RE: Correlation software

From: Joe Luna (joe.luna_at_kinkos.com)
Date: 03/20/04

  • Next message: Alberto Gonzalez: "RE: Correlation software"
    Date: Fri, 19 Mar 2004 17:21:53 -0800
    To: focus-ids@securityfocus.com
    
    

    Is anyone aware of any open source (free..) event correlation packages,
    or an initiative to develop such a beast?

    When looking at commercial solutions I was able to work with ArcSight
    and found their solution impressive.

    -Joe

    -----Original Message-----
    From: Chris Kirschke [mailto:durnie@hushmail.com]
    Sent: Friday, March 19, 2004 4:23 PM
    To: sam@neuroflux.com; focus-ids@securityfocus.com; phollows@open.com
    Subject: RE: Correlation software

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Check out www.guarded.net, their NeuSecure app is what we use at our
    bank and we've enjoyed it the entire way...

    durnie

    On Fri, 19 Mar 2004 02:56:53 -0800 Phil Hollows <phollows@open.com>
    wrote:
    > [Fair Warning: I work for a security management and correlation
    > company]
    >
    > Hi Sam & list:
    >
    > Security Threat Manager (STM) from Open (www.open.com) does what
    > you're looking for, providing real-time correlation, analysis and
    > triage of FW, IDS, IPS, AV, VA and network events using a variety of
    > techniques. It links multiple (tens or hundreds or for worms
    > thousands) of raw events from your devices into a few timely,
    > actionable and relevant alerts - in other words, significant false
    > positive reduction. It links events to asset values and vulnerability
    > scans and recent event history and attack source. It also provides
    > extensive reporting and analysis capabilities into attacks, correlated
    > threats and operations performance. We've a couple of case studies
    > (no registration required) on how the product works and the benefits
    > it can bring at http://www.open.com/pdf/STM_Case_Study_Legal_ROI.pdf
    > and http://www.open.com/pdf/STM_Case_Study_Finance_Firewall.pdf if
    > you're interested.
    >
    > STM features a nightly update service that updates its internal
    > database of exploit and vulnerability signatures, so instead of writing
    > rules for your correlation engine for each new potential attack vector
    > and spending time managing it, you are free to focus on improving
    > policies, testing and verifying patches, ensuring that your IDS are
    > up to date, and otherwise working on proactive defense. It all runs
    > on standard hardware too, and because it uses a "no rules" approach
    > to correlation, it's fast to install, baseline and tune.
    >
    > Enough of the product info - I'm more than happy to continue the
    > conversation off-list for Sam and anyone else who's interested in
    > product or implementation-specific detail.
    >
    > Thanks
    >
    > Phil Hollows
    > VP
    > OpenService Inc (www.open.com)
    >
    > -----Original Message-----
    > From: sam@neuroflux.com [mailto:sam@neuroflux.com]
    > Sent: Thu 3/18/2004 11:07 AM
    > To: focus-ids@securityfocus.com
    > Cc:
    > Subject: Correlation software
    >
    > Hello.. Thank you all for your responses to my Entercept email, they
    > have all been fantastic!
    >
    > I am also looking to find out if there are any commercial Log
    > Correlation packages available? I'm looking for something that can
    > correlate Firewall + IDS + HIDS type of logs and create a logical flow
    > of events..
    >
    > Can anyone recommend, or point me in the right direction?
    >
    > Thanks!
    > -Sam
    >
    > ---------------------------------------------------------------------------
    > Test your IDS
    >
    > Is your IDS deployed correctly?
    > Find out by easily testing it with real-world attacks from CORE IMPACT.
    >
    > Visit:
    > www.coresecurity.com/promos/sf_eids1 to learn more.
    > ---------------------------------------------------------------------------
    >

    life is meant to be lived. hear me? didn't think so...
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAkBbjvoACgkQ3UH5NRolsbaq5ACguxPk1PrBNmlr6baOVVJT1SMgqxYA
    njlR/REuYZd8T4sHxv29c2oahqfG
    =gQ8z
    -----END PGP SIGNATURE-----
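The kind of correlation Sam asks for and Phil describes above (firewall, IDS and HIDS events linked into a few prioritised alerts, weighted by asset value and vulnerability-scan results), shown as an added toy example in Python. This is not code from STM, NeuSecure, ArcSight or any other product in the thread, and the thread gives no implementation detail for any of them; the log formats, addresses, asset values, scan results, time window and scoring weights below are all constructed for the illustration.

```python
"""Added toy example: fold firewall, NIDS and HIDS syslog lines into a few ranked alerts.
Not the code of any product in this thread; every log line, address, asset value, scan
result and scoring weight below is constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs: one web-server compromise and one SMB worm sweep the firewall drops.
FIREWALL_LOG = """\
Mar 19 10:00:01 fw1 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=80
Mar 19 10:00:03 fw1 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=80
Mar 19 10:00:09 fw1 kernel: DROP src=198.51.100.9 dst=10.0.0.8 dpt=445
Mar 19 10:00:10 fw1 kernel: DROP src=198.51.100.9 dst=10.0.0.8 dpt=445
Mar 19 10:00:11 fw1 kernel: DROP src=198.51.100.9 dst=10.0.0.9 dpt=445
"""
IDS_LOG = """\
Mar 19 10:00:02 ids1 snort: [1:1234:1] WEB-IIS cmd.exe access {TCP} 203.0.113.7:4410 -> 10.0.0.5:80
Mar 19 10:00:09 ids1 snort: [1:2003:1] NETBIOS SMB worm probe {TCP} 198.51.100.9:2210 -> 10.0.0.8:445
Mar 19 10:00:11 ids1 snort: [1:2003:1] NETBIOS SMB worm probe {TCP} 198.51.100.9:2211 -> 10.0.0.9:445
"""
HIDS_LOG = "Mar 19 10:00:05 10.0.0.5 hids: new process cmd.exe spawned by inetinfo.exe\n"

# Constructed asset inventory (1 = lab box .. 5 = crown jewels) and vulnerability-scan results,
# expressed as the IDS signature ids each host is known to be vulnerable to.
ASSET_VALUE = {"10.0.0.5": 5, "10.0.0.8": 2, "10.0.0.9": 2}
VULN_SCAN = {"10.0.0.5": {"1:1234"}, "10.0.0.8": set(), "10.0.0.9": set()}

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FW = re.compile(r"(ACCEPT|DROP) src=(\S+) dst=(\S+) dpt=\d+")
IDS = re.compile(r"\[(\d+:\d+):\d+\] .*? \{\w+\} (\S+):\d+ -> (\S+):\d+")
HIDS = re.compile(r"hids: (.*)")
WINDOW = timedelta(minutes=5)  # events against one host further apart than this are separate incidents


def parse(text, year=2004):
    """Normalise lines from any of the three sources into dicts of one common shape."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")  # syslog carries no year
        host, msg = m[2], m[3]
        if fw := FW.search(msg):
            events.append({"ts": ts, "kind": "fw", "src": fw[2], "dst": fw[3], "action": fw[1], "sig": None})
        elif ids := IDS.search(msg):
            events.append({"ts": ts, "kind": "ids", "src": ids[2], "dst": ids[3], "action": None, "sig": ids[1]})
        elif hids := HIDS.search(msg):
            # a host-based alert names no attacker; the reporting host is the target
            events.append({"ts": ts, "kind": "hids", "src": None, "dst": host, "action": None, "sig": hids[1]})
    return events


def summarize(dst, evs):
    """Turn one time-bounded burst of raw events against one host into a single scored alert."""
    fw, ids, hids = ([e for e in evs if e["kind"] == k] for k in ("fw", "ids", "hids"))
    accepted = any(e["action"] == "ACCEPT" for e in fw)
    sigs = {e["sig"] for e in ids}
    vulnerable = bool(sigs & VULN_SCAN.get(dst, set()))
    if hids:                                   # the target itself reports suspicious activity
        stage, base = "host-confirmed", 10
    elif ids and accepted and vulnerable:
        stage, base = "exposed-and-vulnerable", 6
    elif ids and accepted:                     # attack reached the host, scan says it is patched
        stage, base = "exposed-not-vulnerable", 3
    elif ids and fw:                           # every firewall record for it is a DROP
        stage, base = "blocked-at-firewall", 1
    elif ids:                                  # no firewall view of this traffic at all
        stage, base = "ids-unconfirmed", 4 if vulnerable else 2
    else:
        stage, base = "firewall-only", 0
    return {"dst": [dst], "attackers": sorted({e["src"] for e in fw + ids}), "stage": stage,
            "signatures": sorted(sigs), "raw_events": len(evs), "score": base * ASSET_VALUE.get(dst, 1)}


def correlate(events):
    """Group by target host, cut into bursts no more than WINDOW apart, then fold blocked sweeps."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["dst"]].append(ev)
    alerts = []
    for dst, evs in per_host.items():
        burst = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - burst[-1]["ts"] > WINDOW:
                alerts.append(summarize(dst, burst))
                burst = []
            burst.append(ev)
        alerts.append(summarize(dst, burst))
    # One attacker firing one signature at many hosts, all dropped, is one sweep, not N alerts.
    sweeps, kept = defaultdict(list), []
    for a in alerts:
        if a["stage"] == "blocked-at-firewall":
            sweeps[(tuple(a["attackers"]), tuple(a["signatures"]))].append(a)
        else:
            kept.append(a)
    for (attackers, sigs), group in sweeps.items():
        kept.append({"dst": sorted(h for a in group for h in a["dst"]), "attackers": list(attackers),
                     "stage": "blocked-sweep", "signatures": list(sigs),
                     "raw_events": sum(a["raw_events"] for a in group),
                     "score": max(a["score"] for a in group)})
    return sorted(kept, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in correlate(parse(FIREWALL_LOG) + parse(IDS_LOG) + parse(HIDS_LOG)):
        print(f"score={a['score']:3} {a['stage']:<23} {a['raw_events']} raw events "
              f"{a['attackers']} -> {a['dst']} {a['signatures']}")
```

Run as a script, the nine constructed lines collapse to two alerts: a score-50 "host-confirmed" alert for 10.0.0.5 (two firewall accepts, one IDS hit on a signature the scan says the host is vulnerable to, and a HIDS report of cmd.exe spawned from the web server) and a score-2 "blocked-sweep" alert covering all five dropped SMB records from 198.51.100.9. The parts worth noticing are exactly the knobs a real engine exposes: the grouping key (target host first, then attacker plus signature for dropped traffic), the time window that separates incidents, and the asset and vulnerability tables that turn an IDS hit into a priority. The toy uses syslog-style text with a fixed year and a handful of regexes; a production deployment spends most of its effort on parsing many more source formats and keeping the asset and scan tables current.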
