Tenable Network Security Log Correlation Engine v3.6
Strengths: Advanced analytics and impressive security event correlation.
Weaknesses: Can be complex and unwieldy to use on smaller networks.
Verdict: Expensive, but a capable SIEM that works best when paired with Tenable's other products.
Summary
Log Correlation Engine (LCE) from Tenable has been on the market for several years and has been steadily improved and updated to keep pace with the evolving demands of SIEM. The latest iteration of LCE is best seen as part of a bigger picture, which Tenable calls a unified security monitoring (USM) approach: the company combines security management with log analysis and vulnerability scanning. LCE is still a fine product when used independently of those other capabilities, but it is good to know that a larger, integrated platform is available for those looking to pursue a USM model.
As the name implies, LCE is all about processing system logs and making sense of them through intelligence and correlation. Its primary function is to collect, normalize and analyze logs from devices throughout the network, which in turn allows it to identify threats and vulnerabilities in real time.
LCE accomplishes that through analysis and correlation of data from firewalls, intrusion detection and prevention systems and data leakage prevention solutions, as well as from raw network traffic, application logs and user activity. As an added bonus, it can also perform traffic inspection, monitoring and analysis from NetFlow data, something many SIEM products cannot do.
Tenable has a focus on performance and claims that LCE can normalize and analyze one billion events in as little as 10 seconds, which speeds remediation. Much of LCE's capability comes from an anomaly detection engine that works hand in hand with event correlation to build statistical profiles of normal activity; alerts fire when behavior deviates from those profiles or when never-before-seen events occur.
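To make the three ideas in the preceding paragraphs concrete (normalizing raw logs, correlating events into an alert, and profiling activity so that spikes and never-before-seen events stand out), here is a small illustration in Python. It is an added example written for this review, not code from Tenable or LCE; the syslog lines, the hourly baseline counts, the event classifiers and the three-failures threshold are all constructed for the example and are not LCE's actual rules or formats.

```python
"""Toy log normalization, correlation and anomaly detection.

Added illustration only: this is not Tenable/LCE code. All log lines,
baseline figures and thresholds below are constructed for the example.
"""
import re
import statistics
from collections import Counter

# Constructed sample input (not real data): an SSH host and a firewall.
SAMPLE_LOGS = [
    "Mar 10 08:00:01 web01 sshd[1001]: Failed password for root from 203.0.113.9 port 51000 ssh2",
    "Mar 10 08:00:02 web01 sshd[1002]: Failed password for root from 203.0.113.9 port 51001 ssh2",
    "Mar 10 08:00:03 web01 sshd[1003]: Failed password for root from 203.0.113.9 port 51002 ssh2",
    "Mar 10 08:00:04 web01 sshd[1004]: Accepted password for root from 203.0.113.9 port 51003 ssh2",
    "Mar 10 08:00:05 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Mar 10 08:00:06 web01 sshd[1005]: Accepted publickey for deploy from 10.0.0.20 port 40000 ssh2",
    "Mar 10 08:00:07 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]

# Constructed baseline: events per hour for each (host, type) over seven prior
# hours. A real engine learns these profiles; here they are hard-coded.
BASELINE = {
    ("web01", "ssh_auth_failure"): [0, 1, 0, 0, 1, 0, 0],
    ("web01", "ssh_auth_success"): [2, 3, 2, 2, 3, 2, 2],
    ("fw01", "fw_drop"): [40, 35, 42, 38, 41, 39, 37],
}

# "Mon DD HH:MM:SS host program[pid]: message" (pid optional)
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\s([^\s:\[]+)(?:\[\d+\])?:\s(.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Ordered (pattern, normalized event type); first match wins.
CLASSIFIERS = [
    (re.compile(r"^Failed password"), "ssh_auth_failure"),
    (re.compile(r"^Accepted (password|publickey)"), "ssh_auth_success"),
    (re.compile(r"^DROP IN="), "fw_drop"),
    (re.compile(r"COMMAND="), "sudo_command"),
]


def normalize(line):
    """Parse one raw syslog line into a flat event dict with a normalized type."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable lines are dropped (a real engine would count them)
    ts, host, program, msg = m.groups()
    event_type = next((t for rx, t in CLASSIFIERS if rx.search(msg)), "unknown")
    ip = IP_RE.search(msg)  # first address: "from X" for sshd, SRC= for the firewall
    return {"ts": ts, "host": host, "program": program, "type": event_type,
            "src": ip.group(0) if ip else None, "msg": msg}


def correlate_brute_force(events, threshold=3):
    """Correlation rule: >= threshold auth failures from one source, then a success."""
    failures = Counter()
    alerts = []
    for e in events:
        key = (e["host"], e["src"])
        if e["type"] == "ssh_auth_failure":
            failures[key] += 1
        elif e["type"] == "ssh_auth_success":
            if failures[key] >= threshold:
                alerts.append({"rule": "brute_force_success", "host": e["host"],
                               "src": e["src"], "failures": failures[key]})
            failures[key] = 0  # a success closes the window for that source
    return alerts


def detect_anomalies(events, baseline, sigmas=3.0):
    """Flag never-before-seen (host, type) pairs and counts above mean + sigmas*stdev.

    A flat all-zero history has stdev 0, so any occurrence is a spike; that is the
    intended meaning of "this never normally happens here".
    """
    counts = Counter((e["host"], e["type"]) for e in events)
    alerts = []
    for key, n in sorted(counts.items()):
        history = baseline.get(key)
        if history is None:
            alerts.append({"kind": "never_seen", "key": key, "count": n})
            continue
        limit = statistics.mean(history) + sigmas * statistics.pstdev(history)
        if n > limit:
            alerts.append({"kind": "spike", "key": key, "count": n, "limit": round(limit, 2)})
    return alerts


def run_pipeline(lines, baseline=BASELINE):
    """Normalize, then run the correlation rule and the profile-based detector."""
    events = [e for e in (normalize(line) for line in lines) if e]
    return correlate_brute_force(events), detect_anomalies(events, baseline)


if __name__ == "__main__":
    for alert in (a for group in run_pipeline(SAMPLE_LOGS) for a in group):
        print(alert)
```

On the sample input the correlation rule fires once (three failures from 203.0.113.9 followed by an accepted password for root), the profile detector flags the burst of SSH failures on web01 as a spike against its near-zero baseline, and the sudo command is reported as never seen on that host, while the single firewall drop stays well inside its normal range. The point of the design is that correlation and profiling answer different questions: the rule encodes a known bad sequence, while the baseline catches volume and novelty without anyone having written a rule for them.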
Simply put, LCE is one of the most sophisticated SIEM solutions on the market. That sophistication comes at a price, however: a dedicated Linux (Red Hat or CentOS) server and a significant investment in licensing fees. Still, those costs are offset by the product's high performance and advanced capabilities.
LCE proves to be one of the more complex products to install and provision, requiring some Linux knowledge and a solid familiarity with networking devices and communications. That setup complexity is offset by the product's easy-to-use GUI, which breaks events and devices into manageable groups that map directly to managed assets.
LCE shows real promise when integrated with Tenable's other products under the company's top-of-the-line SecurityCenter. Even on its own, LCE offers impressive capabilities, such as 3D visualizations, real-time log analysis and intrusion correlation.
It is clear that LCE is designed for larger, more complex, highly active networks where SIEM is just one part of a broader security posture. Yet the product doesn't require a scientist to understand what is going on: a modicum of network and security knowledge is needed to use LCE effectively, but one can leave the doctorate at the university.