What if... connection is lost?

  • Question

  • Hi guys,

    we are planning to implement ATA in our company and have some questions:

    What happens if the gateway or the center loses the connection?

    - Are the data cached on the gateway?

    The ATA Center can send information to a SIEM tool. To define some actions (preventing) for special security threats, is this the only way?

    Greetings

    Thursday, October 15, 2015 6:05 AM

Answers

  • Hi,

    Network traffic is our most important source of data at the moment, and for GA we only need events to extend our PtH capabilities (you can get events via syslog or WEF).
    So to sum this up: we work great without events, but they can help to further protect against PtH (all of this is relevant for GA, of course).

    As for your question of how many ports we need for port mirroring, that only depends on your network topology and limits. ATA is agnostic to how we get the traffic (1 port for many DCs or 1 port per DC).

    If you have any other question on a different subject, I ask that you open a different thread.

    Thanks,

    The ATA Team.

    Saturday, October 17, 2015 2:28 PM

All replies

  • Hi,

    Yes, we do cache the data on the gateway in memory; once the communication resumes, it will resume the process of sending data to the center.

    I am not sure I understand your second question: "The ATA Center can send information to a SIEM tool. To define some actions (preventing) for special security threats is this the only way?"

    Can you ask this in a different way?

    Thanks,

    The ATA Team.

    Thursday, October 15, 2015 1:42 PM
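The store-and-forward behaviour described in the reply above (events held in gateway memory while the center is unreachable, then sent once the link returns) is easy to model, and the model makes the practical caveat visible: an in-memory cache is finite, so a long enough outage drops the oldest data. The following is an added illustration written for this thread, not ATA's own code; the `ForwardBuffer`, `CenterLink`, event strings and the `max_items` limit are all constructed here for the demonstration.

```python
"""Added example: a bounded in-memory store-and-forward buffer, modelled on the
gateway behaviour described in the thread. Illustrative code only; not ATA's
implementation. All names and sample events are constructed for this example."""
from collections import deque


class ForwardBuffer:
    """Deliver events immediately when possible; otherwise cache them in memory
    and resend them, in order, once delivery works again."""

    def __init__(self, send, max_items=1000):
        self._send = send            # callable(event) -> True if delivered
        self._queue = deque()        # in-memory cache of undelivered events
        self.max_items = max_items   # cap on cached events (memory is finite)
        self.dropped = 0             # count of events lost to the cap

    def submit(self, event):
        """Try to deliver now. If the link is down, or older events are still
        queued (so ordering must be preserved), keep the event in memory."""
        if not self._queue and self._send(event):
            return True
        self._enqueue(event)
        return False

    def _enqueue(self, event):
        if len(self._queue) >= self.max_items:
            self._queue.popleft()    # oldest cached event is lost
            self.dropped += 1
        self._queue.append(event)

    def flush(self):
        """Resend cached events oldest-first; stop at the first failure so a
        still-broken link does not reorder or lose anything further."""
        sent = 0
        while self._queue:
            if not self._send(self._queue[0]):
                break
            self._queue.popleft()
            sent += 1
        return sent

    def pending(self):
        return len(self._queue)


class CenterLink:
    """Constructed stand-in for the gateway-to-center channel."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, event):
        if not self.up:
            return False
        self.received.append(event)
        return True


def simulate_outage():
    """Walk through an outage: one event before, four during, then recovery.
    Returns (events the center received, events dropped, events resent)."""
    link = CenterLink()
    buf = ForwardBuffer(link.send, max_items=3)   # small cap to show the loss
    buf.submit("evt-1")                           # delivered directly
    link.up = False                               # connection lost
    for event in ("evt-2", "evt-3", "evt-4", "evt-5"):
        buf.submit(event)                         # cached; evt-2 is evicted
    link.up = True                                # connection resumes
    resent = buf.flush()
    return link.received, buf.dropped, resent


if __name__ == "__main__":
    received, dropped, resent = simulate_outage()
    print("received:", received)   # evt-2 is missing: the cache overflowed
    print("dropped:", dropped, "resent:", resent)
```

The point for a deployment is in `dropped`: whatever the cache size is, an outage longer than the cache can absorb loses the oldest data silently unless queue depth and gateway memory are monitored, so alerting on gateway-to-center connectivity is worth setting up alongside the gateway itself.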
  • Hey,

    thank you for your response. The second question we can forget. The ATA is an analytic tool and I thought about how I can define some actions against an attack, but if I stream the information to a SIEM I can specify some actions in there. So, never mind :D

    But I have some other questions... hope that's not a problem.

    As I understand, the ATA can read information from 3 sources: port mirroring, WEF, syslog. To use the most features from ATA, do all the sources need to be active, or can ATA detect all security problems with only one source (e.g. port mirroring only)? By the way, do I need one port on the gateway to receive all mirrored traffic, or one port on the gateway for each mirrored Domain Controller port?

    Best Regards


    • Edited by EliWallic, Friday, October 16, 2015 6:58 AM (Additional Question)
    Friday, October 16, 2015 5:19 AM