Yesterday, we kicked off our Correlation Mini-Series by discussing Identity Correlation. Today, In the second installment of that mini-series, we’ll discuss what we see as the second most frequent type of correlation we run into, event correlation.
Event correlation looks at events occurring during a specific period of time. It is the process of examining events, pinpointing the interactions of those events and determining which events and event interactions are important. In the context of IT security, event correlation is handled by a Security Information and Event Management system (SIEM) and involves looking at events from multiple source systems to identify potential risks. Event correlation is usually performed in a separate correlation engine, which could receive each event as it happens or read it from SIEM stored data.
Examples of events monitored and managed in IT security could be user authentication, user access to systems and applications, physical access to a building, and output from an Intrusion Detection System.
When properly configured, a SIEM tool will determine event correlations and raise alerts when needed. For example, if Rachel Johnson logs into a computer in Sydney, but then swipes her employee badge at a door in Chicago, her organization’s SIEM tool would alert IT staff of this event correlation. Proper risk containment steps could then be initiated because the SIEM tool realized her dual locations are not possible.
How do Event Correlation and Identity Management Work Together?
SIEM products handle the actual event correlation within an organization, but they receive event logs from systems across the organization, like operating system logs, application logs, and physical security systems. An identity management platform would be a provider and producer of event data to a SIEM product, which would then build sophisticated correlation policies to examine events from multiple source systems to identify risks. Most identity management products also support alerts from a SIEM product for responding to risks. In the situation mentioned above where Rachel Johnson appeared to be in both Sydney and Chicago at the same time, an identity management product could take action, such as disabling her account, after receiving an alert from a SIEM product.
Don’t forget to read the post on Identity Correlation in our Correlation Mini-Series.
To learn more about all three types of correlation, download our free guidebook, Do You Need Correlation?