Which SIM product do you use?
Results 1 to 5 of 5

Thread: Which SIM product do you use?

Hybrid View

  1. #1
    Member
    Join Date
    Jun 2006
    Posts
    43

    Which SIM product do you use?

    Currently at work we have tons of logs and many tedious processes to check the logs from firewalls, IDS, proxy, events logs, patchlink, and so on. In a prior job, I implemented CISCO MARs, which worked ok from a network perspective, but fell short from a log management perspective. The products I'm looking at are Trigeo, Network Intelligence, and Arcsight. I'm steering more for Trigeo because of the open platform, and it has tons of flexibility and control. The price is also much better than the rest. Also, the open source SIM OSSM has. With all that said, which products does everyone use and/or recommend.

    Thank you everyones input and time.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    ArcSite will require you to hire an entire team of people (and developers) to maintain it. It falls short of the claims.

    MARS is "ok" but you too have discovered that you can't manage logs very well. I'm saying this based on my log management requirements which are going to be very different than most.

    Net Forensics == Poop.

    I use NueSecure, which is now called IBM TSOM (Tivoli Security Operations Manager). I've used it for years and I am reasonably happy with it. That said, IBM is making me do a forklift upgrade. They are re-writing the product and dumping MySQL for DB2 (big surprise) and they are making enhancments to the custom rule engine that *should* boost performance when doing complex custom analysis. The interface is going to get some lipstick and heels too.

    Now, as far a log "management" goes, you haven't provided a single requirement so I can't give you a well educated answer as to what the products that I've used can and cannot do. How about throwing some out there so I can really give you the meat you're after.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Member
    Join Date
    Jun 2006
    Posts
    43
    For log management I'm looking for:

    -changes on the servers (change management)
    -event logging for security/application
    -logging on the firewalls of denied packets/drops
    -IDS correlation to other logs to create incidents, some type of ticketing system
    -auditing of users changes create/delete/kill services on all devices
    -database logging for changes

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    You do realize the enormous amount of disk space you're going to need for all of this right? If you have to meet regulatory compliance, you have to retain some data for 7 years. Also, if you're going to sift through Event Viewer logs in your SIM, get ready for *TONS* of useless data to be pumped through your SIM. You better have a good agent running on the Win32 hosts that will only fire SNMP traps over to the SIM when your create/delete/kill event IDs are seen. That's what I'm doing now so that I don't get a 99% garbage feed from Win32 hosts.

    TSOM can do all of the above requirements reasonably well right now but when you start writing custom expressions for the correlation and ticketing features, you will notice a performance lag. This is supposed to be handled in the re-write.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Junior Member
    Join Date
    Feb 2005
    Posts
    26
    Use Network Intelligence on the project I'm currently on. Depends on your criteria (obviously) and what you intend to collect events from.

    We've found custom integration quite fiddly, once you go above standard OS events via Syslog.

    I don't have any experience with other SIM products so can't recommend (or not) NI but it's not bad, certainly worth evaluating. They have quite a good looking roadmap last time I looked and are constantly updating the system (is that a good or bad thing?).

    Sometimes it still has the feel of a beta product but it has held up pretty well. Also now they are under the EMC/RSA umbrella then I would expect it to be well supported.

Similar Threads

  1. Symantec discontinuing L0phtCrack - now what?
    By genXer in forum Miscellaneous Security Discussions
    Replies: 13
    Last Post: December 22nd, 2005, 06:52 AM
  2. AV Product Guidelines....
    By JohnHACK in forum AntiVirus Discussions
    Replies: 2
    Last Post: February 5th, 2004, 04:33 AM
  3. New Product: Microsoft Contraceptives
    By w0lverine in forum Tech Humor
    Replies: 7
    Last Post: January 13th, 2004, 12:42 PM
  4. Tcp/ip
    By gore in forum Newbie Security Questions
    Replies: 11
    Last Post: December 29th, 2003, 08:01 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •