TAP Cloud Collector Datasheet

Event Generator that Securely Creates and Streams Event Data to the FireEye Threat Analytics Platform (TAP)

The FireEye® TAP Cloud Collector is a managed technology that securely generates metadata in the form of network events and streams that data to the FireEye Threat Analytics Platform (TAP). In combination with TAP, the Collector provides a network security monitoring solution that applies threat intelligence to all network data and gives visibility across all locations without the operational complexity and costs associated with traditional solutions such as SIEMs.


Highlights

  • Speeds TAP time-to-value by simplifying event & log aggregation
  • Passively generates over 20 types of event data from network traffic
  • Eliminates need to configure log sources at each site
  • Collects, compresses & encrypts data before sending to TAP
  • Centrally managed as a part of the TAP ecosystem
  • Deploys via SPAN or network tap
  • Ideal for organizations with branch offices & remote sites

A Simpler Way to Collect Event Data

The Cloud Collector speeds time-to-value for the Threat Analytics Platform by eliminating the complexity of deploying and managing log sources at each site. It comes preconfigured with the necessary parsers and software to securely stream network event data into TAP. Organizations only need to configure their TAP credentials.

Flexible Deployment Options

The Cloud Collector is deployed via SPAN or a network tap. It can be placed in various locations within a network, and provides differing value based on its positioning. The technology does not apply threat intelligence, analytics, or rules — all analysis is performed in the TAP cloud. This flexibility allows the Cloud Collector to be an affordable extension of your FireEye Threat Analytics Platform.

FireEye offers the Collector in software, for customers who wish to deploy it on their own hardware or virtual machine environments, or as a hardware solution.

Securely Stream Event and Log Data to TAP

The Cloud Collector watches network traffic passively and constructs events to describe the activity it sees. It can create logs for over 20 types of activities and artifacts including web browsing, file transfers, certificate exchanges, Windows file shares, and Remote Desktop sessions. All event data and logs are compressed and encrypted before being sent to TAP, thereby maximizing security while minimizing network bandwidth.

During a typical forensic investigation, most PCAPs are manually processed in order to extract a suspicious file or email. The File Analysis Framework feature allows specific file types to be pulled from the network stream to be analyzed automatically. This data can be optionally sent to cloud MVX for in depth behavioral analysis.

The Cloud Collector also allows capture of all observed network traffic for in-depth analysis in FireEye products. PCAPs can be requested and retrieved through the Helix and TAP product interfaces.

Highly Scalable Architecture

The TAP + Cloud Collector deployment architecture is highly scalable and ensures high-performance event collection, regardless of whether a handful or thousands of devices are deployed.

Centrally Managed through TAP

All Cloud Collectors are centrally managed through the TAP cloud without the need for additional management consoles, staff, or training. Once connected, the TAP team manages the configuration and monitors health of the sensor remotely.

Ideal for Remote Offices

The cost-effective Cloud Collector is ideal for many use cases but one particularly powerful use case is branch offices or remote sites. The plug-and-play nature is ideal for locations without dedicated IT staff and can be rapidly installed in just a few minutes.

Together with TAP, the Cloud Collector delivers the industry’s best threat intelligence and visibility to advanced threats targeting an organization’s assets across all locations. All of this is accomplished without the operational complexity and costs associated with traditional solutions, such as SIEMs.

Event & Log Data Sources

The TAP Cloud Collector aggregates event data and logs from a broad range of protocols, software logs, SIEMs, and other 3rd party vendor devices. Some common event or log data sources are listed below:

SOURCE | WHAT IS COLLECTED | HOW LOGS ARE USED IN TAP
FireEye Logs | Alerts from FireEye Threat Prevention Platform devices | Analyzes FireEye alerts and correlates across all other events to reconstruct attacks
Security Device Logs | Event data from 3rd party security devices | Filters through the high volume of alerts to find the alerts that matter
Connection Logs | Connection information and duration between two hosts | Track movement of malicious hosts around the network
DNS Logs | All DNS requests | Identify malware or APT activity
Files Logs | Names/hashes of files | Useful for malware detection
SMTP Logs | All SMTP headers | Identify internal spam abuse or augment SMTP logs
HTTP Logs | Similar to proxy/webserver logs | See attacks on internal web servers or malware leaving an egress
SSL Certificate Logs | Certificate information such as CA | Identify known bad certificates
SMB Logs | Files and user access across Microsoft ports | Track files and authentications across the network boundaries
Remote Desktop Session Logs | Details on remote desktop sessions (keyboard language, source/dest) | Visibility into lateral movement
SIEM Logs | Event data from a local SIEM | Analyzed against threat intel to detect threats
ICS Logging | Logs all Modbus and DNP3 commands | ICS rule pack

Hardware Specifications

SPECIFICATION | CLOUD COLLECTOR 100
Performance | Up to 100 Mbps
Network Interface Ports | 5x 10/100/1000 BASE-T ports
Management Ports | 1x 10/100/1000 BASE-T port
IPMI Port | Included
PS/2 Keyboard & Mouse, DB15 VGA Ports | Included
USB Ports | 2x type A USB ports
Serial Port | 115,200 bps, No Parity, 8 Bits, 1 Stop bit
Drive Capacity | Dual 2TB HDD, internal fixed
Enclosure | 1RU, fits 19 inch rack
Chassis Dimension | 16.8” x 14” x 1.7” (427 x 356 x 43 mm)
AC Power Supply | Internal 200W, 100-240 VAC 3-1.5A, 50-60Hz, IEC60320-C14
Appliance Weight | 11 lb. (5 kg)
Regulatory Compliance | RoHS, REACH, WEEE