IDS mailing list archives

RE: Correlation software


From: "Phil Hollows" <phollows () open com>
Date: Wed, 24 Mar 2004 00:56:55 -0500

Fair warning - I work for Open.  Yes, we deliver real-time correlation as described.  Our approach uses stateful 
analysis of log events instead of rules (signatures) to link vulnerability data, assets, events and logs from 
multi-vendor, multi-class event sources.  All entirely web-based, so no big consoles to install.  We're at www.open.com; 
the product is "Security Threat Manager", or STM for short.  
 
In answer to another question on the thread, you can access log data streams from the sensor or from its management 
platform; which is best for you depends on the vendor, your setup, etc.  For anything approaching real-time in a 
non-trivial environment, simply stashing log data into a database won't scale and won't be real-time (you can't optimize 
a relational db for both the high insert rates and the fast retrievals needed for correlation; you need indices for the latter, 
and it's index maintenance that cripples insert performance).  STM uses over-the-wire and in-memory state analysis to 
deliver consistently high performance.  FWIW. Do your own due diligence when evaluating products.  
 
Phil

        -----Original Message----- 
        From: Chris Petersen [mailto:chris () security-conscious com] 
        Sent: Tue 3/23/2004 1:13 PM 
        To: sam () neuroflux com; focus-ids () securityfocus com 
        Cc: 
        Subject: RE: Correlation software
        
        

        **** Fair warning, I am the CTO of a Log Management/Correlation Company ****
        
        The products I am familiar with in this area are:
        - ArcSight (strong in correlation & eye-candy)
        - Intellitactics (good underlying engine from what I've heard)
        - GuardedNet (Have heard a lot of good things about this product.  I think
        they get it)
        - NetForensics (strong on reporting side)
        - Addamark (not sure what they have for correlation, heavy focus on log
        management)
        - Open (???)
        - LogRhythm...
        
        LogRhythm takes a somewhat different approach than the aforementioned.  It's
        based on a distributed log management architecture on top of which event
        management is built.  Users can deploy our rules or develop their own to
        identify and transform logs into events.  Events are then forwarded to an
        event management system.  However, instead of throwing away the log or
        normalizing beyond the point of recognition, the original logs remain stored
        at the log management layer and can be queried on demand to support event
        analysis.  We are also doing some very interesting things in the area of
        data-mining intrusion/fraud detection. 
        
        For additional information on LogRhythm, a technical whitepaper is available
        at http://www.security-conscious.com/literature.html
        
        Chris Petersen
        Security Conscious, Inc.
        chris () security-conscious com
        www.security-conscious.com
        
        
        > -----Original Message-----
        > From: sam () neuroflux com [mailto:sam () neuroflux com]
        > Sent: Thursday, March 18, 2004 9:07 AM
        > To: focus-ids () securityfocus com
        > Subject: Correlation software
        >
        >
        > Hello..  Thank you all for your responses to my Entercept
        > email, they have all been fantastic!
        >
        > I am also looking to find out if there are any commercial Log
        > Correlation packages available?  I'm looking for something
        > that can correlate Firewall
        > + IDS + HIDS type of logs and create a logical flow of events..
        >
        > Can anyone recommend, or point me in the right direction?
        >
        > Thanks!
        > -Sam
        >
        >


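Sam asked for something that turns firewall + IDS + HIDS logs into a logical flow of events; Phil argues that real-time correlation has to be done as in-memory state rather than database inserts and index lookups, and Chris stresses keeping the original log reachable from each event. The following is an added example that ties those three points together in a toy streaming correlator. It is not code from Open, LogRhythm or any other product named in the thread. The log lines, the hostname-to-address asset table, the regexes, the five-minute window and the "all three source classes for one src/dst pair" rule are all constructed for the example.

```python
"""Toy in-memory correlator: firewall + IDS + HIDS lines -> ordered incident chains.

Added example for the focus-ids thread; not vendor code. State is a per-(src, dst)
list expired by a sliding window, so nothing is inserted into or indexed in a
database. Each normalized event keeps its raw line so the chain can be shown verbatim.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs using documentation IP ranges. The formats loosely follow
# iptables, Snort "fast" alerts and sshd syslog but are not real captures.
SAMPLE_LOGS = [
    "2004-03-23T13:10:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2004-03-23T13:10:03 ids snort: [1:2001:1] SSH brute-force attempt {TCP} 198.51.100.7:40112 -> 192.0.2.10:22",
    "2004-03-23T13:10:04 host1 sshd[412]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "2004-03-23T13:10:05 host1 sshd[412]: Failed password for root from 198.51.100.7 port 40113 ssh2",
    # second pair: firewall + IDS, then a HIDS failure far outside the window (must NOT correlate)
    "2004-03-23T13:10:06 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2004-03-23T13:10:07 ids snort: [1:2001:1] SSH brute-force attempt {TCP} 203.0.113.9:5010 -> 192.0.2.10:22",
    "2004-03-23T13:25:30 host1 sshd[431]: Failed password for admin from 203.0.113.9 port 5011 ssh2",
]

# Constructed asset inventory: the HIDS line names a host, not an address.
HOST_ADDRS = {"host1": "192.0.2.10"}

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: (?P<action>ACCEPT|DROP) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) \S+ snort: \[[\d:]+\] (?P<msg>.+?) \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
HIDS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")


@dataclass
class Event:
    ts: datetime
    source: str   # event class: "fw", "ids" or "hids"
    kind: str     # normalized verb: "accept", "drop", "alert", "auth_fail"
    src_ip: str
    dst_ip: str
    raw: str      # original line, kept for on-demand analysis


def normalize(line: str) -> Event | None:
    """Apply the parsing rules; return None for a line no rule recognizes."""
    ts = lambda s: datetime.fromisoformat(s)
    if m := FW_RE.match(line):
        return Event(ts(m["ts"]), "fw", m["action"].lower(), m["src"], m["dst"], line)
    if m := IDS_RE.match(line):
        return Event(ts(m["ts"]), "ids", "alert", m["src"], m["dst"], line)
    if m := HIDS_RE.match(line):
        return Event(ts(m["ts"]), "hids", "auth_fail", m["src"], HOST_ADDRS.get(m["host"], m["host"]), line)
    return None


class Correlator:
    """Sliding-window state per (src_ip, dst_ip). An incident is emitted the first time
    all three source classes have been seen for the pair within WINDOW."""
    WINDOW = timedelta(minutes=5)
    REQUIRED = {"fw", "ids", "hids"}

    def __init__(self) -> None:
        self.state = defaultdict(list)   # (src, dst) -> list[Event]
        self.incidents = []              # list[list[Event]], each in time order

    def feed(self, ev: Event):
        key = (ev.src_ip, ev.dst_ip)
        chain = self.state[key]
        # Drop anything older than the window relative to the newest event for this pair.
        chain[:] = [e for e in chain if ev.ts - e.ts <= self.WINDOW]
        chain.append(ev)
        if self.REQUIRED <= {e.source for e in chain}:
            incident = sorted(chain, key=lambda e: e.ts)
            self.incidents.append(incident)
            del self.state[key]          # reset so the same chain is not re-emitted
            return incident
        return None


def correlate(lines):
    """Stream lines through the correlator; return (incidents, unparsed_lines)."""
    c, unparsed = Correlator(), []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            c.feed(ev)
    return c.incidents, unparsed


def describe(chain) -> str:
    """The 'logical flow of events' for one incident, e.g. 'fw:accept -> ids:alert -> hids:auth_fail'."""
    return " -> ".join(f"{e.source}:{e.kind}" for e in chain)


if __name__ == "__main__":
    found, skipped = correlate(SAMPLE_LOGS)
    for chain in found:
        print(describe(chain))
        for e in chain:
            print("   ", e.raw)   # original log retained, not a lossy normalized copy
    print(f"{len(skipped)} unparsed line(s)")
```

The second attacker pair shows the window doing its job: the firewall accept and IDS alert from 203.0.113.9 are expired before the sshd failure arrives fifteen minutes later, so no incident is raised for it. Whether a real deployment should treat that gap as innocent is a tuning question the example does not settle; a production engine would also need per-key expiry on idle pairs so the state table cannot grow without bound.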