AW: [logs] Security Monitoring software customization limit?

From: Lubomir.Nistorat_private
Date: Wed Jul 17 2002 - 09:16:55 PDT


    well you're looking for a centralized security monitoring system.. 
    and even worse.. you are looking to offer SOC services to various customers..
    did I get it right?
    
    welllll...
    you should be looking for something flexible and dynamic that you can adapt to fit customer needs..
    or else you end up with Check Point Provider-1 and firewalling services and are able to have only one particular type of customer..
    
    in order to get a fully dynamic and flexible system you should look into open source..
    and try to place a database in the center.. (you can replicate, mirror, whatever.. just be HA and redundant)
    
    then utilize a general event processing system that will pick up alarms from various parts/utilities/programs and bring them to the attention of surveillance..
    I haven't seen any general event processing systems (maybe ipfc: see my earlier messages), but I'm working on it and I hope to get some help on it if possible..
    
    but I'd like to know how TBird's team is doing it :)
    
    kr
     Lubo
    
    
    -----Original Message-----
    From: Fabio Pietrosanti (naif) [mailto:naifat_private]
    Sent: Wednesday, July 17, 2002 11:13
    To: loganalysisat_private
    Subject: [logs] Security Monitoring software customization limit?
    
    
    Dear Guys,
    
    suppose that I need to create a SOC for monitoring purposes ( like Counterpane
    does ) that should be able to manage incidents and alerts coming from "A LOT" of
    different devices, applications, operating systems and blah blah blah.
    
    Suppose that I have in mind "how to do that" from the procedure point of view
    but not perfectly from the "technological" point of view.
    
    I'm going to evaluate different software for doing those things and what I need
    is a solution that guarantees me at least the following features:
    
    - High Availability of every component 
    - Correlation of events between different devices
    - Ability to respond to events with many actions ( SNMP trap, mail, SMS,
      killing the operator with a gun ;P )
    - Extendable agent ( for integrating custom applications )
    - Ability to be a distributed, scalable infrastructure ( at least to monitor
      +5000 devices )
    
    I know netForensics products, but I have some doubts regarding the possibility to
    customize it heavily for my needs. 
    There is an agent called "Universal Agent" that allows me to write my own rules
    for my own application, but I cannot modify the rest of the infrastructure.
    
    I think that there is a lot of other software doing similar things and I
    would like to know the opinion of the list regarding the possibility to implement
    new features and customize the security monitoring software that is
    available on the market ( Tivoli Somethings, etc, etc ) :)
    
    Bye :)
    
    -- 
    
    Fabio Pietrosanti ( naif )
    E-mail: naifat_private - naifat_private
    PGP Key (DSS) http://naif.itapac.net/naif.asc
    --
     "Hacking is the future of security research" R.Power, CSI 
    Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    
    
    
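Lubo's "general event processing system" around a central store, together with Fabio's requirement list (cross-device correlation, several response actions, an extendable agent), sketched as a small Python pipeline. This is an added example, not code from either poster or from any product named in the thread; the device names `fw`/`ssh`, their log formats, the 60-second window and the sample lines are all constructed assumptions.

```python
# Added example (not from the thread): tiny SOC pipeline with pluggable per-device parsers
# ("extendable agent"), cross-device correlation, pluggable actions. All formats/lines constructed.
from collections import defaultdict, namedtuple
Event = namedtuple("Event", "ts device src kind")   # ts = epoch seconds

PARSERS = {}   # device type -> parser; a new device type only needs a new parser
def parser(device_type):
    def register(fn):
        PARSERS[device_type] = fn
        return fn
    return register

@parser("fw")    # constructed format: "<ts> DENY src=<ip>"
def parse_fw(line):
    ts, _, src = line.split()
    return Event(int(ts), "fw", src.split("=", 1)[1], "deny")

@parser("ssh")   # constructed format: "<ts> Failed password from <ip>"
def parse_ssh(line):
    ts, *_, src = line.split()
    return Event(int(ts), "ssh", src, "auth_fail")

def correlate(events, window=60, min_devices=2):
    """One alert per source IP seen by >= min_devices distinct device types
    within `window` seconds; a single noisy device never triggers on its own."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            devs = {e.device for e in evs[i:] if e.ts - first.ts <= window}
            if len(devs) >= min_devices:
                alerts.append((src, tuple(sorted(devs))))
                break
    return alerts

# Response actions are pluggable too; these return the message they would send
# (mail, SNMP trap) instead of sending it, so the pipeline is testable offline.
ACTIONS = [
    lambda src, devs: f"mail: {src} seen on {','.join(devs)}",
    lambda src, devs: f"snmp-trap: {src}",
]
def run(raw):   # raw: (device_type, log_line) pairs as a collector hands them over
    events = [PARSERS[kind](line) for kind, line in raw]
    return [act(src, devs) for src, devs in correlate(events) for act in ACTIONS]

SAMPLE = [("fw", "1000 DENY src=10.0.0.5"), ("ssh", "1030 Failed password from 10.0.0.5"),
          ("fw", "1100 DENY src=10.0.0.9"), ("ssh", "2000 Failed password from 10.0.0.9")]
```

With the constructed sample, only 10.0.0.5 is reported: it shows up on both device types within the window, while 10.0.0.9's two events are 900 seconds apart and stay below the correlation threshold.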



    This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 09:24:43 PDT