NetCitadel’s Threat Response Platform includes patent-pending security orchestration technologies that integrate existing security devices, such as firewalls and web proxies, with rich sources of security information like Security Incident and Event Management (SIEM) systems.
The Threat Response Platform (TRP), distributed as a virtual appliance, seamlessly integrates the following core technology components to deliver real-time responses to security events.
- Event Processor logs incoming security events and runs them through an event parser so they can be analyzed
- Correlation Engine takes the parsed event and combines it with data from external sources to increase the information regarding the event
- Rules Engine includes user defined logic for categorizing security events after they have been correlated, based on the information contained in the event
- Workflow System provides support for both fully-automated and semi-automated response workflows
- Data Connectors provide rich 3rd party information relating to security event data
- Device Connectors push and pull information from a wide range of security devices including Cisco™, Juniper™ , Check Point™, Palo Alto Networks™ and Fortinet™
Each time a security event is received by the Event Processor the system parses the event and extracts critical event information, such as the IP addresses involved in the event, and hands the deconstructed event to the Correlation Engine. The Correlation Engine uses proprietary algorithms along with external data sources such as reputation data to provide deeper understanding of the received event.
Once the event has been processed, it goes to the Rules Engine to determine if the event matches any existing criteria. Matching criteria can include information such as the location of the systems involved in the event or the original severity of the event. If matching criteria is found, the event is automatically mapped to an action in the system.
Using the Workflow System, actions can be configured to be either semi-automated or fully-automated depending on the information in the event. Once an action is in the Workflow System the action can be approved or rejected resulting in organization-wide security device updates using the Device Connectors.
TRP includes an audit sub-system that provides full audit details about all events, actions and system settings.
The NetCitadel Difference
Threat Response. It’s what makes us unique–and what you need to turn your static security devices into a context-aware infrastructure that can automatically adapt to security events as they are detected. Respond instantly to Advanced Persistent Threats (APTs) and other targeted attacks as soon as they are discovered.