CorreLog SIEM Technology Synopsis

1. Correlog Market and Technology Overview Account Executive September 18, 2009

2. The SIEM Market Continues to Grow The SIEM market grew about 30% in 2008, with total revenue at approximately $1 billion. Demand for SIEM remains strong (there is still a growing number of funded projects), but we are seeing a more tactical focus, with Phase 1 deployments that are narrower in scope. Despite a difficult environment, we still expect healthy revenue growth for 2009 in this segment. – Gartner May 2009

3. Companies Continue to Struggle with SIEM “The majority of respondents have not yet achieved those quantifiable benefits, and in some cases are seeing increases in audit deficiencies, security incidents, and operational costs associated with security management.” – May 19, 2009 Study on Current SIEM Deployments

4. Why? The Enterprise Challenge How do I prioritize network security environment? (AV, web filtering, endpoint encryption, malware, host DLP, firewalls, switches, DB servers, application servers, etc.)? Rapidly changing threat environment With hundreds of GB of event data, how do I determine what is relevant to my organization?

5. Why? The Enterprise Challenge (continued) Where are the REAL threats and vulnerabilities? How can I reduce false-positives? Where do I deploy my best resources? How do I automate the analysis and decision-making process to manage all that data? Can I leverage the investment in my existing infrastructure? How does that automation ensure compliance?

7. Core team developed “Sentry Enterprise Manager” Network Management solution

8. Company sold original Sentry technology to Allen Systems Group in 2001

9. Original investors and developers created CorreLog in 2008

10. More than 200 customers globally, including:

11. US State Department

12. Juniper Networks

13. American Express

14. Thrivent Financial

16. CorreLog furnishes an essential viewpoint on the activity of users, devices, and applications to proactively meet regulatory requirements, and provide verifiable information security. CorreLog automatically identifies and responds to network attacks, suspicious behavior and policy violations by collecting, indexing and correlating user activity and event data to pinpoint security threats, allowing organizations to respond quickly to compliance violations, policy breaches, cyber attacks and insider threats.

20. Cross-Platform Correlation CorreLog finds meaning in vast amounts of logs, events, and syslog data, by translating them into messages. It uses the following unique correlation components: Threads: partitioning of raw message data into categories based on match patterns (i.e. keyword, device type, time interval, etc.) Alerts: counts messages received by threads and generates a new message when defined thresholds are exceeded. Generated messages can be fed back into CorreLog for further correlation

21. Cross-Platform Correlation Correlation Components (continued) Actions: ability to take action on a message when correlation rules are satisfied, such as running a program, send a notification, update a database, generate a log file, send SNMP Trap, or open a helpdesk ticket. Tickets: the highest level of correlation, where specific correlated patterns generate incident tickets that are assigned to specific users and groups.

22. Who to call on Network Admin VP of IT Security CISO Compliance and Audit

23. Questions to ask What are the endpoints and platforms that you collect log data? Are there any devices you are unable to collect log data from currently? Are you able to correlate security events on these platforms and efficiently secure your enterprise? Can you perform queries on all the IT data in your environment?

25. High Speed Indexing – Searching done in Google-like fashion to produce quick and accurate queries. No reliance on open databases or 3rd parties

26. Mainframe Agent– Ability to correlate security log events occurring on IBM mainframes and security solutions RACF, CA-ACF2, and CA-Top Secret

27. Flexible Reporting – Customize and deliver relevant detail via email, RSS feed, or secure portal to defined groups or individuals

28. Double Byte Support – CorreLog fully supports double byte characters (DBCS) to allow for localization in the Asia Pacific region

29. Dashboards – Ability to obtain 3,000 foot overview of security environment from single pane of glass with ability to customize views and objects

31. Market Snapshot: The Competitive Landscape (cont.) Windows Agent (converts to Syslog) UNIX/Linux Agent Mainframe Agent/Support IT Search Double Byte Support Cost Effective Quick installation Web Based Interface Strong Weak / None

32. Sample Dashboard View

33. Custom, Mainframe Dashboard View

34. Custom Dashboard Drill-Down

35. Customer Testimonial “Our implementation of CorreLog has given us the power to quickly discover security threats and has allowed us to do it with fewer internal resources. CorreLog shows us the things that are going on in our environment, correlates and categorizes these events, allowing us to take quick, decisive action and ensuring our security compliance. This has enabled ASG to move from a reactive organization when it comes to security, to becoming a much more proactive one.” – Alan Bolt, Chief Information Officer, ASG

36. Market and Technology Discussion Questions or Comments? Jeff Stomber – Account Executive Phone: 239-821-9761 Email: jeff.stomber@correlog.com