Symantec 10521146 Administration Guide - Page 30
Architecture
About the core architecture

data from the native format to the Symantec Network Security format, and transmits the data to the software or appliance node.

See "About detection" on page 159.
See "About Smart Agents" on page 37.

About analysis

Symantec Network Security includes correlation and analysis that filters out irrelevant information and refines only what is meaningful, providing threat awareness without data overload. Symantec Network Security groups related events together within an incident to compress and relate the displayed information.

This section describes the analysis mechanism in greater detail:
■ About refinement
■ About correlation
■ About cross-node correlation

About refinement

Symantec Network Security detects both known and unknown (zero-day) attacks, using multiple detection technologies concurrently. Event refinement rules extend the Protocol Anomaly Detection capabilities. Symantec Network Security matches generic anomalies against a database of refinement rules and, for known attacks, reclassifies an anomaly event by retagging it with its specific name. An anomaly that matches no refinement rule keeps its generic classification, which is how a previously unknown attack still surfaces.

About correlation

Symantec Network Security uses event correlation, the process of grouping related events together into incidents. This produces a shorter, more manageable list to sift through. Some types of intrusions, such as DDoS attacks, generate hundreds of events. Others, such as buffer-overflow exploits, might generate only one event. Event correlation brings each key event to the forefront in an incident so that it remains visible despite floods of events from other activities. It automates the process of sorting through individual events and frees the user to focus on responding directly to the security incident.
Symantec Network Security correlates security events (intrusions, attacks, anomalies, or any other suspicious activity), response action events (automated actions taken by Symantec Network Security in response to an attack), and operational events (action taken in the administration of the product, such as logging in or rotating logs).
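The following is an added example, written for this page to illustrate the two mechanisms described above (refinement retagging a generic anomaly with a specific name, and correlation grouping security, response-action and operational events into incidents whose summary keeps a single exploit event visible beside a flood). It is not Symantec Network Security's own code. The event fields, the rule format, the specific names (EXAMPLE_OVERLONG_URI_EXPLOIT is a placeholder, not a real signature), the (source, destination) incident key, the 60 s window and the sample events are all assumptions made for the example.

```python
"""Toy event refinement + correlation pipeline, written for this page to
illustrate the mechanism the manual describes. It is not Symantec Network
Security's own code; event fields, rule format, incident key and the 60 s
window are assumptions made for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float            # seconds since some epoch
    kind: str            # "security", "response" or "operational"
    name: str            # generic anomaly name, or specific name after refinement
    src: str = ""
    dst: str = ""
    attrs: dict = field(default_factory=dict)


# Refinement rules: (generic anomaly, predicate over attrs, specific name).
# The specific name is a hypothetical placeholder, not a real signature ID.
REFINEMENT_RULES = [
    ("HTTP_URI_ANOMALY",
     lambda a: a.get("uri_len", 0) > 4096,
     "EXAMPLE_OVERLONG_URI_EXPLOIT"),
]


def refine(ev: Event) -> Event:
    """Retag a generic protocol anomaly with its specific name when a rule matches.
    Anomalies matching no rule stay generic, so unknown attacks still surface."""
    if ev.kind != "security":
        return ev
    for generic, pred, specific in REFINEMENT_RULES:
        if ev.name == generic and pred(ev.attrs):
            return Event(ev.ts, ev.kind, specific, ev.src, ev.dst,
                         {**ev.attrs, "refined_from": generic})
    return ev


@dataclass
class Incident:
    key: tuple
    events: list = field(default_factory=list)

    @property
    def start(self) -> float:
        return self.events[0].ts

    @property
    def end(self) -> float:
        return self.events[-1].ts

    def summary(self) -> dict:
        """One entry per distinct (kind, name) with a count, so a single exploit
        event stays visible beside hundreds of flood events."""
        counts = defaultdict(int)
        for e in self.events:
            counts[(e.kind, e.name)] += 1
        return dict(counts)


def incident_key(ev: Event) -> tuple:
    """Security and response-action events correlate on (attacker, victim);
    operational events (logins, log rotation) correlate with each other."""
    if ev.kind in ("security", "response"):
        return (ev.src, ev.dst)
    return ("operational",)


WINDOW = 60.0  # seconds of silence before a new incident is opened (assumption)


def correlate(events, window: float = WINDOW) -> list:
    """Refine each event, then attach it to the open incident for its key if it
    arrives within `window` seconds of that incident's last event; otherwise
    open a new incident. Returns incidents in order of creation."""
    incidents, open_by_key = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        ev = refine(ev)
        key = incident_key(ev)
        inc = open_by_key.get(key)
        if inc is None or ev.ts - inc.end > window:
            inc = Incident(key)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.events.append(ev)
    return incidents


# Constructed sample input (not real sensor output): a 300-event SYN flood plus
# one overlong-URI anomaly and one automated block from the same host pair, a
# harmless generic anomaly from another host, and two admin actions.
SAMPLE_EVENTS = (
    [Event(100 + i * 0.1, "security", "TCP_SYN_ANOMALY", "10.0.0.5", "192.0.2.10")
     for i in range(300)]
    + [Event(110.0, "security", "HTTP_URI_ANOMALY", "10.0.0.5", "192.0.2.10",
             {"uri_len": 5000}),
       Event(111.0, "response", "BLOCK_SOURCE", "10.0.0.5", "192.0.2.10"),
       Event(500.0, "security", "HTTP_URI_ANOMALY", "198.51.100.7", "192.0.2.10",
             {"uri_len": 200}),
       Event(120.0, "operational", "ADMIN_LOGIN", attrs={"user": "admin"}),
       Event(3000.0, "operational", "LOG_ROTATE")]
)

if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc.key, f"{inc.start:.1f}-{inc.end:.1f}", inc.summary())
```

Run as a script, the 302 events from 10.0.0.5 collapse into one incident whose summary lists the flood once with its count, the refined exploit once and the block action once; the generic anomaly from 198.51.100.7 stays its own incident because no rule matched, and the two admin actions land in separate operational incidents because they are more than 60 s apart.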