Regardless of what type of log you send to the LCE, it will automatically build a profile of your network's "normal" activity and alert on changes which could be the result of normal administration or the result of malicious users. Login failures, web server "404" errors, software installs, user account creations, network activity, file integrity check alerts, firewall logs, web browsing and even IDS events can all be statistically profiled. When a significant change in activity is detected, the LCE can generate alerts.
Each LCE builds up the following profile for each host on your network:
- Client and Server connection activity
- Inbound/Outbound/Internal/External connection rates
- Unique event rate profiles for each normalized log type
- A baseline of normal event types to alert when events that have "Never Been Seen" occur
When deviations in these host models occur from "normal" activity, the LCE will generate an alert.
Configuring this type of anomaly detection is also very simple. All an LCE administrator needs to decide is the "volume" level of statistically significant events, i.e. how large a deviation must be before it is reported. The LCE performs self-tuning from then on, regardless of log source or the "randomness" level of your network activity and logs.
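The following is an added illustration of the two kinds of host-profile alert described above, written for this page and not taken from Tenable's LCE: it learns per-host, per-event-type counts over a set of learning windows, then reports event types that have never been seen on a host and event rates that exceed the learned mean by a configurable number of standard deviations (the "volume" knob). The host names, event types, window numbering and sample log are all constructed for the example; the real LCE's normalization, window sizes and statistics are not reproduced here.

```python
"""
Toy per-host baseline profiler illustrating "never seen" and statistical
rate alerts. Added example, not Tenable LCE code; all names and data are
constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed log, expanded from (window, host, event_type, line_count) tuples
# into one "<window> <host> <event_type>" line per event. Windows 1-5 are the
# learning period; window 6 is the window under test.
_SPEC = [
    (1, "web01", "http-404", 3), (2, "web01", "http-404", 4), (3, "web01", "http-404", 3),
    (4, "web01", "http-404", 5), (5, "web01", "http-404", 4),
    (1, "web01", "ssh-login-fail", 1), (3, "web01", "ssh-login-fail", 1), (4, "web01", "ssh-login-fail", 1),
    (1, "db01", "ssh-login-fail", 1), (3, "db01", "ssh-login-fail", 1), (5, "db01", "ssh-login-fail", 1),
    # window under test
    (6, "web01", "http-404", 20),             # burst of 404s, well above the learned rate
    (6, "web01", "ssh-login-fail", 1),        # within normal range
    (6, "web01", "user-account-created", 1),  # never seen on this host during learning
    (6, "db01", "ssh-login-fail", 1),         # within normal range
]
SAMPLE_LOG = "\n".join(f"{w} {h} {e}" for w, h, e, n in _SPEC for _ in range(n))

LEARNING_WINDOWS = range(1, 6)
TEST_WINDOW = 6


def parse_log(text):
    """Yield (window, host, event_type) from '<window> <host> <event_type>' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than abort the run
        yield int(parts[0]), parts[1], parts[2]


def count_events(records):
    """Return {host: {event_type: Counter(window -> count)}}."""
    counts = defaultdict(lambda: defaultdict(Counter))
    for window, host, event in records:
        counts[host][event][window] += 1
    return counts


def build_profile(counts, learning_windows):
    """Per host and event type, the zero-filled count for every learning window.

    Event types with no occurrences during learning are left out, so they show
    up later as "never seen" for that host.
    """
    profile = {}
    for host, events in counts.items():
        profile[host] = {
            event: [per_window.get(w, 0) for w in learning_windows]
            for event, per_window in events.items()
            if any(per_window.get(w, 0) for w in learning_windows)
        }
    return profile


def detect(counts, profile, window, sensitivity=3.0, sigma_floor=1.0):
    """Compare one window against the profile and return alert tuples.

    sensitivity is the "volume" knob: how many standard deviations above the
    learned mean an event count must be to be reported. sigma_floor stops a
    perfectly steady history (stdev 0) from turning every change into an alert.
    """
    alerts = []
    for host, events in counts.items():
        for event, per_window in events.items():
            observed = per_window.get(window, 0)
            if observed == 0:
                continue
            history = profile.get(host, {}).get(event)
            if history is None:
                alerts.append(("never-seen", host, event, observed))
                continue
            threshold = mean(history) + sensitivity * max(pstdev(history), sigma_floor)
            if observed > threshold:
                alerts.append(("statistical", host, event, observed))
    return alerts


def run_example(sensitivity=3.0):
    """Learn from windows 1-5 of the constructed log and test window 6."""
    counts = count_events(parse_log(SAMPLE_LOG))
    profile = build_profile(counts, LEARNING_WINDOWS)
    return detect(counts, profile, TEST_WINDOW, sensitivity)


if __name__ == "__main__":
    for kind, host, event, n in run_example():
        print(f"{kind:12} host={host} event={event} count={n}")
```

With the default sensitivity the run reports two alerts: a statistical alert for the 404 burst on web01 (20 events against a learned mean of 3.8) and a never-seen alert for the account-creation event on the same host, while the single login failures on both hosts stay quiet. Raising the sensitivity to 20 suppresses the rate alert but not the never-seen one, which is the point of keeping the two checks separate: a brand-new event type is reported regardless of volume.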
When combined with the LCE's event correlation, behavioral anomalies can be combined with asset information or information about other events. For example, Tenable has released TASL event correlation scripts which automatically detect when a system has been attacked and then begins to behave irregularly later on.
When used with LCE's netflow or network sniffing agents, these anomaly rules can help detect zero-day attacks, worm outbreaks and DDoS.
Change events highlight any modifications
Statistical events indicate activity level changes
Activity graphs visually show events