As the name implies, LCE is all about processing system logs and putting some sense to them in the form of intelligence and correlation. Its primary function is to collect, normalize and analyze logs from devices throughout the network. This, in turn, allows it to identify threats and vulnerabilities in real time.
LCE accomplishes that by analysis and data correlation from firewalls, intrusion detection and prevention systems, and data leakage prevention solutions, as well as from raw network traffic, application logs and user activity. The product also features an added bonus: the capability to perform traffic inspection, monitoring and analysis via NetFlow data, which many SIEM products cannot do.
Tenable has a focus on performance and claims that LCE can normalize and analyze one billion events in as little as 10 seconds, which speeds remediation efforts. Many of LCE's capabilities come from an anomaly detection engine that works hand in hand with event correlation to create statistical profiles, which trigger alerts when unusual behavior and never-before-seen events occur.
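To illustrate the profile-and-alert idea described above, here is an added Python example written for this review (not LCE's own logic): it normalizes constructed syslog-style lines into event types, builds a per-host statistical profile from baseline windows, and alerts on never-before-seen event types and on volume spikes. The regexes, normalization rules and sample lines are all assumptions.

```python
import re
import statistics
from collections import Counter

# Hypothetical normalization: "<host> <program>[pid]: <message>" lines mapped to event types.
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
RULES = [
    (re.compile(r"Failed password"), "ssh_auth_failure"),
    (re.compile(r"Accepted (password|publickey)"), "ssh_auth_success"),
    (re.compile(r"session opened"), "sudo_session"),
]
# Constructed sample data: three quiet baseline windows, then one window to check.
BASELINE = [
    ["web01 sshd[101]: Accepted publickey for ops from 10.0.0.5",
     "web01 sshd[102]: Failed password for ops from 10.0.0.5"],
    ["web01 sshd[103]: Accepted publickey for ops from 10.0.0.5",
     "web01 sshd[104]: Failed password for ops from 10.0.0.5"],
    ["web01 sshd[105]: Accepted password for ops from 10.0.0.5"],
]
TODAY = (["web01 sshd[200]: Failed password for root from 198.51.100.7"] * 12
         + ["db01 sudo: pam_unix(sudo:session): session opened for user root"])

def normalize(line):
    """Map a raw line to a (host, event_type) pair; None if it is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for pattern, event_type in RULES:
        if pattern.search(m.group("msg")):
            return (m.group("host"), event_type)
    return (m.group("host"), "unknown:" + m.group("prog"))

def build_profile(windows):
    """Statistical profile: per (host, type), mean and stdev of events per window."""
    counts = [Counter(e for e in map(normalize, w) if e) for w in windows]
    return {k: (statistics.mean([c.get(k, 0) for c in counts]),
                statistics.pstdev([c.get(k, 0) for c in counts]))
            for k in set().union(*counts)}

def detect(profile, window, z=3.0):
    """Alert on never-before-seen (host, type) pairs and counts above mean + z*stdev."""
    alerts = []
    for key, n in Counter(e for e in map(normalize, window) if e).items():
        if key not in profile:
            alerts.append(("never_seen", key, n))
        else:
            mean, sd = profile[key]
            if n > mean + z * max(sd, 1.0):  # floor stdev so a flat baseline still needs a real spike
                alerts.append(("volume_anomaly", key, n))
    return alerts
```

Running `detect(build_profile(BASELINE), TODAY)` yields one volume alert for the burst of SSH failures on web01 and one never-seen alert for the sudo session on db01.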
Simply put, LCE is one of the most sophisticated SIEM solutions on the market. However, that sophistication comes at a price - one that consists of a dedicated Linux (Red Hat or CentOS) server and a significant investment in licensing fees. Still, those costs are offset by the high performance offered and the advanced capabilities included in the product.
LCE proves to be one of the more complex products to install and provision, requiring some Linux knowledge and a significant familiarity with networking devices and communications. Nevertheless, that setup complexity is offset by the product's easy-to-use GUI, which breaks events and devices up into manageable chunks so as to correlate directly with managed assets.
LCE shows real promise when integrated with Tenable's other products and wrapped under the company's top-of-the-line SecurityCenter product. Even alone, though, LCE offers some pretty amazing capabilities, such as 3D visualizations, real-time log analysis and intrusion correlation.
It is clear that LCE is designed for larger, more complex, highly active networks where SIEM is just one part of a larger posture. Yet, the product doesn't require a scientist to understand what is going on. Sure, a modicum of network and security knowledge is required to effectively use LCE, but one can leave the doctorate at the university when looking to leverage LCE's abilities.