[logs] Re: Security Management Tool

From: Dan Barahona (dan@private)
Date: Tue Apr 11 2006 - 21:49:27 PDT

Bruno, you have discovered one of the challenges with security information
management... it tends to be focused on security devices and applications
(firewalls, IDS, VA, etc.). To make sense of the data from these systems,
and to correlate events across different sources, many products are
optimized for data where there's always an IP address, a port, etc.

The problem you've highlighted is that you also want to audit/monitor
internal applications like SAP and HR systems. These systems don't log
events the way a firewall does. Also, while there is a relatively low
number of firewall devices, for example, making it easy to support and
analyze messages from all/most of them, there are almost limitless
internal applications (and associated log formats that don't fit neatly
into a security schema).

In order to monitor all the types of systems you describe, look for a
solution that can accept non-security sources, store the data in their
native schema/context (ie, not normalized), and allow you to query the
data any way you want to. Oh, and you probably want to keep a decent amount
of history online for forensics and investigations.

I invite you to visit SenSage - http://www.sensage.com (disclaimer: I work
there). Our solution will accept and report on all the types of systems
you have.



Dan Barahona
Director, Business Development
SenSage, Inc.
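As an added illustration of the normalized-versus-native-schema point made above (example code written for this archive page, not code from the original thread or from any vendor mentioned in it), the following Python sketch ingests a constructed firewall line and a constructed SAP-style audit record; all field names, formats and values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (hypothetical formats, not real vendor output):
# a firewall syslog-style line and an SAP-style application audit record.
FIREWALL_LINE = ("2006-04-11T14:20:05 fw1 DENY "
                 "src=10.0.0.5 dst=192.168.1.20 dport=22 user=bmoraes")
SAP_RECORD = {"timestamp": "2006-04-11T14:22:30", "system": "SAP-PRD",
              "user": "bmoraes", "transaction": "SE16", "table": "PA0008",
              "result": "AUTHORITY-CHECK FAILED"}
KV = re.compile(r"(\w+)=(\S+)")

def parse_firewall(line):
    """Split a 'ts host action k=v k=v ...' line into a flat dict."""
    ts, host, action, rest = line.split(" ", 3)
    ev = {"timestamp": ts, "host": host, "action": action}
    ev.update(KV.findall(rest))
    return ev

NETWORK_SCHEMA = ("timestamp", "src", "dst", "dport", "user")

def normalize_to_network_schema(ev):
    """Network-centric normalization: anything without a slot is dropped,
    so an ERP audit record loses its transaction, table and result."""
    return {k: ev.get(k) for k in NETWORK_SCHEMA}

class NativeStore:
    """Keeps each event in its own schema, tagged only with its source."""
    def __init__(self):
        self.events = []

    def ingest(self, source, ev):
        self.events.append({"source": source, **ev})

    def query(self, predicate):
        return [e for e in self.events if predicate(e)]

def activity_for_user(store, user, start, minutes):
    """Correlate across sources by user and time window, not by IP/port."""
    t0 = datetime.fromisoformat(start)
    t1 = t0 + timedelta(minutes=minutes)
    return store.query(lambda e: e.get("user") == user
                       and t0 <= datetime.fromisoformat(e["timestamp"]) <= t1)

def demo():
    store = NativeStore()
    store.ingest("firewall", parse_firewall(FIREWALL_LINE))
    store.ingest("sap", SAP_RECORD)
    return activity_for_user(store, "bmoraes", "2006-04-11T14:15:00", 10)
```

Run `demo()` to see both the firewall denial and the SAP authority-check failure come back for the same user in one query, with the SAP fields intact; the normalized form of the same SAP record has no src/dst and has lost the transaction and result entirely.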

> Thanks Keith, but MARS doesn't analyse Database and ERP security events.
> MARS is very good for infrastructure/security devices (network security).
> Bruno.
> ---------- Start of original message -----------
> From: "Keith" kpasley6@private
> To: "Bruno Moraes" bdmoraes@private,"loganalysis"
> loganalysis@private
> Cc:
> Date: Tue, 11 Apr 2006 14:21:58 -0400
> Subject: RE: [logs] Security Management Tool
>> There are several on the market today. Cisco Monitoring Analysis
>> Reporting System, for example, does what you state plus it can mitigate
>> ongoing attacks, too. http://www.cisco.com/en/US/products/ps6241/index.html
>> Keith
>> -----Original Message-----
>> From: loganalysis-bounces+kpasley6=comcast.net@private
>> [mailto:loganalysis-bounces+kpasley6=comcast.net@private] On Behalf
>> Of Bruno Moraes
>> Sent: Wednesday, April 05, 2006 4:11 PM
>> To: loganalysis
>> Subject: [logs] Security Management Tool
>> Hello All,
>> Good Afternoon! I need a tool that manages security events in several
>> environments, such as network devices (FW, IDS, Routers, Switches),
>> operating systems (Unix, Linux, W2003) and Corporate Systems (SAP, HR
>> Systems, etc.), all in one box.
>> Does anyone know any tool to receive, correlate and respond to security
>> information gathered in these environments (all-in-one)?
>> Thanks in advance.
>> Bruno
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis

This archive was generated by hypermail 2.1.3 : Wed Apr 12 2006 - 10:45:21 PDT