ALM-SIEM monitors, detects and helps to respond to cyber security incidents and data protection threats. It combines Security Information & Event Management (SIEM), File Integrity Monitoring, Vulnerability Assessment and Log Management functionality in an integrated and trusted software solution.
By continuously monitoring your on-premises and cloud-based IT and business infrastructures, ALM-SIEM provides deep security intelligence and visibility of critical threats to your organisation, helping to mitigate and prevent those threats, while also helping with regulatory compliance.
ALM Log Sources
Event logs and machine data normally enter an ALM-SIEM system through an ALM agent or via a direct API connection, depending on the source of the data. For reasons of log data integrity, efficiency and resilience, the preferred option is to install small, unobtrusive ALM agents on the hosts that create the logs, but agentless deployment is also available for collecting logs remotely and in cases where data integrity is not of primary concern.
ALM’s architecture allows collection and management of almost any log or data type (not just syslog streams as with many SIEM solutions). These can include binary logs, cloud data and many other types.
ALM-SIEM provides a huge range of data collection and processing features (known as Data Sources) out of the box, and Assuria is constantly extending its portfolio of data sources based on the needs of its customers. With some training, customers can also add their own log sources to meet their unique needs, via the optional Assuria Log Source SDK.
ALM Log Collection
Assuria’s ALM-SIEM solution uses agents to collect log data into a central store, although agentless collection is also available. ALM server-side components then process the collected logs from the store, e.g. to normalise and filter selected events into a database, or to export to external systems.
ALM’s collection architecture uses agents to collect data (typically logs, but ALM can collect anything, including screenshots and network packet captures) from a variety of sources. Data sources can be added at will, and include local log files, support for various remote protocols such as Syslog, WMI and OPSEC LEA, and querying of web/cloud services.
The agent collects data in its original format, unchanged, sequence numbered and digitally signed. It then transfers the data via a mutually-authenticated TLS channel to an ALM Collector, which writes the data into a Store. ALM agents can also be configured to generate alerts at source when specific events appear in the logs they collect.
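As an added illustration, not Assuria's code, of why the sequence numbering and signing described above matter for log integrity, the following Python shows the collector-side check that those two properties make possible: every record's signature is verified and the sequence numbers are checked for gaps and replays. The envelope format, the key, the log lines and HMAC-SHA256 standing in for the agent's digital signature are all assumptions for the example.

```python
import hashlib
import hmac

# Constructed demo key. An ALM agent uses a digital signature; HMAC-SHA256 stands
# in here only because the Python standard library has no asymmetric signing.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _sign_input(seq: int, raw: bytes) -> bytes:
    # The signature covers both the sequence number and the unchanged payload,
    # so neither can be altered or re-paired without detection.
    return seq.to_bytes(8, "big") + raw

def sign_record(seq: int, raw: bytes, key: bytes = DEMO_KEY) -> dict:
    """Agent side: wrap one raw log line in a hypothetical envelope format."""
    sig = hmac.new(key, _sign_input(seq, raw), hashlib.sha256).hexdigest()
    return {"seq": seq, "raw": raw.hex(), "sig": sig}

def verify_stream(records, first_seq: int = 1, key: bytes = DEMO_KEY) -> list:
    """Collector side: check every signature and the sequence-number continuity.
    Returns findings as tuples: ("bad_signature", seq), ("gap", from, to),
    ("replay", seq). An empty list means the stream is intact and complete."""
    findings = []
    expected = first_seq
    for rec in records:
        raw = bytes.fromhex(rec["raw"])
        want = hmac.new(key, _sign_input(rec["seq"], raw), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, rec["sig"]):
            findings.append(("bad_signature", rec["seq"]))
        if rec["seq"] < expected:          # already seen: replayed or re-sent
            findings.append(("replay", rec["seq"]))
        elif rec["seq"] > expected:        # records missing between the two
            findings.append(("gap", expected, rec["seq"] - 1))
        expected = max(expected, rec["seq"] + 1)
    return findings

def demo() -> list:
    """Constructed sample: five log lines, then a stream that lost record 3,
    had record 4's payload edited in transit, and had record 2 replayed."""
    lines = [b"sshd: session opened for user alice",
             b"sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
             b"sshd: session closed for user alice",
             b"audit: file /etc/passwd modified",
             b"sshd: session opened for user bob"]
    signed = [sign_record(i, line) for i, line in enumerate(lines, start=1)]
    tampered = dict(signed[3], raw=b"audit: nothing to see here".hex())
    received = [signed[0], signed[1], tampered, signed[4], signed[1]]
    return verify_stream(received)
```

Running `demo()` reports the edited record, the missing record 3 and the replayed record 2; a stream that arrives intact and in order produces no findings.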