Security Basics mailing list archives
Re: log monitoring/analysis/correlation systems
From: vachanta () gmail com
Date: 22 Nov 2006 07:45:21 -0000
Hello Sami,
Logs are to be collected from routers, firewalls, IDS and antivirus.
Logs are to be collected from routers, firewalls, IDS and antivirus.

We can go beyond just these: we can collect logs from *nix, Unix and Windows servers; application servers like Apache, IIS, proxy servers, etc.; IDS/IPS systems; DHCP/DNS servers and much more... everything and anything that can syslog, plus many vendors have developed agents for proprietary systems to interface with their products.

Basically, I see that there are two types of emerging products evolving in this space.

1) The Log Management market space: log aggregation products for compliance and forensic reasons (archiving log data tamper-proof). Products like LogLogic fall into this category. A very basic correlation engine is built into these products, but they have great archival methods. LogLogic especially has a robust search tool and a pretty neat interface. SOX, GLBA and other auditors will be happy with this kind of product for now.

2) The SIM (Security Information Management) / real-time event correlation market space: in future, as the compliance standards get more granular, there will be a need for enterprises to demonstrate that they identify, prevent and respond to security events within the organisation; you will need to look at SIM (Security Information Management) tools like these. Automation of real-time event analysis using the intelligence built into these systems is their selling point. These are the products that are out there in this space:
- Cisco MARS
- ArcSight
- netForensics
- NetIQ
- TriGeo
- High Tower
and more coming in as more VCs dump their money into this industry.

The market and the products are relatively young, so be careful while choosing an appropriate SIM tool/log management. These are expensive IT investments and you should keep the compliance requirements of the organization in mind. Choose a system that suits your needs the best and which is open-ended should you need more enhancements to the current system for your future needs (your needs are going to change as per compliance standards).
I have been researching the same for a variety of client base across many verticals with different budgets. It's a very interesting product set and a different set of challenges in implementation, which is fun. Finally there is an industry building itself around protecting the internal IT assets rather than just worrying about the noise on the internet. Ohh ok... let me stop here. I can go on and on... thanks for reading this long e-mail. Sami, feel free to shoot me e-mails offlist if you have more questions.

-Venkata Achanta
Security Architect
vachanta () gmail com
Learn, experience, share and mentor.
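The two product categories the post describes, tamper-proof log archival and real-time cross-source correlation, can be illustrated in a few dozen lines. The following is an added example, not code from the post or from any of the vendors it names; the syslog-style lines, host names and `key=value` field layout are constructed sample data and are assumptions, not any product's real format. The archive side chains each stored line to the previous one with SHA-256, so editing or dropping a line breaks verification; the correlation side normalises firewall and IDS events to one record shape and flags a source IP only when repeated firewall denies and an IDS alert fall inside the same time window.

```python
"""Added example: minimal tamper-evident log archive plus a cross-source correlator."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a firewall, an IDS and a web server (not a real format).
SAMPLE_LOGS = [
    "Nov 22 07:40:01 fw01 kernel: DENY TCP src=203.0.113.7 dst=10.0.0.5 dpt=22",
    "Nov 22 07:40:03 fw01 kernel: DENY TCP src=203.0.113.7 dst=10.0.0.5 dpt=23",
    "Nov 22 07:40:05 ids01 ids: ALERT portscan src=203.0.113.7 dst=10.0.0.5",
    "Nov 22 07:41:10 fw01 kernel: DENY UDP src=198.51.100.4 dst=10.0.0.9 dpt=53",
    "Nov 22 07:42:00 web01 apache: GET /index.html 200 client=192.0.2.10",
]

# Assumed layout: "<Mon dd HH:MM:SS> <host> <program>: <message with key=value pairs>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
GENESIS = "0" * 64  # hash the first archived line chains to


def parse_line(line, year=2006):
    """Normalise one raw line to a common record; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    fields = dict(KV_RE.findall(m["msg"]))
    if "DENY" in m["msg"]:
        kind = "deny"
    elif "ALERT" in m["msg"]:
        kind = "alert"
    else:
        kind = "other"
    return {"ts": ts, "host": m["host"], "kind": kind,
            "src": fields.get("src"), "dst": fields.get("dst"), "raw": line}


def correlate(records, min_denies=2, window_seconds=60):
    """Flag a source IP with >= min_denies firewall denies within window_seconds
    of an IDS alert. A lone deny or a lone alert is treated as noise."""
    by_src = defaultdict(list)
    for r in records:
        if r is not None and r["src"]:
            by_src[r["src"]].append(r)
    findings = []
    for src, recs in by_src.items():
        denies = [r for r in recs if r["kind"] == "deny"]
        alerts = [r for r in recs if r["kind"] == "alert"]
        for a in alerts:
            near = [d for d in denies
                    if abs((a["ts"] - d["ts"]).total_seconds()) <= window_seconds]
            if len(near) >= min_denies:
                findings.append({"src": src, "denies": len(near), "alert_host": a["host"]})
                break  # one finding per source is enough for this demo
    return findings


def archive(lines, previous_hash=GENESIS):
    """Build a hash chain: each entry's digest covers the previous digest and the line."""
    chain = []
    h = previous_hash
    for line in lines:
        digest = hashlib.sha256((h + "\n" + line).encode()).hexdigest()
        chain.append((h, line, digest))
        h = digest
    return chain


def verify(chain, initial=GENESIS):
    """Return True only if every link's stored previous hash and digest check out."""
    h = initial
    for prev, line, digest in chain:
        if prev != h:
            return False
        if hashlib.sha256((h + "\n" + line).encode()).hexdigest() != digest:
            return False
        h = digest
    return True


if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LOGS]
    for f in correlate(records):
        print(f"correlated: {f['src']} denied {f['denies']}x then alerted on {f['alert_host']}")
    chain = archive(SAMPLE_LOGS)
    print("archive verifies:", verify(chain))
```

Running it correlates 203.0.113.7 (two denies followed by an IDS alert within a minute) and ignores the single deny from 198.51.100.4 and the ordinary web hit; changing any archived line afterwards makes `verify()` return False. A real product would store the chain head somewhere the log server cannot overwrite (write-once media, a separate host, or a signed timestamp), which is the property the post calls tamper-proof archival.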