Security Basics mailing list archives

RE: log analyser


From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Thu, 4 Jun 2009 10:57:04 +0530

Hi,

I am not writing officially on behalf of my company.
 
Give consideration to Symantec Security Information Manager (SSIM).
From a security perspective, SSIM has the best correlation engine. The
reason is that it gives a lot more flexibility and power in rule writing
than the traditional methods of rule writing offered by most vendors. By
traditional methods of rule writing I mean signature-based rules like
Signature (A or B or C ...) followed by Signature (X AND (Y or Z)), or
say 30 instances of Signature (L or M) in 1 minute.

In SSIM you start by importing your asset table into the SSIM by means of
a VA scanner. This allows you to populate the assets along with their
vulnerability, service and OS information in the SSIM. You can even
assign CIA ratings to all your assets as well as label them as per the
compliance standards to which they should conform, or based on their
function. Regular Global Intelligence Feeds from Symantec mean that CVE
ratings are also populated for the assets. You can also define internal
networks. What this means is that even before the correlation starts,
SSIM has a very good idea about your environment from the technical as
well as the business perspective.

The event stream which comes in for correlation also has a lot of
relevant information added to it thanks to regular Global Intelligence
Feeds. This includes BugTraq, CVE and Malicious Code IDs for relevant
events, as well as Generic Symantec Signatures and something known as EMR
values. EMR values map the likely EFFECT of an event, e.g. System
Compromise, Reconnaissance, Flooding; MECHANISM is the mechanism that the
event may be part of, e.g. Port Scan, Login, Buffer Overflow; and RESOURCE
is the likely resource that the event may be targeting, e.g. Web Service
or Username.

Thanks to EMR you have a risk rating for every event and you also know
the resource that the event may target. Thanks to Generic Signatures you
need not bother about the vendor of your devices while writing rules.
Thanks to information like CVE and BugTraq IDs in the events, you can now
correlate the event with the vulnerabilities of your devices.

Writing generic rules based on EMR or Generic Signatures which take
asset information into consideration means your rules will always be
relevant and give minimum false positives. All the mappings for new
point-product signatures are handled in the back end by Symantec and you
get the feeds automatically on your correlation engine. Also, taking
compliance or function-based labels and CIA ratings into consideration
means that rules which are relevant to the business requirements and
device functions can be written.

Regards,
Tariq Naik
Consultant
Symantec Services Group- Consulting Services
Symantec Corporation
www.symantec.com
__________________________________________________________ 
Office: (D)+91 22 3067 1416; (B)+91 22 3067 1400
Mobile: +91 98 1947 0825
Fax: +91 22 6675 0398
Fingerprint: 4F03 3899 4249 B4A9 6038 FDA3 461C 88C4 88CF FF5F
_________________________________________________________ 
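To make the asset-aware, vendor-neutral correlation described in the message above concrete, here is an added example (not SSIM code, not SSIM's rule language, and not from the poster). The asset table, the events, the EMR labels, the "CVE-EXAMPLE-1" placeholder identifier and the scoring weights are all constructed; the point is that the rule reads only the generic signature and EMR fields, never the sensor vendor's signature, and checks the target's services, vulnerabilities and CIA rating before assigning a verdict and priority.

```python
"""Asset-aware, vendor-neutral correlation of the kind described above.

Added example for this thread, not SSIM code or SSIM's rule language.
Everything below (assets, events, EMR labels, the CVE-EXAMPLE-1 placeholder
identifier, score weights) is constructed to show the mechanism.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    host: str
    os: str
    services: set          # from the VA scanner import
    cves: set              # vulnerabilities the scanner found on this host
    cia: tuple             # (confidentiality, integrity, availability), 1..5
    labels: set = field(default_factory=set)   # compliance / function labels


# Constructed asset table keyed by IP, as a VA scanner import would populate it.
ASSETS = {
    "10.0.1.10": Asset("web01", "Linux",   {"http"},  {"CVE-EXAMPLE-1"}, (3, 4, 5), {"PCI", "web"}),
    "10.0.1.11": Asset("web02", "Linux",   {"http"},  set(),             (3, 4, 5), {"web"}),
    "10.0.1.20": Asset("db01",  "Windows", {"mssql"}, set(),             (5, 5, 4), {"PCI", "database"}),
    "10.0.2.5":  Asset("kiosk", "Windows", {"http"},  {"CVE-EXAMPLE-1"}, (1, 1, 1), set()),
}

# Weight of an event's EFFECT (the E in EMR); constructed values.
EFFECT_SCORE = {"System Compromise": 5, "Flooding": 3, "Reconnaissance": 1}


def overflow_event(dst, vendor_sig):
    """Constructed, already-enriched event: the sensor's native signature has
    been mapped upstream to a generic signature, a CVE and EMR fields."""
    return {"src": "198.51.100.7", "dst": dst, "vendor_sig": vendor_sig,
            "generic_sig": "HTTP buffer overflow attempt", "cve": "CVE-EXAMPLE-1",
            "effect": "System Compromise", "mechanism": "Buffer Overflow",
            "resource": "Web Service"}


EVENTS = [
    overflow_event("10.0.1.10", "ACME-4711"),   # vulnerable, high-value web server
    overflow_event("10.0.1.11", "ACME-4711"),   # same host type, already patched
    overflow_event("10.0.1.20", "ACME-4711"),   # database host, no web service
    overflow_event("10.0.2.5",  "OTHER-99"),    # vulnerable kiosk, different sensor vendor
    {"src": "198.51.100.9", "dst": "10.0.1.20", "vendor_sig": "ACME-1",
     "generic_sig": "TCP port scan", "cve": None, "effect": "Reconnaissance",
     "mechanism": "Port Scan", "resource": "Host"},
]


def correlate(event, assets):
    """Return (verdict, priority) for one event against the asset table.
    The rule never looks at event["vendor_sig"]: it is written against the
    generic signature and the EMR fields, so any sensor vendor feeds it."""
    asset = assets.get(event["dst"])
    base = EFFECT_SCORE.get(event["effect"], 1)
    if asset is None:
        return "unknown-asset", base          # no context: cannot down-rank safely
    priority = base * max(asset.cia)          # business impact scales the score
    if event["effect"] != "System Compromise":
        return "informational", priority
    # An exploit attempt only matters if the target exposes the resource...
    if event["resource"] == "Web Service" and "http" not in asset.services:
        return "not-applicable", 1
    # ...and still carries the vulnerability the signature is mapped to.
    if event["cve"] and event["cve"] not in asset.cves:
        return "not-vulnerable", max(1, priority // 5)
    return "likely-compromise", priority


def triage(events, assets):
    """Run every event through the rule; return findings, highest priority first."""
    rows = []
    for ev in events:
        verdict, prio = correlate(ev, assets)
        asset = assets.get(ev["dst"])
        rows.append({"host": asset.host if asset else ev["dst"], "verdict": verdict,
                     "priority": prio, "labels": sorted(asset.labels) if asset else []})
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for row in triage(EVENTS, ASSETS):
        print(row)
```

Note how the same generic signature produces four different outcomes depending only on what the asset table says about the target: the patched web server and the database host are de-prioritised without any per-vendor rule, and the kiosk, although genuinely vulnerable, ranks below the PCI-labelled web server because of its CIA rating.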

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of aditya mukadam
Sent: Tuesday, June 02, 2009 7:54 AM
To: sec () nd-f com; security basics
Subject: Re: log analyser

Andy,

There are quite a lot of solutions out there based on your requirement to
collect, correlate, analyze etc. I would recommend you take a look at
the below:

1) Netforensics
2) LogRhythm
3) Juniper STRM
4) ArcSight

Feel free to let me know if any questions.

Thanks,
Aditya Govind Mukadam
CISSP,CEH, JNSA-Advanced Security, JNCIA-SSL,CQS-PIX,CQS-VPN
http://www.linkedin.com/in/adityamukadam


On Fri, May 29, 2009 at 4:55 AM,  <sec () nd-f com> wrote:
Hi,

can someone of you recommend a good enterprise log analyser solution?
i have to collect, correlate and analyse about 1200 windows machines and
200 linux boxes. i want to do this in real-time, trigger actions (like
email notification), make sense out of e.g. ten failed login attempts
following the one successful etc.

any hint would be helpful
thanks
andy
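The sequence rule in the question above ("ten failed login attempts followed by a successful one") is the classic case for a correlation engine, so here is an added example of the detection logic over mixed Windows and Linux lines, not part of the original thread and not tied to any of the products named. The log lines are constructed: the sshd lines follow OpenSSH's auth.log wording, while the Windows lines imitate an agent forwarding Security log events 4625 and 4624 as key=value pairs over syslog (a simplification, not any vendor's exact format); the year is assumed because syslog timestamps carry none.

```python
"""Detect 'many failed logins, then a success' across Windows and Linux logs.

Added example for the question above, not a product feature. The sample
lines are constructed: sshd lines follow OpenSSH's auth.log wording, the
Windows lines imitate a syslog agent forwarding Security events 4625/4624
as key=value pairs (a simplification, not any vendor's format).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2009  # assumed: syslog timestamps carry no year

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
LINUX_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(
    SYSLOG_TS + r" (?P<host>\S+) EventID=(?P<eid>4624|4625) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)")


def parse_line(line):
    """Normalise one raw line to a common event shape, or None if unrecognised."""
    m = LINUX_RE.match(line)
    if m:
        ok = m.group("outcome") == "Accepted"
    else:
        m = WIN_RE.match(line)
        if not m:
            return None
        ok = m.group("eid") == "4624"       # 4624 = logon success, 4625 = failure
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m.group("host"), "user": m.group("user"),
            "src": m.group("src"), "success": ok}


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Alert when `threshold` failures from one source against one host within
    `window` are followed by a successful login from that same source."""
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[(ev["host"], ev["src"])]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if not ev["success"]:
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "failures": len(q), "at": ev["ts"]})
        q.clear()                                # a success ends the sequence either way
    return alerts


def notification(alert):
    """Body an action hook (e.g. e-mail) would send for one alert."""
    return (f"[ALERT] {alert['failures']} failed logins from {alert['src']} to "
            f"{alert['host']} followed by success as {alert['user']} at "
            f"{alert['at']:%Y-%m-%d %H:%M:%S}")


# Constructed sample: ten sshd failures for 'andy' from one source, a stray
# failure from elsewhere, the success, an unrelated line, then a short
# Windows burst that stays below the threshold.
FAILED_SSH = [
    f"Jun  2 07:50:{sec:02d} lnx01 sshd[2211]: Failed password for andy "
    f"from 10.0.3.44 port {51234 + i} ssh2"
    for i, sec in enumerate(range(1, 20, 2))      # 07:50:01 .. 07:50:19
]
SAMPLE_LOG = FAILED_SSH + [
    "Jun  2 07:50:21 lnx01 sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 40000 ssh2",
    "Jun  2 07:50:22 lnx01 sshd[2290]: Accepted password for andy from 10.0.3.44 port 51245 ssh2",
    "Jun  2 07:51:00 lnx01 CRON[1]: pam_unix(cron:session): session opened for user root",
    "Jun  2 07:55:00 WIN-FS01 EventID=4625 TargetUserName=bob IpAddress=10.0.3.45",
    "Jun  2 07:55:02 WIN-FS01 EventID=4625 TargetUserName=bob IpAddress=10.0.3.45",
    "Jun  2 07:55:05 WIN-FS01 EventID=4624 TargetUserName=bob IpAddress=10.0.3.45",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(notification(a))
```

Keying the failure counter on (host, source) rather than on the user name is deliberate: password spraying rotates users and would slip past a per-user count, while this rule still sees it. The same structure extends to "N failures in W seconds" without the trailing success by alerting inside the failure branch once the deque reaches the threshold.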

----------------------------------------------------------------------
-- This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means
you pass the exam. Gain a laser like insight into what is covered on the
exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
----------------------------------------------------------------------
--


