The Log Analysis Engine uses a highly tunable algorithm to classify network activity as normal or abnormal. When a countermeasure is required, the Analysis Engine issues a command to the relevant router(s) to block the offending IP address.
To keep the automated response from itself causing a denial of service, the V-SOC has built-in safeguards against a massive automated "block all" condition, which could in principle occur if a burst of false alerts triggered blocks in rapid succession. Conversely, during a known security threat outbreak (e.g., Code Red, Sasser, Nimda) these safeguards are deliberately disabled, and the V-SOC blocks every event until the outbreak is contained; in that mode the risk of blocking some legitimate traffic is accepted in exchange for stopping propagation.
The Log Database is not only a report repository; it is an integral part of the system that keeps track of the location of devices (i.e., which router to issue a block to), the system's users, the owners of specific IP address ranges, and other data needed to provide a comprehensive view of the enterprise's security posture. The Log Database also provides search and analysis capabilities that support forensic investigation.
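The two preceding paragraphs describe a response loop: an alert is resolved against inventory data (which router fronts the targeted range, who owns it), a block is issued, and a safeguard stops the loop from blocking everything during a false-alert storm unless an outbreak has been declared. The following is an added example, written for this page and not the V-SOC's own code, that implements that loop in Python. The inventory table, the "never block" list, the rate window, and all router, owner and IP values are constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed inventory standing in for the Log Database's device and owner
# records (hypothetical names and ranges, not the V-SOC's own schema).
INVENTORY = [
    (ipaddress.ip_network("203.0.113.0/24"), "edge-rtr-1", "web-team"),
    (ipaddress.ip_network("198.51.100.0/24"), "edge-rtr-2", "mail-team"),
]

# Sources that must never be blocked automatically, whatever the alert says:
# an internal scanner misclassified as hostile must not cut the enterprise
# off from itself. Constructed ranges.
NEVER_BLOCK = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def lookup_target(dst_ip):
    """Return (router, owner) fronting dst_ip, or (None, None) if unknown."""
    addr = ipaddress.ip_address(dst_ip)
    for net, router, owner in INVENTORY:
        if addr in net:
            return router, owner
    return None, None


class BlockController:
    """Issues router block commands with a rate safeguard and an outbreak override.

    Timestamps (seconds) are passed in explicitly so the behaviour is
    deterministic and testable; a live deployment would use a monotonic clock.
    """

    def __init__(self, max_blocks, window_seconds):
        self.max_blocks = max_blocks      # blocks allowed per window
        self.window = window_seconds
        self.recent = []                  # timestamps of blocks inside the window
        self.outbreak_mode = False        # set True when an outbreak is declared
        self.commands = []                # (router, blocked_ip) commands issued
        self.escalations = []             # alerts held for an analyst instead

    def handle_alert(self, src_ip, dst_ip, now):
        src = ipaddress.ip_address(src_ip)
        router, owner = lookup_target(dst_ip)
        if router is None:
            return "unknown-target"        # nowhere to block; log only
        if any(src in net for net in NEVER_BLOCK):
            return "protected-source"
        # Age out block timestamps that have left the window.
        self.recent = [t for t in self.recent if now - t < self.window]
        if not self.outbreak_mode and len(self.recent) >= self.max_blocks:
            # Safeguard: too many blocks too fast looks like a false-alert
            # storm, so stop automating and hand the alert to a human.
            self.escalations.append((src_ip, dst_ip, owner))
            return "escalated"
        self.recent.append(now)
        self.commands.append((router, str(src)))
        return "blocked"


def demo():
    """Run constructed alerts through the controller; returns the outcomes."""
    ctl = BlockController(max_blocks=3, window_seconds=60)
    outcomes = []
    # Four alerts within 6 seconds: the fourth trips the safeguard.
    for i in range(4):
        outcomes.append(ctl.handle_alert(f"192.0.2.{i + 1}", "203.0.113.10", now=i * 2.0))
    # An internal source is refused regardless of remaining budget.
    outcomes.append(ctl.handle_alert("10.1.2.3", "198.51.100.5", now=7.0))
    # Outbreak declared: the safeguard is off and blocking resumes at once.
    ctl.outbreak_mode = True
    outcomes.append(ctl.handle_alert("192.0.2.50", "198.51.100.5", now=8.0))
    return outcomes, ctl.commands, ctl.escalations


if __name__ == "__main__":
    print(demo())
```

The safeguard is a simple sliding-window budget: once the budget is spent, further alerts are queued for an analyst rather than turned into router commands, which is the fail-safe the text describes. Flipping `outbreak_mode` removes that budget entirely, so the switch itself deserves the same change control as any other high-impact action.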