Overview of the risk detection modules.

Your needs are the starting point: our portfolio comprises six IT risk detection modules from which you can select freely. If you wish, our experts assist you in selecting the right components for your IT security monitoring.

Security Information & Event Management (SIEM)

The collection, analysis and correlation of logs from various sources produces alerts when security flaws or potential risks are found.

Central to a SIEM is the collection and analysis of logs from various sources within a network (e.g. servers, clients, network devices, firewalls, applications) for security-relevant information and events. Common log formats are understood out of the box, and additional parsers can always be added to normalize custom logs. Information and events from all these areas are aggregated. Risks are identified by the state-of-the-art correlation engine, whose correlation rules and policies are continuously updated, enhanced and customized.

This enables effective management of security flaws: fraudulent use of IT systems and applications, internal fraud and security threats are detected among millions of events. Our Intelligence Team analyses suspicious events and prioritizes them by business criticality and urgency. The number of events reported to a client is thereby reduced to a handful of important incidents.

The system is configured efficiently through predefined filters, templates and plugins, so setup is neither time-consuming nor resource-intensive.
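As an added illustration of the pipeline described above (example code written for this page, not the vendor's product code), the following script normalizes two constructed log formats, an sshd-style syslog line and a JSON application record, into one event schema, aggregates them into a single time-ordered stream and applies one correlation rule: several failed logins from the same source address within a short window followed by a successful login. The log lines, the threshold and the window are assumptions made for the example.

```python
"""Minimal SIEM-style pipeline: normalize two log formats into one event
schema, then run a correlation rule over the merged stream.
All sample log lines below are constructed for this example."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one OpenSSH-style syslog source and one
# application source that writes JSON. Timestamps are ISO 8601 here for
# simplicity (real syslog would need year and timezone handling).
SYSLOG_LINES = [
    "2024-03-01T10:00:01 bastion sshd[411]: Failed password for root from 203.0.113.7 port 5110 ssh2",
    "2024-03-01T10:00:04 bastion sshd[411]: Failed password for root from 203.0.113.7 port 5111 ssh2",
    "2024-03-01T10:00:09 bastion sshd[411]: Failed password for admin from 203.0.113.7 port 5112 ssh2",
    "2024-03-01T10:00:12 bastion sshd[411]: Accepted password for admin from 203.0.113.7 port 5113 ssh2",
    "2024-03-01T10:05:00 bastion sshd[412]: Failed password for bob from 198.51.100.9 port 6000 ssh2",
]
APP_LINES = [
    '{"ts": "2024-03-01T10:00:02", "src": "203.0.113.7", "user": "root", "result": "fail"}',
    '{"ts": "2024-03-01T10:00:06", "src": "203.0.113.7", "user": "root", "result": "fail"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_sshd(line):
    """Parser for the syslog/sshd format; returns a normalized event or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "sshd",
        "src_ip": m["src"],
        "user": m["user"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
    }


def parse_app_json(line):
    """Parser for the JSON application format; same normalized schema."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return {
        "ts": datetime.fromisoformat(rec["ts"]),
        "source": "app",
        "src_ip": rec["src"],
        "user": rec["user"],
        "outcome": "success" if rec["result"] == "ok" else "failure",
    }


def normalize(syslog_lines, app_lines):
    """Aggregate events from every source into one time-ordered stream."""
    events = [e for e in map(parse_sshd, syslog_lines) if e]
    events += [e for e in map(parse_app_json, app_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failures from one source IP
    within `window`, followed by a success from that IP, raises one alert."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in events:
        ip = e["src_ip"]
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            failures[ip] = recent + [e["ts"]]
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "bruteforce_then_success",
                "src_ip": ip,
                "user": e["user"],
                "failures": len(recent),
                "at": e["ts"].isoformat(),
            })
            failures[ip] = []  # reset so the same burst alerts only once
    return alerts


def run():
    """Full pipeline over the constructed sample: parse, aggregate, correlate."""
    return correlate_bruteforce(normalize(SYSLOG_LINES, APP_LINES))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Because both parsers emit the same schema, the rule sees the failures recorded by the application and by sshd as one sequence, which is the point of normalizing before correlating; on the sample above the five failures from 203.0.113.7 followed by the accepted login yield a single alert, while the lone failure from 198.51.100.9 yields none.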


Network-based Intrusion Detection (NIDS)

High-performance analysis of network traffic is used for signature- and behaviour-based detection of malware, anomalies and other network traffic risks.

Network traffic to and from the Internet is analysed in real time to detect suspicious patterns and anomalies such as malware, command-and-control servers, bots, spyware, drive-by download sources, DDoS targets and sources, and others.

More than 19,000 continuously updated signatures and rules, matched with IP reputation data, serve as the basis for detection. Additional behaviour-driven analysis covers zero-day exploits and other unknown attacks for which no signature exists, and protocols are detected even when they run on non-standard ports. Moreover, thousands of file types are identified via MD5 checksums, and files can be extracted from the traffic so that documents can be kept out of, or prevented from leaving, the network.

Technical details: The module is highly scalable, with an optional master/probe configuration for decentralised Internet breakouts. 1 Gbit and 10 Gbit interfaces (copper and fibre) are supported.


Vulnerability Management and Assessment (VAS)

Continuous internal and external vulnerability scans with comprehensive detection, compliance checks and tests deliver results with zero false positives and full vulnerability coverage.

VAS provides continuous, highly accurate internal and external vulnerability scans for a 360-degree view. Besides fast and efficient authenticated and unauthenticated vulnerability scans, it detects open ports, potentially insecure or unnecessary services running on those ports, and shares, including insecurely configured shares.

Compliance and password checks also spot configuration problems in applications as well as in password and user policies; default and missing passwords are detected. Outdated patch levels of installed software and services are identified, using registry and DLL checks on Windows systems.

State-of-the-art vulnerability scanning in combination with the analysis of the Intelligence Team delivers results with zero false positives and full vulnerability coverage.

Scanning is safe: disturbance of the availability or integrity of information is avoided, and predefined scan plans keep scans from interfering with daily operations or availability. No training is required.

In total, more than 67,000 tests are carried out in the categories OS, software and vulnerabilities, using the largest database in the industry.

Vulnerabilities are categorized as high, medium or low risk and by their exploitability, providing easy-to-understand overviews of the current vulnerability landscape and information ready for compliance requirements.


VAS - Technical details

The comprehensive scanning capabilities include:

  • Network devices: firewalls/routers/switches (Juniper, Check Point, Cisco, Palo Alto Networks), printers, storage
  • Virtualization: VMware ESX, ESXi, vSphere, vCenter, Hyper-V, and Citrix XenServer
  • Operating systems: Windows, Mac, Linux, Solaris, BSD, Cisco IOS, IBM iSeries
  • Databases: Oracle, SQL Server, MySQL, DB2, Informix/DRDA, PostgreSQL, MongoDB
  • Web applications: Web servers, web services, OWASP vulnerabilities
  • Cloud: scanning of cloud applications and instances like Salesforce and AWS

Software Compliance (SOCO)

Software compliance per server or server group is assessed against policies, with continuous analysis of the current status.

The software compliance module manages the full software inventory of Windows and Linux systems. Installed software is retrieved continuously, and both currently and previously installed software is displayed.

Policies define the software compliance rules, including permitted software and software packages, minimum software versions and blacklisted software. Compliance is then analysed against these policies and over its historical progression.

Alerts point to software with known vulnerabilities.
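As an added worked example of the policy evaluation described above (example code written for this page, not the vendor's module), the script below checks a constructed software inventory against a policy with the three rule types named in the text, permitted software, minimum versions and blacklisted software, diffs the current inventory against the previous snapshot for the historical view, and flags packages older than a fix version taken from a constructed stand-in for a vulnerability feed. Inventories, policy and the vulnerability list are all assumptions made for the example.

```python
"""Software compliance check: evaluate a host's installed-software inventory
against a policy of permitted packages, minimum versions and a blacklist,
and diff it against the previous snapshot. All data below is constructed."""
import re

# Constructed inventories: package name -> version, as an agent would report.
PREVIOUS = {"openssl": "3.0.2", "nginx": "1.24.0", "python3": "3.11.4"}
CURRENT = {"openssl": "3.0.2", "nginx": "1.25.3", "python3": "3.11.4",
           "netcat-traditional": "1.10", "telnetd": "0.17"}

# Constructed policy for one server group.
POLICY = {
    "permitted": {"openssl", "nginx", "python3", "curl"},
    "min_versions": {"openssl": "3.0.10", "nginx": "1.24.0"},
    "blacklisted": {"telnetd"},
}

# Constructed stand-in for a vulnerability feed: package -> first fixed
# version; anything older is reported as having known vulnerabilities.
KNOWN_VULNERABLE_BELOW = {"openssl": "3.0.8"}


def parse_version(v):
    """Turn '1.25.3' or '3.0.2a' into a comparable tuple of ints
    (non-numeric suffixes are dropped; sufficient for this example)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def evaluate(inventory, policy, vuln_feed):
    """Return a list of (package, rule, detail) findings; empty means compliant."""
    findings = []
    for name, version in sorted(inventory.items()):
        if name in policy["blacklisted"]:
            findings.append((name, "blacklisted", version))
            continue  # no point checking versions of forbidden software
        if name not in policy["permitted"]:
            findings.append((name, "not_permitted", version))
        minimum = policy["min_versions"].get(name)
        if minimum and parse_version(version) < parse_version(minimum):
            findings.append((name, "below_minimum", f"{version} < {minimum}"))
        fixed = vuln_feed.get(name)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((name, "known_vulnerable", f"{version} < {fixed}"))
    return findings


def inventory_diff(previous, current):
    """Historical progression: what was installed, removed or changed."""
    added = {n: current[n] for n in current.keys() - previous.keys()}
    removed = {n: previous[n] for n in previous.keys() - current.keys()}
    changed = {n: (previous[n], current[n])
               for n in previous.keys() & current.keys()
               if previous[n] != current[n]}
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    for finding in evaluate(CURRENT, POLICY, KNOWN_VULNERABLE_BELOW):
        print("FINDING", *finding)
    print(inventory_diff(PREVIOUS, CURRENT))
```

On the sample data the evaluation reports the blacklisted telnetd, the unlisted netcat-traditional and, for openssl, both a policy finding (below the required minimum) and a vulnerability finding (below the first fixed version), while the diff shows the two newly appeared packages and the nginx upgrade.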


Host-based Intrusion Detection System (HIDS)

Analysis, monitoring and detection of anomalies on hosts lead to active response and immediate alerts.

HIDS collects, analyses and pre-correlates the logs of a server or client and alerts when an attack, fraudulent use or an error is detected. It checks the file integrity of the local system, and rootkit detection identifies hidden activity by attackers, trojans, viruses and the like when system changes occur.

HIDS provides real-time alerts and active response. It integrates smoothly with SIEM and delivers additional valuable information for central correlation.

Technical details: It runs on nearly every operating system (Linux, Solaris, HP-UX, AIX, BSD, macOS, Windows, VMware ESX) and helps meet compliance requirements. Policies are deployed centrally to all HIDS agents in order to monitor the servers' compliance.


Advanced Threat Detection (Email & Web / ATD)

Next-generation sandbox technologies are used to detect advanced malware in e-mails.

Best-in-class detection of advanced malware is specifically designed to identify and stop advanced, evasive malware built to bypass conventional security defences and the sandbox technologies used by first-generation APT security systems.

The next-generation sandbox technology is powered by full-system emulation, which not only catches persistent threats and zero-day exploits but also gives a deeper understanding of malware behaviour in order to measure its impact.

A continuously updated advanced-threat feed keeps detection current.