Abstract

As discussed in the preceding chapter, the data processed by the Enterprise Security Management (ESM) system is no longer treated as a simple log. The logs have been enriched by the connectors or log collection appliances to the point where they are now considered events. When the ESM system receives these events, a series of real-time operations is applied in memory. In this way, ESM solutions help identify and manage malicious activity more efficiently than would be possible by relying on historical queries against a database. Examples of these operations are real-time event prioritization, correlation, and visual analytics. This chapter focuses on the ESM system's capability to process these events in real time and on some of the tools analysts can use to assist in investigations and incident response, in the form of workflow and network remediation. The next chapter covers event analysis from a forensics and reporting perspective, using historical data from the ESM system's database.
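To make the in-memory processing described above concrete, the following is an added illustration, not code from the book or from any ESM product: each normalized event receives a priority score derived from the connector-supplied severity and an asset-criticality value, and a sliding-window correlation rule raises a new, higher-priority correlated event when several failed logins from one source are followed by a success. The event fields, the weighting, the thresholds, and the sample events are all constructed for the example.

```python
"""In-memory prioritization and correlation over a stream of normalized events.

Added illustration only; the field names, weights, and thresholds are assumptions
chosen for the example and are not taken from any specific ESM implementation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Event:
    ts: int                 # seconds since epoch (constructed sample values)
    name: str               # normalized event name set by the connector
    src: str                # source address
    user: str               # account involved
    severity: int           # 0-10, normalized by the connector
    asset_criticality: int  # 0-10, taken from the asset model
    priority: int = 0       # filled in by prioritize()


def prioritize(ev: Event) -> int:
    """Weighted priority (0-10) combining event severity and asset criticality.

    The 60/40 weighting is an assumption for this example.
    """
    ev.priority = min(10, round(0.6 * ev.severity + 0.4 * ev.asset_criticality))
    return ev.priority


class BruteForceRule:
    """Fire when >= threshold failed logins from one source within `window`
    seconds are followed by a successful login from the same source."""

    def __init__(self, threshold: int = 3, window: int = 60) -> None:
        self.threshold = threshold
        self.window = window
        # Per-source timestamps of recent failures; bounded by the window
        # pruning below, so memory stays proportional to active sources.
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)

    def process(self, ev: Event) -> Optional[Event]:
        q = self.failures[ev.src]
        # Age out failures that fall outside the sliding window.
        while q and ev.ts - q[0] > self.window:
            q.popleft()

        if ev.name == "Login Failed":
            q.append(ev.ts)
            return None

        if ev.name == "Login Success" and len(q) >= self.threshold:
            q.clear()  # do not re-fire on the same burst of failures
            return Event(
                ts=ev.ts,
                name="Correlated: brute force followed by successful login",
                src=ev.src,
                user=ev.user,
                severity=9,  # correlated events carry their own severity
                asset_criticality=ev.asset_criticality,
            )
        return None


def run_pipeline(events: List[Event], rule: BruteForceRule) -> List[Event]:
    """Apply prioritization and correlation to events in arrival order."""
    alerts: List[Event] = []
    for ev in events:
        prioritize(ev)
        correlated = rule.process(ev)
        if correlated is not None:
            prioritize(correlated)
            alerts.append(correlated)
    return alerts


# Constructed sample stream: 10.0.0.5 fails three times inside the window and
# then succeeds (should fire); 10.0.0.7 fails three times but its success comes
# after the failures have aged out (should not fire).
SAMPLE_EVENTS = [
    Event(0, "Login Failed", "10.0.0.5", "alice", 3, 8),
    Event(0, "Login Failed", "10.0.0.7", "bob", 3, 8),
    Event(10, "Login Failed", "10.0.0.5", "alice", 3, 8),
    Event(10, "Login Failed", "10.0.0.7", "bob", 3, 8),
    Event(20, "Login Failed", "10.0.0.7", "bob", 3, 8),
    Event(25, "Login Failed", "10.0.0.5", "alice", 3, 8),
    Event(30, "Login Success", "10.0.0.5", "alice", 1, 8),
    Event(100, "Login Success", "10.0.0.7", "bob", 1, 8),
]

if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_EVENTS, BruteForceRule()):
        print(f"{alert.ts:>4}s priority={alert.priority} src={alert.src} {alert.name}")
```

The rule keeps only the per-source state it needs and prunes it on every event, which is what lets this kind of logic run continuously in memory instead of re-querying a database for each new event; the aged-out case for 10.0.0.7 shows that the window is enforced on arrival, not at query time.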
