Improve your SIEM solution ROI with InTrust for centralized log management

We're excited to announce the launch of Quest InTrust version 11.4! Already a long-time leader in native event log management for Windows environments, InTrust version 11.4 now delivers reliable integration with leading SIEM tools, like Splunk, IBM QRadar and others. This integration enables you to slash your annual SIEM licensing costs. Simply put, you can store long-term event log data with InTrust and then filter and forward only relevant data to your existing SIEM solution for real-time security analytics. Let’s dive in deeper to see how this works.

Bridging the gap between compliance and analytics

Many organizations use Security Information and Event Management (SIEM) tools to aggregate operating system and application log data for compliance and threat analytics purposes. Per GB licensing fees used by leading SIEM tool vendors, however, can make those tools cost prohibitive as the long-term data stores required for demonstrating compliance for regulations like HIPAA, PCI, SOX and more.

InTrust 11.4 helps bridge the gap between collecting and storing data for compliance purposes and providing up-to-date events for threat analytics. Optimized for Windows native event log management, InTrust can collect and store massive volumes of data in a highly-compressed repository, 20:1 with indexing and 40:1 without. Additionally, one InTrust server can process up to 60,000 events per second. The combination of scalability, performance and readability makes InTrust the perfect vehicle for long-term event storage.

New UDP and TCP InTrust forwarding transport to Splunk, IBM QRadar, and other SIEMs ensures Windows event data reliably transfers to your SIEM tool of choice in near real time. InTrust 11.4 has improved forwarding parsing improvements, providing up to 15,000 EPS speed. Because this data has been enhanced for readability, it also improves troubleshooting efficiency for Microsoft infrastructure and central security teams. More importantly, by storing long-term data in InTrust and limiting SIEM data to what’s required for analytics, organizations can save hundreds of thousands of dollars in licensing costs annually.

Through thorough research and analysis of industry reports, and conversations with our customers, we understand the massive amount of data each user generates on infrastructure severs and their corresponding endpoints. With this information, we’ve been able to create a ROI tool that enables you to calculate an exact amount of cost-benefit that InTrust usage offers your organization. Based on the calculations in this tool, we estimate that using InTrust with Splunk in an organization of 10,000 users or more that generates 500 GB of event traffic daily could save as much as $200,000 per year in license fees.

Cybersecurity starts at the endpoint

Many security analysts and software market leaders agree that identity is the new perimeter. Proxies, firewalls and other network perimeter tools, although still relevant, cannot block your user from being tricked by clever socially engineered phishing attacks.

You could have best-in-class network security in place, but when one of your users clicks on that phishing link that was created hours ago specifically for your organization — this person’s endpoint workstation is the first attack surface inside your organization. With this new “assume breach” reality, advanced and detailed monitoring of endpoints inside your organization is extremely important.

This creates a challenge of collecting, storing and providing this data for analysis. Thousands of endpoints may generate up to several terabytes of data daily, quickly inflating your SIEM license and maintenance costs.

But InTrust was built to overcome this challenge without issue or license cost change. InTrust is capable of automatically deploying agents and scaling up to 10,000 endpoints per server and beyond, giving you more efficiency, scalability and substantial hardware cost savings. Multiple servers can be used for a fault-tolerance scenario or for hundreds of thousands of endpoints. And if you need more volume, you can simply add another InTrust server and divide the workload — scalability is virtually limitless.

Prioritize event log data by noise and severity and forward only critical data to SIEM

Several global security institutes and state security departments have published guidelines and recommendations regarding the importance of endpoint log data. For example, the Australian government recently released cyber-security guidelines with more than 20 types of event log data prioritized by importance and noise levels. This guideline could be very useful for determining which data should be kept in InTrust and which must be forwarded to your SIEM solution to drive security workflows and response measures.

Sysmon logs as a new, rising star of endpoint monitoring

Although Sysmon has been known for years, only recent recommendations from cybersecurity experts increased the use of this former sysinternals tool for security purposes.

The service is well protected against harmful configuration modifications and enables the collection of highly valuable security-related data, such as launched processes with their security context and file hashes as well as initiated network connections from endpoint to other destinations.

However, according to several estimations, the most important data on a real workplace endpoint could generate an event forwarding flow of up to 500 MB per day — which easily crosses the terabyte-per-day value for large organizations.

There are, however, recommendations and techniques on how to reduce the amount of data collected. InTrust enables organizations to choose their desired level of detail without compromising your log management solution license costs.

Want to learn more?

Get a free 30-day trial of InTrust to try in your environment.

Get started