Security Basics mailing list archives

Re: log monitoring/analysis/correlation systems


From: vachanta () gmail com
Date: 22 Nov 2006 07:45:21 -0000

Hello Sami,

Logs are to be collected from routers, firewalls, IDS and antivirus.

We can go beyond just these: we can collect logs from *nix, Unix, and Windows servers; application servers like Apache, IIS, proxy servers, etc.; IDS/IPS systems, DHCP/DNS servers and much more... everything and anything that can syslog, plus many vendors have developed agents for proprietary systems to interface with their products.

Basically, I see that there are two types of emerging products evolving in this space.

1) The Log Management market space - log aggregation products for compliance and forensic reasons (archiving log data in a tamper-proof way).

Products like LogLogic fall into this category.
A very basic correlation engine is built into these products, but they have great archival methods.

LogLogic especially has a robust search tool and a pretty neat interface.

SOX, GLBA and other auditors will be happy with this kind of product for now.

2) The SIM (Security Information Management) / real-time event correlation market space:


In future, as the compliance standards get more granular, there will be a need for enterprises to demonstrate that they identify, prevent and respond to security events within the organisation; you will need to look at SIM (Security Information Management) tools like these.

Automation of real-time event analysis using the intelligence built into these systems is their selling point.

These are the products that are out there in this space:

Cisco MARS
ArcSight
netForensics
NetIQ
TriGeo
High Tower

and more coming in as more VCs dump their money into this industry.

The market and the products are relatively young, so be careful while choosing an appropriate SIM tool/log management product.

These are expensive IT investments and you should keep the compliance requirements of the organization in mind. Choose a system that suits your needs the best and which is open-ended should you need more enhancements to the current system for your future needs (your needs are going to change as per compliance standards).

I have been researching the same for a variety of client bases across many verticals with different budgets. It's a very interesting product set with a different set of challenges in implementation, which is fun.

Finally there is an industry building itself around protecting the internal IT assets rather than just worrying about the noise on the internet.

Ohh ok... let me stop here. I can go on and on... thanks for reading this long e-mail.

Sami, feel free to shoot me e-mails off-list if you have more questions.

-Venkata Achanta
Security Architect
vachanta () gmail com

Learn, experience, share and mentor.
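The tamper-proof archiving that category (1) in the post is about, shown as an added example that is not from this thread or from any product named in it: each archived record is hash-chained to its predecessor, and the chain head is sealed with an HMAC held off the log host, so both edits and silent truncation can be detected. The syslog lines, hostnames, addresses, rule tags and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample syslog lines from source types the post lists (router,
# firewall, IDS); hostnames, addresses and rule tags are invented.
SAMPLE_LOGS = [
    "<190>Nov 22 07:40:01 edge-rtr1 ACL-101: denied tcp 198.51.100.7(4411) -> 192.0.2.10(22)",
    "<134>Nov 22 07:40:03 fw1 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<131>Nov 22 07:40:09 ids1 ids[812]: [EXAMPLE-1] possible SSH scan 198.51.100.7 -> 192.0.2.10:22",
]
GENESIS = "0" * 64  # chain start for an empty archive


def _digest(prev_hash: str, seq: int, line: str) -> str:
    """Digest of one record, bound to its predecessor and its position."""
    return hashlib.sha256(f"{prev_hash}\x00{seq}\x00{line}".encode()).hexdigest()


def build_archive(lines, prev_hash=GENESIS):
    """Store lines as chained records {seq, line, prev, hash}."""
    records = []
    for seq, line in enumerate(lines):
        digest = _digest(prev_hash, seq, line)
        records.append({"seq": seq, "line": line, "prev": prev_hash, "hash": digest})
        prev_hash = digest
    return records


def verify_archive(records, genesis=GENESIS):
    """Recompute every digest; return (True, None) or (False, first bad seq)."""
    prev_hash = genesis
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev_hash:
            return False, expected_seq
        if rec["hash"] != _digest(prev_hash, rec["seq"], rec["line"]):
            return False, expected_seq
        prev_hash = rec["hash"]
    return True, None


def seal_head(records, key: bytes, genesis=GENESIS) -> str:
    """HMAC over the chain head. A bare chain can be rebuilt or truncated by
    whoever controls the log host, so the seal and key must live elsewhere
    (the collector, a WORM store); the key used here is a placeholder."""
    head = records[-1]["hash"] if records else genesis
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify_seal(records, key: bytes, seal: str, genesis=GENESIS) -> bool:
    """True only if the archive still ends at the sealed head."""
    return hmac.compare_digest(seal_head(records, key, genesis), seal)
```

An edited record fails `verify_archive`; an archive with its last records deleted still passes it but fails `verify_seal`, which is why the seal has to be checked as well.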
 
