List: focus-ids
Subject: Re: IDS and Log Consolidators
From: "John Kelly" <idswizard () hotmail ! com>
Date: 2002-07-04 2:49:19
This is really about what product and vendor best meets your needs. If you
are a 24X7 SOC, you will have one set of needs. If you are a 9-5 risk
management group, you will have another set of needs.
Since I have a security operations background, this response will be in that
direction.
When I look at these products I see 4 distinct categories for consideration
(the questions are used for example purposes; many more can be added):
1. Event monitoring – What devices does the product support? How does the
product collect the event data? How are the events displayed (real time vs.
search)? Can the product present events based on set criteria (e.g., I want
to see activity coming from X-Network because my security intelligence
service warned me of possible malicious activity)? What normalization,
aggregation and correlation technologies are used?
2. Threat analysis – What threat analysis technologies are used? How are
threats presented? Can the product quickly show which networks or business
units are under attack? What tools are available to quickly analyze the
threat? Does the product provide collaboration tools (tickets, chat, etc.)?
Does the product integrate vulnerability scans for an effective event
response decision process (e.g., if System A is not vulnerable to the attack
but System B is, respond to System B first)?
3. Reports – Does the product provide canned reports? Are the reports
provided as summaries and with detail? Can the reports be scheduled? Does
the product provide “off-line” data mining for advanced trend analysis?
4. System Administration – Can the product easily integrate data retention
policies? What is the process for adding devices? What are the processes
for user administration? Can users be assigned networks, hosts, devices,
reports, etc. individually or via a group? Does the product provide a central
point of administration and analysis? What filter techniques does the
product use?
With all that in consideration, here is my take on those products
(gentlemen, start your flames):
neuSECURE – Based on my experience, hands down the best product for security
operations. A quick view of the interface shows what networks are
threatened, the level of threat, if the threat is increasing or decreasing
and what analyst is working on what event. The real-time console is
outstanding as it provides a true drill-down capability. The investigative
workbench is a great feature as it allows an analyst to quickly evaluate the
network or host. It does not use agents, but rather a combination of native
support, Cisco POP, SNMP and syslog. I love the simplistic approach of
pointing a device at the product and having it monitored within
minutes. This should be great for scalability. The only real problem is
their lack of marketing. They have a great product; they just need to tell
the world about it.
netForensics – netForensics is great if you are not interested in real-time
monitoring of your network. I have taken a long hard look at this product
and it really comes short in that area. The product does have strong points
in database management and extensive documentation. However, for security
operations it really fails to deliver. The interface is very awkward and
not very intuitive. Lots of reports for risk management types, but not very
useful for real-time event response. I found it difficult to drill down
quickly through the event data. They do offer a real-time console, but it
is sorely lacking in functionality. They also require you to use agents if
a native format is not supported (Checkpoint LEA_CLIENT for example).
Depending on how big or complex your network is, a massive agent install
process may not be very appealing.
netForensics was built to fill in the gaps of a pure Cisco deployment, but
they have tried to break away from that image. Due to that relationship
with Cisco, they get their foot into the door before many of the other
vendors. I really see them as the ISS of this market. Lots of great
marketing, very little substance (yeah, I know, a bit of a stab, sorry).
Intellitactics – Interesting interface with lots of visualization, but
perhaps a bit too much visualization. Sometimes a simple interface is a
better tool so the analyst does not become overwhelmed with information.
With that stated, it is a powerful product with lots of capabilities. They
do not supply the Oracle database or web server (netForensics and Guarded
Net do), so getting it up and running may be a pain if you do not have DBA
experience.
Their new NSM analytics looks interesting and may be worth something. Data
mining products are always a good thing.
e-Security – IMHO, don’t waste your time. They may have been the first, but
they are so far off the mark today that it is not even funny. This is a
hodgepodge of other products slapped together to make it look like one
product and it just does not work as an effective solution. If you enjoy
pain, this is the product of choice.
These are my opinions based on my experience and others will definitely have
different views. It all comes down to YOUR requirements. My suggestion to
you is define your requirements, scale and weight those requirements, send
out an RFI and conduct a pilot plan based on the RFI. This will provide you
with the best result for your requirements. You really can’t go wrong by
doing a real world evaluation on the product.
Hope that helps.
Some links of interest:
http://www.networkcomputing.com/1307/1307f2.html
http://www.networkcomputing.com/1307/1307f1.html
http://www.infosecuritymag.com/2002/jan/features_command.shtml
http://www.infosecuritymag.com/2002/jan/pdfs/Command_Chart1.pdf
>From: Travis Dawson <tdawson@sprintlabs.com>
>To: focus-ids@securityfocus.com
>Subject: IDS and Log Consolidators
>Date: Wed, 03 Jul 2002 10:18:31 -0700
>
>Question:
> Has anyone here looked at any of the IDS and Log consolidators.
>The vendors I have started to look at are NetForensics, Guarded,
>Intellitactics, and E-Security. They all look pretty good although the
>industry is new. I have so far found Intellitactics with the Analysis pack
>to be the most interesting. Would like to hear what others have to say.
>-tdawson
>-tdawson@sprintlabs.com