Re: log monitoring/analysis/correlation systems



Hello Sami,

Logs are to be collected from routers, firewalls, IDS and antivirus.

we can go beyond just these we can collect logs from *nix,unix,and windows server.Application servers like apache,IIS,proxy servers etc.
IDS/IPS systems,DHCP/DNS server and much more...everything and anything that can syslog+ many vendors developed agents for properietary systems to interface with their products.

Basically,i see that there are two types of emerging products evolving in this space.

1) The Log Management Market space- Log aggregation products for compliance and forensic reasons(archiving log data with tamper proof).

Products like Loglogic fall into this category.
very basic corrleation engine is built into these products but they have great archival methods.

Loglogic especially has robust search tool and pretty neat interface.

SOX,GLBA and other auditors will be happy with this kind of products for now.

2) The SIM (Security Information Management)/ Real time event correlation Market space:


In future as the compaliance standards get more granular there will be a need for enterprise to demonstrate that they identify,prevent and respond to security events within organisation,you will need to look at SIM(security information Management) tools like these

Automation of real time event analysis using the intelligence built into these systems is their selling point.

These are the products that are out there in this space


Cisco MARS
Arcsight
Netforensics
NetIQ
Trigeo
high-tower

and more coming in as more VCs dump their money into this industry.

The market and the products are relatively young,so be careful while choosing an appropriate SIM tool/log management.

These are expensive IT investments and you should the keep the compliance requirements of the organization in mind.Choose a system that suits your needs the best and which is open ended should you need more enhancements to the current system for your future needs(your needs are going to change as per compliance standards).

I have been researching the same for a variety of client base across many verticals with different budgets.Its very interesting product set and different set of challenges in implementation,which is fun.

Finally there is a industry building itself around protecting the internal IT assets rather than just worrying about the noise on the internet.

ohh ok....let me stop here. I can go on and on ....thanks for reading this long e-mail.

Sami,Feel free to shoot me e-mails offlist if you have more questions.

-Venkata Achanta
Security Architect
vachanta@xxxxxxxxx

Learn, experience, share and mentor.


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------