Advanced Security Operations Center
BigSIEM
BigSIEM is our security event correlation engine. From here, we manage security events in order to provide rapid detection of, and response to, any threat to IT systems.
BigSIEM merges four major systems:
- BigDATA: a cluster that grows dynamically, both horizontally and vertically, for the collection, storage and analysis of logs and monitoring events.
- Threat Analyzer: heuristic analysis based on proprietary and third-party signatures. More than a hundred vendors are covered, among them the largest on the market (AlienVault, Snort, Suricata, etc.).
- Dynamic Malware Analyzer: a proprietary sandbox plus integration with more than 50 vendors for malware analysis, run either on demand or automatically according to defined monitoring rules. It can analyze most detected downloads, adding a layer on top of the antivirus security measures.
- Intelligence Engine: our intelligence engine is an ad hoc development, designed by our intelligence and security engineers and analysts. It performs event correlation, advanced heuristic detection, monitoring and alerting, learning from the behavior of our clients’ systems.
What do we get?
- Real-time analysis
- Data storage and recording
- Categorization and records
- Business intelligence
- Alerts and notifications
- Visualization and control tools
- Event prioritization
- Reporting
- Compliance
BigSOAR – Incident Containment
BigSOAR is a set of drivers or interfaces that interconnect BigSIEM with the systems governed by our Operations Center. It allows immediate containment actions to be executed on those systems when a breach occurs, reducing the attacker’s probability of success.
What actions can BigSOAR take?
- Block a user in Active Directory (Azure or on-premises) when an unauthorized login is detected (after brute force, on suspicion of credential theft, from unauthorized locations, etc.).
- Firewall blocking of malicious incoming traffic, for example in response to intrusion attacks against servers.
- Firewall blocking of outgoing traffic to a malicious address, e.g. in case of data exfiltration.
- Firewall blocking of an internal IP address. This is an additional, faster measure that complements host isolation in the EDR.
- Expel a VPN-SSL user from the firewall when their login is identified as malicious.
- Isolate a workstation from the network, through the EDR, when malicious activity is detected on it.
- Kill a process on all systems in the network.
- In very serious cases, remote shutdown of network servers to prevent the spread of malware or reduce its impact.
BigSOAR integrates with the main vendors on the market (Fortinet, Palo Alto, Trend Micro, Bitdefender, Sophos, Check Point, Windows, Linux, etc.).