Security Basics mailing list archives

RE: SIM Suggestions


From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Tue, 29 Jul 2008 20:48:11 +0530

Hi,

Do consider SSIM (Symantec Security Information Manager). I am from
Symantec, so it would seem like a biased answer. But the way correlation
works in SSIM is very unique and gives SSIM the edge. All events are
mapped to EMR (Effects that they have on your asset, Mechanisms used for
an attack, and Resources that can be affected by that attack). Some
events may have multiple E or M or R, or may have one of these as blank.
The correlation rules work on EMR, so the rules always remain relevant.
E.g. if there is an attack targeting webservers, it may have a mechanism
of buffer overflow and a resource of webserver. The rule will check for
all attacks using M as buffer overflow that target R webserver.

A real rule will cover all mechanisms that can be used to attack a
webserver with R as a webserver. So whenever there are new attacks, as
long as their EMR satisfies the rule, the rule fires. A rule can refer
to all EMR or one or two of these. Symantec does the work of mapping
vendor signatures from a large number of devices from a large number of
vendors into EMR values, which are sent as updates to the SSIM.

Of course you can write rules to work on individual or generic events
like other correlation engines.

Regards,
Tariq Naik

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 8:00 PM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a fully loaded answer; however, we are
interested in acquiring a SIM. Any good/bad experiences and/or
suggestions would be greatly appreciated. We are a medium sized
organization.
Thanks,

Ricardo 
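To make the EMR correlation idea from Tariq's reply concrete, below is an added toy correlation engine in Python. It is not SSIM code and not Symantec's mapping data; the sensor names (`ids-a`, `ids-b`), signature names, EMR vocabulary, rule names and IP addresses are all constructed for the example. It shows the two properties the post describes: vendor signatures are normalized to (Effect, Mechanism, Resource) values, some of which may be blank, and rules match on those values, so a brand-new signature that a content update maps to "buffer overflow against webserver" fires the existing rule with no rule change.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

EMR = Tuple[Optional[str], Optional[str], Optional[str]]

# Constructed vendor-signature -> EMR table. In the post this is the mapping
# the vendor maintains and ships as updates; every name here is made up.
SIGNATURE_TO_EMR: Dict[Tuple[str, str], EMR] = {
    ("ids-a", "HTTP_OVERLONG_HEADER"): ("code_execution", "buffer_overflow", "webserver"),
    ("ids-b", "IIS-Chunked-Overflow"): ("code_execution", "buffer_overflow", "webserver"),
    ("ids-a", "SQLI_UNION_SELECT"):    ("data_disclosure", "sql_injection", "webserver"),
    ("ids-b", "ICMP-Ping-Sweep"):      (None, "recon", None),   # E and R left blank
}


def add_signature_mapping(source: str, signature: str, emr: EMR) -> None:
    """Simulates a content update: a new vendor signature receives EMR values."""
    SIGNATURE_TO_EMR[(source, signature)] = emr


@dataclass(frozen=True)
class EMREvent:
    source: str
    signature: str
    src_ip: str
    effect: Optional[str]
    mechanism: Optional[str]
    resource: Optional[str]


def normalize(raw: dict) -> EMREvent:
    """Attach EMR values to a raw sensor event; unmapped signatures get all-blank EMR."""
    e, m, r = SIGNATURE_TO_EMR.get((raw["source"], raw["signature"]), (None, None, None))
    return EMREvent(raw["source"], raw["signature"], raw["src_ip"], e, m, r)


@dataclass
class Rule:
    name: str
    effect: Optional[Set[str]] = None       # None means "don't care" for that field
    mechanism: Optional[Set[str]] = None
    resource: Optional[Set[str]] = None
    min_distinct_signatures: int = 1        # per source IP, before the rule fires

    def matches(self, ev: EMREvent) -> bool:
        # A rule may constrain all three EMR fields or only one or two of them.
        for wanted, actual in ((self.effect, ev.effect),
                               (self.mechanism, ev.mechanism),
                               (self.resource, ev.resource)):
            if wanted is not None and actual not in wanted:
                return False
        return True


def correlate(rules: List[Rule], raw_events: List[dict]) -> Dict[str, List[str]]:
    """Return {rule name: sorted source IPs} for every rule that fired."""
    events = [normalize(r) for r in raw_events]
    fired: Dict[str, List[str]] = {}
    for rule in rules:
        sigs_by_ip: Dict[str, Set[Tuple[str, str]]] = {}
        for ev in events:
            if rule.matches(ev):
                sigs_by_ip.setdefault(ev.src_ip, set()).add((ev.source, ev.signature))
        ips = sorted(ip for ip, sigs in sigs_by_ip.items()
                     if len(sigs) >= rule.min_distinct_signatures)
        if ips:
            fired[rule.name] = ips
    return fired


RULES = [
    # The rule from the post: any buffer-overflow mechanism against a webserver.
    Rule("webserver_overflow", mechanism={"buffer_overflow"}, resource={"webserver"}),
    # Constrains R only: two different techniques against webservers from one IP.
    Rule("webserver_multi_technique", resource={"webserver"}, min_distinct_signatures=2),
    # Constrains M only; matching events may have E and R blank.
    Rule("recon_activity", mechanism={"recon"}),
]

# Constructed sample events from two fictional sensors.
SAMPLE_EVENTS = [
    {"source": "ids-a", "signature": "HTTP_OVERLONG_HEADER", "src_ip": "203.0.113.5"},
    {"source": "ids-b", "signature": "IIS-Chunked-Overflow", "src_ip": "203.0.113.5"},
    {"source": "ids-a", "signature": "SQLI_UNION_SELECT",    "src_ip": "203.0.113.9"},
    {"source": "ids-b", "signature": "ICMP-Ping-Sweep",      "src_ip": "198.51.100.7"},
    {"source": "ids-b", "signature": "NEW-UNMAPPED-SIG",     "src_ip": "203.0.113.77"},
]

if __name__ == "__main__":
    for name, ips in correlate(RULES, SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(ips)}")
```

The unmapped signature from 203.0.113.77 matches nothing on the first run; once `add_signature_mapping` gives it buffer-overflow/webserver values, `webserver_overflow` picks it up although the rule itself was never edited, which is the point the post makes about EMR-based rules staying relevant as vendor content is updated.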

