Security Basics mailing list archives
Re: SIM Suggestions
From: Albert Gonzalez <albertg () cerveau us>
Date: Sat, 09 Aug 2008 07:15:35 +0200
Ricardo,

What is the driving force for implementing a SIM device? Correlation? Centralized Analysis? Reducing event counts?

Understand that a SIM is just another tool in your arsenal and should not be the starting basis for providing analytical capabilities. If your reporting devices are not properly tuned, the correlation provided will not be of much use (garbage in, garbage out). Initially a SIM device will increase your overall workload and require resources and tuning, and is always an on-going process.

The vendor won't know your environment. You should have it clearly defined as much as possible, and that will help illustrate some initial requirements you will require from the SIM solution. This can include, but is not limited to:

- Analysis Workflow
  - Who will use the SIM?
  - What will they need to perform analysis?
  - Escalation?
- Reporting devices
  - Types - hardware
  - Data generated - Policies, logging levels, etc...
  - Reporting methods.
- Network model
  - Defining business critical assets
  - Defining IP ranges used, zones, etc...
  - Detailed asset information. (Owner, Function, OS, etc...)
- Policies
  - Business requirements? (Audits, Standards, etc...)
  - Procedures for X, Y, and Z

[And so on...]

The more information you have going into this, the more it will help with asking specific questions and basic requirements; go from there. From the above we can provide some high level requirements to the vendor, for example:

- Defined reporting devices will give you requirements for how you can report the data. Can the vendor support it? Can the appliance handle an agent executable? Is it supported? Event counts can help in determining a range of EPS requirements for the solution, and with the required retention periods can help with storage requirements.
- The network model can illustrate requirements for asset categorization and prioritization, to provide business relevant data to the output. Asset information can provide analysts with team and ownership information in case further information is required, etc...
- Established policies might require the use of the standard ticketing system; can the vendor export to it? They also might require certain types of encryption and bit levels, etc...

You also want to understand the correlation process of the solutions. Correlation is the core functionality of a SIM; understanding what criteria are used during the evaluation by the correlation engine will help model your deployment to provide as much of the required criteria as possible. Correlation can cause overwhelming amounts of data, which usually results in disabling various rules. The more relevant information you can initially incorporate will help illustrate various use-cases and show value to the deployment. Customization and flexibility should also be available to tailor the default content and create your own.

I hope that helps. And good luck with the project.

- Albert Gonzalez

On 7/29/08 5:39 PM, "Lafosse, Ricardo" <rlafosse () sfwmd gov> wrote:

First of all, thank you all for your quick replies. I knew this was going to be overwhelming.

Daniel,

A set of our primary goals include:

1. Real-time alerting/correlation from UNIX/Linux/Windows/Multiple Cisco devices/Multiple databases/Snort logs
2. Active Directory User Tracking (Identity Management)
3. Asset Tracking
4. Incident response Tracking System
5. Vulnerability Scans (either its own or inputs from Nessus)

Thanks,
Ricardo

-----Original Message-----
From: Daniel I. Didier [mailto:ddidier () netsecureia com]
Sent: Tuesday, July 29, 2008 11:20 AM
To: Lafosse, Ricardo; security-basics () securityfocus com
Subject: RE: SIM Suggestions

Ricardo,

I have a lot of experience with Cisco MARS and can tell you where it will and won't be effective. Do you have a set of primary goals that you can share with us?

-Dan

Sometimes a SIM isn't really what an organization needs (depending on the requirements) and a log analyzer might be a better fit... I can expand once I see what your goals are.

http://www.NetSecureIA.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 10:30 AM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a fully loaded answer; however, we are interested in acquiring a SIM. Any good/bad experiences and/or suggestions would be greatly appreciated. We are a medium sized organization.

Thanks,
Ricardo
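The correlation and network-model points Albert raises (a rule that only fires on enough related events, a second reporting source to cut noise, and an asset table that turns a hit into something business-relevant) as an added Python example that is not from the thread or from any SIM product. The asset table, the normalized events and the rule itself are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset model (the "network model" discussed above): owner,
# function and whether the asset is business critical.
ASSETS = {
    "10.0.1.5": {"owner": "finance", "function": "payroll-db", "critical": True},
    "10.0.2.9": {"owner": "it", "function": "test-box", "critical": False},
}
UNKNOWN = {"owner": "unknown", "function": "unknown", "critical": False}

# Constructed, already-normalized events from several reporting devices.
EVENTS = [
    {"ts": "2008-07-29 10:00:01", "src": "Windows", "kind": "auth_fail", "actor": "192.0.2.7", "target": "10.0.1.5"},
    {"ts": "2008-07-29 10:00:05", "src": "Windows", "kind": "auth_fail", "actor": "192.0.2.8", "target": "10.0.2.9"},
    {"ts": "2008-07-29 10:00:09", "src": "Snort", "kind": "portscan", "actor": "192.0.2.7", "target": "10.0.1.5"},
    {"ts": "2008-07-29 10:00:20", "src": "Windows", "kind": "auth_fail", "actor": "192.0.2.8", "target": "10.0.2.9"},
    {"ts": "2008-07-29 10:00:40", "src": "Windows", "kind": "auth_fail", "actor": "192.0.2.8", "target": "10.0.2.9"},
    {"ts": "2008-07-29 10:01:10", "src": "Cisco", "kind": "auth_fail", "actor": "192.0.2.7", "target": "10.0.1.5"},
    {"ts": "2008-07-29 10:02:30", "src": "Windows", "kind": "auth_fail", "actor": "192.0.2.7", "target": "10.0.1.5"},
]

def correlate(events, assets, window_s=300, threshold=3):
    """Raise one alert per (actor, target) once `threshold` auth_fail events
    fall inside a sliding window of `window_s` seconds AND at least two device
    types report them. Requiring a second source keeps one chatty device from
    drowning the analyst; asset criticality sets the severity they see."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(list)      # (actor, target) -> [(time, src), ...]
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth_fail":
            continue                # this rule consumes authentication failures only
        key = (ev["actor"], ev["target"])
        now = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        # drop events that have aged out of the window, then add this one
        recent[key] = [(t, s) for t, s in recent[key] if now - t <= window]
        recent[key].append((now, ev["src"]))
        sources = {s for _, s in recent[key]}
        if key in alerts or len(recent[key]) < threshold or len(sources) < 2:
            continue
        asset = assets.get(ev["target"], UNKNOWN)  # unmodelled asset: low priority
        alerts[key] = {
            "actor": ev["actor"], "target": ev["target"], "count": len(recent[key]),
            "sources": sorted(sources),
            "severity": "high" if asset["critical"] else "low",
            "owner": asset["owner"], "function": asset["function"],
        }
    return list(alerts.values())
```

With the sample data only the failures against the payroll host fire (three hits, two device types, critical asset); the three Windows-only failures against the test box stay below the second-source requirement, and shrinking the window to 30 seconds produces no alert at all.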