SecureVue: Performance Analytics

Regular monitoring of host and device performance helps to diagnose system problems early, maintain critical system availability, take timely preventive action and ensure the steady health of your systems and network devices. The performance analytics function collects data on CPU, memory, disk and I/O bandwidth usage and employs the data in the detection and remediation of security incidents and IT regulatory compliance gaps. The data is especially useful when correlated with other data from hosts and devices on the network. For example, a spike in memory and I/O bandwidth usage following suspicious configuration and asset changes could more clearly identify the presence of a new virus, worm or bot. The sooner these kinds of attacks can be detected, the less likely a more widespread outbreak will put other machines at risk.

Challenges for Performance Analytics
Data security and IT compliance professionals seek solutions offering more timely and cost-effective detection and mitigation of security incidents and instances of noncompliance with regulations, standards and best practices (compliance gaps) than has been possible using the available security and compliance management solutions. The real challenge for these solutions has been one of TIMELINESS.

Consider a typical “low and slow” breach in which an attacker remains undetected once they have compromised an organization’s systems by progressing slowly with minimal activity to evade detection from existing defenses like IPS and device security. The timely detection of a “low and slow” attack has proven especially elusive because it requires the collection of data from multiple sources. Specifically, log, asset, configuration, vulnerability, performance and network flow data can each reveal different aspects of an attack. The following table outlines the typical steps involved in this type of attack and the data source that would reveal each step’s activity.

A Typical “Low and Slow” Attack

Attack step               Attacker action                                                                                Action revealed in
------------------------  ---------------------------------------------------------------------------------------------  --------------------------------
1. Probe                  Runs port scans seeking targets with known vulnerabilities.                                    Log data
2. ID entry point         Identifies a target system with a known vulnerability.                                         Log data
3. Access                 Brute-forces access to the system with multiple failed logins preceding the successful login.  Log data
4. Admin privilege        Escalates to Admin/Root or creates a new account with Admin privilege.                         Asset data
5. Config change          Disables logging.                                                                              Configuration data
6. Exploit vulnerability  Creates a buffer overflow that spikes performance by exploiting a vulnerability.               Vulnerability & Performance data
7. Rogue app              Installs a back door to the system.                                                            Asset data
8. Data theft             Steals confidential data.                                                                      Flow data

Thus, to meet the needs of security and compliance professionals, the primary challenge for a security and compliance management solution is to deliver more timely security event and noncompliance issue mitigation by collecting and correlating multiple types of data. Log data by itself is insufficient for achieving such targeted, efficient and timely security incident detection.

As shown in the table above, performance data greatly enhances the accuracy and speed of identification of breaches when correlated with other log, asset and configuration data from hosts and devices on the network. Should device performance spike due to an exploit, virus, worm or bot, you can more easily detect and correct the problem before it becomes a major issue impacting system availability. Similarly, performance changes can be correlated with other asset and configuration data to more readily reveal unauthorized activity by an authorized internal individual. Thus, like the other data analytics of an integrated security and compliance platform, the principal challenge for performance analytics is to help mitigate a security event or compliance gap in a timely fashion through seamless integration with the end-to-end correlation of all key security and compliance data.
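The multi-source correlation that the table and the paragraph above describe, as an added example that is not part of this page and not SecureVue code: a small Python correlator over constructed events for two hypothetical hosts (srv-db-01 and srv-web-02, with made-up event type names). Each event is mapped to the attack step its data source reveals, the brute-force step is derived from the raw login events rather than from a single record, a performance spike is counted only when a configuration or asset change already preceded it on that host, and a host alerts only when enough distinct steps line up. The event names, the 30-day window, the step count and the brute-force parameters are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Each tuple is
# (ISO timestamp, host, data source, event type); the source column mirrors the
# "Action revealed in" column of the attack table on this page.
EVENTS = [
    ("2024-03-01T02:10:00", "srv-db-01", "log",    "port_scan"),
    ("2024-03-01T02:12:00", "srv-db-01", "log",    "vuln_probe"),
    ("2024-03-04T23:40:00", "srv-db-01", "log",    "auth_failure"),
    ("2024-03-04T23:41:00", "srv-db-01", "log",    "auth_failure"),
    ("2024-03-04T23:43:00", "srv-db-01", "log",    "auth_failure"),
    ("2024-03-04T23:45:00", "srv-db-01", "log",    "auth_success"),
    ("2024-03-09T01:05:00", "srv-db-01", "asset",  "admin_account_created"),
    ("2024-03-12T03:30:00", "srv-db-01", "config", "logging_disabled"),
    ("2024-03-12T03:45:00", "srv-db-01", "perf",   "cpu_spike"),
    ("2024-03-15T04:00:00", "srv-db-01", "asset",  "new_service_installed"),
    ("2024-03-20T02:00:00", "srv-db-01", "flow",   "large_outbound_transfer"),
    # Second host: a lone CPU spike (a batch job) and one mistyped password.
    ("2024-03-12T03:45:00", "srv-web-02", "perf",  "cpu_spike"),
    ("2024-03-13T09:00:00", "srv-web-02", "log",   "auth_failure"),
    ("2024-03-13T09:01:00", "srv-web-02", "log",   "auth_success"),
]

# (source, event type) -> attack step number from the table. Step 3 (brute force)
# is a pattern over several log events, so it is derived separately below.
STEP_OF = {
    ("log",    "port_scan"):               1,
    ("log",    "vuln_probe"):              2,
    ("asset",  "privilege_escalation"):    4,
    ("asset",  "admin_account_created"):   4,
    ("config", "logging_disabled"):        5,
    ("perf",   "cpu_spike"):               6,
    ("perf",   "memory_spike"):            6,
    ("perf",   "io_spike"):                6,
    ("asset",  "new_service_installed"):   7,
    ("flow",   "large_outbound_transfer"): 8,
}


def _ts(event):
    return datetime.fromisoformat(event[0])


def brute_force_login(host_events, min_failures=3, span=timedelta(hours=1)):
    """Step 3 of the table: True if at least min_failures auth_failure events
    precede an auth_success on the same host within `span`."""
    failures = []
    for event in host_events:
        if event[2] != "log":
            continue
        if event[3] == "auth_failure":
            failures.append(_ts(event))
        elif event[3] == "auth_success":
            recent = [f for f in failures if _ts(event) - f <= span]
            if len(recent) >= min_failures:
                return True
            failures = []          # a successful login resets the counter
    return False


def correlate(events, window=timedelta(days=30), min_steps=4):
    """Map each host's events to attack steps and alert when at least min_steps
    distinct steps occur within `window` of the host's first event.

    A performance spike (step 6) is counted only when an admin/asset change or
    a configuration change (step 4 or 5) already preceded it on that host, so a
    spike with no corroborating data never alerts on its own."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: e[0]):
        by_host[event[1]].append(event)

    findings = {}
    for host, host_events in by_host.items():
        start = _ts(host_events[0])
        steps = set()
        for event in host_events:
            if _ts(event) - start > window:
                break                      # events are time-ordered
            step = STEP_OF.get((event[2], event[3]))
            if step is None:
                continue
            if step == 6 and not steps & {4, 5}:
                continue                   # uncorroborated spike: ignore
            steps.add(step)
        if brute_force_login(host_events):
            steps.add(3)
        findings[host] = {
            "steps": sorted(steps),
            "score": len(steps),
            "alert": len(steps) >= min_steps,
        }
    return findings


if __name__ == "__main__":
    for host, result in correlate(EVENTS).items():
        print(host, result)
```

Run as-is, srv-db-01 accumulates all eight steps and alerts, while srv-web-02 accumulates none: its CPU spike has no preceding configuration or asset change and its single failed login is below the brute-force count. That asymmetry is the point of the paragraph above: performance data on its own is noise, and it becomes evidence only when correlated with the other sources.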

Other key challenges that performance analytics must address to deliver superior value as an enterprise security and compliance management platform include:

  • Availability reporting that presents the uptime and bandwidth availability of a service, device or host. The correlation of availability information with other data helps you understand what happened during a period of unexpected downtime. Such an understanding, in turn, helps to determine the reliability of the network and helps to manage SLAs.

  • Historical trending enabled by the collection and correlation of information over months. As with other important types of data, this historical trending ability is necessary for the detection of “low and slow” security events and in the determination of their root causes.

  • Alerting in response to anomalous performance that could indicate a breached system or the presence of malware.

Performance Analytics Using SecureVue
Existing security management products primarily focus on one or two different types of data from different network devices. SecureVue, on the other hand, allows you to keep up with what is happening on your network through the collection and correlation of all important security-related information from all hosts and devices on the network, including performance data. After centrally archiving the performance data, SecureVue then includes it in its real-time, 24x7, end-to-end correlation. Thus, perhaps the greatest difference between SecureVue and other security management solutions is that performance analysis is one of several types of data analyses that are integrated into the end-to-end correlation function, a function that allows SecureVue to deliver more timely identification and subsequent mitigation of elusive attacks and instances of noncompliance.

Besides offering performance analysis that is integrated with its end-to-end correlation, SecureVue also meets the other key challenges for performance analytics:

  • SecureVue’s availability reporting allows you to determine host or device uptime and bandwidth availability to more closely manage performance and meet SLA requirements. In addition, availability information is often critical to understanding what happened during a period of unexpected downtime.

  • With SecureVue you can collect and correlate performance data over a period of months. This enables the historical trending essential to the detection and remediation of security incidents that evolve slowly over time.

  • SecureVue allows you to configure performance triggers or thresholds that, when achieved, alert you of anomalous CPU, disk or memory usage. This alerting function could prove essential to the rapid detection and removal of malware or an unauthorized application installed after a breach.
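A threshold-plus-baseline trigger of the kind the last two bullets describe, as an added example that is neither SecureVue code nor taken from this page: constructed hourly CPU samples stand in for months of collected history, a static percentage threshold models the configured trigger, and a deviation from the historical mean models the historical-trending check. The threshold values, the z-score cutoff, the minimum-history guard and the standard-deviation floor are assumptions.

```python
from statistics import mean, pstdev

# Constructed hourly CPU samples (percent) for one host over a quiet baseline
# period; not real telemetry. Mean 13.5, population std dev 1.5.
BASELINE_CPU = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 15]

# Hypothetical static triggers in percent, standing in for the thresholds an
# operator would configure per metric.
STATIC_THRESHOLDS = {"cpu": 90.0, "memory": 95.0, "disk": 90.0}

MIN_HISTORY = 8    # below this many samples the baseline is too thin to trust
SD_FLOOR = 1.0     # keeps a flat history (std dev 0) from flagging every wobble


def baseline(history):
    """Return (mean, population std dev) of the historical samples."""
    return mean(history), pstdev(history)


def evaluate(metric, value, history, thresholds=STATIC_THRESHOLDS, z_cutoff=3.0):
    """Return the reasons a fresh sample should raise an alert, in a fixed order:
    'static_threshold' when the configured trigger is crossed, and
    'baseline_deviation' when the sample sits more than z_cutoff standard
    deviations above the historical baseline. An empty list means no alert.
    With too little history only the static threshold is applied."""
    reasons = []
    if value >= thresholds[metric]:
        reasons.append("static_threshold")
    if len(history) >= MIN_HISTORY:
        avg, sd = baseline(history)
        z = (value - avg) / max(sd, SD_FLOOR)
        if z > z_cutoff:
            reasons.append("baseline_deviation")
    return reasons


def scan(metric, samples, history, **kwargs):
    """Evaluate a sequence of fresh samples and return [(index, value, reasons)]
    for those that alert. Alerting samples are not folded into the baseline, so a
    sustained period of high load cannot quietly become the new normal."""
    alerts = []
    history = list(history)
    for i, value in enumerate(samples):
        reasons = evaluate(metric, value, history, **kwargs)
        if reasons:
            alerts.append((i, value, reasons))
        else:
            history.append(value)       # normal samples extend the baseline
    return alerts


if __name__ == "__main__":
    print(scan("cpu", [14, 13, 45, 15, 95, 12], BASELINE_CPU))
```

The two checks catch different things: a 45% reading on a host that idles at 13% never crosses a 90% static trigger, yet it is roughly twenty standard deviations off its own history, which is exactly the kind of anomaly the historical-trending bullet refers to. Keeping alerting samples out of the baseline is the detail that matters for slow-moving incidents.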

In the end, SecureVue meets and exceeds all these challenges for performance analytics by delivering the only integrated security and configuration management platform delivering end-to-end correlation of all important data, including performance data.

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today.

When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting for your organization.