TAP Cloud Collector Datasheet
Event Generator that Securely Creates and Streams Event Data to the FireEye Threat Analytics Platform (TAP)
The FireEye® TAP Cloud Collector is a managed technology that securely generates metadata in the form of network events and streams that data to the FireEye Threat Analytics Platform (TAP). In combination with TAP, the Collector provides a network security monitoring solution that applies threat intelligence to all collected network data and gives visibility across all locations without the operational complexity and costs associated with traditional solutions such as SIEMs.
- Speeds TAP time-to-value by simplifying event & log aggregation
- Passively collects over 20 types of event data from network traffic
- Eliminates need to configure log sources at each site
- Collects, compresses & encrypts data before sending to TAP
- Centrally managed as a part of the TAP ecosystem
- Deploys via SPAN or network tap
- Ideal for organizations with branch offices & remote sites
A Simpler Way to Collect Event Data
The Cloud Collector speeds time-to-value for the Threat Analytics Platform by eliminating the complexity of deploying and managing log sources at each site. It comes preconfigured with the necessary parsers and software to securely stream network event data into TAP. Organizations only need to configure their TAP credentials.
Flexible Deployment Options
The Cloud Collector is deployed via SPAN or a network tap. It can be placed in various locations within a network, and provides differing value based on its positioning. The technology does not apply threat intelligence, analytics, or rules — all analysis is performed in the TAP cloud. This flexibility allows the Cloud Collector to be an affordable extension of your FireEye Threat Analytics Platform.
FireEye offers the Collector in software, for customers who wish to deploy it on their own hardware or virtual machine environments, or as a hardware solution.
Securely Stream Event and Log Data to TAP
The Cloud Collector watches network traffic passively and constructs events to describe the activity it sees. It can create logs for over 20 types of activities and artifacts including web browsing, file transfers, certificate exchanges, Windows file shares, and Remote Desktop sessions. All event data and logs are compressed and encrypted before being sent to TAP, thereby maximizing security while minimizing network bandwidth.
During a typical forensic investigation, most PCAPs are manually processed in order to extract a suspicious file or email. The File Analysis Framework feature allows specific file types to be pulled from the network stream to be analyzed automatically. This data can be optionally sent to cloud MVX for in depth behavioral analysis.
The Cloud Collector also allows capture of all observed network traffic for in-depth analysis in FireEye products. PCAPs can be requested and retrieved through the Helix and TAP product interfaces.
Highly Scalable Architecture
The TAP + Cloud Collector deployment architecture is highly scalable and ensures high-performance event collection, regardless of whether a handful or thousands of devices are deployed.
Centrally Managed through TAP
All Cloud Collectors are centrally managed through the TAP cloud without the need for additional management consoles, staff, or training. Once connected, the TAP team manages the configuration and monitors health of the sensor remotely.
Ideal for Remote Offices
The cost-effective Cloud Collector is ideal for many use cases, but one particularly powerful use case is branch offices or remote sites. Its plug-and-play nature suits locations without dedicated IT staff, and it can be installed in just a few minutes.
Together with TAP, the Cloud Collector delivers the industry’s best threat intelligence and visibility to advanced threats targeting an organization’s assets across all locations. All of this is accomplished without the operational complexity and costs associated with traditional solutions, such as SIEMs.
Event & Log Data Sources
The TAP Cloud Collector aggregates event data and logs from a broad range of protocols, software logs, SIEMs, and other 3rd party vendor devices. Some common event or log data sources are listed below:
| SOURCE | WHAT IS COLLECTED | HOW LOGS ARE USED IN TAP |
|---|---|---|
| FireEye Logs | Alerts from FireEye Threat Prevention Platform devices | Analyzes FireEye alerts and correlates across all other events to reconstruct attacks |
| Security Device Logs | Event data from 3rd party security devices | Filters through the high volume of alerts to find the alerts that matter |
| Connection Logs | Connection information and duration between two hosts | Track movement of malicious hosts around the network |
| DNS Logs | All DNS requests | Identify malware or APT activity |
| Files Logs | Names/hashes of files | Useful for malware detection |
| SMTP Logs | All SMTP headers | Identify internal spam abuse or augment SMTP logs |
| HTTP Logs | Similar to proxy/webserver logs | See attacks on internal web servers or malware leaving an egress |
| SSL Certificate Logs | Certificate information such as CA | Identify known bad certificates |
| SMB Logs | Files and user access across Microsoft ports | Track files and authentications across the network boundaries |
| Remote Desktop Session Logs | Details on remote desktop sessions (keyboard language, source/dest) | Visibility into lateral movement |
| SIEM Logs | Event data from a local SIEM | Analyzed against threat intel to detect threats |
| ICS Logging | Logs all Modbus and DNP3 commands | ICS rule pack |
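The datasheet describes the Collector emitting per-protocol events (DNS, SSL certificate, file hash, RDP session, connection) and TAP matching them against threat intelligence and correlating them per host. The script below is an added illustration of that pattern, written for this page; it is not FireEye or TAP code, and the indicator values, admin subnet, expected keyboard layouts and event records are all constructed for the example. It applies simple indicator and behavioural rules to Zeek-style events and then uses the connection log to tie a flagged host to the sessions that produced the hits.

```python
"""Illustrative event correlation over passive network-sensor events.

Added example, not FireEye/TAP code. Every indicator, subnet and event below
is constructed for the example; the detection rules are hypothetical.
"""
import hashlib
import ipaddress
import json
from collections import defaultdict

# --- Constructed threat-intel indicators (hypothetical, not real intel) ---
SAMPLE_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()
INDICATORS = {
    "domain": {"update-check.example-bad.net"},
    "cert_sha1": {"0123456789abcdef0123456789abcdef01234567"},
    "file_sha256": {SAMPLE_HASH},
}
# Hosts expected to originate RDP sessions (assumption for the example).
ADMIN_NETS = [ipaddress.ip_network("10.0.9.0/24")]
# Keyboard layouts expected in this hypothetical environment.
EXPECTED_LAYOUTS = {"en-US"}

# --- Constructed Zeek-style events such as a passive sensor would emit ---
EVENTS = [
    {"type": "dns", "ts": 1, "src": "10.0.1.25", "query": "update-check.example-bad.net", "answers": ["203.0.113.7"]},
    {"type": "conn", "ts": 2, "src": "10.0.1.25", "dst": "203.0.113.7", "dport": 443, "duration": 31.2},
    {"type": "ssl", "ts": 2, "src": "10.0.1.25", "dst": "203.0.113.7",
     "cert_sha1": "0123456789abcdef0123456789abcdef01234567", "issuer": "CN=Self"},
    {"type": "files", "ts": 3, "src": "10.0.1.25", "dst": "203.0.113.7", "sha256": SAMPLE_HASH, "name": "setup.exe"},
    {"type": "rdp", "ts": 4, "src": "10.0.1.25", "dst": "10.0.2.40", "keyboard_layout": "ru-RU"},
    {"type": "rdp", "ts": 5, "src": "10.0.9.3", "dst": "10.0.2.40", "keyboard_layout": "en-US"},
    {"type": "dns", "ts": 6, "src": "10.0.1.30", "query": "www.example.com", "answers": ["198.51.100.20"]},
]


def in_admin_net(ip):
    """True if the address falls inside one of the expected admin subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def match_event(ev, indicators=INDICATORS):
    """Return [(rule, detail), ...] for a single event; empty if nothing matched."""
    hits = []
    t = ev["type"]
    if t == "dns" and ev["query"] in indicators["domain"]:
        hits.append(("dns_known_bad_domain", ev["query"]))
    elif t == "ssl" and ev["cert_sha1"] in indicators["cert_sha1"]:
        hits.append(("ssl_known_bad_certificate", ev["cert_sha1"]))
    elif t == "files" and ev["sha256"] in indicators["file_sha256"]:
        hits.append(("file_known_bad_hash", ev["name"]))
    elif t == "rdp":
        # Lateral-movement heuristics: who is driving RDP, and from what keyboard.
        if not in_admin_net(ev["src"]):
            hits.append(("rdp_from_non_admin_host", f'{ev["src"]}->{ev["dst"]}'))
        if ev.get("keyboard_layout") not in EXPECTED_LAYOUTS:
            hits.append(("rdp_unexpected_keyboard_layout", ev.get("keyboard_layout")))
    return hits


def correlate(events, indicators=INDICATORS):
    """Group hits by source host, then attach that host's connections to the
    destinations that produced hits. Severity grows with distinct rule kinds."""
    hits_by_host = defaultdict(list)
    flagged_dst = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule, detail in match_event(ev, indicators):
            hits_by_host[ev["src"]].append({"ts": ev["ts"], "rule": rule, "detail": detail})
            if "dst" in ev:
                flagged_dst[ev["src"]].add(ev["dst"])
    report = {}
    for host, hits in hits_by_host.items():
        sessions = [e for e in events
                    if e["type"] == "conn" and e["src"] == host and e["dst"] in flagged_dst[host]]
        rules = {h["rule"] for h in hits}
        severity = "high" if len(rules) >= 3 else "medium" if len(rules) == 2 else "low"
        report[host] = {"severity": severity, "hits": hits, "sessions": sessions}
    return report


if __name__ == "__main__":
    print(json.dumps(correlate(EVENTS), indent=2))
```

Running the script reports only 10.0.1.25: the bad-domain lookup, the certificate and file-hash matches and the two RDP observations stack into a high-severity host, and the connection log supplies the 443 session to the resolved address. The admin host's RDP session and the benign lookup produce nothing, which is the point of combining indicator hits with per-host context rather than alerting on each event alone.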
| Specification | CLOUD COLLECTOR 100 |
|---|---|
| Performance | Up to 100 Mbps |
| Network Interface Ports | 5x 10/100/1000 BASE-T ports |
| Management Ports | 1x 10/100/1000 BASE-T port |
| IPMI Port | Included |
| PS/2 Keyboard & Mouse, DB15 VGA Ports | Included |
| USB Ports | 2x type A USB ports |
| Serial Port | 115,200 bps, No Parity, 8 Bits, 1 Stop bit |
| Drive Capacity | Dual 2TB HDD, internal fixed |
| Enclosure | 1RU, fits 19 inch rack |
| Chassis Dimension | 16.8" x 14" x 1.7" (427 x 356 x 43 mm) |
| AC Power Supply Internal | 200W, 100-240 VAC 3-1.5A, 50-60Hz IEC60320-C14 |
| Appliance Weight | 11 lb (5 kg) |
| Regulatory Compliance | RoHS, REACH, WEEE |