IDS mailing list archives

RE: Host based IDS Reports


From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 23 Dec 2003 06:56:11 -0700

If an enterprise spends from $15,000 to upwards of $400,000 for a host-based
enterprise IDS solution, providing useful reporting tools or useful reports
is a given.

As I have discovered, and as you stated, as long as the data is retrievable
via either an SQL query or some other method, building one's own reports is
a nice thing to do.  But the issue there is what happens if the person or
team who crafted the reports goes away (i.e. gets a better job, retires,
suffers a massive heart attack after reading how much money they spent on
the vendor's software, and it doesn't do what management wants).  Many
vendors shy away from report tools and report formatting.  Just letting an
admin modify the graphic on the report seems to be a major issue.  Some
other vendor products make it so easy to create a custom report that one
does not need to have any SQL skills at all.

Ensuring that the data is useful is another issue.  Some vendors don't
capture enough information to provide an executive-level report, except a
nice pretty pie graph with some percentages.  What does it all mean to
the administrator?

Time is another issue in the data: what timestamp do the logs use, the
server's or the end point's?

Does it normalize the timestamp based on GMT location?

/mark

-----Original Message-----
From: Mike Lyman [mailto:mlyman-security () comcast net] 
Sent: Monday, December 22, 2003 9:59 PM
To: focus-ids () securityfocus com
Subject: Re: Host based IDS Reports


On Sat, 2003-12-20 at 14:05, Teicher, Mark (Mark) wrote:

> Thoughts, comments, rants, raves, suggestions for a geek who preaches
> from the corner soapbox.. :)

My old boss and I used to drive vendors nuts when they'd ask us how we
liked their reporting features and we'd tell them we didn't use them.

As long as the data was being reported to a database, we'd generate our
own reports, import to Excel and pretty them up from there. None of the
built in reports met our constantly changing needs so we relied on the
database.

We also stress SQL skills as one of our main requirements for new
members of the team. We had so much data available that everybody had to
be able to write ad-hoc queries in their sleep.

It may take some skill to pretty them up, but nothing beats being able
to generate exactly the info you need instead of relying on what
somebody else thinks you probably need.


-- 
Mike Lyman <mlyman-security () comcast net>
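As an added illustration of the two points raised in this thread, ad-hoc SQL over the raw event table instead of canned vendor reports, and normalizing endpoint timestamps to GMT/UTC before counting anything, here is a small Python/sqlite script that is not code from either poster; the event table layout, hostnames, signatures and per-endpoint UTC offsets are constructed assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample HIDS events: each endpoint stamps events in its own
# local time, and the collector only knows the endpoint's UTC offset (hours).
EVENTS = [
    # host,   local timestamp,        offset, signature
    ("web01",  "2003-12-22 23:30:00", -5, "failed_login"),
    ("web01",  "2003-12-22 23:45:00", -5, "failed_login"),
    ("db01",   "2003-12-23 09:15:00",  1, "file_changed"),
    ("mail01", "2003-12-23 04:05:00",  0, "failed_login"),
    ("db01",   "2003-12-23 09:20:00",  1, "file_changed"),
]

def to_utc(local_ts, offset_hours):
    """Normalize an endpoint's local timestamp to UTC (ISO 8601 with 'Z')."""
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def open_db():
    """Load the constructed events into an in-memory table, keeping both the
    raw endpoint timestamp and the normalized UTC one side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (host TEXT, ts_local TEXT, "
                 "utc_offset INTEGER, ts_utc TEXT, signature TEXT)")
    rows = [(h, ts, off, to_utc(ts, off), sig) for h, ts, off, sig in EVENTS]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", rows)
    return conn

def build_report(since_utc="2003-12-23T00:00:00Z",
                 until_utc="2003-12-24T00:00:00Z"):
    """Ad-hoc report: events per host and signature inside a UTC window."""
    conn = open_db()
    return conn.execute(
        "SELECT host, signature, COUNT(*) AS n FROM events "
        "WHERE ts_utc >= ? AND ts_utc < ? "
        "GROUP BY host, signature ORDER BY n DESC, host",
        (since_utc, until_utc)).fetchall()

def compare_day_counts(day):
    """Show why normalization matters: count one calendar day by the raw
    endpoint-local stamp versus by the normalized UTC stamp."""
    conn = open_db()
    counts = []
    for column in ("ts_local", "ts_utc"):   # fixed allowlist, not user input
        counts.append(conn.execute(
            f"SELECT COUNT(*) FROM events WHERE substr({column}, 1, 10) = ?",
            (day,)).fetchone()[0])
    return tuple(counts)

if __name__ == "__main__":
    for host, sig, n in build_report():
        print(f"{host:8} {sig:14} {n}")
    print("2003-12-23 local vs UTC:", compare_day_counts("2003-12-23"))
```

The web01 events fall on 22 December in the endpoint's local time but on 23 December in UTC, so a report keyed on the raw stamp silently drops them.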

