Security Basics mailing list archives
RE: log analyser
From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Thu, 4 Jun 2009 10:57:04 +0530
Hi, I am not writing officially on behalf of my company. Give consideration to Symantec Security Information Manager (SSIM).

From a security perspective SSIM has the best correlation engine. The reason being it gives a lot more flexibility and power in rule writing than the traditional methods of rule writing given by most vendors. By traditional methods of rule writing I mean signature-based rules like Signature (A or B or C ...) followed by Signature (X AND (Y or Z)), or say 30 instances of Signature (L or M) in 1 minute. In SSIM you start by importing your asset table into the SSIM by means of a VA scanner. This allows you to populate the assets along with their vulnerability, services and OS information in the SSIM. You can even assign CIA ratings to all your assets as well as label them as per the compliance standards to which they should conform or based on their function. Regular Global Intelligence Feeds from Symantec mean that CVE ratings are also populated for the assets. You can also define internal networks. What this means is that even before the correlation starts, SSIM has a very good idea about your environment from the technical as well as business perspective. The event stream which comes in for correlation also has a lot of relevant information added to it thanks to regular Global Intelligence Feeds. This includes BugTraq, CVE, and Malicious Code IDs for relevant events as well as Generic Symantec Signatures and something known as EMR Values. EMR Values map the likely EFFECT for an event, e.g. System Compromise, Reconnaissance, Flooding; MECHANISM is the mechanism that event may be part of, e.g. Port Scan, Login, Buffer Overflow; and RESOURCE is the likely resource that event may be targeting, e.g. Web Service or Username. Thanks to EMR you have a risk rating for every event and you also know the resource that event may target. Thanks to Generic Signatures you need not bother about the vendor of your devices while writing rules. Thanks to information like CVE and BugTraq in the events, you can now correlate the event with the vulnerabilities of your devices.

Writing generic rules based on EMR or Generic Signatures which take asset information into consideration means your rules will always be relevant and give minimum false positives. All the mappings for new point product signatures are handled at the back end by Symantec and you get the feeds automatically on your Correlation Engine. Also taking compliance or function based labels and CIA ratings into consideration means the rules which are relevant to the business requirements and device functions can be written.

Regards,
Tariq Naik
Consultant
Symantec Services Group - Consulting Services
Symantec Corporation
www.symantec.com
Office: (D)+91 22 3067 1416; (B)+91 22 3067 1400
Mobile: +91 98 1947 0825
Fax: +91 22 6675 0398
Fingerprint: 4F03 3899 4249 B4A9 6038 FDA3 461C 88C4 88CF FF5F

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of aditya mukadam
Sent: Tuesday, June 02, 2009 7:54 AM
To: sec () nd-f com; security basics
Subject: Re: log analyser

Andy,

There are quite a lot of solutions out there based on your requirement to collect, correlate, analyze etc. I would recommend you take a look at the below:
1) Netforensics
2) LogRhythm
3) Juniper STRM
4) ArcSight

Feel free to let me know if any questions.

Thanks,
Aditya Govind Mukadam
CISSP, CEH, JNSA-Advanced Security, JNCIA-SSL, CQS-PIX, CQS-VPN
http://www.linkedin.com/in/adityamukadam

On Fri, May 29, 2009 at 4:55 AM, <sec () nd-f com> wrote:
Hi, can someone of you recommend a good enterprise log analyser solution?

I have to collect, correlate and analyse about 1200 Windows machines and 200 Linux boxes. I want to do this in real-time, trigger actions (like email notification), make sense out of e.g. ten failed login attempts following the one successful etc.

Any hint would be helpful.

Thanks,
andy

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
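The thread contrasts plain signature-counting rules ("30 instances of Signature (L or M) in 1 minute", Andy's "ten failed login attempts followed by one successful") with asset-aware correlation in which events are first enriched with a vendor-neutral generic signature, EMR values and a CVE, and then matched against what the VA scanner knows about the target. The toy engine below is an added illustration of that pipeline and is not SSIM code or anything from Symantec; the asset table, the "intelligence feed" mapping, the event stream, the host addresses and the CVE identifier (CVE-0000-0001) are all constructed placeholders. It shows a threshold rule, a failures-then-success sequence rule, and a CVE-to-asset match that suppresses an exploit signature aimed at a host the scanner found not to be vulnerable.

```python
"""Added example: a toy asset-aware correlation engine in the style the post
describes (generic signatures, EMR values, CVE-to-asset matching, threshold
and sequence rules). All assets, signatures, CVE ids and events below are
constructed placeholders, not SSIM data or real vulnerability identifiers."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed asset table, the kind a VA scanner import would populate.
ASSETS = {
    "10.0.0.5": {"os": "Linux", "cia": 8, "labels": {"PCI"}, "vulns": {"CVE-0000-0001"}},
    "10.0.0.9": {"os": "Windows", "cia": 3, "labels": set(), "vulns": set()},
}

# Constructed intelligence feed: vendor signature -> (generic signature,
# EMR effect, EMR mechanism, EMR resource, CVE). Two vendors' login-failure
# signatures map to the same generic signature, so one rule covers both.
FEED = {
    "VendorA:SSH_AUTH_FAIL": ("LOGIN_FAILURE", "Reconnaissance", "Login", "Username", None),
    "VendorB:LOGON_4625":    ("LOGIN_FAILURE", "Reconnaissance", "Login", "Username", None),
    "VendorA:SSH_AUTH_OK":   ("LOGIN_SUCCESS", "Reconnaissance", "Login", "Username", None),
    "VendorA:EXPLOIT_X":     ("REMOTE_EXPLOIT", "System Compromise", "Buffer Overflow",
                              "Web Service", "CVE-0000-0001"),
}


def enrich(event):
    """Attach generic signature, EMR values and CVE so rules need not know the vendor."""
    generic, effect, mechanism, resource, cve = FEED.get(
        event["sig"], ("UNKNOWN", None, None, None, None))
    return {**event, "generic": generic, "effect": effect, "mechanism": mechanism,
            "resource": resource, "cve": cve}


class Correlator:
    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # (src, dst) -> timestamps of LOGIN_FAILURE
        self.alerts = []

    def _recent_failures(self, key, now):
        """Drop failures older than the window and return how many remain."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _alert(self, rule, ev, severity):
        # Severity is taken from the target asset's CIA rating, as the post suggests.
        self.alerts.append({"rule": rule, "src": ev["src"], "dst": ev["dst"],
                            "severity": severity})

    def feed(self, raw):
        ev = enrich(raw)
        key = (ev["src"], ev["dst"])
        asset = ASSETS.get(ev["dst"], {"cia": 1, "vulns": set()})
        if ev["generic"] == "LOGIN_FAILURE":
            # Threshold rule: N failures from one source to one host inside the window.
            self.failures[key].append(ev["ts"])
            if self._recent_failures(key, ev["ts"]) == self.threshold:
                self._alert("threshold:login_failures", ev, asset["cia"])
        elif ev["generic"] == "LOGIN_SUCCESS":
            # Sequence rule: a success that follows a burst of failures.
            if self._recent_failures(key, ev["ts"]) >= self.threshold:
                self._alert("sequence:success_after_failures", ev, asset["cia"])
                self.failures[key].clear()
        elif ev["cve"] is not None:
            # Asset-aware rule: alert only if the scanner says the target is vulnerable;
            # otherwise suppress the event as a likely false positive.
            if ev["cve"] in asset["vulns"]:
                self._alert("asset_match:" + ev["cve"], ev, asset["cia"])
        return ev


def run_demo():
    """Replay a constructed event stream and return the alerts it produces."""
    t0 = datetime(2009, 6, 4, 10, 0, 0)
    attacker = "192.0.2.10"   # constructed, documentation-range address
    events = [
        {"ts": t0 + timedelta(seconds=s), "src": attacker, "dst": "10.0.0.5",
         "sig": "VendorA:SSH_AUTH_FAIL"} for s in (0, 10, 20)
    ] + [
        {"ts": t0 + timedelta(seconds=25), "src": attacker, "dst": "10.0.0.5", "sig": "VendorA:SSH_AUTH_OK"},
        {"ts": t0 + timedelta(seconds=30), "src": attacker, "dst": "10.0.0.5", "sig": "VendorA:EXPLOIT_X"},
        {"ts": t0 + timedelta(seconds=31), "src": attacker, "dst": "10.0.0.9", "sig": "VendorA:EXPLOIT_X"},
        {"ts": t0 + timedelta(seconds=40), "src": "198.51.100.7", "dst": "10.0.0.9", "sig": "VendorB:LOGON_4625"},
    ]
    c = Correlator()
    for e in events:
        c.feed(e)
    return c.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Running the demo yields three alerts, all against 10.0.0.5 with severity 8 (its CIA rating): the threshold rule on the third failure, the sequence rule on the success that follows, and the CVE match on the exploit signature. The same exploit signature against 10.0.0.9 produces nothing because the asset table says that host does not carry the vulnerability, which is the false-positive reduction the post attributes to asset-aware rules. The single Windows 4625 failure shows the vendor mapping working but stays below the threshold.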