Security Basics mailing list archives

Re: SIM Suggestions


From: Albert Gonzalez <albertg () cerveau us>
Date: Sat, 09 Aug 2008 07:15:35 +0200

Ricardo,

What is the driving force for implementing a SIM device? Correlation?
Centralized Analysis? Reducing event counts? Understand that a SIM is just
another tool in your arsenal and should not be the starting basis for
providing analytical capabilities. If your reporting devices are not
properly tuned, the correlation provided will not be of much use (garbage in,
garbage out). Initially a SIM device will increase your overall workload and
require resources and tuning, and it is always an on-going process.

The vendor won't know your environment, so you should have it clearly defined
as much as possible; this will help illustrate some initial requirements you
will have for the SIM solution. This can include, but is not limited to:

 - Analysis Workflow
        - Who will use the SIM?
        - What will they need to perform analysis?
        - Escalation?

 - Reporting devices
        - Types
        - Hardware
        - Data generated
        - Policies, logging levels, etc...
        - Reporting methods.

 - Network model
        - Defining business critical assets
        - Defining IP ranges used, zones, etc...
        - Detailed asset information. (Owner, Function, OS, etc...)

 - Policies
        - Business requirements? (Audits, Standards, etc...)
        - Procedures for X, Y, and Z

[And so on...]

The more information you have going into this, the more it will help with
asking specific questions and setting basic requirements, and you can go from
there. From the above we can provide some high level requirements to the
vendor, for example:

- Defined reporting devices will give you requirements for how you can report
the data; can the vendor support it? Can the appliance handle an agent
executable? Is it supported? Event counts can help in determining a range of
EPS requirements for the solution and, together with the required retention
periods, can help with storage requirements.

- The network model can illustrate requirements for asset categorization and
prioritization, to provide business-relevant data in the output. Asset
information can provide analysts with team and ownership information in case
further information is required, etc...

- Established policies might require the use of the standard ticketing
system; can the vendor export to it? They might also require a certain type
of encryption and bit levels, etc...

You also want to understand the correlation process of the solutions.
Correlation is the core functionality of a SIM; understanding what criteria
are used during the evaluation by the correlation engine will help you model
your deployment to provide as much of the required criteria as possible.
Correlation can cause overwhelming amounts of data, which usually results in
disabling various rules. The more relevant information you can initially
incorporate, the more it will help in illustrating various use-cases and
showing value in the deployment. Customization and flexibility should also be
available to tailor the default content and create your own.

I hope that helps. And good luck with the project.

- Albert Gonzalez
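As an added illustration of the sizing point above (turning per-device event counts and retention periods into EPS and storage requirements), here is a small calculator; it is not part of Albert's post or of the thread, and the device names, hourly counts, event sizes and compression ratio are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ReportingDevice:
    """One log source with a sampled series of events-per-hour counts."""
    name: str
    hourly_counts: List[int]   # events observed in each sampled hour (constructed)
    avg_event_bytes: int       # mean stored size of one event; assumed per device type


def eps_range(devices: List[ReportingDevice]) -> Dict[str, float]:
    """Average and peak events per second summed over all reporting devices.

    Peak assumes every device hits its busiest hour at the same time, which is
    the conservative figure to compare against a vendor's EPS licence tier.
    """
    avg_per_hour = sum(sum(d.hourly_counts) / len(d.hourly_counts) for d in devices)
    peak_per_hour = sum(max(d.hourly_counts) for d in devices)
    return {"avg_eps": avg_per_hour / 3600, "peak_eps": peak_per_hour / 3600}


def storage_bytes(devices: List[ReportingDevice], retention_days: int,
                  compression_ratio: float = 1.0) -> float:
    """Bytes needed to keep the average daily volume for retention_days."""
    daily = sum(sum(d.hourly_counts) / len(d.hourly_counts) * 24 * d.avg_event_bytes
                for d in devices)
    return daily * retention_days / compression_ratio


def sizing_summary(devices: List[ReportingDevice], retention_days: Dict[str, int],
                   compression_ratio: float = 1.0) -> Dict[str, float]:
    """EPS range plus one storage figure per retention tier (e.g. online vs archive)."""
    summary = eps_range(devices)
    for tier, days in retention_days.items():
        summary[f"storage_{tier}_bytes"] = storage_bytes(devices, days, compression_ratio)
    return summary


# Constructed sample: four sampled hours per device, with one burst on the firewall.
SAMPLE_DEVICES = [
    ReportingDevice("edge-firewall", [3600, 3600, 7200, 3600], 200),
    ReportingDevice("domain-controller", [1800, 1800, 1800, 1800], 500),
]

if __name__ == "__main__":
    for key, value in sizing_summary(SAMPLE_DEVICES, {"online": 90, "archive": 365}, 4.0).items():
        print(f"{key}: {value:,.2f}")
```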



On 7/29/08 5:39 PM, "Lafosse, Ricardo" <rlafosse () sfwmd gov> wrote:

First of all, thank you all for your quick replies. I knew this was
going to be overwhelming.
Daniel,
A set of our primary goals include:
1. Real-time alerting/correlation from UNIX/Linux/Windows/Multiple Cisco
devices/Multiple databases/Snort logs
2. Active Directory User Tracking (Identity Management)
3. Asset Tracking
4. Incident response Tracking System
5. Vulnerability Scans (either its own or inputs from Nessus)

Thanks,

Ricardo

-----Original Message-----
From: Daniel I. Didier [mailto:ddidier () netsecureia com]
Sent: Tuesday, July 29, 2008 11:20 AM
To: Lafosse, Ricardo; security-basics () securityfocus com
Subject: RE: SIM Suggestions

Ricardo,
I have a lot of experience with Cisco MARS and can tell you where it
will and won't be effective.  Do you have a set of primary goals that
you can share with us? -Dan

Sometimes a SIM isn't really what an organization needs (Depending on
the requirements) and a log analyzer might be a better fit...  I can
expand once I see what your goals are.

http://www.NetSecureIA.com

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 10:30 AM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a fully loaded answer; however, we are
interested in acquiring a SIM. Any good/bad experiences and/or
suggestions would be greatly appreciated. We are a medium sized
organization.
Thanks,

Ricardo



