
NitroView Enterprise Security Manager


NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers

The World's Fastest and Most Scalable SIEM

Finally … an enterprise-class security information and event management system that identifies, correlates, and remediates threats in minutes instead of hours

Security management needs continue to push the limits of security information management platforms, requiring massive scalability, broad and deep visibility into business and IT systems, and blazing analytical performance.

To accommodate these needs, next-generation security management must be built upon a foundation of performance and scalability, allowing security and compliance professionals to collect, store, analyze, and act upon risks and threats—quickly, easily and accurately.

NitroView ESM rises to the challenge, leveraging our patented, high-speed and purpose-built data management engine to provide:

• Unbeatable performance, producing actionable security intelligence in minutes instead of hours
• Massive data collection across a wide range of sources
• Content awareness for broad visibility & deep analytics
• Long-term data retention, for immediate access to years of event and flow data
• Powerful detection & management of risks and threats
• Policy-aware Compliance Management
• Integrated tools for improved security workflow
• High availability options for maximum reliability


Powerful Security Information and Event Management

Unbeatable Performance
NitroView's patented data management engine processes and analyzes security information and provides it back to you as actionable security intelligence. Unlike most SIEM reports, however, the results are produced in a fraction of the time. Even during periods of peak event collection, on systems storing billions of records, NitroView can produce security and compliance information in just a few minutes, rather than hours or even days.

Massive Data Collection
Whether using a single, entry-level appliance or a fully distributed implementation of our flagship ESM X5, you'll appreciate the industry's highest event and flow collection rates, from a wide range of data sources. A single NitroView Receiver can collect over 20,000 events per second. The ESM itself can support multiple distributed receivers, and is able to handle hundreds of thousands of events per second without compression or aggregation. With aggregation, a single appliance can support tens of millions of events per second—enough for almost any network.

Long-term Data Retention
NitroView is able to store billions of events and flows, keeping all information available for immediate analysis, investigation and reporting. That's important when investigating low-and-slow attacks, searching for indications of advanced persistent threats, or attempting to remediate a failed compliance audit—all of which require looking at years of data, and having full access to the complete details of specific events.

[Figure caption: NitroView ESM's dynamic baselines provide at-a-glance indication of network and event anomaly behavior]

Dynamic, Real-Time Baselines
Whether it's network traffic, user activity, or trends in application use, any variation from normal activity could indicate that a threat is imminent. Normal event activity can also be a clue to a larger threat or incident. NitroView calculates real-time baseline activity for all collected information and alerts you of potential threats before they occur, while at the same time analyzing that data for patterns that could indicate a larger threat.

Content Awareness
NitroView's scalability and performance enable more events to be collected, from more sources. All information is heavily indexed, normalized, and correlated together to detect a wider range of risks and threats. When contextual information is available from vulnerability scanners, identity & authentication management systems, or privacy solutions, each event is enriched with that context for a better understanding of how events correlate to real business processes and policies.

Policy-aware Compliance Management
Compliance management requires more than simple event logging. It requires an understanding of network devices and their vulnerabilities, users and their roles, allowed applications and their use, and the business and operational policies that tie it all together. NitroView makes compliance management easy, and provides hundreds of pre-built dashboards and reports for PCI-DSS, HIPAA, NERC-CIP, FISMA, GLBA, SOX, and others.

Integrated Tools for Improved Security Workflow
NitroView ESM gets to the heart of security operations with integrated tools for configuration and change management, case management, and centralized policy management needed to improve workflow and facilitate daily information security operations.


Turn Billions of Events & Flows into Security Intelligence in Minutes

Developed specifically for large-scale collection and real-time analysis of data, NitroView provides the performance needed to support the requirements of a content-aware, operational SIEM.

NitroSecurity has decades of experience in database technology, which provides a dramatic performance advantage over other SIEM systems. NitroView's highly optimized data management architecture uses patented techniques to provide simultaneous event collection, analysis and reporting—at extremely high speeds.

Rich, Flexible Analytics
Patented technology also enables real-time statistical calculations—including baselines and deviations—on all collected information. This enables NitroView to detect anomalies across all monitored activity, from networks, users, applications, or any other information source. It also enables visual indicators of trend activity across all dashboards, for at-a-glance trend analysis.

High Acquisition Rate
Unlike most databases, NitroView's data management engine is able to collect, parse and insert new information at extremely high rates—up to thousands of times faster than commercial SQL database management systems. This also allows NitroView to maintain these high collection rates without impacting the performance of other SIEM functions, such as analysis and reporting.

Rapid Response
NitroView's patented data management engine eliminates the need to perform time-intensive database table scans, producing detailed reports and queries in just minutes instead of hours. NitroView won't slow down during periods of peak event activity—making NitroView the perfect real-time analytical tool for your Security Operations Center.

Diverse Device Support
NitroView can support a wide range of devices because the underlying architecture supports diverse indexes. This means that NitroView can collect more than just log and event data, collecting and analyzing identity information, database activity, policy, privacy and other information from third party systems and applications.

Efficient Storage Utilization
NitroView's patented data indexing also allows more information to be stored using less physical storage, while maintaining full granularity of all collected information. This allows billions of events and flows to be stored locally on the NitroView appliance—fully accessible for analysis and reporting.
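The "Dynamic, Real-Time Baselines" and "Rich, Flexible Analytics" sections both describe the same technique: keep a running statistical baseline per monitored source and alert on deviations from it. The following is an added example of that idea, written for this page and not NitroView's own code or algorithm. It assumes a per-interval event count per source, a sliding window of 12 intervals, a 6-interval warm-up before any alert, and a 3-sigma threshold; all of those parameters are assumptions, and the event counts are constructed. It covers two deviation kinds the text alludes to: a sudden spike, and a source that goes quiet (which a flat baseline with zero variance must still catch).

```python
"""Rolling per-source baseline with deviation alerting (added example)."""
from collections import defaultdict, deque
from math import sqrt
from typing import Deque, Dict, List, Optional, Tuple

WINDOW = 12        # past intervals kept per source (assumed parameter)
MIN_HISTORY = 6    # no alerting until this many intervals are seen (assumed)
THRESHOLD = 3.0    # alert when |z| reaches this many standard deviations (assumed)


class Baseline:
    """Sliding window of per-interval counts for one event source."""

    def __init__(self, window: int = WINDOW) -> None:
        self.samples: Deque[int] = deque(maxlen=window)

    def stats(self) -> Tuple[float, float]:
        """Mean and population standard deviation of the window."""
        n = len(self.samples)
        mean = sum(self.samples) / n
        var = sum((x - mean) ** 2 for x in self.samples) / n
        return mean, sqrt(var)

    def score(self, count: int) -> Optional[float]:
        """z-score of a new count against the window; None while warming up."""
        if len(self.samples) < MIN_HISTORY:
            return None
        mean, sd = self.stats()
        if sd == 0.0:
            # Perfectly flat history: any change at all is a full deviation
            return 0.0 if count == mean else float("inf")
        return (count - mean) / sd


def detect(intervals: List[Tuple[str, Dict[str, int]]]) -> List[Tuple[str, str, int, float, float]]:
    """Score every (interval, source, count) against that source's baseline.

    Returns (interval, source, count, baseline_mean, z) for each deviation.
    The window is updated only after scoring, so a spike cannot hide itself.
    """
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    alerts: List[Tuple[str, str, int, float, float]] = []
    for label, counts in intervals:
        for source, count in counts.items():
            base = baselines[source]
            z = base.score(count)
            if z is not None and abs(z) >= THRESHOLD:
                mean, _ = base.stats()
                alerts.append((label, source, count, round(mean, 1), z))
            base.samples.append(count)
    return alerts


def sample_intervals() -> List[Tuple[str, Dict[str, int]]]:
    """Constructed per-minute event counts for two sources (not real data)."""
    fw = [98, 103, 101, 97, 102, 100, 99, 104, 100, 98, 101, 102, 400, 101]
    vpn = [20] * 10 + [0, 20, 20, 20]  # the VPN gateway stops logging for one interval
    return [(f"t{i:02d}", {"fw-01": f, "vpn-gw": v})
            for i, (f, v) in enumerate(zip(fw, vpn))]


def run_sample() -> List[Tuple[str, str, int, float, float]]:
    return detect(sample_intervals())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two alerts come out: the firewall spike to 400 events at t12 (roughly 145 standard deviations above a baseline of 100.4) and the VPN gateway's drop to zero at t10. The interval after the spike is not re-alerted, because the spike is now part of the window and has widened the variance; in a production detector that is the argument for updating the baseline only with counts that were not themselves flagged.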


Fast, Reliable and Powerful Event and Flow Collection

[Figure: CONTENT (Correlation & Analysis) combined with CONTEXT (Vulnerability Assessment; Identity, Authentication; Privilege, Policy; Network Location, Geo-location) yields Risk]

NitroView Receiver collects third party events and logs — and performs native network flow collection — faster and more reliably than any other solution.

NitroView Receiver appliances are responsible for the collection of log and event information from hundreds of third party devices including firewalls, IDS/IPS devices, UTMs, switches, routers, applications, servers and workstations, identity and authentication systems, vulnerability assessment scanners, and more,[1] using a variety of collection methods including passive log collection, authenticated log collection, CEF, OPSEC, SDEE, XML, ODBC, and others — including encrypted collection validated to FIPS 140-2 Level 2.

Flexible Collection Architecture
NitroView supports fully centralized "all in one" event collection and management, or fully distributed event collection using dedicated NitroView Receiver appliances, rated for a few thousand to tens of thousands of events per second. Virtual appliances are also available, making highly distributed deployment easier and more cost effective.

High Reliability
NitroView Receivers can be deployed redundantly for maximum reliability without any risk of data loss. In addition, every NitroView Receiver caches all collected data locally to preserve data in the event of a network communication error or outage.

Robust Collection, Powerful Correlation
When NitroView Receiver collects an event, it parses all relevant details into a fully normalized event taxonomy, and then provides full correlation against all events to detect larger incidents. All details of parsed events and correlated events are preserved, and stored in a highly indexed database for fast retrieval and analysis. NitroView Receiver can even correlate events collected by other distributed Receivers for system-wide threat detection.

Optional Agents
NitroView supports agentless, agent-based, or hybrid collection models. NitroView Receiver supports a variety of third party agents in addition to the Nitro Plugin Protocol (NPP) agent, a highly reliable and encryptable agent for secure log and event collection. NPP has been validated under the strict requirements of FIPS 140-2, and is suitable for use in almost any network.

[1] For a complete list of supported devices, please visit nitrosecurity.com/products/supported-devices/
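"Robust Collection, Powerful Correlation" above, together with the earlier "Content Awareness" section, describes a three-stage pipeline: parse raw records from different formats into one normalized taxonomy, enrich each event with context the log itself lacks (asset location, user role and privilege), and correlate across events and devices. The block below is an added example of such a pipeline, written for this page; it is not NitroView's parser, taxonomy or rule engine. The sshd-style syslog lines, the CEF record, the hostnames, addresses, users and the asset/identity tables are all constructed, the log year is assumed to be 2024 (syslog timestamps carry no year), and the single correlation rule (three or more failures followed by a success from the same source and user within 60 seconds) is an illustrative rule, not one the page specifies.

```python
"""Normalize, enrich and correlate events from two formats (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: sshd syslog lines and one CEF record. All hosts,
# addresses and users are made up for this example.
RAW_LINES = [
    "Jan 10 08:01:02 app-01 sshd[412]: Failed password for alice from 10.1.5.7 port 5121 ssh2",
    "Jan 10 08:01:05 app-01 sshd[412]: Failed password for alice from 10.1.5.7 port 5122 ssh2",
    "Jan 10 08:01:09 app-01 sshd[412]: Failed password for alice from 10.1.5.7 port 5123 ssh2",
    "Jan 10 08:01:15 app-01 sshd[412]: Accepted password for alice from 10.1.5.7 port 5124 ssh2",
    "Jan 10 08:02:00 app-01 sshd[419]: Failed password for bob from 10.1.9.2 port 6001 ssh2",
    "CEF:0|ExampleVendor|ExampleVPN|1.0|200|Login succeeded|3|"
    "rt=Jan 10 2024 08:03:00 src=10.1.9.2 suser=bob dhost=vpn-gw",
]

# Constructed context tables standing in for asset and identity management feeds.
ASSETS = {"10.1.5.7": {"location": "HQ LAN"}, "10.1.9.2": {"location": "Guest VLAN"}}
IDENTITY = {"alice": {"role": "dba", "privileged": True},
            "bob": {"role": "contractor", "privileged": False}}

ASSUMED_YEAR = 2024  # syslog timestamps carry no year (assumption for the sample)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port"
)


def parse_sshd(line: str) -> Optional[Dict]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "device": m["host"], "user": m["user"], "src": m["src"],
            "category": "auth.success" if m["result"] == "Accepted" else "auth.failure"}


def parse_cef(line: str) -> Optional[Dict]:
    """Minimal CEF reader: 7 header fields, then space-separated key=value extensions.
    (Escaped characters in extension values are not handled here.)"""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)
    if len(parts) < 8:
        return None
    ext = dict(kv.split("=", 1) for kv in re.split(r"\s+(?=\w+=)", parts[7]))
    ts = datetime.strptime(ext["rt"], "%b %d %Y %H:%M:%S")
    return {"time": ts, "device": ext.get("dhost", parts[2]), "user": ext.get("suser"),
            "src": ext.get("src"),
            "category": "auth.success" if "succeed" in parts[5].lower() else "auth.failure"}


def normalize(line: str) -> Optional[Dict]:
    """Map a raw line from any supported format onto one event taxonomy."""
    for parser in (parse_sshd, parse_cef):
        event = parser(line)
        if event:
            return event
    return None


def normalize_all(lines: List[str]) -> List[Dict]:
    return [e for e in map(normalize, lines) if e]


def enrich(event: Dict) -> Dict:
    """Attach asset and identity context that the raw log does not carry."""
    asset = ASSETS.get(event["src"], {})
    ident = IDENTITY.get(event["user"], {})
    return {**event, "src_location": asset.get("location", "unknown"),
            "role": ident.get("role", "unknown"),
            "privileged": ident.get("privileged", False)}


def correlate(events: List[Dict], failures_required: int = 3,
              window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Flag a success preceded by >= N failures for the same source and user
    within the window, regardless of which device reported each event."""
    incidents = []
    events = sorted(events, key=lambda e: e["time"])
    for i, ev in enumerate(events):
        if ev["category"] != "auth.success":
            continue
        prior = [p for p in events[:i]
                 if p["category"] == "auth.failure" and p["src"] == ev["src"]
                 and p["user"] == ev["user"] and ev["time"] - p["time"] <= window]
        if len(prior) >= failures_required:
            incidents.append({"time": ev["time"], "user": ev["user"], "src": ev["src"],
                              "failures": len(prior),
                              "devices": sorted({p["device"] for p in prior} | {ev["device"]}),
                              "privileged": ev["privileged"], "role": ev["role"],
                              "src_location": ev["src_location"]})
    return incidents


def run_pipeline(lines: List[str]) -> List[Dict]:
    return correlate([enrich(e) for e in normalize_all(lines)])


if __name__ == "__main__":
    for incident in run_pipeline(RAW_LINES):
        print(incident)
```

Only alice's sequence produces an incident; bob's single failure on app-01 followed by a VPN success is below the threshold, but because the rule keys on source and user rather than on device, the VPN record would have counted had more failures preceded it. The enrichment step is what lets an analyst see at a glance that the flagged account is privileged, which is the point the "Content Awareness" section makes.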


NitroView Enterprise Security Manager & Receiver Specifications

Columns: Model; Description; Collection Rates; Analytical Performance; Local Storage. Bracketed numbers refer to the notes at the end of the table.

Dedicated NitroView ESM Appliances

NS-ESM-X5
  NitroView ESM X5 Enterprise Security Manager provides Log Analysis, SIEM, and Network Analysis functions for large enterprise networks. 7TB local storage plus 500GB of in-memory storage for extremely high performance. One 3U appliance, plus one 2U appliance.
  Collection rate: 300,000 per second [1]
  Analytical performance: Less than 10 seconds [3]
  Local storage: 7 TB [4] + 500GB RAM [5]

NS-ESM-X3
  NitroView ESM X3 Enterprise Security Manager provides Log Analysis, SIEM, and Network Analysis functions for large enterprise networks. 7TB local storage plus 320GB of SSD storage for extremely high performance. One 3U appliance.
  Collection rate: 150,000 per second [1]
  Analytical performance: Less than 30 seconds [3]
  Local storage: 7 TB [4] + 320 GB SSD

NS-ESM-5750-R
  NitroView ESM 5000 Enterprise Security Manager provides Log Analysis, SIEM, and Network Analysis functions for medium to large enterprise networks. 7TB local storage. 3U appliance.
  Collection rate: 70,000 per second [1]
  Analytical performance: Less than 1 minute [3]
  Local storage: 7 TB [4]

NS-ESM-5510-R
  NitroView ESM 5000 Enterprise Security Manager provides Log Analysis, SIEM, and Network Analysis functions. 3.75TB local storage, 3U appliance.
  Collection rate: 60,000 per second [1]
  Analytical performance: Less than 2 minutes [3]
  Local storage: 3.75 TB [4]

NS-ESM-5205-R
  NitroView ESM 5000 Enterprise Security Manager provides Log Analysis, SIEM and Network Analysis functions. 2.5TB local storage. 3U appliance.
  Collection rate: 50,000 per second [1]
  Analytical performance: Less than 3 minutes [3]
  Local storage: 2.5 TB [4]

All-in-one NitroView ESM and Receiver Appliances

NS-ESMRCV-5205-R
  NitroView ESM 5000 Enterprise Security Manager provides Log Analysis, SIEM and Network Analysis functions. Includes integrated NitroView Receiver for collection of third party feeds. 2.5 TB local storage. 3U appliance. Rated for 5,000 events per second.
  Collection rate: 5,000 per second [2]
  Analytical performance: Less than 4 minutes [3]
  Local storage: 2.5 TB [4]

NS-ESMRCV-4245-R
  NitroView ESM 4000 Enterprise Security Manager provides Log Analysis, SIEM and Network Analysis functions. Includes integrated NitroView Receiver for collection of third party feeds. 1.5 TB local storage. 1U appliance. Rated for 1,000 events per second and manages up to (3) NitroSecurity devices (IPS, DAM, or ADM).
  Collection rate: 1,000 per second [2]
  Analytical performance: Less than 5 minutes [3]
  Local storage: 1.5 TB [4]

Dedicated NitroView Receiver Appliances

Each model below is a NitroView Receiver that collects 3rd party logs, events and flow data for correlation and analysis by NitroView ESM. 1U appliance. Supports up to tens of thousands of data sources. Analytical performance is not applicable to Receivers.

NS-NRC-4500: 20,000 per second [2]; 1 TB [4]
NS-NRC-4245: 18,000 per second [2]; 1 TB [4]
NS-NRC-2250: 15,000 per second [2]; 1 TB [4]
NS-NRC-2230: 10,000 per second [2]; 1 TB [4]
NS-NRC-1225: 5,000 per second [2]; 500 GB [4]

Virtual NitroView Receiver Appliances

NS-NRC-VM-500: NitroView Virtual Receiver, for medium sized environments of up to 500 data sources. 1,000 per second [2]; no analytical performance or local storage figure.
NS-NRC-VM-25: NitroView Virtual Receiver, for small environments of up to 25 data sources. 250 per second [2]; no analytical performance or local storage figure.

Notes
[1] Based on typical network environments using average event and flow aggregation.
[2] Represents raw event rates, without compression or aggregation.
[3] Indicates the average response time to generate a monthly report consisting of all events that occurred over a period of 30 days.
[4] Represents usable event and flow storage, after RAID configuration.
[5] NitroView ESM X5 utilizes a dedicated half terabyte RAM array for fast access to event and flow data.


NitroView Enterprise Log Manager (ELM)
Compliant Log Collection, Storage and Management

NitroView Enterprise Log Manager (ELM) automates the log management and analysis for all log types, including Windows Event logs, Database Logs, Application Logs, and Syslogs. Logs are signed and validated, ensuring authenticity and integrity—a necessity for regulatory compliance. Out-of-the-box compliance rule sets and reports ensure that it is simple to prove your organization is in compliance and policies are being enforced.

Fully Integrated
NitroView's performance and scalability allow security information and log management functions to be tightly integrated. When a security event is generated, the parsed event files are linked directly to the source log file and even to the specific log record—for instant access during the event management and forensic processes. There's no extra step, extra application to launch, or extra time to waste by searching through logs manually.

Maintains the log storage and retention requirements of compliance mandates, including:
• PCI-DSS
• SOX
• HIPAA
• FISMA
• NERC-CIP
• GLBA
• ISO 17799
• Basel II
• FFIEC
• DCID 6/3

Why is this important? Because log files alone don't tell us everything that we need: they contain important pieces of evidence and are an important link in establishing chain-of-custody, but they also raise important new questions. For example, we might see a username in an access log, but there is no information about what that user's role is, or what his or her privileges are. We also might know what system was accessed, but we're told nothing about what types of information are used by that system, or who should be accessing it.

NitroView ESM and NitroView ELM, together, provide context about each and every log—relevant information about the source or destination IP address, the username, hostname, or service being used, vulnerability information from a VA scanner, network topological information, even valuable policy and privacy information—making every parsed log record much more valuable.
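The ELM section states that stored logs are signed and validated so that their authenticity and integrity can be shown, and that log files are a link in the chain of custody. The page does not say how NitroView implements this, so the block below is an added example of one standard construction, not NitroView's own: each stored record carries a SHA-256 hash chained to the previous record's hash, and an HMAC over that hash under a key the log writer holds. Chaining makes deletion or reordering of earlier records detectable; the HMAC means an attacker who edits a record and recomputes its hash still cannot produce a valid signature without the key. The key, the log lines and the tampering scenarios are constructed for the example.

```python
"""Signed, hash-chained log storage with integrity verification (added example)."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed demo key. A real deployment would hold this in an HSM or key store
# and give the verifier only verification access to it.
DEMO_KEY = b"example-only-signing-key"

# Constructed sample log lines (not real device output).
SAMPLE_LINES = [
    "Jan 10 08:01:02 app-01 sshd[412]: Failed password for alice from 10.1.5.7",
    "Jan 10 08:01:05 app-01 sshd[412]: Failed password for alice from 10.1.5.7",
    "Jan 10 08:01:15 app-01 sshd[412]: Accepted password for alice from 10.1.5.7",
    "Jan 10 08:02:00 app-01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
]


def _digest(prev_hash: str, line: str) -> str:
    """Hash of this record bound to the hash of the record before it."""
    return hashlib.sha256(prev_hash.encode() + b"\n" + line.encode()).hexdigest()


class SignedLog:
    """Append-only store: each entry keeps the raw line, a chained hash and an HMAC."""

    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.entries: List[dict] = []

    def _sign(self, record_hash: str) -> str:
        return hmac.new(self.key, record_hash.encode(), hashlib.sha256).hexdigest()

    def append(self, line: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        record_hash = _digest(prev, line)
        entry = {"seq": len(self.entries), "line": line,
                 "hash": record_hash, "sig": self._sign(record_hash)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest chain hash; publish it elsewhere so tail truncation is detectable too."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = _digest(prev, e["line"])
            sig_ok = hmac.compare_digest(e["sig"], self._sign(expected))
            if e["seq"] != i or e["hash"] != expected or not sig_ok:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample() -> SignedLog:
    log = SignedLog(DEMO_KEY)
    for line in SAMPLE_LINES:
        log.append(line)
    return log


def edit_demo() -> Tuple[bool, Optional[int]]:
    """A stored record is altered and its hash recomputed, but it cannot be re-signed."""
    log = build_sample()
    log.entries[1]["line"] = log.entries[1]["line"].replace("Failed", "Accepted")
    log.entries[1]["hash"] = _digest(log.entries[0]["hash"], log.entries[1]["line"])
    return log.verify()


def delete_demo() -> Tuple[bool, Optional[int]]:
    """A record is removed from the middle of the store; the chain breaks at that point."""
    log = build_sample()
    del log.entries[1]
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample().verify())
    print("edited:", edit_demo())
    print("deleted:", delete_demo())
```

Verification reports the first entry at which the chain or signature fails, which is exactly the information a forensic reviewer needs: everything before that index is still attributable, everything from it onward is not. One limitation worth stating: dropping the newest records leaves a chain that still verifies, so the current `head()` value has to be recorded somewhere the log writer cannot alter (a separate system, or a periodic timestamped attestation) for truncation to be caught.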


NitroView Enterprise Log Manager Specifications

Columns: Model; Description; Collection Rates.

Dedicated Enterprise Log Management Appliances

NS-ELM-5750-R
  NitroView ELM 5000 Enterprise Log Manager provides Compliant Log Management functions. 7 TB local storage. 3U appliance.
  Collection rate: 50,000 events/sec

NS-ELM-4245-R
  NitroView ELM 4000 Enterprise Log Manager provides Compliant Log Management functions. Supports network / SAN storage options. No local storage. 1U appliance.
  Collection rate: 45,000 events/sec

NS-ELM-5510-R
  NitroView ELM 5000 Enterprise Log Manager provides Compliant Log Management functions. 3.75 TB local storage. 3U appliance.
  Collection rate: 35,000 events/sec

NS-ELM-5205-R
  NitroView ELM 5000 Enterprise Log Manager provides Compliant Log Management functions. 2.5 TB local storage. 3U appliance.
  Collection rate: 20,000 events/sec

Combination Enterprise Log Manager and NitroView Receiver Appliances

NS-NRCLM-4245-R
  NitroView ELM Receiver provides compliant Log Management and collects flow data for correlation and analysis by NitroView ESM. 1U appliance. Rated for 10,000 events per second.
  Collection rate: 10,000 events/sec

NS-NRCLM-2250-R
  NitroView ELM Receiver provides compliant Log Management and collects flow data for correlation and analysis by NitroView ESM. 1U appliance. Rated for 8,000 events per second.
  Collection rate: 8,000 events/sec

NS-NRCLM-2230-R
  NitroView ELM Receiver provides compliant Log Management and collects flow data for correlation and analysis by NitroView ESM. 1U appliance. Rated for 5,000 events per second.
  Collection rate: 5,000 events/sec

All-in-one NitroView ESM, ELM and Receiver Appliances

NS-ESMLM-5510-R
  NitroView ESM / ELM 5000 Enterprise Security Manager provides SIEM, Compliant Enterprise Log Management, and Network Analysis functions. Includes integrated NitroView Receiver for collection of third party feeds. 3.75 TB local storage. 3U appliance.
  Collection rate: 5,000 events/sec

NS-ESMLM-5205-R
  NitroView ESM / ELM 5000 Enterprise Security Manager provides SIEM, Compliant Enterprise Log Management, and Network Analysis functions. Includes integrated NitroView Receiver for collection of third party feeds. 2.5 TB local storage. 3U appliance.
  Collection rate: 2,500 events/sec

NS-ESMLM-4245-R
  NitroView ESM / ELM 4000 Enterprise Security Manager provides SIEM, Compliant Enterprise Log Management, and Network Analysis functions. Includes integrated NitroView Receiver for collection of third party feeds. 1 TB local storage. 1U appliance.
  Collection rate: 1,000 events/sec


Beyond SIEM & Log Management
Complementing powerful analytics with advanced network, database and application monitoring

While most SIEM solutions require you to "tune" existing log and event sources in order to minimize the data being managed, the value of NitroView increases as more information is added. That's why NitroSecurity built a fully integrated suite of monitoring appliances to help obtain that information.

Every one of our appliances is fully integrated, leveraging the power and flexibility of NitroView ESM for central device and policy management in addition to information and event management, providing everything you need to deploy, maintain and operate a cohesive security monitoring and management strategy—all in a "single pane of glass."

NitroView Application Data Monitor (ADM)
NitroView ADM provides deep packet inspection of all application traffic, providing full decode of application data and meta-data, for maximum visibility into how applications are being used in your network. All traffic is monitored for anomalies or for specific policy violations, making NitroView ADM an ideal detector of risk, fraud and data loss. All violations are logged, creating a clear audit trail to meet regulatory requirements.

NitroView Database Monitor (DBM)
NitroView DBM is a complete database protection solution that delivers non-intrusive, detailed security logging by monitoring all access to sensitive corporate and customer data. NitroView DBM's pre-defined rules and reports, privacy-friendly logging features and encrypted, time-stamped files make it easy to comply with the specific data access regulations required by PCI-DSS, HIPAA, NERC-CIP, FISMA, GLBA, SOX and others.

NitroGuard Intrusion Prevention System (IPS)
NitroGuard is an intrusion prevention appliance that actively detects, analyzes, and protects networks from security attacks, including viruses, worms, spyware, DDoS attacks, malware, and zero-day attacks. Through its integration with NitroView ESM, NitroGuard IPS is able to dynamically react to larger indications of risk and threats that can only be detected when looking at all event and network activity holistically. Once discovered, NitroView can tell the relevant NitroGuard IPS device to blacklist that traffic, mitigating the event.

FIPS 140-2 Level 2 Validated
Common Criteria EAL3 Certified

For more information
Call: 1-888-LOG-SIEM

Corporate Headquarters
230 Commerce Way, Suite 325
Portsmouth, NH 03801, USA
Main Phone: 603.766.8160
Main Fax: 603.766.8169
www.nitrosecurity.com
rev020811
