
List:       focus-ids
Subject:    Re: IDS and Log Consolidators
From:       "John Kelly" <idswizard () hotmail ! com>
Date:       2002-07-04 2:49:19

This is really about what product and vendor best meets your needs.  If you 
are a 24X7 SOC, you will have one set of needs.  If you are a 9-5 risk 
management group, you will have another set of needs.

Since I have a security operations background, this response will be in that 
direction.

When I look at these products I see 4 distinct categories for consideration 
(the questions are used for example purposes; many more can be added):

1. Event monitoring – What devices does the product support?  How does the 
product collect the event data?  How are the events displayed (real time vs. 
search)?  Can the product present events based on set criteria (e.g., I want 
to see activity coming from X-Network because my security intelligence 
service warned me of possible malicious activity)?  What normalization, 
aggregation and correlation technologies are used?

2. Threat analysis – What threat analysis technologies are used?  How are 
threats presented?  Can the product quickly show which networks or business 
units are under attack?  What tools are available to quickly analyze the 
threat?  Does the product provide collaboration tools (tickets, chat, etc.)? 
Does the product integrate vulnerability scans for an effective event 
response decision process (e.g., if System A is not vulnerable to the attack 
but System B is, respond to System B first)?

3. Reports – Does the product provide canned reports?  Are the reports 
provided as summaries and with detail?  Can the reports be scheduled?  Does 
the product provide “off-line” data mining for advanced trend analysis?

4. System Administration – Can the product easily integrate data retention 
policies?  What is the process for adding devices?  What are the processes 
for user administration?  Can users be individually or via a group assigned 
networks, hosts, devices, reports, etc.?  Does the product provide a central 
point of administration and analysis?  What filter techniques does the 
product use?

With all that in consideration, here is my take on those products 
(gentlemen, start your flames):

neuSECURE – Based on my experience, hands down the best product for security 
operations.  A quick view of the interface shows what networks are 
threatened, the level of threat, if the threat is increasing or decreasing 
and what analyst is working on what event.  The real-time console is 
outstanding as it provides a true drill-down capability.  The investigative 
workbench is a great feature as it allows an analyst to quickly evaluate the 
network or host.  It does not use agents, rather a combination of native 
support, Cisco POP, SNMP and syslog.  I love the simplistic approach of 
pointing a device at the product and having it being monitored within 
minutes.  This should be great for scalability.  The only real problem is 
their lack of marketing.  They have a great product; they just need to tell 
the world about it.

netForensics – netForensics is great if you are not interested in real-time 
monitoring of your network.  I have taken a long hard look at this product 
and it really comes short in that area.  The product does have strong points 
in database management and extensive documentation.  However, for security 
operations it really fails to deliver.  The interface is very awkward and 
not very intuitive.  Lots of reports for risk management types, but not very 
useful for real-time event response.  I found it difficult to drill down 
quickly through the event data.  They do offer a real-time console, but it 
is sorely lacking in functionality.  They also require you to use agents if 
a native format is not supported (Checkpoint LEA_CLIENT for example).  
Depending on how big or complex your network is, a massive agent install 
process may not be very appealing.

netForensics was built to fill in the gaps of a pure Cisco deployment, but 
they have tried to break away from that image.  Due to that relationship 
with Cisco, they get their foot into the door before many of the other 
vendors.  I really see them as the ISS of this market.  Lots of great 
marketing, very little substance (yeah, I know, a bit of a stab, sorry).

Intellitactics – Interesting interface with lots of visualization, but 
perhaps a bit too much visualization.  Sometimes a simple interface is a 
better tool so the analyst does not become overwhelmed with information.  
With that stated, it is a powerful product with lots of capabilities.  They 
do not supply the Oracle database or web server (netForensics and Guarded 
Net do), so getting it up and running may be a pain if you do not have DBA 
experience.

Their new NSM analytics looks interesting and may be worth something.  Data 
mining products are always a good thing.

e-Security – IMHO, don’t waste your time.  They may have been the first, but 
they are so far off the mark today that it is not even funny.  This is a 
hodgepodge of other products slapped together to make it look like one 
product and it just does not work as an effective solution.  If you enjoy 
pain, this is the product of choice.

These are my opinions based on my experience and others will definitely have 
different views.  It all comes down to YOUR requirements.  My suggestion to 
you is define your requirements, scale and weight those requirements, send 
out an RFI and conduct a pilot plan based on the RFI.  This will provide you 
with the best result for your requirements.  You really can’t go wrong by 
doing a real world evaluation on the product.

Hope that helps.

Some links of interest:

http://www.networkcomputing.com/1307/1307f2.html
http://www.networkcomputing.com/1307/1307f1.html
http://www.infosecuritymag.com/2002/jan/features_command.shtml
http://www.infosecuritymag.com/2002/jan/pdfs/Command_Chart1.pdf

>From: Travis Dawson <tdawson@sprintlabs.com>
>To: focus-ids@securityfocus.com
>Subject: IDS and Log Consolidators
>Date: Wed, 03 Jul 2002 10:18:31 -0700
>
>Question:
>         Has anyone here looked at any of the IDS and Log consolidators. 
>The vendors I have started to look at are NetForensics, Guarded, 
>Intellitactics, and E-Security. They all look pretty good although the 
>industry is new. I have so far found Intellitactics with the Analysis pack 
>to be the most interesting. Would like to hear what others have to say.
>
>-tdawson
>-tdawson@sprintlabs.com

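Items 1 and 2 of the checklist in the post above describe, in words, what an event console does before an analyst ever sees a screen: normalize events from different sensors into one schema, aggregate repeats, and use vulnerability-scan results to decide which target to respond to first (the "System A is not vulnerable but System B is" case). The Python below is an added illustration of that pipeline and is not code from the original post or from any vendor named in it. The two sensor line formats, the signature ids, the scan results and the mapping from a scan finding to an IDS signature id are all constructed assumptions for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input from two sensors feeding one console.
# "snort" lines imitate a fast-style alert; "fw" lines imitate a firewall deny log.
# Both formats are invented for this example, not any vendor's real output.
RAW_EVENTS = [
    'snort 07/03-10:18:31 [1:2003:4] WEB-IIS cmd.exe access 10.0.0.7:4431 -> 192.168.1.10:80',
    'snort 07/03-10:18:32 [1:2003:4] WEB-IIS cmd.exe access 10.0.0.7:4432 -> 192.168.1.11:80',
    'snort 07/03-10:18:40 [1:2003:4] WEB-IIS cmd.exe access 10.0.0.7:4433 -> 192.168.1.10:80',
    'fw 07/03-10:18:45 DENY tcp 10.0.0.7:4440 -> 192.168.1.12:22',
    'snort 07/03-10:19:02 [1:1999:1] SMTP relay attempt 172.16.5.5:2511 -> 192.168.1.20:25',
]

# Constructed vulnerability-scan results: host -> set of signature ids the host is
# actually exposed to. Mapping a scan finding onto a signature id is an assumption
# made here; a real product would carry that mapping in its own knowledge base.
VULN_SCAN = {
    '192.168.1.10': {'1:2003'},   # "System B": vulnerable to the IIS signature
    '192.168.1.11': set(),        # "System A": patched, not vulnerable
    '192.168.1.12': set(),
    '192.168.1.20': {'1:1999'},
}

SNORT_RE = re.compile(r'^snort (\S+) \[(\d+:\d+):\d+\] (.+?) (\S+):\d+ -> (\S+):\d+$')
FW_RE = re.compile(r'^fw (\S+) DENY (\w+) (\S+):\d+ -> (\S+):(\d+)$')


@dataclass(frozen=True)
class Event:
    """Common schema every sensor line is normalized into."""
    ts: str
    src: str
    dst: str
    sig: str   # normalized signature id, e.g. "1:2003" or "fw:deny:22"
    msg: str


def normalize(line):
    """Map one raw sensor line onto the Event schema; None if the format is unknown."""
    m = SNORT_RE.match(line)
    if m:
        ts, sig, msg, src, dst = m.groups()
        return Event(ts, src, dst, sig, msg)
    m = FW_RE.match(line)
    if m:
        ts, proto, src, dst, dport = m.groups()
        return Event(ts, src, dst, f'fw:deny:{dport}', f'{proto} denied to port {dport}')
    return None


def aggregate(events):
    """Collapse repeated (src, dst, sig) tuples into a hit count."""
    return Counter((e.src, e.dst, e.sig) for e in events)


def prioritize(agg, vuln_scan):
    """Rank aggregated events: targets the scan says are exposed to the signature
    come first ("respond"), everything else is "monitor"; ties break on hit count.
    Returns a list of (priority, src, dst, sig, count)."""
    ranked = []
    for (src, dst, sig), count in agg.items():
        vulnerable = sig in vuln_scan.get(dst, set())
        ranked.append(('respond' if vulnerable else 'monitor', src, dst, sig, count))
    ranked.sort(key=lambda r: (r[0] != 'respond', -r[4], r[2]))
    return ranked


def sources_by_network(events, prefix):
    """The 'show me activity coming from X-Network' filter from item 1 of the checklist."""
    return sorted({e.src for e in events if e.src.startswith(prefix)})


def run(raw_lines=RAW_EVENTS, vuln_scan=VULN_SCAN):
    """Normalize, aggregate and prioritize; unrecognized lines are dropped."""
    events = [e for e in (normalize(l) for l in raw_lines) if e is not None]
    return prioritize(aggregate(events), vuln_scan)


if __name__ == '__main__':
    for priority, src, dst, sig, count in run():
        print(f'{priority:8} {src:>12} -> {dst:<14} {sig:<12} x{count}')
```

With the constructed data, the two repeated hits on 192.168.1.10 rank first because the scan says that host is exposed to the signature, while the single hit on the patched 192.168.1.11 drops to "monitor" even though it is the same attacker and the same signature. Dropping unrecognized lines on the floor is the weak point of the sketch: a real console should count them, since an unparsed feed is exactly the visibility gap the post's device-support question is asking about.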
