SOLUTION OVERVIEW
All SenSage solutions are built on SenSage 4, the company's patented columnar-based event data warehouse. More than 400 customers have deployed SenSage Solutions to reduce Security, Compliance and Operations risks at a fraction of the cost of traditional security, log management and data warehouse approaches. SenSage also provides new Business Data Intelligence solutions that enable organizations to make better business decisions, dramatically reduce costs, and improve their ability to respond to risk and security threats.
Key elements for the SenSage 4 event data warehouse include:
Data Collection - SenSage has an unparalleled log & event collection layer called the Collector. Data collection, sometimes called Extract/Transform/Load (ETL), is particularly complex for event data due to the lack of standards and huge data volumes. ETL is a key process to bring heterogeneous and asynchronous event data sources together in a homogeneous environment. Through the Collector, customers have out-of-the-box support for over 250 sources (Log Adapters). Log adapters run in an agentless mode, without requiring agents to be deployed on or near the log source. The Collector receives event and log data through a wide variety of protocols including but not limited to: Syslog, syslog-ng, SNMP, FTP, SFTP, SCP, SMB, RPC, SQL*Net/RDBMS, HTTP(S) GET and PUSH. Customization is easy and many customers develop their own log adapters. SenSage collects data in both real-time stream and batch modes, generating real-time and batch alerts respectively.
Real-Time Event Correlation - SenSage 4 includes a highly scalable real-time correlation engine, the Scalable Alert Server (SAS). Correlation is based on the application of threshold and scenario-based rules against multi-source, real-time event streams. The SAS can easily be distributed to support scalable parsing processes for large deployments and has virtually no limit on event rate or volume. While real-time correlation performs dynamic parsing, normalization, filtering, analysis and alerting, a separate data fork of the same unparsed event logs and subsequent alerts is sent to a long-term data repository in a tamper-resistant, raw format. This capability uniquely bridges real-time and historic analysis while maintaining the complete event log for forensic evidence. Further, this allows instant replay visualization - events can be graphically and sequentially replayed.
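The two paths described above, a threshold rule evaluated over the parsed stream while every unparsed line is forked into a tamper-evident store, as an added illustration that is not SenSage code; the sample lines, the rule parameters and all names are assumptions:

```python
import hashlib
import re
from collections import defaultdict, deque

# Constructed sample stream: (seconds since start, raw syslog line). Not real data.
RAW_EVENTS = [
    (1, "host1 sshd[1]: Failed password for root from 10.0.0.5"),
    (2, "host1 sshd[1]: Failed password for root from 10.0.0.5"),
    (3, "host1 sshd[1]: Accepted password for alice from 10.0.0.7"),
    (4, "host1 sshd[1]: Failed password for root from 10.0.0.5"),
    (300, "host1 sshd[1]: Failed password for root from 10.0.0.5"),
]
LINE_RE = re.compile(r"sshd\[\d+\]: (\w+) password for (\S+) from (\S+)")

def parse_event(raw):
    """Normalise one raw line into (outcome, user, src_ip); None if it does not match."""
    m = LINE_RE.search(raw)
    return (m.group(1).lower(), m.group(2), m.group(3)) if m else None

class RawForkStore:
    """The 'data fork': each unparsed line is appended with a hash chained to the previous entry."""
    def __init__(self):
        self.entries = []          # (raw_line, chain_hash)
        self.last = "0" * 64       # chain seed
    def append(self, raw):
        self.last = hashlib.sha256((self.last + raw).encode()).hexdigest()
        self.entries.append((raw, self.last))
    def verify(self):
        """Recompute the chain; any edited, removed or reordered line breaks it."""
        prev = "0" * 64
        for raw, digest in self.entries:
            prev = hashlib.sha256((prev + raw).encode()).hexdigest()
            if prev != digest:
                return False
        return True

def correlate(events, threshold=3, window=60):
    """Threshold rule: alert when one source IP has >= threshold failed logins within `window` seconds."""
    store, failures, alerts = RawForkStore(), defaultdict(deque), []
    for ts, raw in events:
        store.append(raw)                 # raw copy is kept whether or not it parses
        ev = parse_event(raw)
        if not ev or ev[0] != "failed":
            continue
        q = failures[ev[2]]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, ev[2], len(q)))
            q.clear()                     # one alert per burst
    return alerts, store
```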
Columnar Database - SenSage has developed and patented a columnar database architecture approach for event data. Unlike traditional relational database management systems that use a row format, data is organized by column in a single, centralized data repository specifically designed for event data. While the difference may sound trivial, the performance gains are dramatic. Indexes are unnecessary as each column is actually an index, reducing storage and maintenance requirements. Data is compressed at a 40:1 advantage vs. relational databases and stored in a hierarchical series of folders and flat files on each node's local disk. Deployed in an MPP organization, the SenSage Event Data Warehouse easily scales by adding new nodes and takes advantage of new hardware features such as multi-core processors and faster local drives. To maintain constant availability, backup copies of each node's data are stored on another node for data redundancy and automatic failover. With SenSage, organizations can easily query years of data from multiple sources at any detail level to support their business requirements.
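A simplified column store, added here to show why a column can serve as its own index and why repetitive event columns compress; this is an illustration, not SenSage's implementation, and the sample rows, the dictionary encoding and the byte estimates are assumptions:

```python
# Added example, not SenSage code; names and sample data are assumed.
from collections import defaultdict

# Constructed sample events in row format, as they arrive from a collector.
ROWS = [
    {"ts": 1, "host": "web1", "user": "alice", "action": "login"},
    {"ts": 2, "host": "web1", "user": "bob", "action": "login"},
    {"ts": 3, "host": "web2", "user": "alice", "action": "logout"},
    {"ts": 4, "host": "web1", "user": "alice", "action": "login"},
]

class ColumnStore:
    """Each column is a dictionary (value -> small code) plus one code per row."""
    def __init__(self, rows):
        self.n = len(rows)
        self.dicts = defaultdict(dict)   # column -> {value: code}
        self.codes = defaultdict(list)   # column -> [code for each row]
        for row in rows:
            for col, val in row.items():
                d = self.dicts[col]
                code = d.setdefault(val, len(d))
                self.codes[col].append(code)

    def where(self, col, val):
        """Exact match on one column: scan that column's codes only (no separate index)."""
        code = self.dicts[col].get(val)
        if code is None:
            return []
        return [i for i, c in enumerate(self.codes[col]) if c == code]

    def query(self, **preds):
        """AND of exact matches across several columns, e.g. query(user='alice', action='login')."""
        ids = set(range(self.n))
        for col, val in preds.items():
            ids &= set(self.where(col, val))
        return sorted(ids)

    def select(self, cols, row_ids):
        """Reassemble only the requested columns for the matching rows."""
        inv = {col: {c: v for v, c in self.dicts[col].items()} for col in cols}
        return [{col: inv[col][self.codes[col][i]] for col in cols} for i in row_ids]

    def column_bytes(self, col):
        """Rough stored size: each distinct value once plus one byte per row (assumes < 256 values)."""
        return sum(len(str(v)) for v in self.dicts[col]) + len(self.codes[col])

def row_bytes(rows, col):
    """Size of the same column if every row carried the full value (row format)."""
    return sum(len(str(r[col])) for r in rows)
```

The saving grows with repetition: the more rows share a value, the closer a column's cost gets to one byte per row.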
Reporting Abstraction Layer - SenSage IntelliSchema provides cross-source and cross-vendor reporting, and new data sources can be easily added with no SQL changes. It was designed to give customers the ability to expand their solution footprint on the fly, adding new sources, new reports and analyses, without any changes to their data schema. IntelliSchema collects all the data, parses it for analysis, and easily incorporates custom data sources in both the collection and reporting processes. There is no need for complex indexed searches. Customers can adapt to new threats and new regulations without major upgrades or services engagements and there is no need for involving DBAs.
Management Console - The SenSage management console, called the Analyzer, provides a state of the art user interface to SenSage business analytics, reports, real-time and batch alerts, and administration functions. Report wizards enable non-technical users to create new reports, dashboards, and ad-hoc queries in seconds using a drag and drop interface. Exact-match querying across any data column enables easy creation of data aggregation, trending, business and technical level reports through bar, line, and tabular charts. Unlike solutions that use "Google-style" searches, only exact matches are returned. Technical users can use underlying SQL code to further refine and fine-tune reports and queries. External Business Intelligence tools can also be easily incorporated into SenSage analytics.
Administration - GUI-based administrative screens enable easy management of users, privileges, schedules, and reports. SenSage offers robust and secure authentication, administration and access control with multiple security levels down to a very granular degree of control. Authorized users are assigned roles with specific permissions that determine which features, functions, reports and data each user has access to. Role-based filters support granular permissions where users only see data with specific values (for example, users only see data related to systems they own). Users can install SenSage clients in any geographic location, and the connection between client and server is secure and encrypted.
Analytics - SenSage provides out-of-the-box analytics packages with sets of pre-defined real-time rules, reports and dashboards mapped to common security monitoring guidelines and compliance standards. This offers customers a reduced time to value and immediate visibility into compliance with government regulations and standards, as well as security threats. SenSage currently has suites of reports which include: Foundation Analytics Package (ISO 17799), HIPAA Analytics Package, SOX Analytics Package, PCI Analytics Package and Government Analytics Package that covers FISMA, DCID/3, and NISPOM. SenSage has also expanded coverage to include report packages designed for specific business applications such as SAP, Database, Windows, Oracle, and is developing other industry-specific applications.
EVENT DATA WAREHOUSE
SenSage offers something new to the world of data management - the Event Data Warehouse. SenSage products consist of a patented, purpose-built Event Data Warehouse and targeted, pre-packaged Solutions that provide actionable results at a fraction of the cost of traditional data warehouse solutions and offer far superior analysis and scalability when compared to security and log management point solutions.
Event Data is Everywhere
Event data, sometimes referred to as an "audit trail" or "system of record", is a set of chronologically sequenced data records that capture information about an event. Driven by changes in security threats, compliance mandates, and risk management initiatives, organizations are collecting event data from multiple sources, storing it online longer, and analyzing it more frequently. Examples of event data include:
* Network and security devices
* Physical access systems
* Identity management systems
* Workstations, servers, and operating systems
* Database activity
* Enterprise applications - 3rd party and in-house
* Banking transactions such as online, ATM and debit card use
* Historical prices of stocks and other instruments
* Telco call detail records (CDRs)
* Internet protocol detail records (IPDRs) of web based access and transactions
* Updates to shipping status in RFID records
* Email, Windows, network and other systems management activity events
* Manufacturing sensor data
Event Data is Important
Sophisticated, long term analysis of event data is the key to addressing emerging security threats, compliance mandates, and a host of risk management initiatives. Why? First, compliance mandates require firms to retain and analyze event data for up to seven years. As a result, nearly every organization is required to create secure, centralized log and event data repositories. Second, event data is the fingerprint of internet and corporate system activity and is critical to preventing and minimizing corporate security threats. Recent independent reports peg the cost of stolen corporate data for a mid-sized corporation at $6.6M per incident and rising. Preventing and minimizing these threats requires precise analysis of multiple, complex data sources in real-time and, especially, over long time frames. Organizations that are not leveraging log and event data to make strategic decisions are putting their firms at risk.
Unique Challenges of Managing Event Data
For many organizations, event data is their fastest growing data and, often, their single largest data store. Even for small firms, it's common to generate over a terabyte a day. For most, the first place to turn for help is to legacy data management suppliers. Unfortunately, traditional data management systems were built for transactional data, not event data. The requirements to manage event data are different:
* Data - Log and event data can never be updated or changed
* Collection - Difficult due to hundreds of data formats and dispersed endpoints
* Analysis - Data must be analyzed in real-time and over extremely long frames
* Users - Typically few users but they need access to years of data
* Queries - Often ad hoc, time-sensitive, and dispersed across huge data sets
* Volume - Enormous volumes of data creation and collection
Attempts to use traditional data management systems to manage event data often lead to dramatically higher costs and complexity. Some vendors still try to convince customers that a single enterprise data warehouse is the correct approach, forcing them to overspend and endure extremely long implementation cycles. Security vendors espouse the benefits of legacy log management and SIEM tools to manage event data. Unfortunately, these point solutions don't scale, are difficult to customize, and often can't address many of the emerging use cases of event data management. SenSage believes both of these strategies are wrong. Effective management of event data is achieved through a single enterprise approach that provides true business intelligence, rapid delivery, scale, and targeted business solutions.
The Event Data Warehouse
An Event Data Warehouse is purpose-built to provide actionable results from massive amounts of log and event data. Powerful features and benefits include:
* An integrated solution containing data collection (ETL), storage and business intelligence analytics components
* Data can be easily collected (without agents) from any source - databases, applications, logs.
* Solution analytics including dashboards, alerts, summary and trending reports provide automatic visibility to issues. From any of these, detailed investigations and ad hoc queries into terabytes of data are a click away.
* Data storage capabilities, built on a patented columnar database, provide a 40:1 compression advantage vs. traditional databases
* Advanced query techniques - data mining vs. "Google-like" search
* A clustered shared-nothing architecture that allows for deployment on inexpensive commodity hardware and incremental MPP scaling as data and query volume expand, without an upgrade of the current environment
* Open access from a number of methods including SQL, Perl DBI, and JDBC.
* Significantly lower TCO - 10:1 advantage in up front costs and ongoing administrator/DBA support costs
LOG MANAGEMENT
SenSage has helped hundreds of organizations around the world quickly implement Security and Log Management solutions for event data. Enterprise security has evolved from merely "keeping the bad guys out" to securing critical data and "keeping it inside". Insiders are clearly the new risk, and event data from internal systems exists that can catch the vast majority of security breaches prior to expensive and damaging results. SenSage Event Data Warehouse solutions minimize the time, expense, and risk for safeguarding a broad set of corporate assets.
SenSage purpose-built security solutions uniquely deliver actionable results from massive amounts of log and event data. Organizations are able to easily query years of data from multiple sources at any detail level to support their business requirements. SenSage Security and Log Management solutions include:
• Log Management — SenSage created the industry category for log management, and provides automated collection, storage, correlation and reporting to allow organizations to effectively manage activity and events from thousands of different log sources throughout the enterprise. SenSage delivered the first commercially available log management solution, and enables organizations to monitor end-users as well as administrators to detect suspicious behavior and intrusion attempts, establish audit trails for change control, enforce accountability over administrators, and conduct better investigations and forensic analysis.
• Windows Event Management — The collection, retention and reporting of Windows event data is a huge challenge for companies. Starting with the agent-less collection of Windows events, SenSage then deciphers and correlates complex event data to support out-of-the-box analytics, policy alerts and ad hoc forensic reporting. SenSage provides standard dashboards, reports and alerts that match Microsoft best-practice recommendations.
• SIEM - The SenSage SIEM solution supports a broad footprint of source types (including security monitoring products, applications and databases), and complex real-time, long-term, and multi-source event correlation. A powerful management console makes it easy to create and manage rules and organize information into customized dashboards. The benefits of the SIEM solution include substantially improved data retention, enhanced data analytics and real-time alerting capabilities for a 360-degree view of user-access monitoring, forensics and compliance reporting.
• McAfee Enterprise Security — SenSage and McAfee have partnered to integrate their solutions to provide a complete 360-degree view of system and user activity directly from McAfee ePolicy Orchestrator (ePO). The integrated solution provides in-depth reports on log data from virtually any McAfee product and publishes them directly into ePO dashboards.
Implementing controls to monitor insider access, database activity, email activity and enterprise application activity helps organizations reduce risk and is easily justified with the financial analysis senior executives require. SenSage delivers Security and Log Management solutions for industries including Communications, Financial Services, Health Services, Government, Insurance, Retail and Utilities.