Security Basics mailing list archives

RE: SIM Suggestions


From: "Daniel I. Didier" <ddidier () netsecureia com>
Date: Tue, 29 Jul 2008 14:17:52 -0400

Ricardo,
I've done a good many MARS installations (been working with the product
since Protego developed it) and I can offer a lot of input on how this
solution would and would not work for you.

As far as real-time alerting for Windows / Unix / Linux, MARS can do
some of this for you.  This is not its primary purpose, but it has a
good built-in rule set.  A standard setup that I do is to identify
critical users and groups.  For critical users, any login failures will
trigger an instant notification.  The same goes for modifications to
critical groups, including adding users, modifying permissions, etc.  As
far as AD user tracking goes, MARS can let you know about login failures,
successes, locked accounts, and similar metrics.

MARS has excellent support for Oracle databases.  However, MSSQL is not
supported.

The MARS excels at correlating information from Cisco equipment, and
will work with other vendor solutions.

Asset tracking may not be a strong point of the MARS depending on what
you are looking to do.

MARS has a built-in Nessus scanner to help it identify if a device is
susceptible or not, but you can't access this information directly.
MARS is designed to work in conjunction with external vulnerability
management solutions such as Qualys for advanced vuln management.

MARS has a built-in case-management feature that works very well.  It
allows you to collect information in one case and pull it together.  You
can email reports or view it interactively through the interface.

I'm not sure you'll find any one SIM that will do everything you need.
You'll need to compare the different solutions and weigh the pros and
cons.
You may want to also check out Q1 Labs and ArcSight.

One thing the MARS has that is very helpful for customized rules is the
custom parser feature.  It allows you to fairly easily build customized
rules for devices that do not have built-in support.  Many legacy apps /
systems fall into this group.  Cisco claims they will soon release a
feature that will allow people to easily share custom parsers, but I'm
not aware of this yet.

I'm just scratching the surface here.  If I can be of any more
assistance, please let me know -Dan

http://www.NetSecureIA.com



-----Original Message-----
From: Lafosse, Ricardo [mailto:rlafosse () sfwmd gov]
Sent: Tuesday, July 29, 2008 11:40 AM
To: Daniel I. Didier; security-basics () securityfocus com
Subject: RE: SIM Suggestions

First of all, thank you all for your quick replies. I knew this was
going to be overwhelming.
Daniel,
A set of our primary goals include:
1. Real-time alerting/correlation from UNIX/Linux/Windows/Multiple Cisco
devices/Multiple databases/Snort logs
2. Active Directory User Tracking (Identity Management)
3. Asset Tracking
4. Incident response Tracking System
5. Vulnerability Scans (either its own or inputs from Nessus)

Thanks,

Ricardo

-----Original Message-----
From: Daniel I. Didier [mailto:ddidier () netsecureia com]
Sent: Tuesday, July 29, 2008 11:20 AM
To: Lafosse, Ricardo; security-basics () securityfocus com
Subject: RE: SIM Suggestions

Ricardo,
I have a lot of experience with Cisco MARS and can tell you where it
will and won't be effective.  Do you have a set of primary goals that
you can share with us? -Dan

Sometimes a SIM isn't really what an organization needs (Depending on
the requirements) and a log analyzer might be a better fit...  I can
expand once I see what your goals are.

http://www.NetSecureIA.com

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 10:30 AM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a fully loaded answer; however, we are
interested in acquiring a SIM. Any good/bad experiences and/or
suggestions would be greatly appreciated. We are a medium sized
organization.
Thanks,

Ricardo
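The "critical users and groups" setup Dan describes in his first reply (login failures for watched accounts, changes to watched groups, lockouts) boils down to a small correlation rule. The following is an added illustration written for this archive page, not MARS code or anything from NetSecureIA: the log format, host names, user names and the watchlists are constructed; the event IDs are the standard Windows security event IDs for logon failure (4625), account lockout (4740) and group membership additions (4728/4732).

```python
import re

# Watchlists an operator would maintain (constructed for this example).
CRITICAL_USERS = {"svc_backup", "administrator"}
CRITICAL_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed, simplified security events in a key=value format (an
# assumption; real collectors emit richer records). Event IDs are the
# standard Windows ones: 4625 logon failure, 4740 lockout,
# 4728/4732 member added to a security-enabled group.
SAMPLE_LOGS = """\
2008-07-29T14:01:02 host=dc01 event=4625 user=jdoe src=10.0.0.5
2008-07-29T14:01:05 host=dc01 event=4625 user=administrator src=10.0.0.9
2008-07-29T14:01:07 host=dc01 event=4728 user=jdoe group="Domain Admins" actor=mallory
2008-07-29T14:01:09 host=dc01 event=4740 user=svc_backup src=10.0.0.9
2008-07-29T14:01:11 host=dc01 event=4728 user=jdoe group="Helpdesk" actor=it_admin
"""

# key=value pairs; values may be double-quoted to allow spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Turn one log line into a dict of fields plus its timestamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def evaluate(lines):
    """Apply the watchlist rules; return a list of (severity, message)."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        eid, user, group = ev.get("event"), ev.get("user"), ev.get("group")
        if eid == "4625" and user in CRITICAL_USERS:
            # Any single failure for a watched account is worth an alert.
            alerts.append(("high", f"login failure for critical user {user} from {ev.get('src')}"))
        elif eid == "4740" and user in CRITICAL_USERS:
            alerts.append(("high", f"critical account {user} locked out"))
        elif eid in ("4728", "4732") and group in CRITICAL_GROUPS:
            # Membership change to a watched group: who did it, to whom.
            alerts.append(("critical", f"{ev.get('actor')} added {user} to {group}"))
    return alerts


if __name__ == "__main__":
    for severity, message in evaluate(SAMPLE_LOGS):
        print(f"[{severity}] {message}")
```

Failures for non-watched accounts (jdoe) and changes to non-watched groups (Helpdesk) produce nothing, which is the point of the watchlist approach: it keeps the instant notifications to the handful of events the operator has decided matter.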
