Correlation within a module and cross-correlation of information from different modules lead to high-quality detection of risks and security problems and a comprehensive view of the activities in the company.
In organizations, information is often held in silos and may therefore be neglected or underused. Correlating logs with vulnerabilities, IDS data, Log Data Analytics findings and numerous other data provides a new type of general overview of security-relevant data.
Correlation and cross-correlation are based on rules, policies and self-learning algorithms. Rules are predefined to recognize patterns; they are continuously expanded and tailored to the needs of the customer. Policies are used to determine whether specific actions are taking place at the right time and in the right place. Self-learning algorithms give the correlation engine the ability to learn to distinguish between normal and abnormal occurrences and to detect changes in behavior in applications, servers and other network areas. Examples of abnormality detection are use outside of business hours, excessive use of applications or other IT services, and patterns of network traffic over time and compared to past periods (taking into account daily, weekly, monthly and seasonal fluctuations).
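The three mechanisms described above can be sketched in a few functions. This is an added example, not the vendor's correlation engine; all hosts, users, signatures, thresholds and function names are constructed for illustration, and a simple same-hour-of-week deviation check stands in for the self-learning component.

```python
from datetime import datetime
from statistics import mean, stdev

# Constructed sample data from three "silos": vulnerability scan, IDS, login logs.
VULNS = {("10.0.0.5", 445): "SMB service missing patch (placeholder finding)"}
IDS_ALERTS = [
    {"ts": "2024-03-04T10:15:00", "dst": "10.0.0.5", "port": 445, "sig": "SMB exploit attempt"},
    {"ts": "2024-03-04T10:20:00", "dst": "10.0.0.9", "port": 445, "sig": "SMB exploit attempt"},
]
LOGINS = [
    {"ts": "2024-03-04T09:30:00", "user": "alice", "host": "10.0.0.5"},
    {"ts": "2024-03-05T02:40:00", "user": "svc_backup", "host": "10.0.0.5"},
]
# Traffic volume seen in the same (weekday, hour) slot in past weeks; Monday is 0.
BASELINE = {(0, 10): [120, 130, 110, 125, 115]}

def rule_ids_hits_vulnerable(alerts, vulns):
    """Rule: keep IDS alerts whose target host and port have a known vulnerability."""
    return [dict(a, vuln=vulns[(a["dst"], a["port"])])
            for a in alerts if (a["dst"], a["port"]) in vulns]

def policy_business_hours(events, start=8, end=18):
    """Policy: return events outside Monday-Friday, start <= hour < end."""
    flagged = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if t.weekday() >= 5 or not (start <= t.hour < end):
            flagged.append(e)
    return flagged

def baseline_anomaly(ts, value, baseline, threshold=3.0):
    """Compare a value with past values of the same hour-of-week slot, so the
    normal daily and weekly rhythm is not flagged. None means too little history."""
    t = datetime.fromisoformat(ts)
    hist = baseline.get((t.weekday(), t.hour), [])
    if len(hist) < 3:
        return None
    sd = stdev(hist)
    if sd == 0:
        return value != mean(hist)
    return abs(value - mean(hist)) / sd > threshold

def correlate(alerts, vulns, logins):
    """Cross-correlation: off-hours logins on hosts that also have an IDS alert
    against a vulnerable service. Each signal alone is weaker than the combination."""
    hot = {a["dst"] for a in rule_ids_hits_vulnerable(alerts, vulns)}
    return [e for e in policy_business_hours(logins) if e["host"] in hot]

if __name__ == "__main__":
    print(correlate(IDS_ALERTS, VULNS, LOGINS))
    print(baseline_anomaly("2024-03-04T10:00:00", 400, BASELINE))
```

The alert against 10.0.0.9 is dropped because no vulnerability record matches it, which is the noise reduction that joining the silos provides.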