Wednesday, February 22, 2012

SpyLogix Architecture


Overview

The SpyLogix architecture was designed as a state-of-the-art information security middleware solution with these technical tenets: 1) continuous security data (access control and activity) intelligence, 2) automated data management, and 3) automated data actualization. The first tenet seeks to harvest security data directly and continuously from multiple disparate sources. Employing optimum combinations of baseline and monitoring technologies, collectively called a SpyLogix Module, makes any enterprise source eligible for the efficiencies and effectiveness of SpyLogix management. Next, harvested data is processed automatically using a message handling architecture to eliminate IT complexities and support costs. Finally, with enterprise security data stored and organized for fast access, data actualization ensues: (i) ActionLogix™ processes intact messages in real time to generate alerts, synthesize events, trigger actions or forward messages; (ii) security intelligence is continuously and simply available via an interactive console for data query, analysis and reporting; (iii) reports or assessment programs (producing periodic output) may be scheduled to run in the background, then distributed; and (iv) security data may be shared via Web Services with programs supporting other IT services.

IdentityLogix’s patent-pending SpyLogix designs for continuous security intelligence and real-time data actualization enable cost efficiencies and staff effectiveness. SpyLogix uses a standardized message-based design for attaining optimum end-to-end automation and leverage of enterprise access control and activity data. With this approach, modern technologies may be applied that elevate abilities to achieve governance, risk control, and compliance easily and with better quality. The SpyLogix architecture affords flexibility to deploy platform components to meet organizational and scalability wants or needs, including new “cloud computing” security demands. Lastly, SpyLogix’s innovative approach to “data actualization,” or the ability to make data actionable and shareable with other programs, enables organizations to do more with less (time, money and resources) for optimal business outcomes.

Image: SpyLogix Architecture

SpyLogix components are designed for enterprise scalability.  Components can be deployed on physical or virtual servers.  SpyLogix Data Management uses a Windows embedded database, which can use local, SAN disk, or network attached storage.  SpyLogix components (Data Access, Communications Services, Message Services, Data Management or Data Actualization) may be split across servers for scalability; separated components use Communications Services and TCP/IP (by configuring IP address and port) to communicate.

A practical distribution of components would include Data Access, Message Services and Data Management (with an embedded database) on a server, Data Actualization on its own server, and optionally for MSPs or Cloud providers, another SpyLogix server to receive forwarded messages.  Data Access is positioned to harvest data from desired enterprise sources, and then components downstream from Data Access would be configured to support its security data feeds.

Data Access technologies, licensed as Modules, are designed to acquire, map, and send security data in a standardized way. Collectively, SpyLogix Modules acquire security data from any programmatically accessible enterprise source using the most direct and effective means possible. Security data is simply mapped into a standardized message format, and then communicated efficiently and safely for automatic processing by one or more centralized SpyLogix Platform server(s). Individually, the SpyLogix Module technologies comprising Data Access may be described as:

  • Discovery modules are used to proactively baseline a resource’s security data to which monitored changes may be subsequently compared.
  • Resource Monitoring technologies are designed to consume real-time data from sources:
    • Agent-less monitors consume source data fed over a network connection;
    • Plug-in monitors query a resource, then consume source data fed over a network connection;
    • Agent monitors are designed to accept source data fed at high rates from an efficient and high-capacity cross-OS (Windows, Linux and UNIX) universal companion agent;
    • C-SPY monitors are specially designed to accept Windows OS security data from a proprietary client agent, including qualified user logon and logoff events, event viewer events, executables run, and LDAP API invocations.  The C-SPY agent is highly extensible to accomplish custom end-point monitoring tasks.
  • 3rd Party monitors may be customized to consume data from any 3rd party source.

Communication Services are available for safely communicating well-formed messages, over a network connection or locally, to the Message Services layer. The default message communication mode is high-performing streaming, unless remote sources are connected via an unreliable network connection. Communication Services automatically support safe mode delivery of messages over less-reliable networks. Communication to Message Services is configurable (standard TCP/IP network link and configurable firewall port) and multi-threaded so as to handle high throughput utilizing multi-CPU servers.

Data Actualization provides multiple post-storage processing services to effectively use incoming messages in real-time:

  • ActionLogix is a series of components used to automatically analyze (filter) message content and trigger an action (see Alerts), synthesize events or forward messages to SpyLogix Platform(s):  
    • Policy Engine employs configurable programmatic logic gates (PLG) incorporating Boolean logic to automatically process message data.  PLG deployment is expedited using message metadata, including: basic, state, RBAC, and utility.  Any message passing PLG processing may trigger an action, for example, generate an Alert.  
    • Alerts are embellished messages generated by blending standardized text with selected message data passing the Policy Engine rules, and then written to email, RSS, net send, a file, an application, Windows Event Log or SQL database.  New output targets may be easily added.  
    • Synthesizers are Module-specific events that are generated by analyzing message payload, drawing measured conclusions and storing a synthesized event persistently.
    • Message Forwarder communicates intact well-formed messages to another network connected SpyLogix Platform.  This capability is appropriate for cloud computing infrastructures or distributed SpyLogix Platform message aggregation for security data mining.
  • Web Services (data out) provides an easy-to-use interface for sharing data with other software.
  • Interactive Console enhances security intelligence visibility through tools for querying, analyzing and reporting on stored security data.
  • Scheduler enables scheduling of Interactive Console reports for background execution. Other system assessments or scripts may be scheduled for periodic execution and feed data output into SpyLogix for Data Management, security intelligence or Data Actualization.

SpyLogix meets the performance and scalability requirements of some of the world's largest IT environments. SpyLogix Platform and Modules are designed to scale horizontally, vertically and functionally, making it possible for SpyLogix components to be distributed across computing realms to manage hundreds of thousands of users, thousands of applications and millions of entitlements.

Message Services processes incoming well-formed messages employing either a SpyLogix Binary protocol or XML format. A Web Services (data in) interface is provided to easily send external data into the SpyLogix Platform (via a standard TCP/IP network and configurable firewall port). Message Streaming efficiently moves messages to the Data Management layer for persistent storage.

© Copyright 2010, IdentityLogix, All Rights Reserved.