Security Basics mailing list archives
RE: SIM Suggestions
From: "Ramki B Ramakrishnan" <bramkie () gmail com>
Date: Wed, 30 Jul 2008 11:50:58 +0530
Couple of things to add to Daniel's post...

Cisco MARS 6.0 has lots of enhancements; one of them is on custom parsing. In MARS version 6.0 they have enhanced the custom parsing feature: now you can import parsers, rules, etc.

MARS backs up data to an NFS drive, but in cases where you want to do a historical analysis and some of the data you need is on the NFS volume, you need another MARS box to import and analyze.

HTH,
Ramki

-----
Ramki B. Ramakrishnan
Security Enthusiast
GIAC:GSEC, CvA

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Daniel I. Didier
Sent: Tuesday, July 29, 2008 11:48 PM
To: Lafosse, Ricardo; security-basics () securityfocus com
Subject: RE: SIM Suggestions

Ricardo,

I've done a good many MARS installations (been working with the product since Protego developed it) and I can offer a lot of input on how this solution would and would not work for you.

As far as real-time alerting for Windows / Unix / Linux, MARS can do some of this for you. This is not its primary purpose, but it has a good built-in rule set. A standard setup that I do is to identify critical users and groups. For critical users, any login failures will trigger an instant notification. The same goes for modifications to critical groups, including adding users, modifying permissions, etc.

As far as AD user tracking, the MARS can let you know login failures, successes, locked accounts, and similar metrics.

MARS has excellent support for Oracle databases. However, MSSQL is not supported.

The MARS excels at correlating information from Cisco equipment, and will work with other vendor solutions.

Asset tracking may not be a strong point of the MARS, depending on what you are looking to do. MARS has a built-in Nessus scanner to help it identify if a device is susceptible or not, but you can't access this information directly. MARS is designed to work in conjunction with external vulnerability management solutions such as Qualys for advanced vuln management.

MARS has a built-in case-management feature that works very well. It allows you to collect information in one case and pull it together. You can email reports or view it interactively through the interface.

I'm not sure you'll find any one SIM that will do everything you need. You'll need to compare the different solutions and weigh the pros and cons. You may want to also check out Q1 Labs and ArcSight.

One thing the MARS has that is very helpful for customized rules is the custom parser feature. It allows you to fairly easily build customized rules for devices that do not have built-in support. Many legacy apps / systems fall into this group. Cisco claims they will soon release a feature that will allow people to easily share custom parsers, but I'm not aware of this yet.

I'm just scratching the surface here. If I can be of any more assistance, please let me know.

-Dan
http://www.NetSecureIA.com

-----Original Message-----
From: Lafosse, Ricardo [mailto:rlafosse () sfwmd gov]
Sent: Tuesday, July 29, 2008 11:40 AM
To: Daniel I. Didier; security-basics () securityfocus com
Subject: RE: SIM Suggestions

First of all, thank you all for your quick replies. I knew this was going to be overwhelming.

Daniel,

A set of our primary goals include:

1. Real-time alerting/correlation from UNIX/Linux/Windows/Multiple Cisco devices/Multiple databases/Snort logs
2. Active Directory User Tracking (Identity Management)
3. Asset Tracking
4. Incident Response Tracking System
5. Vulnerability Scans (either its own or inputs from Nessus)

Thanks,
Ricardo

-----Original Message-----
From: Daniel I. Didier [mailto:ddidier () netsecureia com]
Sent: Tuesday, July 29, 2008 11:20 AM
To: Lafosse, Ricardo; security-basics () securityfocus com
Subject: RE: SIM Suggestions

Ricardo,

I have a lot of experience with Cisco MARS and can tell you where it will and won't be effective. Do you have a set of primary goals that you can share with us?

-Dan

Sometimes a SIM isn't really what an organization needs (depending on the requirements) and a log analyzer might be a better fit... I can expand once I see what your goals are.

http://www.NetSecureIA.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lafosse, Ricardo
Sent: Tuesday, July 29, 2008 10:30 AM
To: security-basics () securityfocus com
Subject: SIM Suggestions

Hello all,

I know this is going to be a full loaded answer; however, we are interested in acquiring a SIM. Any good/bad experiences and/or suggestions would be greatly appreciated. We are a medium sized organization.

Thanks,
Ricardo
Current thread:
- SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 30)
- RE: SIM Suggestions Lafosse, Ricardo (Jul 29)
- RE: SIM Suggestions Daniel I. Didier (Jul 29)
- RE: SIM Suggestions Tariq Naik (Jul 29)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 29)
- Re: SIM Suggestions ॐ aditya mukadam ॐ (Jul 29)
- RE: SIM Suggestions Mike Theriault (Jul 29)
- Re: SIM Suggestions Vu Anh Tu (Jul 30)
- Re: SIM Suggestions David Gadoury (Jul 31)
- Re: SIM Suggestions Albert R. Campa (Jul 31)
- Re: SIM Suggestions ॐ aditya mukadam ॐ (Jul 31)
- RE: SIM Suggestions Ramki B Ramakrishnan (Jul 31)
- Re: SIM Suggestions Kurt Buff (Jul 31)
- Re: SIM Suggestions Vu Anh Tu (Jul 30)