Sightline Compliance Solution for CDM

A Continuous Diagnostics and Mitigation (CDM) program seeks to defend IT networks from cybersecurity threats by providing continuous monitoring sensors (tools), diagnosis, mitigation tools and dashboards that strengthen the security posture of those networks. There are four mandatory tool functional areas that must be addressed to provide a complete solution. Sightline satisfies these capabilities within a single tool. Our approach is based on the philosophy that you can become aware of all threats, known and unknown, by integrating traditional security practices with performance monitoring.

Tips and Tricks: Using ACLs to control access to views


EDM provides the ability to create views for displaying lists of objects in the UI. When you create a view you select the columns to display and specify filtering conditions for the items to be included in or excluded from the display. EDM 3.3 adds one more configuration option: ACLs. On the new User tab of the Edit View dialog box, you select which users are allowed to use that view, which effectively limits the users who can see Hosts, Connections, or any other screen in the EDM UI through it. You can still select the Make Public option to allow all users to see the entries defined for the view.

What connections are EDM alert groups assigned to?

Alerting is one of the core capabilities of EDM. Alerting provides a collection of thresholds that EDM evaluates for each incoming data block, and defines the actions to be taken (email notification, running an external application, and so on) for each of them when a metric's value rises above or falls below the value defined in the threshold.


Alerts are grouped into Alert Groups, and every Alert Group contains a set of configured alerts that can be assigned to one or more connections. How do you know whether an Alert Group has been assigned to a connection? In EDM 3.3, you can display this information by selecting the server icon in the Alert Groups display. This seems like a small thing, but it can be a real time-saver when you need to double-check your alert settings!

Setting your data retention policy

An important consideration in performance management and capacity planning is your data retention policy. Some data, such as process data, consumes a tremendous amount of space and loses its value quickly. Fine-grained data also loses its value over time. For example, detailed performance and process data is quite useful for analyzing bottlenecks. Service Level reporting requires only a small subset of the data and no process data at all. Trending and capacity planning need only highly summarized workload and resource utilization data representing peak periods.

A sound data retention policy stores different types of data for different periods. It may be advantageous to store detailed performance and process data for two weeks to one month, while hourly summaries are stored indefinitely. It may also be desirable to store daily capsules of peak demand periods that retain fine granularity and process information. For example, month-end processing demand may be worth storing permanently as a baseline of peak demand. Government regulations may also impose data retention rules of their own.

Storing collected data directly on the monitored system in a host trace file (HTF) provides a temporary store that allows flexible strategies for downloading data to the central Sightline server. Sightline Enterprise Data Manager (EDM) or Expert Advisor/Vision (EA/V) acts as the central management console within the Sightline deployment. It aggregates, manages, displays and analyzes heterogeneous information from networks, platforms, operating systems, databases and applications. Your data storage strategy is implemented at this level of the Sightline deployment, which offloads a significant portion of the performance management overhead from the monitored systems.

By default, individual HTFs are uploaded to the Sightline server, where data is maintained at the raw data collection interval. Summarization can then be applied, allowing long-term storage of the data. In Sightline EDM, the connection template lets you set your data retention policy once and then apply it to all of your new and existing connections. What's our recommendation? We start with these settings:

  • Live data: 14 days at the data collection interval, including process-level data
  • Archive data: 32 days of daily archives, including process-level data
  • 10-minute summary: 90 days, process data is not included. In EDM, this is often used for visualization.
  • 30-minute summary: 13 months, process data is not included. This long-term data is used for visualization, trending and forecasting.

Keep in mind that forecasting requires at least twice as much historical data as the period being forecast. For example, a one-month forecast requires at least two months of input data. As with many things, more is better: the more historical data you feed the forecast, the more accurate it will be.
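
The tiered policy above, as an added example that is not Sightline's or EDM's own code. It models the four recommended tiers (14 days live, 32 days of daily archives, 90 days of 10-minute summaries, 13 months of 30-minute summaries), drops process-level detail when data is summarized, and applies the rule that forecast history must be at least twice the forecast horizon. The `Sample` and `Summary` types, the `TIERS` table, and the sample data are all constructed for this illustration; EDM's actual storage formats and the exact definition of a "daily archive" are assumptions here.

```python
"""Tiered retention for performance samples: raw live data, daily archives,
then coarser summaries without process-level detail as data ages."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Sample:
    ts: datetime        # collection timestamp (UTC)
    cpu_pct: float      # resource metric for the interval
    processes: tuple    # process-level detail, e.g. (("sshd", 1.2), ...)


@dataclass(frozen=True)
class Summary:
    bucket_start: datetime
    avg_cpu: float
    peak_cpu: float
    n: int              # number of raw samples in the bucket
    # No process field: process data is not carried into summaries.


# (tier name, maximum age, summary interval or None for raw data, keep process data)
# Values follow the newsletter's recommended starting point; "13 months" is
# approximated as 13 * 30 days (an assumption for this example).
TIERS = (
    ("live", timedelta(days=14), None, True),
    ("daily_archive", timedelta(days=32), None, True),
    ("summary_10m", timedelta(days=90), timedelta(minutes=10), False),
    ("summary_30m", timedelta(days=13 * 30), timedelta(minutes=30), False),
)

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def floor_to(ts: datetime, interval: timedelta) -> datetime:
    """Align a timestamp to the start of its summary bucket."""
    secs = int((ts - _EPOCH).total_seconds())
    step = int(interval.total_seconds())
    return _EPOCH + timedelta(seconds=secs - secs % step)


def summarize(samples, interval: timedelta):
    """Collapse raw samples into per-bucket average and peak; process data is dropped."""
    buckets = {}
    for s in samples:
        buckets.setdefault(floor_to(s.ts, interval), []).append(s.cpu_pct)
    return [Summary(b, sum(v) / len(v), max(v), len(v)) for b, v in sorted(buckets.items())]


def apply_retention(samples, now: datetime) -> dict:
    """Return what each tier would retain at time `now`."""
    out = {}
    for name, max_age, interval, keep_procs in TIERS:
        kept = [s for s in samples if now - s.ts <= max_age]
        if interval is not None:
            out[name] = summarize(kept, interval)          # process data falls away here
        elif name == "daily_archive":
            by_day = {}                                    # one capsule of raw samples per day
            for s in kept:
                by_day.setdefault(s.ts.date(), []).append(s)
            out[name] = by_day
        else:
            out[name] = kept if keep_procs else [Sample(s.ts, s.cpu_pct, ()) for s in kept]
    return out


def forecast_input_ok(history: timedelta, horizon: timedelta) -> bool:
    """Rule from the text: forecasting needs at least twice as much history as horizon."""
    return history >= 2 * horizon


def build_samples(now: datetime):
    """Constructed input: one hour of 1-minute samples starting at midnight,
    repeated at ages of 1, 20, 60, 200 and 500 days before `now`."""
    samples = []
    for age_days in (1, 20, 60, 200, 500):
        start = now - timedelta(days=age_days)
        for i in range(60):
            samples.append(Sample(start + timedelta(minutes=i),
                                  10.0 + i % 20,
                                  (("sshd", 1.2), ("sightd", 3.4))))
    return samples


def demo() -> dict:
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)
    return apply_retention(build_samples(now), now)


if __name__ == "__main__":
    for tier, data in demo().items():
        print(f"{tier}: {len(data)} records retained")
```

Running the script shows the effect of the tiers on the constructed input: only the one-day-old run survives in the live tier with its process data, the 500-day-old run is gone from every tier, and the 10-minute and 30-minute summaries carry only averages and peaks. The `forecast_input_ok` check is the kind of guard to put in front of any trending job so that a one-month forecast is refused when fewer than two months of 30-minute summaries exist.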

Ask John

Questions? Comments? Suggestions? Ask John! If we use your input in a future newsletter, we’ll send you a $10 Amazon gift card!