On the missing argument of ease-of-integration:

These custom efforts are done often with a commercial SIM. The effort would be the same, if not easier, with a commercial SIM. If this is a requirement, the product selector should take a look at the database design and the ability to build tools off the existing architecture.

I agree, a SIM should deliver intelligence and an ability to complete a security incident workflow and audit. It is not easy. I can only think of one vendor that delivers this :)

-Erik

<<
One argument that's missing from the discussion so far is the ease of integration with other information sources in the enterprise. For me, this is a major incentive for doing in-house development of this kind of solution; correlating inventory information, user databases, personnel databases and so forth with the log events is important, and this is an area where commercial solutions traditionally have been weak (particularly in the system management space).

Furthermore, I think that viewing a SIM solution as a machine that goes 'ping!' when something bad happens is just about as futile as the initial, simplistic IDS offerings. While alerts certainly are useful, I would claim that 'better operational understanding of what's going on' is a more important goal than the 'ping!' factor. Viewing the SIM as an operational tool is therefore more important than the 'black box' factor, imho.

FloCon (http://www.cert.org/flocon/2005/presentations/) is an example of cool research trying to give us a better understanding of our networks -- and not just the security events taking place on them.

Just my $0.02. YMMV. :-)

> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA

-oddbjorn

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
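The kind of correlation oddbjorn describes (joining log events against an asset inventory and a personnel feed so the SIM tells you something operational rather than just "ping!") is easy to sketch in a few dozen lines. The following is an added example written for this archive page, not code from either poster or from any SIM product; the inventory table, the personnel table and the sshd log lines are all constructed sample data, and the finding labels (`src_not_in_inventory`, `terminated_user`, `src_owned_by_other`) are names chosen here for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed asset inventory keyed by source IP: hostname, owner, asset class.
# (Assumed data for this example; a real feed would come from a CMDB or DHCP/ARP export.)
INVENTORY: Dict[str, dict] = {
    "10.0.0.5":  {"hostname": "ws-jdoe", "owner": "jdoe", "class": "workstation"},
    "10.0.0.50": {"hostname": "db01",    "owner": "dba",  "class": "database"},
}

# Constructed personnel feed keyed by username: employment status and department.
PERSONNEL: Dict[str, dict] = {
    "jdoe":   {"status": "active",     "dept": "engineering"},
    "asmith": {"status": "terminated", "dept": "finance"},
}

# Constructed syslog lines; the message body mirrors OpenSSH's "Accepted ..." format.
SAMPLE_LOG = """\
Jan  3 21:48:55 web01 sshd[1234]: Accepted password for jdoe from 10.0.0.5 port 51234 ssh2
Jan  3 21:49:10 web01 sshd[1240]: Accepted publickey for asmith from 10.0.0.5 port 51240 ssh2
Jan  3 21:50:02 db01 sshd[2210]: Accepted password for jdoe from 192.0.2.77 port 40001 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass
class EnrichedEvent:
    ts: str
    host: str
    user: str
    src: str
    method: str
    src_asset: Optional[dict]      # inventory record for the source IP, if known
    person: Optional[dict]         # personnel record for the user, if known
    findings: List[str] = field(default_factory=list)


def parse_login(line: str) -> Optional[dict]:
    """Extract the fields of one sshd 'Accepted' line; None if the line is something else."""
    m = LOGIN_RE.match(line)
    return m.groupdict() if m else None


def enrich(fields: dict, inventory: Dict[str, dict], personnel: Dict[str, dict]) -> EnrichedEvent:
    """Join one parsed login against inventory and personnel data and record what stands out."""
    asset = inventory.get(fields["src"])
    person = personnel.get(fields["user"])
    ev = EnrichedEvent(fields["ts"], fields["host"], fields["user"], fields["src"],
                       fields["method"], asset, person)

    # Context checks, in a fixed order so the findings list is deterministic.
    if asset is None:
        ev.findings.append("src_not_in_inventory")
    if person is None:
        ev.findings.append("user_not_in_personnel")
    elif person["status"] != "active":
        ev.findings.append("terminated_user")
    if asset is not None and asset["owner"] != ev.user:
        ev.findings.append("src_owned_by_other")
    return ev


def enrich_all(log_text: str, inventory: Dict[str, dict], personnel: Dict[str, dict]) -> List[EnrichedEvent]:
    """Run every parseable login line through enrich(); non-login lines are skipped."""
    out = []
    for line in log_text.splitlines():
        fields = parse_login(line)
        if fields:
            out.append(enrich(fields, inventory, personnel))
    return out


if __name__ == "__main__":
    for ev in enrich_all(SAMPLE_LOG, INVENTORY, PERSONNEL):
        src_name = ev.src_asset["hostname"] if ev.src_asset else "unknown"
        dept = ev.person["dept"] if ev.person else "unknown"
        print(f"{ev.ts} {ev.user}@{ev.host} from {ev.src} ({src_name}, dept={dept}) "
              f"findings={ev.findings or 'none'}")
```

Nothing here fires an alert; the point is that each event now carries who the user is according to HR and what the source machine is according to the inventory, which is what lets an analyst (or a later rule) tell a routine login from a terminated account logging in from a colleague's workstation.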
This archive was generated by hypermail 2.1.3 : Tue Jan 03 2006 - 21:48:55 PST