SenSage

Clusterable Infrastructure for the Collection and Analysis of System Events

The SenSage Enterprise Security Analytics platform, the flagship offering of the company, is dedicated to the collection, retention, and analysis of system event information generated from multiple disparate sources. The offering includes components focused on the collection of system events; the correlation of real-time events for the generation of alerts; and the insertion, retention, and analysis of those events within a centralized repository. Event analysis is facilitated via built-in reports as well as support for ad-hoc and user customized queries; and the vendor additionally offers optional Analytics Packages with pre-defined rules and reports tailored to common security monitoring and/or compliance reporting needs.

The SenSage platform consists of the following components:

The SenSage Collector gathers batched event-log data from individual machines throughout the network. Collection is agentless and draws on multiple sources (the vendor cites more than 170 log adapters, plus the ability to build custom adapters as required), using both push and pull transfer via SFTP, SCP, RCP and Syslog. Event data is compressed (to as little as 10 percent of the original log volume) and then forwarded to the SLS (see below). In addition to batch collection, the Collector can receive streaming real-time event feeds (such as Syslog, SNMP, Check Point LEA and HL-7), parse them, and forward the parsed events to the SAS and SLS for immediate analysis.

The SenSage Scalable Alert Server (SAS) consumes the streaming data forwarded by the Collectors and generates alerts based on pre-defined correlation rules and thresholds. It then forwards the events and the alerts it raised to the SLS for historical analysis.
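The page does not publish the SAS rule language, so the following is an added example, not SenSage code: a sliding-window threshold rule of the kind an alert server evaluates over streaming syslog, fed with constructed sshd lines. The parser, rule name and the 5-failures-in-60-seconds threshold are all assumptions made for the illustration.

```python
"""Threshold correlation over streaming syslog lines (added example, not SenSage code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: BSD-style syslog (no year in the timestamp).
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar  1 10:00:03 bastion sshd[4102]: Failed password for root from 203.0.113.7 port 51823 ssh2
Mar  1 10:00:04 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51824 ssh2
Mar  1 10:00:06 bastion sshd[4104]: Failed password for root from 203.0.113.7 port 51825 ssh2
Mar  1 10:00:07 bastion sshd[4105]: Failed password for root from 203.0.113.7 port 51826 ssh2
Mar  1 10:00:30 bastion sshd[4106]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
Mar  1 10:05:00 bastion sshd[4107]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar  1 10:05:01 bastion sshd[4108]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def parse_syslog(line, year=2006):
    """Split one syslog line into fields; the year is assumed since BSD syslog omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]}


class FailedLoginRule:
    """Fire once when a source reaches `threshold` sshd failures inside a sliding `window`."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)  # src -> timestamps still inside the window
        self._fired = set()                # sources already alerted on

    def feed(self, event):
        m = FAILED_RE.search(event["msg"])
        if event["app"] != "sshd" or not m:
            return None
        src = m["src"]
        q = self._events[src]
        q.append(event["ts"])
        # Expire timestamps that have fallen out of the window.
        while q and event["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and src not in self._fired:
            self._fired.add(src)
            return {"rule": "ssh_bruteforce", "src": src, "count": len(q),
                    "host": event["host"], "last_seen": event["ts"]}
        return None


def run_rules(text, rule=None):
    """Stream every parseable line through the rule and collect the alerts raised."""
    rule = rule or FailedLoginRule()
    alerts = []
    for line in text.splitlines():
        ev = parse_syslog(line)
        if ev:
            alert = rule.feed(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_SYSLOG):
        print(a)
```

Against the sample, 203.0.113.7 crosses the threshold on its fifth failure within six seconds and raises one alert; 198.51.100.9 produces only two failures and stays silent. A real alert server keys rules on more than source address and must bound memory for sources that never recur; the per-source deque here grows only as far as the window allows.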

The SenSage Scalable Log Server (SLS) is the key component of the system and maintains the searchable, reportable repository of collected event information. The SLS is actually a cluster of servers; capacity can therefore be expanded by adding more servers, adding storage to individual member servers, or attaching external NAS or SAN storage. The vendor specifically highlights support for the EMC Centera platform, noting that overall performance on EMC Centera storage is 95% of that achieved with the members' native storage.

The SLS stores data in a compressed flat-file format optimized for event insertion, retention and query retrieval; decompression happens only at query time. According to the vendor, a five-node SLS cluster can ingest a sustained 87,000 events per second and scan 2,000,000 records per second per node. The platform builds a virtual schema so that the data can be queried with SQL, and stored data is mirrored and distributed across the cluster nodes for protection.

Finally, the SenSage Analyzer, a Java-based GUI component, allows for the generation of reports and ad-hoc query and analysis of the repository information. The Analyzer also supports scheduled queries, allows for the management of SAS alerts and rules, and provides user administration functions.

For auditing purposes, the Collectors keep a log of their own activities, including log-file retrieval and loading; this audit information is also forwarded to the SLS for storage. The SLS itself can be configured to keep a signed hash of each log record in an additional column, and it does not support SQL UPDATE or DELETE statements, so records cannot be altered or removed through the query interface.
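The page says only that the SLS can keep a signed hash per record in an extra column; the algorithm and column layout are not stated. The following is an added example, not SenSage code, of what such a column buys you: each row carries an HMAC-SHA256 (an assumption standing in for whatever signature the product uses) over the canonical record, and, going one step beyond the page, the MAC also covers the previous row's MAC so that deleting or reordering rows is detected as well as editing them. The key, field names and sample events are all constructed for the illustration.

```python
"""Per-record signed hash column with chaining (added example, not SenSage code)."""
import hashlib
import hmac
import json

# Assumed: the signing key lives with the loader / verifier, never in the log store itself.
SIGNING_KEY = b"example-key-do-not-use-in-production"


def canonical(record):
    """Stable byte encoding of the event fields (sorted keys, no whitespace)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_records(records, key=SIGNING_KEY):
    """Add a 'sig' column: HMAC over the previous row's sig plus this row's canonical form."""
    signed, prev = [], b""
    for rec in records:
        mac = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        signed.append({**rec, "sig": mac})
        prev = mac.encode()
    return signed


def verify_records(signed, key=SIGNING_KEY):
    """Return the index of the first row that fails, or None if the whole chain verifies."""
    prev = b""
    for i, row in enumerate(signed):
        rec = {k: v for k, v in row.items() if k != "sig"}
        expected = hmac.new(key, prev + canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, row.get("sig", "")):
            return i
        prev = row["sig"].encode()
    return None


# Constructed sample events, as a loader would insert them.
EVENTS = [
    {"ts": "2006-03-01T10:00:01Z", "host": "bastion", "msg": "Failed password for root from 203.0.113.7"},
    {"ts": "2006-03-01T10:00:30Z", "host": "bastion", "msg": "Accepted password for alice from 198.51.100.9"},
    {"ts": "2006-03-01T10:01:00Z", "host": "bastion", "msg": "session opened for user alice"},
]


def demo():
    """Show that both an edited field and a deleted row are caught at the affected index."""
    rows = sign_records(EVENTS)
    assert verify_records(rows) is None
    edited = [dict(r) for r in rows]
    edited[1]["msg"] = "Failed password for alice from 198.51.100.9"   # tamper with row 1
    deleted = rows[:1] + rows[2:]                                      # drop row 1
    return verify_records(edited), verify_records(deleted)


if __name__ == "__main__":
    print("first bad row (edited, deleted):", demo())
```

Both tampered copies fail at index 1. The practical caveat is where the key sits: a MAC or signature stored next to the data only proves anything if whoever can write the column cannot also reach the key, so the verifier's key belongs on a separate host or HSM, not on the log server that holds the rows.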

The SenSage platform is available now for Red Hat Linux ES 3.4 and, as of this release, SUSE Linux Enterprise Server 9.

Visit the SenSage Web site for further information.

product submission by EITPlanet Staff

fact sheet
DPW id#: 1141154800
date posted: Mar. 1, 2006
category: Security:Security Administration Tools
platform: Red Hat Linux ES 3.4; SUSE Linux Enterprise Server 9
vendor: SenSage, Inc
(www.sensage.com/)