C5i | Commanding Intelligent Security

Securing Your Organization

Services

As organizations continue to use the Internet to expedite business processes, the security risk to information increases. Today, many organizations provide network access to partners, suppliers, customers, and mobile employees, increasing exposure to people with ill intent. Although these organizations may have established strong perimeter security, that is only a first line of defense. For an organization to effectively safeguard critical information, it takes more than integrating the latest security hardware and software. A complete security program that includes 24x7x365 management and monitoring, real-time security intelligence, as well as a staff of highly trained security experts is key to keeping pace with today's increasingly complex and frequent network security threats.

The only way for security professionals to stay on top of potential threats is to analyze every log and alert produced by security and network devices. The challenge is to distinguish false-positive (non-hazardous) events, such as the traffic naturally produced by routers, switches, operating systems and applications, from real threats. Devices and programs regularly generate millions of log records in a single day; the objective is to identify the few messages that actually indicate a real security concern.

C5i's DEFCON Event Monitoring and Management services provide real-time, proactive protection from attacks and enable organizations to reduce their overall security risk while helping customers gain unmatched control and efficiency over their security environments.

C5i's unique Security Operations Center (SOC) technology platform integrates real-time security alerts from a client's network with global intelligence on security threat activity. The result is a fast and accurate analysis of a client's vulnerability risk. This system enables C5i security analysts to quickly identify activity not only from known security threats but also from emerging ones. C5i can then rapidly notify customers and initiate precautionary procedures to track the source of the attack and minimize exposure and damage.

Some of C5i's unique DEFCON Event services include:

Data collection and normalization

Data collection and normalization is a process by which security device data (e.g., firewall logs, IDS alerts, etc.) are collected and transformed into a standard format regardless of device type and brand. Data normalization is essential to effective security monitoring, as it enables C5i to use a standardized set of queries to mine security device data and isolate signs of malicious activity.

Data mining

Data mining is a process in which an automated system continuously queries security data to isolate signs of malicious activity. This process separates malicious network traffic from legitimate network traffic.

Automated correlation

Automated correlation is the grouping of individual signs of malicious activity by logical criteria, such as the source, type, and destination of an attack. The result of this process is the rapid reconstruction of an attack, enabling C5i SOC engineers to comprehend the scale and potential threat of an attack. Without automated correlation, security analysts would be forced to manually piece together attack sequences by scrolling through millions of lines of security device data. Even on networks with a relatively low volume of traffic, this task is too complex to handle manually and does not scale.
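The normalization and correlation steps described above, as an added example in Python (not C5i's platform or code): two constructed log formats, a netfilter-style firewall line and a Snort-style IDS alert, are parsed into one schema, benign records are dropped in the mining step, and the rest are grouped by source and destination so one attacker's sequence is reconstructed. The sample lines, regular expressions and field names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records from two device types; not real customer data.
FIREWALL_LOGS = [
    "Mar 10 09:14:01 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 10 09:14:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Mar 10 09:14:03 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.0.8 PROTO=TCP DPT=443",
    "this line is garbage and must be rejected by the parser",
]
IDS_ALERTS = [
    "03/10-09:14:05 [**] [1:1000001:1] constructed: possible SSH scan [**] {TCP} 198.51.100.23:51234 -> 10.0.0.5:22",
]

# Assumed formats: a netfilter-style firewall line and a Snort-style fast alert.
FW_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<dev>\S+) kernel: (?P<action>\w+) "
                   r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dport>\d+))?")
IDS_RE = re.compile(r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
                    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def normalize(line, device):
    """Map one raw line to the common schema, or return None if it does not parse."""
    m = (FW_RE if device == "firewall" else IDS_RE).match(line)
    if not m:
        return None
    event_type = "fw_" + m["action"].lower() if device == "firewall" else "ids_alert"
    return {"device": device, "src": m["src"], "dst": m["dst"], "dport": m["dport"],
            "proto": m["proto"], "type": event_type}

def mine(events):
    """Data-mining step: keep only records that are signs of malicious activity."""
    return [e for e in events if e["type"] in ("fw_drop", "ids_alert")]

def correlate(events):
    """Group suspicious events by (src, dst) so one attacker's sequence is reconstructed."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "types": set(), "devices": set()})
    for e in mine(events):
        g = groups[(e["src"], e["dst"])]
        g["count"] += 1
        g["ports"].add(e["dport"])
        g["types"].add(e["type"])
        g["devices"].add(e["device"])
    return dict(groups)

def run():
    """Collect, normalize, mine and correlate the constructed sample data."""
    events = [normalize(l, "firewall") for l in FIREWALL_LOGS] + [normalize(l, "ids") for l in IDS_ALERTS]
    return correlate([e for e in events if e is not None])

if __name__ == "__main__":
    for key, g in run().items():
        print(key, g)
```

The accepted HTTPS connection from 203.0.113.9 never reaches the correlation output, while the two drops and the IDS alert from 198.51.100.23 collapse into one group spanning both devices.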

Human response to security events

Human response to security events is the process in which C5i security engineers continuously review security events generated by the correlation process and then determine an appropriate response. Depending upon the nature of the event, actions may range from simple client notification to immediate involvement of law enforcement. In most cases, C5i SOC engineers are able to immediately determine the geographic location of the attacker, down to the country, region, state, city or zip code level. Having experts review security events on a 24x7x365 basis is a critical element of every managed security service, and the analysts are responsible for quickly determining an appropriate response to every security event the correlation process generates.

Event reporting

Event reporting is the process by which clients are notified about security events detected on their network. Depending upon the nature of the event, reporting can be handled and escalated based upon a number of factors and through a number of methods, including immediate voice notification, e-mail, pager, SMS, or a trouble ticket on our web portal.