RE: Correlation software

From: Chris Petersen (chris_at_security-conscious.com)
Date: 03/23/04

    To: <sam@neuroflux.com>, <focus-ids@securityfocus.com>
    Date: Tue, 23 Mar 2004 11:13:55 -0700
    
    

    **** Fair warning, I am the CTO of a Log Management/Correlation Company ****

    The products I am familiar with in this area are:
    - ArcSight (strong in correlation & eye-candy)
    - Intellitactics (good underlying engine from what I've heard)
    - GuardedNet (Have heard a lot of good things about this product. I think
    they get it)
    - NetForensics (strong on reporting side)
    - Addamark (not sure what they have for correlation, heavy focus on log
    management)
    - Open (???)
    - LogRhythm...

    LogRhythm takes a somewhat different approach than the aforementioned. It's
    based on a distributed log management architecture on top of which event
    management is built. Users can deploy our rules or develop their own to
    identify and transform logs into events. Events are then forwarded to an
    event management system. However, instead of throwing away the log or
    normalizing beyond the point of recognition, the original logs remain stored
    at the log management layer and can be queried on-demand to support event
    analysis. We are also doing some very interesting things in the area of
    data-mining intrusion/fraud detection.

    For additional information on LogRhythm, a technical whitepaper is available
    at http://www.security-conscious.com/literature.html

    Chris Petersen
    Security Conscious, Inc.
    chris@security-conscious.com
    www.security-conscious.com

    > -----Original Message-----
    > From: sam@neuroflux.com [mailto:sam@neuroflux.com]
    > Sent: Thursday, March 18, 2004 9:07 AM
    > To: focus-ids@securityfocus.com
    > Subject: Correlation software
    >
    >
    > Hello.. Thank you all for your responses to my Entercept
    > email, they have all been fantastic!
    >
    > I am also looking to find out if there are any commercial Log
    > Correlation packages available? I'm looking for something
    > that can correlate Firewall
    > + IDS + HIDS type of logs and create a logical flow of events..
    >
    > Can anyone recommend, or point me in the right direction?
    >
    > Thanks!
    > -Sam
    >
    >
    > --------------------------------------------------------------
    > -------------
    > Test your IDS
    >
    > Is your IDS deployed correctly?
    > Find out by easily testing it with real-world attacks from
    > CORE IMPACT.
    >
    > Visit:
    > www.coresecurity.com/promos/sf_eids1 to learn more.
    > --------------------------------------------------------------
    > -------------
    >
    >

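To make the split Chris describes concrete (a log management layer that keeps every raw line, rules that turn lines into normalized events, and an event layer that correlates those events into the "logical flow" Sam asked for across firewall, NIDS and HIDS sources), here is an added example in Python. It is not LogRhythm's code or any other vendor's; the three log formats, the rule regexes, the 60-second correlation window and the sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real data): a firewall, a network IDS and a host IDS
# observing one attacker (10.0.0.5) reaching a web server (192.168.1.10), plus noise.
RAW_LOGS = [
    "2004-03-18T09:00:01 fw1 ACCEPT TCP 10.0.0.5:40001 -> 192.168.1.10:80",
    "2004-03-18T09:00:02 nids1 ALERT sid=1234 msg='WEB-IIS cmd.exe access' 10.0.0.5 -> 192.168.1.10",
    "2004-03-18T09:00:03 hids1 host=192.168.1.10 user=IUSR process=cmd.exe parent=inetinfo.exe",
    "2004-03-18T09:05:00 fw1 ACCEPT TCP 10.0.0.9:51000 -> 192.168.1.10:80",
    "2004-03-18T09:30:00 fw1 DENY TCP 10.0.0.5:40002 -> 192.168.1.10:22",
]

# Log management layer: every raw line is kept verbatim under a stable id.
LOG_STORE = {i: line for i, line in enumerate(RAW_LOGS)}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Rules (hypothetical formats): each is a regex plus an event builder. A matching
# rule yields a normalized event carrying only the fields correlation needs, and
# the event keeps log_id so the original line can be pulled back on demand.
RULES = [
    (re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DENY) \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"),
     lambda m: {"type": "fw_" + m["action"].lower(), "src": m["src"], "dst": m["dst"], "detail": "port " + m["dport"]}),
    (re.compile(r"^(?P<ts>\S+) \S+ ALERT sid=(?P<sid>\d+) msg='(?P<msg>[^']*)' (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"),
     lambda m: {"type": "ids_alert", "src": m["src"], "dst": m["dst"], "detail": m["msg"]}),
    (re.compile(r"^(?P<ts>\S+) \S+ host=(?P<dst>[\d.]+) user=\S+ process=(?P<proc>\S+) parent=(?P<parent>\S+)$"),
     lambda m: {"type": "host_process", "src": None, "dst": m["dst"], "detail": m["proc"] + " from " + m["parent"]}),
]

def logs_to_events(store):
    """Apply the rules to every stored line; unmatched lines stay in the store only."""
    events = []
    for log_id, line in store.items():
        for rx, build in RULES:
            m = rx.match(line)
            if m:
                ev = build(m)
                ev["ts"] = parse_ts(m["ts"])
                ev["log_id"] = log_id
                events.append(ev)
                break  # first matching rule wins
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(seconds=60)):
    """Event management layer: consecutive events on the same destination host,
    each within `window` of the previous one, form one flow. Host-only events
    (no source address) attach to whatever flow is open on that host."""
    open_flows = {}   # dst host -> flow currently being extended
    flows = []
    for ev in events:
        flow = open_flows.get(ev["dst"])
        if flow and ev["ts"] - flow[-1]["ts"] <= window:
            flow.append(ev)
        else:
            flow = [ev]
            open_flows[ev["dst"]] = flow
            flows.append(flow)
    return flows

def describe(flow):
    """Render a flow as the ordered chain of what each sensor saw."""
    src = next((e["src"] for e in flow if e["src"]), "?")
    return "%s -> %s: " % (src, flow[0]["dst"]) + "; ".join(
        "%s (%s)" % (e["type"], e["detail"]) for e in flow)

def raw_lines(flow, store=LOG_STORE):
    """On-demand query back to the log management layer: the untouched originals."""
    return [store[e["log_id"]] for e in flow]

def suspicious_flows(flows):
    """Flows where a network alert was followed by host-level activity."""
    return [f for f in flows if {"ids_alert", "host_process"} <= {e["type"] for e in f}]

if __name__ == "__main__":
    for flow in suspicious_flows(correlate(logs_to_events(LOG_STORE))):
        print(describe(flow))
        for line in raw_lines(flow):
            print("   raw:", line)
```

The point of keeping `LOG_STORE` separate from the event list is the one the post makes: the events are deliberately lossy (the HIDS user name and the firewall protocol are dropped by the rules), but an analyst looking at a correlated flow can still get the original lines back through `raw_lines`, so nothing an investigation later needs has been normalized away.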
