Re: log monitoring/analysis/correlation systems



Hello Sami,

Logs are to be collected from routers, firewalls, IDS and antivirus.

We can go beyond just these; we can collect logs from *nix, Unix, and Windows servers. Application servers like Apache, IIS, proxy servers, etc.
IDS/IPS systems, DHCP/DNS servers and much more... everything and anything that can syslog, plus many vendors have developed agents for proprietary systems to interface with their products.

Basically, I see that there are two types of emerging products evolving in this space.

1) The Log Management market space - log aggregation products for compliance and forensic reasons (archiving log data with tamper proofing).

Products like Loglogic fall into this category.
A very basic correlation engine is built into these products, but they have great archival methods.

Loglogic especially has a robust search tool and a pretty neat interface.

SOX, GLBA and other auditors will be happy with this kind of product for now.

2) The SIM (Security Information Management)/ Real time event correlation Market space:


In future, as the compliance standards get more granular, there will be a need for enterprises to demonstrate that they identify, prevent and respond to security events within the organisation; you will need to look at SIM (Security Information Management) tools like these.

Automation of real time event analysis using the intelligence built into these systems is their selling point.

These are the products that are out there in this space:


Cisco MARS
Arcsight
Netforensics
NetIQ
Trigeo
high-tower

and more coming in as more VCs dump their money into this industry.

The market and the products are relatively young, so be careful while choosing an appropriate SIM tool/log management.

These are expensive IT investments and you should keep the compliance requirements of the organization in mind. Choose a system that suits your needs the best and which is open-ended should you need more enhancements to the current system for your future needs (your needs are going to change as per compliance standards).

I have been researching the same for a variety of client base across many verticals with different budgets. It's a very interesting product set and a different set of challenges in implementation, which is fun.

Finally there is an industry building itself around protecting the internal IT assets rather than just worrying about the noise on the internet.

Ohh ok... let me stop here. I can go on and on... thanks for reading this long e-mail.

Sami, feel free to shoot me e-mails offlist if you have more questions.

-Venkata Achanta
Security Architect
vachanta@xxxxxxxxx

Learn, experience, share and mentor.

