Central Monitoring Platform
A summary of all log and event data and alarms from various components (firewalls, IDS, servers, routers, etc.) is kept on a central monitoring platform. The log and event data is converted to a uniform format (normalisation) and unnecessary data is filtered out.
 

Real-Time Threat Analysis
A real-time correlation of data and events is carried out using various methods (impact, statistical and rule-based correlation). This yields a reduction in false-positive reports and false alarms while focusing on real and important events.

Examination and Countermeasures
The established potential threat is examined and the necessary countermeasures to remedy the threat are taken (for example patch installation or adjusting the IDS or firewall systems).

Reporting and Audits
«Real-time» and historic reports of security-relevant events are generated and used for an audit (for example SOX, ISO 17799 / BS 7799 reports)