM/firewall from the same source IP,
and do not warn again within an hour. (Millions of packets are blocked during a DDoS attack; if an
email is sent for each one, you turn the DDoS into an attack on your own alerting.)
Report the source IP that causes Unusual UDP Traffic.
Warn if traffic occurs to or from an address on the IP reputation list.
Warn if network traffic occurs to or from an address on the malicious link list published
by TR-CERT, the Turkish Computer Emergency Response Team.
To find out whether someone has set up a DHCP server in your network, or a different gateway is broadcasting:
warn if traffic occurs from inside to outside or from outside to inside whose
protocol is UDP, destination port is 67, and destination IP is not in the registered IP list.
Warn if an IP scan occurs.
Warn if a SQL injection attack occurs via the web server.
Warn if the servers are accessed out of hours.
Warn if the same user makes more than three failed logon attempts to different machines in a
minute.
Warn if an attack is followed by an account change.
Warn if a scan is followed by an attack.
Detect an unusual condition where a source has authentication failures at a host that are
not followed by a successful authentication at the same host within 2 hours.
Look for a new account being created followed by immediate authentication activity from
that same account; this would detect backdoor account creation followed by the account
being used to telnet back into the system.
Monitor the same source having excessive logon failures at distinct hosts.
Check whether the source of an attack was previously the destination of an attack (within 15
minutes).
Check whether there are 5 events from host firewalls with severity 4 or greater in 10
minutes between the same source and destination IP.
Look for a new account being created, followed shortly by access/authentication failure
activity from the same account.
Monitor system access outside of business hours.
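The following Python sketch is an added example, not SureLog code and not taken from the original page. It implements three of the list- and traffic-based rules above over constructed firewall log lines: the rogue DHCP server rule (UDP to destination port 67 where the destination is not a registered DHCP server), the IP reputation rule (traffic to or from a listed address), and the fan-in rule (more than 100 connections from different external IPs to the same destination within one minute). The log format, the registered DHCP server address, the reputation list entries and the internal address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Environment data the rules depend on; all constructed for this example.
REGISTERED_DHCP = {
    "10.0.0.1",          # the one authorised DHCP server (assumption)
    "255.255.255.255",   # DHCPDISCOVER is broadcast to port 67: without this entry every client boot alerts
}
IP_REPUTATION = {"198.51.100.7", "203.0.113.9"}   # stand-in for a downloaded reputation / malicious-host list
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANIN_WINDOW = 60        # "more than 100 connections from different external IPs ... in one minute"
FANIN_THRESHOLD = 100

# Constructed firewall-log format (not a real vendor format): ts action proto src:sport dst:dport
LINE = re.compile(r"^(?P<ts>\d+) (?P<action>allow|deny) (?P<proto>tcp|udp|icmp) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    for k in ("ts", "sport", "dport"):
        e[k] = int(e[k])
    return e

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def rogue_dhcp(e):
    """UDP to port 67 whose destination is not a registered DHCP server."""
    return e["proto"] == "udp" and e["dport"] == 67 and e["dst"] not in REGISTERED_DHCP

def reputation_hit(e):
    """Traffic to or from an address on the reputation list; returns the matching addresses."""
    return {e["src"], e["dst"]} & IP_REPUTATION

class FanIn:
    """Distinct external sources per destination over a sliding one-minute window, fired once per destination."""
    def __init__(self):
        self.recent = defaultdict(deque)   # dst -> (ts, src) pairs inside the window
        self.fired = set()

    def observe(self, e):
        if is_internal(e["src"]):
            return None
        q = self.recent[e["dst"]]
        q.append((e["ts"], e["src"]))
        while q and e["ts"] - q[0][0] > FANIN_WINDOW:
            q.popleft()
        distinct = {src for _, src in q}
        if len(distinct) > FANIN_THRESHOLD and e["dst"] not in self.fired:
            self.fired.add(e["dst"])
            return len(distinct)
        return None

def run(text):
    """Parse, order by time, and apply the three rules; returns (rule, ts, detail) tuples."""
    events = sorted(filter(None, map(parse, text.splitlines())), key=lambda e: e["ts"])
    fanin, alerts = FanIn(), []
    for e in events:
        if rogue_dhcp(e):
            alerts.append(("rogue_dhcp", e["ts"], f"{e['src']} -> {e['dst']}:67"))
        hit = reputation_hit(e)
        if hit:
            alerts.append(("ip_reputation", e["ts"], f"{e['src']} -> {e['dst']} matches {sorted(hit)}"))
        n = fanin.observe(e)
        if n:
            alerts.append(("fan_in", e["ts"], f"{n} distinct external sources -> {e['dst']}:{e['dport']} in {FANIN_WINDOW}s"))
    return alerts

# Constructed sample traffic: one legitimate broadcast, one legitimate renewal, one client talking to an
# unregistered DHCP server, two reputation hits (outbound and inbound), and 101 external sources hitting
# one web server within the same minute.
SAMPLE = "\n".join([
    "60 allow udp 10.0.0.21:68 255.255.255.255:67",
    "61 allow udp 10.0.0.21:68 10.0.0.1:67",
    "62 allow udp 10.0.0.22:68 10.0.0.250:67",
    "70 allow tcp 10.0.0.5:51000 198.51.100.7:443",
    "71 deny tcp 203.0.113.9:4444 10.0.0.5:22",
] + [f"{100 + i % 50} allow tcp 192.0.2.{i}:{40000 + i} 10.0.0.80:443" for i in range(101)])

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

On the sample this yields one rogue_dhcp alert (the client talking to 10.0.0.250), two ip_reputation alerts and one fan_in alert raised on the 101st distinct source. The broadcast entry in REGISTERED_DHCP is the caveat a practitioner adds to the page's rule: a DHCPDISCOVER is sent to 255.255.255.255:67, so a rule that only allows the server's unicast address fires on every normal client boot.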
The Competition
In this section the EPS performance, correlation capability and log management integration of SureLog
and our main competitors are compared. Where available, the vendors' official product documents are
given as references for the comparison results (see The Competition References).
Alienvault: Appliance setup can be a little challenging. Maximum correlation EPS performance
is limited to 10 000 EPS. All SIEM logs are stored in a MySQL database, which causes scalability issues,
especially in high log volume environments, because backup and restore are
time- and CPU/RAM-consuming.
The biggest issue we have seen with the product is its poor stability. With so many
components, myriad integrations and many scripts, the product is likely to be unstable.
Alienvault uses cross-correlation rules only to connect IDS events and vulnerabilities, which is very
limited. Also, you cannot develop rules like "User Has Authentication Failures at a Host Not Followed
by a Successful Authentication at the Same Host by the Same User within 2 Hours", because
relating two events by username is not possible; relating them by computer name is not
possible either. Another rule you cannot develop: if condition A occurs, then within 5 minutes
condition B occurs and condition C does not occur and condition D occurs. This is because "does not
occur" is not supported in Alienvault directives. Alienvault has drawbacks in rule definition such as
having to restart the server after editing a rule or adding a new rule. Price for 1000 EPS collection +
1000 EPS correlation: 25 000 USD.
CorreLog: CorreLog's correlation engine is very primitive. There is no user-friendly
correlation rule editor. Taxonomy, scenarios built from multiple rules and cross-correlation
rules are not supported. Everything is query based. It lacks some high-end features, such as an
interactive report generator. There is no report template support. Pre-defined reports like deleted
files, attack reports etc. are missing. The rule editor needs a specific notation and it is hard to develop even a
simple rule.
EIQNetworks SecureVue: A resource-hungry SIEM solution. For just 1000 EPS,
SecureVue requires dual quad-core 2.0 GHz CPUs, 64 GB RAM and 15K RPM disks.
EventTracker: The EventTracker correlation engine is not as powerful as SureLog's.
Taxonomy is not supported. EPS is not treated as a critical issue and there is no data about EPS
performance.
LogRhythm: LogRhythm is a good competitor, but its system requirements are
high; for just 1000 EPS, LogRhythm requires 6 cores and 64 GB RAM. LogRhythm report building is
limited by its use of Crystal Reports: a non-editable template
must be created, then the report is created against the template. The template needs a preview
option as well as an edit option.
Prices start at 25 000 USD for 1000 EPS and reach 75 000 USD.
ManageEngine: ManageEngine Firewall Analyzer and ManageEngine EventLog Analyzer
are two different products, one for firewalls and one mainly for Windows, and they are not integrated.
EventLog Analyzer's correlation engine is very simple, and Firewall Analyzer does not have a
SIEM-like correlation engine. There is no taxonomy support. It requires huge resources for high EPS
and device support is very limited.
Splunk: Splunk is a log search framework, not a complete SIEM solution, and costly for
large enterprise installations. Splunk is often significantly more expensive than competing SIEM
solutions. Splunk does not do in-memory correlation. Splunk may require additional installation
assistance.
SolarWinds LEM: The SolarWinds LEM correlation engine is very simple. For example, you
cannot create a rule to detect an unusual condition where a source has authentication failures at a host not
followed by a successful authentication at the same host within 2 hours. SolarWinds LEM does not support
creating scenarios based on multiple rules. Threshold rules are very limited; for example, you cannot create a
rule to check whether there are 5 events from host firewalls with severity 4
or greater in 10 minutes between the same source and destination IP. There is no data for bigger
installations, but initial requirements are 8 GB RAM and a dual 3 GHz processor. Most reports are client-based, and web-
based reports are limited. EPS performance is very limited as well.
Tripwire Log Center: Tripwire Log Center is a resource-hungry SIEM solution; for only 500
EPS, Tripwire Log Center requires a quad-processor / six-core system with 64 GB RAM and 10K RPM disks. The SureLog correlation
engine is superior to Tripwire's. It is also not cost-effective for some environments.
Trustwave: Trustwave has very limited EPS performance; there is no capacity above 3400 EPS.
The SureLog correlation engine is superior to that of Trustwave. The report wizard can be cumbersome to use, and
manual custom report creation requires SQL and XML skills. It is also expensive and hard to use.
SureLog FAQ
Log Event Collection
Does ANET SureLog deploy event collectors agent-lessly? YES
Does ANET SureLog provide comprehensive out-of-the-box coverage across all types of event
sources? YES
Are failures of the event collection infrastructure detected immediately and operations personnel
notified? YES
Does ANET SureLog support the ability to parse multi-line log files? YES
Does ANET SureLog have a toolkit to allow customers to create integrations with unsupported legacy or
home-grown event sources? YES (it supports developing custom parsers via XML definitions)
Does ANET SureLog provide an agent-less solution that can automatically accept events and start to
monitor devices without any administrator intervention? YES
Can ANET SureLog import application logs? YES
Does ANET SureLog collect logs in a distributed manner, offloading the processing requirements of the
log management system for tasks such as filtering, aggregation, compression and encryption? YES
Can ANET SureLog import syslog? YES
Can ANET SureLog import HTTP requests made on your website? YES
× Does ANET SureLog provide encrypted transmission of log data to the log management system? NO
Log Event Processing
Does ANET SureLog categorize log data into an easily readable format to eliminate the need to know
vendor-specific event IDs? YES
Does ANET SureLog provide the ability to reduce event data through filtering or aggregation before it
is sent to the log management or correlation system? YES
Is ANET SureLog capable of correcting event time for systems with incorrect timestamps? YES
Does ANET SureLog normalize all collected event data into a consistent format (e.g., NIST 800-92)?
YES
SIEM Analysis and Reporting
Does the solution allow for a quick drill-down from high level to low level? YES
Are event data lists automatically populated by the system for tracking things such as attacks, user
sessions and other policy violations? YES
Does ANET SureLog report which machines are sending the log data? YES
Does ANET SureLog correlate events from multiple event sources, many of which do not
contain user information, into a concise set of actions performed by a specific individual? YES
Does ANET SureLog aggregate and suppress alerting with granular options and use conditional logic
to determine if an alert should be generated? YES
Does ANET SureLog offer a reporting interface that can leverage existing reports or the creation of
new reports? YES
Does ANET SureLog continue to work (without modifications) if a particular technology, such as a
firewall or IDS product, is replaced with a newer product or vendor? YES
× Does the solution allow a threat score to be calculated dynamically based on multiple criteria? NO
Security Event Correlation Rules
Does the solution provide a rule authoring system? YES
Does ANET SureLog's correlation engine provide many correlation rules out of the box to automate
incident detection and workflow processes? YES
Does ANET SureLog allow rules to be triggered in a series, matching various correlation activity before
an alert is generated? YES
Security Incident Compliance
Does the solution provide out-of-the-box content for the NERC compliance regulation? YES
Does the solution provide out-of-the-box content for the FISMA compliance regulation? YES
Does the solution provide out-of-the-box content for the HIPAA compliance regulation? YES
Does the solution provide out-of-the-box content for the PCI-DSS compliance regulation? YES
Does ANET SureLog provide the framework to report on ISO or NIST compliance items that can be
mapped directly to any regulatory standard or enterprise security policy? YES
Does the solution provide out-of-the-box content for the SOX compliance regulation? YES
× Does ANET SureLog alert when not in compliance? NO
Security Incident Detection
Is ANET SureLog able to correlate event data against static lists of items that the customer doesn't
allow on the network (i.e. a list of insecure protocols)? YES
Can ANET SureLog correlate DHCP, VPN and Active Directory events to provide session tracking for
every user in the enterprise? YES
Is ANET SureLog capable of keeping a statistical baseline of "normal" monitored activity (e.g.,
attacker, target, ports, protocols and session data)? YES
Is ANET SureLog capable of detecting patterns of activity that would otherwise go unnoticed by real-
time correlation? YES
Does the solution incorporate data from Vulnerability Assessment products in order to dynamically
define the event priority? YES
Is ANET SureLog capable of presenting categorized data to the correlation engine to allow real-time
detection and response? YES
Is ANET SureLog capable of correlating activity across multiple devices out of the box to detect
authentication failures, perimeter security, worm outbreaks and operational events in real time
without the need to specify a particular device type? YES
Does ANET SureLog allow customers to create objects such as filters or search queries that are
reusable throughout the system? YES
Does the solution dynamically read from and add data from events to lists? YES
× Is ANET SureLog capable of monitoring attack history against critical assets or by particular users?
NO
The Competition References
http://www8.hp.com/tr/tr/software-solutions/arcsight-esm-enterprise-security-management/tech-specs.html
http://www.eiqnetworks.com/pdfs/2013_Datasheets/SecureVue-Log-Management-and-SIEM-Data%20Sheet.pdf
https://www.trustwave.com/Resources/Library/Documents/Trustwave-SIEM-Log-Management-Appliances-Overview
https://www3.trustwave.com/siem-log-management-enterprise-appliance
http://www.tripwire.com/tripwire/assets/File/docs/Tripwire_Log_Center_Sizing_Matrix.pdf
http://www.logzilla.net/products/recommended-hardware
http://www.solarwinds.com/log-event-manager.aspx#p_systemrequirements
http://www.accelops.com/services/faq/#question1712
https://www.alienvault.com/docs/data-sheets/AV-USM.pdf
https://www.netiq.com/documentation/sentinel70/s701_install/data/btmckgy.html#bwwvoik
http://www.01.ibm.com/support/knowledgecenter/SS42VS_7.2.4/com.ibm.qradar.doc_7.2.4/c_hwg_3105_allone_base.html