Firewall log analysis and anomaly detection

Swiss IT Security Deutschland has developed easy-to-use managed services that boost security levels dramatically. It took home the BEST OF – Industriepreis 2018 award in the ‘IT and Industry’ category for this.

Swiss IT Security Deutschland products stand out

SEDM and ELA enable quick and easy log analysis and alerts for anomalies in firewall logs.



Anomaly detection

Previously undetected threats are frequently revealed through anomalies. SEDM recognises these solely on the basis of firewall logs and thus non-invasively.

Extensive log storage

Firewall logs are extremely extensive. Firewalls themselves often do not offer a high-performing and simple analysis function, and their storage capacity is limited. These limitations are reduced significantly with ELA.

Analysis made simple

Our web-assisted administrative interface allows search and analysis of specific threats or anomalies.

ELA – Enhanced Log Analysis is a web-based interactive platform

  • Detects business-critical anomalies
  • Provides quick and reliable information on security incidents
  • Establishes and reports security-related correlations over long periods
  • Detects anomalies across locations
  • Detects anomalies automatically
  • Analyses security incidents in detail
  • Establishes and reports security-related correlations over long periods
  • Discovers configuration errors in the security perimeter
Icon Control
ELA – Enhanced Log Analysis is a web-based interactive platform for IT administrators who want to analyse their firewall log data. ELA enables detailed display and analysis of firewall incidents and creates a clear dashboard for key values. To enable use of ELA, the managed firewall is configured to allow log data to be sent to the ELA system in real time. Detailed log data is indexed, stored separately for each customer and kept in the system for analysis for up to 90 days. Initial set-up is accompanied by the client administrator’s induction into ELA. Swiss IT Security Deutschland helps evaluate and interpret the firewall log data. Compilation of logs from several firewalls in a central system enables easier detection of anomalies and differences between locations. If a security incident requires investigation, flexible log evaluation enables rapid analysis. If the client administrator reaches their limitations in the evaluation process, the security specialists at Swiss IT Security Deutschland can help out.
Firewall logs are connected via VPN, which means confidential firewall systems can also be connected to ELA. ELA is based on high-performing, open-source ElasticSearch and Kibana software, operated by Swiss IT Security Deutschland in its data centre in Germany Security and firewalls play a key role in the industrial and manufacturing environment, but the top priority is to ensure that production keeps running uninterrupted. Each disruption must therefore be detected and eliminated as quickly as possible. The log evaluations built into firewall systems are often limited and provide insufficient support to the firewall admin. Swiss IT Security Deutschland has developed an easy-to-use managed service based on the outstanding and highly complex open-source solutions ElasticSearch and Kibana. The service offers the firewall admin ultra-fast log evaluation. The firewall admin does not have to set up and run a highly complex infrastructure in order to experience a significant reduction in workload.

SEDM – Security Event Detection Management

SEDM – Security Event Detection Management is used for the analysis of firewall logs and NetFlow data in which anomalies are detected automatically. An anomaly is a deviation from previous behaviour. Previous behaviour is determined based on historical data from a period of 15 to 90 days, depending on the detection module. SEDM is based on firewall log data, which is stored in an ElasticSearch system. This data is then available for SEDM and – if an anomaly is discovered – for the administrator for dynamic evaluation using ELA (Enhanced Log Analyser). In principle, explainable anomalies can lead to false positives; for instance, newsletters that are not sent regularly, but in peaks. Whitelists can be drawn up to turn off anomaly detection for these systems. An anomaly does not need to be malicious, as mentioned above. Other causes may include configuration errors, changed behaviour due to the introduction of new processes, or the introduction of new software. An anomaly is reported only once, as it is subsequently considered part of previous behaviour and thus not an anomaly. SEDM does not supply the cause of the anomaly, but it does provide hints. Based on the existing firewall log, the administrator can analyse the cause using tools such as ELA. An in-depth analysis of anomalies takes place only in conjunction with the client, as only the client can decide whether the behaviour is an error, a malicious anomaly or just a change in use. In principle, SEDM will detect a network contaminated by bots only if the bots change their behaviour; for instance, due to new commands from a C&C server. Anomaly detection in SEDM can clean up a network and make it much more secure. SEDM is not invasive and does not disrupt normal operations. However, it helps the administrator to detect unusual behaviour and remedy it. Although SEDM was developed primarily to detect attacks, particularly APTs, which are otherwise difficult for firewalls to limit, the detection of anomalies caused by configuration errors can also offer rapid and significant added value, even in the absence of active attacks. In the field of Industry 4.0, which is characterised by uniform, regular and little erratic network traffic, SEDM is an outstanding product for identification of infection in hard-to-maintain industrial facilities. As SEDM runs based solely on firewall logs, it can be used during ongoing operations without disrupting production.

We also provide

The following services might also be of interest to you


SIEM as a Service


Thank you for your interest!

You can download the product sheet by clicking the button below.