
Security Information Manager - Architecture

Created: 24 Jan 2013 | 6 comments

Hello,

I am working on updating an old architecture diagram for our current Security configuration. We are using Critical System Protection as well as a few other Security products. Is there a way to tell how and where SIM is collecting the events? Does the SIM event collector look directly to the CSP Database, or CSP Management Server, or does SIM have its own database and is perhaps similar to CSP and have agents which forward events to that Database?

Any clarification on this would be great.

Thank you

-D


Avkash K:

Hi,

SSIM is an independent security information manager, which has its own DB to store the event and alert data.

You can collect the events from CSP separately.

You can have the SSIM Agents collecting the data from different sources,

or you can configure the SSIM to remotely pull the data (requires changes as per the integration).

If you currently have SSIM installed in your environment and you have some agents collecting events for you, then you can have a look at the visual connection of your SSIM to the different log sources from your SSIM Console.

Hope that helps you

Regards,

Avkash K

ddemers@cvs:

Thanks Avkash.

Is there a way to tell, either in the client software or the web client, how the environment is configured? I need to know how the CSP events are getting pulled to the SSIM event collector. Does the SSIM event collector contact and pull logs directly from the CSP Database, or does the collector grab those events a different way?

Thanks.

-D

Avkash K:

As per my knowledge, CSP might be using MS SQL.

If that is the case, then there are two ways to collect the logs from any DB.

One is that you have an Agent and collector installed on the target machine, which will be forwarding DB logs to SSIM.

The other is that you can remotely fetch the DB logs over a JDBC connection to the DB, using JDBC drivers.

In the SSIM Console, check the sensor configuration done for CSP, and check in the properties of that config for the Agent added to distribute that config.

If the IP you can see in the properties is your target DB machine, then you might have the agent and collector installed on your target machine.

 

Hope that helps you!!

Regards,

Avkash K

GarethR:

In the setup used here, the SSIM Event Agent and the CSP collector are installed on the CSP Manager server, which uses JDBC to connect to the SQL Database and collect the logs. (I think it's easier to configure the JDBC connection from a Windows-based Event Agent.) I guess it could also be installed directly on the SQL Server, but the DB admin might not like that. The event agent uses the standard Event Agent connection over port 443 to send to your SSIM. View the System tile/Visualizer tab on the SSIM console to understand your setup better.

We have found a complete lack of SCSP product-specific queries, but many of the HIPS queries and some SCS queries can apply. The Asset table is not automatically populated, and having added it to the list for Rules/Monitors/System Monitors/Asset Detector, SSIM is only getting the IP address in the host name field. Very disappointing!!

Happy to help.

Gareth Rhys

Managed Services, SSIM, SCSP, SEP
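An added check, written for this thread and not taken from it or from Symantec, for the question of where collection actually happens: given `netstat -n` style output from the host that carries the SSIM Event Agent, it reports whether that host is pulling the CSP database over JDBC, forwarding to SSIM over 443, or reading a SQL Server on the same box. The IP addresses are constructed, and the use of 1433 as the SQL Server listener port is an assumption, not something the thread states.

```python
import re

SQL_PORT = 1433   # MS SQL Server default listener (assumption, not from the thread)
SSIM_PORT = 443   # Event Agent -> SSIM session, as GarethR describes

# Matches `netstat -n` TCP rows (Windows layout); any other row is skipped.
ROW_RE = re.compile(r"^\s*TCP\s+([\d.]+):(\d+)\s+([\d.]+):(\d+)\s+(\w+)")

def parse_netstat(lines):
    """Yield (local_ip, remote_ip, remote_port, state) for each TCP row."""
    for line in lines:
        m = ROW_RE.match(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4)), m.group(5)

def collection_paths(lines, sql_hosts, ssim_hosts):
    """Classify established sessions into the flows SSIM collection uses."""
    flows = {"jdbc_to_sql": set(), "agent_to_ssim": set(), "local_sql": False}
    for local_ip, rip, rport, state in parse_netstat(lines):
        if state != "ESTABLISHED":
            continue
        if rport == SQL_PORT and rip in sql_hosts:
            flows["jdbc_to_sql"].add(rip)        # remote JDBC pull from the CSP DB
        if rport == SQL_PORT and rip in ("127.0.0.1", local_ip):
            flows["local_sql"] = True            # agent sits on the SQL Server itself
        if rport == SSIM_PORT and rip in ssim_hosts:
            flows["agent_to_ssim"].add(rip)      # Event Agent forwarding to SSIM
    return flows

def describe(flows):
    """One-line verdict on how this host takes part in CSP event collection."""
    if flows["local_sql"]:
        return "agent on the SQL Server itself, reading the CSP DB locally"
    if flows["jdbc_to_sql"] and flows["agent_to_ssim"]:
        return "agent on this host pulls the CSP DB via JDBC and forwards to SSIM on 443"
    if flows["agent_to_ssim"]:
        return "agent on this host forwards to SSIM, but no CSP DB pull is seen here"
    return "no SSIM collection flow observed on this host"

# Constructed sample as it might look on a CSP Manager host (10.0.5.20); IPs are made up.
SAMPLE_NETSTAT = [
    "  TCP    10.0.5.20:51234        10.0.5.30:1433         ESTABLISHED",  # SQL Server
    "  TCP    10.0.5.20:51240        10.0.5.10:443          ESTABLISHED",  # SSIM
    "  TCP    10.0.5.20:3389         10.0.9.7:55012         ESTABLISHED",  # unrelated RDP
]

if __name__ == "__main__":
    result = collection_paths(SAMPLE_NETSTAT, sql_hosts={"10.0.5.30"}, ssim_hosts={"10.0.5.10"})
    print(describe(result))
```

Run it against real `netstat -n` output on the CSP Manager host and on the SQL Server to confirm which of the two layouts described above is in place before drawing it into the diagram.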

Milan_T:

For details on how SSIM works, how it fetches event data, how it stores data and correlation rules, etc., you can refer to the SSIM Admin Guide.

It will help guide you through the detailed architecture of SSIM.
Click on the link below to get the SSIM Admin Guide.
It is very small (i.e. 38 pages) to refer to, but it can clear up your concepts for SSIM.
 
Tush_B:

As avkash_k informed, SSIM and CSP are both independent products.

To monitor the CSP database you need to enable login data on CSP and give authority to SSIM so that it can fetch audit/transaction logs from CSP.

Also, if you have a CSP Management Server, you can configure the CSP Management Server to collect the database's audit and transaction data at one CSP Management Server and tell SSIM to fetch data from the CSP Management Server.

For this configuration you will have to provide the appropriate permission and path/direction to SSIM to fetch such data.