SecureWorks IDS/IPS

Summary

SecureWorks provides real-time, 24/7 monitor­ing and analysis of host logs, leveraging its proprietary Sherlock Security Management Platform. The company’s log monitoring service can capture, correlate and analyze log data from virtually any critical information asset.

The offering falls into the log monitoring and security event management (SEM) segment. Using its proprietary filtering and advanced correlation and logic engine rules, the Sherlock Platform analyzes all logs and alerts in real time and presents events of interest for assessment and response to a team of SANS GIAC-certified intrusion ana­lysts in the company’s counter­threat unit. The analysts attempt to identify malicious activity or policy violations. There are no agents to load on client-side equipment. Logs and event data can be transferred to the SecureWorks servers via several supported methods.

Events are reported via the portal in real time, providing clients with full visibility into secu­rity issues and policy violations within their environment. A full-ticket tracking system is available for managing client requests and monitoring progress on various monitored situations. The portal also features asset-based report­ing allowing users to easily view the security and compliance activity across their environment, as well as demonstrate compli­ance with various regulatory requirements.

As with most managed log monitoring solutions, client data is stored in a shared repository. SecureWorks can provide log detail back to clients in XML format for use in other analysis tools or for incident response.

We were impressed with both the canned and custom reporting capabilities. The user dashboard is fully customizable and easy to use. Alerting is very granular and based on a per asset basis, i.e., set a phone alert for a critical asset versus send email for a less critical asset. There is also an option for keeping the assets up-to-date by conducting user-configured network scans. We liked what we saw.