Correlog Overview Presentation

CorreLog SIEM Technology Synopsis (transcript of a 21-slide deck; uploaded 26 Dec 2014)

Page 1: Correlog Overview Presentation

Correlog Market and Technology Overview

Account Executive

September 18, 2009

Page 2

The SIEM Market Continues to Grow

• The SIEM market grew about 30% in 2008, with total revenue at approximately $1 billion. Demand for SIEM remains strong (there is still a growing number of funded projects), but we are seeing a more tactical focus, with Phase 1 deployments that are narrower in scope. Despite a difficult environment, we still expect healthy revenue growth for 2009 in this segment. – Gartner May 2009

[Chart: Worldwide SIEM Market, revenue by year, 2006 to 2009; y-axis ticks $0, $500,000, $1,000,000, $1,500,000. The slide labels the axis "Revenue in Millions", but the Gartner figure of roughly $1 billion for 2008 quoted above implies the ticks are in thousands.]

Page 3

Companies Continue to Struggle with SIEM

• “The majority of respondents have not yet achieved those quantifiable benefits, and in some cases are seeing increases in audit deficiencies, security incidents, and operational costs associated with security management.” – May 19, 2009 Study on Current SIEM Deployments

Page 4

Why? The Enterprise Challenge

• How do I prioritize across my network security environment (AV, web filtering, endpoint encryption, anti-malware, host DLP, firewalls, switches, DB servers, application servers, etc.)?

• Rapidly changing threat environment

• With hundreds of GB of event data, how do I determine what is relevant to my organization?

Page 5

Why? The Enterprise Challenge (continued)

• Where are the REAL threats and vulnerabilities?

• How can I reduce false-positives?

• Where do I deploy my best resources?

• How do I automate the analysis and decision-making process to manage all that data?

• Can I leverage the investment in my existing infrastructure?

• How does that automation ensure compliance?

Page 6

CorreLog – A History of Success

• Originally founded in 1994

• Core team developed “Sentry Enterprise Manager” Network Management solution

• Company sold original Sentry technology to Allen Systems Group in 2001

• Original investors and developers created CorreLog in 2008

• More than 200 customers globally, including:

– US State Department

– Juniper Networks

– American Express

– Thrivent Financial

– UCLA Medical Center

Page 7

About CorreLog, Inc.


CorreLog delivers security information and event management (SIEM) combined with deep correlation functions. CorreLog's flagship product, the CorreLog Security Correlation Server, combines log management, Syslog, Syslog-NG, SNMP, auto-learning functions, neural network technology, proprietary semantic correlation techniques and highly interoperable ticketing and reporting functions into a unique security solution.

CorreLog furnishes an essential viewpoint on the activity of users, devices, and applications to proactively meet regulatory requirements, and provide verifiable information security. CorreLog automatically identifies and responds to network attacks, suspicious behavior and policy violations by collecting, indexing and correlating user activity and event data to pinpoint security threats, allowing organizations to respond quickly to compliance violations, policy breaches, cyber attacks and insider threats.

CorreLog provides auditing and forensic capabilities for organizations that must meet the logging, monitoring and audit requirements of PCI DSS, HIPAA, SOX, FISMA, GLBA, NCUA, and others. It maximizes the efficiency of existing compliance tools through its investigative capabilities and detailed, automated compliance reporting. CorreLog markets its solutions directly and through partners.

Page 8

How CorreLog Works

• High-speed message reception; enterprise-class, single-message, holistic view: integrates into the existing management hierarchy (OpenView, Tivoli, ePO, SEP11, etc.)

• Ability to index multiple gigabytes of data in real time

• Provides a cross-platform pool of pure event data to support forensics and other security operations

• Sophisticated search features let you perform rapid queries over messages from various platforms (routers, UNIX, Windows, Linux, firewalls, mainframes, etc.)

• Advanced correlation engine produces easy-to-understand reports and dashboard views from massive amounts of enterprise log messages coming from anywhere

Page 9

How CorreLog Works (continued)

Page 10

Cross-Platform Correlation

• CorreLog finds meaning in vast amounts of logs, events, and syslog data by translating them into messages. It uses the following unique correlation components:

– Threads: partitioning of raw message data into categories based on match patterns (e.g. keyword, device type, time interval)

– Alerts: count the messages received by a thread and generate a new message when a defined threshold is exceeded. Generated messages can be fed back into CorreLog for further correlation

Page 11

Cross-Platform Correlation

• Correlation Components (continued)

– Actions: the ability to act on a message when correlation rules are satisfied, such as running a program, sending a notification, updating a database, writing a log file, sending an SNMP trap, or opening a helpdesk ticket.

– Tickets: the highest level of correlation, where specific correlated patterns generate incident tickets that are assigned to specific users and groups.
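The Threads, Alerts, Actions and Tickets pipeline from the two slides above, as an added, simplified Python illustration (this is not CorreLog's code): messages are partitioned into threads by regex, a sliding-window count per thread raises an alert message when a threshold is crossed, the alert is fed back in as an ordinary message so that a second-level alert can correlate on alerts themselves, and actions (notify, open a ticket) run on whatever matches. The thread names, patterns, thresholds, the "correlator" pseudo-host and the syslog lines in SAMPLE_LOG are all constructed for this example.

```python
"""Threshold correlation with alert feedback: threads -> alerts -> actions -> tickets.

Added illustration of the pipeline the slides describe; not CorreLog's code.
Thread names, patterns, thresholds, the 'correlator' pseudo-host and the
syslog lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class Message:
    ts: datetime
    host: str
    text: str


@dataclass
class Alert:
    """Counts messages on one thread; fires when `threshold` arrive within `window`."""
    thread: str
    threshold: int
    window: timedelta
    severity: str
    seen: Deque[datetime] = field(default_factory=deque)


class Correlator:
    def __init__(self) -> None:
        self.threads: Dict[str, re.Pattern] = {}   # thread name -> match pattern
        self.alerts: List[Alert] = []
        self.actions: List[Tuple[re.Pattern, Callable[[Message], None]]] = []
        self.generated: List[Message] = []           # alert messages this engine produced
        self.notified: List[str] = []                # stand-in for e-mail/SNMP notifications
        self.tickets: List[dict] = []

    def add_thread(self, name: str, regex: str) -> None:
        self.threads[name] = re.compile(regex)

    def add_alert(self, thread: str, threshold: int, window_s: int, severity: str) -> None:
        self.alerts.append(Alert(thread, threshold, timedelta(seconds=window_s), severity))

    def add_action(self, regex: str, callback: Callable[[Message], None]) -> None:
        self.actions.append((re.compile(regex), callback))

    def ingest(self, msg: Message) -> List[str]:
        # Threads: partition the message into every thread whose pattern matches.
        matched = [name for name, pat in self.threads.items() if pat.search(msg.text)]
        # Alerts: sliding-window count per thread; clearing the window gives one alert per burst.
        for alert in self.alerts:
            if alert.thread not in matched:
                continue
            alert.seen.append(msg.ts)
            while alert.seen and msg.ts - alert.seen[0] > alert.window:
                alert.seen.popleft()
            if len(alert.seen) >= alert.threshold:
                count = len(alert.seen)
                alert.seen.clear()
                generated = Message(
                    msg.ts, "correlator",
                    f"ALERT sev={alert.severity} thread={alert.thread} count={count} "
                    f"window={int(alert.window.total_seconds())}s last_host={msg.host}")
                self.generated.append(generated)
                self.ingest(generated)  # feedback: an alert is a message and can correlate again
        # Actions: run on raw and generated messages alike.
        for pat, callback in self.actions:
            if pat.search(msg.text):
                callback(msg)
        return matched

    def open_ticket(self, msg: Message, assignee: str) -> None:
        self.tickets.append({"assignee": assignee, "opened": msg.ts.isoformat(), "summary": msg.text})


def parse_syslog(line: str) -> Message:
    """Parse the constructed '<ISO timestamp> <host> <text>' format used in SAMPLE_LOG."""
    ts, host, text = line.split(" ", 2)
    return Message(datetime.fromisoformat(ts), host, text)


# Constructed sample: two SSH brute-force bursts from one source, plus unrelated firewall noise.
SAMPLE_LOG = """\
2009-09-18T10:00:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
2009-09-18T10:00:05 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51235 ssh2
2009-09-18T10:00:09 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51236 ssh2
2009-09-18T10:00:14 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51237 ssh2
2009-09-18T10:00:20 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51238 ssh2
2009-09-18T10:03:12 fw01 kernel: iptables DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 DPT=23
2009-09-18T10:06:00 db02 sshd[917]: Failed password for oracle from 203.0.113.5 port 40001 ssh2
2009-09-18T10:06:07 db02 sshd[917]: Failed password for oracle from 203.0.113.5 port 40002 ssh2
2009-09-18T10:06:15 db02 sshd[917]: Failed password for oracle from 203.0.113.5 port 40003 ssh2
2009-09-18T10:06:22 db02 sshd[917]: Failed password for oracle from 203.0.113.5 port 40004 ssh2
2009-09-18T10:06:30 db02 sshd[917]: Failed password for oracle from 203.0.113.5 port 40005 ssh2
""".splitlines()


def run_demo() -> Correlator:
    c = Correlator()
    c.add_thread("ssh_auth_failure", r"sshd\[\d+\]: Failed password")
    c.add_thread("high_alerts", r"^ALERT sev=high ")          # a thread over generated alerts
    c.add_alert("ssh_auth_failure", threshold=5, window_s=60, severity="high")
    c.add_alert("high_alerts", threshold=2, window_s=900, severity="critical")
    c.add_action(r"^ALERT ", lambda m: c.notified.append(m.text))                    # notify on every alert
    c.add_action(r"^ALERT sev=critical ", lambda m: c.open_ticket(m, "soc-oncall"))  # ticket only the top level
    for line in SAMPLE_LOG:
        c.ingest(parse_syslog(line))
    return c


if __name__ == "__main__":
    result = run_demo()
    for m in result.generated:
        print(m.ts.time(), m.text)
    print("tickets:", result.tickets)
```

Two design points matter in practice. Clearing the window after an alert fires is what keeps a 500-attempt brute force from producing 100 alerts (the false-positive question from slide 5); without it every message past the threshold would fire again. And because generated alerts are re-ingested, the pattern of the thread that produced an alert must not match the alert text it generates, or the feedback loop never terminates; here the second-level thread matches only the "ALERT sev=high" prefix, and the critical alert it emits matches nothing.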

Page 12

Who to call on

• Network Admin

• VP of IT Security

• CISO

• Compliance and Audit

Page 13

Questions to ask

• What are the endpoints and platforms from which you collect log data?

• Are there any devices you are unable to collect log data from currently?

• Are you able to correlate security events on these platforms and efficiently secure your enterprise?

• Can you perform queries on all the IT data in your environment?

Page 14

Key Differentiators

• Real-Time Event Correlation – CorreLog uses Threads, Alerts, Triggers, and Actions to give meaning to massive amounts of log messages, so that you can take quick, decisive action to protect your environment

• High Speed Indexing – Searching is done in a Google-like fashion to produce quick and accurate queries, with no dependence on an external database or third-party components

• Mainframe Agent – Ability to correlate security log events occurring on IBM mainframes and in the RACF, CA-ACF2, and CA-Top Secret security products

• Flexible Reporting – Customize and deliver relevant detail via email, RSS feed, or secure portal to defined groups or individuals

• Double Byte Support – CorreLog fully supports double-byte character sets (DBCS), allowing localization for the Asia Pacific region

• Dashboards – A 3,000-foot overview of the security environment from a single pane of glass, with customizable views and objects

• IT Search – The ability to search and analyze all the data from your IT infrastructure and perform ad hoc investigations on log data

Page 15

Market Snapshot: The Competitive Landscape

Comparison criteria (each vendor is rated Strong or Weak / None on the slide; the per-vendor ratings are not in the transcript):

• Consolidate Log Messages

• Event Correlation

• Prioritize incidents

• Support Thousands of EPS

• Compliance Auditing

• Customizable Dashboards

• Custom Reporting

• Secure Archiving

Page 16

Market Snapshot: The Competitive Landscape (cont.)

Comparison criteria, continued (same Strong / Weak / None legend; ratings not in the transcript):

• Windows Agent (converts to Syslog)

• IT Search

• Double Byte Support

• UNIX/Linux Agent

• Quick installation

• Mainframe Agent/Support

• Cost Effective

• Web Based Interface

Page 17

Sample Dashboard View

Page 18

Custom, Mainframe Dashboard View

Page 19

Custom Dashboard Drill-Down

Page 20

Customer Testimonial

“Our implementation of CorreLog has given us the power to quickly discover security threats and has allowed us to do it with fewer internal resources. CorreLog shows us the things that are going on in our environment, correlates and categorizes these events, allowing us to take quick, decisive action and ensuring our security compliance. This has enabled ASG to move from a reactive organization when it comes to security, to becoming a much more proactive one.”

– Alan Bolt, Chief Information Officer, ASG

Page 21

Market and Technology Discussion

Questions or Comments?

Jeff Stomber – Account Executive

Phone: 239-821-9761

Email: [email protected]