Continuous security monitoring, threat hunting, file integrity monitoring and enterprise log management in an integrated trusted solution.
Overview
ALM-SIEM monitors, detects, raises alerts and supports response to cyber security incidents and data protection threats.
It combines SIEM, File Integrity Monitoring, Vulnerability Assessment and Enterprise Log Management functionality.
By continuously monitoring on-premise and cloud infrastructures, it provides deep security intelligence and visibility of critical threats while supporting regulatory compliance.
Key Features
Automated Threat Intelligence
ALM-SIEM ingests industry-leading Threat Intelligence feeds, automatically enriching log and event data with key intelligence from external watchlists and threat data. ALM-SIEM also enriches the Threat Intelligence data feed with additional user-defined threat content, such as client context information and whitelists.
Pre-configured Security Controls
ALM-SIEM is delivered with comprehensive out-of-the-box security controls, threat use cases and powerful alerting dashboards. Automated analytics based on these built-in controls and threat intelligence feeds immediately strengthen security defences, give visibility of security issues and support mitigation.
Operational Dashboards
ALM-SIEM is delivered with comprehensive alerting and operational dashboards to support threat and audit reporting, detection and response operations and analyst threat hunting services. Multi-format hard- and soft-copy alerting and reporting is available, including HTML, PDF, XLS, XML and CSV.
File Integrity Monitoring
ALM-SIEM includes a built-in FIM service that alerts on potentially unauthorised changes to critical assets outside the scope of audit logs. FIM continuously monitors key assets such as critical system files, configuration files, packages, critical data files and system objects.
Enterprise Log Management
Enterprise-wide, agent-based and agentless automated log management is built in. Secure and forensically sound collection of logs and machine data from almost any source ensures the security, continuity and integrity of all collected logs and allows alerting at the log source.
Forensic Data Integrity
Each log is digitally signed with an RSA/SHA256 signature before transfer. Transfer is authenticated and encrypted using TLS. Log data are securely stored and retained in verifiably original and complete form, allowing multiple uses and deep forensic investigations.
Secure Data Storage
Harvested data is archived in original, forensically sound form into secure long-term storage, complete with a digitally signed manifest and essential metadata. The fully searchable store includes chain of custody records and supports deep forensic investigation and re-investigation.
Open Data Export
ALM-SIEM is an open platform solution, with no data or technology lock-in. Automated data normalisation, filtering, enrichment and transformation, along with built-in data export features, mean that data can be exported in original, normalised or transformed form to almost any external service.
ALM Log Sources
Event logs and machine data normally enter an ALM-SIEM system through an ALM agent or via a direct API connection, depending on the source of the data. For reasons of log data integrity, efficiency and resilience, the preferred option is to install small, unobtrusive ALM agents on the hosts that create the logs, but agentless deployment is also available for collecting logs remotely and in cases where data integrity is not the primary concern.
ALM’s architecture allows collection and management of almost any log or data type (not just syslog streams as with many SIEM solutions). These can include binary logs, cloud data and many other types.
ALM-SIEM provides a huge range of data collection and processing features (known as Data Sources) out of the box, and Assuria is constantly extending its portfolio of data sources based on the needs of our customers. With some training, customers can also add log sources of their own to meet unique needs, via the optional Assuria Log Source SDK.
ALM Log Collection
Assuria’s ALM-SIEM solution uses agents to collect log data into a central store, although agentless collection is also available. ALM server-side components then process the collected logs from the store, e.g. to normalise and filter selected events into a database, or to export to external systems.
ALM’s collection architecture uses agents to collect data (typically logs, but ALM can collect anything, including screenshots and network packet captures) from a variety of sources. Data sources can be added at will, and include local log files, support for various remote protocols such as Syslog, WMI and OPSEC LEA, and querying of web/cloud services.
The agent collects data in its original format, unchanged, sequence-numbered and digitally signed. It then transfers the data via a mutually-authenticated TLS channel to an ALM Collector, which writes the data into a Store. ALM agents can also be configured to generate alerts at source when specific events appear in the logs that they collect.
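As an added illustration of the integrity scheme described here and under Forensic Data Integrity (example code, not Assuria's own; the record layout, function names and sample log lines are assumptions): an agent-side routine that sequence-numbers and RSA/SHA256-signs each log line as collected, and a collector-side verifier that rejects tampered, renumbered or missing records.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SampleLines are constructed syslog-style lines standing in for logs an agent has collected.
var SampleLines = []string{
	"<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8",
	"<86>Oct 11 22:14:16 host sshd[1234]: Accepted publickey for alice from 10.0.0.5",
}
// SignedRecord is a hypothetical record layout (not ALM's wire format): sequence number, log bytes as collected, signature.
type SignedRecord struct{ Seq uint64; Data, Sig []byte }
// digest hashes the sequence number with the unchanged log bytes, so a record can be neither edited nor renumbered unnoticed.
func digest(seq uint64, data []byte) []byte {
	d := sha256.Sum256(append(binary.BigEndian.AppendUint64(nil, seq), data...)) // AppendUint64 needs Go 1.19+
	return d[:]
}

// SignBatch is the agent side: number each line in order from start and sign it (RSA PKCS#1 v1.5 over SHA-256).
func SignBatch(key *rsa.PrivateKey, start uint64, lines []string) ([]SignedRecord, error) {
	out := make([]SignedRecord, 0, len(lines))
	for i, l := range lines {
		seq := start + uint64(i)
		sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(seq, []byte(l)))
		if err != nil {
			return nil, err
		}
		out = append(out, SignedRecord{Seq: seq, Data: []byte(l), Sig: sig})
	}
	return out, nil
}

// VerifyBatch is the collector side: every signature must verify and the sequence must run contiguously from expected.
func VerifyBatch(pub *rsa.PublicKey, expected uint64, recs []SignedRecord) error {
	for _, r := range recs {
		if r.Seq != expected {
			return fmt.Errorf("sequence break: want %d, got %d", expected, r.Seq)
		}
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(r.Seq, r.Data), r.Sig); err != nil {
			return fmt.Errorf("record %d: %w", r.Seq, err)
		}
		expected++
	}
	return nil
}
```

Because the sequence number is inside the signed digest, a collector that remembers the last verified sequence number detects gaps, replays and reordering as well as edited content; the signing key would live only on the agent host.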