The products I'd (personally) suggest you look at are: ArcSight, Intellitactics & CyberWolf. They each are very extensible, have decent frontends (some better than others) and all have strong correlation engines under them.

BEWARE: vendors in this space throw the word "correlation" around all the time when what they mean is "consolidation".

Also, take into account whether the console will be able to properly handle not just parsing data from different products but actually understanding when two events are the same but named differently. E.g. is the console simply parsing/normalizing the data, or is it categorizing it, or is it actually translating it into a standard format? CyberWolf does the most translation of any product I've seen. A larger group of products does categorization (which may be easier to extend than the translation engines); some of the older products in the market do parsing/normalization, which really doesn't give you much (in my humble opinion).

www.itactics.com
www.arcsight.com
www.cyberwolftech.com

All opinions are my own and in no way reflect the views of my employers

Toby

Toby Kohlenberg, CISSP, GCIH, GCIA
Senior Information Security Analyst
Applied Security Technology Team
Intel Corporate Information Security
503-712-8588 Office & Voicemail
877-497-1696 Pager
"Just because you're paranoid, doesn't mean they're not after you."
PGP Fingerprint: 92E2 E2FC BB8B 98CD 88FA 01A1 6E09 B5BA 9E84 9E70

> -----Original Message-----
> From: Fabio Pietrosanti (naif) [mailto:naifat_private]
> Sent: Wednesday, July 17, 2002 2:13 AM
> To: loganalysisat_private
> Subject: [logs] Security Monitoring software customization limit?
>
> Dear Guys,
>
> suppose that I need to create a SOC for monitoring purposes (like Counterpane does) that should be able to manage incidents and alerts coming from "A LOT" of different devices, applications, operating systems and blah blah blah.
>
> Suppose that I have in mind "how to do that" from the procedure point of view but not perfectly from the "technological" point of view.
>
> I'm going to evaluate different software for doing those things, and what I need is a solution that guarantees me at least the following features:
>
> - High Availability of every component
> - Correlation of events between different devices
> - Ability to respond to events with many actions (SNMP trap, mail, SMS, killing the operator with a gun ;P)
> - Extendable agent (for integrating custom applications)
> - Ability to be a distributed, scalable infrastructure (at least to monitor 5000+ devices)
>
> I know the netForensics products, but I have some doubts regarding the possibility to customize it heavily for my needs.
> There is an agent called "Universal Agent" that allows me to write my own rules for my own application, but I cannot modify the rest of the infrastructure.
>
> I think that there are a lot of other software packages doing similar things, and I would like to know the opinion of the list regarding the possibility to implement new features and customize the security monitoring software that is available on the market (Tivoli Somethings, etc, etc) :)
>
> Bye :)
>
> --
>
> Fabio Pietrosanti ( naif )
> E-mail: naifat_private - naifat_private
> PGP Key (DSS) http://naif.itapac.net/naif.asc
> --
> "Hacking is the future of security research" R.Power, CSI
> Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: loganalysis-unsubscribeat_private
> For additional commands, e-mail: loganalysis-helpat_private
> ---------------------------------------------------------------------
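The distinction Toby draws above between parsing/normalizing, categorizing, and translating events into a standard format, and between "consolidation" and real correlation, is easy to see in code. The following is an added example and is not from the original thread, from any of the products named, or from either poster. The two products ("fwprod" and "hostagent"), their log layouts, the "auth.failure"/"auth.success" taxonomy, and the sample log lines are all constructed for illustration; the year 2002 is assumed when translating the syslog-style timestamp that carries none.

```python
"""Added example (not from the original thread): three levels of event handling
-- parse/normalize, categorize, translate -- followed by a cross-product
correlation rule.  All product names, formats and log lines are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: two fictional products reporting the same kind of
# event (a failed login) under different names and in different layouts.
SAMPLE_LOGS = [
    ("fwprod", "2002-07-17 02:13:01 vpn-gw LOGIN_REJECT user=bob src=10.1.1.5"),
    ("hostagent", "Jul 17 02:13:04 host1 sshd[812]: Failed password for bob from 10.1.1.5"),
    ("fwprod", "2002-07-17 02:13:09 vpn-gw LOGIN_REJECT user=bob src=10.1.1.5"),
    ("hostagent", "Jul 17 02:13:11 host1 sshd[813]: Failed password for bob from 10.1.1.5"),
    ("hostagent", "Jul 17 02:13:20 host1 sshd[814]: Accepted password for bob from 10.1.1.5"),
    ("fwprod", "2002-07-17 02:14:00 vpn-gw LOGIN_REJECT user=alice src=10.1.1.9"),
]

# Level 1, parse/normalize: per-product regexes.  Field names line up, but the
# values (event name, timestamp format) are still product-specific.
PARSERS = {
    "fwprod": re.compile(
        r"(?P<ts>\S+ \S+) (?P<host>\S+) (?P<name>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"),
    "hostagent": re.compile(
        r"(?P<ts>\w{3} +\d+ \S+) (?P<host>\S+) sshd\[\d+\]: "
        r"(?P<name>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
}

# Level 2, categorize: map each product's own event name onto a common taxonomy
# (constructed), so "LOGIN_REJECT" and "Failed password" become the same thing.
CATEGORY = {
    ("fwprod", "LOGIN_REJECT"): "auth.failure",
    ("hostagent", "Failed"): "auth.failure",
    ("hostagent", "Accepted"): "auth.success",
}

@dataclass
class Event:
    ts: datetime
    product: str
    host: str
    category: str
    user: str
    src: str

def parse_ts(product, raw):
    # Level 3, translate: every product's timestamp becomes one datetime type.
    # The syslog-style line has no year; 2002 is assumed here (constructed).
    if product == "fwprod":
        return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S")
    return datetime.strptime("2002 " + raw, "%Y %b %d %H:%M:%S")

def translate(product, line):
    """Parse, categorize and translate one raw line into a standard Event."""
    m = PARSERS[product].match(line)
    if not m:
        return None          # unknown layout: drop rather than guess
    d = m.groupdict()
    return Event(ts=parse_ts(product, d["ts"]), product=product, host=d["host"],
                 category=CATEGORY.get((product, d["name"]), "unknown"),
                 user=d["user"], src=d["src"])

def consolidate(logs):
    """'Consolidation': merge the streams into one time-ordered list, nothing more."""
    events = (translate(p, line) for p, line in logs)
    return sorted((e for e in events if e is not None), key=lambda e: e.ts)

def correlate(events, threshold=3, window=timedelta(seconds=30), cross_product=True):
    """Correlation rule: >= threshold auth.failure events for the same (user, src)
    inside `window`.  With cross_product=True the rule ignores which product
    reported the failure; with False each product is judged on its own."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e.category != "auth.failure":
            continue
        key = (e.user, e.src) if cross_product else (e.product, e.user, e.src)
        recent[key] = [x for x in recent[key] if e.ts - x.ts <= window] + [e]
        if len(recent[key]) >= threshold:
            alerts.append({"user": e.user, "src": e.src, "count": len(recent[key]),
                           "products": sorted({x.product for x in recent[key]}),
                           "last": e.ts})
            recent[key] = []   # one burst, one alert
    return alerts

def run(logs=SAMPLE_LOGS):
    events = consolidate(logs)
    return events, correlate(events)

if __name__ == "__main__":
    events, alerts = run()
    for e in events:
        print(e.ts, e.product, e.category, e.user, e.src)
    for a in alerts:
        print("ALERT", a)
```

On the constructed input neither product alone sees three failures for bob from 10.1.1.5 inside the window (two each), so `correlate(events, cross_product=False)` returns nothing; only once both products' events have been translated into the same category and field semantics does the cross-product rule fire, which is the difference Toby is pointing at between consolidating feeds and correlating them.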
This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 15:33:35 PDT