Infigo SIEM (Security Information and Event Management), in the simplest terms, is your best chance of seeing everything that is going on in your system. Every device on your network generates some kind of data – do not think just of computers and network hardware, but also of software and other miscellaneous hardware such as smart locks and, in the world of IoT, even smart coffee machines.
Infigo SIEM gathers all that data, processes it in real time, and runs it through a set of scenarios to determine what is happening. There are millions of daily events on your network, so we have to be smart about ingesting and filtering them all; if you filter the data incorrectly, you lose complete visibility.
Infigo SIEM gives you answers to many questions. Some are relatively easy to answer – are all of our servers up to date? Some are not – are almost 150 seemingly unrelated security events spread over several months really of little importance, or are they all part of a big and complex cyber attack that should generate a critical security alert?
How does our SIEM know the answers? Infigo IS has been focused on IT security for the last 15 years, playing defense and offense, integrating big security solutions, building big security solutions, doing forensics, and consulting on many challenging projects, and all that knowledge was used to create Infigo SIEM.
Infigo SIEM is built on a big data platform and can gather data from every possible source. Even if there is no automatic way of ingestion, Infigo IS builds custom importers, because every point of data can be crucial. Best of all, our SIEM is extremely scalable, so we can ingest anything from a few logs to millions without any problems and with minimum impact on the network as a whole. All of the ingested data can be stored in line with data retention policies and retrieved for further inspection if the need arises. Of course, everything is configurable according to the organization's policies.
Many of today's SIEMs filter data in the most unnatural way, by getting rid of the majority of it while ingesting it. We strongly disagree with that practice – by automatically discarding data, you lose important things in the long run. Our way, the correct way, is multiphase enrichment: we drive the data through many phases, and in every phase we enrich the data further (depending on the phase, enrichment is done from various sources, some internal, some external). Only after the data is enriched is it processed, and only then are the events without significance discarded.
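As an added illustration of the enrich-before-discard argument above (example code, not Infigo's own pipeline): each event passes through an internal HR phase and an external threat-intelligence phase before any discard decision is made, and the same events are run through an ingest-time severity filter for contrast. The HR directory, the indicator list and the login events are constructed for the example.

```python
# Constructed sample data (not from the page): an internal HR directory and an
# external threat-intelligence indicator list stand in for real enrichment sources.
HR_DIRECTORY = {
    "jdoe": {"dept": "finance", "status": "active"},
    "msmith": {"dept": "it", "status": "terminated"},
}
THREAT_INTEL_IPS = {"203.0.113.7"}  # TEST-NET-3 address, constructed indicator

# Constructed raw events, as a collector would hand them to the pipeline.
RAW_EVENTS = [
    {"id": 1, "src_ip": "192.0.2.10", "user": "jdoe", "action": "login", "severity": "info"},
    {"id": 2, "src_ip": "203.0.113.7", "user": "jdoe", "action": "login", "severity": "info"},
    {"id": 3, "src_ip": "192.0.2.11", "user": "msmith", "action": "login", "severity": "info"},
    {"id": 4, "src_ip": "192.0.2.12", "user": "jdoe", "action": "login_failed", "severity": "warn"},
]

def phase_internal(event):
    """Phase 1: enrich from an internal source (HR data)."""
    rec = HR_DIRECTORY.get(event["user"], {})
    return {**event, "dept": rec.get("dept", "unknown"), "hr_status": rec.get("status", "unknown")}

def phase_external(event):
    """Phase 2: enrich from an external source (threat intelligence)."""
    return {**event, "ip_on_threat_list": event["src_ip"] in THREAT_INTEL_IPS}

def phase_score(event):
    """Phase 3: turn the enrichment into a risk score (weights are illustrative)."""
    risk = 50 * event["ip_on_threat_list"] + 40 * (event["hr_status"] == "terminated")
    risk += 5 * (event["action"] == "login_failed")
    return {**event, "risk": risk}

def run_phases(event):
    return phase_score(phase_external(phase_internal(event)))

def enrich_then_filter(events, threshold=10):
    """Multiphase approach: discard only after every enrichment phase has run."""
    return [e for e in map(run_phases, events) if e["risk"] >= threshold]

def filter_then_enrich(events, threshold=10):
    """Ingest-time filtering: drop 'info' events before they can be enriched."""
    survivors = [e for e in events if e["severity"] != "info"]
    return [e for e in map(run_phases, survivors) if e["risk"] >= threshold]

if __name__ == "__main__":
    print([e["id"] for e in enrich_then_filter(RAW_EVENTS)])  # [2, 3]
    print([e["id"] for e in filter_then_enrich(RAW_EVENTS)])  # []
```

The two "info" logins that the ingest-time filter throws away are exactly the ones that enrichment turns into the highest-risk events: a login from a listed address and a login by a terminated account.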
Alerting is a big part of SIEM functionality. Infigo SIEM uses two alert types – scheduled and real-time. With scheduled alerts, we specify the conditions that have to be met for an alert to fire, but the evaluation happens on a schedule. With real-time alerts, the alert is triggered as soon as the conditions are met by searches that run continuously. Of course, in practice all of this is quite complicated, with alert classifications, custom risk scoring and machine-learning thresholds, but anything that happens can be seen in the alert console and/or sent through email or a ticketing system of your choice.
More than a hundred scenarios work in the background to ensure your system is safe. Infigo SIEM transforms raw data into useful and actionable information. The main goal of correlation is to connect mutually independent data sources according to their common characteristics, creating order out of chaos.
Enrichment is especially important for Infigo SIEM. That is why we use every possible step to give our data meaning – we use internal data (e.g., HR data) and external data (e.g., numerous threat intelligence sources) because not every piece of information has the same importance. It is not an easy process to get right, but if it were easy, anybody could do it.
Whatever happens, there is always a complete and detailed view of any incident that occurred. Analysts can start with a high-level overview through specially designed dashboards and, with a click of a button, drill down to the source log. There is also the option of writing custom searches that can encompass all the data since logging started.
Different SIEM stakeholders can get different reports depending on their needs – from security experts and compliance officers to CEOs, everybody can benefit from a well-timed report. Reports can be automatic, ad hoc or scheduled, and can be sent through email or a ticketing service. Of course, every report can be modified and customized.
With a rich and configurable GUI (Graphical User Interface) it is easy to get fast insight into relevant events. Dashboards can present complex searches in a clear graphical form and make any investigation and event review accessible to a wide range of users – visualizations can be turned into reports so that even non-SIEM users can get their information.
Users can access Infigo SIEM through a web-based GUI using any modern browser, without installing any additional components. That relieves the strain on IT support. GUI access is role-based, because not every user is privy to all information; it supports internal authentication, LDAP, single sign-on, and scripted authentication for external authentication systems.
Infigo SIEM plays well with others – no matter what the other network components are, our SIEM will seamlessly integrate with them. It can ingest a wide variety of data, human- or machine-generated, and Infigo IS will write custom importers for older components that other vendors tend to skip over. We believe in full service.
Redundancy and High Availability
Infigo SIEM can be configured for redundant and high-availability environments: load balancing for fast data searching, index replication (with regard to local indexing and storage), and distributed searches; it all depends on the client's needs.