Security Basics mailing list archives

Re: SIM Suggestions


From: "R Buena" <dreamsbig () gmail com>
Date: Sun, 3 Aug 2008 01:44:22 -0400

I would like to add to this thread by asking a question about the
administrative overhead of everyone's respective SIM? This will
probably help Ricardo in shopping for a SIM.

I find once you get a SIM to start collecting, correlating, and
reporting it tends to break more as it is a system with a lot of
"moving parts" collecting logs from operating systems event logs,
syslogs, database audit tables, proxy logs, and whatever else logs you
have or want to collect.  When I say break, I find that managing and
maintaining a SIM daily is a full time job or what amounts to a lot of
overtime for an admin.  Given this, it is important to have a very
good technical support team and support contract from the vendor of
your SIM and a whole LOT of patience. Make sure you also get the
latest and greatest hardware to run your SIM. I believe this latter
suggestion may have added to the issues I currently have with a SIM.

There seems to be a lot of response about Cisco MARS, but does anyone
else use any of the Gartner leading SIM solutions such as
NetForensics, enVision, TriGeo, ArcSight, or Intellitactics?

FYI - I use enVision

On Tue, Jul 29, 2008 at 10:29 AM, Lafosse, Ricardo <rlafosse () sfwmd gov> wrote:
Hello all,

I know this is going to be a fully loaded answer however we are
interested in acquiring a SIM. Any good/bad experiences and/or
suggestions would be greatly appreciated. We are a medium sized
organization.
Thanks,

Ricardo