Security Basics mailing list archives
RE: SIM Suggestions
From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Tue, 29 Jul 2008 20:48:11 +0530
Hi,

Do consider SSIM (Symantec Security Information Manager). I am from Symantec so it would seem like a biased answer. But the way correlation works in SSIM is very unique and gives SSIM the edge.

All events are mapped to EMR (Effects it has on your asset, Mechanisms used for an attack, and Resources that can be affected by that attack). Some events might have multiple E or M or R, or may have one of these as blank. The correlation rules work on EMR so the rules always remain relevant. E.g. if there is an attack targeting webservers it may have a mechanism as buffer overflow and resource as webserver. The rule will check for all attacks using M as buffer overflow that target R webserver. A real rule will cover all mechanisms that can be used to attack a webserver with R as a webserver. So whenever there are new attacks also, as long as their EMR satisfies the rule, the rule fires. A rule can refer to all EMR or one or two of these. Symantec does the work of mapping vendor signatures from a large number of devices from a large number of vendors into EMR values which are sent as updates to the SSIM. Of course you can write rules to work on individual or generic events like other correlation engines.

Regards,
Tariq Naik

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 8:00 PM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a fully loaded answer however we are interested in acquiring a SIM. Any good/bad experiences and/or suggestions would be greatly appreciated. We are a medium sized organization.

Thanks,
Ricardo
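As an added illustration of the EMR correlation model described in the reply above (this is not SSIM's own code; the vendor names, signature names, EMR vocabulary and mapping table are all constructed for this example), a small correlator that normalizes raw vendor signatures into E/M/R and matches rules on any subset of the three fields, so a newly mapped signature fires an existing rule without the rule being edited:

```python
from dataclasses import dataclass, field

# Constructed stand-in for the vendor signature -> EMR update feed.
# A blank string means the event has no meaningful value for that field.
SIGNATURE_TO_EMR = {
    ("vendorA", "HTTP_Chunked_Overflow"): {"E": "compromise", "M": "buffer overflow", "R": "webserver"},
    ("vendorB", "SIG-4711"):              {"E": "compromise", "M": "buffer overflow", "R": "webserver"},
    ("vendorB", "SIG-2200"):              {"E": "",           "M": "port scan",       "R": ""},
    ("vendorC", "smtp-overflow"):         {"E": "compromise", "M": "buffer overflow", "R": "mailserver"},
}


def normalize(vendor, signature):
    """Map a raw (vendor, signature) event to EMR; unmapped signatures get blank EMR."""
    emr = SIGNATURE_TO_EMR.get((vendor, signature), {"E": "", "M": "", "R": ""})
    return {"vendor": vendor, "signature": signature, **emr}


@dataclass
class Rule:
    name: str
    # Each key (E, M or R) maps to the set of accepted values; a key that is
    # absent means "any value", so a rule may reference one, two or all three.
    match: dict = field(default_factory=dict)

    def fires(self, event):
        return all(event.get(key) in accepted for key, accepted in self.match.items())


# Rule on M and R only: any buffer-overflow or traversal mechanism against a webserver.
WEBSERVER_ATTACK = Rule("webserver attack", {"M": {"buffer overflow", "directory traversal"},
                                             "R": {"webserver"}})
# Rule on M only: fires even when E and R are blank.
RECON = Rule("recon", {"M": {"port scan"}})

# Constructed raw events as they might arrive from three different sensors.
SAMPLE_EVENTS = [
    ("vendorA", "HTTP_Chunked_Overflow"),
    ("vendorB", "SIG-4711"),        # different vendor, same EMR -> same rule fires
    ("vendorB", "SIG-2200"),
    ("vendorC", "smtp-overflow"),   # R is mailserver, so the webserver rule stays quiet
    ("vendorD", "unknown-sig"),     # not yet mapped: blank EMR, nothing fires
]


def correlate(raw_events, rules):
    """Return (rule name, vendor, signature) for every event that satisfies a rule."""
    return [(rule.name, vendor, sig)
            for vendor, sig in raw_events
            for rule in rules
            if rule.fires(normalize(vendor, sig))]
```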
Current thread:
- SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 30)
- RE: SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Tariq Naik (Jul 29)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 29)
- Re: SIM Suggestions ॐ aditya mukadam ॐ (Jul 29)
- RE: SIM Suggestions Mike Theriault (Jul 29)
- Re: SIM Suggestions Vu Anh Tu (Jul 30)
- Re: SIM Suggestions David Gadoury (Jul 31)
- Re: SIM Suggestions Albert R. Campa (Jul 31)
- Re: SIM Suggestions ॐ aditya mukadam ॐ (Jul 31)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 31)
- Re: SIM Suggestions Kurt Buff (Jul 31)
- Re: SIM Suggestions Vu Anh Tu (Jul 30)
- <Possible follow-ups>
- Re: SIM Suggestions Kurt Buff (Jul 31)