BlackStratus Log Storm v22.214.171.124
Strengths: Simple to use as well as a large list of agent modules
Weaknesses: There is a need for more prepared policies and reports to help non-expert users
Verdict: This is a quality product with great potential
BlackStratus Log Storm combines log management and security information management with correlation technology, real-time monitoring and an integrated incident response system. The tool analyses all event messages to identify patterns of attack, filters out false positives and prioritises critical events. Incident information is accessible from nearly all screens within the Log Storm GUI.
This product improves the quality of alerts by incorporating vulnerability data into its correlation technology, allowing administrators to better determine whether the monitored assets are actually vulnerable to a given threat. Another interesting feature is its behaviour-based analytics, which aid in identifying new attacks that follow patterns similar to past attacks but use different types of connections in an attempt to bypass signature-based countermeasures.
The workflow management functions provide best-practice recommendations for remediation, mitigation, centralised case tracking and automated notification, so incident response personnel know what to do and administrators have clear insight into the actions of their team. Log Storm provides an array of reports to aid in investigating incidents and preparing for audits, including the standard compliance package of PCI, SOX, HIPAA, GLBA, FISMA and ISO. It uses AES-256 encryption for the logs.
BlackStratus Log Storm was delivered to our lab as an appliance, along with initial setup and quick-start guides. Following the instructions provided made the application configuration go well. Identifying networks, registering assets and adding systems and devices was straightforward and we were impressed with the list of agent types that were available.
We found the dashboard to be fairly easy to navigate, although it took some time to learn the features under each tab. The help function was easy to read and the instructions for most tasks were simple to follow. We had some trouble creating the custom rules we wanted for testing, as we did not find a way to create keywords inside the rules. The intention was to generate an alert trigger and an incident on detection of common hacker tools being downloaded and used on the network. However, it should be noted that the system rules were easy to set up and modify.
Case management was easy to set up, and within each case there was a simple workflow to follow. The ability to attach files to the case was a plus, as was the ability to make free-form notes. This lent a degree of familiarity to the forensic-style investigation, as the notes were time-stamped and the author identified; once saved, the notes could not be modified. Reporting was fairly rudimentary. The Crystal Reports backend allows for nearly unlimited custom development of reports, which is good if the expertise exists in the organisation.
The product could be improved by providing more 'canned' reports, as well as more system rules similar to the great work that was done in developing the system agents, especially for organisations that do not have the resources to spend on development work.
Support is divided into multiple tiers beginning with 24/7/365 no-cost service during the product trial period. Pay-for-services options include three levels: platinum, gold and standard. All three include: virtual helpdesk and troubleshooting information online; software and signature updates; expert help for managing security incidents; and delivery of new agents as they become available. In addition, BlackStratus provides assistance from its website via a product knowledgebase and FAQs section.
Overall, this product is properly priced and good value for an entry point into SIEM.