A security plan that consolidates data from multiple sources is essential to preventing security breaches. If your company runs more than one operating system or uses different hardware platforms, a security plan that monitors each of the technologies in use offers a broader picture of the network. Event log correlation collects data from devices that use different technologies and provides a view of the relationship between events that occur on a network. The ability to view the interrelationship among events paints a broader picture of security breaches and of the path a breach takes through a network.
Correlating Events on a Single Platform
Single-platform correlation may work well for small or medium-sized organizations that run one operating system. The process collects information from a single type of log, such as the Windows event log, and gives security analysts the ability to complete a trend analysis.
Correlating Events on Multiple Platforms
Larger organizations that manage large amounts of data require a more scalable and robust solution. In this situation, correlation software collects information from multiple sources and technologies.
For example, if a company uses Windows 2000 in conjunction with Cisco routers and a Linux-based email platform, the process becomes more involved. Software that can collect events from both syslog information sent by the network hardware and event records delivered by Windows-based systems represents the most effective solution.
To illustrate, if a hacker successfully breaches the firewall, the firewall's syslog output records the event. Following the firewall breach, the hacker may attempt to access a Windows-based desktop. The native Windows event log records that attempt, and the security software collects information from both logs and paints a picture of how the two events are interrelated.
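The following is an added example (not code from the original article) of the multi-platform correlation just described: firewall syslog lines and Windows logon events are normalized onto one schema, then each firewall ALLOW is chained to later Windows logon events from the same source IP within a time window. The log lines and events are constructed, the syslog line format is assumed, and the logon event IDs 4624/4625 are the modern Windows Security log IDs rather than the Windows 2000 ones.

```python
import re
from datetime import datetime, timedelta
# Constructed sample input (not real logs): firewall syslog lines and Windows
# Security logon events already split into fields by a collector.
SYSLOG_LINES = [
    "2024-03-01T10:00:05Z fw01 kernel: DENY TCP 203.0.113.7:51000 -> 192.0.2.10:445",
    "2024-03-01T10:00:09Z fw01 kernel: ALLOW TCP 203.0.113.7:51001 -> 192.0.2.10:3389",
    "2024-03-01T10:30:00Z fw01 kernel: ALLOW TCP 198.51.100.4:40000 -> 192.0.2.20:443",
]
WINDOWS_EVENTS = [
    {"time": "2024-03-01T10:00:40Z", "host": "WS10", "event_id": 4625, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T10:00:52Z", "host": "WS10", "event_id": 4624, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T11:00:00Z", "host": "WS20", "event_id": 4624, "src_ip": "10.0.0.5", "user": "alice"},
]
SYSLOG_RE = re.compile(r"^(\S+) (\S+) \S+ (ALLOW|DENY) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
LOGON_IDS = {4624: "LOGON_OK", 4625: "LOGON_FAIL"}  # assumed modern Security log event IDs
def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize_syslog(line):
    """Map one firewall syslog line onto the common schema; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, action, proto, src, dst, port = m.groups()
    return {"time": parse_time(ts), "source": "syslog", "host": host, "action": action,
            "proto": proto, "src_ip": src, "dst_ip": dst, "dst_port": int(port)}
def normalize_windows(ev):
    """Map one Windows logon event onto the same schema as the syslog records."""
    return {"time": parse_time(ev["time"]), "source": "windows", "host": ev["host"],
            "action": LOGON_IDS.get(ev["event_id"], str(ev["event_id"])),
            "src_ip": ev["src_ip"], "user": ev["user"]}
def correlate(events, window=timedelta(minutes=5)):
    """Chain each firewall ALLOW to later Windows logon events from the same source
    IP inside the window, giving the cross-platform view the text describes."""
    events = sorted(events, key=lambda e: e["time"])
    chains = []
    for i, fw in enumerate(events):
        if fw["source"] != "syslog" or fw["action"] != "ALLOW":
            continue
        later = [e for e in events[i + 1:] if e["source"] == "windows"
                 and e["src_ip"] == fw["src_ip"] and e["time"] - fw["time"] <= window]
        if later:
            chains.append({"src_ip": fw["src_ip"], "firewall": fw, "windows": later})
    return chains

def run():
    events = [e for e in map(normalize_syslog, SYSLOG_LINES) if e] + [normalize_windows(w) for w in WINDOWS_EVENTS]
    return correlate(events)
```

On the constructed input, `run()` returns one chain: the ALLOW from 203.0.113.7 to port 3389 followed by a failed and then a successful logon from that address, while the unrelated ALLOW from 198.51.100.4 produces none.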
Event log correlation offers a detailed view of what occurs on different levels of a network. This powerful tool provides an informative option for security analysts who manage single- or multiple-platform networks and sift through significant amounts of information to identify security breaches.